
Digital Onboarding Risks: What CMS Licence Holders Must Know

The increasing adoption of digital channels has significantly transformed how Regulated Financial Institutions (RFIs) conduct onboarding, particularly within the context of regulatory compliance in Singapore.

Non-face-to-face (NFTF) onboarding, including the use of online facial verification solutions, offers greater convenience and operational efficiency. However, as highlighted in recent guidance from the Monetary Authority of Singapore (MAS), these technologies also introduce evolving risks, including deepfakes, spoofing attacks, and biometric manipulation.

As RFIs continue to digitise customer onboarding and service delivery, there is a need to balance user experience with robust risk management and AML/CFT compliance. Recent regulatory developments provide practical guidance on mitigating fraud, impersonation, and risks associated with facial biometric technologies.

Key Considerations for Regulated Financial Institutions

Strengthening Identity Verification

RFIs should implement robust processes to verify the authenticity of identity documents and detect potential tampering. This includes cross-checking against reliable and independent data sources (e.g., national digital identity systems) and ensuring consistency between submitted identification and the applicant’s facial features. RFIs may also leverage techniques such as fingerprinting and watermark detection to identify manipulated or synthetic content.

Implementing Effective Liveness Detection

To mitigate risks from deepfakes and spoofing attacks, RFIs should deploy facial verification solutions with advanced liveness detection capabilities. Techniques such as motion analysis, behavioural prompts (e.g., requiring users to perform specific actions), and 3D depth recognition help confirm physical presence. Regular testing against evolving deepfake scenarios remains essential.

Protecting Biometric and Customer Data

Given the sensitivity of biometric information, RFIs must adopt strong encryption standards to safeguard data both in transit and at rest. Periodic testing and review of cryptographic controls are necessary to ensure resilience against emerging cyber threats and to maintain customer trust. RFIs should also consider advanced approaches such as cancellable biometrics [1], where biometric data is transformed into non-reversible templates to reduce the risk of reuse or compromise.

1. Cancellable biometrics are a critical defence mechanism designed to protect the integrity of a user’s biometric identity. Unlike a password, physical biometric features cannot be changed if stolen; cancellable biometrics address this by applying non-reversible transformations, such as biometric salting (adding controlled noise) or irreversible feature transformations, so that the stored data is a unique, replaceable version of the original. A compromised template can then be revoked and a new, distinct one issued.
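The revocation property described in the footnote, as an added Python example that is not part of the original article and not any vendor's product: a feature vector (standing in for a face embedding) is passed through a salted random projection and sign-quantised, so the stored template is many-to-one and cannot be inverted to the feature, while replacing the salt yields an unrelated template. The feature vectors, salts, dimensions and the 0.25 match threshold are all constructed for illustration; a production scheme would keep the salt separate from the template (for example on the user's device or token) and tune the threshold from measured FAR/FRR.

```python
import hashlib
import random
import secrets
from typing import Dict, List

FEATURE_DIM = 64        # length of the constructed feature vector
TEMPLATE_BITS = 128     # length of the protected binary template
MATCH_THRESHOLD = 0.25  # normalised Hamming distance below which two templates match (assumed)


def issue_salt() -> str:
    """Per-enrolment secret; replace it to revoke a compromised template."""
    return secrets.token_hex(16)


def _projection(salt: str, dim: int, n_bits: int) -> List[List[float]]:
    # The projection depends only on the salt: the same salt always yields the
    # same matrix, a fresh salt yields an unrelated one. SHA-256 turns the salt
    # into a deterministic PRNG seed.
    seed = int.from_bytes(hashlib.sha256(salt.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]


def protect(feature: List[float], salt: str) -> List[int]:
    """Salted random projection followed by sign quantisation. Each bit keeps only
    the sign of one projection, so the template does not reveal the feature."""
    rows = _projection(salt, len(feature), TEMPLATE_BITS)
    return [1 if sum(w * x for w, x in zip(row, feature)) >= 0.0 else 0 for row in rows]


def distance(a: List[int], b: List[int]) -> float:
    """Normalised Hamming distance between two templates of equal length."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(a: List[int], b: List[int]) -> bool:
    return distance(a, b) < MATCH_THRESHOLD


# --- constructed sample data (stands in for a face-recognition embedding) ---

def constructed_feature(seed: int) -> List[float]:
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]


def recapture(feature: List[float], seed: int, sigma: float = 0.05) -> List[float]:
    """Same person, new capture: the enrolled feature plus small measurement noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in feature]


def demo() -> Dict[str, bool]:
    alice = constructed_feature(1)
    other = constructed_feature(2)
    # Fixed salts so the run is reproducible; use issue_salt() in practice.
    salt_v1, salt_v2 = "alice-enrolment-salt-v1", "alice-enrolment-salt-v2"

    enrolled = protect(alice, salt_v1)   # stored at enrolment
    reissued = protect(alice, salt_v2)   # issued after revoking salt_v1

    return {
        "same_person_same_salt": matches(protect(recapture(alice, 3), salt_v1), enrolled),
        "other_person_same_salt": matches(protect(other, salt_v1), enrolled),
        "old_template_vs_reissued": matches(reissued, enrolled),
        "same_person_after_reissue": matches(protect(recapture(alice, 4), salt_v2), reissued),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```

The first and last results are matches, the middle two are not: a leaked `enrolled` template is useless against the re-issued one, and a different person's features do not match even under the same salt. The scheme is a simplified BioHashing-style construction; real deployments also need to consider what happens when the salt and the template leak together, which is why the two are stored apart.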

Enhancing Security Controls Across the Process

Comprehensive security measures should be implemented to protect against manipulation and injection attacks. This includes end-to-end encryption, server-side validation to prevent client-side tampering, and real-time monitoring of verification sessions to detect suspicious behaviour.
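The behavioural prompts mentioned under liveness detection and the server-side validation described here fit together: the server chooses the action, binds it to the session with a signed, expiring, single-use challenge, and checks the observed result itself rather than trusting a client-reported "passed" flag. The following Python example is added here and is not code from the article or from any MAS guidance; the token format, the action list, the 60-second TTL and the in-memory nonce store are all assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

SERVER_KEY = secrets.token_bytes(32)  # constructed; in practice held server-side in a KMS/HSM
CHALLENGE_TTL = 60                    # seconds a challenge stays valid (assumed)
ACTIONS = ("turn_head_left", "turn_head_right", "blink_twice", "raise_eyebrows")

_used_nonces: Set[str] = set()        # single-use record; a shared store in a real deployment


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_challenge(session_id: str, now: int) -> str:
    """The server picks the action; the client never chooses what it must perform."""
    body = {"sid": session_id, "action": secrets.choice(ACTIONS),
            "nonce": secrets.token_hex(16), "exp": now + CHALLENGE_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def challenge_action(token: str) -> str:
    """The prompt shown to the user (the token is otherwise opaque to the client)."""
    return json.loads(base64.urlsafe_b64decode(token.split(".", 1)[0]))["action"]


def validate_response(token: str, session_id: str, observed_action: str, now: int) -> Tuple[bool, str]:
    """Server-side checks applied to the action the liveness engine observed in the video."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
        body = json.loads(payload)
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):  # edited or forged token
        return False, "bad_signature"
    if body["sid"] != session_id:                      # token belongs to another session
        return False, "session_mismatch"
    if now > body["exp"]:                              # response arrived after the window closed
        return False, "expired"
    if body["nonce"] in _used_nonces:                  # same response submitted twice
        return False, "replayed"
    if observed_action != body["action"]:              # a different (or pre-recorded) action
        return False, "wrong_action"
    _used_nonces.add(body["nonce"])
    return True, "ok"


def tampered_copy(token: str, new_action: str) -> str:
    """Negative test input: the action field edited without the server key, so the
    signature no longer matches the payload."""
    encoded, sig = token.split(".", 1)
    body = json.loads(base64.urlsafe_b64decode(encoded))
    body["action"] = new_action
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode() + "." + sig


def demo(now: int = 1_700_000_000) -> Dict[str, Tuple[bool, str]]:
    results: Dict[str, Tuple[bool, str]] = {}
    t1 = issue_challenge("session-A", now)
    a1 = challenge_action(t1)
    other = next(a for a in ACTIONS if a != a1)
    results["correct"] = validate_response(t1, "session-A", a1, now + 5)
    results["replay"] = validate_response(t1, "session-A", a1, now + 6)
    results["tampered"] = validate_response(tampered_copy(t1, other), "session-A", other, now + 7)
    t2 = issue_challenge("session-A", now)
    results["expired"] = validate_response(t2, "session-A", challenge_action(t2), now + CHALLENGE_TTL + 1)
    t3 = issue_challenge("session-A", now)
    a3 = challenge_action(t3)
    results["wrong_action"] = validate_response(t3, "session-A", next(a for a in ACTIONS if a != a3), now + 5)
    results["other_session"] = validate_response(t3, "session-B", a3, now + 5)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the signature is verified before anything in the payload is trusted, and the nonce is only consumed once every check has passed, so a failed attempt does not burn the challenge. Each rejection reason is a distinct string so that the real-time monitoring mentioned above can count repeated `replayed` or `bad_signature` outcomes per session and flag them.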

Continuous Monitoring and Governance

Facial verification solutions should be regularly assessed for effectiveness using metrics such as False Acceptance Rate (FAR) and False Rejection Rate (FRR). RFIs remain accountable for the robustness of both in-house and third-party solutions. Additionally, RFIs should continuously monitor verification sessions to detect anomalous patterns and ensure that critical validation steps are performed on the server side to prevent unauthorised manipulation.
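How FAR and FRR are actually computed from a vendor's match scores, and how a threshold is chosen against them, as an added Python example (not from the article or from any particular product). The genuine and impostor score distributions are constructed with fixed seeds; a real assessment would use scores from a labelled test set, including presentation-attack and deepfake samples, and would be repeated as the threat picture changes.

```python
import random
from typing import List, Tuple

Row = Tuple[float, float, float]  # (threshold, FAR, FRR)


def far(impostor_scores: List[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores: List[float], threshold: float) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine: List[float], impostor: List[float], steps: int = 100) -> List[Row]:
    """FAR and FRR at every threshold from 0.0 to 1.0 inclusive."""
    return [(t / steps, far(impostor, t / steps), frr(genuine, t / steps)) for t in range(steps + 1)]


def equal_error_point(genuine: List[float], impostor: List[float]) -> Row:
    """Threshold where FAR and FRR are closest; their average there approximates the EER."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def operating_point(genuine: List[float], impostor: List[float], max_far: float) -> Row:
    """Lowest threshold whose FAR does not exceed max_far, with the FRR that choice costs."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR target")


# --- constructed sample scores (similarity in [0, 1], higher means more alike) ---

def constructed_scores(n: int = 2000, seed: int = 7) -> Tuple[List[float], List[float]]:
    rng = random.Random(seed)

    def clamp(v: float) -> float:
        return min(1.0, max(0.0, v))

    genuine = [clamp(rng.gauss(0.80, 0.08)) for _ in range(n)]   # same person, new capture
    impostor = [clamp(rng.gauss(0.30, 0.10)) for _ in range(n)]  # different person
    return genuine, impostor


if __name__ == "__main__":
    g, i = constructed_scores()
    t, fa, fr = equal_error_point(g, i)
    print(f"EER region: threshold={t:.2f} FAR={fa:.4f} FRR={fr:.4f}")
    t, fa, fr = operating_point(g, i, max_far=0.001)
    print(f"FAR<=0.1%: threshold={t:.2f} FAR={fa:.4f} FRR={fr:.4f}")
```

The two functions answer different governance questions: `equal_error_point` summarises a solution's raw separating power for vendor comparison, while `operating_point` is the decision an RFI actually has to make, fixing the acceptable FAR first (the fraud risk) and then accounting for the FRR it imposes on legitimate customers. Tracking both numbers over time on fresh samples is what turns the "regular assessment" above into a measurable control.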

How Curia Regis Can Help

1. Regulatory Gap Assessments

  • Review of onboarding frameworks against regulatory requirements, including the 2025 MAS Guidelines on AI Risk Management, to help RFIs identify gaps and strengthen compliance when integrating AI into KYC and risk assessment procedures.

2. Risk and Control Enhancements

  • Support in designing and refining controls for NFTF onboarding, focusing on fraud mitigation, biometric verification, and risk management.

3. Vendor and Outsourcing Advisory

  • Support with third-party risk management, including vendor due diligence and ensuring outsourcing arrangements meet regulatory expectations.

4. Technology and Cyber Risk Advisory

  • Guidance on implementing secure systems, including data protection, encryption standards, and monitoring controls for digital onboarding processes.

5. Ongoing Compliance Support

  • Continuous reviews and monitoring to help RFIs maintain effective onboarding controls and stay aligned with evolving regulatory requirements.

Ensure your operational response is seamless. You can reach us here or email admin@thecuriaregis.com to get in touch. 
