Risk In:Review #78 - 17 November 2024
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Keep updated with the latest news and insights by clicking on subscribe.
Perspectives
This week’s Perspectives reflects on three headlines – two stories pertaining to increased regulatory focus on ‘duty of care’, and one story that highlights the increasing friction between banks and the technology companies engaging with the payments ecosystem.
Turning first to Australia, the country is set to implement pioneering online safety legislation that will require social media platforms to proactively address foreseeable risks, ranging from youth mental health crises to illegal content dissemination. The “Digital Duty of Care” framework places the onus squarely on platforms to adopt safety-by-design measures.
While this positions Australia as a leader in safeguarding against digital harms, critics fear that barring users under 16 from platforms like TikTok and Instagram could reduce incentives to create safer environments. However, the industry group DIGI supports the initiative, citing its members' commitment to safety.
In the same vein, Singapore’s new Shared Responsibility Framework for minors' bank accounts will provide for robust security measures, such as real-time alerts and transaction limits tailored for the accounts of minors.
Aligning with the Monetary Authority of Singapore’s (MAS) broader strategy for consumer protection, this initiative underscores the city-state's commitment to secure financial inclusion. Frameworks like OCBC’s youth-centric bank accounts reflect an emphasis on combining education with security, fostering financial literacy from a young age.
It is likely that similar regulatory frameworks will emerge across Asia Pacific, as governments and regulators look to safety-by-design to mitigate online and banking risks to minors.
Lastly, CBA CEO Matt Comyn’s critique of Apple underscores mounting tensions between banks and tech giants. His calls for levies and competitive scrutiny of Apple’s NFC policies bring into focus the challenges of regulatory parity in the payments ecosystem.
The slow legislative progress in addressing these tensions adds complexity, suggesting that this debate will remain a persistent issue for regulators and the broader fintech sector.
This Week In:Review
Australia
China
Hong Kong
India
Korea
Singapore
Best of the Rest
Australia In:Review
Australia is set to mandate that social media platforms address online harms such as bullying, predatory behaviour, and harmful algorithm-driven content, Communications Minister Michelle Rowland announced on 16 November 2024.
Under proposed amendments to the Online Safety Act, the “Digital Duty of Care” framework will require digital platforms to proactively mitigate foreseeable risks to users’ safety.
The legislation, informed by safety-by-design principles, will target issues including youth mental health, harmful practices, and illegal activities. Companies will be obligated to adapt continually as technologies evolve. While no timeline for Parliament introduction or breach penalties has been disclosed, the approach aligns with regulations in the UK and EU.
Critics fear that barring users under 16 from platforms like TikTok and Instagram could reduce incentives to create safer environments. However, the industry group DIGI supports the initiative, citing its members' commitment to safety.
Digital media expert Belinda Barnet called the duty of care “pioneering,” emphasising its potential to shift responsibility to platforms for the content they host.
The legislation aims to tackle rising social media-linked issues such as suicide and eating disorders, making Australia a global leader in online safety governance.
Commonwealth Bank of Australia (CBA) CEO Matt Comyn has called for greater regulatory oversight of Apple and other large technology firms, accusing them of "free-riding" on Australian banks' investments.
Speaking at the ASIC Annual Forum on 16 November 2024, Comyn advocated for a levy on tech companies akin to those imposed on banks, as well as a competitive review of Apple’s control over its iPhone’s NFC (near-field communication) chips used for payments.
Comyn accused Apple of limiting functionality for bank apps while profiting from tap-and-go payments, earning a fraction of every AUD 100 processed. He also highlighted Apple's minimal tax contributions in Australia compared to the full 30% paid by CBA.
Comyn argued the Australian Competition and Consumer Commission (ACCC) should scrutinise Apple’s terms for NFC access, which are subject to strict confidentiality agreements.
Comyn criticised delays in passing legislation to empower the Reserve Bank to oversee tech platforms' payment systems. He also accused Macquarie Bank of avoiding its fair share of payment infrastructure costs while targeting profitable customer segments.
Comyn's comments follow long-standing concerns over tech giants' competitive practices and echo frustrations over the slow regulation of financial services like buy now, pay later systems.
China In:Review
After a prolonged three-year wait, Qiantang Credit Rating, a firm backed by Ant Group, has received approval from the People's Bank of China (PBOC) to operate personal credit-reporting services.
This makes Qiantang the third agency in China licensed to collect credit data on individuals. The licence, effective through November 2027, was announced on 18 November 2024.
Qiantang, based in Hangzhou, Zhejiang province, applied for the licence in November 2021. The joint venture is 35% owned by state-owned Zhejiang Tourism Investment Group and 35% by privately-held Ant Group, with registered capital of CNY 1 billion.
The approval follows Ant’s extensive restructuring into a financial holding company after its record-breaking USD 34 billion IPO was halted in 2020.
This move aligns with the PBOC's efforts to encourage private sector involvement in credit services, supplementing its own Credit Reference Centre. The licence will allow Qiantang to target individuals and small businesses, a key area of focus in China’s evolving financial landscape.
Daren Li, a dual citizen of China and St. Kitts and Nevis, has pleaded guilty to conspiracy to commit money laundering in connection with a USD 73.6 million cryptocurrency scam. The 41-year-old admitted to laundering funds from crypto investment scams using a network of shell companies and international bank accounts, according to the US Department of Justice.
Li instructed co-conspirators to open US bank accounts for shell companies and managed the conversion of victim funds into USDT, a stablecoin, which was then distributed to wallets controlled by the perpetrators.
Despite committing the crimes abroad, Li was arrested in April at Atlanta's Hartsfield-Jackson International Airport and transferred to the Central District of California.
"Pig butchering" scams, like this one, involve fraudsters building trust with victims before persuading them to invest large sums, only to steal the funds. Regulators, including the Commodity Futures Trading Commission, have expressed growing concerns about such schemes. Li faces up to 20 years in prison, with sentencing scheduled for 3 March 2025.
Hong Kong In:Review
The Hong Kong Monetary Authority (HKMA) issued a warning on 15 November 2024, cautioning residents about overseas cryptocurrency companies misrepresenting themselves as banks. The central bank stated that such actions may violate Hong Kong’s Banking Ordinance, which restricts the use of the term "bank" to licensed entities.
The HKMA highlighted cases involving two crypto firms operating in Hong Kong. One falsely claimed to be a bank, while the other described a product as a "bank card." These representations could mislead consumers into believing the firms are authorised by the HKMA or providing services under its supervision.
Recommended by LinkedIn
Under Hong Kong law, only licensed banks, restricted licence banks, and deposit-taking companies are permitted to offer banking services. The HKMA emphasised that unlicensed firms using the term "bank" in business descriptions or representations face legal consequences.
India In:Review
Delhi police have apprehended Masud Alam, a suspect linked to the theft of USD 230 million in cryptocurrency from India’s WazirX exchange earlier this year. Alam, from West Bengal, was arrested on Thursday, marking a major breakthrough in the investigation.
Authorities allege Alam created a fraudulent WazirX account, later sold to another individual on Telegram, which was used to execute the breach. Cybercriminals reportedly targeted the exchange’s “hot” wallet, used for online transactions, and attempted to compromise its “cold” wallet, which stores funds offline with higher security.
WazirX, in a July statement, acknowledged that attackers had breached its security measures despite efforts to safeguard customer assets. However, Cointelegraph reports that the hack stemmed from external access through deceptive practices, rather than vulnerabilities in WazirX’s systems.
The investigation has faced hurdles, particularly with Liminal Custody, the Singapore-based firm responsible for securing WazirX’s wallets. Liminal Custody has declined to provide requested data, hindering efforts to trace the stolen funds. The firm maintains that its infrastructure remains secure and operational.
Founded in 2017, WazirX is one of India’s largest cryptocurrency exchanges, holding reserves of approximately USD 500 million as of June 2024. Following the hack, police have seized laptops and are scrutinising the use of WazirX’s multi-signature wallets, which offer additional security layers.
This arrest sheds light on the complexities of securing digital assets and the evolving threats facing cryptocurrency platforms. Efforts continue to recover the stolen funds and strengthen safeguards in the Indian crypto ecosystem.
Korea In:Review
South Korean authorities have arrested 215 individuals in connection with the country’s largest cryptocurrency fraud case, involving a financial influencer who allegedly orchestrated a scheme defrauding over 15,000 people.
Of those arrested, 12 remain in custody, including the suspected ringleader, identified only as "Mr. A," a YouTuber and investment advisor with 620,000 followers. Mr. A fled to Australia but has since been detained.
The alleged scam began after Mr. A faced demands for refunds following poor stock advice in 2020. He is accused of establishing a network of fraudulent companies to solicit USD 232.7 million from investors between December 2021 and March 2023. This included selling 28 cryptocurrencies, six of which were manipulated by Mr. A's team.
Many victims, often middle-aged or elderly, were pressured to sell assets such as their homes to participate.
Authorities have confiscated 22 Bitcoins and are pursuing additional assets linked to the scam. The incident highlights South Korea’s rising digital asset fraud, prompting stronger cryptocurrency transaction monitoring and severe legal penalties, including life imprisonment.
South Korea’s Financial Intelligence Unit (FIU) has flagged an estimated 500,000 to 600,000 suspected Know Your Customer (KYC) violations at Upbit, the country’s largest cryptocurrency exchange. The findings arose during a review of Upbit’s business licence renewal application.
The FIU’s inspection, which began in August 2024, highlighted deficiencies in Upbit’s customer verification processes. Breaches reportedly include approving accounts with incomplete or unclear identification documents, potentially enabling money laundering and other illicit activities.
Each violation could result in fines of up to USD 75,000, potentially posing substantial financial consequences for the exchange.
Upbit has long been a focus of regulatory attention due to its dominance in the South Korean crypto market, where it accounts for the largest trading volume in the region. Its token listings have previously caused market fluctuations, leading to allegations of manipulation and practices like "pump and dump" schemes by traders.
Upbit has also faced criticism over its influence on the "Kimchi premium," exploiting price gaps between domestic and international exchanges.
Despite these challenges, Upbit has taken measures to improve its regulatory standing. In July 2024, it issued its first public disclosure under the Virtual Asset User Protection Act, showcasing its financial stability and compliance efforts.
Internationally, Upbit secured a Digital Payment Token Services License from Singapore’s Monetary Authority of Singapore (MAS) in January 2024, underscoring its commitment to global regulatory standards.
The FIU’s findings could have far-reaching impacts, both for Upbit and South Korea’s crypto industry. Beyond potential fines and reputational damage, the case may drive discussions about KYC practices and regulatory compliance in the country’s rapidly growing cryptocurrency market.
Singapore In:Review
Deputy Prime Minister and Monetary Authority of Singapore (MAS) Chairman Gan Kim Yong has detailed enhanced security measures for bank accounts for minors under 16. In a parliamentary reply, Gan clarified that minors’ accounts must be opened by parents as either joint accounts or sole-name accounts, with strict safeguards, such as:
The Shared Responsibility Framework, applicable to all accounts, mandates that banks compensate scam victims if institutional responsibilities are breached. Investigation timelines remain standard, with banks resolving straightforward fraud cases within 21 business days and complex cases within 45.
These safeguards align with initiatives like OCBC’s launch of Singapore’s first bank account for children aged seven and above, promoting financial literacy through tools enabling parental control. The measures are further detailed in the E-Payment User Protection Guidelines and the Shared Responsibility Framework, effective 16 December 2024.
The Monetary Authority of Singapore (MAS) has received fewer than five complaints annually over the past five years regarding online financial influencers, or "finfluencers," Parliament was informed during a recent session. Most complaints concerned individuals whose comments did not constitute financial advice, leaving them outside MAS regulation.
MAS Board member Alvin Tan clarified that financial institutions using finfluencers for advertising must ensure balanced and clear presentations of financial products, including risks and key features.
Finfluencers who provide financial advice must be licensed under the Financial Advisers Act, particularly if they are paid for recommendations or provide such advice consistently, even without payment. General educational content is exempt from these requirements.
Tan confirmed that MAS, along with the Commercial Affairs Department (CAD), takes action against unlicensed individuals providing financial advice. Over the past three years, six individuals have faced enforcement action for unlicensed financial activities, though none were finfluencers.
Best of the Rest In:Review
US prosecutors have filed a lawsuit to recover USD 40 million in bribes allegedly paid by former FTX CEO Sam Bankman-Fried (SBF) to Chinese officials in 2021. The bribes were reportedly used to unfreeze nearly USD 1 billion in cryptocurrency wallets linked to Alameda Research, FTX’s sister trading firm.
According to court documents filed on 12 November 2024 in the Southern District of New York, the bribes were made in two installments - USD 28 million and USD 12 million - in USDT stablecoins. These funds were funneled through multiple crypto wallets to conceal their origin.
Prosecutors also allege that a Binance account, holding USD 8.6 million in crypto as of December 2023, was used to launder the bribe, with the funds distributed across five deposit accounts. Favorable market conditions have reportedly increased the bribe’s value to USD 185 million.
This lawsuit is part of broader efforts to recover assets linked to FTX’s collapse, which left millions of investors facing significant losses. Once valued at over USD 30 billion, FTX filed for bankruptcy in November 2022 amidst allegations of fraud, money laundering, and mismanagement.
As legal proceedings continue, US authorities are working to seize assets and distribute recovered funds to investors, a process that may take up to two years.
Researchers from Georgia Tech and the University of Hong Kong have developed Chameleon, an innovative model designed to safeguard personal photos from unauthorised facial recognition while maintaining image quality.
Chameleon creates personalised privacy protection (P-3) masks that are visually similar to the original images but render them unrecognisable to facial recognition systems.
Unlike existing tools that generate varied masks for each photo, Chameleon uses a bespoke P-3 mask tailored to the user’s facial features. Once applied, photos appear as belonging to someone else during unwanted scans, thwarting web scrapers and other bad actors who collect facial images for identity fraud, stalking, and targeted ads.
Led by Professor Ling Liu and a team including Sihao Hu, Tiansheng Huang, and Ka-Ho Chow, Chameleon outperformed leading facial recognition protection models in tests, offering better privacy and visual fidelity while being faster and more efficient.
Future applications could include protecting images from unauthorised use in AI training models. The team plans to make Chameleon’s code available on GitHub, fostering innovation in privacy-preserving technologies. This model underscores the importance of responsible AI development and advancing privacy in the digital age.
In a collaborative operation, Binance and the Royal Malaysia Police successfully traced and recovered USD 1.6 million of a USD 4.5 million ransom paid for the release of a 59-year-old businessman abducted on 13 October 2024. The victim, kidnapped en route to the airport, was released the same day after the ransom was paid in cryptocurrency and cash.
Binance’s Financial Intelligence Unit utilised advanced blockchain analysis to trace the cryptocurrency transactions linked to the kidnappers. This enabled law enforcement to "follow the money trail," leading to the arrest of 14 suspects and the recovery of significant assets.
These included MYR 1.95 million, SGD 1 million, cryptocurrency worth MYR 1.75 million, a firearm, ammunition, and handcuffs.
ASP Nurul Aqila of the Commercial Crime Investigation Department praised the operation, emphasising the critical role of blockchain analysis in solving the case.
Erin Fracolli, Binance’s Global Head of Investigations, highlighted this case as an example of cryptocurrency being exploited in criminal activities while showcasing Binance’s capability to support law enforcement. She urged businesses and individuals to adopt robust security measures to mitigate such threats.
I hope you find Risk In:Review informative and helpful.