22 May 2023

On 9 May 2023, the Financial Services and Markets (Amendment) Bill (“Bill”) was passed in Parliament. The Bill provides the legal framework for financial institutions (“FIs”) to share information on customers, through a secure digital platform called COSMIC (short for “Collaborative Sharing of ML/TF Information & Cases”), for the purposes of mitigating money laundering, terrorism financing and proliferation financing (collectively, “financial crimes”) risks. The Bill sets out when and how such sharing of risk information relating to a customer may take place. It also sets out robust legal and operational safeguards to protect the confidentiality of the information being shared, and the interests of legitimate customers.

Rationale for establishment of COSMIC

In his speech delivered at the second reading of the Bill, Alvin Tan, Minister of State, Ministry of Culture, Community and Youth and Ministry of Trade and Industry, and board member of the Monetary Authority of Singapore (“MAS”), explained that while FIs have made significant strides to strengthen their defences against financial crimes, they are currently unable to warn one another about unusual activity involving their customers, given customer confidentiality obligations. Criminals exploit this by making illicit transactions through different FIs to avoid detection.

COSMIC seeks to address this problem by allowing FIs to share with one another information on customers who exhibit multiple “red flags” that may indicate potential financial crime concerns.

Sharing on COSMIC would provide a recipient FI with better information to augment its risk understanding of a customer, thus enabling the FI to detect suspicious behaviour more accurately and expediently. An FI may use this information to confirm if a customer’s explanation for a financial transaction makes sense. If the FI assesses that a customer may be handling proceeds of a crime, it is required under existing law (specifically the Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992) to file a suspicious transaction report with the Singapore Police Force’s Suspicious Transactions Reporting Office (“STRO”).

Overview of COSMIC

COSMIC will initially focus on the following three key risks: (1) the misuse of legal persons, such as the abuse of shell companies, (2) trade-based money laundering, and (3) proliferation financing and the evasion of international sanctions.

MAS plans to introduce COSMIC in phases. In the first phase, MAS will make COSMIC available to the six major Singapore banks which it is already co-developing the platform with. Sharing of information between MAS and these six banks will be voluntary in this first phase. Subsequently, MAS plans to expand COSMIC’s coverage to more focus areas and FIs, and make sharing mandatory in higher-risk circumstances.

COSMIC permits sharing only for mitigation of financial crime risks

Participant FIs may use COSMIC to share customer information with one another only for detecting or preventing financial crimes, if these customers exhibit multiple “red flags” that indicate potential financial crime concerns, and if the stipulated thresholds are met. 

Modes of information sharing

There are three modes under the Bill in which information may be shared via COSMIC. They relate to (1) a participant FI requesting information from another participant, (2) a participant FI proactively providing information to another, and (3) a participant FI placing the customer on a watchlist to alert other participant FIs.

Objective thresholds for sharing information

An objective threshold needs to be crossed before information can be shared using any of the three modes. MAS will issue a directive to participant FIs detailing the threshold criteria for each of them, and the list of “red flags” associated with each threshold. The “red flags” will correspond to known criminal profiles and behaviours for key financial crime risks. Only multiple “red flags” may trigger information sharing on COSMIC. The thresholds, details and permutations of the “red flags” must be kept strictly confidential among only the participant FIs to prevent criminals from circumventing them.

The Bill will afford protection to participant FIs from civil suits by granting them immunity from liability for any loss arising out of the disclosure on COSMIC, or any act or omission in consequence of the disclosure, if the disclosure was done in accordance with the legal framework, with reasonable care and in good faith.

Safeguards to protect legitimate customers

There are safeguards in place to protect legitimate customers inadvertently associated with bad actors, such as those who unknowingly trade with an illicit counterparty. Participant FIs should first assess if there are valid reasons for the customer’s behaviour or profile before sharing information on COSMIC. Banks, as part of their risk assessment, are also expected to reach out to customers to allow them the opportunity to address the bank’s risk concerns and to explain unusual behaviours observed.

Even after information has been shared on COSMIC, an FI must make an independent risk assessment of a customer. An FI should not rely solely on the information received on COSMIC or from COSMIC to terminate a customer relationship. Participant FIs will be required to ensure the accuracy and completeness of information shared on COSMIC and correct any errors or omissions, especially if a customer has provided further clarifications to address earlier financial crime concerns.

Safeguarding use of and access to COSMIC information

As the owner of the COSMIC platform, MAS will ensure that COSMIC information is exchanged and stored securely. The platform will have robust controls, including cybersecurity measures, which will be subject to periodic audits to ensure their efficacy.

When information is passed to participant FIs, participant FIs will not be allowed to disclose information obtained from COSMIC to a third party, except in tightly circumscribed and specific circumstances, such as for compliance with court orders or requests from police to facilitate investigations. MAS will be empowered to require participant FIs to maintain strong information cybersecurity measures for COSMIC data and will be able to inspect participants’ adherence to these measures.

Apart from participant FIs, MAS will have access to all information shared on the platform. This is necessary for MAS to monitor if participant FIs are using COSMIC appropriately, and will also support MAS’ broader supervisory and surveillance role to ensure that FIs have robust defences against financial crime. The STRO, which analyses and disseminates financial intelligence to law enforcement and regulatory agencies, will also be able to view and use COSMIC information to support the prevention and detection of financial crime.

Reference materials

The following materials are available on the Parliament website www.parliament.gov.sg and the MAS website www.mas.gov.sg: