NRIC numbers may not be secure enough for authentication purposes, but how will companies adapt?
Source: Business Times
Article Date: 16 Dec 2024
Author: Yong Jun Yuan
Publicly available NRIC numbers can lead to unintended challenges with compliance and data breaches.
National Registration Identity Card (NRIC) numbers may not be secure enough to authenticate transactions, but making the full numbers publicly available may lead to unintended consequences.
On Saturday (Dec 14), the Ministry of Digital Development and Information (MDDI) announced that the government will view NRIC numbers as public information, instead of being private and confidential as they currently are.
The government is also planning to stop the practice of masking NRIC numbers as this provides a false sense of security.
Responding to public queries, the nation’s privacy watchdog, the Personal Data Protection Commission (PDPC), said that its existing guidelines for NRIC numbers including banning its widespread use remain in force. This raises questions about how banks and other regulated sectors will treat NRIC numbers.
As the various stakeholders study the changes and look to update guidelines, one issue raised by a local bank employee is that the sudden shift to making NRIC numbers public raises questions about how local identification data will be treated differently from foreign data.
For know-your-customer and anti-money laundering purposes, government-issued identification data, such as passport numbers, are routinely collected from both local and foreign bank customers
“It cannot be that for European data, I treat it with a higher standard and then for Singaporean’s data, I treat it with a lower standard,” the source said, adding that a harmonised framework will need to be built.
The employee also noted that since new regulations were put in place in 2019, banks’ compliance teams have spent time and effort updating systems and processes. They have also had to retrain staff to protect such data, including NRIC numbers.
Contradictory information from the government could erode other bank employees’ trust in compliance teams, the source said.
In its statement on Saturday, MDDI suggested that NRIC numbers should not be considered sensitive. However, compliance teams had taught bank employees that it is.
The ministry said: “As a unique identifier, the NRIC number is assumed to be known, just as our real names are known. There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others.”
Another issue for banks might be how they would deal with an NRIC data leak since it is now considered public information. Banks would typically be required to disclose such breaches to PDPC.
Still, there are benefits to pushing companies to shift away from the practice of using NRIC numbers for verification purposes.
Stefanie Yuen Thio, joint managing partner at TSMP Law Corporation, said that she agrees with the government’s stance that NRIC numbers are for identification and are insufficiently private for verification.
“I have, on a number of occasions, told the bank officer asking to do a ‘phone verification’ before proceeding to take my banking instructions, that the NRIC and date of birth information they request is easily available and not sufficiently secure,” she said.
She added that this is a good wake-up call for companies to consider how they can enhance their verification procedures with biometric or in-app verification methods.
Ben Chester Cheong, a Singapore University of Social Sciences law lecturer, said that the government’s policy shift represents a forward-thinking approach to digital identity management.
“This policy evolution makes practical sense – treating NRIC numbers as public identifiers rather than confidential information reflects their true purpose and eliminates the false sense of security that masking provides,” he said.
Similarly, director of legal firm Covenant Chambers Khelvin Xu said that there are valid reasons for allowing the retrieval of NRIC numbers in some circumstances.
For example, practicing lawyers retrieve NRIC numbers and addresses to ensure that lawsuits are served on the right people.
But he added that allowing anyone to retrieve any person’s NRIC number, regardless of their justification, goes too far. He also agrees with the move to disable the Accounting and Corporate Regulatory Authority’s Bizfile portal’s search function for now.
“After all, not doing so makes it more likely for identity theft to occur, particularly when it is uncertain how many organisations presently use NRIC numbers as authenticators, and how long they will take to change their authentication methods,” he said.
Since an update on Dec 9, users of the Bizfile portal have been able to search for business owners and shareholders’ full NRIC numbers with just their name. These numbers were previously masked, where only the last four alphanumeric characters were shown.
Companies required by law to collect NRIC numbers are also awaiting guidelines and updates on any changes to the handling of such data.
Telcos StarHub and Simba told The Business Times that they are waiting on the Infocomm Media Development Authority to provide updates and guidance.
Meanwhile, the Association of Banks in Singapore has not yet made any public statements on the issue.
Source: Business Times © SPH Media Limited. Permission required for reproduction.
2292