On 1 October 2021, the Monetary Authority of Singapore (“MAS”) announced that it will introduce a digital platform and regulatory framework for financial institutions (“FIs") to share information with each other on customers and transactions to prevent money laundering (“ML”), terrorism financing (“TF”) and proliferation financing (“PF”). MAS has issued a consultation paper and, from 1 October 2021 to 1 November 2021, is seeking feedback on the introduction of the proposed regulatory framework for information sharing and the platform to be named the Collaborative Sharing of ML/TF Information & Cases, or COSMIC for short.
Being able to query and alert each other on potential illicit behaviours will enable FIs to better assess customers and transactions and enhance the quality of the suspicious transaction report (“STR”) that FIs are required to file if they suspect that a customer is involved in ML/TF/PF activities. Information sharing will also allow faster detection of illicit actors, and allow MAS, law enforcement agencies and FIs to act early to disrupt criminal networks and stem material damage to the financial system.
The information sharing by FIs on COSMIC will be permitted only for the purpose of combating ML, TF and PF. It is proposed that information to be shared include information relating to, or particulars of, a customer (e.g. the beneficial owners and authorised signatories of a customer) and transactions, the high risk behaviour exhibited, and risk observations or analysis that are relevant to the account or customer (“risk information”). COSMIC participants will also be required to implement robust measures to safeguard against unauthorised use and disclosure of COSMIC information. MAS will supervise FIs for compliance with these requirements and take action against errant FIs.
Targeted for launch in the first half of 2023, the COSMIC platform will be developed and deployed in phases with an initial focus on combating the key risk areas of misuse of legal persons (such as shell companies), trade-based ML, and PF. To allow participant FIs adequate time to familiarise themselves with this new paradigm, information-sharing on COSMIC will be voluntary in the initial phase. Subsequently, certain aspects of information sharing will be made mandatory. The initial participants will be six banks which MAS had involved in the development of COSMIC. Following the initial phase, MAS intends to make the risk information sharing requirements mandatory. MAS will also consider when to expand the scope of participant FIs and the key risks to be targeted by COSMIC.
Key information-sharing features of COSMIC
Focus on key risks
In the initial phase of COSMIC, sharing of risk information will be permitted to detect and disrupt the following:
- Misuse of legal persons: Internationally, the misuse of legal persons to launder illicit proceeds and disguise their origin is a dominant financial crime concern. In the Singapore context, the Singapore Police Force’s Commercial Affairs Department and MAS have observed cases of shell companies being used to launder suspicious or illicit flows.
- Trade-based ML: Criminals may seek to transfer illicit proceeds across borders under the guise of global trade, as these can be hidden amidst flows of large volume and value. It is important to mitigate such trade-based ML in order to allow FIs and companies to continue engaging in and facilitating legitimate regional and global trade flows.
- Proliferation financing: PF is the illicit financing of weapons of mass destruction, as well as the evasion of international sanctions. It is important to detect and disrupt PF as Singapore’s deep financial and trade linkages globally are vulnerable to being exploited for PF.
Red flags and thresholds for information sharing
A legislative framework will be introduced to govern the sharing of risk information on COSMIC. Under the framework, a customer must first exhibit multiple high risk behaviours or indicators that suggest serious financial crime (“red flags”) before the FI is required to or may share risk information on that customer with other participant FIs. MAS will also require the FI to seek an explanation from the customer for the red flags as part of its risk assessment of potential financial crime concerns. Red flags will include:
- indications that a company’s profile may be fictitious;
- the customer undertaking a series of financial transactions with unclear economic purpose, such as “round tripping” funds back to their sender, rapidly passing monies from one party to another, or receiving or making sizeable payments from/to parties in unrelated industries;
- the company being evasive or giving inconsistent replies to the FI’s queries about its unusual behaviour, or providing supporting documents that do not appear genuine; and/or
- indications that seemingly unrelated companies conducting business with each other may in fact be operated or controlled by the same beneficial owners, with unusual patterns in the transactions among them.
Modes of information sharing
An FI may request for risk information on a customer that has been flagged through COSMIC from other FIs which are linked to the activity. MAS proposes three modes of information sharing:
- Request: A Request message must focus on clarifying a potential suspicion involving certain red flag behaviour that the customer has exhibited. The requesting FI can only seek information that would help to establish or clear suspicions on its customer. The Request message should explain the context of the Request, including the red flags observed and relevant risk information on the customer. The receiving FI should furnish the requested risk information within a reasonable timeframe, if it is satisfied that such risk information may assist in the assessment and determination of ML/TF/PF risk concerns.
- Provide: Where the customer’s unusual activities cross a higher threshold, indicating a greater risk of illicit activity, an FI would have to proactively provide risk information on the customer by sending a Provide message to other FIs with a link to the customer’s activities. As with a Request message, the Provide message should explain the context of the concern, including red flags observed and relevant risk information on the customer. Upon receiving a Provide message, an FI must perform an anti-money laundering and countering the financing of terrorism (“AML/CFT”) assessment of its own customer within a reasonable time period, taking into account the information received. If necessary, the receiving FI may also make a further Request and/or issue more Provide messages to the same FI or other participant FIs on COSMIC.
- Alert: Where a customer’s activities exhibit the higher threshold of red flags, and the FI has filed an STR on the customer and decided to terminate the relationship, the FI should place an Alert on this customer on the “watchlist” in COSMIC. As with Request and Provide messages, the FI should explain in its submission its reasons for concern, including red flags observed and relevant risk information on the customer. Participant FIs on COSMIC should check if a prospective or existing customer is on the watchlist and use the risk information as part of their AML/CFT assessments on prospective or existing customers.
FIs should respond to Request messages, send Provide messages and place Alerts on customers within a reasonable time period so that the information from COSMIC is received and can be acted upon in a timely manner. Material networks of suspicious actors and activities, forming across FIs, will be automatically escalated by COSMIC to MAS for further analysis and follow-up.
Statutory framework and confidentiality of information-sharing
The legislative framework for COSMIC will be set out in the new Financial Services and Markets Act (“FSMA”) which has yet to be enacted. The Financial Services and Markets Bill is targeted to be introduced in Parliament later this year. MAS intends to amend the new FSMA to include the framework for COSMIC. The proposed legislative provisions for COSMIC are set out in Annex B to the consultation paper.
The proposed legislative framework will permit the disclosure of risk information on COSMIC for AML/CFT purposes only. Sharing of risk information will be permitted only between participant FIs and within the bounds of the information sharing modes of Request, Provide and Alert. Participant FIs will be required to put in place measures to safeguard the confidentiality and appropriate use of the shared risk information. These requirements will be set out in subsidiary legislation and include requirements to have systems and processes in place to prevent unauthorised access to and use of platform information, and requirements to maintain records and audit trails of access to risk information, and restrictions on staff access to COSMIC.
FIs and their officers may be subject to penalties if they do not comply with the requirements of the legislative framework.
Statutory protection against civil liabilities
Under the proposed legislative framework, FIs participating on COSMIC will be conferred statutory protection from civil liability in respect of their disclosure of information onto COSMIC, provided the FI had exercised reasonable care and acted in good faith. This will give participant FIs confidence that legitimate information sharing on COSMIC to highlight higher risk customers and their related activities will not expose them to civil suits.
Sharing of platform information with local and overseas affiliates of FIs, and third parties
In the consultation paper, MAS sets out the scenarios and related conditions that have to be met before an FI may share COSMIC platform information with local and overseas affiliates of FIs, and third parties. These scenarios will be expressly provided for under the FSMA.
Purposes for which platform information may be disclosed include the following:
- For specific legal purposes and to facilitate investigations or prosecutions of offences, e.g. for compliance with court orders or requests from police or public officers, and for the making of a complaint or report relating to an alleged offence. Disclosure of platform information will also be allowed for compliance with the provisions of the FSMA. This approach is similar to that under the Banking Act.
- To facilitate the performance of ML/TF/PF risk management duties (e.g. for the carrying out of AML/CFT controls and processes including customer due diligence, transaction monitoring and AML data analytics) and outsourcing of ML/TF/PF risk management operational functions. FIs will be required to comply with additional conditions when making further disclosures of platform information for such purposes.
- For group-wide ML/TF/PF risk management. FIs will be permitted to disclose the platform information they receive from COSMIC to both their local and overseas affiliates only for group-wide ML/TF/PF risk management purposes, on a need-to-know basis and provided additional conditions are met.
The imposition of additional conditions in (2) and (3) above is necessary to mitigate the risks of leakage and unauthorised disclosures, and unintended legal risks to FIs that had shared the information. FIs should note that platform information should not be further disclosed to any other persons and for any other purposes other than as set out in the consultation paper.
Use of COSMIC information to conduct reviews of customer relationships
FIs will be expected to perform an AML/CFT assessment of customers that are flagged through COSMIC as engaging in high risk behaviours or highly unusual activities. The assessment should be done using information from COSMIC together with other sources of information, such as the FI’s checks with the customer, a review of the customer’s transactions, public information sources or intelligence from authorities. An FI wishing to exit the customer relationship should give the customer adequate opportunity to explain the observed activity. In this regard, MAS intends to amend the AML/CFT Notices to require that, prior to exiting a customer relationship, an FI must provide the customer adequate opportunity to address its concerns, and document its assessment and the results of these checks with the customer. These requirements will apply to all FIs, not just those with access to COSMIC. MAS will consult on the Notice amendments later.
The following materials are available on the MAS website www.mas.gov.sg: