Financial institutions across Southeast Asia are grappling with an alarming surge in identity and financial fraud. Based on an APAC Identity fraud report released by Sumsub, identity fraud has surged dramatically in the region with over 200% increase in countries like Singapore, Thailand and Indonesia.
Fraudsters are becoming increasingly sophisticated, leveraging advanced technologies and exploiting vulnerabilities in traditional systems and human behavior. AI-powered tools are widely used to forge documents and create highly convincing deepfakes to impersonate trusted users during initial verification checks and fool biometric systems. These fraudulent activities span from the initial onboarding (identification) phase with its KYC (Know Your Customer) processes, to the ongoing authentication of customers to their accounts. In this increasingly hostile digital environment, financial institutions need to urgently address several critical objectives:
Achieve regulation compliance. This includes adhering to stringent regulations within the required timeframe. Non-compliance can lead to hefty fines, reputational damage, and operational restrictions.
Avoid financial loss due to fraudulent activities. Direct financial losses from fraud can be substantial, impacting profitability and stability. Robust identity verification and fraud prevention mechanisms are essential to safeguard assets.
Protect brand and retain customer trust. The proliferation of sophisticated attacks and fraud, such as account-take-over (ATO), deepfakes, and AI-powered scams, directly erode customer confidence and tarnish a bank's reputation. Maintaining trust is paramount in the competitive financial landscape.
Regulation control enhancement to fight against advanced frauds.
Central banks and regulators across Southeast Asia are accelerating efforts to strengthen digital security, enhance identity verification, and combat financial fraud through mandatory adoption of biometrics, multi-factor authentication (MFA), and advanced fraud management systems. This push directly responds to escalating fraudulent activities in KYC and authentication.
In Malaysia, Bank Negara Malaysia (BNM)'s updated e-KYC policy (April 2024) mandates secure, effective, and risk-proportionate e-KYC measures. Technology providers for e-KYC solutions must have their modules (document verification, biometric matching, liveness detection) assessed by credible external independent assessors against standards like ISO 19794-5 and ISO 30107-3. Financial institutions must review these requirements every three years or upon material changes.
The Philippines' Bangko Sentral ng Pilipinas (BSP), driven by the Anti-Financial Account Scamming Act (AFASA), requires supervised institutions to improve fraud management systems by June 2026. This emphasizes stronger authentication, limiting easily interceptable methods like SMS/email OTPs due to social engineering. Recommended methods include biometric authentication (fingerprint, facial, voice recognition) and behavioral biometrics, augmented with adaptive authentication based on context.
Singapore’s Monetary Authority of Singapore (MAS) updated its guidelines in June 2025, strongly expecting financial institutions to implement two-factor authentication (2FA) for online financial services by September 12, 2025.
In Thailand, the Bank of Thailand (BOT) published a "Guideline for Biometric Technology Adoption in Financial Services" (September 2023). This promotes safe biometric use, emphasizing compliance with international standards like ISO, NIST, and FIDO biometric requirements, with external assessments, particularly for systems involving biometric data and third-party providers.
Vietnam (July 2024) mandates end-to-end biometric verification for digital transactions, especially for transfers of VND10 million or more, requiring face biometric scanning via smartphone cameras. Circular 50/2024/TT-NHNN requires online banking service providers to meet ISO 30107-3 for presentation attack detection (PAD) and FIDO authentication certification from July 1st, 2026. These solutions must be tested by a FIDO Alliance-recognized organization.
Failure to meet these milestones defined by regulators can result in disruptions to banking services, potentially leading to adverse business impacts and a decline in customer trust.
The challenges of supplier selection and qualification.
Even with clear criteria and a robust understanding of required solutions, the journey of selecting and qualifying an eKYC supplier is fraught with challenges for financial institutions:
Lack of internal expertise. Many financial institutions, particularly those new to advanced digital identity solutions, lack the in-house technical knowledge to thoroughly evaluate complex technologies like AI-driven risk assessment, biometrics, liveness detection, and FIDO standards. This can lead to underestimating risks or overestimating a vendor's capabilities.
Integration complexities. Modern eKYC solutions must integrate seamlessly with a bank's intricate legacy systems, which often presents significant technical hurdles, unexpected costs, and project delays.
Lock-in vendor. Choosing a proprietary solution can lead to long-term dependence on a single vendor, making it difficult and expensive to switch if the solution proves inadequate or if better technologies emerge. This inhibits flexibility and future innovation.
Evolving regulatory landscape. The rapid pace of regulatory changes means that a compliant solution today might not be compliant tomorrow. Financial institutions need partners who are not only up to date but also proactive in adapting to new mandates.
Wasted Investment. Investing heavily in a solution that ultimately performs poorly (e.g., high false positives for fraud or false negatives for legitimate customers) results in wasted resources and continued exposure to risk. An inefficient or unqualified solution can quickly eat away at any expected benefits, turning an investment into a financial drain.
Underestimating operational risks. Especially in diverse markets, predicting the operational impact of a new eKYC solution on customer journeys and internal processes can be challenging without deep contextual understanding and regional case studies.
Data security and privacy concerns. Entrusting sensitive customer data to a third-party requires rigorous due diligence in their security protocols, data handling practices, and compliance with local data residency and privacy laws.
These complexities underscore the need for a rigorous, informed, and independent evaluation process.
Key areas to consider for supplier selection and qualification.
When selecting an identification and authentication solution supplier, a comprehensive evaluation is essential to align the chosen solution with an organization's specific needs and regulatory requirements. This assessment covers following key areas:
Coverage. This encompasses geographical reach and functionalities for identification and authentication, such as ID document authenticity verification, biometric matching, liveness detection, and AI-driven risk analysis solution. It's also crucial to ensure the solution is future-proof and can adapt to evolving requirements, such as digital identity initiatives or new payment use cases.
Quality. This focuses on the reliability and sources of data utilized for development by the supplier. Organizations must scrutinize data sources for reliability and potential quality issues. The effectiveness of de-duplication, matching, and cross-referencing tools is a significant indicator of quality.
Efficiency. This evaluates the solution's level of automation, digitalization, and supported customer interaction channels. The primary goal is to minimize user journey friction and enhance customer experience, while reducing the manual efforts required in data validation.
Support. This examines the supplier’s service level in the solution's development and ongoing management. It's vital to assess the ability to address issues like poor performance or increased fraud rates. Supplier stability and consistent performance across various operating systems are also critical.
Maturity. This assesses the solution's proven track record, involving an understanding of its testing methodologies, performance metrics, and relevant external certifications.
Security. This is paramount, focusing on the solution's resistance to attacks and its ability to detect abnormalities like fake or synthetic identities. Suppliers should provide verifiable evidence of technology performance, such as external certifications. Resistance to account takeovers and other cyberattacks, along with integrated fraud detection and prevention measures (e.g., monitoring unusual behavior) with risk-based assessment mechanisms are key. The capability to provide alternatives to mitigate risks associated with phishing or social engineering attacks is also essential.
Compliance. This is crucial, requiring assurances that the solution adheres to Anti-Money Laundering (AML), Know Your Customer (KYC), Customer Due Diligence (CDD), and relevant personal data protection laws depending on the applicable policies in the targeting countries. Some regulations may require evidence or certificates from an external assessor or auditor to prove conformance with indicated standards.
Work with an expert partner for a secure digital future.
Navigating the treacherous waters of digital identity verification, fraud, and regulatory compliance requires more than just an internal review. Financial institutions need a reliable, knowledgeable, and neutral partner to support them throughout this critical journey. Combining Fime’s accredited testing laboratory and Consult Hyperion’s expertise, our end-to-end service enable financial institutions navigate the complexities of supplier selection and embrace the digital future with resilience and confidence.
Looking to select and deploy the best-in-class solution? Let’s talk.
