Singapore to shake up verification of identities
Chris Hamblin, Editor, London, 12 November 2020
The Monetary Authority of Singapore is planning to promulgate more stringent rules to govern the types of information that a financial institution can use when it verifies the identity of someone who is not able to meet its staff face-to-face.
The regulator has issued a new consultative document with the aim of countering a rising tide of scams that rely on impersonations and dealing with some of the risks that arise from the theft and misuse of someone's personal particulars. It is keen to ensure that financial institutions "must not rely solely on information that are often given out by individuals such as NRIC number, residential address and date of birth to verify an individual’s identity." An NRIC is a National Registration Identity Card, a commonplace in authoritarian countries.
When a financial firm verifies someone's identity (and this might be someone who is authorised to act on behalf of a company) in the context of non-face-to-face contact, the consultative paper suggests that it must do so using at least one of the following types of information (excluding personal particulars such as name, NRIC number, address, date of birth, contact number or email address).
- Something that only the individual knows, such as a password or personal identification number.
- Something that only the individual has, such as a cryptographic identifying device or token.
- Something that uniquely identifies the individual, based on his biometrics or behaviour.
- Information (such as account transaction information or an application identification number) that is (i) in the case of an individual authorised to act on behalf of an entity, only known between the individuals authorised to act on behalf of the entity, the entity and the relevant entity; or (ii) in other cases, only known between the individual and the relevant entity.
The regulated firm must take reasonable care to ensure that anyone that it appoints to act on its behalf complies with this and acts as though he is the regulated firm himself.
In its latest enforcement report, which covers the months between January last year and June this year, the MAS states that it revoked the licence of one financial advisor and two fund management firms. It ensured that nine people were sentenced to terms of imprisonment, although it did not provide details, levied S$3.4 million in financial penalties and compositions on 18 financial institutions and imposed S$11.7 million in civil penalties in relation to one case of insider dealing, one case of deceptive trading and one case of failure to disclose shareholdings. It also banned 25 unfit representatives from re-entering the financial sector, many of whom have been mentioned in our web-pages.
The average time between 1 January 2019 and 30 June 2020 that the MAS took to complete reviews and investigations was as follows.
- Criminal prosecutions: 24 months.
- Civil penalties: 26 months.
- Regulatory actions: 8 months.
- Referrals to external agencies: 3 months.
- Average across all concluded cases: 8 months.
The regulator's enforcement-related priorities for the future are to make itself more able to detecting misconduct among financial advisors, to ask for fresh powers (an almost annual occurrence) and to make senior managers more accountable to it.