Risk In:Review #37 - 12 November 2023
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Keep updated with the latest news and insights by clicking on subscribe.
Perspectives
Following last week’s conclusion of the FTX trial, we have seen a quieter, but no less interesting week in the risk technology space.
First up, the UK government has confirmed it is moving forward to establish the UK as a global hub for crypto assets and technologies. The UK’s move is unsurprising given developments in competing financial centres, such as Singapore, Hong Kong, and the UAE.
The proposed phasing of the regulation follows an established pattern, with the Financial Conduct Authority (FCA) initially regulating fiat-backed stablecoins and the proposed extension of payment services legislation to stablecoins in UK payment transactions.
What is interesting about the UK’s approach is that the UK government plans to manage the risk of systemic failure in the digital asset space. The Bank of England will supervise digital settlement asset (DSA) firms that are deemed to pose systemic risk, with HM Treasury outlining a special administrative regime for these firms.
Once established, this mechanism could set a pathway for other markets that want to reduce the risk of digital asset firms deemed too big to fail, or that otherwise pose a systemic risk to crypto or digital infrastructure.
Elsewhere, the continued evolution of mBridge is also in the headlines. For those who are unaware of this initiative, mBridge is a joint venture between the Bank for International Settlements and the central banks of Hong Kong, China, Thailand, and the UAE, focused on testing CBDCs for cross-border trade.
mBridge is one of the most advanced cross-border CBDC infrastructures and could pose a challenge to the dominance of SWIFT over the long-term. This project may also provide an alternative to those seeking ways to finance trade outside of the US-dominated financial system, which raises questions for how compliance processes would need to be adapted to cope with this new payment mechanism.
Finally, at the International Counter Ransomware Initiative conference, 40 countries pledged to stop making ransomware payments. While this pledge may help disincentivise criminals from attacking public or government infrastructure, it does not extend to private companies, and is unlikely to affect corporates for whom recovery costs often exceed the cost of a ransom payment.
The conference did however establish agreement to share information on cryptocurrency accounts used for ransomware payments. These wallets will be included on a US Department of Treasury blacklist of digital wallets known for receiving ransomware payments, which will in turn make it easier to monitor the movement of funds received by these and connected wallets.
This Week In:Review
Australia
China
Hong Kong
India
Singapore
Best of the Rest
Australia In:Review
In response to escalating losses from fraud, the Australian government is set to enhance the security of its myGov system. Starting in 2024, Australians will have the option to use facial and fingerprint biometrics for accessing government services. This move, highlighted in a report from The Guardian and announced by Government Services Minister Bill Shorten, aims to modernise myGov and protect against phishing scams that exploit personal information.
The government's decision follows significant financial losses, with over AUD 3.1 billion lost in 2023 due to sophisticated scams, including "scams-in-a-box" sold on the dark web. These scams typically involve fake alerts directing users to fraudulent myGov portals, where personal and banking details are compromised. Common targets include Centrelink, the Australian Tax Office, and Medicare accounts, all accessible through myGov.
To further secure myGov, a special advisory committee has been established, led by former NSW Minister for Customer Service and Digital Government Victor Dominello. The eight-member team, comprising academics, policy officials, and private sector representatives, is part of a strategic response to the recent audit recommending myGov be treated as critical infrastructure with secured funding.
These measures are in response to a growing trend of scams and data breaches in Australia, as evidenced by the major data breach at Australian telco Optus in September 2022, which compromised the personal information of over a million customers.
The Australian Securities and Investments Commission (ASIC) has enforced a payment of AUD 13.1 million by Binance Australia Derivatives, also known as Oztures Trading Pty Ltd, for incorrectly classifying users as wholesale rather than retail. This misclassification resulted in Binance Australia Derivatives failing to provide mandatory legal protections to its retail clients. Consequently, the firm has compensated users for their net trading losses and fees.
Earlier this year, Binance Australia Derivatives surrendered its Australian Financial Services Licence following ASIC's targeted review and a notice of hearing. This led to office raids and the termination of banking relationships with key Australian financial institutions like Cuscal and Westpac.
ASIC's press release not only addresses Binance's non-compliance in Australia but also highlights global regulatory actions against the company. It specifically mentions the Commodity Futures Trading Commission lawsuit in the United States and warnings from the UK, Japan, Italy, Singapore, the Netherlands, Canada, and Thailand.
Furthermore, ASIC's vigilance extends to other cryptocurrency firms. It has taken action against Finder for its crypto lending product, Finder Earn, and was investigating FTX during its collapse. This indicates ASIC's ongoing commitment to regulating the cryptocurrency sector and safeguarding investors.
CoinSpot, a leading cryptocurrency exchange based in Melbourne, Australia, has suffered a security breach, resulting in over AUD 2 million being drained from accounts. This incident marks a significant compromise for the exchange, which is one of the largest in Australia with over 2.5 million customers.
The Australian Financial Review confirmed the theft through blockchain tracking firm Chainalysis, which labelled the funds as stolen. Approximately AUD 2.3 million in ether (ETH), associated with the Ethereum network, was moved from two CoinSpot wallets. The funds were then channelled through bridging services THORChain and Wan Bridge, typically used for transferring digital assets across different blockchains. These transfers suggest a breach in the security of private keys, which authenticate the real owner of the cryptocurrency.
The founder of CoinSpot, Russell Wilson, and other backers had received AUD 700 million in dividends over the past two years, highlighting the exchange's profitability. However, despite its success, the breach raises concerns about the security of digital assets on exchanges. It also underscores the risks of "hot wallets" where digital assets are stored online, as opposed to "cold wallets" that store private key information offline.
The Australian government has announced plans to require crypto exchanges to hold a financial services licence, focusing on asset security. CoinSpot's breach illustrates the pressing need for enhanced regulatory measures and security practices within the cryptocurrency exchange sector.
China In:Review
China has intensified its efforts against the 'pig butchering' scam networks, which have been exploiting victims globally. These scams, named for the process of 'fattening up' victims with a fake romantic relationship before defrauding them with bogus investment advice, are often conducted by Chinese syndicates operating from Southeast Asia, primarily Myanmar. Many of these scammers are trapped in modern-day slavery, lured by fake job advertisements and held captive in prison-like complexes.
In a cooperative 'special joint operation' with Thailand, Laos, and Myanmar, China has made significant progress, arresting thousands of suspects. On 10 October, China's Ministry of Public Security announced the repatriation of 2,317 scam suspects from northern Myanmar. By the end of September, 387 key figures in these cyber scam networks were caught. In total, nearly 5,000 Chinese nationals involved in illicit activities have been repatriated.
However, despite these crackdowns, experts warn that these groups are resilient and will continue to find vulnerable areas to exploit. The United Nations estimates over 120,000 individuals in Myanmar and 100,000 in Cambodia are coerced into these scam operations.
Victims of these scams have lost substantial amounts of money. The US Treasury Department has highlighted the severity of these scams, with Americans losing a record USD 2.57 billion to cryptocurrency investment fraud in the last year, marking investment fraud as the fastest-growing scam in the US.
The Chinese government has announced a significant legal stance towards the theft of digital collections, including nonfungible tokens (NFTs), classifying such acts as property theft. This development, revealed on 10 November, represents a major shift in China's regulatory approach to digital assets.
The government's statement presents three perspectives on categorising the theft of digital collections. The first two views consider it as either data theft or digital property theft. The third and most critical perspective treats these collections as both data and virtual property, falling under the category of "co-offending." This approach highlights the dual nature of digital asset theft, involving unauthorised access to computer systems and the theft of virtual property.
In this new classification, digital collections are recognised as "network virtual property," establishing their status as property in criminal law. This implies that digital collections, including NFTs, can be the subject of property crimes in China.
Despite China's 2021 ban on most cryptocurrency-related activities, this move signals a nuanced perspective towards digital assets like NFTs. Interest in NFTs in China is growing, evidenced by Alibaba’s Xianyu lifting restrictions on NFT-related search terms and the state-run China Daily announcing plans for its own NFT platform, with a budget of CNY 2.813 million.
Hong Kong In:Review
Hong Kong is considering allowing exchange-traded funds (ETFs) that invest directly in cryptocurrencies, aiming to establish itself as an Asia-Pacific digital-asset hub while addressing the challenges posed by the JPEX scandal. Securities and Futures Commission Chief Executive Officer Julia Leung expressed openness to such proposals, provided they address new risks and meet regulatory concerns.
Crypto ETFs are seen as a means to mainstream digital assets, offering accessibility to a broader range of investors. Currently, Hong Kong and the US permit futures-based crypto ETFs, but their uptake has been limited. Hong Kong lists ETFs like the Samsung Bitcoin Futures Active, CSOP Bitcoin Futures, and CSOP Ether Futures ETFs, with combined assets of about USD 65 million.
The popularity of spot funds remains uncertain following the 2022 digital asset market downturn and the fallout from the FTX fraud scandal. Hong Kong introduced a virtual-asset regulatory framework in June to attract companies and ensure investor protection. Retail investors in Hong Kong can trade major tokens like Bitcoin and Ether on licensed exchanges, with rules for stablecoins expected by 2023-2024. The city is also exploring tokenisation, having sold its first digital green bonds and updated regulatory guidance for tokenised products for retail investors.
The SFC has eased restrictions on security token offerings, which are now open to all investors, not just professionals. This change aligns with the Hong Kong Monetary Authority's plans to provide guidance for banks on digital-asset custodial services, essential for developing a digital-asset ecosystem. In its pursuit to become a digital-asset hub, Hong Kong competes with regions like Singapore, Dubai, and the European Union, and faces contrasting approaches like the US's clampdown.
India In:Review
The increasing accessibility of artificial intelligence tools has led to a surge in deepfake technology, posing a significant threat in audio, video, and photo formats. A recent incident involving a deepfake video of Bollywood actor Rashmika Mandanna has heightened concerns, prompting action from both the industry and the Indian government. The Delhi Police has registered an FIR in connection with this deepfake video.
Deepfakes are created using neural networks known as Generative Adversarial Networks (GANs), which learn facial features from numerous images and videos. These networks become increasingly proficient, making it harder to discern if a video is genuine or altered. Experts suggest that deepfakes can be identified through unnatural eye movements, facial expressions, inconsistencies in appearance, and audiovisual discrepancies.
To tackle the deepfake threat, India Inc. is focusing on detection, forensic algorithms, audit processes, and building the necessary talent. Strengthening verification processes like multi-factor authentication and investing in tools to identify deepfakes are key strategies. Stricter guidelines for the use of AI and AI-generated watermark guidelines are also recommended to ensure content authenticity.
Legal action is another critical approach, with stringent laws and regulations needed to address deepfake cybercrime and protect victims' rights. Technologies like blockchain, digital watermarking, biometric authentication, and AI can play a pivotal role in detecting, verifying, and countering deepfake content. Blockchain technology, in particular, offers a permanent reference point for verification, deterring the creation and distribution of deepfakes and aiding in tracing the culprits.
Indian authorities have arrested 18 individuals, including four police officers, in connection with a massive USD 300 million cryptocurrency scam in Himachal Pradesh that affected approximately 100,000 people. The scheme, which may have started as early as 2018, involved a local cryptocurrency named Korvio Coin (or KRO coins) and other digital currencies used on fake websites. One of these was subject to a "rug pull," where the project was abandoned after investments were made.
The involvement of police personnel in the scam added to its perceived legitimacy. Over 1,000 police officers were implicated, with many being deceived, some profiting significantly, and others actively promoting the scheme. The Special Investigation Team (SIT), along with the Enforcement Directorate and regional police teams, led an extensive investigation, resulting in the filing of 56 complaints over two years. Searches conducted in late October uncovered around 250,000 identification cards linked to suspects.
The investigation revealed that more than 100 people profited by about USD 240,000 each, and another 200 made around USD 120,000 each from the scam. Despite the arrests, the alleged kingpin, Subhash Sharma, remains at large, with several properties linked to him being seized. The Enforcement Directorate is also investigating the involvement of five women suspected of acting as agents or promoters for Sharma. The Himachal Pradesh State Police has yet to respond to requests for comment.
In the financial year 2022–2023, the Narcotics Control Bureau and the Indian Cyber Crime Coordination Centre significantly enhanced their training efforts in cryptocurrency forensics and investigations. According to the annual report from India's Ministry of Home Affairs (MHA), 141 officials under the Narcotics Control Bureau were trained in investigating darknet and cryptocurrencies, digital footprint analysis, and evidence gathering from open sources and social media.
In addition to these efforts, the Indian Cyber Crime Coordination Centre provided extensive training to over 2,800 cyber police officials. These training sessions focused not only on crypto forensics but also on emerging technologies such as anonymisation networks and investigating the misuse of mobile applications in cyberspace.
As India gears up to address potential crypto-related crimes amid increasing adoption of digital currencies, the country is also exploring mainstream applications of blockchain technology. In a notable development, Hindustan Petroleum (HPCL), a state-run oil and gas company, has recently implemented a blockchain system to automate the verification of purchase orders (POs). This was achieved in collaboration with Zupple Labs, a blockchain software firm. The new system integrates blockchain technology with HPCL's internal e-PO system to generate tamper-evident, verifiable POs, thereby enhancing the efficiency and security of the verification process.
Singapore In:Review
The Monetary Authority of Singapore (MAS) is exploring the use of artificial intelligence (AI) in combating money laundering, according to its managing director Ravi Menon. This announcement comes ahead of the Singapore FinTech Festival, where AI will be the primary focus.
MAS is currently utilising AI for fraud detection and analysis of vast data sets, including financial reports and news articles. However, the recent billion-dollar money laundering case in Singapore has highlighted the need for enhanced surveillance and information sharing across financial institutions. To address this, MAS plans to implement AI on the upcoming COSMIC platform, designed for financial institutions to share information on suspicious customers or transactions.
In addition to focusing on money laundering, the FinTech Festival will discuss AI's role in reimagining financial systems for the underserved. The festival will also highlight the rapid advancements and widespread adoption of AI, particularly generative AI, in financial services.
Updates are expected on various initiatives, including instant cross-border payments with the integration of Singapore’s PayNow system and Malaysia’s DuitNow. Project Greenprint, aimed at improving sustainability data, will also see further developments announced.
MAS is also advancing in the field of cross-border payments, working on instant settlements using central bank digital currencies (CBDCs). Collaborations with the Federal Reserve Bank of New York and central banks of France and Switzerland have shown promising results in achieving atomic settlement of cross-border transactions in seconds, demonstrating the potential of distributed ledger technology in enhancing the efficiency of cross-border payments.
Best of the Rest In:Review
The UK government is advancing its regulatory framework for cryptoassets and digital assets under the Financial Services and Markets Act (FSMA) 2023. HM Treasury has confirmed key policy positions to establish the UK as a global hub for cryptoasset technologies. Phase 1 focuses on regulating fiat-backed stablecoins, excluding algorithmic stablecoins or tokens not backed by fiat currency. This phase will require UK issuers of fiat-backed stablecoins to be regulated by the Financial Conduct Authority (FCA) and extend payment services legislation to these stablecoins in UK payment transactions.
Additionally, the government plans to manage the failure of systemic digital settlement asset firms, addressing potential systemic risks. The Bank of England will supervise certain digital settlement asset (DSA) firms that pose systemic risks, with HM Treasury confirming a special administration regime for these firms.
Phase 2 involves regulating a broader range of cryptoassets and activities, with HM Treasury planning to introduce legislation in 2024. This phase will bring several cryptoasset activities under regulation for the first time, requiring businesses to meet standards similar to traditional financial services. The government is still developing policies in key areas such as staking and decentralised finance (DeFi). The Bank of England will open a discussion paper on the regulatory regime for systemic DSA firms, and legislation for Phase 2 is due in 2024.
In fiscal year (FY) 2023, the United States Commodity Futures Trading Commission (CFTC) reported a historic increase in enforcement actions, particularly in the digital asset sector. The CFTC’s Division of Enforcement (DOE) initiated 96 enforcement proceedings for various violations, including fraud and manipulation, across different markets. These actions resulted in penalties, restitution, and disgorgement totaling over USD 4.3 billion.
Remarkably, approximately 50% of the cases in FY 2023 involved cryptocurrencies. Of these, the CFTC filed 47 actions in the digital asset commodities sector, accounting for over 49% of all cases during this period. These actions encompassed a range of issues, including fraudulent activities by exchanges, individual Ponzi schemes, a legal victory against a decentralized autonomous organization, and a digital asset futures platform. The CFTC also undertook innovative litigation related to cross-market manipulation in blockchain technology.
Chairman Rostin Behnam highlighted the CFTC’s dedication to combating fraud and manipulation, especially in the digital asset realm, leading to a record number of cases. He also praised the staff's efforts in ensuring accountability among registrants and market participants in CFTC-regulated markets.
Notable among the CFTC's actions were lawsuits against Sam Bankman-Fried, Gary Wang, Caroline Ellison, and Nishad Singh for an alleged fraudulent scheme involving digital asset commodities, which led to over USD 8 billion in losses of FTX customer assets. In July, the CFTC charged Celsius and its former CEO, Alex Mashinsky, with fraud relating to a digital asset commodity pool scheme, and also took action against a digital asset lending platform for unregistered commodity pool operations.
The mBridge project, involving 23 central banks including the BIS, represents a significant development in the realm of central bank digital currencies (CBDCs). It aims to bypass the US dollar-based global financial system and is nearing operational readiness. mBridge stands out in the CBDC landscape for several reasons:
1. Scope and Scale: mBridge is a joint venture between the BIS innovation arm and central banks of Hong Kong, China, Thailand, and the UAE, focused on testing CBDCs for cross-border trade. This platform aims to streamline payments between commercial banks across jurisdictions.
2. Diverse Participation: Beyond the main participants, 25 other official entities, including the IMF, World Bank, and central banks from various continents, have joined as observers. The project also involves significant players like Goldman Sachs, HSBC, SocGen, and others in blockchain-based security issuance, insurance payments, and trade finance.
3. Technological Infrastructure: Initially running on a proprietary blockchain based on Ethereum’s Solidity language, mBridge is transitioning to the Dashing protocol, developed by the PBoC's Digital Currency Research Institute. This shift highlights China's prominent role in the project.
4. Operational Model: Each participating central bank operates a validator node, contributing to network consensus, with commercial banks running non-validator nodes.
5. Comprehensive Development: mBridge addresses critical issues such as legal frameworks, policy implications, governance, AML compliance, and more. It is significantly ahead of other cross-border CBDC initiatives.
6. Geopolitical Implications: While mBridge might not challenge SWIFT's dominance immediately due to its vast network, it indicates a shift in the global financial balance of power. This project caters to countries seeking alternatives to the US-dominated financial system, potentially impacting international trade and geopolitical dynamics.
The launch of mBridge, albeit ambitious, is a major step towards changing the established financial order and showcases the growing influence of blockchain and CBDCs in global finance.
The Financial Services Commission (FSC) of Mauritius is actively seeking feedback from industry stakeholders and the public on integrating the metaverse into the financial services sector. During November, the FSC is focusing on understanding the strategic developments and potential impacts of the metaverse, as outlined in a recent consultation paper.
The initiative reflects Mauritius's goal to prepare its regulatory and business environments for the rising global adoption of the metaverse. The FSC is drawing inspiration from the efforts of offshore regulators in regions like the European Commission, the United Kingdom, Dubai, Indonesia, China, South Korea, and Singapore, all of whom are actively accommodating this emerging technology.
The FSC's approach involves posing seven metaverse-related questions to stakeholders and the general public, with responses due by 30 November. The collected feedback will contribute to forming a multidisciplinary working group, which will focus on future policy and regulatory frameworks concerning the metaverse.
In parallel, Mauritius is on the verge of launching the pilot phase of a digital rupee in November 2023. This step, emphasised by the governor of the Bank of Mauritius, Harvesh Kumar Seegolam, aligns with his 2020 priority to develop a central bank digital currency (CBDC). The digital rupee is seen as instrumental in enhancing monetary sovereignty and aiding in Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT) efforts. The official release date of the digital rupee is still pending.
At the International Counter Ransomware Initiative conference, 40 countries, including the United States and members of the European Union, pledged to stop making ransomware payments, a policy primarily applicable to government entities. This decision could significantly impact local governments, especially in the United States, which receives nearly half of the world's ransomware attacks.
The pledge does not extend to private companies, which often choose to pay ransoms due to cost considerations and business continuity. For example, a recent case involving Las Vegas casinos Caesars and MGM highlighted the difference in approach, with Caesars negotiating a USD 15 million ransom payment compared to MGM's expected recovery costs of at least USD 100 million after refusing to pay.
The conference, now in its third year, also established cooperative programs like agreements to share information on cryptocurrency accounts used for ransomware payments. Israel, the UAE, and Lithuania will create platforms to centralize this information, and participants agreed to utilize a US Department of Treasury blacklist of digital wallets known for receiving ransomware payments.
Furthermore, the possibility of applying AI analysis to blockchain for tracking ransomware payments was discussed, though no new law enforcement measures were specifically addressed. The effectiveness of using AI in this context depends on the specifics of the developed systems. Ransomware attacks have increasingly targeted government agencies, with significant impacts in smaller countries like Costa Rica and Chile. This initiative is part of a broader effort to dismantle the financial systems facilitating ransomware payments.
I hope you find Risk In:Review informative and helpful.