In January 2020, Singapore’s Payment Services Act (PSA) came into effect. It’s the nation’s first law providing a legal definition for cryptocurrencies and a licensing framework for cryptocurrency businesses, as well as compliance requirements that fall in line with FATF recommendations. Already, the PSA makes Singapore one of the more advanced countries in terms of cryptocurrency regulation.
In August, the Monetary Authority of Singapore (MAS) took another positive step when it released an informational paper earlier this month laying out the Enterprise-wide Risk Assessment (EWRA), a framework for how cryptocurrency businesses and other payment services governed by the PSA can measure the efficacy of their compliance programs.
Resources like the EWRA are a logical next step for financial regulators in countries like Singapore that have already passed strong, FATF-aligned cryptocurrency regulations. The EWRA equips companies with a framework to measure how successful their compliance program is in meeting regulations, allowing them to identify gaps and vulnerabilities. Below, we’ll run through some of the key points in both the PSA and EWRA informational paper.
The Payment Services Act
The PSA combines two pre-existing laws to establish frameworks for designating and licensing payment services of several different types, in both crypto and fiat, as well as for identifying the largest of these services for additional regulation. The PSA is the first Singaporean law to provide a legal definition for cryptocurrencies, referring to them as digital payment tokens. Under the PSA, digital payment tokens are any digital representation of value that:
- Is expressed as a unit
- Is not denominated in or pegged to any currency
- Is, or is intended to be, a medium of exchange accepted by the public as payment for goods or services or for the discharge of a debt
- Can be transferred, stored or traded electronically.
Likewise, the PSA defines digital payment token services as any that:
- Deals in digital payment tokens
- Facilitates the exchange of digital payment tokens.
Under the PSA, all payment services, including cryptocurrency businesses, must obtain one of two licenses to operate in Singapore:
- The default is the standard payment institution license. These businesses must meet several business conduct requirements including the establishment of a registered physical office in Singapore, submission of audit reports, and meeting of capital and security deposit requirements.
- Payment services whose average monthly transaction value exceeds $3 million USD over a calendar year must obtain a major payment institution license and meet higher capital and security deposit requirements.
Finally, the PSA lays out risk-based AML/CFT requirements largely mirroring those recommended by FATF. These include:
- Collection of KYC information from platform users
- Customer due diligence
- Suspicious transaction monitoring and reporting.
The PSA provides clear compliance requirements for cryptocurrency businesses that, crucially, align with FATF recommendations.
Enterprise-wide risk assessment document
Earlier this month, the MAS published an informational paper laying out the enterprise-wide risk assessment (EWRA), a framework for designated payment services, including cryptocurrency businesses, to build a risk-based compliance program that keeps them in line with the PSA. The EWRA provides guidance on how payment services can achieve six key outcomes that, taken together, would ensure compliance is maintained after licensing:
- Senior management at payment services maintain active oversight to ensure compliance requirements are met
- Payment services have systematic frameworks for assessing risk and effectiveness of compliance programs
- Payment services use quantitative and qualitative analysis to assess risk
- Payment services assess the effectiveness of all compliance controls, including policies and procedures, testing results, and assessments of organizational culture
- Payment services maintain a systematic process to address areas for improvement they identify in ongoing assessments, including third-party audits
- Payment services maintain a structured process to perform gap analysis on their compliance programs against guidance papers and incorporate best practices to fill those gaps as needed
You can read the EWRA informational paper itself to see MAS’s specific recommendations for how to achieve each desired outcome, including detailed case studies on conducting risk assessments across a number of variables, using data analytics for AML/CFT purposes, addressing compliance program deficiencies, and more.
We applaud MAS for releasing such detailed, prescriptive guidance that makes it clear how Singapore-based cryptocurrency businesses can establish effective, constantly improving compliance programs.