However, on 30 December 2020, Singapore’s Terrorism Financing National Risk Assessment 2020 (the “NRA Report”) was published. The NRA Report assessed digital payment token service providers to be a medium-low risk sector for TF. In this article, we will review different assessments (in and outside Singapore) on the inherent ML/TF risks of virtual assets, as well as how Singapore financial institutions (“FIs”) should consider the sector for purposes of their enterprise-wide risk assessments (“EWRAs”).
THE NRA REPORT
The NRA Report is published by the MAS, the Ministry of Home Affairs and the Ministry of Finance. It presents an overview of Singapore’s TF risk environment, and identifies the key risk areas within Singapore’s system to counter TF. In the PSN02 Guidelines the MAS states that a VASP should incorporate the NRA Report into its EWRA as follows:
- A payment service provider should incorporate the results of Singapore’s NRA Report and relevant updates from the authorities into its enterprise-wide ML/TF risk assessment process. This includes the report on the ML/TF risks arising from the use of virtual assets in Singapore, in section II of these Guidelines. When performing the enterprise-wide risk assessment, a payment service provider should take into account any financial or non-financial sector that has been identified as presenting higher ML/TF risks. A payment service provider should consider the NRA Report and its enterprise-wide ML/TF risk assessment results when assessing the ML/TF risks presented by customers from specific sectors. (4)
In the NRA Report, TF risks (5) are viewed as “a combination of threats and vulnerabilities (including controls) with consequences deemed as severe.” (6)
Definition of Threat Levels
TF threat is a measure of how terrorists/terrorist groups are known to be using/have used a sector for TF both regionally and locally. Contextual factors may influence the threat level. In the NRA Report, TF threats were rated as follows:
High | Terrorists/terrorist groups are known to be using this sector widely for TF, both regionally and locally. |
Medium- High | Terrorists/terrorist groups are known to be using this sector widely for TF, both regionally, and available information points to the possibility of the sector being used locally. |
Medium- Low | Terrorists/terrorist groups are known to be using this sector in some instances for TF, both regionally, and available information shows no indication of the sector being used locally. |
Low | Terrorists/terrorist groups are known to be using this sector in rare instances for TF, both regionally, and available information shows no indication of the sector being used
locally. |
Definition of Vulnerability Ratings
The vulnerability of a sector being exploited for TF is a function of its level of accessibility, exposure, and the strength of its controls. In the NRA Report, TF vulnerabilities were rated as follows:
High | High chance of the sector being exploited for TF.
The sector can be used by terrorist / terrorist groups because of a high level of accessibility and exposure. In most cases, controls could also be weak. |
Medium- High | Medium-High chance of the sector being exploited for TF.
The sector can be used by terrorist / terrorist groups because of a high level of accessibility and exposure. In most cases, there could be some level of controls. |
Medium- Low | Medium-Low chance of the sector being exploited for TF.
The sector can be used by terrorist / terrorist groups because of a certain level of accessibility and exposure. In most cases, there could be a reasonably good level of controls. |
Low | Low chance of the sector being exploited for TF.
The sector is less likely to be used by terrorist / terrorist groups because of a low level of accessibility and exposure. A high level of controls could also be present in some cases to further bring down the level of vulnerability. |
Definition of Risk Ratings
The NRA Report established a four-point scale to assess the level of TF risks in a given sector:
High | High risk of terrorist / terrorist groups using this sector for TF, taking into account known cases, typologies, as well as levels of accessibility, exposure and controls. |
Medium- High | Medium-high risk of terrorist / terrorist groups using this sector for TF, taking into account known cases, typologies, as well as levels of accessibility, exposure and controls. |
Medium- Low | Medium-low risk of terrorist / terrorist groups using this sector for TF, taking into account known cases, typologies, as well as levels of accessibility, exposure and
controls |
Low | Low risk of terrorist / terrorist groups using this sector for TF, taking into account known cases, typologies, as well as levels of accessibility, exposure and controls. |
The ultimate risk ratings of a sector were determined according to a matrix evaluating threats and vulnerabilities:
Risk Ratings | Vulnerabilities | ||||
Threats | Low | Medium-Low | Medium-High | High | |
High (“H”) | MH | MH | High | High | |
Medium-High (“MH”) | MH | MH | MH | H | |
Medium-Low (“ML”) | ML | ML | MH | MH | |
Low (“L”) | L | L | ML | ML |
The TF Risks of the Virtual Asset Sector
The virtual asset sector was given a TF risk rating of “Medium-Low” (the “Lower Risk Assessment”). Based on the commentary in the NRA Report, we believe that this rating was due to the assessed vulnerabilities of the virtual asset sector rather than the threats posed. In particular, the NRA Report highlighted the anonymity, speed and cross-border nature of transfers associated with digital payment tokens; and the lack of robustness of anti-money laundering and countering the financing of terrorism controls and TF risk understanding due to the nascent regime.
OTHER COMMENTARY RELATING TO THE INHERENT ML/TF RISKS OF THE VIRTUAL ASSET SECTOR
Prior to the publication of the NRA Report, authorities in and outside Singapore have made statements assessing the inherent ML/TF risks of the virtual asset sector. For example:
- In June 2019, the Financial Action Task Force (“FATF”) wrote:
- “Due to the potential for increased anonymity or obfuscation of [virtual asset] financial flows and the challenges associated with conducting effective customer identification and verification, virtual assets and VASPs in general may be regarded as higher ML/TF risks that may potentially require the application of enhanced due diligence measures, where appropriate;” (7) and
- “countries should not necessarily categorize VASPs or virtual asset activities as inherently high ML/FT risks;” (8)
- In December 2019, the MAS wrote “MAS agrees with the FATF’s approach to scope in virtual asset activities, which members of the global standard setting body have at this time [emphasis added] collectively assessed to present higher ML/TF risks.” (9)
- In the PSN02 Guidelines (published in March 2020), the MAS wrote “MAS considers that transactions involving virtual assets carry higher inherent ML/TF/PF risks, due to the anonymity, speed and cross-border nature of the ” (the “Higher Risk Assessment”) (10)
- In December 2020, the United Kingdom assessed cryptoassets to have a risk rating of “medium” for ML and TF. (11)
- On 4 January 2021, in a speech relating to the second reading of the Payment Services Amendment Bill, Mr Ong Ye Kung, on behalf of Mr Tharam Shanmugaratnam, Senior Minister and Minister-in-charge of the MAS, said: “The speed and cross-border nature of [digital payment token] activities carry higher inherent money laundering and terrorism financing risk.
THE SUBJECTIVITY OF THE EWRA
The MAS expects financial institutions (“FIs”) to develop sound and systematic enterprise-wide risk assessment methodologies to effectively (i) identify and analyse inherent ML/TF risks, (ii) assess the adequacy of anti-money laundering and countering the financing of terrorism (“AML/CFT”) controls and (iii) determine residual risks and additional mitigating measures to address these risks. (12)
The subjectivity in ML/TF risk assessments is similar to that which occurs when judging gymnastics. Even when you have a shared evaluation framework, reasonable people can disagree. Meanwhile, FIs business models can vary greatly, which results in the MAS guiding FIs to make their own determination as to the risk weights given to factors in their EWRAs. (13) The Investment Management Association of Singapore has guided FIs to “adjust the risk weight accordingly to your company specific conditions” when conducting a risk assessment. (14)
Many FIs genuinely want to do their part to combat ML/TF. Regardless, a FI’s observance of the PSN02 Guidelines, including its approach to conducting its EWRA, may impact the MAS’ overall risk assessment of the FI itself and the quality of the FI’s board and senior management oversight, governance, internal controls and risk management. (15) Therefore, the MAS’ view of a FI’s EWRA can materially affect the FI’s operations and license.
Nobody gets fired for buying IBM
Can a FI be too conservative in assessing its ML/TF risks for purposes of its EWRA? Yes. However, the risks of an overcautious approach to the EWRA are not regulatory risks. On the other hand, a FI faces regulatory risks if it is insufficiently prudent in assessing it ML/TF risks. In the EWRA Information Paper, the MAS flagged scoring methodologies that are “biased towards more benign ratings for inherent risks, control effectiveness, or residual risks” as an aspect of EWRAs that could be improved.
We believe that when a VASP conducts its EWRA it will likely attempt to reconcile the Lower Risk Assessment with the Higher Risk Assessment and, in the event of uncertainty, the VASP will err on the side of caution and incorporate the Higher Risk Assessment to avoid regulatory risk.
Attempts at Reconciling the Lower Risk Assessment with the Higher Risk Assessment
If we had a good answer to this issue, we would have mentioned it earlier. But for the sake of completeness…
- The Lower Risk Assessment is a relative statement. It could mean that virtual asset transactions carry higher inherent ML/TF risks because the sector is not rated “low risk”. On the other hand, the NRA Report rates the banking sector to have Medium-High TF risks yet the MAS guidelines on ML/TF applicable to banks (16) do not contain a similar statement regarding the higher relative risk of the banking sector.
- The Lower Risk Assessment could only apply to TF risks and not ML risks. However, this conclusion would still leave the two statements unreconciled for purposes of ML risks. It also would differ from the UK NRA Report which rated ML/TF risks equivalently in both 2017 and 2020.
- The Lower Risk Assessment could reflect an evolution in the MAS’ view on the ML/TF risks of the virtual asset sector. The passage of time can change the ML/TF threats and vulnerabilities facing a sector or its ultimate risk assessment. This is particularly true of the virtual asset sector which is continually Weighing against this theory is the fact that the PSN02 Guidelines have not been updated and the lack of any other evidence suggesting an evolution in the MAS’ view of the applicable risks.
CONCLUSION
Setting a FI’s inherent risk rating as high in an EWRA often has material consequences on the FI’s operations, including increased costs, longer onboarding procedures and greater potential liability to a board of directors. From a practical compliance standpoint, it is easier to operate a business that has lower ML/TF risks. Therefore, a conclusion or view that virtual asset transactions carry high inherent ML/TF risks is significant.
As part of their license applications under the PS Act, we believe that many VASPs have prepared their EWRAs on the basis that the virtual asset sector has high inherent ML/TF risks. One could read the Lower Risk Assessment in the NRA Report to suggest that the MAS does not agree with that assessment, at least with respect to current TF risks. We expect industry best practice on this question to evolve and intend to monitor the issue closely and update this article as needed.
At a minimum, the issue is evidence that compliance issues can be grey. For those of you waiting for laws, regulations and guidelines to live up to the coherence theory of truth, 2021 would be off to a rough start. On the bright side, if you have read this whole compliance article, we think you deserve a prize. Please do reach out to us at our details below so you can redeem your free coffee at the barista of your choice. Fear not – we do not have to spend the whole coffee talking about compliance.
Happy New Year from Holland & Marie!
HOLLAND & MARIE
Holland & Marie is a compliance, risk, C-Suite and legal solutions firm based in Singapore. We have extensive experience resolving typical compliance issues including regulatory inspections, satisfying regulatory requirements and maintaining best practices in corporate governance to navigate the rapidly changing regulatory landscape.
For further information, contact:
Chris Holland: Partner | Holland & Marie | 201802481R
7 Straits View, Marina One East Tower, #05-01 Singapore 018936
Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act and is not a law firm.
(1) In this article, references to “virtual assets” and “digital payment tokens” refer to digital assets like bitcoin that are considered a digital payment token for purposes of the Payment Services Ac (No. 2 of 2019) (the “PS Act”).
(2) See II-3-2 of the Guidelines to MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism (the “PSN02 Guidelines”).
(3) For purposes of this article, VASPs include FIs licensed under the PS Act for provided digital payment token services.
(4) Id, Paragraph 4-11
(5) Unlike the previous version of the NRA Report published in 2013, the NRA Report did not assess
ML risks.
(6) See Annex to the NRA Report.
(7) See Paragraph 58 of the Financial Action Task Force’s Guidance for a Risk Based Approach – Virtual Assets and Virtual Assets and Virtual Asset Service Providers.
(8) Id, Paragraph 16.
(9) See Paragraph 3.11 of the Response to Feedback Received on New Payment Services Notices on Prevention of Money Laundering and Countering the Financing of Terrorism.
(10) See III-1-1 of the PSN02 Guidelines.
(11) See Chapter 8 of the United Kingdom’s National risk assessment of money laundering and terrorist financing 2020 (the “UK NRA Report”)
(12) See the MAS’ Information Paper, “Enhancing Robustness of the Enterprise-wide Risk Assessment on Money Laundering and Terrorism Financing”, published in August 2020 (the “EWRA Information Paper”).
(13) See Paragraph 4-10 of the PSN02 Guidelines.
(14) See IMAS Guidance to Assessing Money Laundering and Financing of Terrorism Risk
(15) Id, Paragraph 1-3.
(16) See Guidelines to MAS Notice 626 on Prevention of Money Laundering and Countering the Financing of Terrorism.