Singapore banks and insurers to review NRIC practices following public concerns

Singapore banks and insurers are reviewing their use of National Registration Identity Card (NRIC) numbers after recent public concern.

The Association of Banks in Singapore (ABS) and insurance associations assured customers that NRIC numbers alone cannot authorise transactions and stressed multi-factor authentication measures.

SINGAPORE: Banks and insurers in Singapore are conducting a thorough review of their practices regarding the use of National Registration Identity Card (NRIC) numbers.

This comes amid heightened public concern following an incident involving the unmasking of NRIC numbers on a government portal, which led to anxiety about identity theft and fraud.

The Association of Banks in Singapore (ABS) announced on Thursday (19 Dec) that NRIC numbers alone cannot be used to effect payments or fund transfers.

It noted that banks use multi-factor authentication for online services and additional controls for high-risk activities such as high-value fund transfers, adding new payees, or raising transfer limits.

ABS acknowledged that NRIC numbers are important for identifying customers, particularly those with identical names, and for providing efficient over-the-counter services.

However, it stressed that banks are reviewing their practices to enhance security and adapt to changing needs.

In situations requiring urgent assistance, such as ongoing scams, banks sometimes use NRIC numbers to quickly identify customers and prevent fraudulent transactions.

“We seek customers’ understanding that some existing practices may be changed as a result,” ABS said.

It also advised customers against using NRIC numbers or other personal information, such as their name or date of birth, as login passwords.

Similarly, the General Insurance Association of Singapore (GIA) and the Life Insurance Association, Singapore (LIA), issued a joint statement on Thursday, assuring policyholders that NRIC numbers alone cannot be used to purchase, surrender, or alter policies, nor to submit claims or change payment details.

Insurers also employ multi-factor authentication and are reviewing their practices.

Incident involving unmasked NRIC numbers

The reviews follow a recent incident involving the Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (ACRA), which revealed full NRIC numbers in its search results. This sparked public anxiety and criticism.

On 19 December 2024, Minister for Digital Development and Information Josephine Teo and ACRA Chief Executive Chia-Tern Huey Min addressed the matter at a press conference, expressing regret for the oversight.

Minister Teo acknowledged the public’s concerns and apologised for the distress caused.

She explained that the incident arose from a misunderstanding of an internal circular issued by the Ministry of Digital Development and Information (MDDI).

The circular had directed government agencies to phase out the use of masked NRIC numbers internally. However, ACRA mistakenly applied the directive to its public-facing Bizfile portal.

“The main purpose of the NRIC is to be a unique identifier; it cannot be a secret, just as our names are not secret,” Minister Teo explained.

She added that while the NRIC serves as an identifier, its dual role as an authenticator increases vulnerability to identity theft and fraud.

Algorithms can potentially reconstruct full NRIC numbers using partial data combined with other personal information, making masking ineffective.

ACRA Chief Executive Chia-Tern Huey Min echoed the apology, acknowledging a lapse in coordination between staff.

The July directive from the MDDI was intended to uphold the NRIC’s role as a unique identifier while reducing reliance on masked numbers, which provide a false sense of security.

“Unfortunately, there was a misunderstanding, and ACRA proceeded on the assumption that it should unmask NRIC numbers on the new Bizfile portal,” she explained.

She added that steps are being taken to ensure such lapses do not recur.

Wider implications and security concerns

The saga highlights broader concerns over the use of NRIC numbers in both public and private sectors.

Singaporeans expressed worries about the risks associated with using NRIC numbers as both identifiers and authenticators, urging organisations to adopt alternative authentication methods to reduce dependence on such sensitive information.
