MAS orders financial institutions to tighten verification processes in wake of SingHealth cyberattack

SINGAPORE (July 24): The Monetary Authority of Singapore (MAS) has ordered banks and other financial institutions to tighten their customer verification processes.

The circular to all financial institutions comes in the wake of a cyberattack at SingHealth, which saw personal information of 1.5 million individuals – including Prime Minister Lee Hsien Loong – illegally accessed and stolen.

Singapore's worst cyberattack 'not work of casual hackers, criminal gangs'

With immediate effect, MAS has directed all financial institutions not to rely solely on the types of information stolen – such as name, NRIC number, address, gender, race, and date of birth – for customer verification in accessing online financial services.

Instead, MAS says additional information must be used for verification before undertaking transactions for the customer. This may include the use of One-Time Password, PIN, biometrics, and last transaction date or amount.

These measures are to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions.

In addition, MAS has directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.

Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information. MAS says it will engage financial institutions on their risk assessments and mitigation steps.

“MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence,” says Tan Yeow Seng, MAS’ Chief Cyber Security Officer.

The tightened customer verification processes will be added on top of two-factor authentication at login that banks are already required to put in place to identify their customers for access to online financial services.

Banks are also required to implement an additional layer of control to authorise high-risk transactions, such as opening of beneficial accounts, registration of third party payee details, and revision of funds transfer limits.

“But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately,” Tan adds.