The new Payment Services Act in Singapore

 The Monetary Authority of Singapore (MAS) last week (finally) introduced amendments to the Payment Services Act (PS Act) and its subsidiary legislation to expand the scope of payment services regulated by MAS, and to impose user protection and financial stability-related requirements on digital payment token (DPT) service providers - read the  MAS notice here

 

Many consultants, lawyers and auditors have given their take on the immediate implications for the market. See for instance this article by ClyDeco or this interview with Chris Holland which is particularly concise and helpful.

We’re not a law firm and I have no intention of outdoing the summaries that others already have published, but let me make a few observations about timelines and what is required from the firms affected.

By May 3 this year payment service providers – dealing with Digital Payment Tokens or more traditional modes of payment – that are currently not regulated need to indicate to MAS if they will apply for a license or will cease their (to be regulated) activities in Singapore.

That means that each PSP had 19 (!) working days (and counting) to make an impact assessment. The regulation had been pending for years so many firms are well prepared but there will be companies panicking to get their act together. A thorough, yet fast, risk assessment and impact analysis will be required likely with external help from a specialist consultant.

Assuming a positive decision is taken and the PSP decides to apply for a license - and notifies MAS of that decision – another 5 months of hard work lie ahead because by October 3, 2024 that license application needs to be submitted. Followed by an attestation done by an external auditor latest early January 2025 to demonstrate that the PSP is indeed compliant.

From our experience it is first of all of key importance not to underestimate the work to be done and focus on the following 5 areas.

1.    Start building your management information beginning with collecting and organising data from 2022 and 2023, using the same data set to build up in 2024 and 2025. This to be able to demonstrate relevant information on clients and transactions for internal use but also to be used towards the regulator and the compulsory audit in January 2025.

2.    Do a thorough yet fast risk assessment and plan the implementation of short-term risk mitigation measures.

3.    Review and update the design of your AML Program.

4.    Make a training plan and ensure all staff is trained.

5.    Implement and monitor progress on an ongoing basis.

Most likely you need help with this, given the short timeframe. Keep in mind that you don’t just need advise, you need to build something that works. Operational compliance is key.

Trace Together and other government apps

 

The announcement – summarised by the Straits Times here is of course good news and not really surprising. Although I guess it’s news because many people would not have been surprised if the government would have announced that they keep the data a little longer…. for whatever reason.

But that didn’t happen.

 However, just a few weeks ago there was a public outcry over the new EZ link card mostly focused on the fact that it was inconvenient and not needed.

Comments related to the government not having put enough efforts into explaining the need. But maybe there was no need at all, at least not from the point of view of the average public transport user.

Then there is the Singapore HealthHub app in which (on the back of the vaccination drives during the pandemic) not only the covid vaccinations but essentially all personal medical data, appointments and what have you are registered.

All properly secured via the SingPass app but still… I assume the government has access to these data as well.

Then… over the weekend I wanted to go for a swim at one of the Swimming Centres – you used to be able to pay cash or with your (old style) EZ link card but that is no longer possible. You need to register (with SingPass or a photo-id) on the ActiveSG app.. another  government controlled app, with all sorts of personal (behavioural) data.

So maybe there is no master plan from the  Singapore government around or behind all this…. Fact is though that apps – government controlled or government supported apps – contain a lot of data that – when combined and/or used for unintended purposes could pose all sorts of dangers.

 

 

Any thoughts? Am I overthinking things here or seeing ghosts??

Find us at www.i-kyc.com or mail us at info@i-kyc.com