On 5 July 2019, the Monetary Authority of Singapore (MAS) published a Consultation Paper on Payment Services Notices and Guidelines under the Payment Services Act 2019 (PSA). The public consultation is open until 5 August 2019.
Payment Services Notices
MAS has previously consulted on the Payment Services Regulations (please see our article here) and on notices on the prevention of money laundering and countering the financing of terrorism applicable to payment services providers (PSPs) (please see our article here). In this consultation, MAS proposes to issue notices on the following topics:
- Reporting of suspicious activities and incidents of fraud (PSNO3): PSA licensees and operators and settlement institutions of designated payment systems (DPS) must lodge a report on suspicious activities and incidents of fraud with MAS within five working days after the discovery of the activity or incident. Incidents of fraud must also be reported to the police.
- Submission of regulatory returns (PSNO4) and submission of statement of transactions and profit/loss (PSNO4A): PSA licensees must regularly submit information to MAS relating to the payment services they provide, such as account statistics, transaction value and volume, e-money float and (where applicable) money subject to safeguarding requirements. This will allow MAS to understand, monitor and supervise each licensee’s payment activities.
A 6-month transition period will be granted to money-changing licensees and remittance licensees under the Money Changing and Remittance Business Act (MCRBA) and approved holders of a widely accepted storage value facility under the Payment Systems (Oversight) Act (PSOA) before they will be required to comply with PSNO4. During the transition period, these licensees and approved holders must submit a statement of transactions and profit/loss under PSNO4A.
- Technology risk management (PSNO5): DPS operators and settlement institutions must have a framework to identify critical systems, limit unscheduled downtime, establish recovery time objectives, notify MAS of a relevant incident and submit a root cause and impact analysis report to MAS. MAS does not intend to apply PSNO5 to PSA licensees at this time.
- Cyber hygiene (PSNO6): PSNO6 prescribes basic cyber security measures applicable to PSA licensees and DPS operators to establish baseline defences against cyber threats. These measures include implementation of security standards, network perimeter controls and malware protection systems, and use of security patches and multi-factor authentication. PSNO6 is proposed to take effect in July 2020, at the same time the Notice on Cyber Hygiene issued to other financial institutions will commence.
- Conduct (PSNO7): PSA licensees, exempt PSPs, and DPS operators and settlement institutions are required to comply with certain conduct requirements depending on the type of payment services they provide, such as (where applicable) keeping a record of transactions, issuance of receipts to customers, keeping proof of receipt of transferred money or issuance of e-money and displaying exchange rates and fees. However, account issuance services providers will not be required to comply with these requirements since the payment transactions that they process would also be processed in other payment activities to which the requirements apply.
PSNO7 also sets out the criteria to determine the applicable exchange rate to compute the amount of money which a major payment institution must safeguard and to determine whether a person is a resident in or outside Singapore under certain PSA provisions.
- Disclosure and communications (PSNO8): PSNO8 requires PSA licensees and certain exempt PSPs to conspicuously display statements to customers regarding the extent a PSP is regulated and customer money is protected under the PSA. There are different prescribed risk disclosure statements for standard payment institutions, major payment institutions (MPIs), exempt PSPs, digital payment token services providers and money-changing service providers.
Payment Services Guidelines
MAS will amend existing e-payments user protection guidelines (to apply to all MPIs and exempt PSPs that issue payment accounts containing specified e-money) and guidelines on fit and proper criteria. Existing guidelines on technology risk management, business continuity management and outsourcing will apply unamended to all regulated entities under the PSA.
The Consultation Paper also set out MAS’s proposal to issue regulations:
- prescribing the exchange rate that licensees may use to calculate the Singapore dollar equivalent of foreign currency amounts for the purposes of determining licence class, security deposit requirements and e-wallet restrictions under the PSA; and
- permitting all remittance licensees under the MCRBA to either keep customers’ funds separate under Section 26 of the MCRBA or comply with the safeguarding requirements under Section 23 of the PSA for a transitional period of 12 months after the PSA’s commencement date. If a MCRBA remittance licensee opts to comply with Section 26 of the MCRBA, then even after the transitional period and until all money in the customers’ account is withdrawn, it must (a) not withdraw money from a customers’ account (except where permitted under the MCRBA) and (b) ensure that such money is not liable to be attached, sequestered or levied upon for any claim against such licensee.
All notices and guidelines for PSPs will become effective on the PSA’s commencement date, save for a few exceptions (such as PSNO6). MAS intends to publish the commencement notification and the finalised versions of PSA subsidiary legislation and guidelines at least four weeks before the PSA’s commencement date. As the PSA will repeal the PSOA and MCRBA, the notices and guidelines issued under the PSOA and MCRBA, including MAS’s Stored Value Facility Guidelines, will be cancelled upon the PSA’s commencement.