SingaporeHow to draft an Enterprise-Wide Risk Assessment for Singapore Payment Institution License

If you are a company looking to apply for a Singapore Payment Institution License, one of the most important documents that will be required of you will be the Enterprise-Wide Risk Assessment (EWRA). The Monetary Authority of Singapore (MAS) regulates Singapore financial institutions in the fund management, capital markets, banking, insurance, and payments sectors along with the entities contemplating setting up cryptocurrency company in Singapore as there is no cryptocurrency license in Singapore. However, in the year 2020, the Monetary Authority of Singapore (MAS) implemented a new regulation that all cryptocurrency businesses are required to secure the new Payment Institution License.

As licensing processes become more demanding, payment institutions must show that they have the systems and controls needed to manage risk.  As well as completing forms, applicants must provide documentation, including a business plan and the MAS may ask to see your Compliance Manual or parts of it.  The Regulator will almost always have follow-up questions, and it is not uncommon to want to meet in person.

What is EWRA?

The enterprise-wide money laundering and terrorism financing (ML/TF) risk assessment (EWRA) assesses a financial institution’s (FI) inherent ML/TF risks, the effectiveness of the control environment designed to mitigate those risks, and the need to implement additional measures to manage residual risks where necessary. 

The latest requirements and expectations pertaining to an EWRA are stipulated in the Monetary Authority of Singapore (MAS) Notices and Guidelines for the banking and payment institutions in Singapore.

But why is risk assessment & management important?

Using ERM (Enterprise Risk Management) programs is a way for companies to gain a competitive advantage. It is not solely pursuant to a regulatory obligation. Understanding which areas of a business are the most exposed to risks is a way for entities to take preventive measures, prioritize actions and protect their business from unforeseen hazards. Getting insights into how risks are spotted, addressed, and managed is often decisive for the risk acceptance alignment of the upper management and board members’ oversight function.

ERM can be viewed as a crucial stage in the entire business strategy and performance of the organization since it plays a critical role in the categorization of risks (i.e., governance, operational, reputational, strategic, financial, and regulatory risks). Risk assessment enables businesses to seize commercial opportunities in dynamic environments.

It is possible that risk management has never been more crucial than it is right now. Due to the increasing rate of globalization, the risks that business organizations confront have become more complicated. The widespread use of digital technology services by these banking and payment organizations has led to the continual emergence of new hazards, many of which are caused by it.

Traditional risk management vs. enterprise risk management

Nowadays, enterprise risk management has a better reputation than traditional risk management. Both strategies try to reduce hazards that might hurt businesses. Both seek insurance to guard against a variety of hazards, including cyber liability as well as losses from fire and theft. Both follow the instructions given by the major standards bodies. However, according to experts, traditional risk management lacks the mindset and framework necessary to comprehend risk as a crucial component of business strategy and performance.

What are the benefits and challenges of risk management?

Effectively managing risks that could negatively or positively impact capital and earnings brings many benefits. It also presents challenges, even for companies with mature governance, risk, and compliance strategies.

Benefits of risk management include the following:

• Increased risk consciousness within the organization;
• More assurance in the organization’s aims and goals as a result of the risk being taken into account in strategy;
• Since compliance is coordinated, compliance with regulatory and internal compliance obligations is better and more effective;
• Increased operational effectiveness via more consistently implementing risk management procedures;
• Improved workplace safety and security for employees and consumers; and a market-based competitive differentiator

The following are some of the challenges risk management teams should expect to encounter:

• Initial costs rise as a result of risk management programs’ potential need for pricey software and services.
• The rising importance of governance necessitates that business units spend time and resources to comply.
• Reaching an agreement on the level of risk and the best course of action may be a challenging and controversial process that can occasionally result in risk analysis paralysis.
• It is challenging to convince executives of the importance of risk management without being able to provide them with concrete figures.

Important considerations on how to draft an Enterprise-wide Risk Assessment Document for Singapore Payment Institution License

Our team of licensing experts has summarized the most prevalent points on how to draft an enterprise-wide risk assessment document for Singapore Payment Institution License.  Accordingly, when drafting an EWRA, Audits teams should consider using the following list as some of the key factors that an effective EWRA should be able to demonstrate. An EWRA should:  

Maintain consistency of scope

• An EWRA should be a procedure that must be repeated and carried out at least annually. As a result, consistency in scope is crucial to generating an EWRA that is of similar value and gives key stakeholders including regulators, a clear picture of the change in residual risk of an institution from year to year. The whole geographic footprint of the company, all lines of business, and all goods and services should be continuously covered from one assessment period to the next.

Be aligned to the institution’s AML risk appetite

• An EWRA without a Risk Appetite Statement (RAS) will not be able to give quantifiable steps to address identified gaps, whether the RAS is specified at the business unit level or the enterprise level. Additionally, it will not be able to point out instances in which the institution could be coming closer to taking inappropriate risks. The alignment of an EWRA report’s conclusions with an institution’s RAS and the degree to which the RAS has been included into the EWRA should be investigated by auditors.

Be based on hard data that is available and accessible

• As regulators are increasingly leaning toward EWRAs that reflect hard data – (this includes data in relation to customers, products, services, transactions, and geographical coverage or delivery channels) – an institution’s ability to make this data continuously available and accessible for the purposes of critical analysis is crucial. The extent to which an EWRA is the result of quantitative data analysis and if this analysis is supported by “quality” data must be questioned by an auditor. When there are data restrictions, the EWRA report or EWRA methodology must explicitly describe the type of limitation and how it affects the EWRA.

Provide accurate assessment of sub-risk categories

• The cornerstones of the EWRA are an institution’s sub-risk categories (such as Customer Risk, Products and Services Risk, and Geography Risk). The reliability and consistency with which these sub-risk categories have been evaluated throughout the entire institution must be determined by the auditors.

Be supported by a defined and documented methodology

• The approach, as they say, is king; if they do not use it, they should. It is impossible to develop a sustainable and repeatable EWRA when the approach is opaque and not backed by clear artifacts (e.g. a well-defined risk assessment questionnaire). Auditors must evaluate an EWRA’s approach and feel confident in its applicability, viability, and consistency.

Be informed by a multi-dimensional assessment of the control environment

• While an auditor is familiar with the process of evaluating a control’s “design” and “operational” efficiency, it is important to be aware that EWRAs may unnecessarily place more emphasis on the design of a control than on its operational efficiency. As a result, the control rating may be biased, which might affect the EWRA’s overall conclusions. The distinction between centralized and decentralized controls is another aspect of evaluating the control environment for the purposes of an EWRA.
• For example, when a centralized onboarding or transaction monitoring team performs controls for multiple branches of an institution, the relevant controls should be tested at the central base level, rather than picking and choosing isolated branches to test. Where control is centralized, it is important for that control to be assessed centrally and to apply that assessment uniformly across all affected units to avoid inconsistency. This will ensure that all branches are held to the same standards and that any problems that are found in one are uniformly resolved in all.       

Be communicated appropriately to all key institutional stakeholders

• A successful EWRA report should result in actionable tasks, that are owned, delivered in time, and measured through subsequent EWRA cycles. Therefore, the communication channels used to report and track progress against actionable items should be reviewed when auditing an EWRA. 

Be upgraded to automated systems/processes (where possible)

• This last component is reliant on the institutions’ technical maturity. EWRAs are frequently manual and retrospective in nature. As a result, the EWRA is frequently reduced to a check-box exercise and does not always offer a “modern” perspective. Auditors are urged to inquire about how much of an EWRA process can be automated, if not entirely. It would be a wasted opportunity to not automate something as essential as an EWRA in a time when regulatory technology is at the forefront of most institutions’ thinking.

MAS guidelines regarding EWRA

Following the commencement of the Payment Services Act (PSA) in January 2020, the Monetary Authority of Singapore (MAS) recently published an information paper for businesses setting out a framework for how cryptocurrency businesses and other payment services governed by the PSA can measure the efficacy of their compliance programs. 

The informational paper sets out MAS’ supervisory expectation of effective Enterprise-wide Risk Assessment (EWRA) frameworks and processes, and interestingly set out the outcomes of some inspections conducted by MAS into unnamed financial institutions early in 2020. 

The EWRA provides guidance on how payment services including cryptocurrencies can achieve six key outcomes that would ensure compliance with their anti-money laundering and counter-terrorism financing requirements is maintained after licensing. These desired outcomes include:

• Senior management maintains active oversight of EWRA frameworks and processes;
• Sound and systematic frameworks and processes to assess inherent risks, control effectiveness, and residual risks for each business line;
• Adequate and accurate qualitative and quantitative analyses in assessing risks;
• Assessments of the effectiveness of all compliance controls, taking into account policies and procedures, control testing results, and assessments of organizational culture;
• Systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA exercise; and
• Structured processes to perform gap analysis against guidance papers, and incorporate lessons learned and good industry practices in their own processes.

Broadly, the information paper found that while generally the financial institutions MAS inspected had established frameworks for conducting EWRAs, the quality of implementation of the EWRA was more of a patchwork. This is hardly a problem unique to Singapore, with Australian banks copping record from the anti-money laundering regulator AUSTRAC, despite having supposedly stringent AML/CTF programs in place.

Concluding, risk professionals should not forget that risk management is not a “tick-the-box” process. It is a whole system for improving the performance of a business. It is a continuous process that requires a deep understanding of the entity’s business model and its functioning in the specific business and legal environment.

Protecting your business from breaching anti-money laundering and counter-terrorism financing requirements is becoming increasingly important in an increasingly globalized and sophisticated payments landscape. If you need advice on anti-money laundering and counter-terrorism financing compliance matters, please contact us and we would be more than happy to assist.

Conclusion

The life cycle of any company with a non-bank payment license like a Singapore Standard Payment Institution License depends significantly on how reliable the foundation it is built upon. Some start-ups may survive and prosper, but most will not see the growth stage.  To be one of the former, you must take all steps in a calculated manner. Such an approach will help you to achieve success and grow your business exponentially. 

Obtaining a Singapore payment institution license is a crucial step in establishing your fintech company, and providing such payment services.  Tetra Consultants will guide you through the whole process, prepare necessary documents, forms, and applications, and assist you in communication with the relevant authorities. 

Ultimately Tetra Consultants will address your concerns on how to draft an enterprise-wide risk assessment document for the Singapore Payment Institution License preparation of documents required for the payment license application, in addition, to register company in Singapore, finding an office, and corporate bank account opening.

In addition, Tetra Consultants can also assist with attaining other offshore financial licenses depending on your long-term business goals.

Contact us to find out more about how to get a Singapore Standard Payment Institution License and the steps on how to draft an enterprise-wide risk assessment document for Singapore Payment Institution License.  Our team of experts will revert within the next 24 hours.