Financial Services and Markets (Amendment) Bill

Order for Second Reading read.

1.43 pm

The Minister of State for Culture, Community and Youth and Trade and Industry (Mr Alvin Tan) (for the Senior Minister and Coordinating Minister for Social Policies): Mdm Deputy Speaker, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-Charge of the Monetary Authority of Singapore (MAS), I beg to move, "That the Bill be now read a second time".

Madam, a clean and trusted financial sector is the basis upon which both Singaporeans and foreigners choose to invest and have their funds managed here in Singapore. MAS supervises and works closely with financial institutions (FIs) to strengthen Singapore's defences against money laundering (ML), terrorism financing (TF) and financing of the proliferation of weapons of mass destruction. I shall refer to these as "financial crimes" for convenience, throughout my speech.

While FIs have made significant strides to strengthen their defences against financial crimes, they are currently unable to warn one another about unusual activity involving their customers, given customer confidentiality obligations. Criminals exploit this by making illicit transactions through different FIs to avoid detection.

To address this problem, MAS proposes to establish and maintain a secure digital platform for FIs to share, with one another, information on customers who exhibit multiple "red flags" that may indicate potential financial crime concerns, if stipulated thresholds are met. These include those who seek to be or have been a customer of an FI. This platform will be named COSMIC, which is short for "Collaborative Sharing of ML/TF Information and Cases". COSMIC will make it easier for FIs to detect and, thereby, deter criminal activity.

The Bill amends the Financial Services and Markets Act 2022 to permit this sharing of information and provides the legal framework for it. It will set out when and how such sharing of risk information relating to the customer may take place. The Bill also sets out robust legal and operational safeguards to protect the confidentiality of the information being shared and the interests of legitimate customers.

The Bill incorporates feedback from MAS' public consultation on COSMIC in October 2021. The consultation received broad support for COSMIC and its objective of combatting financial crime. Let me briefly provide an overview of COSMIC, before elaborating how the Bill will support reasonable information sharing within it.

As mentioned earlier, COSMIC will allow participant FIs to share with one another information, on a confidential basis, on customers whose profile or behaviour exhibits potential financial crime concerns. Such risk information could include "red flag" behaviours and details of the concerning transaction. Sharing on COSMIC would provide a recipient FI with better information to augment its risk understanding of a customer, thus enabling the FI to detect suspicious behaviour more accurately and expediently.

An FI may use this information to confirm if a customer's explanation for a financial transaction makes sense. If the FI assesses that the customer may be handling proceeds of a crime, it is required under existing law, specifically the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, to file a suspicious transaction report (STR) with the Singapore Police Force's Suspicious Transactions Reporting Office (STRO).

COSMIC will initially focus on three key risks which MAS and the Commercial Affairs Department (CAD) have identified, based on their observed cases relating to criminal networks. These are areas which we have judged to benefit most from information sharing between FIs at scale, and which are also high on Singapore's priority list of risks, as identified through our continued risk surveillance.

The first risk area is the misuse of legal persons, for example, the abuse of shell companies. The ease of setting up a company and opening a corporate bank account supports the development of local enterprises and makes Singapore an attractive commercial centre. But we do not want criminals to take advantage of this convenience to commit financial crime, by using legal persons such as shell companies to launder monies. The misuse of legal persons to launder illicit proceeds and layer funds is also a concern related to international financial crime.

The second risk area is trade-based money laundering. This is the use of financing related to trade for illicit purposes. As Singapore is a global commercial and trading hub, many companies here actively participate in and facilitate regional and global trade. Our FIs provide key services that enable such activity. However, criminals can use trade as a disguise to transfer their illicit monies across borders undetected, for example, using fraudulent trade documents. Suppliers and customers featured in a trade payment could be controlled by the same nefarious company that is trying to launder illicit funds under the guise of genuine businesses. Mitigating trade-based money laundering is important to protect the trust in our FIs and companies, and to also protect legitimate trade flows.

The third and last risk area is proliferation financing and the evasion of international sanctions. Singapore's deep financial and trade linkages expose our FIs and companies to this risk. As a responsible member of the global community, Singapore must act strongly against the financing of such activity.

As information sharing under COSMIC is a new paradigm in the fight against financial crime, MAS plans to introduce COSMIC in phases.

MAS will prescribe the FIs that will participate in COSMIC. In the first phase, MAS will make COSMIC available to the six major Singapore banks which it is already co-developing the platform with. They are DBS, OCBC, UOB, SCB, Citibank and HSBC. This sharing of information between MAS and these six banks will be voluntary in this first phase. This allows the COSMIC platform to achieve operational stability, and also enables MAS to closely engage participant FIs to calibrate COSMIC's features and address operational concerns. Subsequently, MAS plans to expand COSMIC's coverage to more focus areas and FIs, and make sharing mandatory in higher-risk circumstances.

Madam, let me now explain in more detail how the Bill will allow participant FIs to warn one another of potential criminal behaviour, while safeguarding the interests of the vast majority who are legitimate customers. I will first elaborate on the scope of information sharing permitted on COSMIC, including the three modes and the objective thresholds for sharing. I will also share about the safeguards in place to protect legitimate customers from being adversely impacted by such sharing, and also how data shared on COSMIC will be protected.

I earlier mentioned that participant FIs may use COSMIC to share customer information with one another only for detecting or preventing financial crimes, if these customers exhibit multiple "red flags" that indicate potential financial crime concerns and if the stipulated thresholds are met. The Bill will set out how this information may be shared, and the types of cases that are serious enough to warrant such sharing.

There are three modes under the Bill in which information may be shared via COSMIC. They relate to: one, a participant FI requesting information from another participant; two, a participant FI proactively providing information to another; and three, a participant FI placing the customer on a watchlist to alert other participant FIs. An objective threshold needs to be crossed before information can be shared using any of the three modes. Which mode is to be used is largely guided by the extent of a customer's "red flag" behaviours. The thresholds are progressively higher for Request, Provide and then, finally, Alert.

To establish an objective standard for when information may be shared under each of these three modes of sharing, MAS will issue a directive to participant FIs detailing the threshold criteria for each of them and the list of "red flags" associated with each threshold. The "red flags" will correspond to known criminal profiles and behaviours for key financial crime risks. For example, where transaction activities are inconsistent with the business profile of the company and cannot be explained, or if there are clear discrepancies in supporting documents that also cannot be explained.

Further, only multiple "red flags" may trigger information sharing on COSMIC. This sets an objective and reasonably high threshold to ensure that COSMIC is used only for cases of significant concern and safeguards against frivolous requests that could unnecessarily expose customer risk information. However, the thresholds, details and permutations of the "red flags" must be kept strictly confidential among only the participant FIs, to prevent criminals from circumventing them.

Madam, the "red flags" and thresholds are intended to ensure that sharing is purposeful and strictly restricted to cases of high financial crime concern. For most customers, no "red flag" indicators will be triggered. For these customers, I wish to reiterate that participant FIs will not be permitted to share customer's information. In fact, COSMIC is intended to help identify and weed out nefarious companies more effectively, so that legitimate customers can operate in a trusted environment.

Lastly, to ensure that we do not unduly impede legitimate sharing aimed at safeguarding our financial system, the Bill will also afford protection to participant FIs from civil suits. Specifically, they will be granted immunity from liability for any loss arising out of the disclosure on COSMIC, or any act or omission in consequence of the disclosure, if the disclosure was done in accordance with the legal framework, with reasonable care and in good faith. This will provide participant FIs with confidence that legitimate information sharing to highlight higher risk customers and their related activities will not unduly expose them to legal challenge, which may even be brought by the very actors that COSMIC seeks to guard against.

Notwithstanding, I would like to address possible situations where legitimate customers are inadvertently associated with bad actors. For example, a company could end up unknowingly trading with an illicit counterparty and hence, be subject to a participant FI's scrutiny.

There are safeguards in place to protect legitimate customers. Participant FIs should first assess if there are valid reasons for the customer's behaviour or profile, before sharing information on COSMIC. As part of the bank's risk assessment, banks are also expected to reach out to customers to allow them, to give them the opportunity to address the bank's risk concerns and to explain unusual behaviours observed. Bank customers are thus strongly encouraged to be forthcoming and respond promptly to their bank's due diligence queries. This will ensure that customers have a chance to explain and that legitimate customers are not inadvertently adversely impacted by sharing on COSMIC.

In addition, even after information has been shared on COSMIC, FIs must make an independent risk assessment of a customer. An FI should not rely solely on the information received from COSMIC to terminate a customer relationship, including the fact that a customer has been placed on the "watchlist". More broadly, MAS will require participant FIs to ensure accuracy and completeness of the information shared on COSMIC and to correct any errors or omissions, especially if a customer has provided further clarifications to address earlier financial crime concerns.

MAS will closely monitor how participant FIs use COSMIC information in cases where they had exited customer relationships, to ensure that customers are given opportunities to address the concerns of FIs.

Let me now move on to safeguards on the use of and access to information disclosed on COSMIC. As the owner of the COSMIC platform, MAS will ensure that COSMIC information is exchanged and stored securely. The platform will have robust controls, including cybersecurity measures, such as data encryption and firewalls to block unauthorised external access. It will also have strict user access limitations. These controls will be subject to periodic audits to ensure their efficacy.

When information is passed to participant FIs, participant FIs will not be allowed to disclose information obtained from COSMIC to a third party, except in tightly circumscribed and specified circumstances, such as for compliance with Court orders or requests from Police to facilitate investigations.

Additionally, the Bill will empower MAS to require participant FIs to maintain strong information cybersecurity measures for COSMIC data. This includes requirements to have systems and processes in place to prevent unauthorised use or disclosure of information obtained from COSMIC, and robust cybersecurity and encryption measures to safeguard information obtained from COSMIC.

MAS will be able to inspect participants' adherence to these measures and will not hesitate to take firm action if they uncover any breach.

Apart from participant FIs, MAS will have access to all information shared on the platform. This is necessary for MAS to monitor if participant FIs are using COSMIC appropriately, and will also support MAS' broader supervisory and surveillance role to ensure that FIs have robust defences against financial crime. STRO, which analyses and disseminates financial intelligence to law enforcement and regulatory agencies, will also be able to view and use COSMIC information to support the prevention and detection of financial crime.

Mdm Deputy Speaker, in conclusion, by addressing an information sharing gap, the Bill will enable FIs and MAS to respond quickly to potential financial crime activity within the financial system. In parallel, adequate safeguards will be put in place to protect confidentiality of the information shared. This will strengthen Singapore's role and reputation as a safe, trusted and innovative global financial centre. Madam, I beg to move.

Question proposed.

Mdm Deputy Speaker: Mr Derrick Goh.

2.01 pm

Mr Derrick Goh (Nee Soon): Mdm Deputy Speaker, Singapore must uphold its status as a trusted global financial centre, as criminal networks leverage on the dynamic financial and technological landscape to commit more sophisticated commercial crimes, like in the areas of ML, TF and PF. While our defences against ML/TF/PF have strengthened over the years, MAS must continue in its commitment to refresh traditional policies, as we cannot combat new criminal typologies with old methods.

A notable way in which ML/TF/PF crimes are perpetrated is by creating a web of individual accounts or through accounts of shell companies opened across different FIs to facilitate illicit fund flows. This capitalises on the limited ability of FIs to share and piece information together, in part due to the FIs' compliance with well-intentioned client confidentiality obligations as well as banking secrecy regulations.

We need to overcome this, and I believe the new digital COSMIC platform paves the way forward for stronger public-private partnerships, for authorities and FIs to assess risks more holistically and disrupt financial crime more effectively.

That said, I would like to seek some clarifications on this Bill and will start with COSMIC's coverage and implementation.

While we welcome the inclusion of six major banks as a start, can the Minister clarify the expected effectiveness of COSMIC? For example, assuming COSMIC had been rolled out in the past year, how many more material cases of ML/TF/PF would be detected in this back test? I ask, as this would enable a clearer understanding of COSMIC's effectiveness with the six banks participating at onset, and to calibrate how fast it should scale to achieve a meaningful impact.

Relevant to this, I understand that the initial phase is planned to be approximately two years starting from second half of 2024, during which information is shared by the six banks only on a voluntary basis as the Minister had mentioned. Considering that innovations in financial crime are rapidly evolving, it is crucial for COSMIC's implementation to be swift and effective. To this end, can the Minister explain how MAS will review and shorten this period, including mandating information sharing earlier if the platform proves to be stable and effective?

Digital financial services are also developing very, very quickly and as compared with traditional banks, regulations in this space are still maturing, which could encourage their usage as vectors for crime. Against this backdrop, can the Minister elaborate on the plans for COSMIC to include fintech, payments and other virtual asset service providers?

Clause 28G of the Bill states that MAS will be issuing threshold criteria and high-risk indicators to participating FIs, which when met, mandates FIs to request, provide and publish risk information on COSMIC, under clauses 28D to F respectively. The criteria are confidential to avoid circumvention by bad actors.

Understandably, risk processes vary across sub-sectors and the different FIs have different risk appetites, some of which may be more conservative than COSMIC's. As COSMIC scales, can the Minister explain if FIs are able to leverage on COSMIC's information to meet their tighter risk standards than the required baseline, as stipulated in COSMIC's implementation?

Also, as we discuss this Bill, the exponential increase in scam cases comes to mind as was discussed in the earlier Bill, just a while ago. Typically, scam proceeds are swiftly dissipated across different local and foreign bank accounts as part of a broad and organised money laundering network, which makes it challenging for authorities to trace and recover assets. Close to S$1.3 billion have been lost to scams over the last two years, despite the best efforts of authorities and private sector entities. Given significant impact, can the Minister clarify if and how COSMIC can help to stem this facilitation of scams?

Madam, I will now turn to cybersecurity risks and data confidentiality. With financial intelligence on companies, individuals and their related parties shared on a larger database used by multiple FIs and authorities, I am glad that the Bill has factored safeguards to ensure cybersecurity and data confidentiality.

Regarding cybersecurity, COSMIC is required to comply with the Government's security standards and have features like user authentication and data encryption. FIs must also implement controls to complement MAS' efforts in preventing information security breaches. For clearer accountability, can the Minister clarify the roles and responsibilities of the participating FI who provides the information, vis-à-vis MAS as the owner of the COSMIC platform, in the unfortunate event of a cybersecurity incident or breach?

As participating members, the effectiveness of each FI's controls will be crucial to uphold the security of the entire network. To this end, can the Minister share if there will be periodic reviews or audits conducted by MAS on the robustness of FI controls relevant to COSMIC?

Regarding data confidentiality, MAS has clarified that within the Government, only authorised officers from MAS and the Suspicious Transactions Reporting Office in the CAD will be able to directly access and use information from COSMIC. Clause 28K of the Bill sets out conditions for onward disclosure of information and Clause 28I accords statutory protection for FIs against civil liabilities. Further to the provisions, can the Minister clarify if MAS or CAD may use information in COSMIC to assess, and/or subsequently, penalise a participating FI for any ML/TF/PF control lapse?

Madam, in concluding, I am reminded of the parable of the blind men and an elephant, where each feels a different part of an animal, resulting in limited and inaccurate perspectives of what the animal is really like. It is only through the sharing of experiences by everyone that a clearer picture is formed.

COSMIC can indeed help us piece together the clearer picture of financial crimes. Greater collaboration between FIs and authorities is fostered, so that as sophisticated as criminal operations may be, they can be quickly unravelled and have fewer places to hide. This will further strengthen the oversight of Singapore's reputation as a global financial centre. Madam, I support the Bill.

Mdm Deputy Speaker: Mr Leon Perera.

2.09 pm

Mr Leon Perera (Aljunied): Mdm Deputy Speaker, the Financial Services and Markets (Amendment) Bill before the House today fills a gap in our current regulatory ecosystem.

Over the years, MAS has closely supervised and worked with FIs to strengthen Singapore's defences to prevent ML/TF/PF. However, a weakness in the effective detection of illicit financial flows lies in the inability of FIs to alert one another to unusual activity in their customers' accounts. Financial criminals exploit these "information silos" by making illicit transactions through a web of accounts in different FIs and moving from one FI to another to avoid detection. This Bill seeks to remedy that weakness.

To address this gap, MAS plans to establish and maintain a secure digital platform for FIs called COSMIC to share information on customers that exhibit multiple "red flags" indicative of potential illicit activities with one another. This platform will enable FIs to conduct sharper analysis of customer behaviours and activities to detect potential illicit activities more promptly and warn each other of such activities.

Mdm Deputy Speaker, I support the Bill and my speech will contain certain clarifications and suggestions for the implementation of the provisions of this Bill.

Firstly, Madam, the six major commercial banks that are selected to be involved in the initial stage of COSMIC are DBS, OCBC, UOB, SCB, Citibank and HSBC.

While starting with these banks with the largest local network might make sense, they are also the banks with the least to lose in turning down customers and are likely to have the most resources to pursue and file STRs or perform deep dives into customer networks and relationships.

In comparison, it is the smaller offshore and private banks that would, perhaps, benefit more from such a network of information sharing and provide the most insight. And to exemplify this, MAS withdrew the merchant banking license of one such FI, Falcon Private Bank Ltd, in 2016, as well as another BSI Bank. In 2021, MAS fined a Singapore branch of another such FI, Bank J Safra Sarasin Ltd, for Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) compliance lapses.

These banks are also the ones which would, in my opinion, likely face the most pushback from customers and special purpose vehicles set up to obfuscate identities when it comes to asking Know Your Client (KYC) questions.

Adding a select group of such smaller offshore private banks into the start-up group of FIs for COSMIC would be advisable. I encourage the Government to consider doing this as soon as practicable. After all, in its response to the consultation with FIs, MAS said that the initial phase would last as long as two years, which is a fairly long time.

While details will eventually be forthcoming, one concern – and I move on to my second point – is how prescriptive the subsidiary legislation from MAS will be. Clear and prescriptive regulations would minimise confusion amongst participant banks over what specifically might constitute grounds for submission of information to COSMIC.

The revised section 28E of the Bill makes clear under what conditions a FI may make disclosures to another FI in respect of a suspicious transaction, but does not seem to be as clearly prescriptive as to under what circumstances an FI is obligated, or expected, or required to report such information to another FI. Would there be any change in this regard?

The actual framework of predetermined "red flags" will need to be comprehensive yet flexible enough. Presumably this will be fleshed out in subsidiary regulations.

Otherwise, MAS and/or the STRO could become inundated with questions over whether such and such a transaction should be submitted to COSMIC, to which the reply might be that banks should conduct their own assessment and submit the information if deemed appropriate.

In other words, Mdm Deputy Speaker, sufficiently clear and prescriptive guidelines on what constitutes a transaction that should be submitted to another FI via COSMIC would be critical to prevent confusion and the possible over-submission of information.

Hence, I would urge MAS to issue these guidelines expeditiously and review these regularly in consultation with the FI community.

In relation to this particular point, the MAS, in its response to the consultation with FIs, said: "Information sharing on COSMIC will be done via a structured data template that will be made available to all participant FIs. This will include fields for information relating to the customer including identifying information of the customer and the beneficial owners and authorised signatories of the customer, details of the transactions in question, the "red flag" behaviour exhibited and the risk analysis that is relevant to the customer relationship."

I trust these templates, going forward in subsequent iterations, will be sufficiently granular to address the point that I have made.

Moving on to my third point, Mdm Deputy Speaker, the primary intent of this Bill is to enable information sharing between FIs on suspicious activity. However, paragraph 13.4 under MAS Notice 626 already gives FIs the power to share customer information with third parties without obtaining customer consent, if it is in relation to AML/CFT issues.

This paragraph reads: "13.4 For the purposes of complying with this Notice, a bank may, whether directly or through a third party, collect, use and disclose personal data of an individual customer, an individual beneficiary of a life insurance policy, an individual appointed to act on behalf of a customer, an individual connected party of a customer or an individual beneficial owner of a customer, without the respective individual's consent."

Thus, it would be helpful if the Government could clarify just how this provision in MAS Notice 626 would interact with the provisions of this new Bill and COSMIC.

For example, can FIs share information about suspicious transactions or clients bilaterally, as it were, without reference to the COSMIC platform but taking reference instead from this provision in MAS Notice 626? Or should all such information sharing henceforth be channelled through COSMIC and be transacted under the provisions of this Bill?

My fourth point. According to the Bill, information sharing will only be permitted if the customer's behaviour or transaction activities exhibit predetermined "red flags" that cross stipulated thresholds, suggesting that potential financial crime could be taking place.

The wording in the Bill seems to suggest that these thresholds are static thresholds without the element for dynamic adjustment, which is at odds with the global environment's dynamic pace.

Hence, I would like to ask the Government: firstly, how often will these thresholds be reviewed to determine if these thresholds have been set to effectively identify illicit financial flows? And secondly, how will these thresholds be benchmarked against global standards for illegal financial flows?

Next, Mdm Deputy Speaker, COSMIC is, at its heart, an online system where the key players are interacting in cyberspace. However, highly confidential financial information is being shared on this system. Should the system, or some, or all of the information that it contains fall prey to bad actors, or if COSMIC is compromised, the outcome may be extremely harmful for FIs, their customers and for Singapore reputationally.

Thus, a key concern is how COSMIC will be secured. Who will be responsible for the integrity of the system? Would it be a special team at MAS or would this be outsourced to another Government agency or private company, and if so, which one?

In conclusion, Mdm Deputy Speaker, the Bill before us marks a significant step in enabling FIs to share information on suspicious patterns of behaviour with respect to anti-ML/TF/PF goals. The new system, thus created, will need to rest on clear regulatory guidelines, be frequently reviewed amidst a dynamic global financial services and financial crime environment, as well as powerful cybersecurity defences.

Mdm Deputy Speaker: Mr Murali Pillai.

2.17 pm

Mr Murali Pillai: Mdm Deputy Speaker, as I understand, the primary motivation of the Bill is to provide a framework to share customer information between FIs in Singapore, through a secure digital platform known as COSMIC, to better combat the scourge of financial crime.

I support this aim. With the growing sophistication of criminals engaged in financial crime who take advantage of information asymmetry between FIs, enforcement agencies and regulators within a global ecosystem, there is a case to require enhanced cooperation between FIs, even if they may be business competitors. In return, the FIs are immunised against civil liability for sharing information amongst them.

The basic idea is that, with the pooling of information between FIs, there is a better chance to know the nature of the beast that the FIs are dealing with. I do not think there is any quarrel with the basic premise of the Bill.

Like the hon Member Mr Derrick Goh who spoke before me, this too brings to my mind the famous Indian folktale of the six blind men and the elephant. This story must have made an impact in our childhood. Each of them touched a different part of the animal and came with a completely different assessment of how the elephant looked like. They later learnt though, that when they put together all the information that they have separately gleaned, only then did they know the truth of the matter.

The points I will be raising in my speech are focused on trying to better understand the mechanics of the proposed framework and how they can be reconciled against the stated aim of the Bill.

Everyone wants to know the final shape of the beast, but what incentives are there for people who own each individual part to take the time and trouble to give up his piece and see where and how it fits?

I will cover just two areas. First, operational issues; and second, enforcement issues.

On operational issues, I seek clarification on the important timing issue between the requesting FI and the disclosing FI. This addresses the question, "Do you have a piece?"

I note that under the proposed section 28D of the Bill, the disclosing FI has a discretion whether to disclose to the requesting FI the risk information that is being sought for. In the event the discloser declines to disclose the risk information, it must notify the requester of its decision and the reasons for the same. There is no specific timeline specified for the discloser to reply to the requester through COSMIC. This is understandable as the time needed may be case specific.

On the other hand, there should be a general understanding between FIs that requests for information should be dealt with urgency, so that there is a chance to catch up with the suspected criminals.

In the banking world, with transactions being completed in a matter of microseconds, speed of response is of utmost important. May I please ask what stipulations will be imposed on prescribed FIs in this regard? Can we ask, for example, for guidelines – what is a reasonable time to respond?

I would also like to understand whether the framework will allow for redress against FIs, which are objectively assessed to be too conservative or even obstructive, in rejecting requests for risk information. Such attitudes will undermine the aim of the Bill. May I ask what can be done in these circumstances to deal with such eventualities? How do we assess when a specific FI is being unduly dismissive of a request which should have been taken more seriously?

In this regard, I note that it is proposed that MAS be given the power to issue notices, of a general or specific nature, to FIs for the effective administration of the information sharing framework. Is it contemplated that this issue I raised will be dealt with through enforcement action permitted under the MAS notices?

There is, in addition, a connected issue of parity on the part of FIs. Currently, the six major commercial banks chosen to join COSMIC all have strong AML/CFT capabilities. They invest substantial amounts of money in compliance systems that will allow the banks to monitor real-time transactions and analyse them against a treasure trove of databases to flag suspicious activities. They also make significant investments into the training of compliance officers to act as competent gatekeepers for the respective banks.

Going forward, should MAS decide to expand the list to include more FIs, what would be the considerations to ensure that FIs which have less compliance capabilities and capacities do not unfairly leverage off FIs which do?

I see this as a potential double-edged sword. On one hand, I would imagine that, at least theoretically, the bigger the number of FIs which can join COSMIC, the better protection we get from ML/TF/PF activities. On the other hand, by prescribing entry requirements, there is a possibility that the smaller FIs may be less motivated to make investments to qualify.

One possible option is to make it compulsory for all FIs licensed in Singapore to eventually have a minimum level of compliance competencies so that they all meet the entry requirements. This will eliminate the moral hazard I am concerned about, but I am not sure if this is practicable.

The middle ground option would be to employ the 80-20 rule and just focus on banks of a certain size and above. However, this will be a dog whistle for the criminals to use smaller banks. I would be grateful for the hon Minister of State's views on this matter.

The next operational issue I wish to touch on is the proposed ability on the part of a prescribed FI to, on its own motion, disclose risk information to another prescribed FI in certain circumstances as provided for under section 28E in the Bill.

I support this move. It makes the information-sharing platform much more effective. That is, what do you do if you suspect someone else has a piece?

To depend on only the requesting FIs to initiate the information-sharing process assumes that the requestors will be able to identify "red flags". This may not be always the case. In all likelihood, there will continue to be blind spots in form of Donald Rumsfeld's "unknown unknowns" or going back to the parable of the blind men and the elephant. Allowing FIs possessing the risk information to proactively share it with the relevant FIs, even without initiation by the latter, addresses this problem.

I note that the operative word here is "may". FIs "may" proactively share information. The question I have is what structural incentives or disincentives can be provided to the FIs so that they can be motivated to be proactive. Would this be dealt with under the proposed MAS Notice?

I now turn to the area of enforcement against FIs to ensure compliance with the information-sharing framework. I have two specific questions in this area.

First, it is proposed that under section 28J in the Bill that a prescribed FI or its officers who knowingly or recklessly discloses, or publishes any risk information pertaining to a customer of the bank that is false or misleading in a material particular.

I support the need to create this offence. There are serious repercussions for the customer if the FI gets it wrong. The hon Minister of State acknowledged this in his speech. The customer will be denied access to their bank accounts and probably would be subject of STRs that may trigger investigations by enforcement authorities.

I would like to know why it is not proposed that FIs which are negligent in making such disclosures to other FIs not guilty of offences.

I would like to point out that under section 176(1) of the Financial Services and Markets Act, it is an offence for a person to provide false information to the MAS without exercising reasonable care to ensure that the information is not false or misleading in any material particular. This is the same for other statutes that MAS enforces, such as the Banking Act 1970 (BA) or the Financial Advisers Act. It is consistently provided that a person who negligently provided false information to the MAS is guilty of an offence.

These provisions were enacted with the current paradigm of information flow in mind, that is, as between the FI and MAS. The proposed information-sharing framework between FIs changes the paradigm. I am struggling to understand why in the new paradigm, we are allowing for a lower standard of probity on the part of the FIs when, in fact, the repercussion on the customer is substantially the same.

In fact, I note that under the proposed section 28L in the Bill, MAS is not only entitled to a copy of the risk information that was shared by an FI to another FI, but can also act on it. If that is the case, why is it proposed that the consequence for negligently providing false information to MAS be dealt with differently from negligently providing false information to another FI? I would be grateful for the hon Minister of State's clarification on this.

Under the proposed provisions, it seems that anyone may falsely describe to another the piece he has without consequence if it is attributable to lack of diligence on his part.

Next, I would like to suggest that the proposed offences against FIs under the information-sharing framework be considered for listing in the Sixth Schedule of the Criminal Procedure Code (CPC) under the Minister's powers provided for under section 427(1) of the CPC.

Madam, the Sixth Schedule lists offences in respect of which deferred prosecution agreements (DPAs) may be entered into between the Public Prosecutor and a subject. The entering into DPAs in lieu of prosecution provides the Public Prosecutor with an important tool to deal with corporate offending without affecting innocent stakeholders such as shareholders. Typically, DPAs provide for detailed remediation on the part of the corporate offender, so as to ensure that proper systems are in place to prevent re-offending. This may, in certain situations, serve public interest better.

Currently, the Sixth Schedule consists of a good number of offences in the AML/CFT arena, particularly the offences under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 and section 16(4) of the Financial Services and Markets Act 2022.

Given that the proposed offences under the Bill also involve the same subject matter, I believe there is a case for including these offences into the Sixth Schedule.

Mdm Deputy Speaker, it is a public good for us to see the shape of the beast when it is financing great evil in the world. But the difficulty is that the private entities have always had little incentive to produce public good. The current Bill offers some ways for us to harness FIs to this end, and I hope my proposals will not just help us gather more pieces of the puzzle, but ensure that they fit in the right places as well.

Mdm Deputy Speaker: Mr Louis Ng.

2.29 pm

Mr Louis Ng Kok Kwang: Madam, this Bill will establish the COSMIC digital platform for FIs to share information about their customers whose information contains "red flags" relating to economic crime. This makes it harder for criminals to use transfers across multiple FIs to avoid detection.

Despite the difficult economic climate, I am glad that Singapore remains an attractive financial centre, with increased fund inflows from an increase in the number of family offices from 400 in 2020, to over 700. As our transactions and assets increase, our ability to supervise these transactions must also improve.

I support this Bill as this will let us take the lead in detecting and preventing financial crime, strengthening Singapore's position as a major financial hub.

I have three points to make.

My first point is on using COSMIC to tackle illegal wildlife trade. In my speech on the Endangered Species (Import and Export) (Amendment) Bill, I highlighted how there is evidence suggesting that Singapore is a critical nexus in the illegal wildlife trade.

In the past decade, we have seized illegal shipments of animal parts worth hundreds of millions of dollars. Elephants, rhinoceroses, pangolins – these are just a few animals whose dead, dissected bodies are smuggled through Singapore. In April 2019, we broke the record by finding 12.9 tonnes of pangolin scales being smuggled in a shipment from Nigeria. This was worth over $50 million and cost the lives of over 17,000 pangolins. Just a week later, we seized another 12.7 tonnes of pangolin scales. Three months after that, we seized a shipment of 8.8 tonnes of ivory, estimated to come from nearly 300 African elephants. In October 2020, the National Parks Board (NParks) seized 34 kilogrammes of rhinoceros horns from a man travelling from South Africa to Laos through Singapore. This is the largest seizure of rhinoceros horns to-date.

Such seizures are just the tip of the iceberg. Smugglers have found ways to circumvent our border security and bring these animals and their body parts onto our soil.

When you look at the size and value of animal part seizures at our borders, we are talking about operations that must, by logic, involve financing, coordinating and operations on a large, organised scale. A $50 million shipment of pangolin scales is not the work of isolated individuals. These criminals have the know-how to avoid and evade detection through complicated transactions. This is why we need a platform like this.

As MAS develops this platform, will MAS consider including in the scope of the "red flags" identified to those associated with wildlife crime? Will MAS also work with investigators of wildlife crime to ensure COSMIC data is used to both identify perpetrators as well as help banks do so?

By making this data available for stakeholders tackling wildlife crime, our financial sector will be able to play an important part in battling this illegal wildlife trade.

The Financial Action Task Force (FATF) has flagged the illegal wildlife trade as a major transnational organised crime. It is a perfect candidate for the powers under this Bill and I hope MAS will take this into consideration as we develop this platform further.

My second point is about the policing of privacy regulations. This legislation does a good job balancing the goal of reducing economic crime with the concern of privacy. Banks obtaining information via COSMIC will only be able to share it in certain circumstances with a limited set of people, even within their own organisation. Cybersecurity measures must also be in place to protect the information.

But how will MAS ensure that banks hold themselves up to these standards? If a bank officer forwards it to a colleague who should not have access to the information, how will MAS find out? Will there be data audits to track the flow of COSMIC information within and out of banks? Information obtained from COSMIC will be highly sensitive and improper circulation may have serious implications for those targeted. MAS must ensure banks protect the information properly.

My third and final point is on how COSMIC data will be processed. Having aggregated data from multiple FIs like this is a valuable resource with great potential. MAS has stated that the STRO will have access to data from COSMIC for its analysis. Can the Minister clarify whether there are further plans to provide other Government agencies or FIs access to the COSMIC data?

On one hand, this data could be mined to gain valuable insights about suspicious activity. This could even be shared internationally to strengthen enforcement globally. On the other hand, the processing of such data must be carefully governed. It must not be done in a way that might breach confidentiality. It should not be analysed by banks for commercial business purposes.

Since this relates to allegations of criminal conduct, machine learning or artificial intelligence models analysing the data must also be carefully managed to avoid any bias. If there are plans to share COSMIC data with other entities, can the Minister share what safeguards are in place? Madam, notwithstanding these clarifications, I stand in support of the Bill.

Mdm Deputy Speaker: Mr Don Wee.

2.35 pm

Mr Don Wee (Chua Chu Kang): Mdm Deputy Speaker, I declare that I am working with a Singaporean bank but I am not performing compliance nor revenue generating functions. I support the Bill, but I have few points to clarify with the Minister.

Will this new Bill override the regulations stated in the Banking Secrecy Act and the Personal Data Protection Act 2012 (PDPA) so that these six banks can share information with one another?

What are the job roles within these six banks which are authorised to access such information? Assuming the bank's compliance officer is authorised to retrieve the information shared by another bank, is there a Chinese wall that prevents the information from being shared with the salespeople?

How does MAS prevent these banks from abusing the information obtained from their competitors?

All banks are required to participate in the Credit Bureau, which is the central repository of credit information for individuals and businesses in Singapore. It collects and maintains credit-related data, such as credit accounts, repayment records and bankruptcy information from all banks that are licensed by MAS.

This centralised system allows lenders to access a borrower's credit history from a single source rather than having to collect the information themselves. This helps to reduce the risk of lending and makes the lending process more efficient.

Along the same vein, why can MAS not request all banks, especially private banks, to subscribe to COSMIC? Will people with ill-intent not bank with the other FIs which do not subscribe to COSMIC so as to circumvent detection? How are the thresholds being determined and what are the "red flags" and transactions that will be flagged?

Many international trade transactions are settled in United States (US) dollars and the bulk of US dollar remittances are cleared through US banks like JP Morgan, Wells Fargo and Bank of New York. I urge MAS to include Singaporean branches of the abovementioned US banks to participate in COSMIC.

How does MAS intend to synergise the information that it collects via COSMIC with the STR that these six banks file with the STRO so as to strengthen the risk monitoring of the financial sector?

Will the enhanced intelligence be shared with other Government agencies, such as the Singapore Police Force and the Attorney-General's Chambers, to investigate and prosecute money laundering and terrorism financing cases?

How much does it cost to set up COSMIC and is MAS funding the development of this system? Do the participating banks need to pay a subscription fee or transaction fee?

Singapore's position as a finance and business hub is strengthened after COVID-19 and we are seeing a record number of family offices and high net-worth individuals transferring their assets to Singapore. It is important for MAS to share about the risks and implications of money laundering and terrorism financing with their bankers and fund managers. This could include the development of tailored training programmes and seminars, as well as the dissemination of information and guidance materials to promote greater awareness and understanding of these issues, which may implicate Singapore's reputation.

Mdm Deputy Speaker: Mr Yip Hon Weng.

2.38 pm

Mr Yip Hon Weng (Yio Chu Kang): Mdm Deputy Speaker, this Bill is an important piece of legislation. It seeks to safeguard Singapore's status as a key financial centre and node for transactions.

The finance industry today is turbocharged by technology. Money shifts electronically across borders in seconds. This facilitates business and trade, but at the same time, it gives rise to vulnerabilities for easy funding of illicit activities. We must be careful not to sully our hub status by allowing cases of ML/TF/PF to take place.

I would like to raise some clarifications on the Bill.

First, Mdm Deputy Speaker, what are the benefits for banks to join COSMIC? Considering that it is voluntary to participate, what would incentivise banks to do so? After all, client confidentiality is paramount for most banks, especially larger ones that rely on customer loyalty. Many would be concerned with information sharing with affiliates of the participating banks outside Singapore.

Moreover, it is worth noting that certain banks are alleged to have been involved in scandals related to the very transgressions this Bill seeks to remedy. As such, why would they choose to come forward on their own accord and potentially put their business at risk?

Also, given that banks will still have to conduct the usual KYC checks and continue to report suspicious transactions, this new platform, in some way, may overlap with what is already in the market.

Additionally, laws against ML/TF/PF already exist. As such, how will this Bill enhance these efforts?

Banks using COSMIC may also question the source of the information. For example, there may be queries on what information did the reporting banks base their report on? What is or is not good information can also be quite subjective. Some banks may take the view that they should report everything even remotely suspicious.

There may also be unintended consequences of using COSMIC. For instance, clients, potential clients or third parties may even be able to work out which of the banks have stricter or more relaxed ML/TF/PF policies since everyone will eventually be working off the same set of information on COSMIC.

Second, what happens after the discovery of irregularities? If banks share information about transactions suspected of being involved in ML/TF/PF activities, will the transactions be further investigated? Consequently, will the investigations impact other transactions?

There may also be liability issues in instances where one bank acted wrongly or inaccurately, based on information provided by another bank. Would MAS or another agency be double checking the veracity of the information?

Although banks are protected against civil suits, does the Bill grant them immunity from clients for the breach of confidentiality, particularly if the suspicion of illicit transactions is later proven to be unfounded? Likewise, are banks immune from litigation by MAS if their transactions are investigated?

Third, the fact alone that ML/TF/PF activities are often cross-border in nature poses a significant challenge to the feasibility of the framework. As these activities tend to involve multiple banks or branches overseas, how does this Bill aid in this aspect, in getting overseas branches to share information?

Fourth, what are the triggers for information sharing? The Bill states that information sharing will only be permitted if the customer's behaviour or transaction activities exhibit predetermined "red flags" that cross stipulated thresholds, suggesting that potential financial crime could be taking place. Will the predetermined "red flags" and thresholds be listed? What are the safeguards in place to ensure that information is not shared too easily?

In conclusion, Mdm Deputy Speaker, I am heartened that the Bill is forward-looking. Specifically, it provides the necessary groundwork for the Act to include not just banks incorporated in Singapore. It is important that we have a comprehensive and consistent approach to combat financial crime across all FIs operating in Singapore. I support the Bill.

Mdm Deputy Speaker: Minister of State Alvin Tan.

2.43 pm

Mr Alvin Tan: Mdm Deputy Speaker, I thank Members of the House who have shared their views on the Bill and for their support of its introduction. Members' comments and queries can be categorised into a few themes and I will address them in turn.

First, on COSMIC's scope.

Mr Derrick Goh asked how COSMIC will be used to address scams. The scam threat is complex and ever-evolving. This is why the Singapore Government has partnered the industry and is taking a multi-pronged approach to combat the threat of scams.

The Singapore Police Force's Anti-Scam Command collaborates with a network of more than 80 stakeholders, comprising FIs, fintechs, telecommunication companies and online marketplaces, to swiftly freeze bank accounts suspected of scams, recover funds and mitigate losses suffered by victims.

COSMIC is not intended to duplicate or replicate the good work done by the Anti-Scam Command. That said, one of the key financial crime risks that COSMIC will initially focus on is the misuse of legal persons, such as shell companies, which I mentioned in my speech.

Scam syndicates may use shell companies to receive victims' money directly or as a conduit to layer and launder their criminal proceeds. For example, late last year, a Singaporean man was sentenced to six weeks' imprisonment and disqualified from being a director for five years, for assisting to set up four companies that were used to receive scam proceeds from multiple local and overseas victims. COSMIC will enable FIs to share relevant financial crime concerns on such suspicious accounts and transactions relating to shell companies with one another, if the thresholds are met. This is so that the FIs can take the necessary mitigation measures and alert the authorities.

Mr Louis Ng had asked if the scope of COSMIC will be expanded to other risk areas, including wildlife crime and I know we talked about elephants, rhinoceroses and pangolins. However, in the initial phase, COSMIC will focus on the three risk areas I mentioned, which have been identified for prioritisation through our continued risk surveillance. Keeping this focus would also allow participant FIs adequate time to familiarise themselves with this new information-sharing paradigm. Thereafter, MAS will consider expanding COSMIC's scope to other key risks.

Mr Derrick Goh asked if COSMIC may be less effective at the start with only six banks as its initial participants. Mr Goh also asked about plans to include fintech and other digital payment firms on COSMIC. Mr Leon Perera asked about the inclusion of smaller offshore and private banks in the initial phase of COSMIC, given their potential exposure to financial crime risks. Mr Murali Pillai noted that as COSMIC expands to include more FIs, FIs that have lower compliance capabilities and capacities may unfairly leverage off FIs which do. Mr Don Wee also asked if criminals may use FIs that are not on COSMIC to circumvent detection. Please allow me to answer these questions together.

I mentioned that COSMIC will initially focus on the misuse of legal persons as well as trade-based ML and proliferation financing. These risks manifest themselves in the commercial and small- and medium-sized enterprises banking space, of which the initial six participant banks have significant market share. Fintech and digital payment firms are not currently operating at quite the same scale. However, as I mentioned in my speech, MAS will consider expanding the scope of COSMIC to more banks and other FIs in other or future phases. Ahead of this, MAS will continue to work with the industry to improve their capabilities, including using data analytics, to enable their potential participation in COSMIC. MAS will closely monitor the potential risk migration to FIs not yet on COSMIC – so, outside of these six banks – and will take preventive or supervisory measures as necessary.

On Mr Goh's question as to whether any back-testing has been done on past cases that COSMIC could have detected, MAS had, indeed, conducted back-testing of potential ML/TF/PF cases with participant FIs as COSMIC was being developed, and this is to refine the high-risk indicators or, as I mentioned, "red flags", and also our threshold criteria. MAS will continue to work closely with participating FIs to track COSMIC's effectiveness and to make the needed adjustments on an ongoing basis.

I will move on to safeguards and confidentiality of COSMIC information which is of interest to Members.

Mr Don Wee asked how sharing information on COSMIC will interact with the data protection requirements in the PDPA and banking confidentiality obligations in the BA. Mr Louis Ng, Mr Don Wee and Mr Leon Perera asked about the strict safeguards to protect information obtained from COSMIC, including those related to cybersecurity. Mr Derrick Goh also asked about the roles and responsibilities of the participating FIs and MAS, in the event of a cybersecurity incident on COSMIC.

The Bill seeks to strike a balance between protecting the privacy of legitimate customers and also preventing criminal abuse of this protection to conceal serious financial crime. The Bill will permit sharing of information between FIs for financial crime prevention and detection purposes within tightly circumscribed parameters. Participant FIs may share COSMIC risk information as permitted under the Bill despite any restrictions that may be imposed by any written law or contract. Customer consent will not be required for sharing on COSMIC.

These overrides are necessary. Why? Because criminals are unlikely to agree to allow their information to be shared. The Bill will also disapply sections 21 and 22 of PDPA, which relate to access and correction of personal data. FIs will, however, still be required to take measures to ensure the accuracy and completeness of the information shared on COSMIC under the Bill. I will elaborate on this later.

To clarify Mr Leon Perera's query, paragraph 13.4 of the MAS Notice 626 allows a bank to collect personal data, whether by itself or through a third party, for the purposes of complying with the requirements of Notice 626, for example, in the conduct of customer due diligence. This is different from the COSMIC initiative – he asked about the difference between Notice 626 and COSMIC – because COSMIC seeks to allow participant financial institutions to share customer information with one another.

The safeguards of and for information shared on COSMIC apply at two levels.

First, MAS is the owner and operator of the COSMIC platform and MAS will ensure that COSMIC information is exchanged and stored securely, with strict cybersecurity measures, which include data encryption. I mentioned this in my earlier speech. I also mentioned that these controls will be subject to audits, both internal and external, to ensure their effectiveness.

Second, at the participant FI level, they are likewise required to adopt strong safeguards, such as allowing only a small group of the FIs' authorised officers to access COSMIC and also sharing COSMIC risk information only within the boundaries permitted by the Bill. These MAS-regulated FIs are required to institute robust controls, including cybersecurity and data protection controls, to prevent information security breaches. MAS will closely supervise participants' adherence to these measures and will take firm action for any lapses, including breaches which result in customer information leakage. In the event of a cybersecurity breach, MAS will work closely with the FIs to promptly remediate the issue and conduct a postmortem to assess the need on whether to tighten the defences further.

Next, on the effectiveness of voluntary sharing and how we can scale up the sharing. Mr Yip and Mr Murali Pillai asked about the incentive for banks to voluntarily participate in COSMIC. COSMIC is built upon the foundation of the positive experience of sharing between CAD, MAS and banks under the AML/CFT Industry Partnership (ACIP), which the six participant FIs are members of. Case-specific information sharing under ACIP, on a smaller scale than what is envisioned for COSMIC, has already fostered mutual trust. The six participant FIs are keen to build on these early efforts to continue and expand the sharing through COSMIC.

Mr Yip and Mr Derrick Goh were concerned that banks may have varying levels of AML/CFT policies and risk appetite on when to share information on COSMIC. Mr Yip also noted that there must also be safeguards in place to ensure that information is not too readily shared on COSMIC. Mr Leon Perera suggested that there should be sufficiently prescriptive and granular guidelines on when FIs should share information on COSMIC. Mr Derrick Goh asked if this initial voluntary phase could be shortened, given the rapid innovations in financial crime. Mr Murali Pillai also asked whether the COSMIC framework addresses FIs that are too conservative or obstructive in rejecting requests for information, and whether there are penalties for this. Mr Leon Perera also asked how frequently the "red flags" and thresholds would be reviewed.

If I could reference my speech earlier, I explained how MAS has worked with the initial six participating banks to develop clear and objective thresholds for sharing information on COSMIC, as well as expectations on engaging customers. This will ensure that sharing is purposeful and that legitimate customers are not unduly affected. This initial two-year period of voluntary sharing is to allow participant FIs adequate time to familiarise themselves with the new information-sharing paradigm and also for the COSMIC platform, which will be integrated with the FIs' systems, so as to achieve operational stability.

MAS will continue to work closely with the participating FIs to ensure the "red flags" and threshold criteria remain effective in targeting financial crime behaviour and also to review them if necessary. MAS will monitor FIs' usage of COSMIC to ensure that they are consistent in their assessment of when information should be shared on COSMIC. Eventually, we intend to make such sharing mandatory on COSMIC.

Mr Murali Pillai asked about the timelines for FIs to respond to or to provide information on COSMIC. MAS has established with the participant FIs a set of agreed upon service timelines. These timelines are designed to enable FIs to share risk information on a timelier basis, so that they can take earlier mitigation measures. The design of the timeline must also be balanced against the time needed for the FIs themselves to engage customers to clarify the "red flags" and concerns, so that the legitimate customers will not have their information unnecessarily shared on COSMIC. So, you need that time to allow for us to make sure that that is so.

I will move on to the STR filing and the accuracy of COSMIC information. Mr Yip asked about potential overlaps between FIs' obligation to report suspicious transactions and to also share information on COSMIC. Mr Don Wee asked if COSMIC can be built upon existing systems, such as STRO's platform. He also asked if MAS is funding the development of COSMIC and whether participating FIs need to pay any fee.

Sharing of information on COSMIC is meant to strengthen the FIs' ability to collectively detect potential bad actors when stipulated "red flag" thresholds are crossed. Information sharing under the Request or Provide modes will take place even before the threshold for filing an STR is crossed. This will allow more holistic understanding of customers exhibiting sufficient "red flags", and more timely management by the FIs. If the FIs subsequently file an STR, the deeper insights gleaned from COSMIC and included in the STR would be more helpful for law enforcement. As STRO's platform is used by a much wider pool of both FIs and non-FIs to report suspicions relating to financial crime activity that have been established on reasonable grounds, it would not be appropriate to integrate the STRO platform with COSMIC. However, and nonetheless, MAS is exploring if the STR and COSMIC processes could be streamlined to reduce the administrative burden on participant FIs. So, I thank the Member for that feedback.

MAS is the owner of the COSMIC platform and will bear the costs of developing the infrastructure, which we view as serving a public good. Participating banks would not have to pay a subscription fee. However, they are expected to ensure sufficient resourcing to support their effective participation on COSMIC. This includes maintaining and effecting any necessary upgrade of data analytical tools, as COSMIC's information sharing is integrated into their internal platforms.

I will move on to the accuracy of COSMIC information. Mr Yip Hon Weng asked about FIs relying on information from COSMIC and how to ensure the accuracy as well as the reliability of risk concerns that are shared by other FIs. He also asked about FIs' liability from sharing or using information on COSMIC should it turn out to be inaccurate. Mr Murali Pillai also asked why it has not been proposed for FIs which are negligent in making false or misleading disclosures to be guilty of an offence. Mr Derrick Goh also asked how FIs would use information from COSMIC, given their varying risk management standards.

As I mentioned, participant FIs will be required to ensure accuracy and completeness of the information shared on COSMIC and to correct any errors or omissions, for example, in instances where a customer has provided further clarifications.

As Mr Murali Pillai has pointed out, under the new section 28J, a participant FI or an officer of the FIs that knowingly or recklessly makes a false or misleading disclosure on COSMIC will be guilty of an offence.

This same standard is also found in various provisions of other statutes which MAS administers, such as the BA, which relate to the provision of information that is false or misleading. We adopted this standard of care, given the need to balance between ensuring accuracy of information and also not inadvertently deterring participants from sharing information.

COSMIC is meant to provide an additional information source to supplement our FIs' existing sources and to also enhance their risk assessments of their own customers, in line with their internal risk management standards.

As such, MAS expects FIs to also carry out their own due diligence, including conducting further public source checks as well as seeking clarifications with their customers in such risk assessments. As part of MAS' supervision, MAS will consider circumstances of relevant breaches arising from the use of COSMIC information in assessing if there are any appropriate action to be taken.

Mr Murali Pillai also suggested that the proposed offences committed by FIs under COSMIC be considered for listing under the Sixth Schedule of the CPC, which sets out offences in respect of which deferred prosecution agreements may be entered into. We thank Mr Murali Pillai for this suggestion and will keep it in mind for when we roll out future phases of COSMIC.

Finally, let me address the questions on the sharing and use of COSMIC information. Mr Yip Hong Weng asked if participant FIs are required to analyse information they receive from COSMIC and take risk mitigation actions if needed. Mr Louis Ng asked if there are plans to share COSMIC information with other Government agencies besides STRO and, if so, which safeguards would be in place.

Nominated Member Ms Janet Ang had also noted the usefulness of COSMIC information in her speech yesterday on the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) (Amendment) Bill and the Computer Misuse (Amendment) Bill and had asked how COSMIC information might be helpful in the enforcement of both these Bills.

Given the potential sensitivity of COSMIC information, STRO is the only agency, apart from MAS, that will have direct access to COSMIC information to help fulfil its role as Singapore's financial intelligence unit. MAS will include information from COSMIC, including material networks of suspicious actors detected by the COSMIC platform, in our risk analysis and surveillance to target higher risk activities in the financial system for supervisory intervention.

Currently, MAS is able to share information in its possession with domestic authorities, including CAD, to facilitate their investigation, enforcement or supervisory action. This may include information obtained through COSMIC where there is a financial crime concern. Such sharing will be subject to conditions, including confidentiality safeguards.

Mr Yip also asked about the sharing of COSMIC information with overseas branches, given that ML/TF/PF activities are often cross-border in nature. At present, FIs in Singapore can already disclose customer information for risk management purposes within the financial group, including with its overseas branches or subsidiaries. This strengthens group-wide ML/TF/PF risk mitigation, and it prevents bad actors from moving between FIs within the same group and it is aligned with international standards set by the FATF.

In line with this principle, FIs participating on COSMIC will also be permitted to disclose the information they receive from COSMIC within their financial group, only for group-wide ML/TF/PF risk management purposes, on a need-to-know basis, provided additional safeguards set out in the legislation are in place. This is to mitigate the risks of leakage, and unauthorised disclosures and unintended legal risks to FIs that had shared the information. With this, Madam, I beg to move.

Question put, and agreed to.

Bill accordingly read a Second time and committed to a Committee of the whole House.

The House immediately resolved itself into a Committee on the Bill. – [Mr Alvin Tan].

Bill considered in Committee; reported without amendment; read a Third time and passed.