An Overview by Aaron Chua of Ingenia Consultants
Merkle Science’s RegWatch provides expert commentary on the impact of recent regulatory developments from our partners. This article has been contributed by Aaron Chua, Manager at Ingenia Consultants a Singapore-based financial services compliance consultancy
With the introduction of the Payment Services Act 2019 (‘’PS Act”), the Notice PSN02 was introduced on the 5th December 2019, and came into effect on the 28 January 2020. Subsequent to that in March 2020, the MAS published the AML Guidelines that shall be read in conjunction with the Notice PSN02 which provides guidance to all digital payment token service providers on the requirements in Notice PSN02.
Whilst a significant portion of the AML Guidelines took reference from the existing guidelines that were provided for the other segments of the financial service industry e.g., entities regulated under the Securities Futures Act, Banking Act, etc., there are a few notable differences to Notice PSN02, possibly to address the differences in the conduct of business for a financial institution that carries out digital payment token service.
Non-face-to-face business relations
MAS and regulators from various jurisdictions are cognizant of the shift in consumers’ expectations of fully digital experiences as online financial services platform gain global traction. To reflect this shift, MAS has in the AML Guidelines expanded on the additional checks that digital payment token service providers could take to verify the identity of the customer to manage the risk of impersonation.
While MAS encourages the use of MyInfo as a verified source of identification information, MAS supports the use of technology solutions that can mange the impersonation risks. Other measures include collection of customer device identifiers, IP addresses, with associated time stamps, geo-location data, real-time conferencing that is comparable to face-to-face communication.
To assess the effectiveness of any technology solutions used to manage impersonal risks, the payment service provider shall engage an independent qualified consultant to assess the effectiveness of the technology solution in managing the risk of impersonation.
Ongoing Monitoring & Transaction Monitoring System
MAS has spelt out in the Guidelines that enhanced monitoring should be conducted for higher risk situations and extend beyond the immediate transaction between the payment service provider or its customer or counterparty e.g., payment service provider may need to trace previous transactions of the digital payment token as far back as necessary to reasonably assess whether the circumstances are unusual or suspicious.
Additionally, the payment service provider shall also make further enquiries when the following circumstances happen:
- frequent and cumulatively large transactions with no apparent reason;
- frequent transfers of digital payment tokens to the same recipient;
- frequent transactions to buy or sell digital payment tokens over a short period of time;
- multiple transfers of digital payment tokens such that amount of each value transfer is not substantial, but the total of which is substantial.
The payment service provider is also required to determine what constitutes suspicious, complex, unusually large or unusual pattern of transactions which includes analysing transaction characteristics that are abnormal in size and frequency to customers of similar profile, coming to and from a higher risk country, etc. More examples are provided by MAS in the AML Guidelines what situations would constitute suspicious transactions and if any transaction is deemed to be reportable to the STRO, should be reported through SONAR.
The payment service provider is also required to immediately freeze any funds, financial assets or economic resources owned or controlled, directly or indirectly, by the specific individuals and entities identified by UN Security council to be contributor of particular threat, or breach of international peace and security that the payment service provider has in its possession, custody or control, which includes digital payment tokens and a STR to be filed promptly.
Additionally, MAS has indicated that virtual assets can be exploited as a payment method, marketed product or targeted item. Payment methods where ransom payment in virtual assets are paid; marketed product where scams sell virtual assets; targeted items where unauthorised transactions are involved with virtual assets through hacking.
Consequently a payment service provider that provides digital payment token services should have robust customer due diligence measures to ensure that there are adequate checks on the source of wealth and source of funds and to have sufficient ongoing monitoring mechanisms to mitigate the risks that the payment service provider is not being abused for ML/TF either by complicit involvement of the account holders, or due to unusual movements arising from hacks or scams.
For more details read the full guidelines published by the MAS here.
How Merkle Science Can Help
Merkle Science provides blockchain transaction monitoring and intelligence solutions to help Singapore based digital payment token service providers to identify, investigate and report suspicious DPT transactions as per the PSN02’s ongoing monitoring and transaction monitoring system requirements:
- A payment service provider shall perform enhanced risk mitigation measures where the transaction involves a transfer of a digital payment token to or a receipt of a digital payment token from an entity other than: (i) a financial institution as defined in section 27A(6) of the MAS Act; or (ii) a financial institution incorporated or established outside Singapore that is subject to and supervised for compliance with AML/CFT requirements consistent with standards set by the FATF — Merkle Science Risk Monitor identifies entities to which clients are transferring DPTs to and from and enables DPT service providers to whitelist and blacklist specific entities.
- A payment service provider shall pay special attention to all complex, unusually large or unusual patterns of transactions, undertaken throughout the course of business relations, that have no apparent or visible economic or lawful purpose — Merkle Science helps firms to flag suspicious transaction activity based on customized risk parameters.
- For the purposes of ongoing monitoring, a payment service provider shall put in place and implement adequate systems and processes, commensurate with the size and complexity of the payment service provider to (a) monitor its business relations with customers; and (b) detect and report suspicious, complex, unusually large or unusual patterns of transactions undertaken throughout the course of business relations. — Merkle Science facilitates ongoing monitoring of DPT client wallet addresses and transactions to flag any potentially suspicious activity.
- A payment service provider shall promptly submit reports on suspicious transactions (including attempted transactions), regardless of the amount of the transaction, to STRO, and extend a copy to the Authority for information — Merkle Science enables DPT service providers to generate one-click STR reports on suspicious addresses and transactions that can be easily sent in PDF format to the MAS and customized to match internal reporting templates. We also provide Enhanced Due Diligence reports that are detailed investigations into suspicious entities or activity compiled by our team of dedicated intelligence analysts for the purpose alleviating the burden of reporting from compliance teams.
- Besides the requirements above, in Appendix B — Examples of Suspicious Transactions, B-5 Other Types of Transactions, includes: Transactions where funds are deposited from or withdrawn to virtual asset addresses with direct or indirect links to known suspicious sources (e.g. darknet marketplaces, mixing/tumbling services, or addresses associated with illegal activities such as ransomware attacks) — Merkle Science Risk Monitor will alert DPT service providers to any inbound or outbound transactions associated with high risk entities that have been tagged in our database. This permits them to take the appropriate action to prevent criminals from exploiting their platforms.
Merkle Science is also currently focussed on developing solutions to ensure FATF travel rule compliance in partnership with other compliance focussed technology providers.
For more information about how we could help your firm meet Singapore’s PSA transaction monitoring requirements contact us at email@example.com.
For any questions regarding the PSA and other compliance requirements please contact Ingenia Consultants.