MAS tells banks to tighten customer verification process in view of SingHealth breach

The Monetary Authority of Singapore (MAS) has issued a circular to all financial institutions, directing them to tighten their customer verification processes.

This follows the recent cyber attack at SingHealth where personal information of 1.5 million individuals was illegally accessed and stolen, MAS said in a press release. 

The move is to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions.

Specifically, with immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification.

Before undertaking transactions for the customer, additional information must be used for verification. This may include, for instance, a One-Time Password, PIN, biometrics, or the last transaction date or amount.

Photo courtesy: MAS

Currently, banks in Singapore are already required to put in place two-factor authentication at login to identify their customers for online services. They are also required to implement an additional layer of control to authorise high-risk transactions.  

In addition, financial institutions have in place robust measures to verify customer identity. Personal information – such as name, NRIC number, address, date of birth – is generally not used as the sole means of verification. This is because such details are often freely given out by members of the public for various purposes, such as when filling out lucky draw coupons or surveys.

“MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence. But customers must also play their part,” said Mr Tan Yeow Seng, MAS’ Chief Cyber Security Officer. “They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately.”