Following the commencement of the Payment Services Act (PSA) in January, the Monetary Authority of Singapore (MAS) recently published an information paper for businesses setting out a framework for how cryptocurrency businesses and other payment services governed by the PSA can measure the efficacy of their compliance programs.
The informational paper sets out MAS’ supervisory expectation of effective
Enterprise-wide Risk Assessment (EWRA) frameworks and processes, and interestingly sets out the outcomes of some inspections conducted by MAS into unnamed financial institutions early in 2020.
Payment Services Act
To recap, the Payment Services Act was passed by Singapore's Parliament on 14 January 2019, and subsequently came into effect on 28 January 2020. The Explanatory Brief published by MAS provides that the PSA is intended to streamline payment services regulation by combining the Payment Systems (Oversight) Act (Cap. 222A) (“PS(O)A”) and the Money-Changing and Remittance Businesses Act (Cap. 187) into a single piece of legislation. Further, the PSA has expanded the scope of regulated payment services in Singapore to ensure that new developments in the industry are appropriately regulated, including crypto-centric payment services.
Not unlike the Australian Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the PSA sets out particular requirements for certain digital assets companies, including:
Collection of Know your customer (KYC) information from platform users;
Customer due diligence; and
Suspicious transaction monitoring and reporting.
Enterprise-wide risk Assessment Document
The EWRA provides guidance on how payment services including cryptocurrencies can achieve six key outcomes that would ensure compliance with their anti-money laundering and counter-terrorism financing requirements is maintained after licensing. These desired outcomes include:
Senior management maintain active oversight of EWRA frameworks and processes;
Sound and systematic frameworks and processes to assess inherent risks, control effectiveness, and residual risks for each business line;
Adequate and accurate qualitative and quantitative analyses in assessing risks;
Assessments of the effectiveness of all compliance controls, taking into account policies and procedures, control testing results, and assessments of organisational culture;
Systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA exercise; and
Structured processes to perform gap analysis against guidance papers, and incorporate lessons learnt and good industry practices in their own processes.
Broadly, the information paper found that while generally the financial institutions MAS inspected had established frameworks for conducting EWRAs, the quality of implementation of the EWRA's was more of a patchwork. This is hardly a problem unique to Singapore, with Australian banks copping record from the anti-money laundering regulator AUSTRAC, despite having supposedly stringent AML/CTF programs in place.
Protecting your business from breaching anti-money laundering and counter-terrorism financing requirements is becoming increasingly important in an increasingly globalised and sophisticated payments landscape. If you need advice on anti-money laundering and counter-terrorism financing compliance matters, please contact us and we would be more than happy to assist.