[1] An “object of power” is proposed to mean “a person who

• • Is a member of a class of possible beneficiaries under the trust; and
  • Is reasonably expected to benefit from the trust, whether or not because
    • The person is referred to as a potential beneficiary by the settlor of the trust in a document relating to the trust such as the letter of wishes; or
    • The class of possible beneficiaries has narrowed for any reason.”

 

The MAS proposes that a financial institution must, in addition to the information prescribed for the existing trust relevant parties, obtain information on the identity of the protector, the identity of the class of beneficiaries and object of power, and of any other natural person(s) exercising ultimate effective control over a trust related party. This included information on beneficial owners of a legal person or a legal arrangement that is a trust relevant party. 

Clarification of Timelines for Filing of Suspicious Transaction Reports 

Financial institutions operating in Singapore, such as holders of a capital market services (“CMS”) licence and payment service providers (“PSPs”), are required to comply with anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulations. One of the key obligations is the timely filing of suspicious transaction reports (“STRs”) with the Suspicious Transaction Reporting Office (STRO), a division of the Commercial Affairs Department (CAD) of the Singapore Police Force
(SPF).

This article provides an overview of the legal requirements, indicators of suspicious transactions, and the process for filing an STR to help financial institutions remain compliant.

Legal and Regulatory Framework

The following key regulations govern the obligation to file an STR:

• Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (“CDSA”)
• Terrorism (Suppression of Financing) Act 2002 (“TSOFA”)
• Notices and guidelines by the Monetary Authority of Singapore (MAS), namely
  • MAS Notice SFA04-N02 for CMS license holders, or
  • MAS Notice PSN01 or PSN02 for payment service providers

Under these laws and regulations, financial institutions must promptly file an STR when they have reasonable grounds to suspect that a transaction is connected to criminal conduct, money laundering (“ML”), or terrorism financing (“TF”). At the latest, they are to submit the STR within 15 business days from their discovery of the suspicious transaction (para. 13-1 Guidelines to SFA04-02 for CMS licence holders and para. 18-1 Guidelines to PSN01 or para. 16-1 Guidelines to PSN02 for PSPs)

STRs filed by Financial Institutions in Singapore

As per information published by the Singapore Police Force (“SPF”)1, the number of STRs filed increased significantly in the past years.

Year     Number of STR Filed    % Increase
2020    33,882
2021    45,897                               35%
2022    49,846                               9%

By far most STRs were submitted by banks. In 2021, they submitted 60% of all STRs, and in 2022, 58%.

Indicators of Suspicious Transactions

All financial institutions should identify red flags common to their type of business and, more specifically, to their company’s specific business. They should list these red flags in their procedures and include them in the AML/CFT training of their staff.

While not exhaustive, the following are common red flags that may warrant an STR filing:

• Transactions involving unusually large amounts with no clear economic purpose;
• Request by a customer for investment management services where the source of funds is unclear or not consistent with the customer’s apparent standing;
• An account operated in the name of an offshore company with structured movement of funds;
• Cross-border transactions involving the acquisition or disposal of high-value assets that cannot be clearly identified as bona fide transactions;
• Transactions linked to high-risk jurisdictions identified by the Financial Action Task Force (FATF);
• Customers unwilling to provide information on the source of funds or the purpose of transactions;
• The customer uses intermediaries that are not subject to adequate AML/CFT laws;
• A customer relationship with a payment service provider in which a customer has a large number of accounts with the same payment service provider and frequently transfers between different accounts;
• Concentration of payments where multiple senders transfer money to a single individual’s account;
• Frequent changes to the customer’s address or authorized signatories;
• Customers are in a hurry to complete the transaction, with promises to provide the supporting information later;
• Funds or digital payment tokens (“DPT”, commonly referred to as cryptocurrencies) used by a customer to settle his obligations are from a source that appears to have no explicit or direct links to the customer;
• Frequent changes in the customer’s identification information, such as home address, IP address, or linked bank accounts/wallet addresses.

Refer to the MAS’ AML Guidelines applicable to your type of business for further examples of red flags that are specific to your type of business (Guidelines to SFA04-N02 for holders of a CMS licence, e.g. for fund management or dealing in capital markets products, Guidelines to PSN01 for PSPs offering fiat payment services such as domestic or cross-border money transfer service, merchant acquisition service, or account issuance service, or Guidelines to PSN02 for PSPs providing digital payment token, i.e. cryptocurrency, service).

Filing an STR: Step-by-Step Process

Identify and Assess the Suspicious Transaction

• Staff carrying out various tasks may identify suspicious transactions either at the time of onboarding or throughout a customer’s relationship life cycle. Suspicious transactions and other new information indicating an ML/TF risk can also be identified through automated monitoring systems. These systems continuously monitor/screen the customers and analyse transaction patterns, customer behaviour, and predefined rules. The systems help flag information and anomalies that could be potential red flags compared to the customer’s profile, prompting further investigation by compliance teams.
• The staff who identifies the suspicious transaction should escalate their suspicion to their compliance team or money laundering reporting officer (“MLRO”), as indicated in your AML/CFT policies and procedures.
• Once escalated to the compliance team or MLRO, they will conduct internal investigations and review the transaction in question.

Complete the STR Form and Submit it to STRO

• The MLRO or a compliance officer may access the STR form via the STRO Online Notices and Reporting (“SONAR”) system and electronically submit the completed STR form.
• In the STR form, you must provide details such as transaction amounts, counterparties, account details, and the basis of suspicion, and supporting documents (e.g., transaction records and emails) should be attached where relevant.

Maintain Confidentiality

The fact that an STR has been filed must not be disclosed to the customer. Tipping-off is an offence under the CDSA and TSOFA. Even internally, this information should only be on a need-to-know basis.

Ongoing Monitoring and Internal Reporting

• Even after the submission, you must continue monitoring the account for further suspicious activity, possibly even conducting enhanced monitoring.
• Moreover, you should consider additional control measures and implement them, as appropriate.
• Don’t forget to maintain proper internal records of the STR submission and any follow-up actions.

Compliance Best Practices

The filing of STRs is part of your comprehensive AML/CFT framework. It must be properly embedded and connected within your entire framework to effectively detect suspicious transactions (and adverse information) and ensure their proper filing through STRs.

• Establish a robust AML/CFT framework, including internal policies and training programs.
• Ensure all employees are aware of their obligations and are trained in identifying suspicious transactions.
• Regularly review transaction monitoring systems to enhance detection capabilities and fine tune to keep them relevant.
• Maintain a log of cases where an STR was filed and circumstances where it was decided not to file an STR with a rationale for the decision.
• File the STR as soon as investigations are completed, and the facts have been established. At the latest, you should file the STR within 15 business days after the discovery of the suspicious transaction.
• Cooperate fully with regulatory authorities and provide additional information when required.

Conclusion

Filing STRs is a critical compliance requirement under Singapore’s AML/CFT regulations. Capital Market Services license holders and Payment Service Providers must establish strong internal controls to detect and report suspicious transactions in a timely and accurate manner. Failure to comply may result in regulatory penalties and reputational damage. Staying vigilant and adhering to legal obligations will help financial institutions contribute to Singapore’s efforts in combating financial crimes.

How We Can Help

We at Ingenia Consultants Pte. Ltd. support our clients in navigating their anti-money laundering requirements, including the filing of STRs. We specialize in helping our clients comply with these regulatory obligations, by developing appropriate policies and procedures. For any further information, please contact:

Vijay Bharadwaj

Director

Ingenia Consultants Pte. Ltd.

vijay.bharadwaj@ingenia-consultants.com

The Payment Services Act 2019 (PS Act) of Singapore is a comprehensive regulatory framework that governs payment service providers to enhance the safety, security, and efficiency of payment systems. One of the critical areas under the PS Act is the safeguarding of customer money, which ensures that customers’ funds are protected from misuse and insolvency risks.

Key Safeguarding Requirements

Under the PS Act, payment service providers (PSPs) offering services, such as e-money issuance, or money transfer, are required to safeguard customer funds. The relevant provisions and requirements include:

1. Segregation of Client Money

Section 23 of the PS Act stipulates that licensees must ensure customer money is segregated from their operational funds. This means maintaining separate bank accounts designated solely for holding customer funds to prevent commingling with the company’s assets. This separation protects customer money in the event of the PSP’s insolvency.

2. Safeguarding Arrangements

A major payment institution must ensure that money received from, or on account of, a customer for domestic or cross-border money transfer services or on account of merchant acquisition is
safeguarded if it continues to hold at the end of the business day.
Similarly, a major payment institution must safeguard customer’s funds, at all times, received in exchange for issuing e-money except where these funds are received for:

• Payments made to reduce a customer’s debt to the institution,
• Refunds or repayments made by the institution to the customer,
• Funds used to pay service fees or charges imposed by the institution,
• Payments made to a recipient as per customer instructions (whether received or not) or
• Money paid to another person who is legally entitled to it.

This safeguarding can be done in one of the following manners:

1. by an undertaking, from a safeguarding institution, such as a bank licensed in Singapore, to be fully liable to the customer for the relevant money;
2. by a guarantee given by a safeguarding institution for the amount of the relevant money;
3. by depositing the relevant money in a trust account maintained with a safeguarding institution.

3. Timely Safeguarding

PSPs are required to safeguard customer money within a specified period, usually by the end of the next business day after receiving the funds. This ensures that customers’ funds are protected from misuse and insolvency risks.

4. Regular Reconciliation

PSPs must reconcile their records of customer funds daily. This process involves verifying that the amounts held in safeguarding accounts match the total funds owed to customers. Discrepancies must be resolved immediately to maintain compliance.

5. Reporting and Auditing

PSPs must regularly report to the Monetary Authority of Singapore (MAS) on their safeguarding arrangements. They are also subject to periodic audits to ensure compliance with safeguarding obligations.

Consequences of Non-Compliance

Non-compliance with safeguarding requirements can lead to severe penalties, including fines, suspension of the PSP’s license, or other regulatory actions by MAS. PSPs must establish robust
internal controls and governance frameworks to ensure adherence to these regulations.

Why Safeguarding Matters

The safeguarding of customer money is vital for maintaining trust and confidence in payment services. It mitigates risks associated with insolvency and misuse of funds, providing customers with assurance that their money is secure.

How We Can Help

We at Ingenia Consultants Pte. Ltd. support our clients in navigating the safeguarding requirements under the PS Act. We specialize in helping PSPs comply with regulatory obligations, including setting up appropriate safeguarding mechanisms.

For any further information, please contact:
Vijay Bharadwaj
Director
Ingenia Consultants Pte. Ltd.
vijay.bharadwaj@ingenia-consultants.com

Licenced fund management companies restricted to servicing qualified investors, namely accredited investors and institutional investors, (“A/I LFMCs”) are generally required to submit quarterly and annual returns to the Monetary Authority of Singapore (“MAS”) to confirm their compliance with capital requirements and provide information for supervisory and statistical purposes.
Every quarter, they must submit the following forms (reg. 27 SF(FMR)R and sec. 3(1) and 5 of the Statistics Act 1973):

• Form 1
• Form 2
• Quarterly Income & Expenditure Statement For Compilation Of Value-Added Of Financial Sector (Financial Institutions Excluding Insurance Companies) (“QIE Form”)

Form 1 and Form 2 must be submitted within 14 days after the end of the quarter end (reg. 27(6) SF(FMR)R). The QIE Form must be submitted within 15 days after the end of every quarter (para. 2 ED S 01/88 dated 18 July 2018). The latest forms can and should be downloaded from MASNET.

Every year, A/I LFMCs must submit the following forms and document (sec. 107(1) SFA, reg. 27(8)-(9) SF(FMR)R):

• Financial statements
• Form 1
• Form 2
• Form 3
• Form 4
• Form 5
• Form 6

All of these documents must be submitted within 5 months after the end of the financial year (sec.107(1)(a) SFA).

A/I LFMCs are expected to submit all forms within the stipulated timelines. Missing submissions and missed deadlines contributed to several enforcement actions by the MAS.[1]

If the A/I LFMC is unable to submit the forms within the stipulated timelines, it should notify its MAS officer-in-charge ahead of the deadline, providing reasons for its inability.

Quarterly Returns

The quarterly returns are based on the management accounts of the A/I LFMC. As the timeline for the submission of the quarterly returns is quite short, the A/I LFMC should clearly convey to its accounting team that the management accounts must be quickly prepared after the end of the calendar quarter, in particular, where the A/I LFMC is engaging an outsourced accountant. It is also important to note that the preparation of the quarterly returns requires the balance sheet as of the end of each month to calculate the average aggregated assets in Form 2.

Form 1

To a large extent, Form 1 is a restatement of the Company’s balance sheet whereby the exposure to the different types of activities under the Securities and Futures Act 2001 is emphasised.

Tips

Contrary to Form 1, the “Unappropriated profit or loss” in Form 1 is the sum of the retained earnings and the current financial year’s profit or loss.

Form 2

Form 2 focuses on the A/I LFMC’s capital requirements: the base capital, financial resources, the total risk requirement, and adjusted assets. A/I LFMCs may note that the section on aggregate indebtedness does not apply to them (reg. 15 SF(FMR)R).

Tips

For the calculation of the base capital, the A/I LFMC must pay particular attention to the statement of its profit or loss. For the calculation of the base capital, the “Unappropriated profit or loss” is the A/I LFMC’s last audited profit or loss, its retained earnings. The current financial year’s loss must be deducted from the base capital whereas the current financial year’s profit must not be added for the base capital calculation but is taken into account for the calculation of the financial resources. It is important to remember that the “unappropriated profit or loss” changes and only changes after the A/I LFMC’s financial audit is completed.

An A/I LFMC also does not need to calculate the counterparty risk requirement, the position risk requirement, the large exposure risk requirement or the underwriting risk requirement as long as its average adjusted assets do not exceed the lower of SGD 10m or five times its financial resources (para. 3.3.1(a) read in conjunction with 3.3.3 SFA04-N13).

In many cases, an A/I LFMC’s operational risk capital is simply SGD 100,000. Until the A/I LFMC has an average gross income of SGD 2m for the three immediately preceding years, the A/I LFMC’s operational risk requirement is SGD 100,000 (para. 4.1.2 SFA04-N13).

QIE Form

The QIE Form is based on the A/I LFMC’s profit and loss statement for the full quarter. It examines the A/I LFMC’s income and expenses for statistical purposes. The first section collects data on the investments and their depreciation. The second section analyses the income and expenses, including employment.

To properly complete the QIE Form, the A/I LFMC must report business transactions with Singapore residents and firms under “In Singapore” and transactions with persons and firms outside Singapore under “Outside Singapore”. The A/I LFMC may need to organise its accounting to extract the figures with this segregation.

Salaries are also reported “In Singapore” and “Outside Singapore”. At the same time, a distinction is made between “Singapore resident employees”, these are Singapore citizens and Singapore permanent residents, and other staff, “Non-Singapore resident employees”. The same distinction is also made for total employment figures as at the end of the quarter. The A/I LFMC may need to inquire with its human resources department to make these distinct amounts available.

Tips

In the transfer of its accounts into the QIE Form, the A/I LFMC should pay particular attention to accounts with a negative figure. The QIE Form (generally) does not allow for negative income or expenses. As a result, a negative income may need to be reported as an expense and vice-versa.

In the QIE Form, values must be stated to the nearest Singapore dollar. This may lead to slight discrepancies when multiple numbers that were individually rounded are added up to a sum, namely the profit/loss before tax. Where the A/I LFMC encounters an error message for a field that is a sum, it is worth examining it for an error due to the rounding of the individual components.

Annual Returns

The annual returns are based on the audited financial statements of the A/I LFMC.

Form 1 and Form 2

The A/I LFMC must submit Form 1 and Form 2 as part of its quarterly returns and as part of its annual returns. Although the forms for the quarterly and the annual returns request the same data, different templates need to be used. Importantly, the figures in the annual submissions must be based on the audited financial statements. Thus, they may differ from the figures submitted for the quarter end that coincides with the financial year-end.

Form 3

Form 3 examines the income of the A/I LFMC based on the types of financial services activities.

Tips

Many activities will not apply to the A/I LFMC because the same form applies to all holders of a capital markets services (“CMS”) licence.

Form 4

In Form 4, the A/I LFMC must catalogue its assets under management, namely based on types of investors and activity.

Tips

For the distinction between “Institutional clients” and “Individual clients”, “Institutional clients” is not equivalent to institutional investors as defined in section 4A(1)(c) of the Securities and Futures Act 2001. This distinction in Form 4 rather reflects the distinction as per the market practice of whether the A/I LFMC’s customer is an individual or an institution.

Where an A/I LFMC is also exempt from the requirement to hold a financial adviser’s licence, the A/I LFMC should also note that the distinction between funds under “discretionary management” and “under advisory service” does not reflect the distinction between the two regulated activities of fund management and financial advice. Funds “under advisory service” means the value of assets for which the A/I LFMC acts as an advisor without the authority to make investment decisions. This targets funds where the primary fund manager engages the A/I LFMC as an advisor/sub-advisor for a fund.

Form 5 and Form 6

Form 5 and Form 6 must be completed by the A/I LFMC’s external auditor. In Form 5, the auditor confirms that it has audited the A/I LFMC’s accounts. However, the auditor also confirms that nothing has come to its attention that causes it to believe that the A/I LFMC has not complied with all conditions and restrictions applicable to the A/I LFMC under its licence, i.e. under applicable regulations and as imposed in its licence. Due to this confirmation, various external auditors insist on a comprehensive review of the A/I LFMC’s internal controls, not just the A/I LFMC’s accounts. In Form 6, the auditor confirms that the A/I LFMC’s financial statements have been properly drawn up. 

Financial Statements

The financial statements that the A/I LFMC submits as part of its annual returns must be true and fair financial statements made up to the last day of its financial year in accordance with the Companies Act 1967 (reg. 27(8) SF(FMR)R) and must include the management letter (if any). These will be the company’s audited financial statements.

Ingenia Consultants Pte. Ltd. supports financial institutions in their compliance, including the preparation of quarterly and annual returns for fund management companies. This support is included in our outsourced compliance services or can be engaged separately.

For any further information, please contact:

Maurice Yap
Senior Manager
Ingenia Consultants Pte. Ltd.
maurice.yap@ingenia-consultants.com

 

[1] For example, “MAS Takes Enforcement Actions Against China Capital Impetus Asset Management, its Executive Director and Former CEO for Breaches of the Securities and Futures (Licensing and Conduct of Business) Regulations” of 31 July 2024, “MAS Reprimands RVP One Pte. Ltd. and its Chief Executive Officer for Breaches of the Securities and Futures (Licensing and Conduct of Business) Regulations” of 30 July 2024.

In today’s dynamic business environment, managing risks effectively is critical to ensuring operational resilience, complying with regulatory requirements, and achieving organisational objectives. The risk control self-assessment (“RCSA”) process is a vital tool that empowers organisations to proactively identify, evaluate, and mitigate risks.

What is the RCSA process?

The RCSA is a structured and collaborative approach to assess risks and controls within the operations.

The process involves engaging various stakeholders to:

1. Identify Risks: Understand potential threats to achieving organisational objectives.
2. Assess Risks: Evaluate the likelihood and impact of identified risks.
3. Review Controls: Assess the effectiveness of current risk controls.
4. Mitigate Risks: Design and implement action plans to address gaps or improve existing controls.

Benefits of RCSA

The awareness of the risks it is exposed to and the RCSA process, in particular, provide several benefits
to the company.

1. Proactive Risk Management: The RCSA helps organisations identify and address risks before they materialise.
2. Enhanced Control Environment: The RCSA ensures controls are aligned with identified risks.
3. Informed Decision-making and Resource Allocation: The RCSA process provides leadership with actionable insights on risk exposure and helps allocate resources based on business needs.
4. Improved Compliance: The RCSA demonstrates due diligence in meeting regulatory and governance requirements, namely where the company applies a risk-based approach.
5. Collaboration and Awareness: The RCSA fosters a risk-aware culture across all levels of the organisation.

Key steps in the RCSA process

The RCSA process commonly follows the steps below to identify and assess the inherent risks and the existing controls, determine the residual risks based on these two factors and, finally, plan for required actions, if any.

1. Risk Identification

The relevant stakeholders identify the inherent risks that the company and its operations are exposed to. You can leverage tools like process maps, past incident reports, and risk libraries for a comprehensive view.

2. Inherent Risk Assessment

The identified inherent risks are rated based on two criteria: likelihood (frequency) and impact (severity). The risk rating is applied based on a risk matrix.

3. Control Evaluation

Existing controls are listed for each identified risk and evaluated for their adequacy, effectiveness, and efficiency. For this purpose, findings from recent quality assurance and internal and external audits should be considered.

4. Determination of Residual Risk

The residual risk of each inherent risk is determined by the rating of the inherent risk and the strength of the respective controls in accordance with a pre-defined matrix. Residual risks in the same category may be consolidated to obtain an easier understanding of the company’s risk exposure.

5. Action Planning

Where necessary, corrective action is developed, namely in case of inadequate controls or where the residual risk exceeds the company’s risk. Deadlines for the action items are determined, and ownership for their implementation is assigned.

6. Monitoring and Reporting

The progress of mitigation efforts is continuously tracked to ensure their timely implementation and, thus, enhanced risk mitigation. Findings are documented, and the reports are shared with key stakeholders for transparency and accountability.

Tailoring the RCSA Process for Your Business

Every organisation is unique, requiring a customised specific RCSA. Tailoring the RCSA to your business ensures that risk identification and mitigation strategies align with the organisation’s unique objectives, industry, and operational context. This customisation enhances the relevance, efficiency, and effectiveness of your risk management efforts.

We at Ingenia Consultants Pte. Ltd. support our clients in setting up enterprise-wide risk management frameworks commensurate with the nature, size and complexity of their operations. Namely, we help with the RCSA process and document it.

• Industry-specific risk libraries: We provide guidance to your company in identifying and assessing applicable risks leveraging our expertise across various sub-sectors of the financial industry, such as fund management, external asset management, payment services and digital asset services.

• Stakeholder engagement: We facilitate workshops and meetings to align teams with RCSA objectives.

• Periodic reviews: We establish a process and assist your company in reviewing your risks and refining the RCSA process based on evolving risks.

 

For any further information, please contact:
Vijay Bharadwaj
Director
Ingenia Consultants Pte. Ltd.
vijay.bharadwaj@ingenia-consultants.com

On 30 October 2024, the Monetary Authority of Singapore (“MAS”) issued an information paper on “AML/CFT Supervisory Expectations from Recent Inspections”. This information paper sets out the MAS’ expectations and good practices noted in recent anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) inspections conducted across a range of financial institutions (“FIs”), including banks, payment service providers, capital markets services licensees, licensed trust companies and direct life insurers. The information paper encourages financial institutions to benchmark themselves against the practices and supervisory expectations set out in the information paper in a risk-based and proportionate manner and conduct a gap analysis, taking into account the risk profile of their business activities and customers. A separate circular by the MAS emphasises this expectation that financial institutions conduct a gap analysis.

Assessment of Customer Risk

FIs should have a good understanding of their customers’ profiles in order to inform their money laundering (“ML”) and terrorism financing (“TF”) risk assessment of the customer at onboarding and ongoing monitoring of business relations. As part of their inquiries into the customer, FIs should, among other precautions, take reasonable measures to obtain and verify information on their customers’ current and previous nationalities and identities, particularly for higher-risk customers. The FI should then consider all the customer’s current and previous nationalities and identities when assessing potential adverse news screening alerts, including searches in the native languages of countries associated with the customer, and assessing the ML/TF risk. The FI should assess the ML/TF risk, taking into consideration factors such as citizenship and residency by investment (“CBI”/”RBI”) schemes that are assessed to be of higher risk[1], frequent changes in nationalities or key identifiers of the customer, material discrepancies in information or adverse news. However, the MAS also indicates that customers can hold multiple nationalities for legitimate reasons, including via CBI/RBI schemes.

Identification of Material Red Flags

FIs should exercise vigilance in identifying material red flags in documents obtained from customers as part of their customer due diligence (“CDD”) process. Where there are doubts about the legitimacy of documents or representations obtained from or made by the customer, e.g. because of significant discrepancy to publicly available information, accounting anomalies, or lack of official sign-off, further follow-up actions, such as conducting an additional inquiry and independent due diligence on the customer or taking additional risk mitigation measures, such as exiting the business relationship or filing of a suspicious transaction report (“STR”), should be triggered.

FIs should provide clear guidance for their staff on their responsibilities to identify material red flags in documents or representations obtained from or made by customers, including examples and their escalation. The FIs should periodically review their guidance and are encouraged to leverage technology to enhance their detection of potentially fraudulent or tampered documents.

The Monetary Authority of Singapore’s recent circular, issued on 25 October 2024, sets supervisory expectations on anti-scam measures for Major Payment Institutions (“MPIs”) issuing e-wallets, which provide personal payment accounts, i.e., accounts for individuals in Singapore containing e-money.

Effective 15 December 2023, the stock cap for e-wallets has been raised to SGD 20,000 (from SGD 5,000), and the flow cap to SGD 100,000 (from SGD 30,000). MPIs that have already increased the cap are expected to already have the additional requirement (or should otherwise implement them immediately). MPIs wishing to adopt these higher caps must implement specific anti-scam measures beforehand. For MPIs not adopting the higher caps, MAS recommends progressive implementation of these measures to enhance anti-scam resilience.

Below we list a summary of the key requirements of these anti-scam measures that MPIs need to put in place.

Governance and Accountability

➢ Board of directors and senior management oversight: The board of directors and senior management oversee the implementation of anti-scam measures and must ensure that a framework for responding to scams is in place.
➢ A separate unit to assess scam-related disputes independently

Preventive Measures

➢ Restrictions on sending clickable links, QR codes, or phone numbers through SMS, unless specific criteria are met
➢ 12-hour cooling-off period for e-wallet access on new devices
➢ Additional verification for high-risk activities or transfers above SGD 1,000, with warnings about associated risks

Detective Measures

➢ Real-time outgoing transaction alerts and a default transaction threshold set to SGD 0 to detect potential fraud early
➢ Notifications for high-risk activities and new device logins, with user reminders to verify these actions

Remedial Measures

➢ Continuous reporting channels for users to report unauthorised transactions
➢ “Kill switch” allowing users to block their e-wallet if they suspect unauthorised access

 

At Ingenia Consultants Pte. Ltd., we support our clients in drafting policies and procedures and designing controls to comply with regulatory requirements.
For any further information, please contact:

Vijay Bharadwaj
Director
Ingenia Consultants Pte. Ltd.
vijay.bharadwaj@ingenia-consultants.com