Written Answer to Unanswered Oral Question

Prevention of and Punishment for Sale of Data by Bank Employees with Access to Clients' Credit Card Information

Speakers

Summary

This question concerns Ms Ng Ling Ling's inquiry regarding measures to prevent bank employees from selling credit card data, the penalties involved, and MAS audit requirements. Deputy Prime Minister and Minister for Trade and Industry Gan Kim Yong stated that the Banking Act prohibits unauthorized disclosure, with breaches punishable by fines or imprisonment. He highlighted that MAS requires IT controls to restrict system access to a need-to-know basis and mandates regular internal audits. Banks are also adopting advanced technologies like artificial intelligence and digital watermarks to detect unusual staff activity and strengthen data security. MAS emphasizes that protecting customer confidentiality is a core business priority and expects banks to continue investing in robust detection capabilities.

Transcript

72 Ms Ng Ling Ling asked the Prime Minister and Minister for Finance (a) how does MAS ensure that bank employees with access to clients' credit card and Card Verification Value numbers do not abuse the clients' trust and sell such data to scammers or cause scammers to gain access to them; (b) what is the punishment for employees who commit such offences; and (c) what are MAS' requirements on banks to conduct audits to uncover potential risks and offences.

Mr Gan Kim Yong (for the Prime Minister): Under the Banking Act, banks and their officers are strictly prohibited from disclosing customer information to any external party unless expressly permitted. Individuals found to be in breach of the Banking Act are liable to fines or imprisonment, or both.

As required under the Monetary Authority of Singapore's (MAS') Notice on Technology Risk Management, banks must and have put in place information technology controls to protect customer information from unauthorised access or disclosure. This includes controls to limit employees' access to systems containing customer data on a need-to basis.

MAS expects banks' internal audit functions to address all material risks, including data loss. Banks have conducted audits to review their controls for data loss and users' access to systems containing customer information, and have taken measures to address issues identified.

With improvements in technology, banks are continually strengthening their ability to detect unusual staff activity using digital screen watermarks, artificial intelligence and other advanced techniques. The ability to protect the confidentiality of customer information is core to a bank's business and MAS expects that they continue to invest in this area.