In brief
The Monetary Authority of Singapore (MAS) has released[1] for consultation the proposals in its paper, FI-FI Information Sharing Platform for AML/CFT, which will require Financial Institutions (FIs) to share with each other information on customers or transactions, where they cross material risk thresholds, on a secured digital platform owned and operated by MAS to be named ‘Collaborative Sharing of ML/TF Information & Cases’ (COSMIC).
Although the proposals are primarily addressed to the initial participant FIs that MAS has identified as major players in the commercial and small-medium enterprises banking segment comprising the three local banks and three qualifying full banks, nonparticipants should also take note. MAS will progressively extend COSMIC to the wider financial sector, and MAS will strengthen its surveillance to uncover any ‘risk migration’ where illicit actors shift their activities to nonparticipating FIs. Should MAS detect such migration, MAS will provide guidance to nonparticipant FIs to tighten their anti-money laundering and counter financing of terrorism (AML/CFT) controls.
The legislative framework for the information sharing platform will be contained in the new sections of the Financial Services and Markets Bill (FSMB), which will permit information sharing by FIs only to combat money laundering (ML), terrorism financing (TF) and proliferation financing (PF).
The consultation period ends on 1 November 2021, and MAS plans to introduce the FSMB in Parliament before end-2021. MAS has involved six major commercial banks in Singapore extensively on the design of the key features of COSMIC, and plans to launch the COSMIC platform in the first half of 2023.
Key takeaways
We summarise below:
- The types of customer and transactional data that MAS expects to be shared
- The modes of sharing
- The FSMB framework that will implement COSMIC, as well as protect the participating FIs and safeguard the shared information
If you would like to collaborate on a submission to MAS, or if you have any questions on how any of the proposals may impact your business, please do not hesitate to liaise with your usual contact at Baker McKenzie or the lawyers listed in this Alert.
Key risks, red flags and information sharing thresholds
MAS has identified vulnerabilities in Singapore’s competitive advantage as a commercial centre and its deep global financial and trade linkages. Sharing of risk information through COSMIC will prevent bad actors from:
- Abusing the ease of both incorporating a company and opening a bank account to launder illicit proceeds and disguise their origin
- Hiding illicit proceeds amidst cross-border trade flows of large volume and value
- Disguising the illicit financing of weapons of mass destruction, and evading international sanctions through front companies and middlemen
Information on COSMIC will enable FIs to focus on detecting key ML, TF and PF risks by identifying bad behaviours and unusual transactions of customers such as:
- Creating networks of accounts or business relationships across multiple FIs
- Transferring illicit funds amongst them to disguise the origins of the funds
- Presenting fictitious trade or business documents to justify these transactions or obtain financing
By sharing risk information on these customers exhibiting multiple high-risk behaviours or indicators that suggest serious financial crime (red flags) with each other, FIs can more effectively identify illicit networks, ascertain if a customer’s explanation bears out, and warn each other of potentially suspicious customer activities.
The thresholds and red flags are based on typologies of past domestic and global cases. The indicators, to be adjusted over time as criminals’ methods evolve, will broadly include:
- Indications that a company’s profile may be fictitious
- The customer undertaking a series of financial transactions with unclear economic purpose, such as ‘round tripping’ funds back to their sender, rapidly passing monies from one party to another, or receiving or making sizeable payments from/to parties in unrelated industries
- The company being evasive or giving inconsistent replies to the FI’s queries about its unusual behaviour, or providing supporting documents that do not appear genuine
- Indications that seemingly unrelated companies conducting business with each other may in fact be operated or controlled by the same beneficial owners, with unusual patterns in the transactions amongst them
MAS intends to privately issue the red flags and threshold criteria to participant FIs. FIs and their officers will be legally obliged to keep the red flags and threshold criteria confidential to avoid unauthorised disclosure especially to bad actors, and to prevent circumvention by these bad actors.
Modes of information sharing
Based on examples of thresholds and red flags drawn from past cases, MAS will require FIs to share data in the following modes:
- Request: Where a customer exhibits red flag behaviour, the FI may request (“requesting FI”) other participating FIs (“receiving FIs”) for risk information on the customer that is linked to the activity to assess whether there are reasons to suspect that its customer is involved in illicit activity. If the receiving FI is satisfied that the information will assist the requesting FI in its assessment, the receiving FI should furnish the requested risk information within a reasonable time frame as well as use this risk information to perform an AML/CFT assessment of this shared customer.
- Provide: Where a customer’s unusual activities cross a higher threshold, indicating a greater risk of the customer being involved in illicit activity, the FI will have to proactively provide customer risk information to other FIs with a link to the customer’s activities. The receiving FIs must then perform an AML/CFT assessment of this shared customer and, where necessary, make further requests or issue more Provide messages to other participating FIs.
- Alert: Where a customer’s activities exhibit the higher threshold of red flags, and the FI has filed a suspicious transaction report on the customer and decided to terminate the relationship, the FI should place an Alert on this customer on the COSMIC watch list, which will require all participating FIs to check whether a prospective or existing customer is on this watch list.
For all three modes of Request, Provide and Alert, MAS will require the FI to explain in its submission its reasons for concern, including red flags observed and relevant risk information on the customer.
Note that the sole fact that the customer is placed on the COSMIC watch list does not automatically result in an FI rejecting or exiting this customer. MAS will also require the FI to provide the customer the opportunity to explain the unusual behaviour, and the FI must perform its own risk assessment based on the information obtained from the customer, which may provide additional or new perspectives on the risk level of the customer. Based on this assessment, the FI may decide to exit, retain or onboard the customer, and should ensure that the assessment and decision are properly documented.
After the FSMB is passed and comes into force, the sections on request, provide and alert requirements will be multiphased in application:
- In the initial phase (two years), the requirements will be voluntary for the initial participants.
- After two years, MAS will make these requirements mandatory for these initial participants.
- Subsequently, MAS will mandate certain aspects of information sharing to realise effective detection outcomes. MAS will progressively extend COSMIC to a wider segment of the financial sector and increase the key areas of focus, where appropriate.
Customer confidentiality, information security and privacy
MAS will introduce provisions in the FSMB to provide a legal basis for sharing of risk information, and safeguard the use and confidentiality of information obtained from COSMIC.
Information will be shared:
- Only for the purposes of countering ML, TF and PF: Sharing will be permitted only between FIs participating on COSMIC and within the bounds of the information sharing modes of Request, Provide and Alert.
- In a proportionate manner, to enable an FI to either:
  - Examine whether there are reasonable grounds for suspecting its customer of illicit activity.
  - Warn other FIs that a customer is engaging in potentially suspicious behaviour.
The FSMB adopts a similar approach to section 47 and the Third Schedule of the Banking Act (Cap. 19), which expressly sets out certain scenarios where disclosure of customer information is not prohibited.
The FSMB also provides safeguards that FIs must comply with when disclosing COSMIC information for specific operational purposes, including:
- For group-wide ML/TF/PF risk management
- To facilitate the performance of ML/TF/PF risk management duties and outsourcing of ML/TF/PF risk management operational functions
To protect the participant FIs from undue legal challenges arising from their participation on COSMIC, and to provide participant FIs with the confidence that legitimate information sharing will not expose them to civil suits, MAS will confer statutory protection from civil liability in respect of their disclosure of information, provided that the FI has exercised reasonable care and acted in good faith.
After the Financial Services and Markets Act comes into force, the sections on Request, Provide and Alert modes will be multiphased in application:
- In the initial phase (two years), the sharing requirements will be expected but nonmandatory for the first group of participants, focusing on key financial crime risks in commercial banking: abuse of shell companies, misuse of trade finance for illicit purposes, and PF.
- After two years, the requirements for a receiving FI to respond to a Request message, a participant FI to send a Provide message, and a participant FI to place an Alert on a customer will be made mandatory for these initial participants.
- Subsequently, MAS will mandate certain aspects of information sharing to realise effective detection outcomes. MAS will progressively extend COSMIC to a wider segment of the financial sector and increase the key areas of focus, where appropriate.
Conducting COSMIC-based reviews of customer relationships
While MAS will expect an FI to perform an AML/CFT assessment of customers that are flagged through COSMIC, in the same way as where an FI obtains risk-relevant information on its customer, MAS additionally expects the FI to use information from COSMIC in combination with other sources of information, such as its own checks with the customer, reviewing the customer’s transactions, public information sources or intelligence from authorities.
[1] See MAS press release at: https://www.mas.gov.sg/news/media-releases/2021/mas-and-financial-industry-to-use-new-digital-platform-to-fight-money-laundering