Fintech Regulation in Singapore — What you need to know, simplified

Reading Time: 20 minutes

We asked the FinTech startups in the alumni of Startupbootcamp FinTech Singapore what burning questions they had for a FinTech lawyer and in this article, lawyer WanHsi Yeong from ArrowGates LLC simplifies and demystifies regulation around FinTech in Singapore, and offers practical advice for existing and aspiring FinTech entrepreneurs. 

The 3 Regulatory Pillars of FinTech

Where is FinTech in Asia headed?

To date, most FinTech activity has been concentrated in the payments space, where mobile and e-commerce has led to real demand from consumers and merchants who were poorly or inadequately served by traditional products and providers. Tech In Asia notes that 3 out of the 4 fintech startups featured by TiA dealt with payments.

Other innovations that are entering the mainstream include alternative finance platforms, including crowdfunding and Peer-to-Peer (P2P) lending.

Future innovations that have been attracting the interest of FinTechs include opportunities enabled by the “internet of things” and Blockchain technologies. In a later article, I will break down major trends affecting the FinTech space (watch out for it later this week!).

Regulations — necessary, challenging but they also create opportunity

FinTech is a particularly rich area for innovation, both because and despite of regulation. Regulations are necessary to protect the stability of the financial system and the consumer.

FinTech startups which are on top or even ahead of the regulations have a great competitive edge in safeguarding their business model (staying out of trouble) and building the necessary partnerships (e.g. with regulators and other partners). It is precisely because, in complying with regulations (in the form of securing licences, crafting strong T&Cs and data privacy policies, developing the necessary partnerships and cementing them with robust contracts), it creates a barrier to entry to potential entrants which do not have the savvy and stamina to navigate the choppy regulatory waters.

The regulatory challenge that all FinTech Startups face

It can be challenging for many FinTech startups. Personal Data Protection Act (“PDPA”), Anti-Money Laundering (“AML”) Regulations, Securities and Futures Act (“SFA”)… Sorting through the various regulations can be tedious because there are multiple regulatory bodies and regulations overseeing different parts of the Fintech legal framework, and they are all important and cannot be overlooked).

It is also challenging to sort through which of these regulations apply across the board to all FinTech business models, and which of these are particularly important to your specific business model. For example, if you collect, process and store personal customer data, PDPA becomes a prominent regulation for you to watch out for and refine your business model/ T&Cs around (more on this later).

In addition to this, regulations are changing very rapidly as regulatory bodies try to keep up with the fast-changing market. This can be frustrating to keep up with it all, but also presents opportunity.

Many FinTechs choose to incorporate in Singapore even if they target other markets in Southeast Asia

Many FinTech startups are incorporated in Singapore mainly for the following reasons:

1. Singapore is the headquarters for many banks and financial institutions in the Asia-Pacfic region;
2. Strong regulatory environment;
3. Good legal framework (Venture Capital firms often ask funds to incorporate here even if market is not SG);
4. Increasingly vibrant startup community and availability of funds; and
5. Favorable tax structure.

The World Bank has ranked Singapore as the easiest place to do business. INSEAD and the World Economic Forum also named Singapore the most “technology-ready” nation. This isn’t a coincidence but is part of a larger strategy by the Singapore government to put itself at the forefront of progress. Singapore plans to become the world’s first Smart Nation by 2030 which targets to offer better living conditions through extensive use of technology.

Specifically for FinTech, the Monetary Authority of Singapore (MAS) has launched a “Financial Sector Technology and Innovation” scheme, an initiative that aims to allocate S$225 million over the next five years to help foster the domestic fintech sector.

Even if your startup does not have Singapore as a key target market for your client base, it is often useful to benchmark your business model in Singapore  because of its strong regulatory environment.

Navigating the Regulatory Landscape – Primary pillars that every FinTech needs to be build

While it is appealing to move fast to develop a minimum viable product and validate your FinTech business idea on a very small and closed test, you will eventually need to get yourself aligned with regulations at some point, sooner rather than later, if you see any kind of traction in your business idea.

The 3 Regulatory Pillars of FinTech

As a lawyer I have delved into the minutiae of the necessary regulations and to simplify the regulatory landscape in Singapore, I would say that there are essentially 3 major pillars you should look to build under your FinTech to make it sustainable and protect your business.

Obtain the necessary licences for your FinTech business model	Make sure that you are compliant with PDPA	If applicable, make sure that you are collecting the right information to conduct sufficient KYC procedures order to be compliant with AML/CFT regulations
Check if you qualify for the MAS Sandbox programme Identify if and which licences your business model needs Take steps to make sure you meet the necessary requirements to apply for your licence If the licences are too difficult to obtain, explore partnerships with partners who already have the licence	Obtain consent of individuals for your collection and use of their personal data Have a privacy policy, to be made available to the public Implement the privacy policy Appoint a data protection officer Build in physical and computer safeguards to prevent wrongful access of personal data Control and limit access to personal data Educate employees to avoid accidental breaches Make sure that users have access to modify or delete their personal data Respond to data-related requests promptly Check the Do-Not-Call Registry before you send marketing content out	Determine your FinTech business model’s risk of money laundering and financial terrorism If your risk is low, do a simplified customer due diligence If your risk is high, do enhanced due diligence Promptly report any suspicious activity
There are some important developments in FinTech regulation: MAS is creating a Sandbox program to allow experimentation MAS is also reducing requirements for crowdfunding (lower capital and reporting requirements) There will be a standalone Cybersecurity Bill to keep ace with the evolving cybersecurity landscape

Obtain the relevant licences you require

First, ensure that you obtain the relevant licence required to run your business. Not all FinTech business models require licences at the moment (that might change), but I will elaborate further as to the licences which FIntech firms should look at/are required to obtain for their business model.

Personal Data Protection Act (PDPA) — balancing the need to collect data and the rights of individuals

Secondly, PDPA caused a stir when it was announced and came into effect not so long ago.

One of the main objectives of the PDPA is to position Singapore as a hub for global data management and cloud computing. The PDPA governs the collection, use and disclosure of Personal Data to recognize and balance protecting the right of individuals with the need to collect, use or disclose Personal Data for purposes that a reasonable person would consider appropriate.

Therefore, if you collect, process, use and disclose personal customer data, even something as basic as phone numbers and emails, you are required to be PDPA compliant. I will share how you can do this later.

Anti-Money Laundering — You need to collect the right data to know and verify your clients (Know Your Customer or KYC)

Lastly, FinTech companies have to ensure they have the appropriate Anti-Money Laundering (AML) and Countering of Terrorism Financing (CFT) controls in place.

In general, financial institutions operating in Singapore are required to put in place robust controls to detect and deter the flow of illicit funds through Singapore’s financial system. Money laundering is the process of converting income that was obtained by criminal or illegitimate means to give the appearance of having come from a legal or legitimate source.

Terrorism financing refers to the process of hiding funds to sponsor or facilitate terrorist activity.

FinTech companies, especially those dealing with online payments, or internet-based stored value facility holders, have been identified as one of the higher-risk sub-sectors since they may process significant sums of funds across borders. While most, if not all of these transactions may be legitimate, it remains necessary for FinTech companies (in this case internet-based storage value facility holders) to verify and clear all customers of red flags.

That said, the AML/CFT regulations, supervisory regime and control measures in these sub-sectors relating to Fintech are nascent and relatively new. Global best practices and standards are still being developed. MAS is considering additional supervisory powers and AML/ CFT requirements to mitigate the risks.

---

Pillar 1 — Know and secure the licences that you require

There is no generic catch-all “FinTech licence” as such at this stage, as much as many startups would like this to simplify it all! To operate your FinTech you might need one, a few or perhaps no licences to do so. It is crucial to determine which regulatory regime is applicable to your FinTech business model and activities since this will determine which licences you need.

Generally, if your business model facilitates outbound payments, you may want to look at the Money Changing and Remittance Business Act. If you provide prepaid wallet or stored value services, you may fall under the Payment Systems (Oversight) Act.

If you provide crowdlending services, you may want to refer to the Securities and Futures Act. Depending on your specific business model, these may or may not be applicable.

Depending on the business model you have, the main licences that are applicable for FinTech in Singapore are set out below. Please do note that this is a fairly comprehensive summary, but still a summary, so do follow the links in the table to get the full details!

Licence/ and under which Statute	Applicable to	Comments – Licensing Requirements and Other Criteria
Capital Markets Services (CMS) Licence under the Securities and Futures Act (SFA) Issued by Monetary Authority of Singapore (MAS)	FinTech which: Deal in securities (minimum group shareholders’ funds of S$200M) Trade futures contracts Finance securities Providing custodial services for securities Trade leveraged FOREX Advise on corporate finance matters Manage funds (>S$1B of global funds) Manage REITs Exemptions: Banks, merchant banks, finance companies, and insurance companies Individuals acting on the behalf of someone who already holds a CMS licence or is exempt Examples of companies: CoAssets – digital crowdfunding platform (granted CMS Licence from MAS) Crowdo — digital crowdfunding and lending, requires investors to be accredited (received provisional CMS from MAS, only for Singapore operations) Infinity Partners — high-end Singapore financial advisory (holds CMS licence) Funding Societies, MoolahSense and Capital Match (will now have to apply for a CMS Licence)	Requirements: Must be a corporation Established track record, management skills and financial soundness for past 5 years Operate out of a physical space in Singapore Have future business plans Have strong internal compliance Satisfy minimum financial requirements set out by the SFA Satisfy base capital requirements Covered by professional indemnity insurance CEO or director must be Singaporean At least 2 members on board At least 2 full-time employees for each regulated activity that the corporation is seeking licence for Each of said employees to have a representative’s licence for activity Cost for a new licence — S$1,000 Annual fees — depends on business
Financial Advisors (FA) Licence Financial Advisers Act (FAA) Issued by Monetary Authority of Singapore (MAS)	FinTech which: Advise on investment products Issue reports on investment products Market any collective investment schemes Arrange life insurance products Exemptions: Banks, merchant banks, finance companies, insurance companies, insurance brokers and holders of a CMS Licence Individuals acting on the behalf on an exempt person (from FA licence) Singaporean residents who acts as a financial adviser who gives advice on investment products (excluding life insurance policies) <30 “accredited investors” Examples of companies: iFast Corporation – internet-based investment products distribution platform (holds both FA Licence and CMS Licence) In comparison, WeInvest (does not require FA Licence) is a wealth-management  platform that aggregates financial info to let users search and compare over 20,000 products and matched to a broker (does not give financial or investment advice)	Requirements: Must be a corporation Has established physical presence in Singapore Established track record, management skills and financial soundness for past 3 years Have future business plans Have strong internal compliance Satisfy base capital requirements Covered by professional indemnity insurance (>$500k and allowable deductible <20% of applicant’s NAV) CEO & Executive Director must each have >5 years experience in financial advisory, >3 years in management capacity and proper academic qualifications CEO or director must be Singaporean At least 2 members on board At least 2 full-time employees for each activity seeking licence for Cost of a new licence — S$500 Subsequent annual fee – S$2,000
Finance Companies Licence under Finance Companies Act (FCA) Issued by Monetary Authority of Singapore (MAS)	Companies that accept fixed and saving deposits and/or credit facilities	Requirements: Must be a corporation Has established physical presence in Singapore Have strong internal compliance Satisfy minimum capital requirements Including employees, officers and substantial shareholders Annual fee – S$35,000 for head or main office of finance company and $5,000 for each branch office or sub-branch office
Moneylenders Licence Under the Moneylenders Act Issued by Insolvency and Public Trustee’s Office (ITPO) – Ministry of Law and the Registry of Money Lenders	Entities that engages in the business of moneylending either as principal or agent), regardless if it has other unrelated businesses Examples of companies: Capital Match —  peer-to-peer lending (excluded and does not require a Moneylenders Licence as it lends only to companies) If P2P platform lends to individual, it is an uncertain area as there are  no precedents.	Requirements: May be sole-proprietorship, partnership or a company Person responsible for the management of the moneylending business has to pass a Moneylender’s test prior to applying for licence Business premises has to be deemed suitable by the Registrar for Moneylending Security deposit of S$20,000 for every place of business Moneylender’s Test Fee – $130 Licence Application Fee  – $600 Annual Licence Fee – $1,320
Money-Changers Licence under the Money-Changing and Remittance Business Act Issued by Monetary Authority of Singapore (MAS)	Entities that buy or sell foreign currency notes Examples of companies: There is Cash2Cash, which is a peer-to-peer currency exchange platform in Singapore. It allows people to exchange foreign currency using their mobile phones (not licensed, as it is purely peer-to-peer) However, an example may be found in the UK. freemarketFX – a currency exchange platform wherecompanies can directly match their currency requirements with their peers for a fixed commission charge of 0.2% (authorised by the Financial Conduct Authority in the UK)	Requirements: May be a company or partnership Established track record, management skills and financial soundness previous years Has established physical presence in Singapore If sole proprietorship, must be a Singapore citizen If company, >51% of equity controlled by Singaporean citizen Wholly-owned Singapore subsidiary of a foreign bank, or a foreign company primarily engaged in money-changing — track record Anti-money laundering in place Additional criteria for board New Application Fee – $200 Licence Fee for first place of business – $1,300
Remittance Licence under the Money-Changing and Remittance Business Act Issued by Monetary Authority of Singapore (MAS)	Entities that accept monies for the purpose of transmitting them to persons resident in another country or a territory outside Singapore Examples of companies: MatchMove Pay — fintech startup that aims to bring online and mobile payments to Southeast Asia (granted a remittance Licence) Toast — blockchain-powered remittance company catering to Singapore’s migrant workers (currently applying for a Remittance Licence)	Requirements: May be a company Established track record, management skills and financial soundness previous years >51% of equity controlled by Singaporean citizen Wholly-owned Singapore subsidiary of a foreign bank, or a foreign company primarily engaged in money-changing — track record Business plans that include anti-money laundering and countering the financing of terrorism policies and procedures Satisfy minimum capital requirements (at least S$100,000) Additional criteria for board New Application Fee – $500 Licence Fee for first place of business – $4,000
Insurance Licence under the Insurance Act (IA) Issued by Monetary Authority of Singapore (MAS)	Entities that: Assumes risk or undertakes liability in Singapore under policies Receives proposals for policies in Singapore Issue policies in Singapore Collect or receive premiums on policies in Singapore Examples of companies: Direct Asia Insurance which has the goal of changing the insurance business in Asia by providing customers with the ability to buy insurance products directly, cutting out middlemen and brokers.	Requirements: Must be a corporation Established track record, management skills and financial soundness previous years Have business plans that reflect the risk profile Robust risk management systems and processes that are commensurate with the size and complexity of business Satisfy minimum capital requirements (funding solvency & capital) Licence fees – on a case by case basis, MAS may prescribe different annual fees for different classes of insurance business or for different types of licenced insurers/insurance brokers.
Banking Licence under Banking Act (BA) Issued by Monetary Authority of Singapore (MAS)	Entities that: Receives money on current or deposit account Pays and collects cheques drawn by or paid in by customers Makes advances to customers There are currently no online-only fintech banks in Singapore. An example can be found in the UK, Tandem – a digital-only financial services company (granted a UK banking licence) and Atom Bank – an online-only bank (granted a UK banking licence)	Requirements Must be a corporation Established track record, management skills and financial soundness previous year Applies to any parent company or major shareholders. Factors to be taken into consideration – Ranking of the applicant and its parent institution in the world and home country in terms of total assets and capital strength, strength of the home country supervision and the willingness and ability of the home supervisory authority to cooperate with MAS Satisfy the minimum financial requirements (Paid up Capital not less than $1.5 billion if incorporated in Singapore) Maintain a capital adequacy ratio of not less than 12% Have well-considered strategy in banking or financial service Have business plans which include a detailed assessment of the sustained economic viability as well as the nature and criticality of the business Robust risk management systems and processes that are commensurate with the size and complexity of proposed business New Application Fee  – None Licence Fee (for full banking licence) – $125,000 Additional branch – $10,000 Additional  limited purpose branch – $1,000 Licence Fee (for wholesale banking licence) – $100,000 Additional  limited purpose branch – $1,000 Licence Fee (for bank incorporated outside Singapore) – $75,000 Additional  limited purpose branch – $1,000

---

Pillar 2 — PDPA simplified

What is PDPA?

PDPA is the acronym for the Personal Data Protection Act that came into effect in 2015 to balance the need to collect basic personal data to render services with the need to protect personal data collected.

What qualifies as personal data?

Personal data under the PDPA is defined as any data which can identify an individual, either on its own or in conjunction with any other data held or likely to be held by any organization. The definition applies to all types of data including health, employment and financial standing data, whether electronic or not, and regardless of the degree of sensitivity.

This includes personal data through the use of internet cookies.

Some personal data is exempted

There are a few exemptions to what qualifies as PDPA:

• Business contact information relating to an individual’s name, position, business address, number, email or similar information
• Personal data relating to individuals who have been deceased for over ten years (subject to some exceptions)
• Personal data which has been on record for over 100 years, are all exempt

What kind of FinTech needs to pay extra attention to PDPDA?

As long as your FinTech business model requires the collection and use of personal data, you are required to comply with the PDPA, for example, crowdfunding and crowdlending platforms, payment and remittance service providers, or if the business model requires a client/customer account to be set up.

PDPA applies to the private sector and for any date collected in Singapore

The first thing to note is that PDPA only applies to the private sector in Singapore, irrespective of size and where the organization is geographically located (applies to organisations not located in Singapore), where the personal data in question is collected in Singapore.

It does not apply to Singapore’s public sector.

So, what exactly must I do to comply with PDPA?

Here is a practical list of what you have to do to be sure you are PDPA compliant:

• Must obtain consent of individuals
• Prepare the company’s personal data privacy policy to be made available to the public
• Implement the personal data privacy policy
• Appoint a data protection officer
• Build in physical and computer safeguards to wrongful access of data
• Control and limit access to personal data to key authorized personnel
• Educate employees to avoid any accidental breaches
• Build in physical and computer safeguards to wrongful access of data

Must have and make publicly available a personal data privacy policy	Must have a personal data privacy policy which sets out the FinTech firm’s collection, use, purpose, disclosure and retention of an individual’s personal data, including how the individual may access and withdraw consent to his/her personal data being collected and used Said Privacy Policy must be made available to the public, usually to be put online on the website
Must obtain consent of individuals in your terms of use / terms & conditions	Inform the individual that their personal data will be collected and how it will be used in a way that a reasonable person would consider appropriate in the circumstances Must require positive action to confirm individual really consented; must use an opt-in mechanism and not an opt-out mechanism Consent must be voluntarily provided, usually when an individual takes an action like creating an account or buying a product / service
Appoint a data protection officer	PDPA specifically requires that organisations designate one or more individuals to be the organisation’s data protection officer His role — ensure organization complies with PDPA Business contact information of data protection officer needs to be made known to the public
Build in physical and computer safeguards to wrongful access of data	Implement generally accepted standards of technology and operational security to protect the personal data in its possession Make sure there are physical and computer security and access controls to the personal data Also make sure that confidential documents containing the personal data are properly disposed of The PDPC has a guide to securing data in electronic medium links
Control and limit access to personal data to key authorized personnel who will need it to do their jobs	Limit access to personal data to only authorized personnel Ensure that only authorized personnel have agreed to ensure confidentiality of this information
Educate employees to avoid any accidental breaches	Employees may unwittingly / accidentally share personal information which exposes you to infringements of PDPA Educate your employees on PDPA regulation Set up Standard Operating Procedures for the collection, use, disclosure, access to, and retention, of personal data
Make sure that users have access to edit or delete their personal data	Individuals must be provided the option to correct and error or omission, update their personal data or withdraw consent to the use/collection/disclosure of their personal data If and once an individual withdraws consent, you have to destroy their data unless there are legal or business reasons to justify keeping it
Respond to data-related requests promptly	Respond to all data-related requests within 30 days
Check the Do-Not-Call Registry before you send marketing content out	The DNC allows individuals to opt out of receiving unsolicited marketing messages Check whether intended recipients are registered with the DNC before doing so (operational since 2 January 2014) Exemption — businesses are, however, allowed to promote related products and services to individuals with whom they have an “ongoing  relationship” without having to consult the DNC

 

---

Pillar 3 — Anti-Money Laundering & Counter Financial Terrorism Controls

Financial institutions operating in Singapore are required to put in place robust controls to detect and deter the flow of illicit funds through Singapore’s financial system.

To do so, these financial institutions (which include FinTech startups) are required to:

(i)  collect the right data to identify, know and verify their customers (KYC)

(ii) Conduct regular account reviews, and

(iii) Monitor and report any suspicious transaction.

Depending on the type of FinTech business model, the specific requirements and standards on the financial institutions are set out in the respective MAS’ Notices on the Prevention of Money Laundering and Countering the Financing of Terrorism (AML/CFT Notices), and MAS Guidance Papers.

It is critical that FinTech firms and investors understand whether and to what extent their businesses are subject to AML laws and regulations. To profile your FinTech’s risk to ML & CTF, you should consider:

• Customers of the company
• Countries and jurisdiction that FinTech is incorporated and operates in
• Products, services, transactions and delivery channels of the company

If they are subject to AML / CFT regulations, then it becomes important for you to undertake efforts to do a minimum due diligence on their clients and stakeholders.

Here is a list of steps you need to take to be AML / CFT compliant.

Identify areas of Money Laundering (ML)/Terrorism Financing (TF) risks in your FinTech company	At minimum, assess across the following five risk categories Clients (e.g. client type, ownership, industry, activity, profession and/or business) Products and Services Channel (e.g. delivery channels, account origin, involvement of third parties and intermediaries) Geographic location Other Qualitative Risk Factors (e.g. integration of IT systems, reliance on third party providers, account/client growth)
Ensure that mitigating measures in place are commensurate with the ML/TF risks identified	Put in place mitigating measures AML Corporate Governance Management Oversight and Accountability KYC procedures; Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”) Record Keeping and Retention Monitoring of risk areas Training of employees Detection and SAR filing (see below) Designate an AML Compliance Officer/Unit
Reassess risk of AML before launch of any new products, technologies and practices	Prior to the launch or use of new products, practices and technologies, the company should undertake a risk assessment to identify and assess the ML/TF risks that are associated with such new products, new business practices and the use of new technologies
Conduct AML/CFT Training	Train designated AML/CFT compliance officers and senior management on AML/CFT risks Conduct trainings for administration staff who are in a role where they could be handling activities that are potentially be ML/FT related. Training can include: Legal framework, background and history pertaining to money laundering controls and terrorist financing Penalties for AML violations, including criminal and civil penalties, fines, jail terms and internal sanctions How to react to customers who want to circumvent KYC procedures or reporting requirements; What to do when faced with a suspicious client or transaction; Internal processes, procedure and policies on customer identification, verification procedures, and customer due diligence/KYC Reporting requirements Duties of employees
Conduct of CDD / KYC Procedure)	Must have a clear customer acceptance policy that lays down explicit criteria for acceptance of customers Such criteria should be clearly defined in terms of the location of customer and his clients, mode of payments, source of customer’s funds, nature of his business activity, social and financial status etc) Develop customer identification procedures: Identify customers, natural persons appointed to act on a customer’s behalf and beneficial owners Verify their identity using reliable, independent sources (eg, sighting of passport/NRIC, certified true copies, coupled with utility bils) Retain copies of all reference documents used to verify the identity of these persons Ask for source of monies, origin of payment and method of payment Determine if customer is a politically exposed person (“PEP”) With this collected data, conduct KYC; “KYC” refers to the steps taken to: Establish the identify of the customer Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate) Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities Especially for account opening (eg, for crowdfunding, peer-to-peer lending platforms, payment and remittance service providers)
Conduct of Simplified CDD if  risks of money laundering and terrorist financing are low	Check if the customer originates from or is based in a country/jurisdiction known to have inadequate AML/CFT measures – If customer originates from listed country, conduct Enhanced CDD Also conduct Enhanced CDD if you suspect that money laundering or terrorist financing is involved
Conduct Enhanced customer due diligence (EDD) if the risks are deemed high	Check for the following situations – in such circumstances, enhanced measures are required to be taken: When dealing with Politically Exposed Persons (‘PEPs’) When dealing with types of customers, business relations or transactions the financial institution assesses to present a higher risk for money laundering and terrorist financing; and When dealing with business relations and transactions with any person originating from or based in countries and jurisdictions known to have inadequate AML/CFT measures EDD steps may include senior management approval, additional due diligence investigations, on-site visits, contractual certifications, third-party audits, source of funds certifications, gathering additional information to verify the customer’s identity or source of income, conducting an adverse media check You might choose to utilize a service like Thomson One World-Check to conduct your EDD
Report transactions that are or appear to be suspicious	Report any suspicious activity in a Suspicious Activity Reports (SAR) to Commercial Affairs Department of Singapore here Essentially, this is about whistle-blowing against the customer or client As long as the nature of the transaction is suspicious, report the SAR; guidelines have been given by MAS for certain industries as to what constitutes a suspicious activity (e.g. for Money-Changing and Remittance)

How to identify PEP

As mentioned above, PEP should be subject to enhanced due diligence (EDD). The term politically exposed person (PEP) generally includes an individual who is or has been entrusted with a prominent public function, their immediate family, and their close associates. This does not mean that they are likely to be involved in suspicious activity but warrants an EDD to be sure:

• EDD is required in all circumstances, for PEPs.
• When establishing the identity of a customer (eg, in account opening form), consider these factors:
  • Official responsibilities of the individual’s political office
  • Nature of the title (e.g., honorary or salaried)
  • Level and nature of authority or influence over government activities or other officials
  • Access to significant government assets or funds
• Review the PEP’s  income sources, financial information; and professional background; past and present employment as well as general references

Developments in FinTech Regulation

There are some important developments in FinTech regulation which I will not go into detail in this article but that you should know about:

• MAS is creating a Sandbox regime to allow experimentation
• MAS is also relaxing requirements for crowdfunding
• A standalone Cybersecurity Bill will be tabled in Parliament next year to keep pace with the evolving cybersecurity landscape in Singapore and beyond. The new Bill will ensure that the operators of Singapore‟s critical information infrastructure (“CII”) take proactive steps to secure such CIIs and report incidents of cybersecurity breaches.

Putting it all together now

• FinTech in Singapore is growing quickly and transitioning to a dynamic ecosystem, not only for startups to grow but also for FinTech companies to scale up from Singapore to the region
• Legal and regulatory framework within which FinTech developments will continue to grow, evolve and progress
• There are currently no specific regulations that deal with FinTech in Singapore; a FinTech may be regulated under a wide range of legislation such as the Banking Act, Securities and Futures Act, Moneylenders Act
• Expect more change to come — encourage savvy businesses to see this as an opportunity to gain a competitive advantage; keep up to date with regulation and make sure that your FinTech company complies with regulation without getting distracted from your main business
• Focus on the 3 pillars of a good FinTech base to safeguard your business
• Data protection and cyber-security are an ongoing challenges for FinTech companies as a target of cyberattacks due to the volume and sensitivity of data being processed so make sure you protect your FinTech data
• Keep up to speed on developments like the MAS Sandbox, the standalone Cybersecurity bill due next year and the upcoming sector-specific guidelines by the Personal Data Protection Commission

The bottom line is that compliance continues to evolve as the fintech business environment matures and becomes more complicated. Stay informed and take the necessary steps to build a solid foundation under your business to stay competitive and make sure your business doesn’t suddenly run into major roadblocks because you did not take these steps.

---

Have a question on Fintech that you’d like to ask WanHsi or lawyers like WanHsi?

If you need advice on any aspect of FinTech, you might consider having a Quick Consult with me where I can advise you and answer a specific question you may have on FinTech over a 15-minute discussion on the phone for a transparent, flat fee of S$69 here (or click here and click “Request for Quote” if you want to view other lawyers with similar experience in FinTech).

Alternatively, you could request a quotation from my firm ArrowGates LLC if you know exactly what you need.

---

Keep reading on this topic

• A breakdown of InsurTech regulations in Singapore
• An updated & practical guide to schemes and grants for startups in Singapore for 2017
• A definitive and practical guide to the regulatory sandbox in Singapore
• Pro Bono: Practical fintech startup legal advice from lawyer WanHsi Yeong and Startupbootcamp fintech director Sam Hall
• FB Live Q&A Video — FinTech (Wan Hsi from Arrowgates LLC and Sam Hall from Startupbootcamp FinTech Singapore)

If you want to know more about finding a lawyer

• Checklist for selecting an online lawyer
• How to find the best Singapore lawyer for your case
• Getting legal advice is no longer difficult or expensive — S$49 with a Quick Consult
• Testimonials for Asia Law Network’s Quick Consult

---

This article is written by Yeong WanHsi from ArrowgGates LLC and edited by Gabriel The from Asia Law Network.

This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.

---