The Monetary Authority of Singapore (MAS) last week (finally) introduced amendments to the Payment Services Act (PS Act) and its subsidiary legislation to expand the scope of payment services regulated by MAS, and to impose user protection and financial stability-related requirements on digital payment token (DPT) service providers - read the MAS notice here
Many consultants, lawyers and auditors have given their take on the immediate implications for the market. See for instance this article by ClyDeco or this interview with Chris Holland which is particularly concise and helpful.
We’re not a law firm and I have no intention of outdoing the summaries that others already have published, but let me make a few observations about timelines and what is required from the firms affected.
By May 3 this year payment service
providers – dealing with Digital Payment Tokens or more traditional modes of
payment – that are currently not regulated need to indicate to MAS if they will
apply for a license or will cease their (to be regulated) activities in
Singapore.
That means that each PSP had 19 (!)
working days (and counting) to make an impact assessment. The regulation had
been pending for years so many firms are well prepared but there will be
companies panicking to get their act together. A thorough, yet fast, risk
assessment and impact analysis will be required likely with external help from
a specialist consultant.
Assuming a positive decision is taken and the PSP decides to apply for a license - and notifies MAS of that decision – another 5 months of hard work lie ahead because by October 3, 2024 that license application needs to be submitted. Followed by an attestation done by an external auditor latest early January 2025 to demonstrate that the PSP is indeed compliant.
From our experience it is first of
all of key importance not to underestimate the work to be done and focus on the
following 5 areas.
1. Start
building your management information beginning with collecting and
organising data from 2022 and 2023, using the same data set to build up in 2024
and 2025. This to be able to demonstrate relevant information on clients and
transactions for internal use but also to be used towards the regulator and the
compulsory audit in January 2025.
2. Do
a thorough yet fast risk assessment and plan the implementation of short-term
risk mitigation measures.
3. Review
and update the design of your AML Program.
4. Make
a training plan and ensure all staff is trained.
5. Implement
and monitor progress on an ongoing
basis.
Most likely you need help with this,
given the short timeframe. Keep in mind that you don’t just need advise, you
need to build something that works. Operational compliance is key.
