Singapore Passes MAS’ Bill on ‘COSMIC’ to Gather Info on “Red Flag” Customersby Fintech News Singapore May 10, 2023
The Singapore parliament has passed the Monetary Authority of Singapore’s (MAS) bill to establish the COSMIC platform.
COSMIC is a secure digital platform for financial institutions to share with one another, information on customers who exhibit multiple “red flags” that may indicate potential financial crime concerns.
Short for “Collaborative Sharing of ML/TF Information & Cases”, COSMIC will make it easier for financial institutions to detect and thereby deter criminal activity.
The bill amends the Financial Services and Markets Act 2022 to permit this sharing of information and provides the legal framework for it.
It has incorporated feedback from MAS’ public consultation on COSMIC in October 2021.
Key risk areas that COSMIC will focus on
COSMIC will initially focus on three key risks based on observed cases relating to criminal networks.
The first risk area is the misuse of legal persons, for example, the abuse of shell companies to launder illicit proceeds and layer funds.
The second risk area is trade-based money laundering which is the use of financing related to trade for illicit purposes. Criminals can use trade as a disguise to transfer their illicit monies across borders undetected, for example, using fraudulent trade documents.
The third and last risk area is proliferation financing and the evasion of international sanctions. Singapore’s deep financial and trade linkages exposes its financial institutions and companies to this risk.
When does COSMIC permit info sharing?
MAS stressed that participant financial institutions may use COSMIC to share customer information with one another only for detecting or preventing financial crimes.
Modes of info sharing
There are three modes under the bill in which information may be shared via COSMIC.
- A participant FI requests information from another participant
- A participant FI proactively provides information to another
- A participant FI places the customer on a watchlist to alert other participant FIs
An objective threshold needs to be crossed before information can be shared using any of the three modes. MAS said that the thresholds are progressively higher for Request, Provide and finally Alert.
Objective thresholds for sharing info
MAS will be issuing a directive to participant FIs detailing the threshold criteria for each of them, and the list of “red flags” associated with each threshold.
The “red flags” will correspond to known criminal profiles and behaviours for key financial crime risks. Only multiple “red flags” may trigger information sharing on COSMIC.
This sets an objective and reasonably high threshold to ensure that COSMIC is used only for cases of significant concern, and safeguards against frivolous requests that could unnecessarily expose customer risk information.
However, the thresholds, details and permutations of the “red flags” must be kept strictly confidential among only the participant FIs, to prevent criminals from circumventing them.
The bill will also afford protection to participant FIs from civil suits. Specifically, they will be granted immunity from liability for any loss arising out of the disclosure on COSMIC, or any act or omission in consequence of the disclosure, if the disclosure was done in accordance with the legal framework, with reasonable care and in good faith.
Safeguards to protect legitimate customers
Participant FIs should first assess if there are valid reasons for the customer’s behaviour or profile, before sharing information on COSMIC.
As part of the bank’s risk assessment, banks are also expected to reach out to customers to allow them the opportunity to address the bank’s risk concerns and to explain unusual behaviors observed.
This will ensure that customers have a chance to explain and that legitimate customers are not inadvertently adversely impacted by sharing on COSMIC.
In addition, even after information has been shared on COSMIC, financial institutions must make an independent risk assessment of a customer.
They should not rely solely on the information received on COSMIC or from COSMIC to terminate a customer relationship, including the fact that a customer has been placed on the “watchlist”.
More broadly, MAS will require participant financial institutions to correct any errors or omissions, especially if a customer has provided further clarifications to address earlier financial crime concerns.
How will MAS protect COSMIC info?
MAS stressed that it will ensure that the information is exchanged and stored securely as the owner of the COSMIC platform.
The platform will have robust controls, including cybersecurity measures, such as data encryption and firewalls to block unauthorised external access. It will also have strict user access limitations. These controls will be subject to periodic audits to ensure their efficacy.
Participant FIs will not be allowed to disclose information obtained from COSMIC to a third party, except in tightly circumscribed and specific circumstances, such as for compliance with court orders or requests from police to facilitate investigations.
Singapore Police Force’s Suspicious Transactions Reporting Office (STRO) will also be able to view and use COSMIC information to support the prevention and detection of financial crime.
How will COSMIC be rolled out?
MAS said that it plans to introduce COSMIC in phases. MAS will prescribe the financial institutions that will participate in COSMIC.
In the first phase, MAS will make COSMIC available to the six major Singapore banks – DBS, OCBC, UOB, SCB, Citibank, and HSBC – which it is already co-developing the platform with.
According to the regulator, sharing of information between MAS and these six banks will be voluntary in this first phase.
This allows the COSMIC platform to achieve operational stability, and enables MAS to closely engage participant financial institutions to calibrate COSMIC’s features and address operational concerns.
Subsequently, MAS plans to expand COSMIC’s coverage to more focus areas and financial institutions, and make sharing mandatory in higher-risk circumstances.