FEATURES

MAS Issues Revised Internet Banking Technology Risk Management Guidelines

This article discusses the new provisions of the revised MAS Internet Banking Technology Risk Management Guidelines and compares them with the previous guidelines.

Following a high-profile hacking case in which the accounts of 21 customers of a local bank were hacked into and a reported S$62,000 stolen before the hacker fled the country, the Monetary Authority of Singapore (‘MAS’) has recently updated and re-issued its Internet Banking Technology Risk Management Guidelines (the ‘revised guidelines’) to increase the standards of risk management and security practices that banks must adopt.

The previous version of the guidelines before this recent update is the February 2001 version (the ‘previous guidelines’). The MAS issued its first policy statement on internet banking in July 2000.

The updated Internet Banking Technology Risk Management Guidelines (September 2002) are accessible from the MAS website at www.mas.gov.sg.

This article discusses the various aspects of the revised guidelines which are new, or which have been expanded upon, when compared to the previous guidelines. Broadly speaking, the update is geared towards further enhancing existing measures to improve customer protection. The revised guidelines also focus on promoting customer awareness of the various risks associated with internet banking and emphasising the need for customers themselves to take precautionary measures.

Data Confidentiality

Paragraph 4.1.5 of the revised guidelines provides that in accordance with the general principle of data protection, the encryption security pertaining to the customer’s PIN and other sensitive data should be maintained from the point of data entry to the final system destination, where decryption and/or authentication takes place.

Additional Security Features for High Value Fund Transfers and Other Sensitive Transactions

The limitations of user-ID and PIN combination (presently the most popular and predominant method of authentication for internet online systems) should be recognised and addressed, in respect of high value fund transfers, payment account creation and other sensitive transactions.

Paragraph 4.5.2 of the revised guidelines states that to augment one-factor PIN authentication, variable and unique authorisation codes should be used as part of the log-on process or for approving sensitive transactions. These authorisation codes should be generated by the banks and conveyed to customers via separate channels, which are unrelated to internet banking.

In devising these security features, banks are urged to take account of their efficacy and differing customer preferences for additional online protection.

In respect of applications which require even stronger authentication, banks are called upon by the revised guidelines to deploy enhanced methods based on one-time password generating tokens, challenge and response security tokens, digital certificates, smartcards and/or biometric devices.

Confirmatory Procedures

Paragraph 4.5.4 of the revised guidelines states that confirmatory procedures should be applied in respect of transactions above certain pre-set values, creation of new account linkages, registration of third party payee details, changing account details or revision to funds transfer limits. The additional use of digital certificates or security tokens that provide one-time passwords or challenge and response verification to strengthen the authentication process is encouraged.

Security Practices

In addition to the list of security practices for banks to conform to (set out in para 5.3.1 of both the revised guidelines and the previous guidelines), two new tasks are suggested for banks, namely to:

Bank Disclosure

New paras 8.0.4 and 8.0.5 have been added to the revised guidelines, to impose an obligation on banks to advise and explain to customers the precautionary measures that should be taken when accessing their online accounts. These precautionary measures, to be adopted by customers, include taking adequate steps to prevent unauthorised transactions and fraudulent account use, as well as taking steps to protect the confidentiality of their access credentials so as to prevent impersonation and unauthorised account access.

Banks are also required to explain on their websites the process relating to dispute resolution, problem solving and loss/damage allocation, if and when a security breach occurs.

Customer Education

The revised guidelines expand on the list of security measures (found in para 9.0.3 of both the revised guidelines and the previous guidelines) for customers to adopt. Specifically, the additional security measures provide as follows:

Further, a new non-exhaustive list of security precautions for customers is set out in para 9.0.4 of the revised guidelines, which includes instructing customers to delete junk and chain mail, to make regular backups of critical data and not to disclose personal, financial and credit card information to little-known or suspect websites.

Finally, the concluding paragraph (para 9.0.5 of the revised guidelines) reiterates that banks are directly responsible for the safety and soundness of the services and systems they provide. In this regard, they are required to maintain adequate and effective authentication and related security systems. At the same time, customers have a reciprocal duty, firstly, to take appropriate steps to ensure that their hardware or system integrity is not compromised when engaging in online banking and, secondly, to heed their bank’s advice on security measures.


Amy Lai
Allen & Gledhill
E-mail: amy.lai@allenandgledhill.com