Category: 3. Business

Following the recent unmasking of Singapore National Registration Identity Card (“NRIC”) numbers by the Accounting and Corporate Regulatory Authority (“ACRA”), both the ACRA and Cyber Security Agency (“CSA”) have issued guidance on moving away from using NRIC numbers for authentication and password purposes in the private sector.

With data protection undoubtedly a top concern and priority for individuals and organisations today, our commentary reviews this significant shift in best practices for authentication in Singapore, and the need for education on the appropriate use of NRIC numbers.

Unmasking the Singapore NRIC number

In December 2024, there was a public furore over the inadvertent unmasking of Singapore NRIC numbers by ACRA. A member of the public had, by chance, discovered that the refreshed online portal ACRA had rolled out featured a new search function (which was later disabled) that allowed the full NRIC numbers of individuals registered on its database to be accessed free of charge (i.e. Bizfile People Search). This led to the government issuing a public apology later in December and instituting a review panel to investigate the incident.

Thereafter, in the same month, the Ministry of Digital Development and Information (“MDDI”) issued a statement outlining the appropriate use and misuse of NRIC numbers, which invited public debate. The MDDI made the following key points in its statement:

• As there is little value in masking the NRIC number, the government had been preparing to change the existing practice of masking the NRIC number and move towards unmasking the same eventually. The MDDI explained that masked NRIC numbers actually give individuals a false sense of security. This was because, using some basic algorithms, it was possible to uncover an individual’s full NRIC number from the masked number, especially if the year of birth of the individual was also known.
• In 2025, the MDDI and Personal Data Protection Commission (“PDPC”) plan to start educating the public on how the NRIC number should be used freely as a personal identifier in the same way individuals use their names, and the correct steps that ought to be taken for security, which would involve the proper use of authentication and passwords.

Review panel findings

In March 2025, the government shared the panel’s findings of internal communication errors between ACRA and the MDDI. ACRA’s misinterpretation of the MDDI’s internal directive on NRIC numbers had led ACRA to launch Bizfile People Search with full NRIC numbers alongside corresponding names in the search results, instead of partial NRIC numbers, which had been what was intended. ACRA, together with the Ministry of Finance, and separately, the MDDI, apologised for the incident.

New guidelines on the use of NRIC numbers

On 26 June 2025, ACRA and the CSA issued a joint advisory[1] to guide private organisations on ceasing the use of NRIC numbers for authentication of an individual. On the back of this, the MDDI similarly issued a press release[2] on stopping the use of NRIC numbers as passwords in the private sector. The public can expect more sector-specific guidance in the coming months as the government is working with regulated sectors such as finance, healthcare, and telecommunications to develop them.

Isn’t the NRIC number private information?

Public understanding and consensus has always been that an individual’s NRIC number is private and confidential and, unless required by law, the disclosure of the same is subject to that individual’s consent. This is consistent with the fact that an individual’s full NRIC number is usually masked, whether at the point of collection or disclosure. For instance, the collection of individuals’ NRIC numbers by organisations (in both the public or private sector) for various purposes tends to only require the provision of the last four characters of the NRIC number (i.e. last three numerical digits and checksum of the NRIC number e.g. 567A where the full NRIC number is S1234567A). On the occasion where an announcement of contest winners set outs their names and NRIC numbers, full NRIC numbers would not be spelled out – only the last four characters would be published. Partial disclosure was and is the norm, and a widely-accepted general practice.

The classified nature of NRIC numbers is especially entrenched in the consciousness of the Singaporean public, as it is used by individuals to conduct their private matters. In Singapore, banks and insurers customarily require customers to identify themselves by entering their NRIC number over calls to their hotlines, or online for use of digital services, as part of their customer verification protocol. While fund transfers may require multi-factor authentication (“MFA”), of which entering the NRIC number may only comprise one component, some banks have opted to accept NRIC numbers to expedite customer verification in urgent cases of fraud or scam prevention. Additionally, banks and insurers often prescribe passwords that are a combination of the customer’s full or partial NRIC number and date of birth, to unlock password protected documents such as bank statements, insurance policies or related documents. Needless to say, these documents are secured in this way because they contain sensitive personal data (e.g. financial and health information).

Would the disclosure of an NRIC number constitute a data breach?

We would highlight that even partial NRIC numbers are considered personal data under the Personal Data Protection Act 2012 (“PDPA”), to the extent that an individual can be identified from the partial NRIC number. This is the view the PDPC has taken in its Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (“Advisory Guidelines”), which were issued on 31 August 2018 (but which is due to be updated). The PDPC had in 2020 also published a series of Frequently Asked Questions for individual and organisations in relation to the treatment of NRIC numbers and physical NRICs, and this appears to have been updated in the light of recent developments.

While the public sector is not subject to the PDPA (although under the Public Sector (Governance) Act 2018, public agencies are required to comply with IM8, which is reportedly a set of instructions aligned with the PDPA but adapted to the public service context), the public outcry that followed the ACRA incident was not surprising. Had the incursion been traced to a private sector entity, it would have been considered a data breach – an unauthorised disclosure of personal data. Accordingly, it would have required mandatory notification to the PDPC, and could also trigger enforcement action by the PDPC.

A notifiable data breach is one that could cause significant harm or is of significant scale. Significant harm occurs where there is physical, psychological, emotional, economic, financial harm, harm to reputation and other harms that a reasonable person would identify as a possible outcome of a data breach. While there are prescribed categories of personal data that if disclosed would cause significant harm (e.g. full name/ alias/ identification number in combination with items such as salary information/ credit card number/ bank account number/ health information, or account name/ number/ username, or account access information like biometric data/ security code/ password/ answer to security question etc), unauthorised access to an NRIC number is likely to cause significant financial harm to the holder of that NRIC number, because of the possibility for that number to be misused for identity theft or fraudulent purposes. For the avoidance of doubt, even though an individual’s full name would constitute personal data, a data breach involving the disclosure of an individual’s full name alone (without any other accompanying personal data) would not give rise to significant harm.

Authentication versus identification

Both the joint advisory by the PDPC and CSA, and the MDDI’s statement in June 2025 distinguish between the authentication and identification of an individual.

Authentication is the more critical process of proving that an individual is who he/ she claims to be; and successful authentication is a condition precedent to permitting the individual to access services or information intended only for him/ her. On the other hand, identification is the act of differentiating one individual from another, and is an end in itself. While both are forms of verification, it is clear that authentication should not be treated as a lockstep process as there are higher stakes involved.

On a related note, a Straits Times Forum letter published on 20 June 2025 titled “Stronger safeguards needed for inter-bank transfers” suggests that authentication should be more layered so as to be watertight. The letter flagged the recent case of a car salesman cheating buyers of over S$341,000 by having them transfer payment to his personal account instead of the company account. The writer was troubled by the lack of built-in checks in interbank transfers to ensure that the name of the recipient matches the name of the holder of the account to which the funds are being transferred. There is no such gap for cheques/ banker’s drafts/ cashier’s orders as bank tellers would have to extract the name of the account holder from the account number, and verify that such name tallied with the printed payee’s name. Mandatory name verification for large transfers was proposed as a safeguard to plug this gap. On 26 June 2025, the Monetary Authority of Singapore stated that it would consider the writer’s suggestion as part of its efforts to better protect customers against fraudulent or erroneous transfers.

Returning to the use of passwords as a method of authentication, the government’s position is that in order for passwords to serve as a reasonably robust defence against unauthorised account access, passwords should not contain information that can be obtained easily, such as full names or their permutations, NRIC numbers, or dates of birth.

The issue the government is trying to address is two-pronged:

• individuals have been using their NRIC numbers, whether partially or in their entirety as their passwords or part of their passwords, to log into their digital accounts;
• organisations have been using full or partial NRIC numbers to authenticate individuals, by setting passwords on their behalf as account log-in credentials, or to enable them to access privileged information (such as unlocking password protected documents), or to perform privileged transactions.

The misuse or publication of NRIC numbers is therefore a real concern, as those privy to another’s NRIC number may be able to abuse this information for impersonation and fraud.

Accordingly, an NRIC number should be treated like an individual’s name – neither of which would, whether separately or together, in full or in part, together with other easily obtainable personal data (e.g. passwords combining an individual’s partial NRIC number and date of birth, such as “567A1Jan2025”), suffice for authentication. Both are simply means of identification.

Organisations and individuals should expedite their transitions away from the practice of deploying NRIC numbers as an authentication measure and consider adopting the following options for purposes of authenticating an individual instead:

• More specific and uncommonly known information that only that individual knows (e.g. complex password);
• An item that only that individual would possess (e.g. security token, smart card);
• An attribute that only that individual would possess (e.g. fingerprint, face, iris, palm vein).

The last two options offer stronger phishing resistance than the first. In terms of passwords, a strong one with enough complexity is typically composed of a series of random words; and where passwords are used, two-factor authentication (“2FA”) or even MFA are recommended as additional layers of security. Essentially, an individual’s name and NRIC number should not be used as passwords or as any basis of authentication.

In fact, the physical NRIC, which indicates an individual’s NRIC number, could be employed as a factor of authentication, as it contains other details (e.g. photo and thumbprint) which can be verified in person, and these additional features serve as security/ safeguards that the NRIC number on its own lacks. 

It is worth noting that the PDPC had previously issued a Technical Guide to the Advisory Guidelines (likewise scheduled to be updated) which provides organisations with tips for the replacement of NRIC numbers as identifiers for individuals, in their applications, websites or other public-facing computer systems.

The PDPC and CSA advise organisations to adopt a risk-based approach when choosing the appropriate authentication method. Factors to consider in designing a bespoke approach include:

• Value and sensitivity of what is being protected;
• Potential threats and vulnerabilities of the authentication method; and
• User experience and accessibility when using the authentication method.

The PDPC encourages organisations to take reference from the PDPC’s Guide to Data Protection Practices for ICT Systems (pages 15 to 16) in devising their authentication practices. For example, 2FA, MFA and complex passwords are particularly important for administrative accounts, as unauthorised access of these very accounts remains one of the most common root causes of data breaches to date. Staff training and restrictions on privileged account changes would also be prudent measures to implement as part of efforts to promote this sea change in mindset.

It is uncontroversial that one’s NRIC number is a unique/ personal identifier. But it will take time for the public education drive to dislodge the deeply embedded, age-old notion that an individual’s NRIC number is private knowledge that an individual is entitled to withhold.

Nonetheless, until the relevant PDPC advisories are formally amended, the NRIC number (as a personal identifier) continues to be subject to the PDPA, and the unauthorised disclosure of the same could engender significant harm. Organisations that handle personal data (which includes NRIC numbers) must still comply with their data protection obligations under the PDPA – beginning with obtaining valid consent from the individual, followed by adhering to purpose and retention limitations, and making reasonable security arrangements to protect the personal data, etc.

Exploitation of personal data and the NRIC number

Cybersecurity awareness amongst organisations and individuals alike is key to avoiding the exploitation of personal data. IT forensics experts have identified new threat actor tactics that could theoretically take advantage of the unmasking of the NRIC number. For example, a prominent threat actor group known by the name of “Scattered Spider” has gained notoriety of late for using social engineering techniques to effect data breaches on its victims. “Scattered Spider” has targeted IT helpdesks by deploying social manipulation techniques including adopting local accents and capitalising on publicly available information associated with mid-level IT personnel and network engineers to convince IT helpdesk staff to reset employee accounts without setting off alarm bells. NRIC numbers could certainly be exploited by the likes of “Scattered Spider” in their data breach attempts.

Key lessons

• Singapore NRIC numbers should be used for purposes of identification only and should not be used as a means of authentication to facilitate the provision of a service or the retrieval of information.
• Organisations and individuals must relook at existing practices of deploying NRIC numbers as authentication measures, including using them as passwords, and phase these out.
• Passwords should not contain NRIC numbers, as the likelihood of one’s NRIC number being compromised and misappropriated is a serious possibility.
• Multiple independent forms and stages of authentication are recommended, and organisations and individuals should stay vigilant of security risks and take active steps to install effective safeguards.

Kennedys regularly advises on data protection laws and cyber incidents in Singapore and worldwide. If you require any assistance in this regard, please contact our authors.

[1] https://www.pdpc.gov.sg/help-and-resources/2025/06/joint-advisory-against-using-nric-numbers-for-authentication-by-the-personal-data-protection-commission-pdpc-and-cyber-security-agency-of-singapore-csa

[2] https://www.mddi.gov.sg/newsroom/stopping-the-use-of-nric-numbers-as-passwords-in-the-private-sector/

The TRUE Initiative, in partnership with the United Nations Environment Programme, conducted a groundbreaking remote sensing campaign, the first of its kind in Africa, to offer real-world insight into the levels of pollution from vehicles operating in Kampala, Uganda.

Using plume chase technology, where a vehicle equipped with emission analyzers follows a target vehicle while sampling its exhaust plume, this project captured real-world snapshots from Kampala’s fleet in 2024. Researchers analyzed the results and observed that:

• Over 50% of gasoline passenger cars exhibited average nitrogen oxides (NO_x) emissions consistent with pre-Euro certifications, suggesting potential malfunctions or removal of catalytic converters. Although newer gasoline passenger cars under 8 years old showed lower NOx emissions than older cars, their levels were still 5.5 times higher on average than Euro 4 limits.
• Diesel heavy commercial vehicles under 8 years of age showed 14% higher average NO_x emissions than older counterparts. Similarly little differences in average real-world NOx emissions were observed among older and newer diesel vehicles across other groups— passenger cars, minibuses, and light commercial vehicles.
• Diesel minibuses, which had an average age of 25 years, showed NO_x emissions more than 9 times higher than Euro 4 limits and elevated black carbon (BC) emissions. At least 16% of diesel minibuses over 15 years old exhibited visible black smoke from their exhaust during measurement and exhibited 6 times higher average BC emissions than vehicles aged between 8 and 15 years.

Uganda is already working to improve air quality, including by outlining new programs under its National Environment (Air Quality Standards) Regulations and e-mobility strategy. Based on these results, the TRUE Initiative recommends a strengthening of import requirements on all vehicle imports and developing a roadmap to meet Euro 6 standards. For maximum benefits, this should be complemented by routine vehicle inspection programs and mandatory follow-up maintenance that would quickly identify and repair high emitters. Finally, prioritizing public transport and modernizing the aging taxi minibus fleet would significantly reduce vehicle-related air pollution.

Cover Photo: Attendees participated in a live demonstration of plume chasing technology during a kick-off event for TRUE’s remote-sensing campaign in Kampala, Uganda. The workshop was organized by UNEP and local partners in July 2024.

The emergency power generators based on 20-cylinder mtu Series 4000 P63 engines, each with an output of 2,600 kWe, ensure that the power supply on the converter platforms remains stable even if the main power supply fails. They also ensure that control and monitoring systems continue to operate, that the infrastructure of the service crew quarters is maintained, and that lighting and other safety-critical systems do not fail. They also supply power for cooling and ventilation of important system components to prevent damage from overheating. In extreme cases, the emergency power generators enable the systems to be shut down and restarted in a controlled manner.

“The engines have to be extremely reliable because they are the piece of the puzzle that matters when it comes down to it,” explained Detlev Köster, Sales Manager in the Offshore business at Rolls-Royce Power Systems. “We are delighted that Eureka Pumps is continuing to rely on our products in project phase 2.”

Rolls-Royce secures critical infrastructure worldwide in line with its strategy: The company offers mtu emergency power solutions based on diesel and gas generators as well as dynamic uninterruptible power systems (UPS). In addition to offshore platforms, these include data centers, industrial plants, airports, hospitals, power plants, and numerous other facilities that require an uninterruptible power supply.

Sainsbury’s has recorded its strongest growth since last summer after its Argos chain recorded a big step up in sales as shoppers sought out paddling pools and fans during recent hot weather.

The retail group said Argos, its catalogue shop, was able to achieve growth of 4.4% in the three months to 21 June, up from 1.9% in the previous quarter. Comparable group sales, excluding fuel, rose 4.7% on a year earlier.

The group’s total sales rose 4.9%, helped by the strong trading at Argos and a rise in clothing sales as shoppers snapped up shorts and swimsuits, as well as healthy demand for its premium food ranges. That excludes fuel, where sales fell partly because of price decreases.

The retailer said it had achieved the strong sales despite a “subdued, highly competitive and deflationary general merchandise market” as it booked rapid growth in online sales and via its app. Sales in stores declined, partly because of further closures as many Argos sites move from high streets into Sainsbury’s supermarkets.

Sainsbury’s, the UK’s second biggest supermarket chain, said it had cut prices compared with all “key competitors” as it was on track to cut £1bn in costs by March 2027. Costs were partly lowered by a shift to self-service tills and SmartShop handsets, with which shoppers scan goods in their basket on the go.

The figures indicate that Sainsbury’s is holding out against a wave of price cuts and improved service at Asda, the UK’s third largest supermarket chain, which aims to win back shoppers after more than a year of sales declines.

Simon Roberts, the chief executive of Sainsbury’s, said: “Our winning combination of great value, outstanding quality, excellent availability and leading customer service has driven further share gains, reaching our highest market share in almost a decade.

“We have great momentum, growing faster than the market for three consecutive years and we are well set to deliver another strong performance over the summer. Boosted by a sunny spring, we’re already off to a great start,” he said.

However, the strong sales figures were helped by an increase in food inflation, which rose to 3.7% in June, up from 2.8% in May. The British Retail Consortium said hot weather, with temperatures close to record levels this month, was hitting harvest yields.

Retailers have warned since Rachel Reeves’s autumn budget that the chancellor’s £25bn increase in employer national insurance contributions and 6.7% national living wage rise, introduced from April, would force them to raise their prices.

Today, NTC offers year-round testing services under a wide range of conditions, including high-speed endurance and complex handling scenarios as well as ADAS validation and autonomous driving testing. These capabilities ensure the development of high-performance, intelligent, connected, and safe vehicles. Its 700-hectare site today features 20 test tracks and facilities, including the iconic high-speed ring, a 6.2-kilometer handling course, and state-of-the-art simulation technologies.

“We are honored to celebrate this special anniversary and feel a deep sense of responsibility for what NTC represents,” says Antonio Gratis, Managing Director of NTC. “We are proud of its history, of its contribution to the industry and of the many people who shaped it over time,” adds Gratis. “This is not just a test center – it’s a place where technology and purpose come together to move the mobility forward and where the next chapters of innovation are already being written.”

Originally established by Fiat, the proving ground quickly earned a reputation for its groundbreaking 12.6-kilometer circular high-speed ring track — a revolutionary concept at that time and still unique in its shape and dimension. Over the decades, NTC has been enhancing its testing capabilities with additional tracks and facilities, serving as pivotal proving ground for diverse testing requirements and as the venue of numerous historic milestones – including multiple speed records and endurance tests that have shaped automotive engineering standards worldwide.

Acquired by the Porsche Group in 2012, NTC became a core part of the comprehensive development and validation ecosystem of Porsche Engineering, an international engineering services provider for global B2B customers. The integration into Porsche Engineering’s global network marked a new chapter, driving significant investments in modernization, infrastructure, and digitalization. It also extended capabilities across the entire vehicle development process – including seamless, real and virtual development workflows. This solidified NTC’s vital role as a leading technology partner for next-generation mobility by addressing the evolving demands of the global automotive industry.

In 2021, NTC transformed a former facility into a cutting-edge lithium-ion battery testing center. With the installation of a robust charging infrastructure, NTC has become a key partner for electric vehicle testing. In 2023, NTC broadened its technological footprint and expertise in Southern Italy by establishing a dedicated software unit in nearby Lecce. This addition enhanced NTC’s capabilities in software development, simulation, and digital innovation – while closely connecting it to the on-site validation solutions at the proving ground, including a 5G hybrid mobile private network.

Beyond its technological impact, NTC plays an important role in Southern Italy’s economy and serves a local innovation hub. Over the last decade, it contributed an average of 20 million euros per year to the local economy. Through strong partnerships with local universities, technical schools (ITS), and via a dual education system, NTC actively fosters high-level talent and develops future-ready skills in the Salento region.

About NTC

Nardò Technical Center (NTC) is a vehicle testing and development facility located in Apulia, Southern Italy. It provides 20 state-of-the-art test tracks and facilities across 700 hectares, including a 12.6-kilometer high-speed ring that enables extreme-condition testing for automotive manufacturers and suppliers worldwide. Activities range from physical vehicle testing to simulation, software development, and digital innovation, supported by a dedicated software unit based in Lecce. Founded in 1975, NTC has been owned by Porsche and operated by Porsche Engineering since 2012 and currently employs over 200 professionals. It collaborates with more than 90 automotive companies globally and has hosted some of the most advanced testing and development programs in the industry. From high-speed trials to cutting-edge simulations, NTC continues to play a key role in shaping the future of connected, intelligent, and safe mobility.

About Porsche Engineering

Porsche Engineering Group GmbH is an international technology partner to the automotive industry. The subsidiary of Dr. Ing. h.c. F. Porsche AG is developing and integrating technological solutions for its B2B customers within and beyond automotive industries – including systems, hardware, functions and software. Some 2,000 conceptual experts, engineers and software architects and developers are dedicated to the latest technologies, for example in the fields of highly automated driving functions, e-mobility and high-voltage systems, connectivity and artificial intelligence. Their aim is to carry the tradition of Ferdinand Porsche’s design office, founded in 1931, into the future and develop and integrate innovative solutions for the top tech challenges of their industry customers. In doing so, they combine in-depth vehicle and system expertise with digital and software expertise.

1 July 2025

• Short-term track (Pontes) to pilot link between distributed ledger technology platforms and TARGET Services by end-2026
• Long-term track (Appia) to shape future-ready, innovative, integrated financial ecosystems
• Initiatives will deliver on Eurosystem’s continuing commitment to safe, efficient settlement in central bank money

The ECB’s Governing Council has approved a plan that will enable settling distributed ledger technology (DLT) transactions using central bank money. The initiative follows a two-track approach: the first track “Pontes” provides a short-term offering to the market – including a pilot phase – and the second track “Appia” focuses on a potential long-term solution. The decision is in line with the Eurosystem’s commitment to supporting innovation without compromising on safety and efficiency in financial market infrastructures.

Pontes will offer a Eurosystem DLT-based solution, linking DLT platforms and TARGET Services to settle transactions in central bank money. The Eurosystem plans to launch a pilot for Pontes by the end of the third quarter of 2026. It will offer a single Eurosystem solution which incorporates features used in the Eurosystem’s exploratory work on DLT in 2024. During the pilot, the Eurosystem will also explore the feasibility of further enhancements in line with the TARGET Services operational, legal and technical standards. Between now and the launch of the Pontes pilot, the Eurosystem will consider requests for further DLT-related trials and experiments.

Appia focuses on a long-term approach for an innovative and integrated ecosystem in Europe that also facilitates safe and efficient operations at the global level. The Eurosystem will actively continue to analyse DLT-based solutions and collaborate with public and private stakeholders.

To ensure continuous dialogue with the market, the Eurosystem will establish dedicated market contact groups for both Pontes and Appia. A call for expressions of interest in participating in the Pontes contact group will be published soon.

Pontes and Appia will build on the Eurosystem’s exploratory work on new technologies for wholesale central bank money settlement, which was conducted between May and November 2024. In this exploratory work, 64 participants conducted over 50 trials and experiments. A dedicated report outlining the results of the exploratory work has been published today.

For media queries, please contact Alessandro Speciale, tel.: +49 172 1670791.

Amsterdam,

ING announced today that, as part of our €2.0 billion share buyback programme announced on 2 May 2025, in total 4,587,249 shares were repurchased during the week of 23 June 2025 up to and including 27 June 2025.

The shares were repurchased at an average price of €18.20 for a total amount of €83,509,456.89. For detailed information on the daily repurchased shares, individual share purchase transactions and weekly reports, see share buy back programme.

In line with the purpose of the programme to reduce the share capital of ING, the total number of shares repurchased under this programme to date is 39,687,217 at an average price of €18.34 for a total consideration of €728,031,948.83. To date, approximately 36.40% of the maximum total value of the share buyback programme has been completed.

Note for editors

More on investor information, go to the investor relations section on this site.

For news updates, go to the newsroom on this site or via X (@ING_news feed).

For ING photos such as board members, buildings, go to Flickr.

ING PROFILE

ING is a global financial institution with a strong European base, offering banking services through its operating company ING Bank. The purpose of ING Bank is: empowering people to stay a step ahead in life and in business. ING Bank’s more than 60,000 employees offer retail and wholesale banking services to customers in over 100 countries.

ING Group shares are listed on the exchanges of Amsterdam (INGA NA, INGA.AS), Brussels and on the New York Stock Exchange (ADRs: ING US, ING.N).

ING aims to put sustainability at the heart of what we do. Our policies and actions are assessed by independent research and ratings providers, which give updates on them annually. ING’s ESG rating by MSCI was reconfirmed by MSCI as ‘AA’ in August 2024 for the fifth year. As of December 2023, in Sustainalytics’ view, ING’s management of ESG material risk is ‘Strong’. Our current ESG Risk Rating, is 17.2 (Low Risk). ING Group shares are also included in major sustainability and ESG index products of leading providers. Here are some examples: Euronext, STOXX, Morningstar and FTSE Russell. Society is transitioning to a low-carbon economy. So are our clients, and so is ING. We finance a lot of sustainable activities, but we still finance more that’s not. Follow our progress on ing.com/climate.

Important legal information

Elements of this press release contain or may contain information about ING Groep N.V. and/ or ING Bank N.V. within the meaning of Article 7(1) to (4) of EU Regulation No 596/2014 (‘Market Abuse Regulation’).

ING Group’s annual accounts are prepared in accordance with International Financial Reporting Standards as adopted by the European Union (‘IFRS- EU’). In preparing the financial information in this document, except as described otherwise, the same accounting principles are applied as in the 2024 ING Group consolidated annual accounts. All figures in this document are unaudited. Small differences are possible in the tables due to rounding.

Certain of the statements contained herein are not historical facts, including, without limitation, certain statements made of future expectations and other forward-looking statements that are based on management’s current views and assumptions and involve known and unknown risks and uncertainties that could cause actual results, performance or events to differ materially from those expressed or implied in such statements. Actual results, performance or events may differ materially from those in such statements due to a number of factors, including, without limitation: (1) changes in general economic conditions and customer behaviour, in particular economic conditions in ING’s core markets, including changes affecting currency exchange rates and the regional and global economic impact of the invasion of Russia into Ukraine and related international response measures (2) changes affecting interest rate levels (3) any default of a major market participant and related market disruption (4) changes in performance of financial markets, including in Europe and developing markets (5) fiscal uncertainty in Europe and the United States (6) discontinuation of or changes in ‘benchmark’ indices (7) inflation and deflation in our principal markets (8) changes in conditions in the credit and capital markets generally, including changes in borrower and counterparty creditworthiness (9) failures of banks falling under the scope of state compensation schemes (10) non- compliance with or changes in laws and regulations, including those concerning financial services, financial economic crimes and tax laws, and the interpretation and application thereof (11) geopolitical risks, political instabilities and policies and actions of governmental and regulatory authorities, including in connection with the invasion of Russia into Ukraine and the related international response measures (12) legal and regulatory risks in certain countries with less developed legal and regulatory frameworks (13) prudential supervision and regulations, including in relation to stress tests and regulatory restrictions on dividends and distributions (also among members of the group) (14) ING’s ability to meet minimum capital and other prudential regulatory requirements (15) changes in regulation of US commodities and derivatives businesses of ING and its customers (16) application of bank recovery and resolution regimes, including write down and conversion powers in relation to our securities (17) outcome of current and future litigation, enforcement proceedings, investigations or other regulatory actions, including claims by customers or stakeholders who feel misled or treated unfairly, and other conduct issues (18) changes in tax laws and regulations and risks of non-compliance or investigation in connection with tax laws, including FATCA (19) operational and IT risks, such as system disruptions or failures, breaches of security, cyber-attacks, human error, changes in operational practices or inadequate controls including in respect of third parties with which we do business and including any risks as a result of incomplete, inaccurate, or otherwise flawed outputs from the algorithms and data sets utilized in artificial intelligence (20) risks and challenges related to cybercrime including the effects of cyberattacks and changes in legislation and regulation related to cybersecurity and data privacy, including such risks and challenges as a consequence of the use of emerging technologies, such as advanced forms of artificial intelligence and quantum computing (21) changes in general competitive factors, including ability to increase or maintain market share (22) inability to protect our intellectual property and infringement claims by third parties (23) inability of counterparties to meet financial obligations or ability to enforce rights against such counterparties (24) changes in credit ratings (25) business, operational, regulatory, reputation, transition and other risks and challenges in connection with climate change, diversity, equity and inclusion and other ESG-related matters, including data gathering and reporting and also including managing the conflicting laws and requirements of governments, regulators and authorities with respect to these topics (26) inability to attract and retain key personnel (27) future liabilities under defined benefit retirement plans (28) failure to manage business risks, including in connection with use of models, use of derivatives, or maintaining appropriate policies and guidelines (29) changes in capital and credit markets, including interbank funding, as well as customer deposits, which provide the liquidity and capital required to fund our operations, and (30) the other risks and uncertainties detailed in the most recent annual report of ING Groep N.V. (including the Risk Factors contained therein) and ING’s more recent disclosures, including press releases, which are available on www.ING.com.

This document may contain ESG-related material that has been prepared by ING on the basis of publicly available information, internally developed data and other third-party sources believed to be reliable. ING has not sought to independently verify information obtained from public and third-party sources and makes no representations or warranties as to accuracy, completeness, reasonableness or reliability of such information.
Materiality, as used in the context of ESG, is distinct from, and should not be confused with, such term as defined in the Market Abuse Regulation or as defined for Securities and Exchange Commission (‘SEC’) reporting purposes. Any issues identified as material for purposes of ESG in this document are therefore not necessarily material as defined in the Market Abuse Regulation or for SEC reporting purposes. In addition, there is currently no single, globally recognized set of accepted definitions in assessing whether activities are “green” or “sustainable.” Without limiting any of the statements contained herein, we make no representation or warranty as to whether any of our securities constitutes a green or sustainable security or conforms to present or future investor expectations or objectives for green or sustainable investing. For information on characteristics of a security, use of proceeds, a description of applicable project(s) and/or any other relevant information, please reference the offering documents for such security.

This document may contain inactive textual addresses to internet websites operated by us and third parties. Reference to such websites is made for information purposes only, and information found at such websites is not incorporated by reference into this document. ING does not make any representation or warranty with respect to the accuracy or completeness of, or take any responsibility for, any information found at any websites operated by third parties. ING specifically disclaims any liability with respect to any information found at websites operated by third parties. ING cannot guarantee that websites operated by third parties remain available following the publication of this document, or that any information found at such websites will not change following the filing of this document. Many of those factors are beyond ING’s control.

Any forward-looking statements made by or on behalf of ING speak only as of the date they are made, and ING assumes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information or for any other reason.

This document does not constitute an offer to sell, or a solicitation of an offer to purchase, any securities in the United States or any other jurisdiction.