Former Government CISO Chai Chin Loon talks with CXposé.tech editor-at-large Leona Lo about why strengthening Know Your Customer (KYC) practices matters, and matters more than keeping the NRIC secret.
The recent announcement by Singapore’s Ministry of Digital Development and Information (MDDI) that the government will treat National Registration Identity Card (NRIC) numbers as public information—rather than private and confidential—sent shockwaves through the cyber community.
This reaction was more about the surprise element than any fundamental issue with the decision itself. Some cyber experts, including former government CISO Chai Chin Loon, have argued that NRICs were never intended to be private or confidential.
Chin Loon believes the debate sparked by this announcement regarding the NRIC distracts from a much more crucial issue: the need to strengthen Know Your Customer (KYC) processes. In a world increasingly driven by digital services and transactions, robust KYC frameworks are essential to ensure secure identity verification.
According to him, focusing too much on the NRIC issue diverts attention from the broader goal of enhancing KYC procedures, which should not rely solely on static and easily obtainable data like NRIC numbers.
The role of KYC and its challenges
“KYC is the backbone of identity verification,” said Chai. He emphasized that KYC goes beyond simply identifying who someone is; it also involves authentication, which ensures that an individual is indeed who they claim to be.
He argued that while the NRIC is a precise identifier, it is not suitable for authentication purposes. “The NRIC is freely available and shouldn’t give a false impression that it’s a secret,” he stated. Relying on NRIC alone for authentication is inadequate and can create a false sense of security.
In fact, financial institutions do not rely solely on NRIC numbers for customer verification. They also request additional information, such as a person’s date of birth or mother’s maiden name. However, these are still merely identifiers and not authenticators.
Strong KYC includes, but is not limited to, knowledge-based authentication questions like recent financial transactions or the number of credit cards a person holds. These measures, though, are becoming less effective on their own. Therefore, additional layers of security are needed, such as one-time passwords (OTPs), push authentication and biometric identification using fingerprints or facial recognition.
Chin Loon said that a minimum standard for KYC should be set, tailored to the risks of the service being offered. High-risk processes, such as applying for credit cards, phone numbers, or opening bank accounts, should be subject to more stringent KYC protocols.
He is a strong advocate for Singpass, Singapore’s national digital identity system, which uses a unique authentication certificate for each individual. “Singpass is an excellent example of a secure system that balances usability and security. It’s far more reliable than older methods like SMS OTP, which are vulnerable to interception,” he explained.
Layered authentication: A necessary approach
When discussing the reliance of banks and credit card companies on SMS OTP for customer verification, he acknowledged that while it remains common, it is not foolproof. “Layering authentication is essential for security. Even face-to-face verification isn’t perfect, but it makes it harder for someone to bypass the system,” he explained. The higher the risk of the service, the more layers of authentication should be in place. In addition to verifying NRICs and dates of birth, banks and credit card companies commonly also ask customers transaction-related questions over the phone as an added layer of verification.
However, Chin Loon recognized that not all businesses can implement the highest level of KYC, especially small and medium-sized enterprises (SMEs). He noted that businesses must consider the cost-benefit balance: “What’s the cost if something goes wrong?” This is an important question when assessing the level of investment needed to secure sensitive information.
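As an added illustration of the layered, risk-tiered model described above (example code written for this edit, not anything from Chai, Singpass or any bank), a small Python policy check that treats NRIC, date of birth and mother's maiden name as identifiers contributing nothing to authentication, and that requires more, and stronger, authenticator kinds as the risk of the service rises. The evidence catalogue, strength scores and tier thresholds are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    IDENTIFIER = "identifier"  # says who the customer is; anyone may know it (NRIC, DOB, maiden name)
    KNOWLEDGE = "knowledge"    # something only the customer should know (recent transactions, cards held)
    POSSESSION = "possession"  # something the customer holds (phone for OTP/push, Singpass certificate)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Constructed catalogue: evidence name -> (kind, authentication strength).
# Identifiers score zero; SMS OTP is deliberately rated below push approval and the Singpass certificate.
EVIDENCE = {
    "nric": (Kind.IDENTIFIER, 0),
    "dob": (Kind.IDENTIFIER, 0),
    "mothers_maiden_name": (Kind.IDENTIFIER, 0),
    "recent_transaction_q": (Kind.KNOWLEDGE, 1),
    "sms_otp": (Kind.POSSESSION, 1),
    "push_approval": (Kind.POSSESSION, 2),
    "singpass_cert": (Kind.POSSESSION, 3),
    "face_match": (Kind.INHERENCE, 2),
}

# Constructed policy per risk tier: (distinct authenticator kinds required, minimum strength of strongest factor).
# "high" covers credit card applications, new phone numbers and account opening; it cannot be met by SMS OTP alone.
POLICY = {"low": (1, 1), "medium": (2, 1), "high": (2, 2)}


@dataclass
class Decision:
    allowed: bool
    kinds: int       # distinct authenticator kinds presented (identifiers excluded)
    strongest: int   # strength of the strongest authenticator presented
    reason: str


def assess(risk: str, presented: list) -> Decision:
    """Decide whether the presented evidence satisfies the KYC policy for a service of the given risk tier."""
    min_kinds, min_strength = POLICY[risk]
    unknown = [e for e in presented if e not in EVIDENCE]
    if unknown:
        raise ValueError(f"unknown evidence: {unknown}")
    # Identification first: the institution must know who it is dealing with.
    if not any(EVIDENCE[e][0] is Kind.IDENTIFIER for e in presented):
        return Decision(False, 0, 0, "customer not identified")
    # Authentication: only non-identifier evidence counts, and each kind counts once.
    auth = [EVIDENCE[e] for e in presented if EVIDENCE[e][0] is not Kind.IDENTIFIER]
    kinds = len({k for k, _ in auth})
    strongest = max((s for _, s in auth), default=0)
    if kinds < min_kinds:
        return Decision(False, kinds, strongest, f"need {min_kinds} authenticator kinds, got {kinds}")
    if strongest < min_strength:
        return Decision(False, kinds, strongest, "strongest factor too weak; step up to push or certificate")
    return Decision(True, kinds, strongest, "ok")
```

Presenting NRIC, date of birth and mother's maiden name for a high-risk service yields zero authenticator kinds, and adding a transaction question plus SMS OTP still fails the strength threshold, which is the step-up point at which a push approval or Singpass certificate is required.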
Protecting personal data: Is it still necessary?
Although the NRIC alone is not sufficient for authentication, Chai stressed the ongoing importance of protecting personal data, such as NRIC numbers, birth dates, and transaction details. These data points are critical components of a layered authentication process.
Regarding penalties for data breaches, he argued that penalties should be proportionate to several factors, including the type of data leaked and a company’s overall cyber defense posture. Companies found to have poor cyber hygiene would still face harsh penalties. As such, businesses should continue practicing strong cyber hygiene and protect sensitive information from theft and unauthorized access.
Final Thoughts
Chin Loon stressed that strong KYC practices are about understanding the nuances of identity verification. “It’s not about the NRIC—it’s about how you layer processes, assess risks, and stay agile in an evolving digital landscape,” he said.
Whether through systems like Singpass or robust biometric authentication, the ultimate goal is to build trust and security without compromising either.