NRIC practices under review at banks, insurers
Local banks and insurers are reviewing their use of NRIC numbers, and existing practices could change, they said in separate statements on Dec 19.
Their statements came in the wake of security concerns over the disclosure of NRIC numbers in an updated version of Singapore’s business registry portal, run by the Accounting and Corporate Regulatory Authority (Acra).
Addressing concerns of impersonators using NRICs to cheat banks, the Association of Banks in Singapore (ABS) said NRIC numbers alone cannot be used to make payment and fund transfers.
Customers who want to do so will have to pass multi-factor authentication challenges, in the form of one-time passwords or biometric authentication, to log in to their accounts.
Higher-risk activities like high-value fund transfers or adding new payees will have to be further authorised, said ABS.
In calls that The Straits Times made to local banks in the past week, banks typically required callers to identify themselves by entering their NRIC numbers during the call. The caller is required to enter a one-time password before services or privileged information are provided.
Transactions over the phone are also limited to fund transfers between the customer’s own accounts with the bank and not to anyone else, for security purposes.
NRIC numbers are useful for distinguishing individuals with identical names and facilitating efficient identification for customers seeking over-the-counter services, said ABS.
In urgent situations, such as responding to a scam in progress, some banks have opted to accept NRIC numbers to quickly identify customers in need of immediate assistance to prevent fraudulent transactions, it said.
ABS said: “Banks are conducting a thorough review of their practices on the use of NRIC numbers. We seek customers’ understanding that some existing practices may be changed as a result.”
Customers who have used their NRIC numbers or personal identifiable information – such as their names or birthdates – as their passwords should change them, it added.
Insurers also assured policyholders that NRIC numbers alone cannot be used to purchase, surrender or alter existing policies, or to submit claims.
In a joint statement on Dec 19, the General Insurance Association of Singapore and Life Insurance Association, Singapore, said NRIC numbers alone also cannot be used to change the nominated beneficiary or bank account information lodged with the issuer for receipt of policy payments.
To log in to online financial services, customers similarly need to pass multi-factor authentication. Offline transactions are subject to other forms of checks.
Acra and the Ministry of Digital Development and Information have apologised for the miscommunication that resulted in the full NRICs of directors and those registered under Acra’s database being revealed.
Digital Development and Information Minister Josephine Teo said in a press conference on Dec 19 that NRIC numbers should only be used as a means of identification.
They should not be used as authentication to provide a service or retrieve information, she said, urging organisations to discontinue this practice as soon as possible.
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now