SG PSA: What It Requires and Who It Applies To

What is SG PSA?

The Payment Services Act is Singapore's primary statute for the licensing and oversight of payment services and digital payment token (DPT) activities. Administered by the Monetary Authority of Singapore (MAS), it came into force on 28 January 2020, replacing two earlier laws: the Payment Systems (Oversight) Act 2006 and the Money-Changing and Remittance Businesses Act. The PSA consolidated a fragmented regulatory perimeter into a single licensing framework covering seven defined payment service activities: account issuance, domestic money transfer, cross-border money transfer, merchant acquisition, e-money issuance, DPT services, and money-changing.

The rationale was straightforward. Singapore's fintech and crypto sectors had grown faster than the 2006 framework could manage. By 2019, e-wallets and cryptocurrency exchanges sat outside the regulatory perimeter or under frameworks not designed for them. The PSA introduced a three-tier licensing structure: a Money-Changing Licence for manual currency exchange, a Standard Payment Institution (SPI) Licence for lower-volume operators, and a Major Payment Institution (MPI) Licence for high-volume providers.

The Payment Services (Amendment) Act 2021 significantly expanded the original scope. From April 2022, DPT service providers, including cryptocurrency exchanges, custodians, and DPT transfer facilitators, came under MAS licensing requirements. The Amendment also introduced user protection obligations, interoperability rules, and technology risk requirements that didn't exist in the original Act.

AML/CFT obligations are set out in MAS Notices PSN01 (for MPIs) and PSN02 (for SPIs). Banks providing DPT services remain subject to MAS Notice 626 (SG-MAS) for their AML/CFT programme alongside PSA licensing requirements. The full text of the Act is published on the MAS website.

Who does SG PSA apply to?

The PSA applies to any entity carrying on one or more regulated payment services in Singapore without the appropriate licence. Its territorial reach extends to overseas entities that actively solicit Singapore residents.

Covered entity types include:

• Banks and finance companies: Banks licensed under the Banking Act don't need a separate PSA licence but must notify MAS before providing DPT services and comply with payment-specific obligations.
• Major Payment Institutions (MPIs): Required where monthly transaction volume for any single regulated service reaches SGD 3 million or more, or where the daily e-money float reaches SGD 5 million or more. Base capital is SGD 250,000 for most services and SGD 500,000 for DPT services or cross-border money transfer.
• Standard Payment Institutions (SPIs): Operators below the MPI thresholds. Base capital is SGD 100,000. SPIs have lighter regulatory requirements but still face the full AML/CFT notice programme.
• Money-Changing Licence holders: Any firm providing manual currency exchange, regardless of volume.
• Digital payment token service providers: Firms buying and selling DPTs, operating exchanges, providing DPT custody, or facilitating DPT transfers. This category covers crypto exchanges with a Singapore nexus.
• E-money issuers and e-wallet operators: Firms issuing stored value used for payments, including consumer e-wallet services.
• Cross-border remittance providers: Entities transferring funds internationally for customers.

MAS made the extraterritorial scope explicit in 2021, when it directed offshore exchanges serving Singapore users to apply for a licence or exit the market. VASPs incorporated abroad but actively marketing to Singapore residents are squarely within scope.

What does SG PSA require?

Core obligations under the PSA and its associated MAS notices fall into eight categories:

1. Licence application and maintenance: Obtain the correct licence before commencing operations. MPIs must meet capital adequacy, governance, and risk management requirements at application and on an ongoing basis.

2. AML/CFT programme: Implement a written, board-approved AML/CFT policy covering Customer Due Diligence (CDD) at onboarding and throughout the customer relationship, beneficial ownership identification, and sanctions screening. MAS Notices PSN01 and PSN02 specify the exact programme elements for each licence tier.

3. Suspicious transaction reporting: File suspicious transaction reports with the Suspicious Transaction Reporting Office (STRO) whenever there are reasonable grounds to suspect money laundering or terrorism financing. There is no minimum transaction threshold for filing.

4. Travel Rule compliance for DPT transfers: For DPT transfers of SGD 1,500 or more, originating institutions must pass the originator's full name, account number, and country of residence to the beneficiary institution before or at the time of transfer. This aligns with FATF Rec 16 (FATF) and applies to both inbound and outbound flows. Beneficiary institutions must screen received data against sanctions lists before crediting funds.

5. Record retention: CDD records, transaction records, and STR documentation must be retained for at least five years from the end of the business relationship or from the transaction date, whichever is later.

6. Technology risk management: Comply with MAS Technology Risk Management Guidelines. MPIs must notify MAS within one hour of a service outage affecting customers, conduct annual penetration testing, and maintain a tested incident response plan.

7. User protection (MPIs): MPIs holding customer funds must safeguard those funds in a trust account at a licensed Singapore bank or through a security bond. Daily reconciliation is required. This applies to DPT service providers, e-money issuers, and account issuance services.

8. Fit and proper requirements: CEOs, directors, and individuals holding 10% or more of shares must satisfy MAS's fit-and-proper criteria, covering integrity, competence, and financial soundness.

What evidence do regulators expect?

On an inspection day, MAS examiners focus on documentation that proves a live, tested compliance programme. Policy documents on their own don't pass.

• AML/CFT policy, dated and board-approved: The policy must reflect the current version of MAS Notices PSN01/PSN02 and cover DPT-specific risk scenarios where relevant. Policies that predate the 2022 amendments, with no coverage of expanded DPT categories, raise immediate questions.
• CDD records per customer: Verified identity documentation with a clear record of the verification method, the date performed, and the reviewer's identity. For corporate customers, evidence of Ultimate Beneficial Owner (UBO) identification down to the natural person level, including any individual holding 25% or more.
• Transaction monitoring configuration and tuning logs: Current rule parameters, the date of the last threshold review, and alert closure documentation. Examiners look for evidence that rules have been calibrated to the firm's actual customer base, not left at vendor defaults.
• STR filing register: A complete log of all STRs filed with STRO, including transaction dates, suspected activity categories, and filing dates. Unexplained gaps attract focused scrutiny.
• Travel Rule records: For DPT transfers at or above SGD 1,500, evidence that originator data was collected and transmitted, plus records showing incoming data was screened against sanctions lists before funds were credited.
• Staff training completion records: Annual AML/CFT training logs for all relevant personnel, with test results where modules include assessment.
• Technology risk artefacts: Penetration test reports and remediation timelines, incident records for system outages, and patch management logs.
• Safeguarding evidence: Daily bank statements or trust account records confirming reconciliation of customer funds held under the user protection rules.

Common failure modes

How firms actually get cited under the PSA and its AML/CFT notices:

• Incomplete UBO verification for corporate customers: MAS examiners have repeatedly cited failures to identify and verify beneficial owners of corporate entities, particularly for customers in higher-risk jurisdictions. Opening accounts on director identity alone, without tracing ownership to the natural person level, is the most consistently cited deficiency across the licensed payment sector.
• Unadapted transaction monitoring rules for DPT activity: Porting fiat AML rules to DPT services without adjusting for blockchain-specific typologies. Mixer activity, rapid wallet cycling, and peer-to-peer trading patterns require detection logic that generic rule sets miss. MAS examiners have specifically raised this with DPT providers that went live with off-the-shelf rules unchanged.
• Travel Rule gaps: Failing to transmit required originator information for DPT transfers at or above SGD 1,500, or failing to screen incoming Travel Rule data against sanctions lists. Some firms have processed inbound transfers without any sanctions check on received beneficiary data.
• Operating without a licence: MAS added Binance.com to its Investor Alert List in September 2021 for providing DPT services to Singapore users without a PSA licence. Binance subsequently withdrew from the Singapore market.
• Stale AML/CFT policies: Policies not updated since the 2022 amendments, with no coverage of expanded DPT service categories or the new user protection obligations.
• Safeguarding failures: E-money issuers mixing customer funds with operational accounts, or failing to reconcile trust accounts daily as required under the user protection framework.

Penalties for non-compliance

The PSA's penalty structure has criminal, civil, and administrative dimensions.

Operating without a licence carries a fine not exceeding SGD 125,000 and/or up to three years' imprisonment for responsible individuals, plus a fine not exceeding SGD 250,000 for the entity. MAS can also publicly direct a firm to cease operations, as it did with Binance in 2021.

AML/CFT breaches also engage the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the Terrorism (Suppression of Financing) Act (TAFA). Tipping off a customer about a filed STR carries a fine up to SGD 30,000 and/or one year's imprisonment.

Civil composition fines: MAS can impose fines of up to SGD 1 million per breach for regulatory violations, including inadequate AML/CFT controls and technology risk failures, without pursuing criminal prosecution.

Licence revocation or suspension: For persistent or serious violations, MAS can revoke or suspend a licence outright. For a payment firm, that's a terminal outcome.

Prohibition orders: Key individuals found to have engaged in misconduct can be barred from managing any MAS-regulated entity.

The scale of MAS's expectations is illustrated by its July 2022 enforcement action: MAS reprimanded and fined OCBC SGD 10.8 million for AML/CFT control failures under MAS Notice 626, covering transaction monitoring gaps and inadequate CDD on high-risk accounts. PSA licensees are held to the same AML/CFT standard.

Related regulations and frameworks

The PSA sits within a network of international standards and regional frameworks.

FATF standards: Singapore is an FATF member and a founding member of the Asia/Pacific Group on Money Laundering (APG). MAS's AML/CFT framework for payment services tracks FATF Recommendations directly, particularly on virtual assets and the DPT Travel Rule. The FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021) is the international standard underpinning MAS's DPT framework, and the FATF VA Guidance (FATF) dossier covers these requirements in full.

MAS Notice 626: Banks providing DPT or payment services run their AML/CFT programme under MAS Notice 626 alongside the PSA obligations in PSN01/PSN02. The two frameworks pursue the same objectives but apply to different licence types and carry different programme specifications.

EU Travel Rule (TFR): The EU's Regulation on Information Accompanying Transfers of Funds and Certain Crypto-assets imposes parallel Travel Rule requirements on EU firms. Singapore firms with EU counterparty flows must satisfy both frameworks simultaneously. Singapore's threshold is SGD 1,500; the EU's is EUR 1,000.

Hong Kong AMLO: Singapore and Hong Kong have developed broadly parallel DPT licensing frameworks. Firms operating in both centres manage the interaction between the PSA and Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), which governs virtual asset trading platforms under the HKMA.

PSD2: For EU-facing payment operations, the EU Payment Services Directive (PSD2) imposes equivalent licensing and AML requirements. The PSA is Singapore's functional counterpart: similar service categories, different thresholds, and a distinct treatment of banks versus non-bank payment firms.

How FluxForce supports SG PSA compliance

FluxForce's AI agents automate the compliance workflows the PSA demands from payment firms and DPT service providers. Aiden Flux handles real-time transaction monitoring and suspicious transaction triage. Nova Sentinel screens customers and transactions against MAS watchlists, global sanctions databases, and PEP registries at onboarding and continuously thereafter. The platform's Travel Rule module automates originator data collection, transmission, and inbound screening for DPT transfers above SGD 1,500. Every decision comes with a full audit trail, which is the first thing MAS examiners ask to see. Request a demo to see how the platform maps to PSA compliance requirements.