This article traces the evolution of the Payment Services Act 2019 (“PSA”) and explores the recent Monetary Authority of Singapore (“MAS”) guidelines aimed at enhancing consumer protection in the rapidly growing digital payment token (“DPT”) space.

History leading to the enactment of the PSA

Prior to the enactment of the PSA, MAS regulated various types of payment services under the Payment Systems (Oversight) Act 2006 (“PS(O)A”) and the Money-Changing and Remittance Business Act 1979 (“MCRBA”).

Since then, the payment services landscape had changed considerably, beyond the scope of activities and types of risks regulated under the PS(O)A and MCRBA. Additionally, new payment business models had blurred the lines between activities regulated under the respective pieces of legislation.

The PSA was meant to streamline payment services under a single piece of legislation by combining the PS(O)A and the MCRBA. Considering new developments in payment services and the associated risks, the PSA expands the scope of regulated payment services.

There are two regulatory frameworks under the PSA:

(1) a designation regime to designate significant payment systems and regulate operators, settlement institutions and participants of these designated payment systems; and

(2) a licensing regime to regulate the provision of payment services. Providers of payment services as prescribed by the PSA will be required to hold a licence accordingly. The activity-based licensing framework provides a modular approach to ensure that regulations are appropriately calibrated according to the risks that specific payment services pose for different business models.

Amendments to the PSA

More recently, on 2 April 2024, MAS expanded the scope of regulated payment services, amended ongoing compliance requirements, and imposed user protection requirements on DPT service providers.

In relation to anti-money laundering and countering the financing of terrorism (“AML/CFT”), MAS’ Notices on the “Prevention of Money Laundering and Countering the Financing of Terrorism” applicable to payment service providers (including digital payment token service providers) have been revised to apply to the expanded scope of regulated payment services. MAS’ notices typically impose legally binding requirements on a specified class of financial institutions or persons.

 

New requirements in licence application process

The licence application process was previously thorough and time-consuming, often involving several rounds of queries by MAS and detailed clarifications by the applicant following the initial submission. While the application process remains rigorous, it has become more streamlined, allowing applicants to demonstrate their understanding of regulatory obligations more efficiently.

The key amendments to the Guidelines on Licensing for Payment Service Providers, which took effect on 26 August 2024, include requirements for legal opinion and independent external audit. As a general note, MAS’ guidelines set out best practices that govern the conduct of specified institutions or persons. Contravening guidelines is not a criminal or civil offence, but how well guidelines are observed may have an impact on MAS’ overall risk assessment of the relevant institution or person.

Requirement for legal opinion

The legal opinion requirement is applicable to all new applicants seeking a licence under the PSA, as well as existing PSA licensees applying to vary their licence to add a DPT service. The legal opinion should, non-exhaustively, cover (a) a clear and concise summary of the applicant’s business model and each of the service(s)/product(s) the applicant intends to offer; (b) an assessment on whether the applicant’s proposed service(s)/product(s) are regulated payment services under the PSA; (c) a detailed explanation of how a relevant exemption or exclusion from regulation applies (if any); and (d) an acknowledgement that the legal opinion will be disclosed to MAS.

The legal opinion should be issued by a law firm that has experience in advising on matters relating to the PSA. MAS may request a second legal opinion if the initial legal opinion is unclear.

Requirement for independent audit by external auditor

New applicants and existing PSA licensees who intend to provide DPT services are required to appoint a qualified independent external auditor to assess their policies, procedures and controls in relation to AML/CFT and consumer protection.

The independent assessment report must have been issued and signed off by the external auditor within the last three months from the date of application submission and must be submitted with the requisite Form 1 or Form 2.

MAS may require the applicant to appoint another external auditor to perform the independent assessment again if there are concerns over the quality and/or comprehensiveness of the external auditor’s independent assessment.

There are prescribed minimum requirements on the criteria for external auditor(s) appointed to perform the independent assessment, specifically in relation to (a) the qualifications, credentials, and track record of the external auditor and its lead engagement partner; and (b) independence.

 

MAS Guidelines on Enhancing Consumer Protection

MAS published the Guidelines on Consumer Protection Measures by Digital Payment Token Service Providers (PS-G03) (the “Guidelines”), which took effect on 4 October 2024.

The non-exhaustive list of MAS expectations below outlines the key measures that a DPT service provider should have in place to address consumer protection risks:

(a) segregation of customers’ assets: DPT service providers can manage customer asset trust accounts directly or use a third party (“safeguarding person”), with regular reviews of arrangements;

(b) trust account maintenance with safeguarding person: DPT service providers must assess the safeguarding person’s suitability before engagement and disclose the relevant terms and conditions to customers;

(c) risk management: amongst others, DPT service providers must secure customer assets by storing at least 90% offline and ensuring that senior personnel who control asset movement are resident in Singapore;

(d) conflicts of interest: DPT service providers must have policies to manage potential conflicts between safeguarding assets and their business interests;

(e) customer disclosures: DPT service providers must inform customers about asset safeguarding, fees, and how instructions will be handled; and

(f) account statements: DPT service providers must issue monthly account statements and respond promptly to customers’ requests for account statements.

Commentary on the current licensing regime

The current licence application process focuses on understanding the applicant’s business model and identifying the specific business activities that are regulated. The application process was previously lengthy, involving multiple rounds of detailed explanations of the applicant’s business activities, due to the industry’s evolving nature and the large volume of applicants. However, the recent updates to the licence application process represent a step in the right direction for prospective applicants, offering a more streamlined and efficient process. It is now anticipated that, following the initial submission, engagement with MAS will place less emphasis on how the applicant’s business model aligns with the regulatory framework, as these considerations are more comprehensively addressed in the legal opinion submitted with the application, which offers a consistent analysis of business activities and processes by legal professionals. While MAS has yet to provide a concrete timeline for the application process, the current licence application process is expected to facilitate a swifter assessment of each applicant.

It is crucial for applicants to be fully prepared to meet the licensing criteria to ensure a smooth application process.

In view of the concerns relating to the collapse of FTX, increased protection of consumers relying on their personal assets to participate in DPT-related activities should be considered. Effective and robust arrangements by DPT service providers for the identification and segregation of customers’ assets are key to mitigating the risk of loss or misuse of customers’ assets during the DPT service provider’s ordinary course of business. Such arrangements are also aimed at facilitating the return of customers’ assets in the event of the DPT service provider’s insolvency.

Written by:

Ian Phung

ianphung@chp.law

Director