"Financial Services and Markets (Amendment) Bill" – Second Reading Speech by Mr Alvin Tan, Minister of State, Ministry of Culture, Community and Youth & Ministry of Trade and Industry, and Board Member of MAS, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-charge of the Monetary Authority of Singapore, on 9 May 2023
1. Madam Deputy Speaker, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister-In-Charge of the Monetary Authority of Singapore, I beg to move, “That the Bill be now read a second time”.
2. Madam, a clean and trusted financial sector is the basis upon which both Singaporeans and foreigners choose to invest and have their funds managed here in Singapore. The Monetary Authority of Singapore (MAS) supervises and works closely with financial institutions (FIs) to strengthen Singapore’s defences against money laundering (ML), terrorism financing (TF), and financing of the proliferation of weapons of mass destruction (proliferation financing or PF). I shall refer to these as “financial crimes” for convenience, throughout my speech.
3. While financial institutions have made significant strides to strengthen their defences against financial crimes, they are currently unable to warn one another about unusual activity involving their customers, given customer confidentiality obligations. Criminals exploit this by making illicit transactions through different financial institutions to avoid detection.
4. To address this problem, MAS proposes to establish and maintain a secure digital platform for financial institutions to share with one another, information on customers who exhibit multiple “red flags” that may indicate potential financial crime concerns, if stipulated thresholds are met. These include those who seek to be or have been a customer of a financial institution. This platform will be named COSMIC, which is short for “Collaborative Sharing of ML/TF Information & Cases”. COSMIC will make it easier for financial institutions to detect and thereby deter criminal activity.
5. The Bill amends the Financial Services and Markets Act 2022 to permit this sharing of information and provides the legal framework for it. It will set out when and how such sharing of risk information relating to the customer may take place. The Bill also sets out robust legal and operational safeguards to protect the confidentiality of the information being shared, and the interests of legitimate customers.
6. The Bill incorporates feedback from MAS’ public consultation on COSMIC in October 2021. The consultation received broad support for COSMIC and its objective of combatting financial crime.
7. Let me briefly provide an overview of COSMIC, before elaborating how the Bill will support responsible information sharing within it.
OVERVIEW OF COSMIC
8. As mentioned earlier, COSMIC will allow participant financial institutions to share with one another information on a confidential basis, on customers whose profile or behaviour exhibits potential financial crime concerns. Such risk information could include “red flag” behaviours and details of the concerning transaction. Sharing on COSMIC would provide a recipient FI with better information to augment its risk understanding of a customer, thus enabling the FI to detect suspicious behaviour more accurately and expediently. An FI may use this information to confirm if a customer’s explanation for a financial transaction makes sense. If the FI assesses that a customer may be handling proceeds of a crime, it is required under existing law (specifically the Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992), to file a suspicious transaction report (STR) with the Singapore Police Force’s Suspicious Transactions Reporting Office, or STRO.
9. COSMIC will initially focus on three key risks which MAS and the Commercial Affairs Department (or CAD) have identified, based on their observed cases relating to criminal networks. These are areas which we have judged to benefit most from information-sharing between financial institutions at scale, and which are also high on Singapore’s priority list of risks, as identified through our continued risk surveillance.
10. The first risk area is the misuse of legal persons, for example, the abuse of shell companies. The ease of setting up a company and opening a corporate bank account supports the development of local enterprises and makes Singapore an attractive commercial centre. But we do not want criminals to take advantage of this convenience to commit financial crime, by using legal persons such as shell companies to launder monies. The misuse of legal persons to launder illicit proceeds and layer funds is also a concern related to international financial crime.
11. The second risk area is trade-based money laundering. This is the use of financing related to trade for illicit purposes. As Singapore is a global commercial and trading hub, many companies here actively participate in and facilitate regional and global trade. Our financial institutions provide key services that enable such activity. However, criminals can use trade as a disguise to transfer their illicit monies across borders undetected, for example, using fraudulent trade documents. Suppliers and customers featured in a trade payment could be controlled by the same nefarious company that is trying to launder illicit funds under the guise of genuine businesses. Mitigating trade-based money laundering is important to protect the trust in our financial institutions and companies, and to also protect legitimate trade flows.
12. The third and last risk area is proliferation financing and the evasion of international sanctions. Singapore’s deep financial and trade linkages expose our financial institutions and companies to this risk. As a responsible member of the global community, Singapore must act strongly against the financing of such activity.
13. As information sharing under COSMIC is a new paradigm in the fight against financial crime, MAS plans to introduce COSMIC in phases. MAS will prescribe the financial institutions that will participate in COSMIC. In the first phase, MAS will make COSMIC available to the six major Singapore banks which it is already co-developing the platform with. They are DBS, OCBC, UOB, SCB, Citibank, and HSBC. Sharing of information between MAS and these six banks will be voluntary in this first phase. This allows the COSMIC platform to achieve operational stability, and enables MAS to closely engage participant financial institutions to calibrate COSMIC’s features and address operational concerns. Subsequently, MAS plans to expand COSMIC’s coverage to more focus areas and financial institutions, and make sharing mandatory in higher-risk circumstances.
KEY ASPECTS OF THE BILL
14. Madam, let me now explain in more detail how the Bill will allow participant financial institutions to warn one another of potential criminal behaviour, while safeguarding the interests of the vast majority who are legitimate customers. I will first elaborate on the scope of information sharing permitted on COSMIC, including the three modes and the objective thresholds for sharing. I will also share about the safeguards in place to protect legitimate customers from being adversely impacted by such sharing, and how data shared on COSMIC will be protected.
(A) COSMIC permits sharing only for the mitigation of financial crime risks
15. I earlier mentioned that participant financial institutions may use COSMIC to share customer information with one another only for detecting or preventing financial crimes, if these customers exhibit multiple “red flags” that indicate potential financial crime concerns, and if the stipulated thresholds are met. The Bill will set out how this information may be shared, and the types of cases that are serious enough to warrant such sharing.
Modes of Information Sharing
16. There are three modes under the Bill in which information may be shared via COSMIC. They relate to: one, a participant financial institution requesting information from another participant; two, a participant financial institution proactively providing information to another; and three, a participant financial institution placing the customer on a watchlist to alert other participant financial institutions. An objective threshold needs to be crossed before information can be shared using any of the three modes. Which mode is to be used is largely guided by the extent of a customer’s “red flag” behaviours. The thresholds are progressively higher for Request, Provide and finally Alert.
Objective Thresholds for Sharing Information
17. To establish an objective standard for when information may be shared under each of these three modes of sharing, MAS will issue a directive to participant FIs detailing the threshold criteria for each of them, and the list of “red flags” associated with each threshold. The “red flags” will correspond to known criminal profiles and behaviours for key financial crime risks. For example, where transaction activities are inconsistent with the business profile of the company and cannot be explained, or if there are clear discrepancies in supporting documents that also cannot be explained. Further, only multiple “red flags” may trigger information sharing on COSMIC. This sets an objective and reasonably high threshold to ensure that COSMIC is used only for cases of significant concern, and safeguards against frivolous requests that could unnecessarily expose customer risk information. However, the thresholds, details and permutations of the “red flags” must be kept strictly confidential among only the participant FIs, to prevent criminals from circumventing them.
18. Sir, the “red flags” and thresholds are intended to ensure that sharing is purposeful and strictly restricted to cases of high financial crime concern. For most customers, no “red flag” indicators will be triggered. For these customers, I wish to reiterate that participant financial institutions will not be permitted to share customer’s information. In fact, COSMIC is intended to help identify and weed out nefarious companies more effectively so that legitimate customers can operate in a trusted environment.
19. Lastly, to ensure we do not unduly impede legitimate sharing aimed at safeguarding our financial system, the Bill will also afford protection to participant FIs from civil suits. Specifically, they will be granted immunity from liability for any loss arising out of the disclosure on COSMIC, or any act or omission in consequence of the disclosure, if the disclosure was done in accordance with the legal framework, with reasonable care and in good faith. This will provide participant FIs with confidence that legitimate information sharing to highlight higher risk customers and their related activities will not unduly expose them to legal challenge, which may even be brought by the very actors that COSMIC seeks to guard against.
Safeguards to Protect Legitimate Customers
20. Notwithstanding, I would like to address possible situations where legitimate customers are inadvertently associated with bad actors. For example, a company could end up unknowingly trading with an illicit counterparty, and hence be subject to a participant financial institution’s scrutiny.
21. There are safeguards in place to protect legitimate customers. Participant FIs should first assess if there are valid reasons for the customer’s behaviour or profile, before sharing information on COSMIC. As part of the bank’s risk assessment, banks are also expected to reach out to customers to allow them the opportunity to address the bank’s risk concerns and to explain unusual behaviors observed. Bank customers are thus strongly encouraged to be forthcoming and respond promptly to their bank’s due diligence requests. This will ensure that customers have a chance to explain and that legitimate customers are not inadvertently adversely impacted by sharing on COSMIC.
22. In addition, even after information has been shared on COSMIC, financial institutions must make an independent risk assessment of a customer. A financial institution should not rely solely on the information received on COSMIC or from COSMIC to terminate a customer relationship, including the fact that a customer has been placed on the “watchlist”. More broadly, MAS will require participant financial institutions to ensure accuracy and completeness of the information shared on COSMIC and to correct any errors or omissions, especially if a customer has provided further clarifications to address earlier financial crime concerns.
23. MAS will closely monitor how participant financial institutions use COSMIC information in cases where they had exited customer relationships, to ensure that customers are given opportunities to address the concerns of financial institutions.
(B) Safeguarding the use of and access to COSMIC information
24. Let me now move on to safeguards on the use of and access to information disclosed on COSMIC. As the owner of the COSMIC platform, MAS will ensure that COSMIC information is exchanged and stored securely. The platform will have robust controls, including cybersecurity measures, such as data encryption and firewalls to block unauthorised external access. It will also have strict user access limitations. These controls will be subject to periodic audits to ensure their efficacy.
25. When information is passed to participant financial institutions, participant financial institutions will not be allowed to disclose information obtained from COSMIC to a third party, except in tightly circumscribed and specific circumstances, such as for compliance with Court orders or requests from police to facilitate investigations. Additionally, the Bill will empower MAS to require participant financial institutions to maintain strong information cybersecurity measures for COSMIC data. This includes requirements to have systems and processes in place to prevent unauthorised use or disclosure of information obtained from COSMIC, and robust cybersecurity and encryption measures to safeguard information obtained from COSMIC. MAS will be able to inspect participants’ adherence to these measures, and will not hesitate to take firm action if they uncover any breach.
26. Apart from participant financial institutions, MAS will have access to all information shared on the platform. This is necessary for MAS to monitor if participant financial institutions are using COSMIC appropriately, and will also support MAS’ broader supervisory and surveillance role to ensure that financial institutions have robust defences against financial crime. STRO, which analyses and disseminates financial intelligence to law enforcement and regulatory agencies, will also be able to view and use COSMIC information to support the prevention and detection of financial crime.
27. Madam Deputy Speaker, in conclusion, by addressing an information sharing gap, the Bill will enable financial institutions and MAS to respond quickly to potential financial crime activity within the financial system. In parallel, adequate safeguards will be put in place to protect confidentiality of the information shared. This will strengthen Singapore’s role and reputation as a safe, trusted and innovative global financial centre.
28. Madam, I beg to move.
MAS had worked closely with the Commercial Affairs Department (CAD) to facilitate the development of the case that led to the Police’s arrest of 10 individuals for suspected involvement in offences including forgery and/or money laundering and resistance to lawful apprehension. MAS has also been collaborating closely with CAD to identify potentially tainted funds and assets in our financial system and prevent their dissipation.
Singapore announces Five-Pronged Strategy to Counter the Financing of Terrorism
Keynote Speech by Ms Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime), Monetary Authority of Singapore, at the ACAMS 12th Annual AML & Anti-Financial Crime Conference – APAC on 27 April 2021