Regional Report – Asia: India struggles on outsourced AML, Hong Kong fraudsters impersonate banks, Japan regulator reduces onsite exams

The Skinny:

  • In this regional snapshot, Asia is in the spotlight, reviewing how several key powers have worked to counter a global pandemic while not losing ground to criminals, fraudsters and cyber hackers.
  • India, one of the world’s compliance outsourcing capitals, has seen its AML community rush to adapt to working from home – potentially losing the trust of large international banks – and straight into the jaws of rising cyber risks.
  • In Hong Kong, fraudsters and phishermen attempt to impersonate banks in scam, spam blasts.
  • The Land of the Rising Sun, Japan, has stated banking regulators will perform fewer onsite AML exams to protect banks and themselves in a nod to social distancing protocols, choosing instead to focus on banks with checkered pasts.

By Brian Monroe
bmonroe@acfcs.org
April 30, 2020

With much of Asia being in propinquity to the epicenter of the coronavirus pandemic, regional powers are under even more pressure and scrutiny to counter the spread of COVID-19 while not losing ground to rising fraud, money laundering and cyber threats.

Overall, more than 200 countries and territories around the world have reported a total of nearly 3.4 million confirmed cases of the coronavirus COVID-19 that originated from Wuhan, China, and a death toll of 239,443 deaths, according to Worldometer.

Countries, including India, Hong Kong and Japan, have different histories, ideologies, capacity and resources, but are united in a fight against a common relentless enemy. Here are some snapshots about how they are responding related to financial crime and compliance:

India: One of the world’s compliance outsourcing capitals must adapt to working from home, rising cyber risks

India and its financial crime fighting teams have faced a bevy of challenges when attempting to balance compliance in a time of coronavirus – issues that have touched many large global banks due to outsourced anti-money laundering (AML) duties.

The country, with a population of more than 1.3 billion, currently has the largest national COVID-19 lockdown in the world, and it faces some daunting hurdles when it comes to AML compliance, countering a rise in fraud and phishing fusillades and girding cyber defense gaps.

Overall, India coronavirus cases have reached nearly 35,000, with a death toll at more than 1,100, according to Worldometer.

But India uniting against the pandemic, and bolstering fincrime compliance, must do so against a panorama of “diverse states, health inequalities, widening economic and social disparities, and distinct cultural values,” according to media reports.

With so many people working from home, large and small business alike, banks requesting digital details for identifications and transactions and even food and essentials ordered online, that opens the door to criminals breaching systems and stealing data along with individuals accidentally clicking on a diseased link.

“There’s going to be some compromise in security because of digitalization. The numbers of phishing cases have increased immensely in India, with lots of frauds happening around this time masked as Covid19 threats,” said the Global Cyber Security practice, Co-Leader & Partner, KPMG India, Akhilesh Tuteja, as part of a conference on these issues.

The COVID-19 crisis has also “exposed a lot of unfamiliar reliance on globalization and outsourcing – including regulatory compliance,” according to Forbes.

This has directly impacted the ability for some Indian firms to continue taking on out-sourced duties tied to AML and other regulatory requirements, with some financial institutions turning to technology and artificial intelligence firms to bridge the gap in human capital.

With India on a severe lockdown, banks that had outsourced a lot of their compliance work to India “find it can’t be done — the staff can’t go into the office and often the internet is too weak to support work from home.”

The move by Prime Minister Narendra Modi to impose a lockdown March 22 across most of India poses a significant challenge for banks such as JPMorgan Chase & Co., UBS Group, Deutsche Bank and others as well as India’s US$181 billion (S$263 billion) outsourcing industry that “handles everything from trade settlements to airline reservations for British Airways and insurance claims,” according to Bloomberg.

In response to the pandemic, the Reserve Bank of India (RBI), the country’s top financial regulator, took a “number of steps” starting in March, requiring institutions to bolster operational resilience, according to the agency.

“Banks have been required to put in place business continuity plans to operate from their disaster recovery (DR) sites and/or to identify alternate locations for critical operations so that there is no disruption in customer services. Our data show that there was no downtime of internet or mobile banking,” RBI stated April 17th in a governor’s statement.

“As a result, the payment infrastructure is running seamlessly,” RBI said.

Hong Kong: In grip of pandemic, fraudsters, phishermen attempt to impersonate banks in scam, spam blasts

Cognizant of the rise in fraud and cyberattacks, and the general challenges for AML compliance professionals, the Hong Kong Monetary Authority (HKMA) has offered guidance in a bevy of areas, including customer identification and risk ranking at a distance, streamlining due diligence efforts, and more, according to legal analysts.

But that is just the tip of the iceberg for pandemic-related issues for Japan’s financial sector, where criminals are aggressively trying to dupe scared and anxious individuals and corporates.

In recent weeks, Hong Kong has been dealing with an explosion of fraudulent banking websites, in some cases tied to a dedicated phishing attack, attempting to take advantage of consumers desperate to withdraw and move money – for themselves or others, according to the HKMA.

Some of the banks being impersonated by fraudsters include many of the largest in Asia:

  • Bank of China (Hong Kong)
  • Phishing email, CTBC BANK
  • Fraud site, phishing texts, emails related to The Hongkong and Shanghai Banking Corporation Limited
  • Fraud site, Bank of Singapore
  • Phishing email, Bank of Taiwan
  • Fraudulent website related to Hang Seng Bank, Limited
  • Fraud site, China CITIC Bank

As for how banks should respond to these and other COVID-19 related challenges, the regulator in this round focused on laying out guidelines for authorized institutions, such as banks, and prepaid card and related operations, referred to as stored value facility (SVF) licensees.

The HKMA has stated in two circulars it does not expect a “zero failure” outcome from AIs and SVF licensees in AML programs and finding and reporting on every instance of money laundering (ML) or terrorist financing (TF).

The circulars can be accessed here and here

Some key points include:

Remote on-boarding, simplified due diligence

Authorized Institutions:

  • AIs are encouraged to work closely with the HKMA during this period to provide greater convenience (e.g. through use of financial technology) for account opening (e.g. remote account opening) and continued access to essential banking services to the public.
  • To help AIs adapt to COVID-19 containment measures, e.g. social distancing, simplified due diligence measures can be applied to customer on-boarding and account opening for customers that pose lower ML and TF risks. 
  • For customers opening accounts solely for the purpose of the Government’s (recently announced) cash payout scheme, AIs should apply the minimum level of customer due diligence appropriate in the circumstances.

SVF licensees:

  • SVF licensees may conduct customer due diligence measures which are commensurate with the lower risks posed by SVF products based on their stored values, transaction limits and functions.
  • SVF licensees are, similarly, encouraged to work closely with the HKMA to provide greater convenience for account opening and continued payment services to the public.

COVID-19 financial crime risks

  • AIs and SVF licensees should remain vigilant to emerging ML and TF risks (e.g. face mask scams). Such risks should be mitigated through information sharing and by reporting suspicious transactions to the Joint Financial Intelligence Unit (JFIU).  If an AI or SVF licensee encounters issues in reporting to the JFIU, the matter should be discussed with the HKMA (and the JFIU) without delay.

Ongoing support from the HKMA

  • Given the current challenges AIs and SVF licensees are facing, maintaining normal operations of AML/CFT systems may not be achievable in all cases. Where the AI or SVF licensee is unable to meet a particular obligation in the short-term, it should maintain a record of the circumstances, the risk assessment performed as well as any mitigation measures being taken.

Japan: Regulators to perform fewer onsite exams, with focus on banks with checkered pasts

Japan’s top banking regulator has taken a unique tack, and rather than just laying out what financial institutions should do to better manage rising AML, operational and cyber risks during the pandemic, it also helped take the pressure off in a very profound and direct way: fewer on-site exams.

The Bank of Japan, the country’s central bank, stated in a message to the financial sector it is prioritizing AML and cyber risks, and is exhorting institutions to be wary of a rising tide of fraud and ill-gotten gains, but will ensure compliance without as many rigorous onsite visits.

“With regard to operational risk, the Bank will examine, for example, the status of frameworks for cybersecurity management and anti-money laundering controls, both of which have gained importance,” according to the regulator.  

As for onsite exams, they will take place in 2020, but with a much narrower scope.

“Taking into account the recent situation regarding the novel coronavirus and with a view to preventing the spread of the infection, [the Bank] will take necessary measures in conducting on-site examinations while giving the utmost consideration to the situation faced by examinee institutions.”

As well, for globally operating major financial institutions, major group companies, including their overseas branches and subsidiaries, they will be subject on-site examinations “as necessary,” the Bank of Japan said.

What’s more, the focus will be on institutions that have had high-profile financial crime compliance failures.

“Taking into account the administrative burden on branches, [the Bank] will not conduct examinations aimed at confirming operational accuracy except in the case of financial institutions that have particular problems, such as incidents of fraud or accidents in business operations.”