Following a high-profile hacking case in which the accounts of 21 customers of a local bank were hacked into and a reported S$62,000 stolen before the hacker fled the country, the Monetary Authority of Singapore (the "MAS") has recently updated and re-issued its Internet Banking Technology Risk Management Guidelines (the "revised guidelines") to increase the standards of risk management and security practices that banks must adopt.

The previous version of the guidelines before this recent update is the February 2001 version (the "previous guidelines"). The MAS issued its first policy statement on internet banking in July 2000.

The updated Internet Banking Technology Risk Management Guidelines (September 2002) are accessible from the MAS website at www.mas.gov.sg.

This article discusses the various aspects of the revised guidelines which are new, or which have been expanded upon, when compared to the previous guidelines. Broadly speaking, the update is geared towards further enhancing existing measures to improve customer protection. The revised guidelines also focus on promoting customer awareness of the various risks associated with internet banking and emphasising the need for customers themselves to take precautionary measures.

Data Confidentiality

Paragraph 4.1.5 of the revised guidelines provides that in accordance with the general principle of data protection, the encryption security pertaining to the customer’s PIN and other sensitive data should be maintained from the point of data entry to the final system destination, where decryption and/or authentication takes place.

Customer Protection – High Value Fund Transfers and Other Sensitive Transactions

In respect of high value fund transfers, payment account creation and other sensitive transactions, the limitations of user-ID and PIN combination (presently the most popular and predominant method of authentication for internet online systems) should be recognised and addressed.

Paragraph 4.5.2 of the revised guidelines states that to augment one-factor PIN authentication, variable and unique authorisation codes should be used as part of the log-on process or for approving sensitive transactions. These authorisation codes should be generated dynamically by the banks and conveyed to customers via separate channels, which are unrelated to internet banking.

In devising these security features, banks are asked to take account of their efficacy and differing customer preferences for additional online protection.

In respect of applications which require even stronger authentication, banks are called upon by the revised guidelines to deploy enhanced methods based on one-time password generating tokens, challenge and response security tokens, digital certificates, smartcards and/or biometric devices.

Customer Protection – Confirmatory Procedures

Paragraph 4.5.4 of the revised guidelines states that confirmatory procedures should be applied in respect of transactions above certain pre-set values, creation of new account linkages, registration of third party payee details, changing account details or revision to funds transfer limits. The additional use of digital certificates or security tokens to provide one time passwords or challenge and response verification to strengthen the authentication process is encouraged.
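The control described in paragraphs 4.5.2 and 4.5.4 (a dynamically generated, single-use authorisation code sent over a separate channel, required for high value transfers and other sensitive transactions) can be sketched as follows. This is an added illustration, not code from the guidelines or from any bank; the threshold, validity window and transaction types are hypothetical policy values, and the out-of-band delivery itself (e.g. SMS) is left to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical policy values: the guidelines leave the figures to each bank.
HIGH_VALUE_LIMIT = 5_000      # transfers at or above this amount need a second factor
CODE_TTL_SECONDS = 300        # how long an issued authorisation code stays valid
SENSITIVE_TYPES = {"new_payee", "account_linkage",
                   "change_account_details", "revise_transfer_limit"}


@dataclass
class PendingAuth:
    code_hash: bytes      # only a hash of the code is kept server-side
    txn_digest: str       # binds the code to one specific transaction
    expires_at: float
    used: bool = False


def needs_second_factor(txn: Dict[str, object]) -> bool:
    """Trigger in the spirit of para 4.5.4: value above a pre-set limit, or a sensitive change."""
    if txn["type"] == "transfer":
        return float(txn["amount"]) >= HIGH_VALUE_LIMIT
    return txn["type"] in SENSITIVE_TYPES


def txn_fingerprint(txn: Dict[str, object]) -> str:
    # Canonical, key-sorted encoding so the same transaction always hashes the same way.
    canonical = "|".join(f"{k}={txn[k]}" for k in sorted(txn))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_code(txn: Dict[str, object], now: float) -> Tuple[PendingAuth, str]:
    """Bank side: create a fresh 6-digit code. The returned string is what goes out of band;
    the PendingAuth record stays on the server and never travels with the web session."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending = PendingAuth(code_hash=hashlib.sha256(code.encode()).digest(),
                          txn_digest=txn_fingerprint(txn),
                          expires_at=now + CODE_TTL_SECONDS)
    return pending, code


def verify_code(pending: PendingAuth, txn: Dict[str, object], submitted: str, now: float) -> bool:
    """Reject expired, reused, mismatched-transaction or wrong codes; mark good ones as spent."""
    if pending.used or now > pending.expires_at:
        return False
    if pending.txn_digest != txn_fingerprint(txn):      # code cannot be replayed on a different transfer
        return False
    if not hmac.compare_digest(pending.code_hash, hashlib.sha256(submitted.encode()).digest()):
        return False
    pending.used = True                                  # single-use: a second submission fails
    return True
```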

Security Practices

In addition to the list of security practices for the bank to conform to (set out in paragraph 5.3.1 of both the revised guidelines and the previous guidelines), two new tasks for banks have been suggested, and they are for banks to establish network surveillance (paragraph 5.3.1(i) of the revised guidelines), and conduct regular system and data integrity checks (paragraph 5.3.1(j) of the revised guidelines).

Bank Disclosure

New paragraphs 8.0.4 and 8.0.5 have been added to the revised guidelines, to impose an obligation on banks to advise and explain to customers the precautionary measures that should be taken when accessing their online accounts. These measures would include taking adequate steps to prevent unauthorised transactions and fraudulent account use, as well as taking steps to protect the confidentiality of their access credentials so as to prevent impersonation and unauthorised account access.

Banks are also required to explain on their websites the process relating to dispute resolution, problem solving and loss/damage allocation, if and when a security breach occurs.

Customer Education

The revised guidelines expand on the list of security measures (found in paragraph 9.0.3 of both the revised guidelines and the previous guidelines) for customers to adopt. Specifically, the additional security measures provide that PINs should be changed regularly; that the same PIN should not be used for different websites, applications or services, particularly when they relate to different entities; that customers should check the authenticity of the bank’s website by comparing the URL with the bank’s name in its digital certificate; and that customers should check their bank account balances and transactions frequently and report any discrepancy.

Further, a new non-exhaustive list of security precautions for customers is set out in paragraph 9.0.4 of the revised guidelines, which includes instructing customers to delete junk and chain mail, to make regular backups of critical data, and not to disclose personal, financial and credit card information to little-known or suspect websites.

Finally, the concluding paragraph (paragraph 9.0.5 of the revised guidelines) reiterates that banks are directly responsible for the safety and soundness of the services and systems they provide. In this regard, they are required to maintain adequate and effective authentication and related security systems. At the same time, customers have a reciprocal duty: first, to take appropriate steps to ensure that their hardware or system integrity is not compromised when engaging in online banking, and secondly, to heed their bank’s advice on security measures.

This article is intended for general information and should not be acted upon without obtaining specific advice. If you would like further information, please contact the author.