Keynote Address
The keynote address was an illuminating and informative speech, which highlighted MAS’ “evergreen” enforcement priorities. These priorities are as follows:
(a) Pursuing capital markets misconduct. These cases typically involve individuals who trade on inside information or rig public markets; in some cases, financial institutions have been held liable for the improper acts of their client advisors. There is also an increasing focus on holding gatekeepers in capital markets responsible and improving the quality of disclosure in markets.
(b) Enforcing anti-money laundering and countering the financing of terrorism (AML/CFT) requirements. It was noted that as with any open and mature financial centre with significant inflows of money, it is impossible for Singapore to completely prevent illicit fund flows. Singapore nevertheless endeavours to do so to the greatest extent possible; financial institutions are therefore required to have in place AML/CFT measures, and are taken to task when they fall short.
(c) Addressing financial services misconduct. A focus for MAS is the conduct of fund and wealth managers, particularly those that do not have in place an appropriate risk management and monitoring framework.
It was noted that investigation and enforcement work has become, across all areas, increasingly complex and challenging. Misconduct is, for example, rarely localised but often transnational in nature. The volume and variety of digital evidence have also grown exponentially. MAS engaged in the following to address these challenges:
(a) Partnerships. It was emphasised that harnessing partnerships and collaboration at various levels is critical for MAS. MAS has strong relationships with public sector agencies in Singapore and abroad, and has been able to address complex cross-jurisdictional matters such as that involving the massive accounting fraud at the now-insolvent German payment processor and financial services provider and the ongoing S$2.8 billion money laundering case. MAS further provides assistance to its international counterparts where the purpose of such assistance is supervision, investigation or enforcement under the laws of the foreign jurisdiction – this is so even if the relevant person (in respect of whom the assistance is being provided) is not licensed or otherwise regulated under Singapore laws. MAS also partners with financial institutions to combat money laundering and terrorism financing, and such relationships have been fruitful – the AML/CFT Industry Partnership (ACIP) has, for example, led to the successful identification of unlawful activity.
(b) Platforms. The use of technology platforms, including data analytics, has enabled MAS to drive a risk-focused supervisory approach. In addition, MAS is also taking steps to implement an in-house eDiscovery platform.
(c) People. It was noted that as the enforcement landscape becomes increasingly complex and novel areas are brought within the regulatory fold, it is imperative that investigators have the right skillset and training. MAS affirmed its commitment to continually developing its people.
Sanctions Panel
Another highlight of the event was an engaging panel on sanctions (the Sanctions Panel) moderated by David Harris, Partner and Co-Head of the EMEA Investigations Group (NRF London).
The panel discussed the ever-evolving sanctions landscape, which has created significant challenges for sanctions compliance professionals, and the shift in focus by sanctions authorities from implementation to investigations and enforcement. The Sanctions Panel covered a range of topics and observations, including:
(a) Dealing with the lack of alignment in key areas across the major sanctions regimes and understanding the type of sanctions measures in place. It is no longer sufficient to focus on the parties to a transaction and rely on a robust screening system; specialist resource is required to analyse the transaction as a whole, have a process to identify changes in restrictions, determine whether such restrictions are applicable to the business and individual employees, and assess the compliance measures required.
(b) The top enforcement priorities of sanctions authorities, including indirect sanctions risks (e.g. ultimate ownership and/or control of entities) and the focus on investigating the ‘circumvention’ or ‘evasion’ of sanctions. Together with the marked increase in trade-related sanctions, knowing the business of your customer or counterparty and who they are dealing with is a key component of assessing and monitoring transactions.
(c) Regulatory expectations regarding the use of data are increasing, and a current area of focus for sanctions authorities is the use of data collected by companies to enhance their sanctions compliance processes, for example by tracking the use of IP addresses and reconciling that data against KYC information provided by customers.
(d) The recent judgment from the Court of Appeal of Singapore in relation to sanctions clauses in the context of documentary credits, and the challenge for companies when balancing the tension between internal risk-based sanctions compliance decision-making and what the company may be able to objectively prove – as a matter of clear evidence – in the event of a contractual dispute. The onus of proving that a company is complying with sanctions increasingly falls on the company itself; it is therefore crucial that companies thoroughly document their sanctions compliance assessments, the steps taken, and the basis for decisions.
(e) Lessons learned from recent enforcement, including the recent multi-billion dollar settlement between a significant global cryptocurrency exchange and various US agencies, and the risks of the long arm of US sanctions enforcement for non-US companies.
(f) While there is inherent unpredictability given the nature of sanctions, a company ought to put itself in the best position to manage sanctions risks by building a strong compliance programme with clear roles and responsibilities, ensuring that it has the right cross-border advisors, and staying up-to-date on relevant developments.
Cybersecurity Panel
Wilson Ang moderated a lively panel on Responding Effectively to Cyber Security Threats (the Cyber Panel).
The Cyber Panel tackled two aspects: the evolving cyber threat landscape and how companies manage cyber risks, and a simulated ‘live’ cyber incident with panellists reacting to evolving facts.
The evolving cyber threat landscape and managing cyber risks
The panel started with a discussion on the current cyber threat landscape faced by companies today. Ransomware remains a key risk for companies – particularly with the increased attack surface due to digitisation of our societies and the proliferation of the Ransomware-as-a-service (RaaS) model. Recent advances in artificial intelligence (AI) have also enabled cyber criminals to leverage AI to create scripts and deploy more realistic phishing schemes.
There was a broad consensus that cyber incidents are a question of “when, not if” for companies. Therefore, companies should adopt an ‘assume breach’ mentality to build cyber and business resilience. This means putting in place a strategy for back-up and recovery, as well as rehearsing incident response playbooks through table top exercises to ensure that response procedures are well socialised and become ‘muscle memory’.
The panel also recognised that cyber incidents are no longer just an IT issue. Cyber incidents are now legal issues, as companies face the risk of regulatory liability (with numerous jurisdictions imposing regulatory penalties based on the percentage of a business’s turnover) and civil claims if they were to be hit by a cyber incident.
Simulated ‘live’ cyber incident
For the simulated ‘live’ cyber incident, panellists were asked to comment on a rapidly evolving ransomware attack against a fictitious healthcare company from their perspective as CISO, in-house counsel, external consultant and outside counsel. Among other things, the panel considered the following issues:
(a) Coordination. The simulated incident contemplated a company without an incident response plan or playbook, which the panel agreed was a significant concern. In such situations, CEO and board involvement would be critical in containing the incident. It is also imperative to bring various stakeholders, such as legal, public affairs, technology / IT together to manage the incident. External experts (forensics, external counsel, public relations) will also need to be activated to provide support. Therefore, a cross-function operational team will need to be quickly constituted to manage and oversee the company’s response to the incident.
(b) Containment, recovery and remediation. Upon discovery of a cyber incident, triage and containment are critical – ensuring that the incident is contained and isolated to prevent further damage. At the same time, forensic consultants will need to be activated to help the company isolate and eradicate the threat actor from the affected systems before initiating recovery. Early activation of the forensic retainer is also crucial as relevant system logs will need to be preserved, collected and aggregated in order to identify the root cause of the incident and the attack path taken by the threat actor.
(c) Ransom payment and negotiations. While companies may have differing policies on ransom payment, the panel noted that entering into negotiations with a threat actor could be advantageous – even if a company has a strict policy of non-payment of ransom. Negotiating with threat actors could provide the company with useful intelligence on the extent of the attack carried out by the threat actor and help the company buy time to carry out its internal assessments. Additionally, if a company is considering whether to pay the ransom, it will need to carry out due diligence on the threat actor to satisfy itself that the threat actor is likely to deliver on its promise and that paying the ransom will not cause the company to breach sanctions or anti-money laundering / terrorism financing laws.
(d) Incident reporting. The occurrence of a cyber incident may trigger a myriad of regulatory reporting and notification obligations. If personal data were to be impacted, the company may need to make reports to data protection regulators. Given the cross-border nature of business and data flows, a cyber incident in Asia may trigger data breach notification obligations across a number of jurisdictions. A cyber incident may also trigger cybersecurity reporting requirements, especially if the company is considered to be a critical information infrastructure provider. If ransom were to be paid, it may be necessary to file suspicious transaction reports. Listed companies will also need to consider their disclosure obligations under securities law. In this regard, the panel noted that the U.S. Securities and Exchange Commission recently charged a US listed company and its CISO for alleged cybersecurity misstatements and controls failures, which underscores the importance for listed companies to make accurate and timely disclosures for cyber incidents.
Conclusion
The wide-ranging content explored in the GIR Live: Asia-Pacific Investigations Summit reflects the spectrum of compliance and investigations issues affecting companies operating in Asia today – which was ably covered by the expert panellists and moderators. We look forward to attending the next edition of GIR Live: Asia-Pacific Investigations Summit in 2024.