Singapore’s Payment Services Act 2019 (PSA)

In recent years, Singapore has seen rapid developments in its FinTech sector. The government and the country’s regulator – the Monetary Authority of Singapore (MAS) – have made significant efforts to ensure the country’s regulatory framework keeps up with this growth. One of the most important regulatory developments in this context is the Payment Services Act (PSA) of 2019. This act consolidated previous legislation to create a streamlined approach covering both new and traditional payment services. It came into effect in January 2020.

What is Singapore’s Payment Services Act (PSA)?

The Payment Services Act (PSA) in Singapore is a regulation that oversees and governs payment services and digital payment transactions. Passed into law on January 14, 2019, and into legal effect on January 28, 2020, the PSA combines the previous Payment Systems (Oversight) Act 2006 and the Money-Changing and Remittance Businesses Act 1979 to form a single legal framework.

Intended to prepare Singapore’s payments industry for the future without stifling FinTech innovation, the PSA sets out regulatory requirements for payment service providers in Singapore and gives the Monetary Authority of Singapore (MAS) legal oversight of payments systems.

Accordingly, the PSA serves two parallel regulatory frameworks: 

• The first protects Singapore’s financial stability and ensures fair competition;
• The second enables MAS to implement a licensing regime and directly supervise payment systems and payment service providers by imposing AML/CFT regulations. 

To comply with the Payment Services Act, Singapore’s payment service providers must be familiar with its regulatory scope and the AML/CFT obligations it entails.

Payment Services Act regulatory scope

The Payment Services Act (PSA) governs a range of payment services within Singapore. This includes services involved in issuing payment accounts to customers and operations necessary for a payment account’s functioning; notable examples are non-bank credit cards and e-wallets. 

Moreover, the PSA encompasses services facilitating the domestic transfer of funds across Singapore, which can be offered through online payment gateways and physical payment kiosks. 

Alongside this, international money transfer services, enabling cross-border fund transfers to and from Singapore, fall under the PSA’s regulation. 

Additionally, the act covers merchant acquisition services where service providers handle payment processing on merchants’ behalf, with payment gateways and point-of-sale card terminals being prime examples. Lastly, money-changing services, crucial for the buying and selling of foreign currencies within Singapore – including those provided by online platforms and physical currency exchange outlets – are regulated under the PSA. 

Amendments to the PSA in 2019 expanded its scope to better align with Financial Action Task Force (FATF) standards and to extend its regulatory reach to services associated with virtual assets and currencies. Accordingly, the PSA also applies to:

• E-money issuance services: Services that facilitate the issuance of e-money that customers can store in e-wallets, transfer to others and use to pay for goods and services.
• Digital payment token (DPT) services: These include providers offering exchange services or platforms for buying and selling DPTs, also known as cryptocurrencies, within Singapore.

AML requirements for PSPs under the Payment Service Act

Under the PSA, Singapore payment services must take a risk-based approach to the money laundering and terrorism financing threats they face and implement the following measures as part of an internal AML/CFT policy:

• Customer due diligence (CDD): Firms must take steps to verify their customers’ identities and the nature of the business in which they are involved. Financial institutions (FIs) may conduct simplified due diligence (SDD) if their risk assessment suggests that it is safe. However, they must also implement enhanced due diligence (EDD) when their customers present a greater level of criminal risk.
• Transaction monitoring: Payment services firms must monitor their customers’ transactions for signs of money laundering and terrorism financing. The monitoring process should be built around a set of criteria, including transaction thresholds, irregular transaction patterns, and transactions to and from high-risk countries. 
• AML screening: Payment services firms should screen their customers against relevant international sanctions lists, such as the UNSC sanctions list and MAS’ sanctions list. Firms should also conduct ongoing screening for politically exposed persons (PEPs) and adverse media checks for their customers.
• Reporting and record-keeping: Payment services firms must have a process for submitting suspicious transaction reports to MAS and maintain detailed records of their customers’ account activity for AML/CFT purposes.

A Guide to AML/CFT for Singaporean FinTechs

The Guide to AML/CFT for Singaporean Fintechs provides firms with useful guideposts and pointers on approaching common risks to help them address key issues around AML/CFT.

Download your copy

AML requirements for DPT services

The application of the PSA to DPT service providers is a significant regulatory step for the use of cryptocurrency in Singapore. Under the PSA, providers of cryptocurrencies and cryptocurrency exchange services must, like other service providers, obtain a license from MAS to operate and comply with a range of AML/CFT requirements. The new rules expand the definition of digital payment token services to any provider that transfers cryptocurrency across accounts (or arranges that transfer) within Singapore or beyond its borders.

The PSA imposes certain specific AML/CFT regulations on DPT service providers. These include:

• Monitoring cross-border value transfer: Special monitoring of cross-border transfers of DPT, including the prohibition of transactions with designated persons and entities. 
• Occasional transaction thresholds: The FATF has proposed lowering the threshold for conducting CDD on occasional transactions involving DPT to USD/EUR1,000. However, under the PSA, MAS has not specified a transaction threshold, and service providers must conduct CDD on all DPT occasional transactions regardless of the amount involved.

However, in April 2024, MAS announced changes to the PSA and its subsidiary legislation. These changes expand MAS’ regulation of payment services and introduce requirements for user protection and financial stability related to DPT service providers. As a result, the following activities are now regulated under the PSA:

• Providing custodial services for DPTs.
• Facilitating the transmission and exchange of DPTs between accounts, even if the service provider does not take possession of the money or DPTs.
• Facilitating cross-border money transfers, even if the money is not accepted or received in Singapore.

Transitional arrangements will be made for entities currently conducting activities under the expanded scope of the PS Act. These entities must notify MAS within 30 days and submit a license application by October 2024 to continue their activities on a temporary basis while MAS reviews their license applications. The license application must be accompanied by an attestation report of the entity’s business activities and compliance with AML/CFT requirements, duly completed by a qualified external auditor by January 2025.

Entities that do not meet the above requirements are required to cease their activities when the amendments come into effect.

The amended Payment Services Regulations on safeguarding assets belonging to customers of DPT service providers will take from October 2024. These regulations include: 

• Segregating customers’ assets.
• Placing them in a trust account for their benefit.
• Maintaining proper books and records.
• Ensuring the implementation of effective systems and controls to protect the integrity and security of customers’ assets.

To fulfill their CDD responsibilities, MAS requires DPTs to collect a customer’s name, nationality, unique ID number (such as passport or NRIC number), residential or business address, and date of birth (or date of incorporation).

A Guide to Anti-Money Laundering for Crypto Firms

This guide is a practical resource for compliance professionals in the crypto industry, covering the essentials of building and scaling a crypto AML program, navigating regulatory change, and identifying emerging use cases and threats.

Download your copy

Impact and challenges of the PSA on the payment industry

Since its introduction in 2019, the PSA has significantly impacted Singapore’s payment industry, strengthening the supervision of the digital payments industry and increasing consumer protection. However, keeping up with an ever-evolving regulatory landscape can create a variety of challenges for firms as they strive to grow their business while mitigating risk and remaining compliant. Some of these challenges include:

• The rising cost of compliance and operational changes: Obligated entities must notify MAS and apply for a PSA license, which can involve significant administrative effort and costs. Firms may also need to review and update their systems to comply with new AML/CFT measures and consumer protection guidelines introduced in April 2024, which could require investment in advanced technology and staff training. In fact, FIs in Singapore spent S$7.8 billion (US$5.7 billion) to fight crime and meet regulatory obligations in 2023 – marking a 50 percent increase from 2022. 
• Increased regulatory scrutiny: With more entities falling under the PSA’s purview, smaller firms and start-up companies will indubitably feel an increased compliance burden. Without the right tools in place, continuous monitoring, screening, and reporting can also impose an ongoing regulatory burden, necessitating dedicated resources and expertise.
• Market entry and heightened competition: Stringent regulatory requirements outlined in the PSA could deter new entrants into Singapore’s payments market, potentially stifling innovation and competition. On the flip side, existing licensed entities might have an advantage over new entrants, possibly leading to market consolidation.
• Technological and security challenges: Ensuring the security of customer assets and data in compliance with MAS guidelines is complex, especially given the continuous emergence of sophisticated cyber threats. 

Best practices to comply with PSA’s AML obligations

To ensure compliance with the PSA and its AML obligations in Singapore, PSPs should review the following best practices:

• Implement real-time payment screening tools to detect suspicious transactions and high-risk activities promptly, in accordance with the PSA’s requirement for effective transaction monitoring (Section 28).
• Leverage advanced machine learning (ML) algorithms to analyze transaction patterns and identify anomalies. 
• Assess the risk profile of customers and transactions, applying appropriate levels of scrutiny as outlined in MAS Notice PSN01.
• Educate employees on AML regulations, red flags, and the importance of compliance, as mandated by the MAS guidelines.
• Establish clear protocols for reporting suspicious activities to the Suspicious Transaction Reporting Office (STRO) in a timely manner, as stipulated by the PSA.