Regulations for accepting crypto payments

As a business that facilitates the acceptance of crypto payments, what risks does MAS require me to mitigate?

To mitigate money laundering risks, crypto companies, otherwise known as Virtual Asset Service Providers (VASPs), are to adhere to "Travel Rule" that refers to Financial Action Task Force (FATF) Recommendation #16.

Source: Sumsub, last revised on 16 December 2021

"The Monetary Authority of Singapore (MAS) implemented the crypto travel rule in Singapore through Notice PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service, published on December 5, 2019, and in effect since January 28, 2020."

It requires VASPs to collect personal data on participants in transactions exceeding SGD 1,500. This means gathering Personally Identifiable Information (PII) such as names and account numbers of both senders and recipients.

There are some specific requirements for data gathered on senders in particular. This includes additionally collecting either their physical address, unique ID number (national identity number, etc.), customer identification number, or date and place of birth.

Source: Notabene, last revised on 28 January 2020

What are the record keeping requirements for DPT value transfers (Travel Rule)?

According to MAS (Notices)
last revised on 1 March 2022

Subject to paragraph 13.8, in a value transfer where the amount to be transferred exceeds S$1,500, every payment service provider which is an ordering institution shall identify the value transfer originator and verify  the value transfer originator’s identity, and include in the message or payment instruction that accompanies or relates to the value transfer the information required by paragraphs 13.4(a) to 13.4(d) and any of the following:

(a) the value transfer originator’s
(i) residential address, or
(ii) registered or business address, and if different, principal place of business, as may be appropriate;
(b) the value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number); or
(c) the date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate).

The Travel Rule also requires crypto platforms to share sender and recipient data with each other during transactions. That is why this regulation is called the “Travel Rule,” because the personal data of the transacting parties ‘travels’ along with their transfers.

The travel rule is further regulated through MAS' Guidelines to Notice PSN02, which most relevantly clarifies that transactions with non-custodial wallets are not subject to travel rule requirements but should be perceived and treated as carrying higher ML/TF risks.

“The speed, anonymity and cross-border nature of VASP activities make them inherently more vulnerable to ML/TF risks,” the Monetary Authority of Singapore (MAS) said in a statement Monday."

Following the ammendment bill, the definition of VASP in Singapore is expanded "to include any entity which provides custodian wallet services for virtual assets, or facilitates exchanges of virtual assets – even if it may doesn’t hold those assets at any point in the transaction."

Source: AML Intelligence, last revised on 2 November 2020