Payment Services Act commencing January 2020: application forms, notifications, exemptions, regulations, requirements, compliance

The Payment Services Act (“PSA”) will commence on 28 January 2020.

MAS has issued the Guidelines on Licensing for Payment Service Providers, Guideline No: PS-G01 (18 December 2019), specimen forms for the PSA and various notices and guidelines.

Summary of Considerations for Payments Service Providers

  1. If you provide any service, incidental to your core business or otherwise, which involves payments, consider if you are regulated under the PSA.
  2. Consider whether your service falls within any exemptions under the PSA.
  3. If you have been offering certain services prior to the PSA’s commencement, notify MAS of the same between 28 January and 27 February 2020 to enjoy a limited period of licence-exemption.
  4. Prepare for all necessary requirements, including policies and procedures to achieve compliance with the PSA, PS Regulations and MAS Notices. These include:
    1. Governance and ownership requirements
    2. Base capital requirements
    3. Security furnished to MAS
    4. Safeguarding clients funds
    5. Competency and fit & proper requirements of key individuals
    6. Registered office and place of business
    7. Compliance arrangements
    8. Technology risk management
    9. Audit arrangements
    10. Anti-money laundering and countering financing of terrorism arrangements
    11. Cyberhygiene and security
    12. Business conduct requirements
    13. Periodic reporting to MAS
    14. Disclosures and communications
    15. E-payment user protection
  5. Make the necessary licence application to MAS.

Table of Regulated Activities

 

Activity Type Brief Description
 

Activity A

Account issuance service

The service of issuing a payment account or any service relating to any operation required for operating a payment account, such as an e-wallet (including certain multi-purpose stored value cards) or a non-bank issued credit card.
Activity B

Domestic money transfer service

Providing local funds transfer service in Singapore. This includes payment gateway services and payment kiosk services.
Activity C

Cross-border money transfer service

 

Providing inbound or outbound remittance service in Singapore.

 

Activity D

Merchant acquisition service

Providing merchant acquisition service in Singapore where the service provider processes payment transactions from the merchant and processes payment receipts on behalf of the merchant. Usually the service includes providing a point-of- sale terminal or online payment gateway.
Activity E

E-money issuance service

Issuing e-money to allow the user to pay merchants or transfer to another individual.
Activity F

Digital payment token service

Buying or selling digital payment tokens (“DPTs”) (commonly known as cryptocurrencies), or providing a platform to allow persons to exchange DPTs.
Activity G

Money-changing service

 

Buying or selling foreign currency notes.

Exclusions / Non-Exclusions from Regulated Activities

 

  1. No incidental service exemption:
    • There is no exemption for payment services that are incidental to a core business. Incidental payment services are expressly regulated in the PSA (sections 2(4), 5(2)).[i] Express disapplication of the holding in Chinpo Shipping Co (Pte) Ltd v. Public Prosecutor [2017] 4 SLR 983 (HC),[1] where the court held that the MCRBA prohibits unlicensed business of accepting moneys for transmission to persons outside Singapore rather than the mere act to that effect, and the provision of remittance as a service in its own right rather than simply as an incident to a core business.
    • MAS has given the example of online marketplace operators offering payment services to facilitate transactions in the marketplace—such operators must have a licence.[2] MAS views that such incidental services carry similar regulatory risks to payment services that are not related or not incidental.
    • However, payment services provided by any person regulated or exempt under the (i) Financial Advisers Act; (ii) Insurance Act; (iii) Securities and Futures Act; (iv) Trust Companies Act, that is solely incidental to or necessary solely for the carrying on of any regulated activity under these Acts are excluded from the PSA as the AML CTF risks are regulated under other MAS regulations.[3]

 

  1. Excluded: limited purpose e-money.
    • Part 2 and Part 3 of First Schedule, PSA defines excluded payment services. This includes any service relating to only limited purpose e-money.[ii] This includes:
    • e-money used to pay for goods or services by the issuer (or limited network of providers which has arrangement with issuer);
    • loyalty programs e-money / credit,
    • e-money that can only be used for payment or part payment of goods or services provided by merchants within the physical premises operated, owned or managed by the issuer (or its related corporations or associated companies) (subject to conditions, e.g. no refund or withdrawal, not exceeding $1,000 in account).

 

  1. Excluded: limited purpose digital payment tokens / virtual currencies.
    • Means non‑monetary customer loyalty or reward point, any in‑game asset, or any similar digital representation of value that (a) cannot be returned to its issuer, transferred or sold in exchange for money; and (b) may only be used–
      • in the case of a loyalty or reward point, for payment or part payment of, or in exchange for, goods or services, or both, provided by its issuer or any merchant specified by its issuer; or
    • for in‑game asset, for the payment of, or in exchange for, virtual objects or virtual services within an online game, etc.

 

Types of Licences

 

  1. There are three types of licences as set out in section 6 of the PS Act:
  • apply for a money-changing (“MC”) licence if it only intends to carry out money-changing service; or,
  • in any other case, apply for:
    • a Standard Payment Institution (“SPI”) licence if it intends to conduct payment services below the specified thresholds; or
    • a Major Payment Institution (“MPI”) licence if it intends to conduct payment services without being subject to the specified thresholds.
  1. The thresholds are set out in section 6(5) of the Act and are, in summary:
    • S$3m monthly transactions for any activity type
    • S$6m monthly transactions for two or more activity types
    • S$5m of daily outstanding e-money
  2. Main difference between SPI and MPI:
    • Base Capital – SPI: S$100,000; MPI: S$250,000.
    • Security: monthly ≤ S$6 million $100,000; > S$6 million: $200,000.
    • MPI providing (a) a domestic money transfer service; (b) a cross‑border money transfer service; (c) a merchant acquisition service; (d) an e‑money issuance service, must safeguard e-money floats or customers’ funds: 1) an undertaking or guarantee by any bank in Singapore or prescribed financial institution to be fully liable to the customer for such monies; 2) a deposit in a trust account; or 3) any other safeguards as may be prescribed by MAS.
    • Other compliance requirements likely the same for SPI and MPI in terms of type but different in terms of degree.
  3. Variation or change of licence – A licensee must apply for a variation or change of licence in Form 2 if it intends to (i) add or remove any payment service, or (ii) change its licence
  4. Designated payment systems. MAS may designate any payment system under PSA (s 42). Similar to current scheme in POSA.
    • DPS generally are payment systems with potential significant adverse impact on the wider financial system of Singapore, e.g. it’s widely used or recognised.
    • MAS may impose additional conditions or restrictions on DPS. Obligations under PSA (s 47-71) include: to notify MAS of certain prescribed events, including new businesses and acquisitions, to submit periodic reports to MAS, to seek MAS and Court approval for transfers of the business, to seek MAS approval for change in shareholder controllers of the DPS and appointments of CEOs and directors, and annual audit.
    • Different category from SPI and MPI. SPI or MPI may be designated.

 

Notification & Exemption

 

Persons who, before the commencement date of the PSA, carried on an account issuance service, domestic money transfer service, merchant acquisition service, e-money issuance service and/or DPT service (specific payment services), should notify MAS of the date on which they commenced the business of providing the specific payment services.

MAS has issued a sample of the Notification Form for the Purpose of Exemption for Holding a Licence under the Payment Services Act for the Specified Period (Notification Form).

Notifications will be accepted via the online version of the Notification Form on MAS website between 28 January 2020 and 27 February 2020.

Persons who make a successful notification will be exempt from having to apply for and hold a licence with respect to the specific payment services for the specified period (six months from 28 January 2020 for providers of a DPT service and 12 months from 28 January 2020 for the other relevant payment services).

 

Admission Criteria

 

  1. Governance and ownership requirements
Entity type Governance/Ownership requirements
Sole-proprietor ·        The applicant must be a Singapore citizen.

·        The applicant must have a minimum of 1 year’s relevant working or business experience on a full-time basis.

Partnership or Limited Liability Partnership (LLP) ·        The majority of its partners should be Singapore citizens. If there are only two partners, only one needs to be a Singapore citizen.

·        Each partner must have a minimum of 1 year’s relevant working or business experience on a full-time basis.

Singapore-owned Company ·        More than 50% of the equity shareholdings should be beneficially owned and effectively controlled by Singapore citizens.

·        A majority of the board of directors of the company should be Singapore citizens. If there are only two directors, only one of the directors needs to be a Singapore citizen.

·        Each executive director must have a minimum of 1 year’s relevant working or business experience on a full-time basis.

Singapore incorporated wholly-owned subsidiary of a foreign bank, or a foreign company primarily engaged in money- changing ·        The parent company must:

o   Be of significant size. In case of a foreign bank, it needs to rank among the top banks in the country where it is incorporated.

o    Possess a good track record and reputation.

o   Be adequately regulated and supervised by its home supervisory authority for AML/CFT.

 

Table A1-2 – Governance/Ownership Requirements for Standard or Major Payment Institution Licence

 

Entity type Governance/Ownership requirements
Singapore- incorporated company ·        At least one Executive Director[4] of the applicant is a Singapore citizen or permanent resident; or,

·        At least one Executive Director of the applicant is a Singapore Employment Pass holder and at least one other director of the applicant is a Singapore citizen or permanent resident

Singapore branch of a foreign- incorporated company

 

  1. Fit and Proper requirements[5]
  2. Competency of Key Individuals – sufficient experience, educational qualifications and professional certification in payment services or financial services.
  3. Permanent place of business or registered office – office area where books and records securely held. At least one person to be present to address any queries or complaints from [6]
  4. Base Capital – SPI: S$100,000; MPI: S$250,000
  5. Security – cash deposit with MAS or a bank guarantee in the prescribed

 

 

Category

Security Requirement
The average, over a calendar year, of the total value of all payment transactions in one month does not exceed S$6 million for any one payment service  

 

S$100,000

All other cases S$200,000
  1. Compliance Arrangements – commensurate with nature, scale and complexity of “Ultimate responsibility and accountability rest with sole-proprietor, partners, or directors and CEO, and compliance officer”.
    • An independent compliance function – staff who are suitably Compliance staff may perform other non-conflicting and complementary roles such as that of an in-house legal counsel.
    • Compliance support from holding company or overseas related entity – compliance support from an independent and dedicated compliance team at its holding company, or at an overseas related entity, provided that it is able to demonstrate that there is adequate oversight by the applicant’s compliance officer, sole-proprietor, partners, or directors and CEO and other senior management.
    • The applicant must also develop appropriate compliance management arrangements, including at least, the appointment of a suitably qualified compliance officer at the management level. This individual is expected to have sufficient expertise and authority to oversee the compliance function of the applicant, although he may be assisted by other staff in day-to-day
    • If this officer has yet to be employed at the point of application, he/she must, at the minimum, have been identified at the point of application and must be employed and appointed prior to the applicant commencing business.
  2. Technology Risk Management – for online financial services, penetration test of proposed online financial services, remediate all high-risk findings identified, and conduct independent validation on the effectiveness of the remediation
    • Identify risks and develop SOPs regarding IT systems, cloud computing & storage, outsourced IT vendors, software migration, cybersecurity, encryption, data loss & backup, system availability and recovery, data centre, user access control.
    • It’s a risk management framework, i.e. highly dependent on your specific business operations and systems.
    • Penetration testing should be conducted prior to commissioning new system which offers internet accessibility and open network interfaces.
    • Source code review for vulnerabilities, errors, poor coding practices.
  3. Audit Arrangements – independent audit arrangements regarding procedures, controls, and compliance with regulatory requirements. Audit may be conducted by an internal audit function within the applicant, an independent internal audit team from the head office of the applicant, or outsourced to a third party service provider.
  4. Annual Audit Requirements – section 37 of the PS Audit of accounts and transactions, and compliance with the relevant regulations and requirements.
  5. Letter of Responsibility and/or Letter of Undertaking – from the applicant’s majority shareholders, parent company and/or related
  6. Other Factors – MAS may also take into consideration factors such as:
    • track record and financial condition of the applicant, its holding company or related corporations, where applicable;
    • operational readiness of the applicant, including ability to comply with regulatory requirements;
    • whether the applicant, its holding company or related corporations are subject to proper supervision by a competent regulatory authority;
    • commitment of the applicant’s holding company to operations in Singapore; and
    • whether the public interest will be served by granting a licence.

Ongoing Requirements

  1. Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) Requirements – Notices on the Prevention of Money Laundering and Countering the Financing of Terrorism [PSN01 and/or PSN02] and Notice on Reporting of Suspicious Activities & Incidents of Fraud [PSN03].
  2. Periodic Returns – submit periodic regulatory returns in accordance with the PSR. The requirements are set out in the Notice on Submission of Regulatory Returns [PSN04].
  3. Cyber Hygiene Notice on Cyber Hygiene [PSN06] (effective 6 August 2020) and put in place appropriate safeguards to protect customer information.
    • Secure admin accounts. Security patches applied to address vulnerabilities to every system timely. Written set of security standards for every system. Network perimeter to restrict unauthorized network traffic. Malware protection. Multi-factor authentication for all admin accounts and accounts to access customer info.
  4. Business Conduct – PSA, PSR and Notice on Conduct [PSN07]. Include safeguarding of customers’ monies, record of transactions, issuance of receipts, adhering to the prescribed time period for transmission of money, display of exchange rate and fees, and notification of normal business hours. Comply with all prohibitions and restrictions, including personal payment account stock and flow restrictions,[7] as well as prohibited business
  5. Disclosures and Communications – Accurate representation on the scope of its licence and provide the disclosures set out in the Notice on Disclosures and Communications [PSN08] . Ensure customers receive timely updates regarding any material changes to the
  6. Annual Audit Requirements – annual audit of accounts and transactions, and compliance with regulations and requirements. Auditor must submit a report to MAS in Form 4.
  7. Licensees should also understand and apply the relevant MAS Guidelines such as the Guidelines on Technology Risk Management and E-payments User Protection Guidelines, and keep abreast of regulatory
  8. E-payments user protection guidelines obligations include:
    • Informing account holder of their user protection duties.
    • Notify account holders of outgoing transactions.
    • Allow account user to confirm payment transaction and recipient credentials.
    • Have reporting channel for unauthorized or erroneous transactions.
    • Assess and investigate claims by account holders of unauthorized transactions, process holders’ claims.

[1] Case summary https://www.supremecourt.gov.sg/news/case-summaries/chinpo-shipping-company-private-limited-v-public-prosecutor

[2] Response to Feedback Received on Proposed Payment Services Bill MAS P0212017.

[3] Paragraph 2(i) of First Schedule: any payment service mentioned in Part 1 of this Schedule that is provided by any person licensed, approved, registered or regulated, or exempt from being licensed, approved, registered or regulated, under any of the following Acts, in any case where the payment service is solely incidental to or necessary solely for that person to carry on that person’s business in any regulated activity for which that person is so licensed, approved, registered, regulated or exempt from being licensed, approved, registered or regulated:

(i)    Financial Advisers Act (Cap. 110);

(ii)   Insurance Act (Cap. 142);

(iii)  Securities and Futures Act (Cap. 289);

(iv) Trust Companies Act (Cap. 336);

[4] As set out in section 2 of the PS Act, executive directors should be involved in the day-to-day running of and making of executive decisions on behalf of the business or operations of the applicant. They are expected to be resident in Singapore to oversee the activities of the licensee. Nominee directors such as investors, legal advisers or corporate secretaries are not Executive Directors. Non- Executive Directors provide oversight as members on the Board of Directors, but are not involved in the day-to-day business or operations of the licensee. The job titles and designations of directors should reflect the substance of the role and responsibilities of the individual.

[5] Sole-proprietor, partners, or directors and CEO, shareholders and employees, as well as the applicant itself, are fit and proper, in accordance with the Guidelines on Fit and Proper Criteria [FSG-G01]. The entity and group should not have any adverse reputation, particularly with regard to financial crime.

[6] As set out in MAS Notice PSN07, licensees must appoint at least one person to be present at its permanent place of business or registered office for a minimum of 10 days a month and a minimum of eight hours on each of those days during its normal business hours, unless:

  • it has notified all its customers in writing and in advance of any planned non-operating days that will prevent it from meeting the specified days and hours; or
  • there are circumstances beyond the control of the licensee that could not reasonably have been foreseen that prevent it from meeting the specified days and

[7] Personal payment accounts will be subject to a stock cap, which is the maximum amount of funds that can be held in a personal payment account at any given time. They will also be subject to an annual flow cap. This is the maximum cumulative amount of yearly outflows from the personal payment account, other than to the user’s designated bank accounts. The stock and flow caps were calibrated with due regard to consumer needs and existing industry practices, and will be set initially at $5,000 and $30,000 respectively: https://www.mas.gov.sg/news/speeches/2019/payment-services-bill

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.