Mandatory Two-Factor Authentication for Online Financial Services Platforms
- Calvin Chong
- Jun 27
Updated: Jul 3
Introduction
Following our May 2024 update, the Monetary Authority of Singapore (“MAS”) has been continuing its effort to ensure cyber resilience and trust in the financial system by focusing on cyber security.
Most recently, MAS has shared its observation that, apart from Financial Institutions (“FIs”), there are more cyberattack attempts, such as credential stuffing and phishing attacks, to gain unauthorised access to investors' online accounts.
MAS has published various circulars on key security controls recommendations, including the latest updated FAQs on Two-Factor Authentication (“2FA”) for Online Financial Services Platforms. Specifically, MAS has re-emphasized the importance and the need for mandatory 2FA implementation for applicable customers.
Expectation from MAS
MAS expects FIs to implement multi-factor authentication as part of the effort to secure their customers’ sensitive data through a secure authentication process, end-to-end application-layer encryption, etc.
Minimum 2FA implementation
FIs are reminded that 2FA is the minimum requirement for shielding their customers’ online accounts from unauthorized access and transactions. In addition, it is mandatory for FIs to implement 2FA as soon as possible, but no later than 12 September 2025, for all logins to online accounts, including but not limited to trading and investment accounts, email accounts and investor portals.
Subsequent to 12 September 2025, customers shall not have access to their online financial services without the minimum 2FA requirement.
Other security measures
Apart from implementing 2FA, FIs are encouraged to strengthen their internal controls by, in particular:
- providing notification to customers promptly (e.g. via SMS, email or push notification) on the execution of trades as well as changes to customer and account-related information;
- implementing password policies (e.g. minimum password length and complexity); and
- raising customers’ awareness of the risks associated with single-factor authentication and explaining the need for adoption of 2FA given the associated risks of not doing so.
Summary
In brief, this paper outlines the importance and urgency of implementing a strong 2FA process within FIs to reduce potential risks, including unauthorized trades, financial losses, and compromised customer personal data. In addition, users are strongly encouraged to use different passwords across different online platforms or accounts and to update these passwords regularly to strengthen account security.
How We Can Help
As a compliance solutions advisor, we offer tailored support to help your institution meet these evolving expectations from the authority, from understanding your organization and its technology risk management to identifying risks and implementing best practices.
Contact us for a no-obligation consultation to ensure your institution meets MAS requirements seamlessly.
For more details about this article, please refer to