
You’ve Got the Licence. Now Keep It: 11 Tips to Maintain Your Payment Service License in Singapore

  • Eastern Mezzanine
  • Apr 29

Updated: May 7




You clicked on this article as you have finally attained your Payment Service Provider (PSP) license from the Monetary Authority of Singapore (MAS) under the Payment Services Act (PSA). Congratulations are in order! This license serves as a milestone for your business in Singapore, signifying MAS’s trust in your ability to provide secure payment services to your customers.



However, obtaining your license is but the first step. Your real challenge lies in maintaining it through robust and ongoing compliance. With MAS maintaining stringent oversight to ensure the stability of Singapore’s financial system, protect consumers, and combat illegal financial activities, it comes as no surprise that ongoing compliance post-licensing is strictly regulated.



This article provides you with a practical checklist on the crucial steps you need to navigate your post-licensing compliance journey successfully. Whether you hold a Standard Payment Institution (SPI) or Major Payment Institution (MPI) license, this checklist applies to one and all.



Your post-licensing compliance checklist


The following is a breakdown of key areas that require your continuous attention.



1. Solidify your internal controls and governance framework


Robust internal controls serve as your first line of defence. Get them right from the get-go to build a solid foundation for your overall compliance framework.



Start by establishing clear policies and procedures. Be as detailed as possible, documenting all your internal policies and standard operating procedures (SOPs) for your licensable activities, operational processes, risk management, and compliance functions. Ensure these are regularly reviewed and updated.



Once your policies and procedures are in place, be intentional in segregating roles and responsibilities amongst your staff. Appoint qualified individuals to fill key roles, including a dedicated Compliance Officer with the authority and resources to oversee the compliance function. In the same vein, avoid multi-hatting as much as possible, ensuring that each member of staff is assigned a clear scope of responsibilities that does not trigger conflicts of interest. To seal the deal, embed compliance into your business’s culture, ensuring everyone is aware of and understands their compliance obligations.



You will also need to implement systems that accurately record all transactions and customer interactions as required by MAS and the PSA. Ensure records can be easily retrieved for audits and regulatory requests.



2. Maintain a rigorous anti-money laundering and countering the financing of terrorism (AML/CFT) framework


As a PSP, the onus is on you to serve as the gatekeeper against illicit funds. In keeping with MAS’s focus on AML/CFT risk mitigation, you must build and maintain a framework that is robust, risk-based, and continuously updated. This includes thorough Know Your Customer (KYC) and customer due diligence (CDD) processes when onboarding users.



The table below summarises the key AML/CFT measures and requirements you need to uphold:


| Measure | Requirement |
| --- | --- |
| Risk assessment and risk mitigation | Identify, assess, and understand Money Laundering (ML) and Terrorism Financing (TF) risks. |
| Customer due diligence (CDD) | Perform CDD measures to "Know Your Customer" (KYC). |
| Reliance on third parties | Payment service providers are allowed to engage eligible third parties to perform elements of the CDD process. |
| Correspondent accounts and wire transfers | Address risks associated with cross-border relationships and transactions. |
| Record keeping | Maintain adequate records of all relevant data. |
| Suspicious transaction reporting (STR) | Implement measures to identify and report suspicious transactions. |
| Internal policies, compliance, audit, and training | Establish a robust, AML/CFT-compliant internal framework. |


This is a summary of Notice PSN01. For full details, please refer to the document on MAS’s website.



3. Implement a comprehensive risk management framework


In addition to your AML/CFT obligations, you must strengthen your business’s resilience via a risk management framework (RMF). Your RMF must be all-encompassing, spanning operational, cybersecurity, legal, regulatory, financial, and outsourcing risks.



The next step is to develop and execute strategies to mitigate the risks you identified via your RMF. This can include internal controls, insurance, contingency planning, and other mitigation methods as necessary.



The risk landscape in the payments ecosystem does not stay static, and neither should your RMF. Ensure that you periodically review and update your RMF to reflect changes in your business, the market, technology, and the regulatory environment.



4. Adhere to technology risk management (TRM) requirements


With technology underpinning most payment services regulated by the PSA, it deserves its own separate point on this checklist.



It goes without saying that you will need to address all technology risks inherent to your payment service. In fact, MAS has stipulated a set of Technology Risk Management (TRM) guidelines that outline requirements for resilience measures in IT governance, system availability, data security, cybersecurity hygiene, and incident response.



To this end, build robust incident response plans that detect, respond to, and recover from technology-related incidents, including cyberattacks and data breaches. Ensure timely reporting to MAS where required.



As with the other steps covered thus far, TRM is an ongoing measure, meaning you will need to perform periodic vulnerability assessments and penetration testing (VAPT) on your critical systems to identify and resolve weaknesses.




5. Safeguard customers’ funds


Now that you have sorted your risk management on multiple fronts, you need to set your sights on protecting your customers’ funds.



If you are an MPI license holder, MAS requires you to protect relevant monies received from customers through segregation in trust accounts with approved financial institutions or by obtaining undertakings and guarantees.



Regardless of your license type, you are also expected to perform regular reconciliations of your customers’ funds to ensure accuracy and swiftly identify discrepancies.



MAS also requires payment services to be audited annually by a third party to ensure a fair and unbiased assessment.




6. Uphold Data Protection and Privacy (PDPA)


As a PSP that handles your customers’ sensitive identity data, you are also obligated to comply with Singapore’s Personal Data Protection Act (PDPA). The policies and practices you implement must encompass consent, notification, access, correction, protection, retention, and transfer limitation obligations. You will also need to appoint a designated Data Protection Officer (DPO) to oversee your data protection responsibilities.



7. Manage outsourcing risks diligently


Should you outsource any of your critical functions to third parties, you are ultimately still responsible for their compliance with MAS’s regulations. The first step is to adhere to MAS’s Guidelines on Outsourcing, where you must conduct thorough due diligence on third-party service providers, establish clear contractual agreements and performance monitoring, and build appropriate contingency plans.



As before, managing your third-party service providers is an ongoing process, and the onus is on you to regularly assess their performance and risk management practices.



8. Execute independent audits


Audits provide objective overviews of the effectiveness of your controls and compliance, and should, therefore, be conducted by qualified external auditors. In line with MAS’s Circular on Audit of AML/CFT Policies, Procedures and Controls, these audits must focus on internal controls, AML/CFT, TRM, and safeguarding of customers’ funds. Internally, you should also conduct periodic audits that focus on the same areas.



Once the audits are done, use their findings to develop and implement action plans that target weaknesses and non-compliant practices.



9. Meet regulatory reporting obligations


To tie together the first eight steps covered so far, be timely and accurate in reporting everything to MAS. Aside from familiarising yourself with all applicable reporting requirements and deadlines stipulated by MAS, you also need to ensure your systems capture the requisite data accurately for reporting purposes. Be punctual in filing and submitting your reports to MAS.



10. Stay informed and continuously improve


Last but most certainly not least, bear in mind that the regulatory landscape is constantly evolving, and you must stay abreast of all its changes. Actively monitor MAS’s website for circulars, guidelines, consultation papers, and amendments to the PSA and related regulations, and subscribe to relevant industry updates. You may also want to proactively participate in industry forums and engage with peers to keep up with best practices and emerging challenges.



11. Maintain your license with Eastern Mezzanine


Maintaining your PSP licence in Singapore requires sustained effort and investment in robust compliance frameworks. Essential it may be, but it does not necessarily need to be complex.

Simplify your license maintenance by partnering with us. At Eastern Mezzanine, our team of legal counsels is well-versed in the vagaries of Singapore’s PSA and other related regulations stipulated by MAS. Leave the regulatory maintenance work to us while you focus on growing and developing your payments business.


