The Financial Services and Markets (Amendment) Bill before the House today fills a gap in our current regulatory eco-system.
Over the years, MAS has closely supervised and worked with financial institutions (“FIs”) to strengthen Singapore’s defences to prevent money laundering (“ML”), terrorism financing (“TF”), and proliferation financing (“PF”). However, a weakness in the effective detection of illicit financial flows lies in the inability of FIs to alert each other to unusual activity in their customers’ accounts. Financial criminals exploit these “information silos” by making illicit transactions through a web of accounts in different FIs and moving from one FI to another to avoid detection. This Bill seeks to remedy that weakness.
To address this gap, MAS will establish and maintain a secure digital platform for FIs to share information on customers that exhibit multiple red flags indicative of potential illicit activities with each other. This platform, named COSMIC (short for “Collaborative Sharing of ML/TF Information & Cases”), will enable FIs to conduct sharper analysis of customer behaviours and activities to detect potential illicit activities more promptly and warn each other of such activities. By eliminating the information gaps between FIs, it will be easier to detect criminals.
Mr Speaker sir, I support the Bill and my speech will contain certain clarifications and suggestions for the implementation of the provisions of the Bill.
The banks involved in COSMIC in the initial stage
Sir, the six major commercial banks that are selected to be involved in the initial stage of COSMIC are DBS, OCBC, UOB, SCB, Citibank, and HSBC.
While starting with the banks with the largest local network might make sense, they are also the banks with the least to lose in turning down customers, and are likely to have the most resources to pursue and file Suspicious Transaction Reports (STRs), or perform deep dives into customer networks and relationships.
In comparison, it is the smaller offshore and private banks that would, perhaps, benefit the more from such a network of information sharing, and provide the most insight. For example, MAS withdrew the merchant banking license of one such FI, Falcon Private Bank Ltd, in 2016. In 2021, MAS fined the Singapore branch of another such FI, Bank J Safra Sarasin Ltd, for AML/CFT compliance lapses.
These banks are also the ones which would, in my opinion, likely face the most pushback from customers and Special Purpose Vehicles set up to obfuscate identities when it comes to asking Know Your Client (KYC) questions.
Adding a select group of such smaller offshore private banks into the start-up group of FIs for COSMIC, perhaps those with the largest AUM from Singapore, would be advisable. I encourage the government to consider doing this as soon as practicable. After all, in its response to the consultation with FIs, MAS sad that the initial phase would last as long as two years, which is a fairly long time.
Actual implementation and liability
While details will be eventually forthcoming, one concern is how prescriptive the subsidiary legislation from MAS will be. Clear and prescriptive regulations would minimise confusion amongst participant banks over what specifically might constitute grounds for submission of information to COSMIC.
The revised Section 28E of the Bill makes clear under what conditions a FI may make disclosures to another FI in respect of a suspicious transaction, but does not seem to be as clearly prescriptive as to under what circumstances an FI is obligated or expected or required to report such information to another FI.
The actual framework of predetermined red flags will need to be comprehensive yet flexible enough. Presumably this will be fleshed out in subsidiary regulations.
Otherwise, MAS and/or the Suspicious Transaction Reporting Officers or STROs could become inundated with questions over whether such and such a transaction should be submitted to COSMIC, to which the reply might be that banks should conduct their own assessment and submit the information if deemed appropriate. In other words, sufficiently clear and prescriptive guidelines on what constitutes a transaction that should be submitted to another FI via COSMIC would be critical to prevent confusion and possible over-submission of information.
Hence, I would urge MAS to issue these guidelines expeditiously and review these regularly in consultation with the FI community.
In relation to this particular point, the MAS, in its response to the consultation with FIs, said:
“Information sharing on COSMIC will be done via a structured data template that will be made available to all participant FIs. This will include fields for information relating to the customer including identifying information of the customer and the beneficial owners and authorised signatories of the customer, details of the transactions in question, the red flag behaviour exhibited, and the risk analysis that is relevant to the customer relationship.”
I trust these templates will be sufficiently granular to address the point I have made.
Interaction of this new Bill and Para 13.4 under MAS Notice 626
Next, the primary intent of this Bill is to enable information sharing between FIs on suspicious activity. However, paragraph 13.4 under MAS Notice 626 already gives FIs the power to share customer information to third parties without obtaining customer consent, if it is in relation to AML/CFT issues. This paragraph reads:
“13.4 For the purposes of complying with this Notice, a bank may, whether directly or through a third party, collect, use and disclose personal data of an individual customer, an individual beneficiary of a life insurance policy, an individual appointed to act on behalf of a customer, an individual connected party of a customer or an individual beneficial owner of a customer, without the respective individual’s consent.”
Thus, it would be helpful if the government could clarify just how this provision in MAS Notice 626 would interact with the provisions of this new Bill and COSMIC.
For example, can FIs share information about suspicious transactions or clients bilaterally, as it were, without reference to the COSMIC platform but taking reference instead from this provision in MAS Notice 626? Or should all such information sharing henceforth be channelled through COSMIC and be transacted under the provisions of this Bill?
Determining the thresholds of fund flows that raise red flags
Next, according to the Bill, information sharing will only be permitted if the customer’s behaviour or transaction activities exhibit pre-determined red flags that cross stipulated thresholds, suggesting that potential financial crime could be taking place.
The wording in the Bill seems to suggest that these thresholds are static threshold without the element for dynamic adjustment which is at odds with the global environment’s dynamic pace.
Hence, I would like to ask the government:
- How often will these thresholds be reviewed to determine if these thresholds have been set such as to effectively identify illicit financial flows?
- How will these thresholds be benchmarked against global standards for illegal financial flows?
Cybersecurity at COSMIC is paramount
Next, COSMIC is at its heart an online system where the key players are interacting in cyberspace. However highly confidential financial information is being shared on this system.
Should the system and some or all of the information it contains fall prey to bad actors, or COSMIC is compromised, the outcome may be extremely harmful for FIs, their customers and for Singapore, reputationally.
Thus, a key concern is how COSMIC will be secured. Who will be responsible for the integrity of the system? Would it be a special team at MAS or would this be outsourced to another government agency or private company, and if so, which one?
In conclusion sir, the Bill before us marks a significant step in enabling FIs to share information on suspicious patterns of behaviour with respect to anti ML, TF and PF goals.
The new system thus created will need to rest on clear regulatory guidelines, frequent reviews amidst a dynamic global financial services and financial crime environment as well as powerful cybersecurity defences.