2024-10-18

Added

Guidelines to MAS Notice FSM-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Financial Institutions’ Information Sharing Platform

The Monetary Authority of Singapore issued these guidelines to prescribe operational requirements for prescribed financial institutions participating in the COSMIC information sharing platform. The document mandates the establishment of robust internal policies, procedures, and controls to govern the timely and secure exchange of risk information regarding money laundering, terrorism financing, and proliferation financing. It further details specific obligations for requesting, providing, and publishing risk data while ensuring compliance with anti-tipping-off provisions and ongoing customer due diligence standards.

Monetary Authority of Singapore logo

Singapore

Monetary Authority of Singapore

Click to view thumbnail

Monetary Authority of Singapore GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 18 OCTOBER 2024

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 2 Table of Contents 1 Introduction.......................................................................................................... 3 3 Notice Paragraph 3 – Internal Policies ................................................................ 5 4 Notice Paragraph 4 – Request for Risk Information by a Prescribed Financial Institution under Section 28D of the FSM Act...................................................... 9 5 Notice Paragraph 5 – Provision of Risk Information on a Prescribed Financial Institution’s Own Motion under Section 28E of the FSM Act ............................. 11 6 Notice Paragraph 6 – Publication of the Risk Information of a Relevant Party on the Platform under Section 28F of the FSM Act ................................................ 13 8 Notice Paragraph 8 – Platform Access, Information Accuracy and Information Security Safeguards .......................................................................................... 16 9 Notice Paragraph 9 – Record Keeping.............................................................. 19 10 Notice Paragraph 10 – Additional Requirements Relating to Outsourced Relevant Services that Involve the Disclosure of Risk Information.................... 20 For ease of reference, the chapter numbers in these Guidelines mirror the corresponding paragraph numbers in the MAS Notice FSM-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Financial Institutions’ Information Sharing Platform (e.g. Chapter 3 of the Guidelines provides guidance in relation to paragraph 3 of the Notice). Not every paragraph in the Notice has a corresponding paragraph in these Guidelines and this explains why not all chapter numbers are utilised in these Guidelines.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 3 1 Introduction 1-1 These Guidelines provide guidance to all prescribed financial institutions (as defined in section 28B of the Financial Services and Markets Act 2022 (“FSM Act”))1 on the requirements in MAS Notice FSM-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Financial Institutions’ Information Sharing Platform (“the Notice”). These Guidelines should be read in conjunction with the Notice. 1-2 The expressions used in these Guidelines have the same meanings as those found in the Notice, except where expressly defined in these Guidelines or where the context otherwise requires. 1-3 The degree of observance with these Guidelines by a prescribed financial institution may have an impact on the Authority’s overall risk assessment of the prescribed financial institution, including the quality of its board and senior management oversight, governance, internal controls and risk management. 1-4 Key Concepts Relevant Party 1-4-1 The term “relevant party” is defined in section 28B of the FSM Act. In relation to a prescribed financial institution, this means a person who: (a) is a customer, is seeking to be a customer or has been a customer of the prescribed financial institution; and (b) is either prescribed by regulations as a relevant party of that prescribed financial institution, or a member of a class of persons prescribed by regulations as relevant parties of the prescribed financial institution.2 1-4-2 Former customers and persons who sought to but did not become a customer of a prescribed financial institution (“prospects”) are also considered relevant parties if they meet the criteria set out in the FSM Act and the FSM Regulations. This applies regardless of whether it was the customer, prospect or the prescribed financial institution that had terminated or decided not to proceed with the customer relationship. A prescribed financial institution should consider sharing information on a former customer or a prospect as and when such information comes to the prescribed financial institution’s attention, but is not expected to proactively conduct a look-back to identify former customers or prospects whose profile or behaviour meets the threshold for sharing on COSMIC. 1 The list of prescribed financial institutions is set out in the Financial Services and Markets (Information Sharing Scheme for Prescribed Financial Institutions) Regulations 2024 (the “FSM Regulations”). 2 Please see regulation 3 of the FSM Regulations.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 4 Risk Information 1-4-3 The term “risk information” is defined in section 28B of the FSM Act. The FSM Act allows the sharing of risk information on a relevant party through COSMIC in the specific circumstances set out in the FSM Act. Such information may include identifying information on a relevant party’s authorised signatories, beneficial owners and officers. 1-4-4 Prescribed financial institution should consider including in its Request, Disclosure and/or Listing relevant risk information on the relevant party, such as the relevant party’s particulars and, where applicable, those of its directors or beneficial owners. These particulars may include their name, date of incorporation or birth, residential and/or business address, nationality or place of incorporation, and unique identification number. The transactions or other information that led to the risk information being shared may be included, to assist in accurately identifying the ML/TF/PF Risk concern involved. Information that has no relevance to the transaction or suspicion that triggered the sharing (for example, transactions that have no relevance to the underlying concerns or are unduly dated from the time period in question) should not be shared.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 5 3 Notice Paragraph 3 – Internal Policies 3-1 The policies, procedures and controls that a prescribed financial institution must establish and implement are fundamental and provide guidance to its officers in ensuring compliance with the relevant requirements relating to the information sharing scheme in Part 4A of the FSM Act. It is important that a prescribed financial institution regularly reviews its policies, procedures and controls to take into account new operational, legal and regulatory issues and developments relevant to the information sharing scheme in a timely manner. Notice Paragraphs 3.2 to 3.3 3-2 Internal Policies, Procedures and Controls 3-2-1 In addition to the areas mentioned in paragraph 3.2 of the Notice, a prescribed financial institution’s internal policies, procedures and controls should also: (a) address the provision of adequate training to relevant officers of the prescribed financial institution, so that they are adequately trained to implement the requirements of the Notice and the prescribed financial institution’s internal policies, procedures and controls. This includes training to ensure the proper use of platform information for ML/TF/PF Risk assessments of a relevant party. Timely training should also be conducted when there are changes to such internal policies, procedures and controls; (b) ensure that processes will be put in place to ensure the fair treatment of prospects and customers, including seeking clarifications from relevant parties, where relevant, to adequately address ML/TF/PF Risk concerns or before terminating or declining to establish business relations with relevant parties; 3 and (c) enable it to request and provide risk information in a timely manner, in accordance with the expected timelines communicated separately by the Authority to the prescribed financial institution. 3-3 Internal Policies, Procedures and Controls relating to a Request 3-3-1 A prescribed financial institution should include in its policies, procedures and controls adequate arrangements to ensure that when making a Request, in addition to ensuring that the applicable threshold criteria for the Request is satisfied, it also explains in its Request how the risk information requested would assist it in assessing whether the relevant party to whom the Request relates may have been or may be concerned in money laundering (“ML”), 3 Please note in particular section 57 of the CDSA on tipping-off.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 6 terrorism financing (“TF”), or the financing of the proliferation of weapons of mass destruction (“PF”). 3-4 Internal Policies, Procedures and Controls relating to a Response 3-4-1 A prescribed financial institution should include in its policies, procedures and controls adequate arrangements to ensure that where it is uncertain if a Request it has received meets the conditions set out in section 28D(6) of the FSM Act, it seeks clarification from the prescribed financial institution that made the Request (i.e. the requester). 3-4-2 A prescribed financial institution should also include in its policies, procedures and controls adequate arrangements to ensure that it: (a) responds to a Request; and (b) notifies and communicates the reasons for rejecting a Request to the requester using the on-platform communication channels, in a timely manner, in accordance with the expected timelines communicated separately by the Authority to the prescribed financial institution. In cases where the discloser requires more time to provide the requested information (such as when the discloser has to retrieve information from its database, or in exceptional cases, where the discloser assesses that it is necessary to engage the relevant party for more information3 ), the discloser should inform the requester accordingly. Such information should nevertheless be provided within the expected timelines communicated separately by the Authority to the prescribed financial institution for complex cases. The discloser should ensure that the reasons for the longer time taken for making the Response is properly documented. 3-5 Internal Policies, Procedures and Controls relating to a Disclosure 3-5-1 A prescribed financial institution’s internal policies, procedures and controls should include the following – (a) Steps on engaging the relevant party, where necessary, to clarify the ML/TF/PF Risk identified and provide the relevant party with adequate opportunity to explain the activities or behaviour of concern prior to the prescribed financial institution making a Disclosure. Such steps should include (but are not limited to) the form and manner of engaging the relevant party. In this regard, a prescribed financial institution should also: (i) have controls and processes in place to ensure that any such engagement does not breach section 57 of the CDSA on tipping￾off;

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 7 (ii) consider the information provided by the relevant party further to such engagement as part of the prescribed financial institution’s assessment of whether the threshold criteria for making a Disclosure are met; and (iii) where the prescribed financial institution assesses that the disclosure of risk information is warranted even without prior engagement of the relevant party, document the basis of its assessment. Such cases could include circumstances where any prior engagement with the relevant party may put the prescribed financial institution at risk of tipping-off the relevant party, or where the relevant party remains unresponsive after a period of active engagement by the prescribed financial institution. (b) Adequate arrangements to ensure that Disclosures are made in a timely manner in accordance with the expected timelines communicated separately by the Authority to the prescribed financial institution. In cases where more time is required to make the Disclosure, such as where the prescribed financial institution has to engage the relevant party3 , the prescribed financial institution should ensure that the reasons for the longer time taken for making the Disclosure is properly documented. Disclosures should nevertheless be made within the expected timelines communicated separately by the Authority to the prescribed financial institution for complex cases. 3-6 Internal Policies, Procedures and Controls relating to a Listing 3-6-1 A prescribed financial institution should include in its internal policies, procedures and controls adequate arrangements to ensure that Listings will be made in a timely manner, in accordance with the expected timelines communicated separately by the Authority to the prescribed financial institution. In cases where more time is required to make the Listing, the prescribed financial institution should ensure that the reasons for the longer time taken to make the Listing is properly documented. Listings should nevertheless be made within the expected timelines communicated separately by the Authority to the prescribed financial institution for complex cases. 3-6-2 As set out in section 28F(1)(b) of the FSM Act, a prescribed financial institution must have declined or decided to decline to establish a relationship with the relevant party, or have terminated or decided to terminate a relationship with the relevant party, prior to publishing any risk information of the relevant party on the platform. The prescribed financial institution should include in its policies, procedures and controls adequate arrangements to ensure the requirements in MAS Notice 626 on “Prevention of Money Laundering and Countering the Financing of Terrorism – Banks” (“MAS Notice 626”) are met and put in place appropriate risk mitigation controls in the interim, such as enhanced transaction

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 8 monitoring and restrictions on activities in the account, while the relationship with the relevant party is still ongoing. 3-7 Approval Framework 3-7-1 In relation to the internal approvals mentioned in paragraph 3.2(c) of the Notice, such approvals may include (but are not limited to) the conduct of “four-eye checks” or checks by an appropriately senior and/or qualified officer, prior to the prescribed financial institution making a Request, Response, Disclosure or Listing, to ensure that the conditions set out under the respective sections of the FSMA, as stipulated in paragraph 3.2(a) of the Notice, are satisfied. Notice Paragraph 3.4 3-8 Audit 3-8-1 In relation to paragraph 3.4 of the Notice, the frequency and extent of the audit should be commensurate with the volume of Requests, Responses, Disclosures and Listings made or received by the prescribed financial institution. 3-8-2 The results of any audit performed in relation to paragraph 3.4 of the Notice should be documented and made available to the Authority upon request. 3-8-3 Prescribed financial institutions are encouraged to supplement these audits checks with regular compliance testing and/or quality assurance checks (“Compliance and QA Checks”), to ensure ongoing effectiveness of the prescribed financial institution’s internal policies, procedures and controls and compliance with the requirements for information sharing under the platform (such as the adequacy of controls to safeguard platform access and information security, the use of risk information obtained from COSMIC for risk assessment, and information accuracy). The Compliance and QA Checks should typically be performed by an appropriately independent function, such as the compliance or risk management units within the prescribed financial institution. Findings from the Compliance and QA Checks, as well as the audit checks, should be reported to the prescribed financial institution’s board and senior management. Prescribed financial institutions should put in place a clear audit and assurance/testing plan on an annual basis that is approved by senior management, to ensure adequate coverage of the requirements.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 9 4 Notice Paragraph 4 – Request for Risk Information by a Prescribed Financial Institution under Section 28D of the FSM Act Responsibility of the requester 4-1 For effective management and mitigation of ML/TF/PF Risk, a prescribed financial institution should put in place systems and processes to ensure that, upon receipt of risk information received as part of a Response, officers who are tasked with undertaking an assessment (i) have timely access to the risk information received, and (ii) are adequately trained on the proper use of platform information for customer risk assessments. 4-2 A prescribed financial institution should undertake the risk assessment mentioned in paragraph 4.1(a) of the Notice in a timely manner. 4-3 The results of the risk assessment must be properly documented and should be approved by an appropriately senior and/or qualified compliance officer of the prescribed financial institution. 4-4 A prescribed financial institution is also reminded to ensure that it complies with its AML/CFT obligations under MAS Notice 626. In particular, after receiving risk information as part of a Response to its Request – (a) where the requester becomes aware that it lacks sufficient information about the relevant party concerned or its Key Individuals (as defined in paragraph 6-10-5A of the Guidelines to MAS Notice 626), or that the information is not up-to-date, it should undertake a review of existing CDD data, documents and information of the relevant party or its Key Individuals (as relevant), in accordance with paragraph 6.24 of MAS Notice 626; and (b) it should pay particular attention to whether the risk information it has received would trigger its obligations under paragraphs 6.3(f), 6.3(g), 6.20, 6.21, 6.23 and 6.25 of MAS Notice 626. Where there is a suspicion of ML/TF or it has doubts about the veracity or adequacy of any information previously obtained, it should apply appropriate risk mitigation measures in accordance with its obligations under the MAS Notice 626, including paragraph 6(VI) on ongoing monitoring and paragraph 8.7 on enhanced CDD measures. 4-5 Upon the completion of the risk assessment mentioned in paragraph 4.1(a) of the Notice, a prescribed financial institution should consider if – (a) the relevant party has exhibited red flag behaviour that meets the threshold for making its own Disclosure or Listing on the relevant party, and make such Disclosure or Listing if this is the case; and

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 10 (b) the circumstances warrant the filing of an STR. A prescribed financial institution should bear in mind that whilst it may not share information it has received through the platform with other prescribed financial institutions, it may share its overall risk analysis on a relevant party with other prescribed financial institutions (without disclosing the specific information it had previously received) on the platform, if the requirements for sharing under Part 4A of the FSM Act are met. 4-6 In relation to paragraph 4.2 of the Notice, examples of exceptional circumstances where the prescribed financial institution may decide to terminate or decline to establish business relations without engaging the relevant party may include – (a) where engaging the relevant party may put the prescribed financial institution at risk of tipping-off the relevant party3 ; (b) where the relevant party is no longer a customer of the prescribed financial institution; (c) where the relevant party is under investigation for a crime related to the ML/TF/PF Risk identified; and (d) where the relevant party remains unresponsive or uncooperative in providing clear information after a period of active engagement by the prescribed financial institution. The prescribed financial institution should document the basis of its assessment to not engage the relevant party.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 11 5 Notice Paragraph 5 – Provision of Risk Information on a Prescribed Financial Institution’s Own Motion under Section 28E of the FSM Act Notice Paragraph 5.1 5-1 For effective management and mitigation of ML/TF/PF Risks, a prescribed financial institution should put in place systems and processes to ensure that officers who are tasked with undertaking an assessment upon receipt of risk information received as part of a Disclosure (i) have timely access to the risk information received, and (ii) are adequately trained on the proper use of platform information for customer risk assessments. 5-2 A prescribed financial institution is also reminded to ensure that it complies with its AML/CFT obligations under MAS Notice 626. In particular, after receiving risk information as part of a Disclosure – (a) where the prescribed financial institution becomes aware that it lacks sufficient information about the relevant party concerned or its Key Individuals (as defined in paragraph 6-10-5A of the Guidelines to MAS Notice 626), or that the information is not up-to-date, it should undertake a review of existing CDD data, documents and information of the relevant party or its Key Individuals (as relevant), in accordance with paragraph 6.24 of MAS Notice 626; and (b) it should pay particular attention to whether the risk information it has received would trigger its obligations under paragraphs 6.3(f), 6.3(g), 6.20, 6.21, 6.23 and 6.25 of MAS Notice 626. Where there is a suspicion of ML/TF or it has doubts about the veracity or adequacy of any information previously obtained, it should apply appropriate risk mitigation measures in accordance with its obligations under the MAS Notice 626, including paragraph 6(VI) on ongoing monitoring and paragraph 8.7 on enhanced CDD measures. Notice Paragraph 5.2 5-3 In relation to paragraph 5.2 of the Notice, examples of exceptional circumstances where the prescribed financial institution may decide to terminate or decline to establish business relations without engaging the relevant party may include: (a) where engaging the relevant party may put the prescribed financial institution at risk of tipping-off the relevant party3 ; (b) where the relevant party is no longer a customer of the prescribed financial institution;

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 12 (c) where the relevant party is under investigation for a crime related to the ML/TF/PF Risk identified; and (b) where the relevant party remains unresponsive or uncooperative in providing clear information after a period of active engagement by the prescribed financial institution. The prescribed financial institution should document the basis of its assessment to not engage the relevant party.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 13 6 Notice Paragraph 6 – Publication of the Risk Information of a Relevant Party on the Platform under Section 28F of the FSM Act Notice Paragraphs 6.1 to 6.2 Responsibility of the Lister 6-1 In relation to paragraph 6.1 of the Notice, examples of exceptional circumstances where it may not be practicable for a prescribed financial institution to engage the relevant party before a Listing may include – (a) where engaging the relevant party may put the prescribed financial institution at risk of tipping-off the relevant party3 ; (b) where the relevant party is no longer a customer of the prescribed financial institution; (c) where the relevant party is under investigation for a crime related to the ML/TF/PF Risk identified; and (d) where the relevant party remains unresponsive or uncooperative in providing clear information after a period of active engagement by the prescribed financial institution. The prescribed financial institution should document the basis of its assessment to not engage the relevant party in such cases. 6-2 In relation to paragraph 6.2(a) of the Notice, a Lister that becomes aware of new information (e.g. new information that is provided to the prescribed financial institution by the relevant party after the Listing) concerning the factors that led the relevant party to be the subject of a Listing that the Lister had previously made should consider whether the new information adequately addresses the ML/TF/PF Risk concerns previously identified, such that the criteria for the Listing are no longer met. 6-3 In relation to paragraph 6.2(b) of the Notice, an example of an erroneous Listing is a procedural lapse leading to the wrong customer being Listed. 6-4 Where the circumstances in paragraph 6.2(a) or (b) are met, a Lister should remove the Listing as soon as possible, no more than two business days from the time it assesses that the threshold criteria applicable for that Listing are no longer met, or the time when the Lister becomes aware of that the Listing was made erroneously, as the case may be.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 14 Notice Paragraphs 6.3 to 6.6 Screening and other responsibilities 6-5 The platform screening list contains an extract of key particulars of the risk information published on the platform under section 28F of the FSM Act relating to all relevant parties and is updated on a daily basis. The latest version will be made available for all prescribed financial institutions to download daily on the platform. 6-6 In relation to paragraph 6.3(b) of the Notice, prescribed financial institutions should ensure that screening against the platform screening list is done in a timely manner upon updates to the list. 6-7 In relation to paragraph 6.6 of the Notice, examples of exceptional circumstances where the prescribed financial institution may decide to terminate or decline to establish business relations without engaging the relevant party include – (a) where engaging the relevant party may put the prescribed financial institution at risk of tipping-off the relevant party3 ; (b) where the relevant party is no longer a customer of the prescribed financial institution; (c) where the relevant party is under investigation for a crime related to the ML/TF/PF Risk identified; and (d) where the relevant party remains unresponsive or uncooperative in providing clear information after a period of active engagement by the prescribed financial institution. The prescribed financial institution should document the basis of its assessment to not engage the relevant party. 6-8 A prescribed financial institution is also reminded to ensure that it complies with its AML/CFT obligations under MAS Notice 626. In particular, in the course of performing the risk assessment mentioned in paragraph 6.5 of the Notice – (a) where the prescribed financial institution becomes aware that it lacks sufficient information about the relevant party concerned or its Key Individuals (as defined in paragraph 6-10-5A of the Guidelines to MAS Notice 626), or that the information is not up-to-date, it should undertake a review of existing CDD data, documents and information of the relevant party or its Key Individuals (as relevant), in accordance with paragraph 6.24 of MAS Notice 626; and

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 15 (b) it should pay particular attention to whether its obligations under paragraphs 6.3(f), 6.3(g), 6.20, 6.21, 6.23 and 6.25 of MAS Notice 626 are triggered. Where there is a suspicion of ML/TF or it has doubts about the veracity or adequacy of any information previously obtained, it should apply appropriate risk mitigation measures in accordance with its obligations under the MAS Notice 626, including paragraph 6(VI) on ongoing monitoring and paragraph 8.7 on enhanced CDD measures.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 16 8 Notice Paragraph 8 – Platform Access, Information Accuracy and Information Security Safeguards Notice Paragraphs 8.1 to 8.4 Requirement to Maintain Security and Integrity of Platform Information 8-1 In relation to paragraph 8.1 of the Notice, examples of the systems and processes that a prescribed financial institution should establish and implement include “four-eye checks”, reviews by an appropriately senior and/or qualified officer, or regular quality assurance sample checks on information provided on the platform. 8-2 In relation to paragraph 8.2 of the Notice – (a) a prescribed financial institution should correct any inaccurate or incomplete risk information within two business days after it becomes aware of the error or omission by: (i) in the case of a pending Request, cancelling and submitting a new Request with the corrected risk information; and (ii) in the case of a Response, Disclosure or Listing, correcting the inaccurate or incomplete risk information it had provided in such Response, Disclosure or Listing on the platform; (b) in considering whether risk information that it has provided is accurate, a prescribed financial institution should consider this with reference to the time of the making of the Request, Response, Disclosure or Listing (as the case may be). For the avoidance of doubt, a prescribed financial institution is not expected to update such Request, Response, Disclosure or Listing where there are subsequent changes to the identifying information of a relevant party, if the information was accurate as at the time of making such Request, Response, Disclosure or Listing. For example, changes to passport numbers or addresses need not be updated on the platform if the information provided was accurate at the material time; and (c) a prescribed financial institution should also bear in mind paragraph 6.2 of the Notice and remove Listings if the revised information changes its assessment of whether the threshold criteria for the Listing is satisfied. 8-3 In relation to paragraph 8.3 of the Notice, the IT controls which a prescribed financial institution should implement include –

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 17 (a) ensuring that remote access to the platform is only allowed from approved official devices that have been secured in accordance with the prescribed financial institution’s security standards; (b) maintaining logs or audit trails of all access and amendments to platform information, including the making of Requests, Disclosures and Listings, as well as the disclosure of risk information in Responses, by the prescribed financial institution; (c) ensuring strong encryption access controls for all platform information stored (whether at rest and in transit) within the prescribed financial institution; and (d) performing regular quality assurance checks to ensure that the data and infrastructure security safeguards are working as intended. 8-4 A prescribed financial institution should refer to the Technology Risk Management Guidelines in the design of its IT controls. 8-5 In relation to paragraph 8.4(c) of the Notice, the prescribed financial institution should notify the Authority of the security breach using section A of the incident reporting template4 as soon as possible, within one hour to its MAS Review Officer (“RO”). Prescribed financial institutions may contact its RO via email or phone during office hours and the MAS duty officer via the 24-hour MAS BCM hotline (Tel: 6229 9526 / 6229 9527) outside of office hours. Notice Paragraphs 8.5 to 8.6 Requirement to Safeguard Access to Platform Information 8-6 In relation to paragraph 8.5 of the Notice on the maintenance of a register of the details of the officers that may access platform information: (a) the register should specify the extent and nature of access that has been granted to each officer, the period of access granted, and the reason for access; (b) the register should include both officers who will be able to access the platform directly (for instance, officers that are able to log onto the COSMIC platform, whether through the web user interface or API), as well as the officers that may need to know that information has been obtained from the platform and the details of the information obtained as part of their 4 The incident reporting template can be found at https://www.mas.gov.sg/regulation/forms-and￾templates/incident-reporting-template, and the instructions on incident reporting and reporting to MAS can be found at https://www.mas.gov.sg/regulation/forms-and-templates/instructions-on-incident￾notification-and-reporting-to-mas.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 18 oversight responsibilities, but do not necessarily require or have direct access to the platform (for instance, senior management staff who are responsible for making key AML/CFT decisions); and (c) prescribed financial institutions should ensure that the extent of access granted to an officer is proportionate and necessary for the effective functioning of the officer’s role and responsibility. The register should be kept up to date, and reviewed regularly to ensure that they remain relevant. Access rights should be revoked in a timely manner where appropriate (e.g. where the officer has transferred to another function that does not require access rights to platform information, or the officer has resigned). 8-7 In relation to paragraph 8.6(a) and (b) of the Notice, a prescribed financial institution should ensure that adequate safeguards for information sharing are in place. Such safeguards should include, at minimum, controls and processes to anonymise the identities of the prescribed financial institutions and the Authority (including their officers) that provided the platform information or were named in the information received.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 19 9 Notice Paragraph 9 – Record Keeping 9-1 Prescribed financial institutions that are banks in Singapore are reminded that the record keeping requirements set out in paragraph 12 of MAS Notice 626 are applicable in tandem with any relevant record keeping obligations under this Notice. Where information received through the platform is relevant to and has been used by such prescribed financial institution to fulfill its obligations under MAS Notice 626, the record retention policies under both the Notice and MAS Notice 626 apply and the prescribed financial institution should be able to produce records as required under both notices.

GUIDELINES TO MAS NOTICE FSM-N02 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM – FINANCIAL INSTITUTIONS’ INFORMATION SHARING PLATFORM 20 10 Notice Paragraph 10 – Additional Requirements Relating to Outsourced Relevant Services that Involve the Disclosure of Risk Information 10-1 Prescribed financial institutions that are banks in Singapore should also refer to the Guidelines on Outsourcing (Banks) for more information on MAS’ expectations and risk management practice pertaining to the management of outsourced relevant services.