๐™„๐™› ๐™ฎ๐™ค๐™ช๐™ง ๐™—๐™ช๐™จ๐™ž๐™ฃ๐™š๐™จ๐™จ ๐™จ๐™ฉ๐™ž๐™ก๐™ก ๐™ช๐™จ๐™š๐™จ ๐™‰๐™๐™„๐˜พ ๐™ฃ๐™ช๐™ข๐™—๐™š๐™ง๐™จ ๐™ฉ๐™ค ๐™–๐™ช๐™ฉ๐™๐™š๐™ฃ๐™ฉ๐™ž๐™˜๐™–๐™ฉ๐™š ๐™˜๐™ช๐™จ๐™ฉ๐™ค๐™ข๐™š๐™ง๐™จ, ๐™‹๐˜ฟ๐™‹๐˜พ ๐™ฌ๐™–๐™ฃ๐™ฉ๐™จ ๐™ฎ๐™ค๐™ช ๐™ฉ๐™ค ๐™จ๐™ฉ๐™ค๐™ฅ. ๐˜ผ๐™ฃ๐™™ ๐™ฉ๐™๐™š๐™ฎ'๐™ง๐™š ๐™ฃ๐™ค๐™ฉ ๐™–๐™จ๐™ ๐™ž๐™ฃ๐™œ ๐™ฃ๐™ž๐™˜๐™š๐™ก๐™ฎ.

You send your customer a PDF statement. Before they can open it, you ask them to key in the last four digits of their NRIC. Feels responsible, right? You're verifying their identity. You're protecting their data.

Except you're not. You're doing the opposite.

Every time you ask a customer to key in their NRIC, full or partial, to access a file, open an account, or verify their identity, you're asking them to risk one piece of confidential data in order to protect another. That's not security. That's a paradox.

PDPC has recognised this, and they've made it clear: businesses should not use full or partial NRIC numbers as an authentication factor. This isn't a suggestion. Enforcement begins by January 2027, and if your systems still rely on NRIC-based authentication by then, you are not compliant with the PDPA.

๐—ช๐—ต๐—ฎ๐˜ ๐—ง๐—ต๐—ถ๐˜€ ๐— ๐—ฒ๐—ฎ๐—ป๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ฌ๐—ผ๐˜‚๐—ฟ ๐—•๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€

If you currently use NRIC (even just the last four digits) for any of the following, you need to make changes:

  • Password-protecting PDF statements or documents
  • Customer login or account verification
  • Identity authentication for accessing sensitive information

The intent behind the guideline is straightforward: NRIC numbers are permanent, unique identifiers. They cannot be changed if compromised. Using them as passwords or PINs treats them as disposable credentials when they are anything but.

๐— ๐˜† ๐—”๐—ฑ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—ฎ๐˜€ ๐—ฎ ๐——๐—ฃ๐—ข

๐—™๐—ถ๐—ฟ๐˜€๐˜, ๐—ฎ๐˜‚๐—ฑ๐—ถ๐˜ ๐˜†๐—ผ๐˜‚๐—ฟ ๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€ ๐—ป๐—ผ๐˜„. Identify everywhere your business uses NRIC โ€” full or partial โ€” for authentication. Don't wait until late 2026 to scramble.

๐—ฆ๐—ฒ๐—ฐ๐—ผ๐—ป๐—ฑ, ๐˜€๐˜„๐—ถ๐˜๐—ฐ๐—ต ๐˜๐—ผ ๐—ฝ๐—ฟ๐—ผ๐—ฝ๐—ฒ๐—ฟ ๐—ฎ๐˜‚๐˜๐—ต๐—ฒ๐—ป๐˜๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—บ๐—ฒ๐˜๐—ต๐—ผ๐—ฑ๐˜€. There are proven alternatives that protect your customers without putting their personal data at risk:

  • SMS or email one-time passwords (OTP)
  • Two-factor authentication (2FA) apps
  • Unique PINs or passwords set by the customer themselves
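What "proper" looks like in practice for the first of those alternatives: the sketch below is an added example, not code from the post or from Veritos, of an SMS/email OTP issuer and verifier. The account id, the 6-digit length, the 5-minute lifetime, the 5-attempt limit and the in-memory store are all assumptions. The properties that make it a real credential rather than a stand-in for an NRIC are that the code is random, short-lived, single-use, rate-limited, compared in constant time, and stored only as a keyed hash so a database leak does not hand out live codes.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the post): 6 digits, 5-minute lifetime, 5 guesses.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingOtp:
    code_mac: bytes      # keyed hash of the code, never the code itself
    expires_at: float    # absolute time after which the code is dead
    attempts: int = 0    # verification attempts consumed so far


class OtpService:
    """Issue and verify one-time passwords for a customer account.

    The server key keeps stored MACs useless offline: without it, a leaked
    table cannot be brute-forced over the 10**6 code space. The TTL and the
    attempt cap are what defeat online guessing of a 6-digit code.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock                      # injectable for deterministic tests
        self._pending: dict[str, PendingOtp] = {}  # assumed in-memory store

    def issue(self, account_id: str) -> str:
        """Create a fresh code for the account; the caller delivers it by SMS/email."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account_id] = PendingOtp(
            code_mac=self._mac(account_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # send it; do not log it

    def verify(self, account_id: str, code: str) -> bool:
        """Accept the code exactly once, within its lifetime and attempt budget."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[account_id]        # expired: force re-issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]        # too many guesses: force re-issue
            return False
        ok = hmac.compare_digest(self._mac(account_id, code), entry.code_mac)
        if ok:
            del self._pending[account_id]        # single use: a replay will fail
        return ok

    def _mac(self, account_id: str, code: str) -> bytes:
        # Binding the account id prevents a code issued for one customer
        # from being replayed against another.
        msg = account_id.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    svc = OtpService(server_key=secrets.token_bytes(32))
    code = svc.issue("customer-42")          # constructed account id
    print("delivered code accepted:", svc.verify("customer-42", code))
    print("replay of same code accepted:", svc.verify("customer-42", code))
```

Compared with "last four digits of NRIC", every failure mode changes: a guessed or leaked code is worthless five minutes later, a stolen one cannot be reused, and nothing permanent about the customer is revealed if the store is breached.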

๐—ง๐—ต๐—ถ๐—ฟ๐—ฑ, ๐˜€๐˜๐—ผ๐—ฝ ๐˜‚๐˜€๐—ถ๐—ป๐—ด ๐—ฏ๐—ถ๐—ฟ๐˜๐—ต ๐—ฑ๐—ฎ๐˜๐—ฒ๐˜€ ๐˜๐—ผ๐—ผ. PDPC hasn't explicitly banned birth dates as authentication yet, but as a DPO, I'd tell you it's only a matter of time. Birth dates are easily guessable and widely exposed. Don't replace one soon-to-be-banned method with another that's heading in the same direction.

๐——๐—ผ๐—ป'๐˜ ๐—ช๐—ฎ๐—ถ๐˜ ๐—ณ๐—ผ๐—ฟ ๐—˜๐—ป๐—ณ๐—ผ๐—ฟ๐—ฐ๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐˜๐—ผ ๐—™๐—ผ๐—ฟ๐—ฐ๐—ฒ ๐—ฌ๐—ผ๐˜‚๐—ฟ ๐—›๐—ฎ๐—ป๐—ฑ

You have until January 2027. That sounds like plenty of time, until you factor in system changes, vendor coordination, and customer communication. Start now.

If you need help auditing your authentication practices or transitioning to compliant alternatives, schedule a consultation with us at Veritos - https://calendly.com/veritos/introductory. We'll help you get this sorted before the deadline, not after.

PDPC's official announcement can be found in their press release: Organisations to Cease the Use of NRIC Numbers for Authentication by 31 December 2026 https://www.pdpc.gov.sg/news-and-events/press-room/2026/01/organisations-to-cease-the-use-of-nric-numbers-for-authentication-by-31–december-2026