Understanding the MAS Omnibus Act:
What You Need To Know

On 21st July 2020, the Monetary Authority of Singapore (MAS) launched its Consultation Paper on the New Omnibus Act for the Financial Sector, setting out proposals for an expansion and consolidation of its regulatory powers. The proposal will have significant consequences for financial services firms operating in Singapore and especially for service providers working with digital assets (cryptocurrencies). Accordingly, banks, financial service providers, and other obligated institutions should understand how the new rules will affect them and how they should adjust their AML/CFT response to maintain compliance.

Prohibition Orders:

MAS issues prohibition orders (PO) to ban persons from conducting activities or holding roles within the financial industry after cases of serious misconduct. However, the current regime restricts MAS’ ability to issue POs in situations where persons are regulated under other acts that are also administered by MAS. 

The Omnibus Act would harmonize and streamline that regulation and allow MAS to issue POs to any person after a ‘fit and proper’ test of the following elements:

• Honesty, integrity, and reputation
• Competence and capability
• Financial soundness

The Act would also expand the scope of POs to include a prohibition on other functions such as risk management, critical system administration, the handling of funds, and the administration of cryptocurrency services.

Regulation of Virtual Asset Service Providers:

To meet FATF standards on the regulation of virtual asset service providers (VASP), the Omnibus Act would introduce a definition of VASP based on the one set out in Singapore’s Payment Services Act (PSA), along with a requirement for VASPs to obtain jurisdictional licenses to operate within Singapore. Based on that definition of VASP, the licensing requirement would apply to firms that deal with or facilitate the exchange of cryptocurrencies, that safeguard cryptocurrencies, or that offer advisory services relating to cryptocurrencies. 

VASP AML/CFT Requirements:

The VASP licensing criteria in the Omnibus Act would also require firms to apply comprehensive AML/CFT measures to their cryptocurrency services. The Act does not allow scope for lower risk exemptions to the AML/CFT requirement: VASPs must put the full range of AML/CFT controls in place for all customers using the standards set out in the PSA. 

The Omnibus Act would not limit MAS’ oversight to VASPs that operate solely in Singapore. The new rules would mean that overseas VASPs and Singaporean VASPs with overseas operations must ensure that their AML/CFT standards are aligned with those in effect in Singapore. 

Technology Risk Management:

The SFA, FAA, and IA already mandate technology risk management as part of AML/CFT compliance, however, the Omnibus Act would give MAS the power to impose new technology risk management requirements in relation to a firm’s internal systems – regardless of their existing regulatory obligations.

The new requirements have been proposed in anticipation of potential emerging cyber-risks that might pose unforeseen threats and that might not be covered by the existing regulatory infrastructure. Under the rules, MAS would have the power to issue specific directions to financial institutions or introduce new regulations in order to manage technology risks. 

The Omnibus Act would impose penalties of up to S$1 million for breaches of technology risk management compliance requirements.

Additional measures:

The MAS Omnibus Act includes further measures that will affect Singapore’s financial landscape, including: 

• A general duty for financial institutions to take reasonable care not to provide false information to MAS.
• An extension of MAS’ authority to include payment service providers (that are not regulated under the current regime). 
• A requirement for financial institutions to subscribe to an approved dispute resolution scheme.

How to Comply with the Omnibus Act

The Omnibus Act would modernize and consolidate MAS’ AML/CFT oversight, with a focus on bringing firms’ compliance standards into alignment with FATF recommendations. In practice, this means that financial institutions should review their risk-based AML/CFT programs, and adjust their compliance response to accommodate the expanded rules. Under FATF guidelines, a risk-based AML/CFT program should include the following measures and controls:

• Customer due diligence: Firms must establish and verify the identities of their customers and the nature of their business. Higher risk customers should be subject to enhanced due diligence measures. 
• Transaction monitoring: Firms must monitor customer’ transactions for indications that they are involved in money laundering. Suspicious activity should be reported to MAS. 
• Screening: Firms must perform ongoing screening to establish whether they are politically exposed persons (PEP), whether they appear on relevant sanctions lists and watchlists, and whether they are the subject of adverse media stories. 

While the Omnibus Act represents a degree of regulatory clarity for all financial institutions, VASPs must consider their new responsibilities carefully under the new regime. The expanded scope of MAS’ powers means that VASPs will need to enhance AML/CFT scrutiny of their customers and demonstrate compliance not just in Singapore but in overseas territories in order to obtain their operating licenses.