We asked the FinTech startups in the alumni of Startupbootcamp FinTech Singapore what burning questions they had for a FinTech lawyer and in this article, lawyer WanHsi Yeong from ArrowGates LLC simplifies and demystifies regulation around FinTech in Singapore, and offers practical advice for existing and aspiring FinTech entrepreneurs.
The 3 Regulatory Pillars of FinTech
Where is FinTech in Asia headed?
To date, most FinTech activity has been concentrated in the payments space, where mobile and e-commerce have led to real demand from consumers and merchants who were poorly or inadequately served by traditional products and providers. Tech In Asia notes that 3 out of the 4 fintech startups featured by TiA dealt with payments.
Other innovations that are entering the mainstream include alternative finance platforms, including crowdfunding and Peer-to-Peer (P2P) lending.
Future innovations that have been attracting the interest of FinTechs include opportunities enabled by the “internet of things” and Blockchain technologies. In a later article, I will break down major trends affecting the FinTech space (watch out for it later this week!).
Regulations — necessary, challenging but they also create opportunity
FinTech is a particularly rich area for innovation, both because of and despite regulation. Regulations are necessary to protect the stability of the financial system and the consumer.
FinTech startups which are on top of or even ahead of the regulations have a great competitive edge in safeguarding their business model (staying out of trouble) and building the necessary partnerships (e.g. with regulators and other partners). This is precisely because complying with regulations (in the form of securing licences, crafting strong T&Cs and data privacy policies, developing the necessary partnerships and cementing them with robust contracts) creates a barrier to entry for potential entrants which do not have the savvy and stamina to navigate the choppy regulatory waters.
The regulatory challenge that all FinTech Startups face
It can be challenging for many FinTech startups. Personal Data Protection Act (“PDPA”), Anti-Money Laundering (“AML”) Regulations, Securities and Futures Act (“SFA”)… Sorting through the various regulations can be tedious because there are multiple regulatory bodies and regulations overseeing different parts of the FinTech legal framework, and they are all important and cannot be overlooked.
It is also challenging to sort through which of these regulations apply across the board to all FinTech business models, and which of these are particularly important to your specific business model. For example, if you collect, process and store personal customer data, PDPA becomes a prominent regulation for you to watch out for and refine your business model / T&Cs around (more on this later).
In addition to this, regulations are changing very rapidly as regulatory bodies try to keep up with the fast-changing market. It can be frustrating to keep up with it all, but this also presents opportunity.
Many FinTechs choose to incorporate in Singapore even if they target other markets in Southeast Asia
Many FinTech startups are incorporated in Singapore mainly for the following reasons:
- Singapore is the headquarters for many banks and financial institutions in the Asia-Pacific region;
- Strong regulatory environment;
- Good legal framework (Venture Capital firms often ask funds to incorporate here even if the market is not SG);
- Increasingly vibrant startup community and availability of funds; and
- Favorable tax structure.
The World Bank has ranked Singapore as the easiest place to do business. INSEAD and the World Economic Forum also named Singapore the most “technology-ready” nation. This isn’t a coincidence but is part of a larger strategy by the Singapore government to put itself at the forefront of progress. Singapore plans to become the world’s first Smart Nation by 2030, with the aim of offering better living conditions through extensive use of technology.
Specifically for FinTech, the Monetary Authority of Singapore (MAS) has launched a “Financial Sector Technology and Innovation” scheme, an initiative that aims to allocate S$225 million over the next five years to help foster the domestic fintech sector.
Even if your startup does not have Singapore as a key target market for your client base, it is often useful to benchmark your business model in Singapore because of its strong regulatory environment.
Navigating the Regulatory Landscape – Primary pillars that every FinTech needs to build
While it is appealing to move fast to develop a minimum viable product and validate your FinTech business idea on a very small and closed test, you will eventually need to get yourself aligned with regulations at some point, sooner rather than later, if you see any kind of traction in your business idea.
The 3 Regulatory Pillars of FinTech
As a lawyer I have delved into the minutiae of the necessary regulations and to simplify the regulatory landscape in Singapore, I would say that there are essentially 3 major pillars you should look to build under your FinTech to make it sustainable and protect your business.
- Obtain the necessary licences for your FinTech business model
- Make sure that you are compliant with PDPA
- If applicable, make sure that you are collecting the right information to conduct sufficient KYC procedures in order to be compliant with AML/CFT regulations
There are some important developments in FinTech regulation:
Obtain the relevant licences you require
First, ensure that you obtain the relevant licence required to run your business. Not all FinTech business models require licences at the moment (that might change), but I will elaborate further on the licences which FinTech firms should look at or are required to obtain for their business model.
Personal Data Protection Act (PDPA) — balancing the need to collect data and the rights of individuals
Secondly, PDPA caused a stir when it was announced and came into effect not so long ago.
One of the main objectives of the PDPA is to position Singapore as a hub for global data management and cloud computing. The PDPA governs the collection, use and disclosure of Personal Data in a way that recognizes and balances protecting the rights of individuals with the need to collect, use or disclose Personal Data for purposes that a reasonable person would consider appropriate.
Therefore, if you collect, process, use and disclose personal customer data, even something as basic as phone numbers and emails, you are required to be PDPA compliant. I will share how you can do this later.
Anti-Money Laundering — You need to collect the right data to know and verify your clients (Know Your Customer or KYC)
Lastly, FinTech companies have to ensure they have the appropriate Anti-Money Laundering (AML) and Countering of Terrorism Financing (CFT) controls in place.
In general, financial institutions operating in Singapore are required to put in place robust controls to detect and deter the flow of illicit funds through Singapore’s financial system. Money laundering is the process of converting income that was obtained by criminal or illegitimate means to give the appearance of having come from a legal or legitimate source.
Terrorism financing refers to the process of hiding funds to sponsor or facilitate terrorist activity.
FinTech companies, especially those dealing with online payments, or internet-based stored value facility holders, have been identified as one of the higher-risk sub-sectors since they may process significant sums of funds across borders. While most, if not all, of these transactions may be legitimate, it remains necessary for FinTech companies (in this case internet-based stored value facility holders) to verify and clear all customers of red flags.
That said, the AML/CFT regulations, supervisory regime and control measures in these sub-sectors relating to FinTech are nascent and relatively new. Global best practices and standards are still being developed. MAS is considering additional supervisory powers and AML/CFT requirements to mitigate the risks.
Pillar 1 — Know and secure the licences that you require
There is no generic catch-all “FinTech licence” as such at this stage, as much as many startups would like this to simplify it all! To operate your FinTech you might need one, a few or perhaps no licences to do so. It is crucial to determine which regulatory regime is applicable to your FinTech business model and activities since this will determine which licences you need.
Generally, if your business model facilitates outbound payments, you may want to look at the Money Changing and Remittance Business Act. If you provide prepaid wallet or stored value services, you may fall under the Payment Systems (Oversight) Act.
If you provide crowdlending services, you may want to refer to the Securities and Futures Act. Depending on your specific business model, these may or may not be applicable.
Depending on the business model you have, the main licences that are applicable for FinTech in Singapore are set out below. Please do note that this is a fairly comprehensive summary, but still a summary, so do follow the links in the table to get the full details!
| Licence and statute | Applicable to | Comments – Licensing Requirements and Other Criteria |
| --- | --- | --- |
| Capital Markets Services (CMS) Licence under the Securities and Futures Act (SFA). Issued by Monetary Authority of Singapore (MAS) | FinTech which: / Exemptions: / Examples of companies: | Requirements: / Cost for a new licence – S$1,000; Annual fees – depends on business |
| Financial Advisers (FA) Licence under the Financial Advisers Act (FAA). Issued by Monetary Authority of Singapore (MAS) | FinTech which: / Exemptions: / Examples of companies: | Requirements: / Cost of a new licence – S$500; Subsequent annual fee – S$2,000 |
| Finance Companies Licence under the Finance Companies Act (FCA). Issued by Monetary Authority of Singapore (MAS) | Companies that accept fixed and saving deposits and/or credit facilities | Requirements: / Annual fee – S$35,000 for head or main office of finance company and $5,000 for each branch office or sub-branch office |
| Moneylenders Licence under the Moneylenders Act | Entities that engage in the business of moneylending (either as principal or agent), regardless of whether they have other unrelated businesses / Examples of companies: | Requirements: / Moneylender’s Test Fee – $130; Licence Application Fee – $600; Annual Licence Fee – $1,320 |
| Money-Changers Licence under the Money-Changing and Remittance Business Act. Issued by Monetary Authority of Singapore (MAS) | Entities that buy or sell foreign currency notes / Examples of companies: | Requirements: / New Application Fee – $200; Licence Fee for first place of business – $1,300 |
| Remittance Licence under the Money-Changing and Remittance Business Act. Issued by Monetary Authority of Singapore (MAS) | Entities that accept monies for the purpose of transmitting them to persons resident in another country or a territory outside Singapore / Examples of companies: | Requirements: / New Application Fee – $500; Licence Fee for first place of business – $4,000 |
| Insurance Licence under the Insurance Act (IA). Issued by Monetary Authority of Singapore (MAS) | Entities that: / Examples of companies: | Requirements: / Licence fees – on a case by case basis, MAS may prescribe different annual fees for different classes of insurance business or for different types of licenced insurers/insurance brokers. |
| Banking Licence under the Banking Act (BA). Issued by Monetary Authority of Singapore (MAS) | Entities that: / There are currently no online-only fintech banks in Singapore. An example can be found in the UK, Tandem – a digital-only financial services company (granted a UK banking licence) and Atom Bank – an online-only bank (granted a UK banking licence) | Requirements: / New Application Fee – None; Additional branch – $10,000; Additional limited purpose branch – $1,000; Licence Fee (for wholesale banking licence) – $100,000; Additional limited purpose branch – $1,000; Licence Fee (for bank incorporated outside Singapore) – $75,000; Additional limited purpose branch – $1,000 |
Pillar 2 — PDPA simplified
What is PDPA?
PDPA is the acronym for the Personal Data Protection Act that came into effect in 2015 to balance the need to collect basic personal data to render services with the need to protect personal data collected.
What qualifies as personal data?
Personal data under the PDPA is defined as any data which can identify an individual, either on its own or in conjunction with any other data held or likely to be held by any organization. The definition applies to all types of data including health, employment and financial standing data, whether electronic or not, and regardless of the degree of sensitivity.
This includes personal data collected through the use of internet cookies.
Some personal data is exempted
There are a few exemptions to what qualifies as personal data under the PDPA:
- Business contact information relating to an individual’s name, position, business address, number, email or similar information
- Personal data relating to individuals who have been deceased for over ten years (subject to some exceptions)
- Personal data which has been on record for over 100 years
What kind of FinTech needs to pay extra attention to PDPA?
As long as your FinTech business model requires the collection and use of personal data, you are required to comply with the PDPA, for example, crowdfunding and crowdlending platforms, payment and remittance service providers, or if the business model requires a client/customer account to be set up.
PDPA applies to the private sector and to any data collected in Singapore
The first thing to note is that the PDPA applies only to the private sector. It applies to organisations irrespective of their size and of where they are geographically located (including organisations not located in Singapore), as long as the personal data in question is collected in Singapore.
It does not apply to Singapore’s public sector.
So, what exactly must I do to comply with PDPA?
Here is a practical list of what you have to do to be sure you are PDPA compliant:
- Obtain the consent of individuals in your terms of use / terms & conditions
- Prepare the company’s personal data privacy policy and make it available to the public
- Implement the personal data privacy policy
- Appoint a data protection officer
- Build in physical and computer safeguards against wrongful access to data
- Control and limit access to personal data to key authorized personnel who will need it to do their jobs
- Educate employees to avoid any accidental breaches
- Make sure that users have access to edit or delete their personal data
- Respond to data-related requests promptly
- Check the Do-Not-Call Registry before you send marketing content out
Pillar 3 — Anti-Money Laundering & Counter Financial Terrorism Controls
Financial institutions operating in Singapore are required to put in place robust controls to detect and deter the flow of illicit funds through Singapore’s financial system.
To do so, these financial institutions (which include FinTech startups) are required to:
(i) Collect the right data to identify, know and verify their customers (KYC),
(ii) Conduct regular account reviews, and
(iii) Monitor and report any suspicious transaction.
Depending on the type of FinTech business model, the specific requirements and standards for financial institutions are set out in the respective MAS Notices on the Prevention of Money Laundering and Countering the Financing of Terrorism (AML/CFT Notices), and MAS Guidance Papers.
It is critical that FinTech firms and investors understand whether and to what extent their businesses are subject to AML laws and regulations. To profile your FinTech’s money laundering and terrorism financing risk, you should consider:
- Customers of the company
- Countries and jurisdictions that the FinTech is incorporated and operates in
- Products, services, transactions and delivery channels of the company
If your FinTech is subject to AML/CFT regulations, it becomes important for you to carry out at least a minimum level of due diligence on your clients and stakeholders.
Here is a list of steps you need to take to be AML / CFT compliant.
- Identify areas of Money Laundering (ML)/Terrorism Financing (TF) risk in your FinTech company. At minimum, assess across the following five risk categories
- Ensure that the mitigating measures in place are commensurate with the ML/TF risks identified: put in place mitigating measures and designate an AML Compliance Officer/Unit
- Reassess the AML risk before the launch of any new products, technologies and practices
- Conduct AML/CFT training
- Conduct customer due diligence (CDD) / KYC procedures
- Conduct simplified CDD if the risks of money laundering and terrorist financing are low
- Conduct enhanced customer due diligence (EDD) if the risks are deemed high
- Report transactions that are or appear to be suspicious
How to identify PEP
As mentioned above, PEPs should be subject to enhanced due diligence (EDD). The term politically exposed person (PEP) generally includes an individual who is or has been entrusted with a prominent public function, their immediate family, and their close associates. This does not mean that they are likely to be involved in suspicious activity, but it warrants EDD to be sure:
- EDD is required in all circumstances for PEPs.
- When establishing the identity of a customer (e.g. in the account opening form), consider these factors:
  - Official responsibilities of the individual’s political office
  - Nature of the title (e.g., honorary or salaried)
  - Level and nature of authority or influence over government activities or other officials
  - Access to significant government assets or funds
- Review the PEP’s income sources, financial information and professional background, past and present employment, as well as general references
Developments in FinTech Regulation
There are some important developments in FinTech regulation which I will not go into detail in this article but that you should know about:
- MAS is creating a Sandbox regime to allow experimentation
- MAS is also relaxing requirements for crowdfunding
- A standalone Cybersecurity Bill will be tabled in Parliament next year to keep pace with the evolving cybersecurity landscape in Singapore and beyond. The new Bill will ensure that the operators of Singapore’s critical information infrastructure (“CII”) take proactive steps to secure such CIIs and report incidents of cybersecurity breaches.
Putting it all together now
- FinTech in Singapore is growing quickly and transitioning to a dynamic ecosystem, not only for startups to grow but also for FinTech companies to scale up from Singapore to the region
- The legal and regulatory framework within which FinTech develops will continue to grow, evolve and progress
- There are currently no specific regulations that deal with FinTech in Singapore; a FinTech may be regulated under a wide range of legislation such as the Banking Act, Securities and Futures Act, Moneylenders Act
- Expect more change to come. Savvy businesses should see this as an opportunity to gain a competitive advantage; keep up to date with regulation and make sure that your FinTech company complies with regulation without getting distracted from your main business
- Focus on the 3 pillars of a good FinTech base to safeguard your business
- Data protection and cyber-security are ongoing challenges for FinTech companies, which are a target of cyberattacks due to the volume and sensitivity of the data being processed, so make sure you protect your FinTech data
- Keep up to speed on developments like the MAS Sandbox, the standalone Cybersecurity bill due next year and the upcoming sector-specific guidelines by the Personal Data Protection Commission
The bottom line is that compliance continues to evolve as the fintech business environment matures and becomes more complicated. Stay informed and take the necessary steps to build a solid foundation under your business to stay competitive and make sure your business doesn’t suddenly run into major roadblocks because you did not take these steps.
This article is written by Yeong WanHsi from ArrowGates LLC and edited by Gabriel The from Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.