Singapore banks will no longer use NRIC numbers for verification
Banks, public and private firms will no longer support verification of customers and employees via NRIC numbers from Jan 1, 2027.
The Personal Data Protection Commission (PDPC) and the Monetary Authority of Singapore (MAS) have ordered all banks and organizations to stop using NRIC numbers for authentication by the end of this year.
According to the Association of Banks in Singapore, NRIC numbers were never intended to serve as security credentials. Although it is the official identification document for a person, regulators say it is not suitable for verifying identity, especially if exposed or misused. Such identification methods are unnecessary because financial transactions such as payments and fund transfers already rely on multi-factor authentication. Additionally, most banks have also stopped requiring an NRIC number for security checks when performing non-transactional activities, such as accessing encrypted emails.
Verification using partial NRIC numbers in the public sector will also be terminated. According to the authorities, this method, which uses the last four characters for verification, is unreliable for accurate identification because different individuals can share the same name and partial NRIC number in some cases.
Public agencies will still be able to use full NRIC numbers in serious cases where precise identification is required, such as in official licenses or government-issued employment letters. In any other case, NRIC numbers should not be used.
The decision to implement these changes was made after the accidental exposure of company representatives’ NRIC numbers on the Accounting and Corporate Regulatory Authority’s BizFile portal in December 2024. Since then, regulators have intensified efforts to clarify the appropriate use of NRICs across both public and private sectors.
If a private company fails to comply with the new regulations, it will risk breaching Singapore’s Personal Data Protection Act as of January 1, 2027. Regulators are collaborating with industries such as banking, telecommunications, insurance, and healthcare to ensure compliance, while also consulting with the private sector to strike a balance between operational needs and data protection.
Singapore’s tightening of regulations comes in response to frequent cases of identity fraud. The government is seeking to strengthen data protection standards.
