Internal audit and independent assessment for Payment Services Licence holders
The new Payment Services Act (“Act”) came into effect on 28 January 2020. Along with the Act, the Monetary Authority of Singapore (“MAS”) has introduced several notices and guidelines to be adhered to by Payment Services Licence Holders (“regulated entities”). The Notices PSN01 and PSN02 Prevention of Money Laundering and Countering of Terrorism specifically carry important requirements for Payment Services Licence Holders (PSLH) to abide by.
Non-face-to-face Know-Your-Customer Requirements (NFTF)
PSLH who are conducting NFTF transactions or business relations with customers are required to put in place policies and procedures to address any specific risks associated with the process. Policies and procedures are also required to be implemented when conducting periodic due diligence checks on customers who were originally onboarded in an NFTF manner. Where a PSLH conducts its first NFTF business contact, it must appoint an external auditor or an independent qualified consultant to assess the effectiveness of any technology solutions used to manage impersonation risks. The report must be submitted to MAS no later than one year after the conduct of the first NFTF business.
PSLH are also required to appoint an external auditor or an independent qualified consultant to carry out an assessment of their policies and procedures when there have been substantial changes in relation to the NFTF process. Similarly, the report must be submitted to MAS within one year.
Internal Audit Requirements
PSLH are required to have in place adequate independent audit arrangements to regularly assess the adequacy and effectiveness of the policies, controls and compliance with regulatory requirements. This audit may be conducted by an internal audit function within the company or an independent audit team from head office, or it can be outsourced to a third-party service provider.
PSLH who conduct NFTF, in particular, are expected to have policies and procedures that are at least as stringent as those that would be required if there were face-to-face contact. Generally, the NFTF customer onboarding process is deemed to hold greater anti-money laundering and terrorism financing risks. Increasing technological sophistication presents new threats in terms of identity theft, and conducting NFTF certainly exposes financial institutions to higher risks.
PSLH should review their policies and procedures and ensure that the technology solutions embedded within the customer onboarding process are sophisticated enough to address impersonation risks. Additional processes to be considered include conducting real-time video conferences, requesting certified true copies of identification and verification documents, using biometric facial recognition, and using technology solutions to confirm the authenticity of government-issued documents.
PSLH should not assume that carrying out the internal audit process would be sufficient to address the need to provide an independent report to MAS on the effectiveness of the NFTF customer onboarding process. PSLH should be reminded that internal audit can be done by the internal team or head office team. However, the independent NFTF report to MAS has to be conducted only by independent external auditors or qualified consultants.