Singapore: Updates to the Guidelines on Licensing for Payment Service Providers
-
Développement en droit 12 août 2024 12 août 2024
-
Asie-Pacifique
-
Technology risk
On 26 July 2024, the Singapore financial regulator published its revised Guidelines on Licensing for Payment Service Providers. The changes to the guidelines will take effect on 26 August 2024.
In this client alert, we have summarised the key amendments to the Revised Guidelines below:
1) Submission of Legal Opinion
All new applicants applying for a licence under the Payment Services Act (“PS Act”) will need to submit a legal opinion with their applications. The legal opinion should include a clear and concise summary of the applicant’s business model and an assessment of whether the applicant’s proposed services and/or products are regulated payment services under the PS Act.
Existing licensees applying to vary their licence to add a Digital Payment Token (“DPT”) service will need to submit a legal opinion with their variation applications. Similarly, the legal opinion should include a clear and concise summary of the applicant’s business model and an assessment of whether the applicant’s proposed service(s) and/or product(s) are regulated payment services under the PS Act.
2) Submission of Independent External Auditor Assessment
New applicants intending to provide DPT services must appoint a qualified independent external auditor to perform an independent assessment of its policies, procedures and controls in the areas of anti-money laundering/countering the financing of terrorism (“AML/CFT”) and Consumer Protection.
The onus is on the applicant to ensure that it appoints an appropriate and suitably qualified External Auditor to conduct the independent assessment. Each external auditor engaged by the applicant for the purpose of conducting the independent assessment is to provide to the MAS information on its contact details, track record and relevant experience.
The external auditor’s independent assessment report (“report”) must be submitted together with the applicant’s licence application. The submitted report must have been issued and signed off by the external auditor within the last 3 months from the date of application submission.
The MAS would engage the applicant directly to discuss the observations made by the external auditor. The MAS may also contact the external auditor(s) directly for any clarifications and request them to submit minutes of meetings and/or supporting documents of its assessment as part of the MAS’ review of the applicant’s licence application.
3) Technology Risk Management
Licensees providing DPT services must comply with the Notice on Technology Risk Management [FSM-N13], with effect from 6 November 2024. All other licensees are to refer to the Guidelines on Risk Management Practices. Technology Risk for guidance on technology risk management requirements.
4) Proper Governance Structure
The applicant should put in place proper governance structure to oversee compliance and AML/CFT issues. Depending on the scale of the business and its group structure, the applicant can consider having its compliance officer regularly reporting compliance and AML/CFT issues to the board or a board committee and for decision on matters which is beyond the authority of the compliance officer.
5) In-house local compliance officer for DPT service providers
The MAS expects entities conducting DPT services to have in place an in-house local compliance officer given the higher risk posed and the complexity of the business.
6) Information required in proposed business plan for licence applications
A brief description of any exempted and unregulated activities that it currently conducts or intends to conduct must be included in the proposed business plan as part of the application. This is in addition to the other information listed in Appendix 3 of the Revised Guidelines.
For applicants that are part of a global payment services group:
- Where available, the applicant should provide an estimate of the level of resources (in terms of headcount and time spent) in the other related corporations that will support the operations in Singapore.
- Applicants should provide copy of its licence/ certification of registration or information of its licensing/registration status on the regulators’ websites. Applicants should disclose any regulatory enforcement action/investigation which any of its entities may have been a party to.
Consumer Protection
Applicants intending to provide DPT service should provide the following information and documents that are in line with the nature of the proposed business model:
- Policies and procedures setting out how the applicant would comply with consumer protection requirements prescribed by the Payment Services (Amendment) Regulations 2024 that include, but are not limited to, safeguarding and segregation of clients’ assets, consumer access, complaints handling, user protection, mitigation of conflicts of interest.
Shareholding Chart
- The applicant should provide the complete shareholding chart (up to the ultimate controller(s)) who are natural person(s).
- If the applicant does not have any 20% controller, the applicant will have to provide a written confirmation.
7) Rules of engagement for application review process
Initial Review and Information Request
The review process of an application begins when a case officer is assigned and upon complete submission of all information and documents as required. Depending on the volume of applications received, the case assignment may not take place immediately upon MAS’ receipt of an application. Following a case assignment, the case officer will reach out to the applicant to inform the applicant of the necessary next steps, which may include an opening meeting.
In the course of the review process, there may be multiple rounds of requests for information and clarifications, depending on the completeness of the responses submitted by the applicant.
Where submissions are assessed as grossly incomplete or significantly deficient, MAS reserves the right to reject the applications. In situations where applicants are found to have intentionally obfuscated, hidden or delayed their disclosures to the MAS without good reason, these will be considered as significant deficiencies.
Timeliness and Quality of Responses
The MAS typically provides the applicant with a deadline to respond to requests for information. If the applicant fails to respond within the stipulated time, MAS will deem the application to be withdrawn. Should the applicant require additional time to prepare the response, the applicant should inform the case officer in advance.
Interview after the Initial Review
After the initial review, the case officer will arrange for an interview with the applicant’s key management personnel and/or the compliance officer. The interview is a key determining factor in MAS’ assessment of the application; the purpose of the interview is for the applicant to explain how it intends to manage the business and risks in compliance with regulatory requirements.
Consultants, external legal counsel, and other third parties are not permitted to attend the interview. This is because the applicant remains responsible for meeting its regulatory obligations, even if it outsources any of its functions.
If there are material changes to the application after the interview but before there is an application outcome, the case officer may arrange for additional interview(s) with the applicant. Examples of such changes include any change in appointment of an applicant’s key personnel, or any change in the applicant’s business model.
The MAS’ Review Process
Case officers have an obligation to conduct a comprehensive assessment of the applications. Even at the application stage, the aim of an applicant is to be licensed, and therefore be subject to ongoing supervision and oversight, as per the regulatory regime. The case officer will review the application in this context and expect the applicant to conduct itself as if it were already a regulated financial institution. Applicants who fail to do so will be assessed as potentially significant deficiencies, which could result in a rejection of the application.
Placing Applications On-hold
If there are any changes to the information provided in the application after submission, the MAS should be notified immediately. In cases of significant/major changes to the application, applicants may wish to consider withdrawing their application and reapplying after the changes have been completed in view that the application will not be ready for review until then.
The MAS reserves the right to place any application that is assessed to be insufficiently ready for review, to be on-hold for six months in the event of an applicant’s major corporate restructuring, substantial changes to key management personnel, or material variations in the business model/activities, at any point during the review process.
During this on-hold period, the onus is on applicant to ensure timely resolution/completion of all necessary changes and to provide MAS with the relevant documentation to be assessed at the end of the on-hold period. The default on-hold period is six months and is not extendable. If the significant change is not completed within the on-hold period, the application will be assessed to be insufficiently ready for review and the applicant should consider withdrawing the application.
***
In light of the upcoming changes, if you’d like to know more about how the revised Guidelines might affect you (especially if you are a potential applicant), please get in touch with any of the authors below.
The Singapore office of Clyde & Co has extensive experience advising technology companies (such as e-payment providers, cryptocurrency exchanges, token issuers and FinTech companies) on business establishment and licensing, acquisitions and disposals, portfolio transfers, outsourcing arrangements, cross-border business structures and regulatory compliance in Asia-Pacific.
Fin