AML/CFT for DPT Services

Your business description

Unregistered fund manager who wants to start a crypto fund. How should I structure this?

What are the AML/CFT measures imposed on DPT service providers?

MAS regulates DPT service providers for AML/CFT risks. The Payment Services Act requires DPT intermediaries that buy, sell or facilitate the exchange of DPTs for fiat currencies or other DPTs to identify and verify their customers, monitor transactions, keep records and to report suspicious transactions to the Suspicious Transaction Reporting Office.

Where DPT service providers also facilitate the transfer of DPT or provide custodian wallet services as part of their business, MAS intends to require that they apply AML/CFT measures to mitigate the risks posed by such services.

A person providing DPT services under the Payment Services Act 2019 is subject to AML/CFT risk mitigation measures. These requirements are set out in MAS Notice on Prevention of Money Laundering and Countering the Financing of Terrorism - Holders of Payment Services Licence (Digital Payment Token Service) (PSN02). Failure to comply with the requirements set out in the MAS Notice attracts a fine.

The MAS Guidelines to MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service provide guidance on the requirements in the Notice.

The Notice requires, among other things, a DPT service provider to develop and put in place policies and procedures to assess the money laundering and terrorism financing ("ML/TF") risks presented by each customer. It must also assess the ML/TF risks on enterprise-wide level. This shall include a consolidated assessment of the payment service provider’s ML/TF risks that exist across all its business units, product lines and delivery channels. To assess the ML/TF risks presented by its customer, a DPT service provider must conduct customer due diligence to identify and know its customers (including beneficial owners), conduct regular account review and monitor and report any suspicious transaction.

Customer Due Diligence requirements for DPT service providers

PSN01 and PSN02 will require the collection of certain customer-specific information, including at least the following—

(i) full name,

(ii) Unique Identification Number (e.g. customer NRIC or passport number),

(iii) residential address (or registered or business address),

(iv) date of birth (or establishment, incorporation, or registration),

(v) nationality (or place of incorporation or place of registration). Additional identification is required for legal arrangements

What personally identifiable information is required to be shared for the Travel Rule?

For value transfers exceeding S$1,500 (approximately USD 1500), the originating DPT service provider should also add a physical residential address, along with the place and date of birth, and identification number of the customer. Records are required to be kept for at least five years.

AML/KYC challenges faced by the Fintech and Crypto Industry in Singapore

With the exponential growth in the usage of digital payments such as contactless payments, more and more Fintech companies are entering the market to streamline and accelerate financial services. AML/KYC checks are now essential to prohibit any illegal source of income and to uphold the reputation of the company.

Challenges faced in AML/KYC:

Onboarding Stage

  1. Lack of skilled personnel: AML professionals may be too costly to onboard or the company may lack the resources and expertise.
  2. Assigning risk level of customers at onboarding stage: Requires reliable data on transactions undertaken by the customers and consistently changes risk levels accordingly to prevent any forms of false positives.
  3. Identifying beneficial ownership: Complexity of data collection and legal structures of various jurisdictions with a lack of standardized documentations across countries.

    Ongoing Stage
  4. Increased complexity of control: A challenge is posed to manage cross-border and multi- jurisdictional AML-compliance requirements and ever-growing customer due diligence
    requirements.
  5. Complicated processes and technology: A need to compile and consolidate KYC data and systems and to detect any source of suspicious activities.
  6. New ways of money laundering: Firms need to be prepared and be ready against new methods of laundering illicit funds.
  7. Existing low AML risk clients may not remain to be at low risk. Requires consistent check through transactional monitoring to identify any suspicious trading activities.

Moving forward:
These would be possible and feasible solutions that shall be adopted to mitigate the challenges posted by AML/KYC.

  1. To outsource to other service provider companies to onboard temporary AML professionals to conduct the services.
  2. Searches can be improved with technology such as AI to weed out false positives and the ability to look at broader and a better scope of details.
  3. Ensure consistency of the data by standardizing them in order to enable a more centralized analysis of potential frauds or financial crimes.
  4. Consistently change protocols or detective measures to adapt to these ever-growing ways to money laundering. Stakeholders to discuss the potential ways for money laundering to ensure alignment of goals within the company.

Travel Rule requirements

The implementation of the Travel Rule in Singapore is outlined in MAS Notice PSN02.

"Notice PSN02 states that Singaporean companies need to conduct measures connected to the Travel Rule, which means assessing the risks inherent to the operation, performing customer due diligence on all clients, and sending, alongside the value transfer, the verified name and account number of both the sender and the beneficiary to the beneficiary’s Virtual Asset Service Provider (VASP)."

"However, for transfers exceeding SGD 2000 (approximately USD 1500), the originating VASP should also add a physical address, along with the place and date of birth, of the customer. Records are required to be kept for at least five years."

Source: 21 Analytics, last revised on 30 June 2021

According to MAS (Notice)
last revised on 1 March 2022

Subject to paragraph 13.8, in a value transfer where the amount to be transferred exceeds S$1,500, every payment service provider which is an ordering institution shall identify the value transfer originator and verify the value transfer originator’s identity, and include in the message or payment instruction that accompanies or relates to the value transfer the information required by paragraphs 13.4(a) to 13.4(d) and any of the following:

(a) the value transfer originator’s
(i) residential address, or
(ii) registered or business address, and if different, principal place of business, as may be appropriate;
(b) the value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number); or
(c) the date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate).