Risk In:Review #45 - 04 February 2024
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Perspectives
Last week I commented on the HKMA’s proposal to allow Authorised Institutions (banks and deposit-taking companies) to share information on customer accounts for the purposes of preventing and detecting financial crime.
This week two further headlines emphasise the challenge of using modern technologies to collect and use personal data for identification and verification.
In the first, Hong Kong’s privacy watchdog raided the offices of Worldcoin – famously co-founded by OpenAI CEO Sam Altman – due to concerns that the collection of iris information could lead to personal information being compromised.
While iris recognition is a less-used biometric identification method than fingerprints or facial recognition, Hong Kong privacy officials are nonetheless concerned about how this biometric information may be used.
Regulators in other jurisdictions have raised similar concerns, noting that those having their biometric data collected by Worldcoin are not always aware of what is being collected, how it is being stored, or for how long.
The counter-argument is that iris recognition is a more accurate test of ‘humanness’, and that with the increasing quality of deepfakes, such technologies will be necessary for firms looking to verify a person is real, rather than an AI deepfake.
The second headline pertains to lobby groups in Australia calling for exemptions from tough new restrictions on the collection, use, storage and destruction of biometric data, under the federal government’s digital identity scheme.
Facial recognition technology is already used by several clubs and gambling venues in Australia to detect people listed on a self-exclusion register, and lobbyists argue that tougher restrictions could undermine existing social harm reduction measures.
While this may be true, facial recognition comes with a wider stigma associated with its false-positive rate and associated impact on individuals whose images are collected as part of the screening process.
The challenge facing the lobby groups seeking exemptions is that other tools, such as cashless gaming cards, could be equally effective in reducing social harm, while not attracting the same risk of data misuse as facial recognition technology.
Collectively these headlines show the increasing challenge regulators face in determining when it is appropriate to collect and retain biometric data for identification and verification. In particular, as deepfake technology improves, the debate over the balance between individual privacy and using these technologies to enhance our collective safety will accelerate.
This Week In:Review
Australia
China
Hong Kong
India
South Korea
Singapore
Best of the Rest
Australia In:Review
Clubs Australia, representing Australian poker machine venues, has advocated for exemptions from proposed stringent biometric data regulations to continue using facial recognition technology for identifying gambling addicts. The new regulations, part of the federal government's digital identity scheme, aim to enhance privacy by restricting the collection, use, and storage of biometric data. However, Clubs Australia contends these restrictions could compromise existing harm reduction measures, notably the enforcement of self-exclusion registers through facial recognition. This technology is already deployed in South Australia and parts of Queensland and New South Wales, despite privacy concerns. The proposed federal system, pending legislative approval, would interact with state ID systems, potentially altering their operation. Clubs Australia seeks legislative adjustments to retain biometric information necessary for "one-to-many" matches, a practice that would be restricted to authorised officials under the new laws. Critics, including technology policy specialists and digital rights advocates, oppose such exemptions, citing privacy risks, the potential for misidentification, and alternatives like cashless cards for self-exclusion, advocating for a reevaluation of the necessity and security of biometric data use in gambling venues.
Australian blockchain entrepreneur Sam Lee has been charged in the US with conspiracy to commit fraud related to the HyperVerse crypto investment schemes, which are alleged to have defrauded investors of USD 1.89 billion. Described as a "pyramid and Ponzi scheme" in court documents, Lee faces up to five years in jail if convicted. The charges, announced by the US attorney for the district of Maryland, Erek L Barron, include conspiracy to commit securities and wire fraud. The US Securities and Exchange Commission (SEC) has also charged Lee with fraud and the unregistered sale of securities. These allegations stem from the operation of various schemes under the HyperTech group, co-founded by Lee and Ryan Xu, targeting global investors with promises of high returns from crypto asset mining. However, investigations suggest these promises were false, with funds from new investors used to pay earlier participants, characteristic of a Ponzi scheme. The SEC emphasizes the scheme's reliance on misleading statements and the absence of a legitimate revenue source other than investor funds. Lee, who has been a prominent figure in the crypto asset space, has not yet appointed a defence attorney. The charges highlight ongoing concerns regarding the regulation and oversight of cryptocurrency investments and the potential for fraud within this space.
In 2023, the Australian Competition and Consumer Commission (ACCC) reported a significant rise in scam reports involving Booking.com, with Australians losing over USD 337,000. Fraudsters infiltrated some accommodation providers' Booking.com accounts, using them to send deceptive messages to guests. These scams involved phishing attempts, with criminals posing as properties, and tricking guests into providing personal and payment information through seemingly legitimate but fraudulent links and communications.
The ACCC noted a nearly 600% increase in such scam reports from the previous year, with 363 incidents linked to Booking.com. One victim shared her experience of being duped into providing credit card details, which were then used for fraudulent bookings worth approximately USD 25,000. Despite her bank refunding the stolen amount, the victim described Booking.com's response as unhelpful and disinterested.
Booking.com acknowledged the phishing attacks on its accommodation partners but maintained that its systems were secure and unaffected directly. The company has implemented measures to protect customers and partners, urging users to verify communications through direct contact with accommodation providers and to be cautious of sharing sensitive information.
The ACCC advises Booking.com users to be wary of phishing scams by verifying emails or messages independently and avoiding sharing financial details via unsecured channels. Despite Booking.com's efforts to mitigate the scam's impact, including enhancing customer and partner protection, the scam persists, affecting users globally.
Cybertrace has warned of a sophisticated deep fake video circulating on Facebook, featuring Australian mining magnate Andrew "Twiggy" Forrest endorsing a bogus crypto trading platform named "Quantum AI." This scam promises significant daily returns, exploiting Forrest's likeness and speech patterns from a legitimate Rhodes Trust event to lend credibility. The deep fake suggests potential earnings of USD 700 to 2,200 daily from a purportedly unparalleled trading software. This incident underscores the increasing sophistication of digital fraud in Australia, where losses to crypto scams topped USD 3 billion in 2022. This case mirrors a broader trend of using deep fakes and social engineering in scams, including fake Elon Musk streams that defrauded viewers of USD 165k.
China In:Review
In response to the challenges posed by the decentralised nature of cryptocurrencies and their use in money laundering, China plans to amend its Anti-Money Laundering (AML) regulations to explicitly include cryptocurrency-related transactions. Despite a blanket ban on crypto use since 2021, technological advancements have enabled mainland users to circumvent restrictions, prompting calls for tighter scrutiny of the crypto industry. Prime Minister Li Qiang led a State Council meeting on 22 January to discuss the revisions, marking the first significant update to China's AML laws since 2007. The revised draft, proposed initially in 2021, is part of the State Council's legislative agenda for 2023 and is expected to be enacted by 2025. Experts, including Peking University Law School professor Wang Xin, highlighted the draft's broad scope and the need for clearer definitions and operational guidelines on handling digital assets involved in money laundering. The update aims to address the gap in current regulations and improve China's ability to combat digital asset-related money laundering activities.
Hong Kong In:Review
Hong Kong's privacy watchdog has conducted raids on six premises associated with Worldcoin, a cryptocurrency venture co-founded by OpenAI CEO Sam Altman, due to concerns over the collection of iris scans for identification purposes. This action follows similar investigations in other jurisdictions, prompted by worries that such biometric data collection could compromise personal information. Worldcoin, which boasts over 3.2 million sign-ups globally, offers users digital identification and free cryptocurrency in exchange for scanning their irises with a device named the Orb. The Office of the Privacy Commissioner for Personal Data in Hong Kong launched a proactive investigation without any specific complaints, focusing on compliance with the Personal Data (Privacy) Ordinance. The investigation aims to ascertain the extent of local participation, the consent obtained for biometric data, and the overall management of such data. Worldcoin, facing international scrutiny, asserts its commitment to regulatory compliance and data protection, ensuring the deletion of verification data by default. The company's approach to biometric identification, particularly through iris recognition, has raised questions about the legality, purpose, and security of collecting sensitive personal information.
Hong Kong is advancing regulations for stablecoins, with significant interest from companies like Harvest Global Investments Ltd., RD Technologies, and Venture Smart Financial Holdings Ltd., which are in talks with the Hong Kong Monetary Authority (HKMA) about participating in regulatory sandbox trials. These trials aim to set supervisory standards for stablecoins, digital tokens typically pegged to fiat currencies and backed by cash and bond reserves. The consultation on stablecoin regulations initiated by the HKMA and the Financial Services and the Treasury Bureau reflects a broader effort to manage the $136 billion stablecoin segment of the $1.7 trillion digital asset market. The move comes amidst concerns over the stability and transparency of stablecoins, highlighted by chaotic crashes and the lack of clarity regarding reserves. Global jurisdictions, including the European Union, Japan, Singapore, Dubai, and now Hong Kong, are striving to regulate the sector to mitigate risks while fostering digital asset innovation. The outcome of Hong Kong's consultation and the start of the sandbox trials remain uncertain, as does the participation of interested firms. The regulatory efforts aim to balance investor protection with the potential for stablecoins to facilitate crypto trading, lending, and potentially broader payment applications.
Hong Kong is poised to introduce a consultation on a regulatory framework for over-the-counter (OTC) crypto trading platforms amid rising concerns over fraud risks. Christopher Hui, the Secretary for Financial Services and the Treasury, emphasized the necessity of regulation, noting the involvement of OTC venues in fraud cases related to unlicensed virtual asset (VA) trading platforms. This initiative follows the launch of Hong Kong's crypto licensing regime in June 2023, which has already granted licenses to two platforms, HashKey and OSL. With a transitional period in place, existing platforms are required to apply for licenses by 29 February, as the Securities and Futures Commission gears up for enforcement actions. Additionally, the Hong Kong Monetary Authority (HKMA) and the Financial Services and the Treasury Bureau have proposed that stablecoin issuers in Hong Kong must obtain a license, with consultations ending this month. Plans for a regulatory sandbox to explore stablecoin issuance further underscore Hong Kong's commitment to integrating stablecoins into the digital payment ecosystem, emphasising the importance of stability in these digital assets as they become more intertwined with traditional finance.
Hong Kong's Financial Services Department has issued a strict warning to unlicensed virtual asset service providers (VASPs), mandating that they cease operations by 31 May 2024 if they do not secure the necessary licensing. This directive aligns with the government's firm regulatory stance on virtual assets, aimed at ensuring risk-based and prudent management within the sector. As the deadline for license applications was set for 29 February 2024, this move underscores the principle of "same activity, same risk, same regulation," focusing on mitigating risks related to investor protection and the prevention of money laundering and terrorist financing.
Only two licensed platforms are currently authorised to offer trading services in Bitcoin (BTC) and Ethereum (ETH) to retail investors. These platforms are under the rigorous oversight of the Securities and Futures Commission (SFC), highlighting the commitment to investor protection. VASPs in operation prior to the licensing regime were granted a transitional period to apply for licenses. Those failing to apply by the deadline, or who are deemed non-compliant, must shut down by the specified date in 2024.
India In:Review
India's Finance Minister Nirmala Sitharaman did not address the digital asset industry's requests for reduced taxation in the interim Budget 2024-25, presented on 01 February. The budget precedes the formation of a new government after upcoming elections, with the Web3 industry hopeful for favorable changes in the subsequent budget expected in July. Currently, India imposes a 30% tax on digital asset income and a 1% tax deducted at source (TDS) on digital asset trades exceeding INR 10,000 (USD 120), with no provision for offsetting losses against gains. Additionally, a penalty equal to TDS for non-deduction, 15% annual interest for late payments, and possible imprisonment for up to six months were introduced in 2023 for non-compliance.
The industry has requested a reduction of TDS to 0.01%, the ability to offset losses, and equitable treatment of virtual digital assets (VDAs) income. Despite the absence of tax adjustments in the interim budget, optimism remains for comprehensive crypto regulations and improved tax policies in the forthcoming full budget. Amidst efforts to regulate the digital asset space, India has taken actions against overseas exchanges for non-compliance with anti-money laundering norms, underscoring its cautious yet evolving approach towards embracing digital assets while aiming for a developed nation status by 2047.
A significant data breach, reported by Indian cybersecurity firm CloudSEK, has compromised the personal information of 750 million Indian citizens, nearly 85% of the country's population. This breach, the largest of its kind to date, includes sensitive data such as names, mobile numbers, addresses, and the unique 12-digit Aadhaar card numbers. The compromised database, which pertains to mobile network subscribers across multiple countries, poses grave privacy and security risks, especially for Indian users due to the inclusion of Aadhaar numbers, heightening the threat of identity theft, financial fraud, and cybercrime. The data, now being sold on platforms like Telegram and Breach Forums for USD 3,000, originated from a 1.8TB collection compressed to 600GB. CloudSEK's investigation indicates major telecom providers are affected, with two cybercrime groups, CYBO CREW-affiliated CyboDevil and UNIT8200, actively selling the data. The magnitude of this breach underscores the urgent need for telecom providers and the government to strengthen security measures and for individuals to remain vigilant against potential phishing attempts and monitor their accounts closely. CloudSEK has alerted impacted entities and authorities about the breach, advising users to take preventive actions to secure their information.
Korea In:Review
South Korea is grappling with a significant rise in crypto-powered drug trading, leading to widespread concern over public spaces being used for "dead drops" of narcotics. A recent report highlights instances where individuals stumbled upon drugs, including methamphetamine and cannabis, hidden in various locations such as hills, mailboxes, and even under doorknobs in public areas. The trend involves dealers using Telegram for communication and cryptocurrencies for transactions, facilitating anonymous and untraceable drug sales to buyers, including teenagers. Dealers typically hide drugs in accessible public spots, directing buyers via messages to retrieve them. This method has led to accidental discoveries by the public and intensified police efforts to combat the distribution network, which now spans "almost all everyday spaces" according to law enforcement observations.
The epidemic has also penetrated the military, with reports of drug deals occurring within army bases. The Ministry of Defence is tightening measures by introducing drug tests for conscripts. Legal responses have become more stringent, with a crypto-powered drug dealer recently receiving a seven-year jail sentence in Busan, indicating the seriousness of the issue and the government's commitment to addressing this new challenge in drug trafficking.
Singapore In:Review
In Singapore, there has been a notable increase in crypto wallet drainer attacks, facilitated through sophisticated phishing campaigns and the exploitation of smart contracts. Criminals use Drainer-as-a-Service software to gain unauthorised access to victims' cryptocurrency funds by enticing them to click on malicious links, then tricking them into connecting their wallets and authenticating with private keys on fraudulent websites. The final step involves victims interacting with a deceptive smart contract, purportedly to claim free tokens, which ultimately allows hackers to drain their assets. These stolen funds are often sent to crypto mixers to obfuscate their origin, making recovery efforts challenging.
Crypto security firms have raised alarms over the growing prevalence of such malicious applications, with communities dedicated to wallet drainers expanding rapidly. For instance, a Solana wallet drainer community reportedly had over 6,200 users. The year 2024 has already seen $77 million lost to crypto scams. High-profile incidents include the compromise of multiple accounts owned by Ripple Labs CEO, Chris Larsen, and a sophisticated supply chain attack on Ledger Connect Kit users, where a malicious payload was injected into a software component to gain access to decentralised applications linked to users' wallets. Additionally, SIM-swap attacks remain a significant threat, with criminals manipulating mobile operators to hijack victims' mobile numbers, facilitating access to crypto applications and leading to substantial financial thefts.
Best of the Rest
The Metropolitan Police in London seized over GBP 1.4 billion worth of bitcoin linked to a substantial investment fraud originating from China, marking one of the largest cryptocurrency seizures globally. The seizure was disclosed during the trial of Jian Wen, 42, accused of laundering bitcoin for her ex-employer, Yadi Zhang, an alleged fugitive from Beijing. The UK police recovered more than 61,000 bitcoin from devices in a safety deposit box and a property shared by Wen and Zhang in 2018, with the total value reaching approximately GBP 1.4 billion by July 2021. Zhang, real name Zhimin Qian, is accused of defrauding over 128,000 investors out of roughly GBP 5 billion between 2014 and 2017, subsequently converting the stolen funds into bitcoin and fleeing to London under a false identity. While Wen is not implicated in the fraud itself, she faces charges for allegedly assisting Zhang in converting the bitcoin into cash, jewellery, luxury items, and property, fully aware that these were proceeds of crime. The trial reveals Wen's attempts to purchase a GBP 12.5 million London property for Zhang and highlights her previous work in Chinese takeaway restaurants before meeting Zhang in 2017. The trial is ongoing.
I hope you find Risk In:Review informative and helpful.