How Secure are Know Your Customer (KYC) Services?

How KYC improves the customer experience while remaining secure

Know Your Customer (KYC) is a process that enables organisations to verify the identity of their users through independent and reliable sources of data such as social security cards, passports, and employment documents. While the primary benefit of KYC services is that they minimise the risk of money laundering, other benefits of this software include easing user onboarding, providing authorisation and digital signatures, and eliminating the need for financial institutions to collect physical documents to verify a customer's identification or obtain a photograph of the consumer separately.


Furthermore, KYC services can streamline the customer onboarding process, especially when integrated with a national digital identity platform like MyInfo. This is a tool that allows SingPass users to auto-fill personal information into online forms and enables organisations to carry out non-face-to-face user identification. In turn, MyInfo improves the efficiency with which government and private services are delivered, as it minimises the time spent filling out online forms and provides digital authorisation and signatures with secure authentication and proper consent from users.


As the cybersecurity of digital services is still a concern, this article will look at how secure the MyInfo software is and discuss how it can be enabled for any organisation that wants to benefit from KYC services.


Ensuring The Security of Your KYC Services

MyInfo, developed as part of Singapore’s National Digital Identity Framework, provides Singapore residents the means to prove their identity and digitally sign their documents so that they can carry out online transactions seamlessly and securely. This is made possible through the following 3 factors:


1. Adheres to industry IT security standards

As the personal and sensitive information of millions of users is available online, there is great pressure to properly protect and secure online transactions and systems. Organisations want a reliable way to verify the credentials of their users, and users want to be able to trust that their data is managed responsibly. As a result, MyInfo compiles user information from credible data sources, one of which is the Immigration and Checkpoints Authority national registry, and is integrated with multi-factor authentication to protect against identity fraud.


2. Operates as a consent-based platform

While MyInfo-integrated KYC services allow businesses to securely authenticate their users' identities with SP/CP (SingPass/CorpPass), user data privacy must still be protected. That is why MyInfo functions as a consent-based platform, allowing users to choose who can access their data and how much of it can be used. This means that when a user clicks the MyInfo button to auto-fill their information or digital signatures, a notification appears advising them of the information that will be shared with the service provider and asking for their permission. As a result of the secure identification and authentication procedure used by MyInfo-integrated KYC services, there is less need for face-to-face interaction between clients and organisations, allowing for more efficient onboarding.



3. Utilises SP/CP (SingPass/CorpPass) for authentication

As MyInfo relies on SPCP to authenticate users, this platform is particularly beneficial for organisations that use SingPass as their federated identity management system. SingPass is based on OIDC (OpenID Connect), a protocol that both authenticates and authorises users for service providers. OIDC is a layer on top of existing cybersecurity infrastructure such as OpenID and OAuth2.0 that provides a more secure IT environment for online transactions.


How Applications Can Be Securely Integrated with MyInfo

Since MyInfo uses the OIDC protocol, businesses can be assured of safe API connectivity when they integrate their web applications with it. OIDC enables web applications to authenticate users using an external server known as the OpenID Connect Provider (OP), which communicates with an identity provider to obtain the user's credentials. ID tokens issued to web applications contain JSON documents that detail user information, how and when the user was authenticated, and the length of the user session. Other tokens, such as access tokens and refresh tokens, can be issued as well. These tokens enable the secure transfer of encrypted and digitally signed user data between various systems.
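The ID token checks a web application makes before trusting such a token, as an added example that is not code from MyInfo, SingPass or this article's author. The issuer, client ID, key, clock and claims are constructed, and HS256 with a shared secret stands in for the provider's signature scheme so the example runs on the standard library alone; it covers signature and claim validation only, not token encryption.

```python
import base64, hashlib, hmac, json

ISSUER, CLIENT_ID, NOW = "https://op.example", "kyc-portal-demo", 1_700_000_000  # constructed
SECRET = b"constructed-demo-secret"  # HS256 key shared with the stand-in OP
SAMPLE = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-user", "nonce": "n-123",
          "auth_time": NOW, "amr": ["pwd", "otp"], "iat": NOW, "exp": NOW + 600}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def sign_id_token(claims: dict) -> str:  # stand-in for the OP issuing a token
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(head + '.' + body))}"

def validate_id_token(token: str, nonce: str, now: float, leeway: int = 60) -> dict:
    """Relying-party checks; returns the claims or raises ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        alg, signature = header["alg"], b64url_decode(sig)
        iss, aud, exp, _sub = (claims[k] for k in ("iss", "aud", "exp", "sub"))
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; the token never gets to choose it
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, mac(head + "." + body)):
        raise ValueError("bad signature")
    if iss != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")  # token must belong to this login attempt
    return claims

def check(token: str, nonce: str, now: float = NOW) -> str:
    try:
        return "accepted sub=" + str(validate_id_token(token, nonce, now)["sub"])
    except ValueError as exc:
        return "rejected: " + str(exc)
```

In a real integration, `now` is the current time, the nonce is the value the application stored when it started the login, and the signature is verified with a maintained JOSE library against the keys the provider publishes.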


Protecting Your Business’ KYC Services

KYC services ensure that businesses do their due diligence in reducing identity fraud and money laundering activities. At the same time, KYC services should be a safe and seamless experience for both businesses and users. While SPCP and MyInfo are designed and implemented to be very secure by utilising industry security standards such as OpenID and OAuth2.0, integrating them into a business’ current IT infrastructure comes with its own complexity. In such cases, an experienced IT security service provider like AdNovum Singapore can assist banks and other organisations in properly linking their third-party software to MyInfo. Contact us today to learn more.