Risk In:Review #70 - 01 September 2024
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Keep updated with the latest news and insights by clicking on subscribe .
Perspectives
This week’s Perspectives focuses on three key stories from across Asia Pacific: the explosive growth of crypto ATMs in Australia, the alarming rise of deepfake scams in Japan, and Hong Kong's ambitious steps towards a tokenised financial market through its wholesale central bank digital currency (wCBDC) sandbox.
Australia has seen an unprecedented surge in crypto ATM installations, increasing 17-fold in just two years. With 1,162 machines now in operation, the country ranks third globally, although it still lags behind the United States and Canada.
This boom has not come without concerns. The cash-to-crypto industry in Australia has reportedly processed at least USD 160 million in illegal transactions since 2019. The rapid expansion of crypto ATMs has drawn the attention of regulators and law enforcement, who are worried about their potential misuse for money laundering and other illicit activities.
Meanwhile, Japan is grappling with a different but equally concerning issue: the rise of deepfake technology in scams.
Historically, the complexity of the Japanese language offered a natural barrier against certain types of fraud, but advancements in generative AI have reduced this protection. Deepfake incidents have skyrocketed, with Japan seeing a 28-fold increase last year alone.
These sophisticated scams, which can manipulate video, audio, and images to create highly convincing fake content, are challenging traditional security measures and necessitating new approaches to detection and prevention.
Finally, in contrast to these challenges, Hong Kong is positioning itself at the forefront of financial innovation with the launch of its wCBDC sandbox, a critical step towards integrating tokenised assets into its financial system.
The sandbox, part of the Hong Kong Monetary Authority's (HKMA) Project Ensemble, brings together major financial institutions and fintech companies to explore the potential of tokenisation across various sectors, including liquidity management and green finance.
This initiative underscores Hong Kong's commitment to remaining a global leader in digital finance and sets the stage for broader adoption of digital assets in international markets.
While innovations like crypto ATMs and wCBDCs offer unprecedented opportunities for efficiency and growth, they are also introducing new risks that require effective regulation and adaptive risk management strategies. As these trends continue to unfold, the need for robust frameworks to safeguard against misuse while fostering innovation will become more pressing.
This Week In:Review
Australia
China
Hong Kong
India
Korea
Best of the Rest
Australia In:Review
The Commonwealth Bank of Australia (CBA) and Telstra have expanded their Scam Indicator technology to include landline phones, broadening the reach of their anti-scam efforts.
Initially launched for mobile phones in late 2023, the Scam Indicator uses sophisticated algorithms to detect potential scam calls in real-time, allowing CBA to take immediate action to prevent fraud.
This includes placing holds, blocking transactions, and sending real-time alerts to customers through platforms like the CommBank app or NetBank.
The extension to landlines increases the potential coverage of the Scam Indicator by 25%, addressing the significant use of landlines among older Australians. Despite a decline in landline connections overall, over 85% of residential landlines are still registered to Australians over 60. This demographic was the hardest hit by scammers in 2023, losing over AUD 121 million.
The technology was co-developed by CBA and Quantium Telstra, a joint venture between Telstra and data science firm Quantium. The expansion aims to protect vulnerable community members, with recent successes including preventing a customer from losing AUD 70,000.
Australia has experienced a dramatic surge in the number of crypto ATMs, with installations increasing 17-fold over the past two years. The country now ranks as the third-largest market for crypto ATMs globally, boasting 1,162 machines as of August 2024, up from just 67 in August 2022, according to data from Coin ATM Radar.
This rapid expansion includes the addition of 160 ATMs since April 2024, marking Australia as one of the fastest-growing markets in the sector.
Despite its growth, Australia’s share of the global crypto ATM market remains modest at 3%, far behind the United States, which dominates with over 82% of the market, and Canada, which holds 7.8%.
However, this boom has raised concerns among law enforcement and regulators, particularly regarding the potential use of these ATMs for money laundering and other illicit activities.
TRM Labs, a blockchain intelligence firm, highlighted that Australian authorities have identified crypto kiosks as a significant money laundering risk. Since 2019, the cash-to-crypto industry has processed at least USD 160 million in illicit transactions, with scams and fraud accounting for the majority of these volumes.
Some regions have responded by cracking down on crypto ATMs. For instance, Germany’s financial regulator recently seized 13 machines, and the United Kingdom’s Financial Conduct Authority significantly reduced the number of active machines in the country by removing 26 unlicensed units.
Australians have lost an alarming AUD 180 million to cryptocurrency-related investment scams over the past year, according to a recent warning from the Australian Federal Police (AFP). This figure represents nearly half of the total AUD 382 million lost to all investment scams during the 2023-24 financial year, highlighting the growing threat in the digital investment space.
Contrary to the common belief that older individuals are the primary targets of such scams, the AFP revealed that 60% of victims are under the age of 50, indicating that younger Australians are increasingly at risk.
Scammers have adopted sophisticated tactics, including "pig butchering"—a method where victims are groomed over time before being scammed—and the use of deepfake technology to deceive their targets.
Common tactics used by crypto scammers in Australia include fake trading apps, fraudulent trading platforms and wallets that steal access credentials, and bogus tokens or investments.
In response to these threats, the Australian Securities and Investments Commission (ASIC) has been active in combating these scams, taking down 615 fraudulent crypto investment sites in the past year and removing over 7,330 phishing sites since July 2023.
Investment scams remain the most prevalent form of fraud in Australia, with total damages surpassing AUD 1.3 billion in 2023. The AFP has urged the public to exercise caution, especially with investments that seem overly attractive, and to be wary of high-pressure schemes that demand cryptocurrency payments.
China In:Review
Yang Bin, once China’s second-richest man according to Forbes in 2001, has been sentenced to six years in prison in Singapore for orchestrating a fraudulent cryptocurrency investment scheme.
Yang, a Chinese-Dutch national, was also fined SGD 16,000 for leading a multi-million-dollar Ponzi scheme under the guise of a crypto investment operation.
Yang founded A&A Blockchain Innovation in April 2021 without a valid work permit and falsely claimed that the company owned 300,000 cryptocurrency mining machines that could deliver daily returns of 0.5% to investors.
In reality, these machines did not exist, and Yang used funds from new investors to pay earlier ones, typical of a Ponzi scheme. The fraudulent operation attracted over 700 participants who invested around USD 5 million between May 2021 and February 2022.
Yang pleaded guilty to eight charges, including conspiracy to cheat and operating without a valid work permit. The deputy public prosecutor, Wong Shiau Yin, underscored Yang’s critical role in the scheme and the absence of restitution for the victims.
District Judge Brenda Chua highlighted Yang’s significant culpability, noting that his co-accused, Wang Xinghong, who developed an app to fake investment returns, is still facing legal proceedings.
Yang, previously involved in China’s textile industry, had a controversial past, including a 2002 appointment by North Korea to oversee the Sin?iju Special Administrative Region’s economic development, before being placed under house arrest by Chinese authorities on tax evasion charges later that year.
Feixiaohao, a prominent cryptocurrency market data and news provider in China, is reportedly under investigation by local authorities in Inner Mongolia.
According to cryptocurrency journalist Colin Wu, several key executives from Feixiaohao have been arrested as part of an ongoing investigation that has been underway for over six months. The reasons for the investigation remain unclear, and attempts by partners to contact the company have reportedly been unsuccessful.
Feixiaohao, launched in August 2017, has been a major platform for tracking cryptocurrency market data in simplified Chinese, often referred to as the Chinese equivalent of CoinGecko. Despite the uncertainty surrounding the investigation, the platform continues to publish new articles, with the latest updates appearing as recently as 30 August 2024.
The investigation into Feixiaohao comes amidst China’s stringent stance on cryptocurrency, following the "great Bitcoin ban" enforced by the People's Bank of China (PBoC) in September 2021. Despite these restrictions, Feixiaohao has maintained a significant user base, with approximately 200,000 monthly visits as of July 2024, 23% of which came from China.
The ongoing investigation raises questions about the legal status of providing cryptocurrency information services in mainland China, especially given the continued operation of other crypto-related media channels in the country.
Hong Kong In:Review
Hong Kong’s de facto central bank, the Hong Kong Monetary Authority (HKMA), has launched a sandbox for wholesale central bank digital currency (wCBDC) as part of its ongoing efforts to integrate tokenised money into digital asset transactions.
This initiative, known as Project Ensemble, was introduced five months after its announcement to facilitate seamless interbank settlements using wCBDC.
The sandbox has engaged 25 participants in its first experimental round, including major financial institutions such as HSBC, Standard Chartered, and Bank of China (Hong Kong), as well as fintech companies like Ant Group and cryptocurrency exchange HashKey Group.
These participants will test use cases across four key themes: fixed income and investment funds, liquidity management, green and sustainable finance, and trade and supply chain financing. The aim is to explore the scalability and interoperability of tokenised assets within Hong Kong’s financial system.
Eddie Yue Wai-man, CEO of HKMA, emphasised the potential of tokenisation to make financial transactions more efficient, transparent, and cost-effective. The sandbox will allow participants to experiment with the four stages of a tokenised asset transaction: creation, trading, payment, and settlement using tokenised bank deposits and wCBDC for final interbank settlement.
Ant Group announced partnerships with HSBC and Standard Chartered to develop a global liquidity management solution using blockchain technology, enabling 24/7 real-time cross-border payments. Additionally, Ant Group is working on projects to tokenise real-world assets, such as electric vehicle charging stations, to enhance transparency and financing efficiency.
The HKMA, alongside the Securities and Futures Commission (SFC), is also working to establish a common industry benchmark for tokenisation and address challenges in financing the real economy. These efforts are part of Hong Kong’s broader strategy to solidify its position as an international finance hub and a leader in the issuance of digital assets.
The Hong Kong Monetary Authority (HKMA) has fined WeChat Pay Hong Kong Limited (WPHK) HKD 875,000 for breaching anti-money laundering (AML) regulations under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO). The penalty follows an investigation covering the period from 25 August 2016 to 24 October 2021, which revealed that WPHK lacked sufficient systems to comply with AML and counter-financing of terrorism (CFT) guidelines.
The HKMA identified two primary areas of deficiency: WPHK's failure to conduct adequate customer due diligence (CDD) reviews during trigger events and its insufficient application of enhanced due diligence in high-risk situations. These lapses exposed the platform to potential money laundering and terrorist financing risks.
In determining the penalty, the HKMA considered the seriousness of the violations, the importance of sending a deterrent message to the industry, the remedial actions taken by WPHK, the company's self-reporting, its cooperation with authorities, and its clean disciplinary record prior to this incident.
Raymond Chan, HKMA’s Executive Director of Enforcement and AML, stressed the necessity for stored value facility (SVF) licensees to apply effective enhanced due diligence measures in high-risk situations to manage associated financial risks properly.
This disciplinary action underscores the HKMA's commitment to maintaining the integrity of Hong Kong’s financial systems and serves as a stern reminder to all SVF licensees about the critical importance of robust AML and CFT controls.
India In:Review
Prime Minister Narendra Modi emphasised the need for India’s financial sector regulators to intensify efforts to curb cyber fraud and enhance digital literacy to support the growth of startups and fintech companies.
Speaking at the Global Fintech Fest in Mumbai, Modi highlighted that cyber fraud should not become a barrier to India’s fintech expansion, noting that 1.1 million cases of cyber fraud worth ?7,489 crore were reported in 2023, according to data presented in the Lok Sabha.
Modi affirmed the government's commitment to supporting the fintech sector through policy changes, such as the withdrawal of the angel tax, allocating ?1 trillion to encourage research and innovation, and implementing the Digital Personal Data Protection Act.
He pointed out that these initiatives, alongside the ongoing digital transformation, are key to improving the quality of life in India.
The prime minister also praised the impact of India’s fintech ecosystem in democratising financial services, making credit, loans, and insurance more accessible to the masses. He mentioned the PM SVANidhi scheme, which offers collateral-free loans to street vendors, as an example of how fintech is empowering small businesses through digital transactions.
Modi highlighted the significant role of the "Jan Dhan-Aadhaar-Mobile" trinity in shifting the nation away from a cash-dominated mentality, contributing to nearly half of the world’s digital transactions occurring in India. He noted the success of the Unified Payments Interface (UPI), which recorded approximately 131 billion transactions in FY24, and is now operational in seven countries outside India.
Reserve Bank of India Governor Shaktikanta Das, who also spoke at the event, noted that India now hosts approximately 11,000 fintechs, with the sector receiving around $6 billion in investments over the past two years.
Mudrex, a cryptocurrency exchange, has successfully obtained a court order from the Delhi High Court requiring India's Ministry of Communication to take down 38 websites that were fraudulently using the company’s name to carry out scams.
The judgement, issued on 23 August 2024, mandates the Ministry to comply within a week. Mudrex sought legal intervention after approximately 15 individuals reported being scammed, though the company estimates that as many as 1,000 retail investors may have been affected.
The scam involved fraudsters impersonating Mudrex employees on Telegram, luring victims with promises of rewards and work opportunities in exchange for tasks like writing Google reviews. These scammers also operated fake websites under the Mudrex name, soliciting investments from the public and collecting money illegally.
Mudrex initially filed a police complaint in Bengaluru on 23 March 2024, but as scams continued, the company decided to escalate the matter through the courts. Mudrex CEO and co-founder Edul Patel emphasized the need for a more formal approach, leading to the court order.
Patel also noted that the recent USD 234 million hack of another prominent Indian cryptocurrency exchange, WazirX, has heightened concerns among Indian retail investors. However, he expressed hope that Mudrex’s proactive steps to address scams would ultimately reassure investors rather than increase their apprehension.
Mastercard Incorporated (MA) has introduced its Payment Passkey Service globally, beginning with a pilot in India. This service aims to enhance online shopping security and convenience by integrating tokenised payment credentials with biometric authentication, streamlining the checkout process.
The pilot involves key players in the Indian payment ecosystem, including Juspay, Razorpay, and PayU, as well as major online merchants like bigbasket and leading banks such as Axis Bank. Following the pilot, Mastercard plans to roll out the service globally.
The Payment Passkey Service leverages industry standards from EMVCo, the World Wide Web Consortium, and the FIDO Alliance, using device-based biometric authentication methods like fingerprints or facial recognition.
This eliminates the need for traditional passwords or one-time passwords (OTPs), which are increasingly vulnerable to fraud. Instead, consumers can authenticate and complete transactions instantly by selecting their Mastercard at checkout.
Mastercard's move is timely, given the significant rise in digital transactions and the associated risks of online fraud, such as phishing and SIM swapping. The Reserve Bank of India's Annual Report for 2023-2024 highlighted a nearly 300% increase in fraud cases over the past two years, underscoring the need for more secure payment solutions.
This initiative is expected to strengthen Mastercard’s position in India, a rapidly growing digital market, and potentially increase revenues through higher utilization of its value-added services. In the first half of 2024, Mastercard saw a 17% year-over-year growth in this revenue segment, suggesting a strong demand for such innovations.
Korea In:Review
South Korean police have apprehended 14 individuals involved in a fraudulent cryptocurrency mining scheme that defrauded victims of USD 12.1 million. The scheme, led by a suspect identified only as "Mr. A," operated from November 2021 to June 2022, promising investors an 18% monthly return on investments in a fake crypto mining business.
The investigation was initiated following 21 complaints from across the country, which led to the arrest of Mr. A and three accomplices in September 2023. However, Mr. A evaded authorities by failing to appear at a pre-trial detention hearing, prompting a 10-month manhunt.
To avoid detection, Mr. A underwent extensive plastic surgery, including eyelid, nose, and facial contouring procedures, costing around USD 15,900.
Despite his efforts to alter his appearance and evade capture - using multiple burner phones, changing residences frequently, and laundering his proceeds through cryptocurrency - Mr. A was finally apprehended in July 2024.
During the investigation, police confiscated approximately USD 75,500 in cash and seized assets valued at around USD 982,000 from Mr. A’s hideout.
Hyung-soo "Hugo" Lee, the CEO of the South Korean cryptocurrency platform Haru Invest, was stabbed in the neck during his fraud trial on Thursday. The attack occurred in a Seoul courtroom where Lee was testifying. He was rushed to the hospital with injuries that, fortunately, were not life-threatening.
The attacker, identified as 51-year-old Mr. Kang, allegedly smuggled a knife into the courtroom. He waited until Lee was on the stand before rushing at him and stabbing him multiple times. Lee collapsed, bleeding, while Kang was quickly apprehended by the Seoul Yangcheon police on charges of attempted murder.
The police are investigating Kang's motives, with some media sources speculating that he might have been a victim of Haru Invest's platform, though this has not been confirmed.
Haru Invest was known for offering high-yield cryptocurrency investment products. However, like many companies in the lightly regulated crypto industry, it ran into significant financial troubles, leading to allegations of severe mismanagement.
In June 2023, the platform froze all withdrawals, citing issues with a service partner and the need to protect users' assets. The freeze, which came as a shock to investors, has been a point of contention and distress among its users.
Reports indicate that Haru Invest had advertised its investment strategies as risk-free arbitrage, suggesting a diversified approach. However, it was later revealed that 70 to 90 percent of its assets were concentrated with a single investor known as Bang, who has been connected to the collapse of another crypto platform, Delio, and has since been arrested.
Best of the Rest In:Review
The use of deepfakes by fraudsters has surged in Japan, eroding the protective advantage once afforded by the language barrier. Data from Sumsub, a British identity verification service, indicates that the number of deepfake cases in Japan increased 28-fold last year, marking the fifth-largest rise among 224 tracked economies.
In the first quarter of 2024, scams in Japan nearly doubled compared to the same period the previous year.
Deepfakes involve the creation of deceptive videos, photos, or audio recordings using advanced digital technology. These are often employed for fraudulent purposes, including financial scams that target victims through seemingly legitimate content.
A notable example from November 2023 involved altered footage of a Japanese TV news segment that encouraged viewers to register with a fraudulent investment site.
Historically, Japan had a relatively low success rate for scams, partly due to the complexity of the Japanese language. However, generative AI now allows scammers to produce media with near-native fluency in Japanese, removing this barrier.
The increase in phishing emails and other text-based scams also reflects this shift, with Japan experiencing the highest rise in such reports last year, according to US cybersecurity firm Proofpoint.
Tools that generate artificial audio in multiple languages are becoming accessible to fraudsters via platforms like Telegram, though their precision remains uncertain. The risks associated with deepfake technology are significant. For instance, a UK-based company was scammed out of USD 25.6 million during a fake video call.
Japanese authorities are responding to this threat. The National Institute of Informatics in Tokyo has developed a program to detect deepfake facial images, with plans to release a version that can identify deepfake audio later this year.
Malaysian authorities have dismantled a significant cryptocurrency scam operation targeting Japanese nationals, resulting in the arrest of 21 individuals during coordinated raids on two luxury properties in Kuala Lumpur on 19 August 2024.
The Royal Malaysia Police (PDRM) led the operation, apprehending suspects that included 16 Chinese nationals, a woman from Laos, a Hong Kong resident, a man from Myanmar, and one Malaysian.
The fraudulent scheme lured victims through popular dating platforms such as Tinder and Monsters, convincing them to invest in fake cryptocurrency opportunities via fraudulent apps like Bitbank and CoinCheck.
The operation had been active for about a month and was carefully concealed in bungalows protected by tall fences in remote areas to avoid law enforcement detection.
During the raids, authorities seized 55 phones, 17 computers, and various other electronic devices used to perpetrate the scam. While the local suspect was released on police bail after his remand ended on 25 August, the other 20 individuals remain in custody. The investigation is ongoing under Section 420 of the Penal Code, which addresses cheating and fraud.
I hope you find Risk In:Review informative and helpful.