Navigating Singapore’s Evolving Regulatory and Business Landscape

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right, or, if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.

Kuan Yoe: Well, good afternoon, everyone, and welcome to today's seminar or webinar where we're going to talk about navigating through Singapore's evolving regulatory and business landscape. My name is Kuan Yoe, and I am a business development director at CSC GFM here in Singapore, and I will be your moderator. Joining us today are Jovi Gan from Lymon Private Limited and Agnes Chen from CSC GFM. Allow me to introduce them both, starting off with Jovi.

He has more than 15 years of experience in the industry across various jurisdictions including Singapore, New York, and Albany. His experience includes providing directorships, regulatory compliance, fund operations, and assurance services to various clientele of fund managers, hedge funds, private equity, and private debt funds. Jovi is a chartered accountant of Australia and New Zealand and a registered director with the Cayman Islands Monetary Authority.

Next Agnes is Agnes. Agnes is our managing director of CSC Global Financial Markets in Asia-Pacific. She's responsible for our offices in Hong Kong, Shanghai, Shenzhen, and Singapore. She has more than 15 years of experience in operational executive management in the banking, trust, and wealth management planning, structuring, compliance, and fund administrative services sector.

Throughout her career, she has held many key roles representing licensed trust companies for corporate and fund services as well as private and corporate trust companies in Singapore, Hong Kong, and other key jurisdictions. Agnes earned her bachelor's degree in finance, and she's also a qualified trust and estate practitioner under the Society of Trust and Estate Practitioners, also known as STEP, and is a qualified practitioner in international compliance and anti-money-laundering under Central Law Training.

With that, let's welcome Jovi and Agnes.

Today, we'll be speaking about the following topics. It's about discussing the most recent guidelines that the Monetary Authority of Singapore, otherwise known as MAS, as has released across the following topics. It's the guidelines to Notice VCC-N01 regarding the prevention of money laundering and countering of the financing of terrorism.

Second, we're going to speak about accredited investor documentation for fund administrators and compliance practitioners, technology risk management guidelines to combat heightened cyber risks, and, lastly, managing the risk of remote working in financial institutions. So this webinar will be kind of like a discussion that I'll be having as moderator with Agnes and Jovi about the topics that are highlighted on the topic screen earlier.

Okay. Here we go. AML continues and will continue to be a core regulatory focus of authorities, and given the guidelines on prevention of money laundering and countering the financing of terrorism for VCCs was introduced back in December 2020, how different are these requirements for the VCC to that of asset managers regarding the VCC Notice 01.

Jovi, would you like to take us away?

Jovi: Sure. Thank you, Kuan Yoe. So as many of you are aware, the guidelines to the VCC Notice N01 was released in December 2020, and, in short, this is largely similar to the requirements that have been proposed by inspectors from MAS with regards to other regulatory financial institutions. So in the next few slides, I'm going to quickly bring you through some of the key requirements and what to look out for when it comes to complying with the same notice and guidelines.

Okay. Firstly, the board of a VCC retains the ultimate responsibility for complying with the AML/CFT obligations under the notice. So it's imperative for the board to understand the ML/TF risk involved and also to have an appreciation on how the control frameworks operate to mitigate those risks. To do this, the board will need to ensure that it has already assessed [inaudible 00:05:32] information on a variety of things, including the overall level of ML/TF risk that the VCC is exposed to, the operating effectiveness of the current AML/CFT controls, and any of these relevant legal and regulatory developments that may have an impact to its operations.

A VCC is required to appoint an eligible financial institution to assist with its performance of the relevant checks and measures under the guidelines and notice. So when you're appointing an EFI, these are some of the key items to look out for.

Firstly, there must be a proper formal documentation in place detailing the scope of responsibilities, the key personnel involved in undertaking the work, and other relevant information.

Secondly, the AML policies and procedures must be established at the VCC level. It must be updated periodically and has to be approved by the board. In the event that the EFI appointed is that of the fund manager, it is important to take note to have the proper segregation of duties when it comes to dealing with the VCC customers, performing the necessary checks and measures, and also undertaking the internal audit process.

Also, a VCC may rely on a third party on the AML work that's been performed by the third-party for one of its customers. When an EFI is relying on the work performed by a third party, it needs to ensure that this third party is either an existing EFI or it is a financial institution that is regulated by a foreign authority with similar AML requirements as that of [inaudible 00:07:57]. Of course, the VCC board remains ultimately responsible for its AML applications and oversight of the EFI.

Lastly, the VCC needs to ascertain that the EFI has the appropriate depth of expertise and proper procedures and processes in place to undertake the work.

To understand the overall penalty of risk at the VCC level, it is a requirement to perform a holistic risk assessment. And the broad [inaudible 00:08:35] of risk factors to consider are the VCC customers, its products and services and delivery channels, and the countries and jurisdictions that these operate in or its customer [inaudible 00:08:51]. Lastly, it is also important to incorporate the results of the Singapore NRA report into this risk assessment.

When we are undertaking the customer due diligence process, one of the key aspects is to identify the customer. The notice sets up the minimal level of information required such as the full name, identification number, residential or registered address, date and place of birth, or dates of incorporation. So the information on this slide here are some of the more commonly, I would say, obtained information to satisfy the minimum. As a general rule, the best document to verify their identity is often one that is the hardest to obtain illicitly or to counterfeit.

If there is any change to the beneficial owner or directors of the VCC, [inaudible 00:09:53] must be updated within 14 days, and the relevant register of the VCC that's either kept at the office of the VCC or the fund manager at the EFI has to be updated no later than two business days after the information has been provided. So it is important for the VCC to consider implementing measures such as that of reminders or periodic review to the relevant stakeholders to ensure that such changes are captured in a timely manner.

Ongoing monitoring of customers is a fundamental aspect of the overall AML risk management process and needs to be conducted for all business relations [inaudible 00:10:38] depending on the risk level assigned to the individual customer.

From a transaction monitoring perspective, it is important to take note of various criteria such as the nature of the transaction, the amount involved, whether these transactions are made, you know, with the intention to avoid the threshold, the origin and destination of the transaction, and, of course, the parties involved.

Okay. As mentioned earlier, an EFI may rely on a third party to perform the CDD for one of the VCC customers. In a typical third-party-reliance model, the third party often has a direct relationship with the customer, and it will perform the CDD work in accordance with its own policies and procedures. This differs from an arrangement between the EFI and the VCC whereby the work is performed in accordance with the VCC's policies and procedures. So when there is such a reliance in place, it is important to take note of the potential gaps and to actively manage these gaps. It's also important that the EFI must not rely on a third party to carry out ongoing monitoring.

When establishing the business relationship with a customer but the verification of the customer's identity has yet to be completed, if this delay is 30 days or more, you will need to suspend business relations with the customer and refrain from carrying out further transactions. If this timeline is 120 days or more, you will need to terminate business relations with the customer. It is important to incorporate these limitations into the VCC policies and procedures and its monitoring [inaudible 00:12:41].

From a training front, all relevant employees and officers are to be trained as soon as possible from the point of their onboarding. Refresher training is to be conducted at least once every two years or more regularly as appropriate. The effectiveness of such training can be, I would say, measured through the use of tests after the training or looking at the quality and quantity of the internal reports as an example. It is also important to take note that this training record must be maintained for audit purposes.

Kuan Yoe: Wow. Thanks, Jovi. That's a very comprehensive answer to the different requirements with regards to this VCC Notice 01. I'm also very curious to hear from you, Agnes. What do you see from the service provider side with regards to this question?

Agnes:Yes. Thank you, Kuan Yoe and Jovi. Very interesting information up there. I think it's very comprehensive as well. So we spoke about a few things from the VCC Notice 01 that the board and senior management involvement is key to establishing these risk policies and procedures.

It's quite interesting because in a traditional fund setting, especially if we're looking at a Cayman or a Singapore traditional fund setting, you would have noticed that a lot of the procedures are actually on the fund manager. So, basically, the risk policies, the risk assessments, and all are actually based on the policies of the fund manager.

The VCC Notice 01 works in a very refreshing way and also a very unique way. It means that the VCC is an entity altogether as a regulator entity. So, basically, what it says is that, aside from your fund management aspects where you need to ensure that you have policies, you need to now also maintain your policies under the VCC itself and adhere to the board and also the senior advisory or the senior management, which is rather unique.

And I think this is something quite refreshing, especially in the Singapore fund where VCC has now been kind of the new and emerging structure. It's something very key for our audiences to learn and also for the fund managers to learn that this needs to be kind of implemented.

So in a lot of ways we see fund managers relying or kind of basing it on their fund management policies or their risk management policies on the fund management level, but now they need to know that they need to also base this on the VCC policies. So I think that this is quite unique in a way.

I'd also like to mention about the eligible financial institutions here because a lot of clients actually ask us, "As a fund administrator, can you then be the eligible financial institution?" I certainly have to say, "No, we cannot," because, firstly, under the Singapore Fund Administration meeting or rather if there is a meeting in the future, we will be regulated. But for now, most of the administrators that you see are either having an RSA, which is a registered filing agent license – that is a company's [inaudible 00:16:22] license – or they have no licenses at all.

So, hence, we don't qualify for the EFI in this case, the eligible financial institution. For a lot of our clients, our advice is really that the EFI in this case makes sense to be the fund management company, which is the financial institution. I'll leave Jovi more to speak about that, but this is basically what we've seen in the market on the EFI because most of the time, like what Jovi has mentioned, a lot of the touch points are with the EFI with the VCC board of directors and [inaudible 00:17:00].

So, a contentious issue. We'll move on to really have that links into the GDPR discussion.

What actually happens is that the EFI, however, could base some of the support with the fund administrators, especially, for example, investor onboardings, etc. But again Jovi has mentioned to ascertain that they are the ones monitoring the board of directors of the VCC signing off and also not relying on a third party for monitoring itself.

So it's a check and balance in terms of everybody doing their part in terms of the AML counter-money-laundering measures per se where the fund administrators do our part in actually screening the investors and also ongoing monitoring. The fund managers, on the other hand, and the VCC board of directors would have to be putting in place their risk policies measures as well.

So, yeah, over to you, Jovi. Do you have any probably more in-depth information to share about that?

Jovi: Thanks, Agnes. What you mentioned is pretty much in line with what I have in mind. Especially, it's important to take note that this appointment of the EFI more often than not will go back to the fund manager because the existing AML obligations for establishing a business relationship with the same set of customers is really being placed on the manager as part of the licensing condition. So this is what I would expect from most VCC participants as well.

Kuan Yoe: TWell, thanks, both. It sounds like, you know, it's important. Thanks, first of all, Agnes, for clarifying the different roles, you know, especially of being eligible as an EFI service provider. I think with that it has been clarified to the audience what they would need to do if they have not done so. And if so, of course, we are here. Both Lymon and CSC are here to help.

What do you think? Let's move on to our second topic that we'd like to discuss. Maybe on a separate note, an important aspect in relation to onboarding is that of the accredited investor assessments, and one area of focus is with regards to the types of documentation that is accepted as proof. Can you share with us, Jovi and Agnes, what are some of the common pitfalls that you would like to advise the audience on? Maybe, Jovi, can you start off with this one?

Jovi: Sure. Thanks, Kuan Yoe. Before we proceed, I will just do a quick reminder to everyone on the definition of an accredited investor. For an AI who is an individual, it would mean that your net personal assets must exceed either $2 million or your financial assets must exceed the value of $1 million or your income in the preceding 12 months is not less than $300,000. For an AI that is corporate, your net assets must at least exceed $10 million in value or you are a trustee of such other person that the authority may prescribe.

So from the documentation perspective, you need universal documentation to provide to justify you as an AI. The more common ones for an individual, for example, would be [inaudible 00:20:39], your income tax statement, which also applies for corporate, and, for example, the value of the property and the [inaudible 00:20:50].

So, you know, what I'm saying here is that there may be standard, I would say, lists among different service providers [inaudible 00:21:01] for what is common, but it doesn't mean that we can't accept other reliable forms of documents to justify that, you know.

I have an interesting example here to share. I came across a case whereby the accredited investor statements of an individual is basically . . . the value largely is because of inheritance through a piece of land [inaudible 00:21:33] piece of land that was granted by the royal family. So in this instance we had to look at the title deeds, and we had to look at other documentation involved to ascertain that this was actually indeed given by the royal family to the individual, and indeed it checked out.

So, Agnes, do you have any examples in terms of documentation that you wanted to share from a fund management perspective?

Agnes: Indeed. Thank you, Jovi. So this is our typical favorite topic from fund managers, especially when they're onboarding their investors and doing the closing of subscriptions. Many times the clients will call us or other [inaudible 00:22:24] and say, "Okay. What do you think we should collect, etc.?"

Sometimes because of this day and age where we are in the pandemic zone, sometimes it's also difficult to ascertain a few documentations. For example, if they need documents from the regulators, etc., it's a lot longer than before to collect documents. That question points back to the fund manager in terms of how your risk assessments and how your kind of operational policies are, and I think Jovi would be very familiar with [inaudible 00:23:03] that for most clients of yours. How do you as a fund management company also have policies for ascertaining your AI investors itself?

So there are very kind of tailor-made rules and also checklists where they kind of ascertain the AI investors. So there may be in this case then very standard documents that they collect. So there are also fund managers that are very fluid in this case where they adhere with the changing times but they keep in compliance with what MAS requires under the definition of an AI investor.

So this is where clients will sometimes work together. We as fund administrators, of course, do not dictate what you collect to determine AI investors because a lot of that assessment itself is actually done at a fund management level where you have internal policies.

So for us it's really helping, especially if we're investor relationship liaisons with the investors. Then we work with the fund managers to collect that. Some fund managers actually have closer relationships with their investors. They, on the other hand, would actually prefer to keep the liaison with themselves and also us supporting them as the fund administrators.

So it will be quite interesting, Jovi. Do you see any kind of unique risk policy assessments or kind of a checklist that has been wrote out by fund managers?

Jovi: Thanks, Agnes. In terms of a checklist brought up by fund managers, what I've seen is actually quite standard in a way whereby, you know, you ask for the usual suspects in terms of [inaudible 00:25:00].

I think a few points to note here is that if someone were to make a declaration that they financial assets of, say, $10 million, it doesn't mean that we have to go and ascertain that they have an entire $10 million. We just need to make sure that they meet the minimum or ascertain the minimum and that will suffice. Secondly, from a net personal assets perspective . . . because remember that it's always easier to, I would say, ascertain the assets side of things. But from the liability side of things, how are we going to address that?

So I want to say there's no hard and fast rule. It really depends on the individual involved and their circumstances. But from what I've seen, this liability part of [inaudible 00:25:48] is always an area, I would say, of debate per se.

Agnes: Yes, certainly. We see the same thing as well. So most times it's not part of our kind of scope as a fund administrator to ascertain whether the investor is an AI, but most of the time we assist in a way, because of the close relationship we have with our fund managers, how to support them in terms of the documents to collect. So that's where we typically work with advisors like yourself where you're supporting the client in advising their operational risk framework, etc., and we work together with them. That's exactly what we see as well.

Kuan Yoe: That sounds good, both. I mean, it sounds like this is a very fluid process in the sense that it's not static and would always need to be reviewed in a timely manner to ensure that documentation is, yeah, I would say, up-to-date.

Well, thanks for that. Let's move on. I see that a question has come in, but I just would like to address to the audience that the Q&A session will be at the end of this webinar. So that's when we'll address your questions. So thank you for that.

Given the growing use of cloud technologies and application programming interfaces or APIs, MAS has since revised its technology risk management guidelines in January, as everyone knows, of this year to emphasize the importance of incorporating sound security controls for financial institutions.

So what are some of the key changes involved? Because this is not the first time that they have done this. This is kind of like an updated release of guidelines, right? Jovi?

Jovi: Thanks, Kuan Yoe. In the next couple of slides, I'm going to quickly take everyone through the key takeaways on this very recent [inaudible 00:28:05] TRM guidelines.

High-level descriptions of the ICANN models are on your screen now. And I don't want to dwell too much on these, but it's important to see how they move through the process.

I mean, the first key change involves [inaudible 00:28:13] personnel, most notably the board and senior management. So now there is a requirement for the board to be comprised of members who have knowledge and expertise when it comes to managing cyber and technology risks. This differs from the previous guidelines where it only required the board to be involved in key IT positions.

Also, there's now a requirement to appoint a CTO or equivalent to manage such risks, and the original list of responsibilities for the board or the senior management has also been expanded, you know? So the expansion has a focus on the oversight of the FI's technology strategy, operations, and risk.

The next key change is that of due diligence and assessment. So now FIs are expected to establish standards and procedures for vendor assessment or, should I say, vendor evaluation prior to engaging them. And some of the key criteria involving the assessment include detailed analysis of the vendor's capability to develop the software involved and its security and quality assurance practices.

FIs are also expected to implement a vetting process for assessing a third party who wishes to connect to the FI through the use of an application programming interface or, in short, API. So some of the key aspects of the vetting criteria are the nature of the third party's business, the industry reputation, track record, and, most importantly, it's cybersecurity readiness.

Moving on, FI are also expected to conduct periodic access reviews of user rights to ensure that or to identify rights that have been given to, say, redundant users, dormant users, or even inappropriate users.

Privilege access to systems is now to be granted on a need-to basis, and the activities are to be logged, monitored, and reviewed regularly.

There is also a requirement now to use strong authentication access controls such as that of multifactor authentication or token authentication for users who wish to connect remotely. In the past guidelines, there's only a requirement to use 2FA instead of MFA.

Lastly, remote access to information assets at the FI level are only allowed from devices that are really secure to its external security standards.

Moving on to cyber resilience, this entire section here is somewhat new in the guidelines. It wasn't really mentioned in the previous set of guidelines. So what are the expectations here?

So an FI is expected to procure cyber intelligence monitoring services, to keep itself updated on the threats involved, and modify its risk assessment processes accordingly. It should implement surveillance systems to detect suspicious and malicious activities and conduct vulnerability assessments on systems and penetration testing on its online services at least annually or more frequently in the event there is a major update or change in the system.

The FI is also expected to establish a cyber management response plan and to basically isolate and neutralize cyber threats and secure and resume affected services. This includes establishing a process to investigate and identify the deficiencies and to respond with procedures to address such deficiencies. Do know that this plan is to be reviewed and tested annually.

The guidelines also provide that FIs should carry out regular cyber exercises, scenario-based, to validate their response and recovery plan. Such exercises should include the business function, senior management, technical teams who are involved in cyber threat detection, and other relevant stakeholders.

Kuan Yoe: Thanks, Jovi. So it sounds like in this last slide you talk about an exercise that would be part of a BCP, right, a basic continuity policy. Just out of curiosity, these are just guidelines. Do you expect any punitive measures coming from MAS, you know, as cyber risks are increasing across the board and especially since the pandemic? Everybody's, you know, forced to work from home. What do you think?

Jovi: Yes, Kuan Yoe. So these [inaudible 00:33:55], but these are MAS expectations, so compliance with these guidelines is deemed, I would say, necessary [inaudible 00:34:04]. So it is imperative that all FI adhere to these guidelines as close as possible, but, of course, the level of adherence and the implementation procedures involved, you know, have to commence with the size and nature of each business.

Kuan Yoe: Well, with that, it brings me to my next question. So what do you think? Does this have any impact to the current remote working arrangement as a result of the pandemic? Jovi, would you mind commenting from a fund management point of view?

Jovi: Sure, Kuan Yoe. So, yes, I believe it does have an impact predominantly from two fronts, mostly from security. When remote working, we are transitioning from a secure corporate environment where there are appropriate safeguards, firewalls, etc., to a less secure . . . I wouldn't say unsecure, but it's a less secure home domain of public networks or a mobile data network environment.

So security is something that everyone needs to consider when implementing their remote working practices. In the joint paper that was issued by ABS and MAS on remote working, which we'll be covering shortly, participants can refer to Section B, Subsection 2 where there are useful insights on how to address this particular risk.

And the next consideration or, I would say, the next impact would be, I would say, BCP resilience. Before COVID or before remote working was the norm, working from home for many was the BCP. So what is the BCP now if remote working is the norm? What is the organization? What is BCP version two? What is your BCP version two?

Kuan Yoe: Agnes, maybe you would like to take this rhetorical question of Jovi's?

Agnes: Yes, certainly. So in the past, especially if you run a regulator entity, for example, or a trust company or a fund management company where you are expected to adhere to BCP requirements and drastic recovery requirements, etc., in the past, BCP and BRs are very standard. So when your building gets into a fire, etc., and your documents are all burned, etc., what happens?

Now the BCP, like what Jovi has mentioned, is a new normal where we are working from home. We are assessing the documents remotely. We are actually using more technology platforms, whether you're using Microsoft Teams or Zoom, etc., or Box to access documentation. So the nature of the BCP has changed a lot, and because of that and also very in line with the cybersecurity risk that we have kind of just discussed, it becomes very, very important that you are revising your BCP.

For us, we kind of adhere to or kind of work on our BCP plans drastically over the period where we are using a lot of technology and also, I would say, world-class technology functions to ensure that we are inhabiting, for example, the multifactor authentication even on our logins, for example.

So, interestingly, CSC runs a cyber risk security unit as well that provides to clients the cybersecurity support. So having said that, we adhere to world-class kind of equipment as well as security measures, but a lot of what Jovi mentioned is also very relevant.

What if you are an emerging manager that may not actually pass a lot of support and technology or in terms of the BCP measures? Then a lot of that is also based on skill and also based on the advisory of your compliance risk policies that you kind of adhere and change accordingly.

Our clients always ask us, "Have you practiced your BCP?" That's a very standard DDQ question, actually. "Have you been practicing your BCP?" And our response is always, "Since March last year, we have always been on BCP."

And I think now the new normal is what happens based on a normal BCP when you're working from home? And, of course, with 75% of the workforce encouraged back to the workforce itself, maybe I would say attendees are actually working more in the office now, but we will actually have to also adhere to the remote working environment, etc.

And I think this paper that ABS and MAS have actually turned out is really, really relevant because it addresses issues we have to encounter in a short phase and be able to get the economy and market going but at the same time, from a long-term perspective, what's your next-generation BCP?

Kuan Yoe: Or BCP 2.0, so to say. Well, thanks, both of you, for [inaudible 00:40:10]. That brings us, actually, to the last question that I would like to discuss with the both of you. It has to do with the following. In the risk management resilience [inaudible 00:40:27] that has been issued by MAS and the ABS or the Association of Banks in Singapore, what are the key takeaways? Can you take this away, please?

Jovi: Okay. Thanks, Kuan Yoe. So in the next couple of slides, I'm going to share with you the key takeaways.

Firstly, a quick one. What is remote working? I mean, it shortly means basically working outside of your office and you're assessing your office applications indirectly through the use of your home, public, or mobile data networks. An important point to note is that if you are working from your other offices or a designated site set up for BCP purposes, this does not constitute remote working.

So what are the key areas of consideration for risk management when it comes to remote working? Firstly, of course, because of the changing controlled environment whereby you are moving from your office to off-site, you know, you would need to review your working practices and arrangement to identify the risks involved as a result of this change and implement necessary controls in place to mitigate this risk.

The FI will also need to reassess and evaluate changes or potential changes to the [inaudible 00:40:27] risks involved with remote working and implement a corporate safe class and contingency plan to ensure continuity of services.

From a BCP perspective, you will need to enhance your strategy to consider the large-scale, I would say, dispersion of your workforce over different locations. From an information governance perspective, one would need to consider the risk and implication of information loss when determining what services can be performed remotely. Controls also need to be implemented to ensure that the devices, including personal devices of the staff who are working remotely, are secure.

FIs are expected to continue to adopt sound and robust technology risk-management practices to manage hardware and software deployment. You also need to keep yourself updated on potential fraud issues as a result of this remote working arrangement.

You should also consider implementing a consequence-management framework or incentive to encourage the right behavior from staff who are currently working remotely. You will also need to enhance, you know, the monitoring activities of the transactions that are undertaken by all staff who are in high-risk roles.

FIs are also expected to consider legal and regulatory implications when setting up their remote-working practices. Lastly, they should also pay attention to staff morale and welfare and provide resources for their emotional and mental support.

Kuan Yoe: Thanks, Jovi. What about you, Agnes? What is your point of view from the administrative point?

Agnes: Yes. So, certainly, I think a few aspects here that we can see from the slide is basically outsourcing is obviously very concerning as in it concerns the fund administrators quite a bit because that's where your due diligence as a fund manager or your service providers is important. Under the MAS guidelines, you would already have to screen your outsourcing provider, which is your fund administrator as one of them.

So this continues to be one of the key risk factors, but it escalates in the case of working from a home environment. Are your outsourcing agents or vendors adhering to, I would say, security measures, risk management actions, etc. to ensure that your data and your clients' data is secure, for example? This also gives a review in terms of what your outsourcing vendor is adhering to on a day-to-day basis on the administrative level. For example, how are their teams working from home? Do they have their own laptops, or is it a smaller team where they do not have an official laptop and some are logging in through home, for example?

These are a few key questions that typically will be asked by managers as well because it's very critical if you are using your home laptop and your home laptop has malware, for example, on it and you are accessing client data. Then is it a security risk? So that also points back to the cybersecurity risk guidelines as well as the risk-management actions of the remote working.

The other point I felt has typically come up especially is the verification of identity on a face-to-face level, especially for your investors and us onboarding fund managers. So in a way, if you're a Singapore manager – and most of our audience here are Singapore managers – it's rather easy for us to do a verification because you have your Singapore NRRC [SP], etc. Verification is generally quite fuss-free.

But a lot of you will have realized that during the pandemic itself or during even this period, a lot of verification is done through videoconferencing, especially if you notice bank account openings have also [inaudible 00:47:10] for some things where you have your relationship managers dialing into a secure network and you verify your ID where you show them your IDs, etc., and this is you. They ask you a few questions, etc.

The remote working guidelines have also recommended that these policies also be looked at, especially what controls you have in terms of making sure that your data verification and your identity verification is secure and is also in place. So you have guidelines in terms of that. Are you going to do [inaudible 00:47:48] in a case when you're allowed to actually meet? Are you going to meet the person in person for verification?

And I think these of the controls where the guidelines would also determine whether you as a fund manager are rolling that out. It's the same way as we do, for example, when our fund managers ask us, "Do you need the originals of the subscription agreement?" For example, I think this is a typical question.

Although some of the documentation can be received in a digital copy if you have your additional authorization and identification policies [inaudible 00:48:29], we would also recommend in this day and age to also follow up with originals because there is a risk of fraud in terms of the controls. You don't know who is signing, etc. And all this actually maps with your kind of recent controls over remote working guidelines.

Of course, we work with the fund managers to also follow their kind of guidelines. At the same time, we would recommend ours as well in the case of any identity fraud or any risk-management issues, etc. We typically would want our clients to also be protected and also consider that they have put in the controls.

So this is where I felt that it's also very interesting in this case, especially when you're working remotely. I think the rest would be generally very standard. How do you verify you're authorized [inaudible 00:49:27] where the payments authorization is verified, etc.? Those would be part and parcel of the fund administrator's checklist and procedures.

But I think very much in a remote working environment, a lot of it is, for us as administrators, verification face-to-face of our fund managers and our fund managers [inaudible 00:49:51] investors. So I think that's generally the few points that I see popping up these days.

I'm not sure, Jovi, if you have anything to add.

Jovi: Yes. From a verification perspective, it is now becoming, I would say, more common for verification of ID through the use of online, I would say, applications, especially on Zoom. You know, even then, this is [inaudible 00:50:24] locally. I shouldn't say even. It is accepted locally even by some of our banks. So I think this remote working norm now is bringing about a paradigm shift in the way we have been undertaking the work not just from a due diligence perspective but, you know, the way we conduct business as a whole.