
The 2027 NRIC Authentication Ban: What Singapore Businesses Need to Do

From 1 January 2027, Singapore businesses can no longer use NRIC numbers to log customers in. If that is how your login works today, this is what you need to change.

Published 23 April 2026 · 7 min read · Singpass.biz team

From 1 January 2027, Singapore businesses can no longer use NRIC numbers — in full or partial form — as a means of authenticating a customer or user online. If your login page still asks for NRIC and date of birth, you have a finite window to migrate. Here is exactly what the rule says, what it affects, and the three migration paths that meet the new requirement.

What the 2027 rule actually says

The Personal Data Protection Commission (PDPC) published its Advisory Guidelines on the NRIC and Other National Identification Numbers in 2024 and reaffirmed its position in the 2025 update: an NRIC number is a sensitive national identifier, not a credential. Using it as a username or password — or combining it with a second piece of weak data like a date of birth or postal code — is now treated as an unsafe authentication practice.

The deadline for businesses to stop using NRIC as an authenticator is 1 January 2027. After that date, the PDPC can enforce the rule under its existing PDPA powers: investigation, direction, and, in serious cases, financial penalties.

Who is affected

You are affected if any of the following describe your business today:

  • Your customer login screen asks for NRIC (or FIN) and nothing else.
  • Your customer login asks for NRIC plus a weak second value: date of birth, postal code, or the last four digits of a mobile number.
  • Your loyalty programme or member portal uses NRIC as the account identifier and a simple password for entry.
  • Your HR system lets employees self-serve by entering their NRIC to retrieve pay slips or tax forms.
  • Your ticketing, booking, or customer-portal service resolves accounts by NRIC at any self-service step.

You are not affected simply by collecting NRIC. Collection for a justified business purpose — KYC for a regulated service, director disclosure on a licence application, accepting an IC at a physical counter — remains lawful under the PDPA, subject to the usual necessity test. What changes is that the NRIC can no longer be treated as the thing that proves a person is who they say they are.

Why the PDPC made this change

NRIC numbers are present in tens of thousands of leaked datasets, on resumes, on delivery receipts, on school forms, and on visible visitor logs. They are trivial to obtain for anyone determined to impersonate a target. Using them as an authenticator gives a user a credential they cannot change — and one that a bad actor may already have.

The three compliant migration paths

1. Singpass login (the recommended path)

Replace your NRIC-based login with Singpass. The customer taps “Sign in with Singpass” on your site; the Singpass app on their phone confirms the identity; your system receives a verified identity token. This is the path the Singapore government itself has taken across its citizen-facing services and the one the PDPC points to as the standard replacement.

Advantages: no passwords to manage; phishing-resistant; works for Singapore citizens, PRs, and most work-pass holders; no migration cost to the customer; and a future-proof identity surface. Covered in detail in our main implementation guide.

2. Email or mobile OTP with a separate password

Have customers register with an email address and a password, with OTP verification on a mobile number at first login. This is the “modern SaaS” pattern and is acceptable to the PDPC because neither the email nor the password is a national identifier.

Caveats: you take on all the password-management risk (credential stuffing, forgotten-password loops, SIM-swap attacks) and lose the ability to confirm a customer’s real identity without a separate KYC step.
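The server-side checks that path 2 obliges you to get right, as an added example (not code from the original post or from Singpass.biz): email plus scrypt-hashed password, an OTP that is hashed at rest, expires, is single-use and bounded in guesses, and a per-account lockout that blunts credential stuffing. The in-memory store, the cost parameters and the idea that a hypothetical SMS/email sender receives the OTP are assumptions for illustration; SIM-swap defences and persistence are out of scope.

```python
"""Email + password + OTP login with the caveats above handled server-side.

Added example, not the original post's or Singpass.biz's code. Assumes an
in-memory account store and that the returned OTP is handed to a delivery
channel elsewhere (hypothetical); scrypt parameters are illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_LOGINS = 5        # lock after this many wrong passwords ...
LOCKOUT_SECONDS = 15 * 60    # ... for this long (slows credential stuffing)
OTP_TTL_SECONDS = 5 * 60     # OTP is valid for 5 minutes
OTP_MAX_ATTEMPTS = 3         # bounded guesses per issued code


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    mobile: str
    mobile_verified: bool = False
    failed_logins: int = 0
    locked_until: float = 0.0
    otp_hash: Optional[bytes] = None   # only the hash of the code is stored
    otp_expires: float = 0.0
    otp_attempts: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; cost parameters chosen for illustration.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(store: Dict[str, Account], email: str, password: str, mobile: str) -> Account:
    """Create an account keyed on email; no national identifier is involved."""
    if len(password) < 12:
        raise ValueError("password too short")
    salt = secrets.token_bytes(16)
    acct = Account(email=email.lower(), salt=salt,
                   pw_hash=_hash_password(password, salt), mobile=mobile)
    store[acct.email] = acct
    return acct


def issue_otp(acct: Account, now: float) -> str:
    """Generate a 6-digit OTP, keep only its hash, return the code for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.otp_hash = hashlib.sha256(code.encode()).digest()
    acct.otp_expires = now + OTP_TTL_SECONDS
    acct.otp_attempts = 0
    return code  # hand to the SMS/email sender; never log it


def verify_otp(acct: Account, code: str, now: float) -> bool:
    """Constant-time, single-use, time-bounded and attempt-bounded OTP check."""
    if acct.otp_hash is None or now > acct.otp_expires or acct.otp_attempts >= OTP_MAX_ATTEMPTS:
        acct.otp_hash = None  # expired or exhausted: a fresh code is required
        return False
    acct.otp_attempts += 1
    ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), acct.otp_hash)
    if ok:
        acct.otp_hash = None  # single use
        acct.mobile_verified = True
    return ok


def login(store: Dict[str, Account], email: str, password: str, now: float) -> str:
    """Return 'ok', 'otp_required', 'locked' or 'denied'."""
    acct = store.get(email.lower())
    if acct is None:
        # Burn a hash anyway so an unknown email is not faster than a wrong password.
        _hash_password(password, b"\x00" * 16)
        return "denied"
    if now < acct.locked_until:
        return "locked"
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_logins = 0
        return "denied"
    acct.failed_logins = 0
    return "ok" if acct.mobile_verified else "otp_required"
```

The lockout is per account and deliberately simple; in production you would add per-IP and global rate limits and alert on bursts of failures, because the page's credential-stuffing caveat is precisely that these passwords are reused elsewhere.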

3. A combination — Singpass for verification, your own credentials for daily login

Many businesses land here. Singpass verifies the identity at onboarding (and periodically for sensitive actions), and the customer then manages a regular account with your business using email, password, and optional 2FA. This keeps your UX simple for daily use while satisfying the PDPC rule.
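How the hybrid model decides when a daily-login session is enough and when a fresh Singpass verification is needed, as an added example (not code from the original post or from Singpass.biz). The Singpass side is represented only by the timestamp at which a verified identity token was accepted; obtaining and validating that token is assumed to happen elsewhere. The action names and the ten-minute freshness window are illustrative assumptions.

```python
"""Hybrid model: Singpass proves identity at onboarding and for sensitive
actions; ordinary login uses the business's own email/password (+2FA).

Added example, not the original post's or Singpass.biz's code. Action names
and STEP_UP_WINDOW_SECONDS are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# How recent a Singpass verification must be before a sensitive action proceeds.
STEP_UP_WINDOW_SECONDS = 10 * 60

# Per-action policy: "local" = an ordinary login suffices; "step_up" = a fresh
# Singpass verification is required. Unknown actions are denied by default.
ACTION_POLICY: Dict[str, str] = {
    "view_orders": "local",
    "update_email": "local",
    "change_bank_account": "step_up",
    "download_tax_form": "step_up",
    "close_account": "step_up",
}


@dataclass
class Session:
    account_id: str
    local_login_at: float                        # set by the email/password (+2FA) login
    onboarded_via_singpass: bool = False         # identity proven at onboarding
    singpass_verified_at: Optional[float] = None # last accepted verified identity token


def record_singpass_verification(session: Session, now: float) -> None:
    """Call after an identity token from Singpass has been validated."""
    session.onboarded_via_singpass = True
    session.singpass_verified_at = now


def authorise(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up' (send the user to Singpass) or 'deny'."""
    policy = ACTION_POLICY.get(action)
    if policy is None or not session.onboarded_via_singpass:
        return "deny"           # unknown action, or identity never proven
    if policy == "local":
        return "allow"          # daily credentials are enough
    verified_at = session.singpass_verified_at
    if verified_at is None or now - verified_at > STEP_UP_WINDOW_SECONDS:
        return "step_up"        # sensitive action: require a fresh verification
    return "allow"
```

The deny-by-default on unknown actions is deliberate: the list of sensitive actions should be the thing that grows, never the set of things a plain password can do.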

What the migration looks like

A realistic timeline for an SME sitting on NRIC-based login today:

  • Weeks 1–2: Scope the accounts affected, decide on a migration path (Singpass, email+OTP, or hybrid), and communicate the change to customers in an advance notice email.
  • Weeks 3–5: Stand up the new login. If choosing Singpass, the GovTech application and the integration itself run in parallel on our side for most customer-onboarding use cases.
  • Weeks 6–8: Roll out to a pilot group, gather feedback, patch rough edges.
  • Weeks 9–12: Mandatory cut-over — old NRIC-based login disabled, all customers on the new flow.

Businesses that wait until Q4 2026 will hit a GovTech queue competing with everyone else who delayed. We recommend starting the migration no later than mid-2026.

Common questions

Do we need to delete NRIC numbers from our records?

No. The PDPC rule is about use as authentication, not about storing NRIC data at all. You can continue to hold NRIC on customer records for legitimate business purposes, subject to the PDPA’s existing necessity and retention rules.

What if we only use NRIC for internal staff logins?

Internal HR / payroll / staff-portal logins are in scope — employees are data subjects too. If your staff currently log in using NRIC, that pattern needs to migrate by the deadline.

Does the rule apply to paper forms?

No. Paper forms collected at a physical counter are not “online authentication” in the PDPC’s sense. The rule targets digital authentication flows.

We have a legacy system we cannot change — what then?

Talk to the PDPC early and document a transition plan. A credible, dated migration plan is usually acceptable as an interim position; doing nothing past January 2027 is not.

How does this interact with MAS or other regulator KYC rules?

Not directly. MAS, CEA, MOM, and other regulators still require KYC for regulated activities, and Singpass-backed verification satisfies those requirements. The 2027 PDPC rule sits on top and restricts the authenticator shape, not the identity-verification shape.

The action list

  1. Audit every customer, partner, and staff login flow today. List each place an NRIC is accepted as a credential.
  2. Decide on a migration path for each. For customer-facing flows, Singpass is the path with the lowest ongoing operational burden.
  3. Set a cut-over date no later than Q4 2026.
  4. Communicate the change to customers at least six to eight weeks before cut-over.
  5. Verify the old flow is disabled and the new flow is the only option from 1 January 2027.
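A small audit helper for step 1 of the list, as an added example (not code from the original post or from Singpass.biz). It scans a constructed inventory of login-flow fields with sample values, such as you might export from a form catalogue or sanitised request logs, and reports each flow where a credential-looking field accepts a structurally valid NRIC or FIN, together with any weak companion fields (date of birth, postal code, last digits of a mobile number) that the affected-list above describes. The check letter is verified with the published S/T and F/G scheme; the newer M-series FINs are matched on format only, which is a simplification noted in the code. The sample values are synthetic test identifiers, not real people.

```python
"""Audit helper: find login flows that accept an NRIC/FIN as a credential.

Added example, not the original post's or Singpass.biz's code. Records are
constructed inputs of the shape {flow, field, sample_value}; field-name hints
are heuristics you would tune to your own forms.
"""
import re
from typing import Dict, List

NRIC_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_ST = "JZIHGFEDCBA"   # check letters for the S/T series, indexed by sum % 11
CHECK_FG = "XWUTRQPNMLK"   # check letters for the F/G series


def is_nric_or_fin(value: str) -> bool:
    """True if value has the NRIC/FIN shape and (for S/T/F/G) a correct check letter."""
    value = value.strip().upper()
    if not NRIC_RE.match(value):
        return False
    prefix, digits, check = value[0], value[1:8], value[8]
    if prefix == "M":
        return True  # simplification: M-series check letter is not verified here
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    if prefix in "TG":
        total += 4   # T and G series add 4 before the modulus
    table = CHECK_ST if prefix in "ST" else CHECK_FG
    return table[total % 11] == check


# Field names suggesting the value authenticates rather than is merely collected.
CREDENTIAL_FIELD_HINTS = ("login", "username", "user_id", "password", "auth", "identifier")
# Weak second values that often accompany NRIC-based login.
WEAK_COMPANION_HINTS = ("dob", "date_of_birth", "birth", "postal", "mobile_last", "last4")


def _has_hint(field: str, hints) -> bool:
    name = field.lower()
    return any(h in name for h in hints)


def audit_login_flows(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group records by flow and report flows using an NRIC/FIN as a credential."""
    by_flow: Dict[str, List[Dict[str, str]]] = {}
    for rec in records:
        by_flow.setdefault(rec["flow"], []).append(rec)
    findings = []
    for flow, recs in by_flow.items():
        nric_fields = [r["field"] for r in recs
                       if _has_hint(r["field"], CREDENTIAL_FIELD_HINTS)
                       and is_nric_or_fin(r["sample_value"])]
        if not nric_fields:
            continue
        companions = sorted({r["field"] for r in recs
                             if _has_hint(r["field"], WEAK_COMPANION_HINTS)})
        findings.append({"flow": flow, "nric_fields": nric_fields,
                         "weak_companions": companions})
    return findings


# Constructed sample inventory (synthetic identifiers, not real people).
SAMPLE_RECORDS = [
    {"flow": "customer-portal /login", "field": "username", "sample_value": "S1234567D"},
    {"flow": "customer-portal /login", "field": "date_of_birth", "sample_value": "1990-01-01"},
    {"flow": "hr-portal /payslip", "field": "login_id", "sample_value": "F1234567N"},
    {"flow": "kyc /onboarding", "field": "nric_for_kyc", "sample_value": "S1234567D"},  # collected, not used to log in
    {"flow": "checkout /login", "field": "username", "sample_value": "alice@example.com"},
    {"flow": "legacy /auth", "field": "auth_id", "sample_value": "T0000001E"},
]

if __name__ == "__main__":
    for finding in audit_login_flows(SAMPLE_RECORDS):
        print(finding)
```

Note that the KYC onboarding record is not reported even though it carries an NRIC: collection for a justified purpose stays lawful, and the audit is looking specifically for the credential use that the rule bans.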

If your business needs a migration path and does not have engineering bandwidth to run the Singpass integration in-house, book a free 20-minute scoping call and we will quote a timeline and fixed cost before you leave the call.
