April 10, 2024

The Monetary Authority of Singapore (MAS) last week (finally) introduced amendments to the Payment Services Act (PS Act) and its subsidiary legislation to expand the scope of payment services regulated by MAS, and to impose user protection and financial stability-related requirements on digital payment token (DPT) service providers. Read the MAS announcement here.

Many consultants, lawyers and auditors have given their take on the immediate implications for the market. See for instance this summary by Clydeco or this interview with Chris Holland which is particularly concise and helpful.

We’re not a law firm and I have no intention of outdoing the summaries that others already have published, but let me make a few observations about timelines and what is required from the firms affected.

By May 3 this year payment service providers – dealing with Digital Payment Tokens or more traditional modes of payment – that are currently not regulated need to indicate to MAS if they will apply for a license or will cease their (to be regulated) activities in Singapore.

That means that each PSP had 19 (!) working days (and counting) to make an impact assessment. The regulation had been pending for years so many firms are well prepared but there will be companies panicking to get their act together. A thorough, yet fast, risk assessment and impact analysis will be required likely with external help from a specialist consultant.

Assuming a positive decision is taken and the PSP decides to apply for a license – and notifies MAS of that decision – another 5 months of hard work lie ahead because by October 3, 2024 that license application needs to be submitted. Followed by an attestation done by an external auditor latest early January 2025 to demonstrate that the PSP is indeed compliant.

 

 

From our experience it is first of all of key importance not to underestimate the work to be done and focus on the following 5 areas.

  1. Start building your management information beginning with collecting and organising data from 2022 and 2023, using the same data set to build up in 2024 and 2025. This to be able to demonstrate relevant information on clients and transactions for internal use but also to be used towards the regulator and the compulsory audit in January 2025.
  2. Do a thorough yet fast risk assessment and plan the implementation of short-term risk mitigation measures.
  3. Review and update the design of your AML Program.
  4. Make a training plan and ensure all staff is trained.
  5. Implement and monitor progress on an ongoing basis.

Most likely you need help with this, given the short timeframe. Keep in mind that you don’t just need advise, you need to build something that works. Operational compliance is key.

Any thoughts?

Find us at www.i-kyc.com or mail us at info@i-kyc.com