GYK Group Partner Eric Lim // Web3 Accountant Radio Ep13 Transcript
Eric Lim is the Partner of GYK Group
GYK Group has more than 40 years of audit, accounting, tax and advisory (risk and governance) expertise in Singapore focusing on SME businesses and start-ups.
In this conversation, we dive into:
1. AML, KYC requirements for crypto exchanges in Singapore
2. Tools used in facilitating AML, KYC
3. Enhanced Customer Due Diligence vs Customer Due Diligence
4. Outsourcing of AML, KYC processes
5. Why did Eric decide to enter the Web3 space?
6. One key finance/ compliance lesson from Eric
7. What is Eric looking forward to in the Web3 space?
And more!
__________________________________
Connect with Eric & GYK and Goh Yau Kee & Co👇
Linkedin: / ericlimshihhua/
Website: https://gykco.com/
Email: [email protected]
Hi everyone, welcome to the Web3 Accountant Radio. The podcast where we dive into the fascinating world of the Web3 finance and compliance. In today’s podcast, I’m today’s host Diana and my partner is Wei Xiang.
Hello Wei Xiang.
Hi Diana. Today we are very fortunate to have Eric here.
I reached out to Eric after seeing that GYK, his company itself, is on the ISCA list where they can provide crypto attestation, audit, accounting advisory to licensed exchanges in Singapore. So today we are very fortunate to have Eric with a lot of experience with us here today. Eric is a chartered accountant member of ACCA and certified internal auditor, accredited tax practitioner with experience in crypto risk and compliance.
Currently a partner at GYK Group. GYK has more than 40 years of audit, accounting, tax and advisory (risk and governance) expertise in Singapore, focusing on SME business and startups. Welcome Eric.
Nice to meet you. Nice to meet you Wei Xiang and Diana. Thanks for having me on this session.
Thank you Eric. So today we will be discussing the key topic of importance of AML and KYC for licensed crypto exchange and we will also explore best practices in this area. So Eric, maybe you can share a little bit of your background on what have you been doing in the Web3 space recently.
Yes, thanks for this. I just wanted to share a bit more about myself as well. Right now, recently what we are focusing on the Web3 space is compliance, KYC, AML and a bit more of a finance related work and we foresee right now the regulators are coming down a little more on this area and that’s where we are also focusing on and educating our clients especially on Web3 space to be more compliant on regulations.
Yes, thank you Eric. Yes, I see that a lot of with the FATF recommendations, a lot of exchanges are requiring to do AML, KYC and also with the travel rule where information has to be transferred. So maybe can you share with us how can an exchange actually start with the AML or KYC processes if they want to get licensed? What are some of the best practices?
Thanks for this and I just wanted to also share a little bit more about AML and KYC.
MAS has introduced the Payment Services Act since 2020 and along the way it has also had this notice PSN02 guidelines on AML, KYC requirements and yes, a lot may ask how do we start from here? And I will share also some of the requirements, the basic ones on a high level basis on how to start by following this guideline as well. One of the key components of the PSN02 is that the DPT service providers are expected to comply with some of the measures here and now I can list down on a few key ones. For example, starting to conduct risk assessment and you probably can start off with developing some policies to mitigate some of the risks that you foresee in your exchanges.
And secondly is to assess the risk in relation to your products, technology and subsequently you can do some customer due diligence from your transactions and of course customer due diligence also comprise of some enhanced due diligence as that for example on PEP or from higher jurisdiction customers that are probably sanctioned. For example, these days we can look at a few like Russia, Vietnam, so all these are countries that we may want to put on a higher risk to look at. And for CDD you can actually look at, to start off with, you can look from the perspective of collecting the data, the right data, for example names, then subsequently you can screen the names using some tools to screen the names and then from there you can see whether they are a true hit or false hit and you can have a basic documentation of all these measures.
And of course, at the end of the day, have an internal policy for compliance and audit training. And what I would suggest is also do an ongoing monitoring relating to your business transactions with regards to AML, KYC. Now all this can cascade down to transaction monitoring where you can use some tools like analytics to really look through all the transactions that are going on between your clients and within your exchanges as well.
The last thing we want is some of the transactions that goes to dark wallets or to finance terrorism. There are tools there and there are also guidelines on how to look at. Sometimes you can look at transactions and you can look at the loops by looking at the loops, first loop, second loop and hopefully it doesn’t go into a dark wallet and that is a good way to look at ongoing monitoring process.
Thank you Eric. Just some clarifications on acronyms that I heard has been used are DPT service providers. These are actually your virtual asset service providers, your exchanges in Singapore, they call it digital payment token service providers.
And then the other one is CDD, this is customer due diligence. This is knowing a little bit more about your customers for people that are looking into this area.
But yeah, thanks Eric for giving a very high level overview of the different steps that people are actually looking forward to. So would you want to give a shout out or to mention some of the name of the tools that you are mentioning, like which brand do you like or which company have you used before or your clients have used before that you think people looking at this, they can look towards such companies to explore transaction monitoring tools. Because between the traditional web 2 world and then the web 3 world, transaction monitoring might be something very different.
Previously in the web 2 world, bank transfer are monitored other than yourself or also by banks. But nowadays on the blockchain, a lot of transactions being transparent. So some of the tools that I typically see and like is Elliptic.
Elliptic you can use, it’s quite robust, you can use it to look at your transaction monitoring. Another one is probably Jumio. Jumio you can perform some of your screenings, profile screenings and all.
These are some of the tools. Finance wise, of course, you can look at Elven, right? Elven who is quite robust to record all your finance transactions. These are some of the tools that I’m looking at.
Thank you Eric. I think Elliptic, I also used Elliptic before. It is very good.
They would flag out the latest wallets that have been tainted and also provide some research or news on a very live basis. And their research reports are also very nice. Thanks for shouting out to this company, Elliptic, Jumio and also Elven.
The other question that I have is, just now you mentioned about customer due diligence and enhanced customer due diligence. Can you explain a little to the listeners about what is the difference in terms of processes for enhanced customer due diligence against customer due diligence, the different types of screenings available? Because some of the comments that I have on the market is, you know, why is it that certain exchanges require more information just because we are a web 3 company when they engage certain exchanges? And as a non-practitioner, they don’t understand. But would we be able to elaborate more on enhanced due diligence?
Thanks for this. Customer due diligence, diligence where you perform possibly the fundamentals one. Enhanced due diligence is where you start zooming in. So these are the differences.
But in essence, the foundation of both are the same. Enhanced due diligence is when based on your company’s appetite and also best to be aligned with the regulations. These are where you discover after your screening, after your initial screening, where you discover that the clients that you have screened are probably on a higher level of scrutiny.
For example, PEPs. For example, higher risk clients from sanctioned countries. That is where you have to perform enhanced due diligence and some of the process or procedure that you have to take in the process of enhanced due diligence are probably you have to take approval.
Definitely you have to speak to your senior management. You have to already escalate it up. That’s number one.
During your ordinary course of screening, once you identify your PEP, your higher risk clients, you also need to quickly zoom in more on their beneficial owners. Probably you have to zoom in more on their source of wealth, source of funds. Now these are very important because with higher risk clients that you must do enhanced due diligence, you must know where their source of funds or beneficial owner.
And this is the part that usually may be harder to get information on. And that’s where you have to speak to your senior management to see whether you want to retain these clients, or you may want to look at alternative onboarding. Or in some cases, you may want to escalate or do a SAR reporting.
But all these are the process that comes with enhanced due diligence.
Thank you, Eric. So, STR reporting is suspicious transaction reporting.
In Singapore, if you are part of FI itself, or you are a finance practitioner, or you are real estate agents, if you know or think that a transaction is suspicious, the duty is on you to report it. And if you don’t report it when it’s obviously suspicious, then you are liable. Yes.
So, that one is in Singapore. So, Eric, just discussing your comments on this sentence that I hear a lot among license exchanges. How come we cannot onboard customer A when a competitor has onboarded customer A? So, I think this is a common sentence within among maybe the CS team against the compliance team, the compliance team against senior management.
Oh, our competitor has been onboarding customer A. Why can’t we onboard customer A? So, in terms of onboarding of customers, what is your comments on such a sentence?
My view on this is different exchanges have different process, different assessment and risk. Again, the risk appetite, it comes back down to risk appetite. And of course, the robustness of the process.
So, there are certain instances where probably certain exchanges, after they have done their due diligence, their assessment, a lot of discussion internally, and then finally, they, you know, in accordance to their risk appetite, they decided to onboard this customer. Then there is a decision making. I believe there is a decision-making process behind this.
And of course, on certain exchanges, probably you take a more prudent approach. Maybe certain areas are very high risk or something that is beyond the risk of what the exchanges team, the senior management team to be, you know, to be able to swallow on this aspect. And that’s where they may decide to not even onboard this customer.
So, these are my views from this perspective.
Thank you, Eric. I think what I’m hearing is a balance between profitability and risk appetite.
Yeah, I mean, if we reject all potential risk customers, then, I mean, where are our customers, yeah, but then we also cannot be too high risk. Yeah, so the other one is, I mean, coming back to AML and KYC, just now you mentioned the high overview. For many of the exchanges that are starting out in Singapore, moving from the unlicensed portion into the licensed portion, having proper AML KYC policy, doing screening, transaction monitoring, it might be a mouthful.
So, I understand that an exchange might be able to look at outsourcing certain portion of the service or seek advisory help so that they can achieve the best practices earlier and look towards successful license application. So, from your comments, which are the sections or areas which you think a license exchange should in-house it and which portion do you think they can look for, you know, outsource service providers to help them with different parts of the process?
The key, thanks for this, the key ownership should still be in-house. So, the compliance manager, directors, it should still all be in-house, whereas some of the things that can be outsourced are probably drafting of policies or procedures.
This can be outsourced, however, work hand-in-hand with the compliance manager or director. And on top of that, there’s an ongoing monitoring of KYC requirements. Some of this can be outsourced as well, especially on assistance of screening, documentation, some of this can be outsourced.
However, the decision-making, especially when there are areas where it’s being escalated, all this decision-making process, looking into the case, still must be in-house.
Thank you, Eric. So, what I’m hearing, thanks a lot for summarizing, is key decision-making has to be done in-house, it has to be led by the in-house compliance, head of compliance, compliance director, and the outsource support is more providing support itself to make sure that the work still goes through.
Yeah, so I think this is where, you know, the head of compliance, when they select somebody with the relevant experience to lead the compliance, within the license exchange AML and KYC cases. So, the other one is when they actually use outsourced providers to do the screening-wise, right, because I’ve been listening to this, and I find that, does it create an additional layer of independence? Because now to say, when they actually report, does it add an increase to say, oh, the screening is not done in-house, so, you know, it’s a third party helping to do the screening itself, so there is more comfort with regards to AML and KYC.
Okay, thanks for this.
It’s again, it’s again a process, it’s a process-driven thing, and basically when the third party are screening, helping to do screening for the exchanges or whatnot, there are already some key metrics or probably risk numbering, right, that they have already been given to or spoken to the respective vendors. And of course, from time to time, they may have to tweak all these numbers, and that’s where the screening process may change. So again, it comes back to the compliance department to own it, and of course, to work very closely with the outsourced vendor to align their work to the requirements of the compliance department.
Thank you, Eric, for sharing a lot of your professional knowledge and deep expertise, but I think the time now has come for us to learn the other side of Eric that is not frequently seen in media. So, Diana, over to you.
Okay, let’s move to today’s free talk session, and this session, I have a few questions about the inspiration for entering the Web 3 field and your outlook for the future. So, the first question is, why did you decide to enter the Web 3 space?
Okay. So, coming into the Web 3 space is a little of a, just a surprise, because as I was doing my usual ordinary course of work and consulting work, and you know, there are clients who came, who start coming to us a few years ago for some services, and that’s where we thought this is a market that we can go into, and we explore a bit more, and yes, that’s how we enter the Web 3 space, knowing that this is a space that is growing and upcoming.
Okay. So, maybe it’s a surprise to enter the Web 3 space. So, during your work and your journey in the Web 3 space, can you share maybe one key experience or lesson that you have learned?
Coming to Web 3 space, what I’ve learned is there are a lot of noises, a lot of differences in practices, as usual in a new industry where earlier on, not many people understood this industry, and that’s where there are many practices, approaches that are being implemented or used.
So, when we first came in, it was a little more of a trial and error, a lot of fine tuning. It’s a young industry, it’s not a mature industry. So, that was what I found in this Web 3, and that’s where we find it very interesting and exciting because we can learn a lot more in this industry.
They kind of challenge our judgment and our usual thought process in the usual work.
Plus, I think, Eric, with your expertise in accounting, tax, and internal audit, entering a new space like crypto itself, especially when we talk about regulations, every other week, I think you would have some new ideas or think about it from a different area, and I think that is what makes it very exciting.
Yes.
So, yes, correct. So, how we approach usually is to still benchmark, still come back down to our fundamentals. However, we have to evolve on our thinking and also keep learning as we go on all the changes.
So, it’s a mix of traditional fundamentals plus new stuff that’s going on. So, all these are a mixture of all these and it’s pretty exciting.
Okay, and as you mentioned, maybe there are a lot of people are not very familiar with this space.
So, what are you looking forward to in this area? Maybe any idea that you would like to share with the others and make more people to learn about this area?
Okay, what I would like to share more about this area is it’s a growing industry. Definitely, it’s probably a blockchain or areas that are a lot more in it than what we see on the media, right? There are a lot more innovation, a lot more things that we can explore, learn, and I would suggest that people be open-minded and look into this industry as well.
Yeah, thank you, Eric.
I think this is a very exciting time, especially in Singapore. In April this year, the government came, the MAS came out with new rulings for the Payment Services Act itself which require many new changes, among which it requires license holders to request for attestation letters before they seek their license. It requires funds to be custodied separately.
Such requirements actually increases the demand for interest within the fields itself and it increases the amount of professional work that is required. Yeah, I mean, I think there is a lot that is very good from the government to actually point license exchangers or people who are seeking license towards seeking help from professional service firms because they might be relatively new, maybe lacking manpower given the new and young industry. That is where we are seeing a lot of collaboration between firms and professional service firms even way before at the advisory stage, consulting stage, without reaching at the audit stage.
Yeah, yes, that’s right. Right now, the authorities are coming up with a lot more regulation and that’s where we have to be compliant. My advice is to start early.
You know, as you grow your ventures or business in this space, be at the, have to have at the back of your mind that you have to start be compliant as early as possible. In fact, from day one. Otherwise, once you grow, once you roll out and let’s say after one or two years, and then you start to realize that probably there are certain areas of compliance that may be missing and that, and when you start to roll back and that’s where, you know, things may, things may be getting out, a little bit and so my suggestion is to start early on compliance.
Thank you, thank you. Yeah, we definitely don’t want to be the first crypto exchange in Singapore to be made a scapegoat by the authorities itself to name a certain company and then say, you know, due to compliance issues, you know, something is very wrong. I think that is what we are all trying to move towards.
And I think in the crypto world, they are also very open to say, we are trying to keep key management out of jail. That’s why AML KYC is very important.
Yes, correct.
And as you can see, recent times, there are a lot of scrutiny on this area, a lot of fines, a lot of penalty being imposed. That’s why all the more we have to have a proper policy procedure, a process to mitigate all this. It all starts from the source, right from the client onboarding.
From there, you can basically weed out those that may be of a very, very high risk and that will mitigate some of the risk for your company.
Yeah, I see. That is very important in the Web3 compliance area.
And maybe it’s time to come to the end of our today’s podcast. Do you have anything else you would like to share with our listeners, Wei Xiang and Eric? No, thank you. Okay.
Yes, not at the moment. And thanks for having me on this session. Okay.
Thank you so much for sharing your insight and experience with us today. And to our listeners, thank you for tuning into the Web3 Accountant Radio. If you enjoyed this radio, please subscribe and leave a review.
Thank you so much. Thank you. Thanks, Wei Xiang.
Thanks, Diana. Thank you, everyone.