Legal Updates

Legal Updates for April 2024

Singapore's Cybersecurity Regime Set to Undergo Update - Cybersecurity (Amendment) Act Introduced in Parliament
In Singapore, the Cybersecurity Act regulates cybersecurity threats and incidents, critical information infrastructure ("CII"), and cybersecurity service providers. To keep pace with emerging threat factors and operational practicalities, the Cyber Security Agency of Singapore ("CSA") has introduced the Cybersecurity (Amendment) Bill ("Bill"). The main amendments in the Bill include the following:

• Updating existing provisions relating to the cybersecurity of CII;
• Expanding CSA's oversight to cover the cybersecurity of Systems of Temporary Cybersecurity Concern; and
• Creating two new classes of regulated entities – Entities of Special Cybersecurity Interest and Foundational Digital Infrastructure.

New Regulated Activities under Payment Services Act and New User Protection Requirements for Digital Payment Token Service Providers from 4 April 2024
On 4 April 2024, the Payment Services (Amendment) Act 2021 came into effect, revising the Payment Services Act 2019 in the following main areas:

1. Broadening the definition of "digital payment token" ("DPT") services;
2. Widening the definition of "cross-border money transfer" services; and
3. Empowering the Monetary Authority of Singapore ("MAS") to impose additional measures to regulate DPT service providers to enhance consumer protection and maintain financial stability.

MAS Launches COSMIC Platform for FIs to Share Information on Customers Exhibiting Red Flags to Combat ML/TF
On 1 April 2024, the Monetary Authority of Singapore ("MAS") launched COSMIC (Collaborative Sharing of Money Laundering / Terrorism Financing (ML/TF) Information & Cases), the first centralised digital platform to facilitate the sharing of customer information among prescribed financial institutions ("Prescribed FIs") to combat money laundering ("ML"), terrorism financing ("TF"), and proliferation financing ("PF") globally.

On the same day, the Financial Services and Markets Act 2022 ("FSMA") was amended to set out the legal basis and safeguards for such sharing. On 28 March 2024, the MAS Notice FSM-N02 Prevention of Money Laundering and Countering the Financing of Terrorism - Financial Institutions' Information Sharing Platform ("COSMIC Notice") was issued, providing MAS' requirements for the Prescribed FIs to establish and implement robust controls to facilitate the sharing of risk information on COSMIC and protect the confidentiality of the information being shared and the interests of legitimate customers. The COSMIC Notice took effect on 1 April 2024, save for the provisions dealing with outsourcing arrangements which will take effect on or after 11 December 2024, together with the coming into effect of the MAS Notice 658 on Management of Outsourced Relevant Services for Banks.

With the launch of COSMIC, the Prescribed FIs in this initial phase (expected to last for approximately two years after its launch) currently comprise the six banks who co-developed COSMIC together with MAS (DBS, OCBC, UOB, Citibank, HSBC, and Standard Chartered Bank). As a start, COSMIC will focus on three key financial crime risks in commercial banking: (i) misuse of legal persons; (ii) misuse of trade finance for illicit purposes; and (iii) PF. Under COSMIC, FIs can securely share with one another information on a "relevant party" who exhibits multiple "red flags" that may indicate potential financial crime concerns along the lines of (i) to (iii), if stipulated conditions and thresholds are met. A "relevant party" is a person who is, or who seeks to be, or who has been, a customer of a Prescribed FI, and who has been prescribed as such under subsidiary legislation.

This Update outlines key requirements under the FSMA and the COSMIC Notice.