AML/CFT Requirements for Payment Service Firms
New Payment Services Act (“Act”) came into effect 28 January 2020. Along with the Act, the Monetary Authority of Singapore (“MAS”) has introduced several notices and guidelines to be adhered to by Payment Services Licence Holders (“regulated entities”) With the new licensing regime, firms who were not required to be regulated previously are now required to be regulated. These firms are now subject to new financial and compliance ongoing obligations including obligations on Anti-money laundering / Countering of Financing of Terrorism (“AML/CFT”) requirements.
MAS has introduced the following relevant notices and guidelines pertaining to AML/CFT:
- Notice PSN01 Prevention of Money Laundering and Countering the Financing of Terrorism – Specified Payment Services – requirements for payment service providers (other than a digital payment token service provider)
- Notice PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service – requirements for digital payment token service providers to put in place robust controls to detect and deter the flow of illicit funds through Singapore’s financial system
- PSN03 Notice on reporting of suspicious activities and incidents of fraud – requirements for all payment service providers to report any suspicious activity or incident of fraud that will affect their safety, soundness or reputation.
- PSN01A Prevention of Money Laundering and Countering the Financing of Terrorism – Persons Providing Account Issuances Services who are Exempted under the Payment Services (Exemption for Specified Period) Regulations 2019 – intended to substantially apply to persons who are exempted under the Payment Services (Exemption for Specified Period) Regulations 2019 during the transition period.
- PSN10 Prevention of Money Laundering and Countering the Financing of Terrorism – Exempt Payment Service Providers – sets out the application of AML/CFT Notices to persons exempt under Payment Services Act 2019 in relation to the provision of payment services for a specified product that involves account issuance, domestic money transfer and e-money issuance services
- Guidelines to Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service
- Guidelines to Notice PSN01 on Prevention of Money Laundering and Countering the Financing of Terrorism – Specified Payment Services
Scope of AML Requirements
Regulated entities are requirement to ensure they have put in place appropriate AML/CFT policies and procedures including enterprise-wide risk assessment for the entity. Regulated entities who are providing services which are classified as low risk are not required to comply with AML/CFT Notices.
The following are some low risk scenarios:
|Regulated Activity||Low Risk Scenario|
|Account issuance services||Entities which:
– do not allow physical cash withdrawal;
– do not allow physical cash refunds above S$100, unless the regulated entity performs identification and verification of sender; and
– do not have an e-wallet capacity that exceeds S$1,000.
|Domestic money transfer services||Entities which:
– only allow users to pay for goods and services where payment is from an identifiable source such as with a regulated financial institution (e.g banks);
– only allows users to pay for transactions below S$20,000; or
– only allows users to make payments which are funded from identifiable payment source and where transaction is under S$20,000.
|Cross-border money transfer services||Entities which:
– only allows users to pay for goods and services and where payment is funded from an identifiable source.
Where regulated entities are regulated for AML/CFT and offers products that are classified as exempted products, they would not need to comply with all AML/CFT requirements indicated in the notices and guidelines. These firms may apply reduced AML/CFT measures.
Third Party Reliance
Regulated entities are permitted to rely on third party service providers to perform some elements of the customer due diligence (“CDD”) measures as required by the AML/CFT notices and guidelines.
In order to rely on third party service providers, regulated entities must:
- be satisfied third party service providers are subject to and supervised for AML/CFT requirements consistent with FATF standards;
- take appropriate steps to identify, assess and understand ML/TF risks particular to the countries or jurisdictions the third party service providers operate from;
- ensure third party services providers are not precluded by MAS from replying upon; and
- ensure third party service providers are able and willing to provide, without delay, upon request, the documents obtained.
Regulated entities must always bear in mind, they are still ultimately responsible for AML/CFT for their entities.
Risk Based Approach
Regulated entities must apply risk-based approach when determining the level of due diligence procedures to subject the customer to. MAS permits regulated entities to apply simplified due diligence procedures for low risk customers such as those who are regulated entities or listed entities in FATF compliant jurisdictions. At the same time, regulated entities must apply enhanced due diligence measures for high risk customers such as those coming from high risk jurisdictions and are deemed as politically exposed persons.
Where regulated entities conduct simplified due diligence measure, they are still required to conduct screening and ongoing monitoring of business relations with the customers.
All higher risk customers must be subject to stringent monitoring process to ensure risk of these clients is managed at all times.
Correspondent Account Services
Regulated entities are required to perform necessary risk mitigation measures when providing correspondent account services to another financial institution or when engaging another financial institution for correspondent services.
In addition to conducting normal CDD measures, regulated entities are required to assess the suitability of the financial institution by assessing their AML/CFT controls, understand responsibilities of the respective financial institution and obtain approval from senior management prior to engaging with new financial institutions for correspondent account services.
Bearer Negotiable Instruments and Cash Payouts
Cash and bearer negotiable instruments are anonymous in nature and are subject to higher money laundering and terrorism financing risks. To mitigate these risks, regulated entities engaging in such instruments are subject to certain restrictions.
AML /CFT for Digital Payment Token Services Providers (“DPT”)
The Act imposes certain specific AML/CFT regulations on DPT service providers which include:
- Must conduct monitoring of cross-border value transfers. Special monitoring of cross-border transfers of DPT including prohibition of transactions with designated persons an entities;
- Must conduct CDD on all DPT occasional transactions regardless of the amount involved.
In relation to collection of CDD information, MAS has suggested other alternative CDD information to be collected to better identify the customers. These include:
- DPT sending/receiving addresses
- Receipts /documents on original purchase of cryptocurrency from an exchange or similar intermediary
- Transaction details of the DPT such as time stamp, size of transaction and value of transaction
- Reasons for purchase of DPT
- Reasons for current transactions (if applicable)
It is important to ensure that you have built a detailed AML/CFT policy and procedure that adheres to the requirements spelt out in the AML/CFT notices and guidelines. It is also important to ensure that the procedures in the AML/CFT policy reflect actual processes that will be carried out by the Company.
Policy must be approved by senior management prior to adopting them.
As a third line of defense, regulated entities must conduct internal audit and audit their policies and procedures. This enables you to evaluate the effectiveness of your policies and identify gaps in your policies as well as procedures.
Whenever there are significant changes to policies and procedures, regulated entities are required to engage an external independent service provider to carry out an assessment of the new policies and procedures and submit a report to the MAS no later than one year after the implementation of changes in the policies and procedures.
How can Argus (now Waystone Compliance) Assist
We are an experienced regulatory consulting firm who understand the payment services sector well and have assisted several firms in putting in place AML/CFT requirements, policies and procedures. As an independent service provider, we have also assisted firms in conducting gap analysis on their policies against MAS requirements and provided recommendations for improvements.
Please contact us today at [email protected] for a chat.
Follow us on LinkedIn.