Singapore’s Payment Services Act (PSA) was introduced to address the emerging criminal risks of payment technology and to consolidate previously separate payment services regulations. Passed into law on January 14, 2019, and into legal effect on January 28, 2020, the PSA combines the previous Payment Systems (Oversight) Act 2006 and the Money-Changing and Remittance Businesses Act 1979 to form a single legal framework.
What is the Payment Services Act?
Intended to prepare Singapore’s payments industry for the future without stifling fintech innovation, the PSA sets out regulatory requirements for payment service providers in Singapore and gives the Monetary Authority of Singapore (MAS) legal oversight of payments systems.
Accordingly, the PSA serves two parallel regulatory frameworks: the first is to protect Singapore’s financial stability and ensure fair competition, while the second enables MAS to implement a licensing regime and directly supervise payment systems and payment service providers by imposing AML/CFT regulations. To comply with the Payment Services Act, Singapore’s payment service providers must be familiar with its regulatory scope and the AML/CFT obligations it entails.
The regulatory scope of the PSA covers the following payment services:
- Account issuances services: Any services that issue payment accounts to customers or that involve operations required by a payment account. Examples include non-bank credit cards and e-wallets.
- Money transfer services: Services that facilitate the domestic transfer of funds within Singapore, such as online payment gateways and physical payment kiosks.
- International money transfer services: Services that allow for cross-border transfers into and out of Singapore.
- Merchant acquisition services: Service providers that process payments on behalf of merchants. Examples include payment gateways or point-of-sale card terminals.
- Money-changing services: Services that facilitate the buying and selling of foreign currencies in Singapore, including online payment service providers and any firms profiting from the exchange of physical currency.
Amendments to the PSA in 2019 expanded its scope to better align with Financial Action Task Force (FATF) standards and to extend its regulatory reach to services associated with virtual assets and currencies. Accordingly, the PSA also applies to:
- E-money issuance services: Services that facilitate the issuance of e-money that customers can store in e-wallets, transfer to others and use to pay for goods and services.
- Digital payment token services: Providers of exchange services for digital payment tokens (DPT) or platforms for the purchase and sale of DPT, also known as cryptocurrencies, within Singapore.
The application of the PSA to digital payment tokens is a significant regulatory step for the use of cryptocurrency in Singapore. Under the PSA, providers of cryptocurrencies and cryptocurrency exchange services must, like other service providers, obtain a license from MAS to operate and comply with a range of AML/CFT requirements. The new rules expand the definition of digital payment token services to any provider that transfers cryptocurrency across accounts (or arranges that transfer) within Singapore or beyond its borders.
Under the Payment Services Act, Singapore payment services firms must take a risk-based approach to the money laundering and terrorism financing threats they face and implement the following measures as part of an internal AML/CFT policy:
Customer due diligence: Firms must take steps to verify their customers’ identities and the nature of the business in which they are involved. Financial institutions may conduct simplified customer due diligence (SCDD) if their risk assessment suggests that is safe but must also implement enhanced due diligence (EDD) when their customers present a greater level of criminal risk.
Transaction monitoring: Payment services firms must monitor their customers’ transactions for signs of money laundering and terrorism financing. The monitoring process should be built around a set of criteria, including transaction thresholds, irregular transaction patterns and transactions to and from high-risk countries.
Screening: Payment services firms should screen their customers against relevant international sanctions lists, such as the UNSC sanctions list and MAS’ sanctions list. Firms should also conduct ongoing screening for politically exposed persons (PEPs) and for adverse media stories about their customers.
Reporting and record-keeping: Payment services firms must have a process in place to submit suspicious transaction reports to MAS. Firms must also maintain detailed records of their customers’ account activity for AML/CFT purposes.
The PSA imposes certain specific AML/CFT regulations on DPT service providers. These include:
- Monitoring cross-border value transfer: Special monitoring of cross-border transfers of DPT, including the prohibition of transactions with designated persons and entities.
- Occasional transaction thresholds: The FATF has proposed that the threshold for conducting CDD on occasional transactions that involve DPT be lowered to USD/EUR1,000. However, under the PSA, MAS has not specified a transaction threshold, and service providers must conduct CDD on all DPT occasional transactions regardless of the amount involved.
In order to fulfill their CDD responsibilities, MAS requires DPTs to collect a customer’s name, nationality, unique ID number (such as passport or NRIC number), residential or business address, and date of birth (or date of incorporation). Given the high AML/CFT risk associated with cryptocurrency, MAS is looking into requirements for additional identifying information as part of PSA compliance.
Under the PSA, payment service providers are permitted to outsource their AML/CFT CDD, screening, and monitoring processes to third parties.