Monetary Authority of Singapore’s transaction signing regulations force U.S. financial institutions to look at new solutions

Protecting customer accounts, both consumer and business, is a top priority for financial institutions everywhere, especially in light of the growing security risks with online and mobile banking. The global nature of today’s financial world has also led many banks to offer international banking services to multinational corporations and consumers, which has complicated their ability to provide security. As a result, many financial institutions, and even governments, are looking past yesterday’s security approaches and assessing new and stronger alternatives, such as transaction signing. 

Governments and regulatory bodies are embracing secure digital transaction signing by setting industry standards and enacting regulatory requirements aimed at engineering a more secure digital environment for their citizens. One of the strictest and most prescriptive sets of standards in effect is the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines, which state that financial institutions should implement two-factor authentication at login for all types of online financial systems and transaction signing for authorizing transactions. They also require that banking customers be able to review the individual transactions in a batch and sign them on an out-of-band device. The guidance further suggests that a one-time password (OTP) or digital signature be generated for each new payee being added and that the data being signed be displayed to the customer in a meaningful way before it is signed. Singapore is not the only territory implementing such requirements; South Korea and Taiwan have done so as well.

Two-factor authentication to secure online and mobile transactions is not a new concept. While it certainly helps counter fraud, weak implementations of it continue to allow banking systems to be targeted by fraudsters. OTP systems and challenge-based questions are being defeated with ease, enabling fraudulent schemes, such as the Eurograbber Trojan, to compromise thousands of accounts and inflict tens of millions of dollars of account takeover fraud losses.

To remain in compliance with the MAS guidelines and further protect their customers, banks should implement digital transaction signing capabilities. Transaction signing targets transactions deemed higher risk: it verifies the authenticity and integrity of an online transaction by requiring customers to digitally sign major transactions, such as large monetary transfers or online changes to personal customer details.

So, how does transaction signing actually work? To confirm an online transaction, the user is required to enter a dynamic PIN or OTP that is generated when the customer inputs information specific to that transaction, such as the account number or the transaction amount, into a device that is uniquely theirs. The same value is calculated from that transaction data on both the client device and the server side. If the two values do not match, the signature is voided and the transaction is not approved.

Complying with the new regulations, while also offering efficient customer service, requires banks to implement an intuitive interface for viewing all transactions in a batch and approving them individually. The ideal solution would allow the approver’s responses to be digitally signed, supporting nonrepudiation. Where multiple approvers are required, transaction authentication messages should be sent to all the parties, approving the transaction only when the required responses have been submitted.
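The mechanism the previous two paragraphs describe, written out as an added example (this is illustrative code, not Entersekt's product code and not an algorithm the MAS guidelines prescribe): the customer's device derives a short signing code from the transaction details it displayed, the server independently recomputes the code from the transaction it is about to execute, and a batch item is approved only when every required approver's code verifies. The example assumes a symmetric per-device secret with HMAC-SHA256 and HOTP-style truncation to eight digits; the device identifiers, account numbers, secrets and the server-issued challenge are all constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: one shared secret per enrolled device (assumption: a symmetric
# secret provisioned at enrolment; a real deployment would never hard-code these).
DEVICE_SECRETS = {
    "alice-phone": bytes.fromhex("0f" * 32),
    "bob-token": bytes.fromhex("a1" * 32),
}


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    payee_account: str
    amount_cents: int
    currency: str


def new_challenge() -> str:
    """Server-issued per-transaction nonce so a captured code cannot be replayed."""
    return secrets.token_hex(8)


def canonical(tx: Transaction, challenge: str) -> bytes:
    """Fixed field order and separator so client and server MAC identical bytes.
    These are the fields the device must display to the user before signing."""
    fields = [tx.tx_id, tx.payee_account, str(tx.amount_cents), tx.currency, challenge]
    return "|".join(fields).encode()


def signing_code(device_id: str, tx: Transaction, challenge: str, digits: int = 8) -> str:
    """Code shown on the customer's device after the user confirms the displayed details."""
    mac = hmac.new(DEVICE_SECRETS[device_id], canonical(tx, challenge), hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP) so the code fits a small display.
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def server_verify(device_id: str, tx: Transaction, challenge: str, code: str) -> bool:
    """Server recomputes from the transaction it will execute and compares in constant time."""
    expected = signing_code(device_id, tx, challenge)
    return hmac.compare_digest(expected, code)


def approve_batch(batch, required_approvers, responses, challenge):
    """Return the ids of batch items that carry a valid code from every required approver.
    responses maps tx_id -> {device_id: code}; a missing response simply fails to verify."""
    approved = []
    for tx in batch:
        codes = responses.get(tx.tx_id, {})
        if all(server_verify(dev, tx, challenge, codes.get(dev, "")) for dev in required_approvers):
            approved.append(tx.tx_id)
    return approved


def run_scenarios() -> dict:
    """Constructed scenarios: a genuine code, a tampered payee, a replay, and a batch."""
    challenge = "3f9a1c77e0b24d15"  # constructed; normally new_challenge() per transaction
    tx = Transaction("tx-1001", "SG12-DBSS-0000-1234", 250_000_00, "SGD")
    code = signing_code("alice-phone", tx, challenge)
    # Malware swaps the payee after the customer signed what was displayed to them.
    tampered = Transaction(tx.tx_id, "SG12-DBSS-0000-9999", tx.amount_cents, tx.currency)
    batch = [tx, Transaction("tx-1002", "SG12-OCBC-0000-5678", 90_000_00, "SGD")]
    responses = {
        "tx-1001": {"alice-phone": code, "bob-token": signing_code("bob-token", tx, challenge)},
        "tx-1002": {"alice-phone": signing_code("alice-phone", batch[1], challenge)},  # Bob pending
    }
    return {
        "genuine": server_verify("alice-phone", tx, challenge, code),
        "tampered_payee": server_verify("alice-phone", tampered, challenge, code),
        "replayed_other_challenge": server_verify("alice-phone", tx, "different-nonce", code),
        "approved": approve_batch(batch, ["alice-phone", "bob-token"], responses, challenge),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the design is that the code binds to the payee and amount the customer actually saw: a modified payee, a reused code under a fresh challenge, or a second approver who has not yet responded all leave the server's recomputation mismatched, so the transaction stays unapproved.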

With the increased use of mobile devices, it is important that this type of solution also work on a phone or tablet. Industry-standard X.509 digital certificates can be employed to uniquely identify every mobile device, transforming it into a second factor that authenticates the user when logging into the corporate online banking portal. Additionally, leveraging advanced digital certificates enables executives to digitally sign approvals of all sensitive transactions (single or batched) with just one touch, and allows communications to and from the financial institution to be fully encrypted.

Implementing a transaction signing solution like this one would not only help protect banking customers, but would also help financial institutions meet the international business banking requirements in Singapore. Given the current environment and the rate of fraud targeting small business banking, it is also not inconceivable that U.S. and other regulators might start requiring broader use of transaction signing in some or all business banking transactions.

For more information on digital transaction signing, download Entersekt’s new white paper, The Importance of Transaction Signing to Banks.