News

Singapore Proposes Additional AML/CFT Requirements for FIs

Richard Marley
July 13, 2021
3 minutes read
91

Monetary Authority Singapore has issued a consultation paper proposing the scope of AML/CFT to be extended to financial institutions dealing with precious stones, precious metals and precious products.

Monetary Authority Singapore (MAS) has proposed further AML/CFT obligations for financial institutions (FIs) that deal with precious stones, precious metals and precious products (abbreviated to PSM). In particular, the consultation paper adds requirements for PSM dealings involving digital payment tokens, and customers that may be considered higher risk shell companies.

According to the PSM proposal, all FIs that directly deal with PSMs or act as an intermediary will be liable to comply with the AML/CFT requirements. This involves activities conducted by the FIs such as the manufacture, import, sale, purchase for resale of PSM, in addition to the selling or redeeming of any related asset-backed tokens.

The PSM proposal highlights the following conditions, where customer due diligence must be implemented by financial institutions:

The FI establishes an account relationship with any customer for the purpose of dealing in PSM
The FI undertakes any PSM transaction involving more than SGD 20,000, regardless of the payment mode
The FI suspects money laundering or terrorism financing or has doubts about the veracity or adequacy of any information previously obtained

To further enhance Singapore’s financial sector and prevent criminal activities such as money laundering and terrorism financing, the consultation paper also proposes to update the current MAS notices regarding AML/CFT compliance for FIs and VCCs (Variable Capital Companies).

The proposal will expand the scope of AML/CFT requirements to Digital Payment Tokens (DPTs) and Digital Tokens that are Capital Markets Products (DCMPTs). Similar to the requirements introduced in the Payment Services Act, FIs would be required to conduct Customer Due Diligence from the first dollar for occasional transactions involving DPTs or DCMPTs.

Additionally, the PSM Notice will also require financial institutions to collect and record information regarding beneficial owners when they transmit or arrange for the exchange of DPTs on behalf of customers. FIs will also have to immediately and securely submit this information to beneficiary DPT service provider, and screen the value transfer originators and beneficiaries against relevant information sources for AML/CFT risks.

FIs and VCCs have also been directed to implement adequate risk assessment for the timely detection of shell companies that pose higher ML/TF risks. MAS will also be laying down guidance regarding the red flags of money laundering, including examples of unusual transactions and behavioural caution points.

Additional guidance regarding the alignment of AML/CFT obligations for credit card or charge card licensees will also be introduced in the Notice, as introduced by the Payment Services Act.

The consultation paper is open for comment until 10 August 2021.

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
HKMA Issues Guide for Regtech Adoption in Customer Monitoring
The second guide published by the HKMA will allow banks to test their internal measures and infrastructure capabilities for the adoption of Regtech solutions.

As part of a two-year roadmap, the Hong Kong Monetary Authority (HKMA) has published its second issue, the Regtech Adoption Practice Guide, to promote the adoption of regtech solutions in the banking sector. The new issue follows the first guide, which focused on the adoption of cloud-based regtech solutions.

In January, the HKMA published case studies that highlighted the benefits of adopting regtech solutions, particularly for meeting Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance targets.

The new guide adds to the previous publication and focuses more on the benefits of adopting regtech solutions in the area of customer monitoring – a task that is necessary for banks to perform to stay AML/CFT compliant.

The guide states that these solutions are of the essence, as manual processes are becoming a thing of the past. Additionally, regtech solutions can enable banks to stay up-to-date and collect necessary information related to customers and their transactions.

“This information is essential to understanding whether the purpose and intended nature of the customer’s activities are commensurate with its risk profile and the nature of the business relationship”, the guide states.

The HKMA adds that while the adoption of advanced technologies such as machine learning and cognitive solutions is still in its emergent stage, they are the prime areas of growth.

HKMA Issues Guide for Regtech Adoption in Customer Monitoring – Regulation Asia: HKMA Issues Guide for Regtech Adoption in Customer Monitoring Regulation Asia https://t.co/GdiOxrrPNY pic.twitter.com/I6UF1tJGRc

— Financely (@financelygroup) July 27, 2021

The Guide also highlights the major bottlenecks and pain points that banks face during customer monitoring, which regtech solutions can easily address. Key developments in the industry and possible regtech applications are also outlined.

The Guide consists of practical guidelines that banks can follow to automate ongoing monitoring of customers.

The Regtech Adoption Practice Guide can be viewed here.

Suggested Read: RegTech facilitates effortless AML Compliance

Recent Posts

Blog
Indonesia's First-ever Comprehensive Law on Data Privacy - the PDP Bill
Being the largest economy in Southeast Asia, Indonesia is experiencing enormous growth in the digital ecosystem. By 2020, the country had 338.2 million mobile connections, 175.4 million internet users, and 160.0 million social media users. However, this growth has introduced challenges for ensuring personal data protection (PDP).

With personal data leaks, data thefts, and ID fraud becoming a recurring problem, the Indonesian government submitted the PDP Draft Bill to the Chairperson of the Indonesian House of Representatives in 2020. The bill is set to become law later this year, introducing key updates such as data transfer rules, ownership rights, data processing guidance and much more. This blog will shed a light on the highlights of the PDP bill.

What is Personal Data Privacy?

Personal data privacy, also known as information privacy, refers to protecting sensitive data such as an individual’s Personally Identifiable Information (PII), intellectual property data, and financial information. Personal Data Protection (PDP) is essential for ensuring regulatory compliance to privacy laws, as well as ensuring the confidentiality and immutability of the data.

Why is the Indonesian PDP Law Important?

While there are several personal data protection laws existing in the country, they remain scattered under various regulations. The main point of reference for data protection is the Law on Electronic Information and Transactions in Indonesia. The PDP law will become the first Indonesian law that includes specific, comprehensive guidance regarding the protection of personal data via both, electronic and non-electronic systems.

Secondly, it should be noted that the legislation is based on the EU’s General Data Protection Regulation (GDPR). This means that businesses and consumers within Indonesia will be subject to the same data rights and processing procedures as the EU.

Who Does it Apply to?

The Personal Data Protection law will be applicable to all business entities that deal with the personal data of Indonesian citizens, regardless of their geographical location. These business entities can fall in either category, private or public sector, whether located aboard or within Indonesia. The primary aim of the law is to protect all sensitive information being processed manually or digitally by individuals or corporations.

Key Takeaways of the PDP Law

Indonesia’s updated data protection bill will soon be introducing changes to revamp the country’s data privacy rules. Here is a brief summary of the PDP law.
1- Personal Data Definition and Categories

The definition of personal data mirrors the definition provided by the EU’s General Data Protection Regulation. Additionally, the type of data has been subdivided into two main categories; general and specific.

General Personal Data: This includes data such as an individual’s full name, age, religion, and citizenship which is collected for the purpose of identity verification.

Specific Personal Data: This type of data includes financial information, healthcare data, biometric information, genetic data, life/sexual orientation, political stance, criminal records, child data, and so on.

2- Rights of Personal Data Owners

While the rights of personal data owners were not explicitly explained previously, the updated draft outlines eleven rights, similar to the ones mentioned under the GDPR. This includes the right to terminate the processing of personal data, deletion of personal data, the right to sue and receive compensation over data privacy violations, and much more.

3- Identification of Key Roles

The PDP law separates the roles of “data controller” and “data processor”.

Personal Data Controller (PDC): This is the party responsible for determining the purpose of collecting data, processing the personal data, and defining its retention period. Before data processing begins, the PDC is required to obtain consent from the Personal Data Owner, either in written or recorded form.

Personal Data Processor (PDPr): This party processes the information collected on the behalf of the data controller.

4- Appointment of a Data Protection Officer

To ensure that the data collected is being used for public service, both the PDC and PDPr are required to appoint a data protection officer. In addition to this, the data protection officer will also be responsible for ensuring the PDC implements activities for regular monitoring of personal data and the processing of large-scale personal data related to criminal offences.

5- Transfer of Personal Data

The transfer of personal data between two PDCs have been permitted, provided that the consent has been obtained from the personal data owner and the transfer is done in accordance with the PDP Bill. For transferring data outside Indonesia, two requirements need to be met. Firstly, the receiving country must have a law equivalent to, or higher than the PDP bill. Secondly, there must be a treaty between the receiving country and Indonesia.

6- Administrative and Criminal Sanctions

Two types of sanctions have been introduced for parties that fail to comply with the PDP Bill. These include the following:

Administrative Sanctions: forms: a written warning, temporary halt of processing personal data, deletion or destruction of personal data, compensation, and administrative fines.

Criminal Sanctions: Misconduct of personal data privacy can lead to imprisonment for up to seven years and confiscation of assets, on top of fines up to 70 Billion IDR (US$4.8 million).

How To Maintain Compliance with the Personal Data Protection Bill

To stay compliant with the PDP bill, entities will be given two years to implement necessary policies and procedures. The following action plans can be implemented to stay compliant.

Review the current data protection procedures to ensure end-to-end data protection

Review current contracts/consent with customers to include all the necessary clauses, such as the data owner’s rights, data transfer regulations, obligations when processing personal data, etc.

Assess the business processes to ascertain the implementation of adequate procedures

Ascertain proper implementation of PDP law by third parties to secure the collection and processing of personal data

Invest in RegTech technologies and software to streamline compliance with regulatory requirements by automating compliance procedures

Summing it up

The GDPR-influenced Personal Data Protection Bill is soon to be introduced this year and is set to become Indonesia’s first comprehensive law on data privacy. This is a step in the right direction, given the vast crimes committed through breach of confidential data. By acknowledging the rights of the stakeholders involved, introducing precise sets of definitions, and presenting non-compliance penalties, the PDP bill is on its way to becoming one of the strongest data privacy laws among the fourteen Asian countries which currently have such laws in place.

Need more information? Talk to our experts!
Talk to Us

Singapore Proposes Additional AML/CFT Requirements for FIs

Why is the Indonesian PDP Law Important?

Who Does it Apply to?

Key Takeaways of the PDP Law

1- Personal Data Definition and Categories

2- Rights of Personal Data Owners

3- Identification of Key Roles

4- Appointment of a Data Protection Officer

5- Transfer of Personal Data

6- Administrative and Criminal Sanctions

How To Maintain Compliance with the Personal Data Protection Bill

Summing it up

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.

Singapore Proposes Additional AML/CFT Requirements for FIs

What is Personal Data Privacy?

Why is the Indonesian PDP Law Important?

Who Does it Apply to?

Key Takeaways of the PDP Law

1- Personal Data Definition and Categories

2- Rights of Personal Data Owners

3- Identification of Key Roles

4- Appointment of a Data Protection Officer

5- Transfer of Personal Data

6- Administrative and Criminal Sanctions

How To Maintain Compliance with the Personal Data Protection Bill

Summing it up

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.