MAS takes Singapore towards Central Registry of KYC Records
7 April 2017
When we think of Fintech’s application in the AML world, our first thoughts are probably better name screening techniques and enhanced transaction monitoring tools. Stretch the mind a bit further, and we begin to think of emerging technical clichés such as Big Data and Blockchains, the former being the term used for aggregated data which can be analysed to review patterns, behaviours and anomalies, and the latter meaning a distributed ledger to settle interbank payments, keep an audit trail and deter money laundering. We are unlikely to envisage that advances are now being made to centralise KYC and verification for an entire country.
MAS engaged with two undisclosed banks in Q1 2017 to test the concept of leveraging the existing MyInfo data platform to perform KYC checks on customers of financial institutions (FIs). The intention to run this pilot was announced in Oct 2016, and the plan is to extend it to other FIs progressively.
KYC is a mandatory check that must be performed on customers to identify them and verify their credentials before they can commence any relationship or transactions with an FI. Collecting identification information from customers, and keeping it updated at least periodically as required under the regulations, is a critical yet laborious process. It has to be performed by each FI the customer chooses to have a relationship with, and hence it is duplicative in nature.
In May 2016, the Ministry of Finance and GovTech, the Government Technology Agency of Singapore, launched MyInfo, a one-stop personal data platform containing government-verified personal details such as NRIC number, residential address, etc. It enables users to provide their personal data just once to the government and retrieve these details for all subsequent transactions with all government agencies. Consent is sought from users before data is transferred to a requestor. Users can even choose to be alerted whenever a digital service uses their personal data. Singpass is required to operate this account. The plan is to have all 200 e-citizen services, from various government and government-linked agencies, linked to MyInfo by 2018, and to increase the number of personal data items shared through the platform.
Since performing KYC checks on an individual is laborious, increasingly costly in terms of time and resources, and tends to be duplicative, it is a great idea to leverage an existing government-verified, secured and centralised database for such static customer information going forward. Subject to customer consent, the FI could access the updated information, thereby reducing its compliance burden and resource requirements, thanks to such a simplified process.
The very idea of having access to relevant information in electronic form is expected to make several existing manual processes redundant in the future. Customers are often required to fill in application forms and provide hard copy documents to the FI for manual verification. The FI then enters the data manually into its internal systems, a step which is subject to error and needs a maker-checker control to ensure the accuracy of the data entered.
Further, any update to information, such as a change in address or employment/income particulars, would not have to be reported separately to every FI with which the customer holds a relationship. Updating MyInfo would suffice.
It would be easier for banks to use the electronic data to design products that cater for a specific class of customers or to provide customised services. Having a transparent system also greatly reduces the chances of fraud or attempted fraud by customers misrepresenting information to FIs at the outset.
Notwithstanding the above-mentioned benefits, there are some aspects that need to be considered as we progress towards implementation of this nascent idea. A few key considerations are provided below.
MyInfo currently receives information from several government agencies and has numerous personal information fields including but not limited to date of birth (an important verification question for banks), mobile number (where 2FA systems usually send SMS messages), email address (where most password reset instructions are sent), residential address, CPF details, yearly income, household income, details of family members, etc. It is quite evident that this is a comprehensive source of information loaded with significant details about any individual. Further, there are plans to increase the number of data items in the database, which could possibly include information from medical, police and legal records, given that these are government-linked entities as well (medical treatments and consultations if obtained from government or restructured hospitals).
While Singpass is the key to operating the account, we are aware of past instances where Singpass login information has been compromised and data stolen and misused. 1,560 user accounts were breached in 2014, and information from 293 accounts was stolen, a case which emerged in 2015. User information was used to sponsor visa applications for Chinese nationals, who successfully gained entry to Singapore and even secured jobs. Hence, operating with such a gold mine of information, and allowing non-government agencies access to it, naturally calls for robust, in-built security features which make the system hacker-proof, secure and reliable.
Even when access is allowed for legitimate use by FIs, data should be accessible in a secure manner and only on a need-to-know basis for users within the FIs. Controls and control assessments (for management of risk) should be designed for handling the information. Given the extent of information available in MyInfo, it would be easy to impersonate an individual and take advantage of stolen identity details. With the information readily available, social engineering would not even be required to gain access to someone’s personal or professional life. The concept of an individual’s privacy would be put to the test if there were widespread use of personal information.
Take-up Rate
Policy makers should also have a clear strategy on the intended use of the MyInfo database and the extent to which the concept of national identity needs to be stretched at a national level. Currently, it is not mandatory for Citizens and PRs to have a MyInfo account and to authorise other agencies to collate and use the subsequently collated data. As the use of MyInfo widens into sectors outside the government remit, would there be a mandatory requirement for residents of Singapore to have a MyInfo account?
Intent of Usage - Basic KYC or KYC Plus
In the current phase, FIs will be able to use the static information to perform basic KYC checks. Given that other high-quality information, over and above the name, address and NRIC number, is also available on MyInfo, it would be interesting to consider whether FIs could leverage the additional information for decision making and risk management purposes, should this be allowed. And are there competition angles to this?
We at Bovill have a keen interest in the area. We welcome the initiative and would be happy to help FIs wanting to understand the developments and prepare for the future. Please get in touch.