Singapore data breach could affect banks

Tour boats ply along the river next to the financial business district in Singapore. (Roslan Rahman / AFP Photo)

Singapore’s banks should watch the fallout from the island’s healthcare-data breach. This could get ugly for them.

The National Electronic Health Record project is taking a pause after hackers stole data on 1.5 million patients including Prime Minister Lee Hsien Loong, who was “specifically and repeatedly” targeted.

Immediate repercussions for banks have already become obvious, with the Monetary Authority of Singapore (MAS) cautioning lenders not to rely only on full name, national identification number, address, gender, race and date of birth for customer verification. While introducing additional layers of security such as one-time passwords or biometric identification means additional costs, most Singapore banks have such basic technologies already in place. Their bigger worry should be MyInfo.

In April, Standard Chartered Plc and the three homegrown Singapore banks — DBS Group Holdings Ltd. (DBS), Oversea-Chinese Banking Corp. (OCBC) and United Overseas Bank Ltd. (UOB) — began a pilot program to tap this state-built digital repository of citizen information for know-your-customer (KYC) checks required to open bank accounts. The idea is to eventually use MyInfo profiles to issue credit cards, home loans and insurance policies.

Every digital customer of DBS is three times as valuable to the bottom line as a brick-and-mortar customer. Singapore’s “Smart Nation” project, which envisions paperless KYC and a cashless society, has made OCBC commit to cutting bank teller jobs in the city by half and retraining the surplus staff for digital banking by 2020. Should the authorities be forced now to rethink Smart Nation’s security features, investor expectations of shareholder returns at Singaporean banks may also have to be lowered.

The other impact could be on commingling. To enable them to compete with fintech players, Singapore’s regulators have relaxed post-1998 restrictions on banks’ ownership of non-financial businesses. DBS has invested in a property marketplace and in a digital platform for buying and selling cars; UOB has gone into holiday planning, while OCBC is pampering new mothers online.

The banks’ primary aim is to own rich and varied customer data. However, following the SingHealth breach, privacy and security are bound to get a closer regulatory look. It’s one thing for Facebook Inc. to hit a speed bump over such concerns, and quite another for systemically important banks in a major financial centre to run into similar issues because of their dalliance with e-commerce.

Now that a widely publicized hack has materialized, other incidents are also coming to light. The Straits Times has reported that data on 70,000 members of the island’s Securities Investors Association were stolen five years ago — and they came to know of it only this week.

There’s a silver lining in all this, though. To safeguard citizens’ trust and preserve the reputation of its financial industry, Singapore will scale up investments in cybersecurity. That’s good news for startups that will be spawned by initiatives like the one between Israel’s Ben-Gurion University and Singapore’s Nanyang Technological University. Their researchers’ goal is to fend off cyber-attacks by mimicking how the human body fights germs.

Seven years ago, global banks running large front- and back-office operations in Singapore failed to grasp the seriousness of anti-immigration angst among Singaporeans even after voters sent a strong message in the 2011 general elections. Strict controls on foreign-worker visas since then have affected all industries, including banking. The theft of the prime minister’s health records may be another such defining moment.

If they’re reading the tea leaves right, banks should set up private equity funds that invest in cutting-edge cybersecurity startups. It would be a far better use of their resources than hawking used cars and diapers. - Bloomberg