Payment Services (Amendment) Bill

Order for Second Reading read.

4.47 pm

The Minister for Transport (Mr Ong Ye Kung) (on behalf of the Prime Minister): Mr Speaker, I beg to move, "That the Bill be now read a second time."

The Payment Services Act, or PS Act, came into force in January last year. Since then, payment services have continued to evolve rapidly, with innovative activities and new business models emerging. One significant development is in the area of digital payment tokens, or DPTs. These are cryptocurrencies – such as Bitcoins – which are not denominated in any currency but can be used as a form of payment.

The speed and cross-border nature of such DPT activities carry higher inherent money laundering and terrorism financing or ML/TF risks. They need to be regulated and service providers need to carry out proper customer due diligence and monitoring of transactions.

Global standards setting bodies, regulators and policy makers around the world are focused on addressing these risks. As a major financial centre and fintech hub, Singapore has played an active role in shaping international standards, including at the Financial Action Task Force, or FATF, which sets standards for combating ML/TF.

The Monetary Authority of Singapore (MAS) is therefore enhancing its regulatory framework and updating the PS Act to keep pace with changes to international standards and to better mitigate ML/TF risks related to DPTs.

MAS has conducted a public consultation on the Bill and noted the broad support from respondents. MAS has considered the feedback received and, where appropriate, has taken them into account in finalising the Bill. The Bill makes amendments to the PS Act in three broad areas.

First, mitigating ML/TF risks. Under the PS Act, MAS currently regulates service providers dealing in DPTs and facilitating the exchange of DPTs where the service provider comes into possession of monies or DPTs. These are common business models of DPT service providers that operate in Singapore.

The scope of the PS Act will be expanded under this Bill to confer on MAS powers to regulate service providers of DPTs that facilitate the use of DPTs for payments and may not possess the monies or DPTs involved. The FATF standards term these service providers as virtual asset service providers.

In regulating these virtual assets service providers, the Bill will expand the scope of DPT services in the PS Act to include the following three activities: one, facilitating the transmission of DPTs from one account to another; two, custodial services for DPTs; and three, facilitating the exchange of DPTs where the service provider does not come into possession of the moneys or DPTs involved.

The Bill will require an entity that provides any of these services as a business in Singapore to be licensed and subject to rules and regulations set by MAS in subsidiary legislation. This will help minimise the risk of DPT service providers being exploited by criminals to launder illicit proceeds or hide illicit assets.

The Bill will also pre-emptively address ML/TF risk that is outside of the DPT space. The Bill will broaden the definition of cross-border money transfer service to include facilitating transfers of money between persons in different jurisdictions where money is not accepted or received by the service provider in Singapore. That way, such service providers will come under the regulatory ambit of MAS even if the monies do not flow through Singapore.

The second set of amendments provides MAS with powers to impose measures on DPT service providers to ensure better consumer protection and to maintain financial stability and safeguard the efficacy of monetary policy.

The risks to consumers are not significant currently because of the relatively low usage of DPTs in Singapore today. However, user adoption of DPTs could gain traction quickly as the industry comes out with products to attract customers. We have seen recent development of new forms of DPTs which values are pegged to stable assets to gain users' confidence. It is therefore important for MAS to be able to respond to market developments and address new risks in a timely manner.

The Bill will enable MAS to impose user protection measures on DPT service providers when necessary. This could include, for example, requiring a DPT service provider to segregate customer assets from its own assets. This will augment current powers that allow MAS to require DPT service providers to safeguard customer money from loss in the event of insolvency.

MAS will also be empowered to impose additional measures on certain DPT service providers to maintain stability in Singapore's financial system, safeguard the efficacy of the monetary policy or where it is in the interest of the public to do so. The scope of this new power is necessarily broad so that MAS can respond flexibly and swiftly in the fast-moving DPT landscape. MAS will consult the public and the industry when drafting subsidiary legislation on the specific measures.

Finally, the Bill will make three other miscellaneous amendments to the Act.

Firstly, the PS Act currently accords protection to consumers, whether they are payers or payees, during a domestic money transfer. As financial institutions are sophisticated entities that can protect themselves, the Act carves out the situation where a financial institution is part of the transaction. However, that means that an individual involved in a domestic money transfer transaction with a financial institution is not accorded protection under the Act. The Bill will therefore broaden the scope of protection of the PS Act to carve out only situations where both payer and payee are financial institutions.

Secondly, only major payment institutions providing services like e-money issuance are currently required to safeguard customer money. With the fast-evolving landscape, user protection concerns associated with other types of licensees can also arise. The Bill will thus allow MAS to prescribe, where necessary, additional classes of licensees conducting specific payment services to be subject to the requirement to safeguard customer money.

Thirdly, the PS Act today requires an individual to use reasonable care to ensure that any information he or she provides to MAS under the PS Act is not false or misleading in any material particular. The Bill will clarify that this general duty of care applies to all persons, whether or not the person is an individual.

Mr Speaker, Sir, this Bill will enhance the regulatory framework for payment services in line with global regulatory standards and will allow MAS to be nimble and responsive in addressing various risks in the payment landscape. Mr Speaker Sir, I beg to move.

Question proposed.

Mr Speaker: Mr Louis Ng.

4.55 pm

Mr Louis Ng Kok Kwang (Nee Soon): Sir, the proposed amendments in this Bill will expand anti-money laundering and counter-terrorism financing regulations to cover more categories of payment service providers. The list will include those providing services centered on Digital Payment Token (DPT) and those facilitating cross-border money transfers where the money does not pass through Singapore.

I agree with this step. The fight against money laundering and terrorism financing is the fight to make sure that crime does not pay. This mission, by necessity, must include all players of our finance industry.

Before I continue, let me thank MAS for conducting a public consultation which shaped the proposed amendments we see today. Public consultations help us formulate better policies and I hope MAS will continue this good practice.

I have three points of clarification to make on this Bill.

My first point is about anonymity in our payment eco-system. In its public consultation, MAS made clear that this Bill will obligate DPT service providers to conduct customer due diligence to guard against money laundering and terrorism financing.

These requirements mean that short of peer-to-peer trading, there is no way to trade cryptocurrencies in Singapore anonymously. This removes one benefit of cryptocurrency, which is its anonymity.

I will say, first, that I fully agree with the intent of this Bill – bad actors must not be allowed to use Singapore's financial system for their purposes. But cryptocurrency's quest for anonymity is perhaps one we can empathise with. Today's world is plagued by compulsive tracking. You cannot access any digital services without someone storing every little bit of information about where you are, what you do and who you are.

Today's world is also plagued by massive data leakages and malicious hackers. A month does not go by before some company we know spills our private information and order history into the wild.

Having sought the views of the public and the industry, can the Minister share whether MAS has reached a final policy stance on whether it envisions providing any space for anonymised financial transactions in Singapore?

My second point relates to user protection. The Bill provides powers for MAS to enact regulations on licensed DPT service providers. Many of the regulations pertain to the DPT service provider's maintenance of and safeguarding of assets belonging to users.

I support these powers. User protection is essential. It helps keep our financial system stable and it protects the assets of Singaporeans.

As part of its efforts to protect users, will MAS consider introducing other forms of user protection measures? In particular, will MAS consider regulating DPT servicer providers to ensure they do not engage in misleading or deceptive conduct concerning their offerings?

DPTs are fresh, different and interesting. Service providers will likely latch onto these qualities when marketing to unsuspecting consumers. Regulating how DPTs at an earlier point when they are marketed to consumers would complement regulations at a later stage on money management by service providers. After all, it will be harder to defraud or otherwise harm a customer who knows what they are getting themselves into.

My third point relates to the illegal wildlife trade. This Bill expands our regulatory scrutiny of international money transfers and that is a good thing.

In this spirit, I ask that we work more closely with financial institutions to ensure that their internal controls can accurately identify signs of illegal activity, particularly when it comes to illegal wildlife trade. This is not a new idea from me. It is a best practice recommended in a June 2020 report by the Financial Action Task Force (FATF), titled "Money Laundering and the Illegal Wildlife Trade".

I quote, "There is a need for both the public sector to share additional information with reporting entities, including feedback on [suspicious transaction reports] filed, and for reporting entities to review whether current internal controls against money laundering from the illegal wildlife trade are in line with identified risks... Where competent authorities have shared information, financial institutions have been able to incorporate this into their transaction monitoring systems and, in turn, provide richer intelligence for [law enforcement authorities]."

My team spoke to some employees of local financial institutions who monitor transactions. They agreed with this recommendation. Some shared their concerns that they may only receive generic responses from the authorities with regard to the suspicious transaction reports they file. This creates two problems.

One, the employees do not know whether the signals they are looking out for are relevant or not. The feedback from the authorities with regard to the suspicious transaction reports is not specific enough to motivate meaningful operational changes.

Two, the employees have little information on the status or outcomes of Government investigations. This means they struggle to take internal follow-up actions to adjust the risk levels of these clients. Better feedback will help our Government get more relevant reports as well as help financial institutions take strong internal actions against bad actors.

Industry experts say the same thing. At a seminar held by the Association of Certified Anti-Money Laundering Specialists (ACAMS) last October, the panelists from the industry noted that there has not been sufficient focus on the financial aspect of tackling the illegal wildlife trade.

Will the Government consider sharing feedback with greater details when financial institutions do provide suspicious transaction reports, including on the illegal wildlife trade? To ensure that its feedback is relevant, will the Government also consider holding discussions with ground staff at financial institutions to assess the efficacy of its existing feedback?

Sir, notwithstanding my clarifications, I stand in support of the Bill.

5.01 pm

Mr Leon Perera (Aljunied): Mr Speaker, Sir, in recent years Singapore has built up its reputation as a fintech hub. To preserve that, we have to ensure that our regulations strike the right balance between carefully managing risks and encouraging innovation.

In 2018, Singapore was the second most popular country in the world for ICOs, and as of November 2020, 234 blockchain companies were operating in Singapore. E-money has also received high adoption rates here and our consumers need to be protected. Seventy-seven percent of Singaporeans already used digital wallets, though there is still much room for improvement in the adoption of digital payments, as my Parliamentary colleague, Mr Louis Chua Kheng Wee we will expand on. We have to ensure consumer confidence has not misplaced. Trust in people is earned, not given. Trust in business is also earned and this is where a sound regulatory framework plays a crucial role.

The Payment Services (Amendment) Bill is a step in the right direction of proactive regulation of the payment space. Sir, I shall focus the remainder of my speech and raising questions and suggestions in relation to the attributes of proportionality and possibility and transparency in relation to the Bill.

I declare my interest as the CEO of a Research Consultancy that undertakes work in the fintech space, among other sectors.

Firstly Sir, I shall speak on the expanded definition of DPT service provider in this Bill. The expanded definition of DPT service provider will capture more activities, but more guidance is needed from MAS as to what constitutes certain activities such as, control, inducing and arranging. The expanded definition of DPT service provider will capture entities who offer token custody services or entities will market or advertise token sales. Such entities will have to be licensed and regulated to the same extent as a token exchange.

While it is laudable that the Payment Services Act or PSA is amended to greater meet the Financial Action Task Force or FATF standards, it maybe onerous for certain payment service providers to meet the same licensing requirement despite posting different or lower levels of risk. Here, I would like to note in passing, that my parliamentary colleague, Assoc Prof Jamus Lim will be making a similar argument in the context of the moneychangers actor and small businesses.

Sir, the PSA licensing regime currently requires DPT service providers to meet relevant MAS requirements on cyber hygiene, periodic returns, business conduct disclosure and communications as well as annual audit requirements, amongst others. However, a token marketer or token custodian such as, a wallet service provider, for example, may not pose the same risks as a token originator or a token exchange to warrant such regulation by the MAS PSNO requirements.

Specifically, for a token marketer limb E of the proposed inclusion, states that an entity who induces a person to buy or sell a DPT ought to be regulated, although this entity may not come into possession of the DPT at all. While some marketing may be performed by a DPT custodian, other entities such as, for example, a professional public relations company asked to design or execute an ICO campaign or even a blogger writing about hot ICOs, may conceivably be caught in the net. What then is the purpose of requiring such an entity to meet periodic returns and our audit requirements if they are merely in the service of marketing a token and might it be too onerous for such an entity to meet the whole suite of MAS PSNO requirements?

Also, industry feedback suggests that the definition of arranging or inducing an individual to enter into a transaction is vague. Perhaps, the Minister could provide further clarifications on the exact types of activities that fall within the definition of "arrange" or "induce". On token custodians, there are also concerns from stakeholders in the DPT space that the definition of control in the proposed limbs F through H is somewhat vague. While MAS had clarified that I quote, "A DPT service provider will have control of a DPT if it has the ability to control access to any DPT or to execute transactions involving the DPT", further regulatory guidance as to what this control exactly is, would be helpful.

I would also suggest that MAS consider in the fullness of time offering relaxation on MAS requirements, for entities who pose less of a threat. For example, relaxing the audit requirements or periodic returns requirements for a token advertiser.

Next, Sir. Current companies who one, have a capital markets licence, and two, provide a token custody service must still hold a payment service licence with an exception available, if a token's function is merely incidental to the business of that payment service provider. In the prior crypto wave in 2017, companies who dealt in digital tokens were required to hold a capital markets licence if such tokens resembled security or shares. Now, these companies have to also hold a major payment institutional licence or standard payment institutional licence under the PSA, if the tokens that they custodise hold the payment function. Perhaps, more guidance and defining incidentality would be helpful for entities to make an assessment as to whether a token's payment function is merely incidental to its core business function of providing custodial service.

In addition, Sir, it is unclear who the onus is on to determine whether a token is a DPT or not. Whether that falls on the custody service provider to assess whether a token it seeks to custodise is a DPT thus having a payment function warranting a licence application, or whether it falls on the token originator to warrant that its token is not a DPT and thus the custody service providers have no need to apply for a PSA licence. For example, must a wallet service provider conduct its own analysis as to whether a token that it seeks to custodise falls under the definition of a DPT under the PSA or whether it may carry out its custody service, as long as the DPT provider is already a licence entity?

Perhaps, there should be further consideration as to whether the PSA should provide an exemption for custody service providers in the event that the token issuer is already licensed. This is to prevent unnecessary dual licensing.

Secondly, Sir, I would like to speak on how the perception of increased regulatory powers by MAS may spark fears of over-regulation and potentially excessively stifled innovation, especially among smaller players. The amendment Bill before us provides additional powers to the MAS to, firstly, impose user protection measures on certain DPT service providers; and secondly, impose additional measures on any DPT service provider or class of DPT service providers by way of subsidiary legislation.

While consumer protection is an important concern, feedback from the industry, especially smaller firms, suggest that this is a cause for concern by them. For instance, the proposed amended section 21(A) may be too onerous in the view of some in the industry. It should be borne in mind that excessive regulation could curb entrepreneurship in a sunrise industry and crowd out smaller players and start-ups leaving only the bigger players to dominate. This in turn would be bad for entrepreneurship and innovation in the longer term. I would like to ask what steps would be taken by MAS to ensure that smaller companies and new entrants to the industry are able to meet these enhanced regulatory standards.

Thirdly, Sir, the expanded definition of cross-border money transfer services raises questions in terms of its enforceability and benefits for Singapore, in terms of congruence with other competing jurisdictions. This amendment Bill expands the definition of cross-border money transfer service to require licensing of service providers like brokers in Singapore that actively facilitate cross-border money transfers between entities in different countries, although monies are not accepted or received in Singapore.

Under the current PSA, such providers are not covered. While it is laudable that Singapore is taking the lead on cross-border regulation of VASPs and adopting FATF recommendations, there are two concerns. Firstly, this may be difficult to monitor and enforce if the flow of money is from one foreign country to another foreign country. How does the Government intend to monitor and enforce this?

Secondly, while I acknowledge that this amendment is necessary to uphold the reputation of Singapore as a trusted financial hub, it is unclear if other countries are doing the same with regard to monitoring the movement of illicit funds or suspicious transactions with regard to DPTs from Singapore to a third country or vice versa.

While according to an FATF review and I quote, "Twenty jurisdictions advised that they have extended their regime to include value-added service providers or VASPs conducting operations from their jurisdiction", the review did not appear to identify the specific jurisdictions or provide specific details about these regimes. Furthermore, the review then noted that such a diversity in approach and I quote, "may present challenges in identifying which VASPs are regulated by each jurisdiction".

In respect of other jurisdictions specifically, for instance, there do not appear to be similarly expansive definitions, which have been implemented or proposed with regard to cross-border money transfers in Hong Kong or the Cayman Islands, even though these jurisdictions have proposed to enact or have enacted legislation in connection with the FATF guidelines. Hence, I would like to ask if the MAS will, going forward, monitor the extent of international regulation of VASPs in line with the FATF recommendations and calibrate the onerousness of our own regime in line with what is being done internationally, with an eye to our competitiveness.

Fourthly, Sir, I would like to speak about the need for greater transparency and less of a black box approach in the payment service licence application process. The payment service licence process required for firms covered under the PSA is perceived by some industry players as a completely black box. Many companies reportedly find themselves stuck on the waiting list for long periods.

Moving beyond a completely black box approach to a greater degree of transparency, could provide more support to viable businesses to get licence and go to market faster. It may also enhance Singapore's attractiveness as a fintech Hub. While MAS does provide some basic criteria, for example, base capital requirements, fit and proper requirements of shareholders and employees, no entity is familiar with the actual determining factors that make or break a licence application.

Companies may apply for exemption status to continue operating on a small scale for six months while waiting for the licence but cannot scale up during that time. These companies also struggle to account to their investors or shareholders and their future plans and as a result, go into hibernation or may leave the country.

There are 366 firms who applied for exemption from holding a licence under the PSA for specific payment services for a specified period while waiting for their licence. And there are likely even more in the pipeline, namely those who directly applied for the licence without seeking exemptions, those who are still seeking legal advice and have not yet applied, and those who will only apply after this amendment passes. For example, DPT marketers and custodian service providers. There are 439 firms who currently hold the payment licence.

While it is understandable that the full licensing criteria cannot be disclosed due to the risk that some applicants may game the system, as it were, this has to be balanced against the need for some transparency, so as to enhance Singapore's attractiveness as a fintech hub.

With that in mind, I would like to ask the Minister for information regarding the proportion of successful applicants to total number of applicants and the average duration companies have had to wait for an outcome.

I would also like to ask if the MAS would consider providing:

(a) a clearer fixed timeline and process including an appeal process so applicants know when to expect an outcome;

(b) more resources to help innovative businesses understand and navigate the licencing process. For instance, project innovate by the UK's financial conduct authority targeted support to innovative businesses in navigating the FCAs at the authorisation process. This achieves good results. Firms coming through this programme in the UK are being authorised on average 40% faster than the standard applicant.

I note that the MAS launch the payment Regulatory Evaluation Programme in 2019, meant to assist payment service providers and seeking legal advice from registered Singapore law practises relating to the PSA. This entails a sample questionnaire for potential applicants to approach law firms with, and the list of legal practitioners who can provide advice in relation to the PSA, but it does not provide targeted support like what is being done in the UK. Furthermore, this programme will cease in January 2021, one year after the PSA has come into force and the transitional period has ended; and

(c) I would like to ask if the MAS can provide high-level guidance on the criteria determining approval or rejection of a licence.

Mr Speaker: Order. I propose to take a break now. I suspend the Sitting and will take the Chair at 5.35 pm.

Sitting accordingly suspended

at 5.15 pm until 5.35 pm.

Sitting resumed at 5.35 pm.

[Deputy Speaker (Mr Christopher de Souza) in the Chair]

Payment Services (Amendment) Bill

Debate resumed.

Mr Deputy Speaker: Assoc Prof Jamus Lim.

5.35 pm

Assoc Prof Jamus Jerome Lim (Sengkang): Mr Deputy Speaker, the proposed amendments in the Payment Services Act of 2019 takes a number of important steps to accommodate new innovations in payment systems and services. The very fact that an amendment is needed so soon just one year after the enactment of the original Act demonstrates the speed by which technological developments can render even the best laid legislation rapidly obsolete or, at the very least, struggling to catch up.

While I understand the premise behind the proposed amendments with regard to scope to essentially ensure adequate regulatory coverage of the Bill to all MAS licensees, I wish to raise three cautionary points, all related to potential unintended consequences.

Before I proceed, I wish to declare that I am the Chief Economist (Emeritus) of a homegrown investment advisory firm, which had previously been involved in payment services.

For changes set forth in clause 4, the applicability of the Bill to payment services providers that hold either moneychanging, standard payment institutions or major payment institution licences, there is also the need to take into account current economic realities. While the latter two groups have, by and large, rode through the pandemic relatively unscathed, this is not the case for moneychangers. I have residents operating such businesses that have reported declines in business of up to 90% and who do not anticipate any improvement to business in the months ahead.

Accordingly, while MAS has plans to grant a six-month exemption for newly regulated entities under this amendment Bill, I wonder if there is scope for an even longer phased-in grace period applying only to moneychangers in light of their extremely challenging business climate at the moment.

Clause 7(e) seeks to widen the scope of digital payment token service providers. Understandably, it attempts to cast a wide net. It is worth cautioning, however, that by defining such providers broadly, a number of very small players may unfortunately be caught in this expanded regulatory net. For instance, stipulating that any service involved in accepting digital payment tokens is unobjectionable if applied to large clearing houses, but it becomes a concern if it is applied to small-time intermediaries collecting payments on behalf of his or her clients.

As another example, a service arranging the transmission of digital payment tokens sounds appropriately targeted at custodians and brokers but may raise awkward questions of whether Cousin Angie by doing her Uncle Victor a favour by storing some of his e-cash in her digital wallet may inadvertently find herself subject to MAS rules, if she also happens to be a licensee.

In the public consultation process, I believe that MAS has indicated that the law's applicability is "fact dependent", and I quote here, and it is based on, again quote, "detailed assessment of activities" and would generally apply to agents that are already currently subject to licensing. Even so, by no longer limiting the Act's applicability with the term "major" to now include "all licensees", the language no longer automatically precludes small players. My colleague, Mr Leon Perera has spoken more extensively about the detrimental effects of over-regulating small players, especially insofar as stifling innovations is concerned.

Now, these are not just artificial constructs. In remote villages in developing countries, a local youth may routinely play the intermediary role. Such actions ultimately gave birth to formidable national institutions like M-Pesa in Kenya and Grameen Bank in Bangladesh. While Singapore is not a developing economy, a payment services law that does not consciously allow regulatory forbearance for small and medium enterprises may overburden these emerging firms with compliance to the long shadow of the law and hence stifle their growth.

Relatedly, as far as I can gather, the legislation will treat all digital payment tokens equally. Well, there is merit in not picking a specific privately issued DPT to support, it strikes me as odd that the same treatment is extended even to official DPTs. After all, we currently afford special status to official fiat currency as we should, not least to our local money, the Singapore dollar. And so, as long as there is not any fraud, it is entirely reasonable to privilege an MAS-issued DPT. If so, then it would seem fair to exercise somewhat easier regulatory conditions for institutions transacting in e-Sing dollars.

Finally, on the demand side, a general concern is that digitally sophisticated users of digital tokens, such as hawkers or the elderly, may inadvertently run afoul of MAS rules, perhaps because they may have signed up to terms and conditions that have devolved certain responsibilities or compliance from financial intermediaries to them. This would serve to further undermine their confidence in digital payments where a number have already had negative experiences due to unscrupulous customers that have defrauded them and weakened their overall willingness to actively participate in the digital economy.

Notwithstanding these legislations, Mr Deputy speaker, I offer my support for the proposed amendments.

Mr Deputy Speaker: Ms Ng Ling Ling.

5.45 pm

Ms Ng Ling Ling (Ang Mo Kio): Mr Deputy Speaker, Sir, I stand in support of the Payment Services (Amendment) Bill, for its extended protection against money laundering and terrorists financing by digital payment token (DPT) service providers, as well as the introduction of the power to impose user protection measures on certain DPT service providers.

However, allow me to raise some considerations in its implementation from a more social perspective, especially to safeguard more vulnerable user segments. The group of users that I am most concerned about are the seniors because of the good, the bad and the unintended developments in the digital payment token service space.

First, the good. The COVID-19 pandemic has changed the way we socialise and interact with each other. From how we work and play to how we make purchases for our daily needs, almost every aspect of our life has been impacted in one way or another. The need to reduce human contact has accelerated the need and pace for digitalisation.

Financial services have been going cashless and moving online with more new types of players beyond the traditional financial institutions with more sophisticated financial products, such as the DPT that is fast innovating and growing. This acceleration, though challenging, is generally good for the economy at large and also helps the public to keep pace with digitalisation.

As such, the Payment Services (Amendment) Bill and the requirement for entities carrying on a business of providing payment services in Singapore, including a DPT service, to be licensed and meet standards for mitigation of risks relating to money laundering and terrorism financing are steps in the right direction to develop the financial services industry and to encourage digital innovation in the fintech space with the necessary safeguards.

The Payment Services (Amendment) Bill further regulates activities across a wider range of digital payment services as well as expands the definition of "digital payment token services" to regulate activities of virtual asset service providers like digital exchanges, cryptocurrency firms and e-wallet services. This is timely, especially when the accelerated shift of financial services towards the digital will also likely increase the risks of misuse of such services and scams. The amendments will further ensure responsible and safe innovation in the financial services industry.

While accelerating digitalisation, such as the DPT innovation and development, is good for the economy, it has also exposed an uneven understanding and adoption of technology among segments of the population, especially the seniors. The closure of physical touch points has accelerated banking and payment services online and, overnight, the seniors needed to learn how to transact with banks and merchants digitally.

Research in the seniors' perceptions towards digital payment is sparse and is specific to countries. Nonetheless, taking reference from a report published in November 2018 by AgeUK, those aged 65 and above who are online appear to place a higher emphasis on communication and information-finding and less on transactions, such as internet banking, needless to say sophisticated products like digital payment token transactions.

Closer to home, the 2019 IMDA Annual Survey on Infocomm Usage in Households and by Individuals also highlighted that while there was a considerable increase in Internet usage by seniors aged 60 and above, this same age group registered the lowest proportion for payment activities, such as transferring of funds, using online payment services, Internet fund transfers, peer-to-peer fund transfers and having an eNETS virtual account. Not surprisingly, seniors were also the largest group that did not have the confidence in making online transactions and had the lowest level of trust that their privacy and data will be respected when performing online transactions.

In both these reports, the seniors' lack of trust, privacy concerns and lack of skills and confidence in being able to navigate the online world have been cited as reasons for them not going online and interacting digitally.

The unintended consequences would be that, firstly, the seniors may begin to lag in the adoption of digital payment services and this gap may continue to widen as the acceleration towards digitalisation increases with new innovations in the payment services space. If we do not actively work to include the seniors, they could find themselves excluded from some important financial services or, worse, getting themselves involved in financial transactions or transfers, including cross-border ones, without fully understanding the risks of being used in crimes like money laundering or scams.

We can also expect new digital payment platforms, new service providers and new technologies that will be introduced. The seniors will not only have to contend with a steep learning curve but also with having to choose which platform to use. We need to educate, build trust and confidence towards digital payment services with these seniors. They represent a large untapped market for digital payment token service providers.

Thus, the Payment Services (Amendment) Bill, which expands the definition of "digital payment token services" to include marketing activities of the licensee is a welcome one to ensure that the marketing to these seniors, which is a big untapped market, would be done responsibly.

I propose to include safeguards when soliciting the seniors to subscribe to and transact in payment services using digital payment tokens as the underlying mechanics are complex and the risks may not be fully understood or accepted. Some of the safeguards could be in the form of: (a) ensuring that, as part of the marketing and know-your-customer process, MAS to require providers to explicitly highlight the risks involved, especially with digital payment tokens; (b) ensuring that seniors must have gone through a risk assessment by the providers on the understanding of digital payment tokens; (c) lastly, ensuring that providers have algorithms to identify suspicious transactions prior to processing and delaying these suspicious transactions to enable customers, especially the seniors, to have time to think through. This will provide transactional level safeguards that will reduce scams and fraud targeting at the seniors.

Sir, we are in the midst of the fourth industrial revolution and in a digital transformation that is being accelerated by the pandemic situation. As a nation, we need to continue to break new grounds so that we can take advantage of opportunities even in uncertainties and challenges. The Payment Services (Amendment) Bill and the additional requirements to be imposed are steps that will enable Singapore to remain competitive and attractive to the best talents to build the next breakthrough in digital banking and digital payment token services.

But as a society, we must also take steps to ensure that everyone, including the seniors, can participate and benefit from this transformation. I look forward to seeing new digital banking and payment service regulations that will enable an industry to develop products that will make lives of Singaporeans easier and more fulfilling, done in a responsible, inclusive and safe way.

On that note, Mr Deputy Speaker, I support the amendment Bill.

Mr Deputy Speaker: Mr Derrick Goh.

5.53 pm

Mr Derrick Goh (Nee Soon): Mr Deputy Speaker, Sir, innovation in payments will contribute to domestic economic growth and improve the lives of our Singaporeans by facilitating convenience of transactions at a lower cost. At the same time, such alternatives to physical cash can promote digital financial literacy and economic efficiency.

Sir, before I continue, I would like to declare myself as the Group Head of Audit at DBS Bank.

This amendment Bill, in my view, represents progressive legislation and I commend the focus on identifying potential incremental risks covering broad areas that include financial stability, monetary policy and also financial crime prevention – in particular, anti-money laundering and countering the financing of terrorism. There is also some focus on technology risks, which include risks around data.

Apart from seeking the Minister's assurance that there will be a robust requirement of anti-money laundering tools to ensure token purity checks and so on so that tokenised payments are not misused for illicit purposes, it is on the theme of technology and data, which is fundamental to digital payment service providers, that I would like to identify incremental risk areas which I feel are known or reasonably foreseeable and, therefore, warrant more attention and strengthening.

I reflect on recent examples in Singapore that were reported in the media, such as KuCoin, a Singapore-headquartered digital asset exchange and Grab. KuCoin made global headlines with a reported US$280 million digital coins stolen from a cyber hack recently in September 2020. Industry observers noted this to be the third largest crypto hack in history. Similarly, Bloomberg, on 13 September 2020, reported that Grab, our payments' unicorn, had four repeated technology glitches over two years in technology applications relating to exposure of private data. In its September report, the technology magazine CPO headline read, I quote, "Fourth privacy breach in two years for Grab. Given low fines, does the company have a reason to care?" Unquote.

Before I go on, I want to emphasise that there is regulatory scrutiny by the Monetary Authority of Singapore and the Personal Data Protection Commission, which have made considerable efforts to balance the bright future of technology and data with its attendant risks. What I am saying is that the rate of change in this area should spur us on to greater efforts. Today, we already know that no technology security is fool-proof and we now see exponential use of AI, cloud infrastructure, the emergence of 5G and quantum computing. These developments have deep implications on the future of cybersecurity and responsible use of data and demand a corresponding requirement to uplift our population.

This rate of technology change is accompanied by a concern which we need to remember that, payments fintech, on its own, is driven fundamentally by investor valuations. It is well understood that profit margins are thin in the payment services. So, such firms strive to create a data eco-system in the hope of profiting from adjacent businesses. This is where technology risk management could be relegated to a lower priority until a hack happens.

Given this, there are three areas that I would like to propose for the Minister's consideration to encourage firms in the e-payment space to undertake the necessary focus without too much regulatory burden.

Firstly, having differentiated standards for technology and cybersecurity risk where minimum standards are required for those in the Standard Payment Institutions category or otherwise require them to do a structured self-assessment against benchmark standards. This is already being practised in other major financial centres, such as Hong Kong, where its monetary authority has put in place its cyber resilience assessment framework to mitigate hacks, fraud and data leakage risks.

Secondly, providing a simple rating system to help the public make better choices amongst payment service providers. This is no different from how our other regulators do this, such as the Singapore Food Agency providing food hygiene ratings to hawker stalls or the Building Construction Agency providing the Quality Mark and performance scores of developers and contractors to help homebuyers make informed decisions. In this way, ordinary consumers can easily understand and make their own informed assessment when selecting payment providers even as we make more efforts to upskill their digital literacy.

Thirdly, requiring such firms to ensure adequate efforts and resources are devoted to educating and protecting customers in terms of how their data is secured and how it is being used responsibly, including in the digital eco-system. This can help ensure that industry players are culturally attuned from day one and ensure that digital public education is as much the responsibility of industry players as it is the Government's.

As a related point, as we think through these issues, I advocate that we continue to maintain our successful whole-of-Government approach to regulate and ensure that the no material systemic issues fall through the cracks between areas of responsibility.

Mr Deputy Speaker, Sir, as digital payments become a way of life in Singapore, it is crucial that our regulatory frameworks continue to keep pace with the behaviours of market participants so as to ensure minimum standards of technology, cybersecurity and data safeguards and to allow us to take a leadership position in the world in defining these standards. We should move boldly, but skillfully execute with a commitment to manage known or foreseeable risks. Sir, I support this Bill.

Mr Deputy Speaker: Mr Don Wee.

6.00 pm

Mr Don Wee (Chua Chu Kang): Mr Deputy Speaker, Sir, I declare that I am a bank employee and a Council Member of the Institute of Singapore Chartered Accountants. I will begin my speech in Mandarin.

(In Mandarin): [Please refer to Vernacular Speech.] I rise in support of the Payment Services (Amendment) Bill.

The Bill provides clear compliance requirements for cryptocurrency businesses that will align our legislation with the enhanced standards adopted by the international Financial Action Task Force (FATF). The additional requirements are necessary to counter money laundering and terrorist financing risks associated with some virtual asset service providers which are not already regulated as financial institutions. The expanded definitions of digital payment token (DPT) service and cross-border money transfer service will also enable MAS to have a more comprehensive oversight.

With the amendments, Singapore will have one of the clearest and most pragmatic regulatory frameworks in the world to manage cryptocurrency services. Digital payment token service providers now have a complete rule book to comply with the MAS’ licensing requirements.

We will be able to position ourselves as a progressive destination for financial investors and service providers in both the digital and traditional asset sectors. Greater regulatory clarity would be attractive to global crypto businesses.

(In English): As virtual asset service providers will need to perform screening, customer due diligence (CDD), collection of Know Your Customer (KYC) information from platform users, transaction monitoring and reporting, and record keeping, there will be greater transparency and trust in the system. Higher public confidence will be beneficial to the developments and innovations in this sector. However, the verification process is quite demanding.

Hence, I would like to ask if MAS can prescribe a centralised or integrated platform for the DPT service providers to research on the transaction details, share information and improve efficiency.

Anti-money laundering and countering terrorist financing requires DPT service providers to monitor cross-border value transfers and collect alternative CDD information. Some of these transactions may involve physical goods movement. Collection of transaction information is not that difficult, especially when the criminals have the intention to launder money. It is important for the DPT service providers to comply with the spirit of the regulations and assess if the information furnished makes business sense. Money launderers inflate the transaction values to move their funds, in our case, it will be the DPTs, around. For example, if a pair of Hello Kitty soft toys are valued at $50,000 and the client explains that these are limited edition ones, how does the service provider authenticate the value of these Hello Kitties?

Would MAS prescribe that the service providers must invest in search engines like international maritime bureau (IMB) systems which can track and authenticate shipments, or Bloomberg systems so that the commodity prices can be verified? We must not allow the collation of customer due diligence process to become a box-ticking exercise.

Next, I would like to voice my support for the new user protection measures. It is important to protect individual investors and consumers who may be encouraged to invest in digital tokens. The recent gravity-defying rally of Bitcoin shows that it and other cryptocurrencies are getting more widely accepted as an asset class. At the same time, the crash of XRP is a reminder that, all over the world, governments are trying to figure out how to regulate this sector.

Heavy-handed regulation may stifle innovation. MAS’ risk-based supervisory approach provides greater user assurance and regulatory safeguards for areas with high risks, and unregulated spaces to allow exploration of improvements and more efficient approaches.

I would like to ask the Minister if the current regulatory framework is sufficient to deal with the emergence of new payment instructions that straddle between e-money and DPTs, such as stablecoins. Stablecoins are a new class of cryptocurrencies. They can maintain a stable value relative to another asset or a basket of assets. They could potentially perform the functions of money and can be traded, too.

I seek MAS’ assurance that DPTs will not be allowed to be used as collateral to grant working capital facility to the DPT holders as this is one form of encashment. Would the Ministry require capital adequacy ratios, similar to those for banks, for DPT service providers to protect the DPT depositors?

This amendment Bill is yet another milestone in Singapore’s digital payments landscape in our journey to becoming a Smart Nation. Broader implications include investor protection, consumer protection, data and privacy, systemic risk, monetary risk policy and national security. A few jurisdictions have initiated regulatory reforms to address digital payment tokens as a means of payment. Whether Singapore will accept a token-based payment system on a wider scale remains to be seen. Nonetheless, I am heartened by the Government’s support for innovation in this area. I am confident that the Bill will help strengthen industry-Government partnerships and lead to new investments and businesses here in the years to come.

Mr Deputy Speaker: Mr Yip Hon Weng.

6.06 pm

Mr Yip Hon Weng (Yio Chu Kang): Mr Deputy Speaker, Sir, I stand in support of the Bill. The Bill will bring about increased regulations and scrutiny over DPT. In the era of e-payments, and with DPTs gaining popularity worldwide, this is a necessary move. Fintech is an integral component of our Smart Nation vision. Singapore's friendly position on cryptocurrencies will attract tech start-ups and businesses here. This, in turn, creates good employment opportunities. Stepping up on regulations would elevate our status as a global cryptocurrency and blockchain hub.

Regulating DPTs will be welcomed by industry professionals. I believe that after the Bill is passed, we may see an uptick in businesses accepting cryptocurrencies as payment. However, the act of regulating cryptocurrency can be misinterpreted. The layman may perceive the Government endorsing cryptocurrency investments and giving it a stamp of approval.

Many may also question whether regulating DPTs makes it legal tender. Of course, it is not legal tender. Notwithstanding, some businesses in Singapore already accept cryptocurrency payments. What if the cryptocurrency somehow loses its value and status and businesses decide that they no longer want to accept it as a payment form? What if the issuing company for the DPT goes bust? Would not the token lose its value? Businesses must be aware of this. What happens to customers who stocked up on the cryptocurrency, believing that it could always come in handy for real-world transactions? Would the Government monitor the situation and intervene to prevent such situations? And since it is an individual decision, how can the Government moderate this area?

The reverse could also happen. Cryptocurrencies’ value fluctuate greatly. Imagine if one had signed a two-year lease in January 2019 for an apartment, agreeing to pay a quarter bitcoin per month. The value of the bitcoin soared in the later part of that year. This tenant would be paying more and more each month. This will be more than a six-fold increase over the two years. The Government cannot regulate the value of cryptocurrency. But what about businesses that accept cryptocurrency as a payment method, especially for long-term contracts for payment instalments? And if a dispute arises, as in this example, what is the legal redress?

Mr Deputy Speaker, Sir, as cryptocurrency becomes more widely accepted, this could also lead to a rise in related scams. These scams are much like the online financial scams that we have seen a rise in Singapore in the past year, only that the funds involved are in cryptocurrency. Unsuspecting victims have been tricked into becoming money mules by scammers. Such victims accept funds into their own bank accounts and deposit a portion into a crypto kiosk.

An increased interest in cryptocurrency would also mean that more amateurs would dabble recklessly in cryptocurrency. This is particularly so in the current climate when people are grappling with job and income losses. They may turn to cryptocurrencies as a get rich quick scheme. This is particularly so with recent news about the bitcoin hitting all-time high prices.

With increased scrutiny on DPT service providers, will the Government police online marketing of cryptocurrencies? There are various irresponsible marketing content on the Internet promising consumers an "instant way to get rich". Fraudulent investments would have criminals pitching a new and developing cryptocurrency, such as an ICO, offering large monetary returns for a short-term, small investment. In reality, the investment money is swallowed for personal gain. Excuses about the complexities of cryptocurrency will be used to keep customers in the dark.

Mr Deputy Speaker, Sir, my greatest concerns are for seniors. Earlier, Member Ms Ng Ling Ling raised a similar concern. They are often the favourite targets of digital investment fraud. Retirees are always interested in passive ways to grow their income. I already have seniors asking me about investment in cryptocurrencies during my house visits. They are getting familiar with digitalisation and online payment tools. This is a good thing. Credit to campaigns like the Seniors Go Digital movement. However, there are still areas where seniors are not particularly knowledgeable about, which renders them vulnerable. This is especially so if scammers hook them with phrases like "Government-regulated". These scams usually start off focusing on the growth rates of various cryptocurrencies, while neglecting to highlight the high degree of volatility. Once they have their interest, they may persuade victims to grant them access to remote-desktop tools or their personal information. Thereafter, they steal their information to commit other cybercrimes, or have them transfer funds to cryptocurrency wallets that the victim does not have access to.

Our concern is not only about the law-abiding citizens, but those who are scammers looking to conceal their ill-gotten gains. Bitcoin transactions are, in fact, transparent and logged into a public ledger which anyone can access. These transactions can be traced right back to the day they are mined, which is helpful for law enforcers. However, reconciling transactions across individual and private ledgers to individuals requires a lot of time and resources.

Would the Government make it mandatory for all licensed crypto exchanges to require customers to be verified? Would only crypto assets that are transparent be eligible for licensing? Do Government agencies have the powers to confiscate ill-gotten gains in digital wallets? Can they freeze cryptocurrency accounts as they could with banks? Will the Government look into equipping our Home Team to prevent and combat not just cryptocurrency money laundering but also frauds and scams?

Mr Deputy Speaker, Sir, in conclusion, the subject of cryptocurrency is highly complex and multi-faceted. Its growing popularity will attract blockchain developer talents and those who want to do good with it. Conversely, it can also attract scammers and crooks looking to make a quick buck. The Government will need to consider a public education campaign, so that everyone can benefit from the technology while avoiding the pitfalls. Mr Deputy Speaker, Sir, I support the Bill.

Mr Deputy Speaker: Mr Shawn Huang.

6.13 pm

Mr Shawn Huang Wei Zhong (Jurong): Mr Deputy Speaker, Sir, I stand in support of this amendment.

In Asia, the annual growth of payments is at 15% CAGR, fueled by the adoption and growth of alternative digital payments mechanisms with a strong push to reduce the use of cash. Asia-Pacific dominates the global payments revenue pool. Customers are also seeking payment solutions that will reduce their pain points, especially for cross-border transactions and one-stop solutions that are well-integrated throughout the entire payments value chain.

Banks have historically enjoyed a defensible moat of consumer trust. However, this moat is gradually eroding. A US digital payments survey indicates that consumers are more comfortable entrusting their financial transactions to non-banking entities. And as this landscape continues to evolve and customer patterns shift, what can we do to ensure consumers continue to be protected?

We must have a keen understanding of how valuable customer data is to businesses. More than 80% of the total payment revenues are captured at the end of the value chain where the customer relationship is. As important the customer is to the business, how we protect the consumer is also of paramount importance. In the world of cloud computing, payments as a service, banking as a service and the rise of APIs, customer data is often traded and analysed to offer more curated services and products for value capture. We need to ensure that deviations from the additional requirements can be audited, detected and enforced.

Trust is a key attribute for a successful financial eco-system and digital payment plays a significant role. Every entity in the eco-system plays a role of shared responsibility. Most if not all the additional requirements stated in section 21A are meant to build trust within the Singapore digital payment eco-system. I welcome these additional requirements.

Today, many new digital companies have an outreach of millions of B2B and B2C customers. They are well positioned to provide financial services traditionally provided by incumbent banks. These digital companies either partner with banks to build their networks or directly compete with them. Banks are also quickly evolving to build partnerships and develop their own customer-centric eco-systems.

Over the last three years, transaction fee growth for payments has been muted because of the competitive pressures that have continued to depress margins. Margins can be as low as 0.2%. This means that when additional requirements are implemented, additional regulatory and compliance cost will be passed on to the consumer, increasing business cost. We must be cognisant of the competitive and ever-evolving digital payment landscape.

For our survival and relevance to the world, we must ensure that there is fairness, accountability and transparency and yet have the agility to safeguard the reputation and competitiveness of the Singapore financial eco-system – to be a home for future global fintech champions. Mr Deputy Speaker, I support the amendments.

Mr Deputy Speaker: Mr Louis Chua.

6.17 pm

Mr Chua Kheng Wee Louis (Sengkang): Mr Deputy Speaker, I would like to declare my interest as an employee of a financial institution in Singapore.

Mr Deputy Speaker, the last I checked, Bitcoin was at a record high of around US$31,000, having risen almost fourfold over the course of 2020, far surpassing the previous highs of around US$19,800 set in December 2017, just before its precipitous crash in the months after.

Many have called Bitcoin and cryptocurrencies a massive bubble, but fast forward to today, as alluded by other Members of this House, industry players see 2020 as a year where Bitcoin was perhaps being institutionalised.

Conventional asset managers such as Ruffer and MassMutual now have Bitcoins as part of their asset allocation. PayPal is enabling cryptocurrency as a funding source for digital commerce and our very own DBS and SGX have launched the DBS Digital Exchange in December 2020 to welcome the mainstream adoption of digital assets and currency trading.

This is a further testimony to how banks and institutional investors, both local and abroad, are trying to keep up with the times to ensure that they remain relevant in the financial service offerings. Indeed, the recent approval of the new digital banking licences in December is indicative that Singapore is taking a leap forward in attempting to become even more competitive as a global financial hub.

Against this backdrop, it is heartening to note that the MAS is also very quick to update the Payment Services Act 2019 so as to strengthen the regulatory frameworks, especially with regards to anti-money laundering and countering terrorism financing.

In keeping with the spirit of progress, we should also consider the progress made in assessing payment service provider applications and the pace at which approvals are given. Now, I note that while the Act came into force on 28 January 2020, there remains about 361 companies that are still on the exemption list and awaiting the outcome of their PSA licence application.

I understand that the MAS has a list of admission criteria but these are not meant to be exhaustive.

Will the Minister provide greater clarity as to the factors and their respective weightings in MAS' considerations in granting or rejecting PSA licensees? More importantly, what is the number of applicants at the various stages of approval and what is holding back MAS from approving or rejecting these applications? Is the team overseeing the approvals adequately staffed to support the timely developments in this arena?

On that note, I would also like to seek clarifications on some of the proposed amendments to the Payment Services Act.

The first is with regard to user protection measures. Section 21 of the amendment gives MAS the power to impose user protection measures. However, there is no clarity for now as to what these measures might be at the moment, although MAS will consult the public and the industry on any implementation of such measures. MAS has also highlighted in an April 2020 FAQ paper that it does not intend to provide any regulatory safeguards for investments in digital payments, the safety and soundness of DPT service providers or the proper processing of DPT transactions.

In light of concerns surrounding business failures and cybersecurity, I believe a clear framework should be adopted and put in place as a pre-emptive measure, which aims to imbue users with greater confidence in the payment service infrastructure in Singapore. A wider adoption of digitalisation can only be built up when consumers have adequate trust that the system works and that adequate circuit breakers or minimal fail safes are present to mitigate any damage. An example of which is the deposit insurance scheme in the case of monies in banks.

A balance has to be struck, however, as mentioned by my colleague Leon Perera. There is the perception that increased regulatory powers by MAS may spark fears of over-regulation and excessively stifle innovation. In this regard, both end users and companies could benefit from greater regulatory and operational clarity sooner rather than later.

The second point I would like to highlight is with regards to the potential upward revision of the current limits on e-wallet users. Under the current Payment Services Act, e-wallet users can hold no more than $5,000 in their accounts while they can transact no more than $30,000 each year. According to MAS, these limits are in place to safeguard the risk of excess monetary outflows from bank deposits to non-bank e-money.

With the signing of the new trade agreement with the UK, MAS has said that it would review these payment limits.

I would like to ask when is the review expected to be concluded and, with the expected passing of the Payment Services Act's amendments, could the review then being expedited? Because a higher limit would mean that firms can potentially offer more services to their customers, which in turn, encourages wider adoption and usage of digital payments in line with our hope for developing a Smart Nation.

Finally, and more broadly, I would like to touch on the fact that despite the great strides we have made in advancing technological adoption, it appears that cash is still king in Singapore. With COVID-19, we have been forced to adopt digital contact tracing, which, much like digital payments, make use of the scanning of QR codes. I am sure Members would agree with me that the scanning of SafeEntry QR codes is now second nature to Singapore residents.

Yet the uptake for digital payment remains low as compared to a country like, say, China, where the authorities had to intervene to ensure that merchants still accept cash as a mode of payment – quite the opposite of Singapore's experience today, with "Cash Only" signs still quite commonplace at small businesses in Singapore.

I note that the SG Digital Office was established in May 2020 under IMDA, but beyond Hawkers Go Digital or Seniors Go Digital, we could perhaps ask ourselves, why is it that the uptake of digital payment still remains low in Singapore and if more can be done to encourage the uptake of digital payment in the near future.

Mr Deputy Speaker, to conclude, the payment industry is a rapidly developing one with huge potential for growth and I am heartened that we are riding this wave in the hopes that we will remain competitive for many years to come. At the same time, of course, let us not forget that the older generation might not be as proficient technologically and we should push for progress while also being cognisant of not leaving anyone behind.

Mr Deputy Speaker: Mr Saktiandi Supaat.

6.25 pm

Mr Saktiandi Supaat (Bishan-Toa Payoh): Mr Deputy Speaker, Sir, first of all, I would like to declare that I am a bank employee.

I applaud the new amendments which will build consumer confidence in the use of digital payments while encouraging a robust e-payment eco-system.

The Government's position on regulating digital tokens, specifically cryptocurrency, has garnered a significant amount of interest. Cryptocurrencies are now required to be protected and each cryptocurrency transaction must be processed properly. This will certainly be a good step. It is also good news for technology start-ups which view cryptocurrencies, particularly Initial Coin Offerings or ICOs, as a quick way to fund their innovations. The Government's move to take an active stance to regulate and safeguard customers' virtual assets will encourage more to partake in new technology businesses.

I wish to raise my concerns on a few topics: first, cybersecurity issues about cryptocurrency; second, social engineering problems; third, manipulation of crypto exchanges and issuance of digital tokens.

Even with licensing and regulations, crypto exchanges are fraught with risks and liabilities. Any financial activity that takes place through cyberspace would be a target for cybercriminals. All activities involving cryptocurrencies occur online. Crypto exchanges are hot targets for hackers and losses by the millions have captured headlines in the past five years. Although the security systems designed to protect the exchanges and customers have been enhanced over the years, the plunder by hackers continued through the past year.

Half of crypto-related hacks are reportedly from DeFi protocols and exchanges.

I would like to ask what is the Government's stand on De-Fi or decentralised finance?

These are financial services using smart contracts, which are automated enforceable agreements that do not need intermediaries like a bank or a lawyer. They just use online blockchain technology instead. The concept has grown in popularity in the past year but they are also controversial because they are attractive to criminal hackers.

Cryptocurrencies, too, are subject to cyberattack methodologies like phishing and data breaches. Hackers can exploit cross-site scripting issues to change a customer's withdrawal address and draw money from the customer's account into their own – according to a Forbes article about the risks of crypto exchanges. As both accounts are legitimate, these activities would resemble normal transactions and it may take some time before the illegal activity is flagged. By then, it may be too late for any action.

Two-factor authentication, or 2FA, is widely considered the gold standard for protecting online accounts. Yet, in the case of a server-side vulnerability in a crypto exchange, hackers can bypass 2FA checks entirely through remote code execution, or RCE. A research revealed in December 2017 that nearly 90% of all RCE attacks are driven by crypto-mining. So, 2FA would avoid account takeover through password theft, but a customer is still vulnerable to inadequate systemic protection measures.

I wish to ask, under the amendments, if a hack is to occur and millions of funds are lost, how will customers be compensated and what penalties will be issued? Should we perhaps look into the feasibility of deposit insurance for providers of digital payments and crypto services?

Fortunately, there are ways to identify crypto exchanges which are relatively secure and safe to work with. When cryptocurrency was largely unregulated, customers were required to do their own extensive research, which often requires deep reading and technical knowledge. With enhanced regulations for the industry, I hope the Government is also taking into consideration security factors when granting or renewing the licenses.

For example, crypto exchanges must present adequate security measures before they are licensed. These would include security audits of smart contracts and front-end application servers and regular bug bounty programmes to stay ahead of hackers. I hope this will open up more opportunities for local white hackers and cybersecurity talents to hone their skills and land good jobs and development opportunities in the industry.

Besides cyberattacks, frauds and social engineering are challenges to contend with, as with any online financial activities and transactions. The past year saw an uptick in victims being scammed or unwittingly involved in Ponzi schemes. Moreover, online criminals have devised all kinds of complex methodologies to attack crypto exchanges from multiple fronts, not only targeting the exchanges but also customers and third-party service providers associated with the exchanges.

A recent example was a cyberattack on several cryptocurrency websites after employees at a hosting company were targeted and socially engineered to give access to the targeted websites. Although no funds were lost, the hacker was believed to have obtained personal information and documents from the user database. These included sensitive information like government-issued IDs, addresses and passwords. Service providers who failed to protect consumer's data must be penalised under the Personal Data Protection Act.

Unrelated to cybersecurity, but also having an insidious impact on the stability of crypto exchanges, is crypto market manipulation. Back in 2019, allegations on cryptocurrency exchanges manipulating data to attract traders to their platforms had rocked the industry. A series of crackdowns alleviated this problem, but it is still present to a lesser degree. Meanwhile, sophisticated traders who have purchased large amounts of cryptocurrency may manipulate the market across several exchanges in parallel. This is commonly cited as the equivalent as the "pump-and-dump" securities fraud in the stock market. Although reputable exchanges tend to be regulated with anti-manipulation protocols in place, manipulation across multiple exchanges is difficult to detect.

As all these variables continue to plague the crypto exchanges, I am particularly concerned about the inevitable surge in interest from newcomers once the new regulations come into effect. They may be lulled into a false sense of security and invest recklessly. We may also see a rise in cybercrimes if victims fail to adopt all the necessary precautions to protect their assets. We can license and regulate, but the volatility of the industry means that reviewing the laws must be an on-going and frequent process. Anyone who wants to participate must continuously educate themselves and stay abreast with news on the technology.

I am pleased to note that there are several crypto and blockchain courses available in Singapore and some are under SkillsFuture.

Given the complexity of cryptocurrency investment, some may prefer to turn to corporate finance advisers, who have shown increasing interest in offering clients exposure to cryptocurrency. My question is, what is MAS' response to advisers in Singapore who want to include these products in their clients' portfolios? To what extent are they allowed to facilitate crypto transactions for clients, and would they require a special licence for such activities? It would be good to know if there is proper credentialing for financial advisers who want to market cryptocurrency to customers as an investment.

I now move to my last topic on token issuance. A more stable and well-regulated fintech industry will be a boost for technology start-ups particularly for those who wish to get funding via Initial Coin Offerings or ICO. I wish to clarify whether under the new amendments, would issuers of tokens require a licence? How long or complex is the typical process for a company to get into the business of issuing tokens? Ultimately, we want to strike a fine balance between accessibility and security. We want to encourage our tech entrepreneurs to leverage on a vibrant fintech economy, while maintaining stability and security through anti-money laundering and cybersecurity regulations.

Mr Deputy Speaker, Sir, developed economies are moving ahead with digital token assets and we must not be left behind in the dust. Moreover, well-regulated developments in the industry will serve to stimulate other areas like technology advancements and cybersecurity, which in turn, creates employment. I support the Bill.

Mr Deputy Speaker: Minister Ong Ye Kung.

6.34 pm

Mr Ong Ye Kung: Mr Deputy Speaker, Sir, I thank Members who have spoken on the Bill and for their support of its introduction. There were quite a number of comments about protecting consumers, protecting seniors, educating the public on the risk of DPTs or digital payment tokens. But there are also others who commented that we should not over-regulate and we have to encourage entrepreneurship.

This is in essence what this Bill is about, to strike that balance, and in that process, take a risk-differentiated approach.

When we passed this Bill, I did so in January 2019, and we explained this. It is fundamentally the entire architecture of the Payment Services Act to have different classes of licences, differentiated approach and adopt the principle of taking a risk-based approach.

Let me address Members' questions. There are quite a number of them. Let me try my best.

First, let me deal with the risks that the Bill mainly seeks to address – money laundering, terrorism financing and other illegal activities.

Mr Louis Ng suggested sharing more information and feedback with financial institutions to improve the efficacy of suspicious transaction reporting. Mr Louis Ng asked his question in the context of identifying illegal wildlife trade, but really, the broader purpose is to counter all illegal activities in general.

Financial institutions are required to report suspicious transactions to the Suspicious Transaction Reporting Office in the Singapore Police Force. Relevant agencies have shared case studies and red flag indicators on risks with financial institutions to help them better detect and report these illicit activities. Agencies also provide feedback to financial institutions to sharpen their efforts in reporting suspicious transactions. So, the efforts as suggested by Mr Ng is on-going.

Mr Don Wee also asked if there could be a centralised platform for DPT service providers to research on transaction details, share information and improve efficiency. We agree with this suggestion, the principle of it. MAS has been working with the industry and relevant associations, on the sharing of emerging risks and typologies, and best practices to collectively raise Anti-Money Laundering/Combating the Financing of Terrorism or AML/CFT standards, and improve their effectiveness and efficiency.

Mr Louis Ng asked if there is a space for anonymised financial transactions. Usually, that is cash, that is the most anonymised. But if it is digital, indeed, in this digitised world, everything we do, from buying something online to even surfing the net, we leave a digital trail that is in someone's possession. Yet, we willingly do so. And usually the data is used to push to you the next advertisement that you should take note of.

For financial transactions, where there are real concerns of money laundering or terrorism financing, it is all the more necessary to have regulations that require the keeping of data and records. Hence, MAS imposes stringent AML/CFT requirements on licensed DPT service providers in Singapore to mitigate against the risks of abuse of our financial centre by bad actors.

Mr Yip Hon Weng also raised questions on whether these service providers would be required to identify and verify their customers. In line with the Financial Action Task Force or FATF standards, DPT service providers must conduct know-your-customer measures for this purpose. Payment service providers are also required to retain the necessary information on customers and transactions to maintain proper audit trails and facilitate investigations by law enforcement agencies.

Mr Don Wee asked if MAS requires DPT service providers to use search engines, like in the maritime sector, to authenticate shipments. MAS expects DPT service providers to apply a risk-based AML/CFT approach that is appropriate for the risks of their business and nature of transactions. Hence, MAS does not prescribe the use of specific systems. However, DPT service providers should take enhanced risk measures such as ascertaining the purpose of the transaction or source of funds using relevant sources of information when they encounter higher risk situations.

Mr Leon Perera raised several questions. He raised various instances where DPT service providers need not be subject to perhaps the full suite of regulatory measures. These are valid concerns and indeed, we, as I explained earlier, that is why we take a risk-based, modular approach for the Payment Services Act. And in fact, that defines the entire architecture of this Act.

For example, it is not the intent of the Payment Services Act to capture entities that conduct general marketing or advertising activities. Whether an entity is caught by the Act, is dependent on the facts and circumstances of each case. The exact rules will be spelled out in subsidiary legislation or guidelines on licensing for licensees; and we will consult the public and the industry as MAS do so.

I want to assure Mr Leon Perera that our rules are aligned to the FATF as well as international best practices. This includes the regulation of cross-border remittance of monies. We are active in this space internationally and we keep abreast of the developments and certainly not running ahead of international best practices. So, whatever the legislation we are proposing, US, Japan, Australia, Switzerland, several EU members have already passed similar legislation to regulate their DPT service providers.

On monitoring cross-border flows that Mr Leon Perera asked, our rules require licensees to keep transaction records and we have supervisory oversight to review them. So, monitoring and enforcement is more ex post than ex ante. And of course, we rely on active cooperation with foreign counterparts and sharing of intelligence.

Also, as mentioned by Mr Leon Perera, MAS has carved out from regulation, any payment service that is solely incidental to carrying on a business that is already regulated under the Securities and Futures Act. And this is to avoid double regulation.

On the need to provide clearer definition of the word "incidental", it is already defined in the Payment Services Act, which is that a payment service is incidental if it is "to support the other business and provided by the person in connection with carrying on of the other business". If necessary, MAS can issue further guidance on this, as we receive more feedback from the industry.

Next, I will address crypto-related developments which were brought up by Mr Saktiandi and Mr Don Wee, specifically on stablecoins and decentralised finance or DeFi. These services are still nascent in Singapore but it can change quickly. MAS has therefore issued a consultation paper to review if further changes are needed to address risks associated with stablecoins. DeFi is currently the most common form of DPT services which will be captured with the expanded scope introduced today. But if there is a need to evolve our regulatory regime further in future, we will be ready.

Next are questions on technology and cybersecurity risks, as well as data privacy standards.

Mr Derrick Goh proposed differentiated technology and cybersecurity requirements for payment institutions, and in particular, for standard payment institutions to perform self-assessment of their technology and cyber risks.

The underlying principle behind Mr Goh's suggestion is that MAS should take a risk-based approach when applying technology and cyber security requirements on different types of financial institutions and we agree with this underlying principle.

Payment service providers must meet MAS' standards on technology risk management and cyber hygiene practices. Examples of these regulatory requirements include establishing robust security controls to mitigate the risk of malware infection and data loss, and ensuring strong user authentication for systems that are used to access customer information. New entrants who are not able to meet these standards will not be allowed to commence business. MAS imposes more stringent requirements on payment service providers as they become significant players in the payment industry.

Payment service providers are expected to independently perform risk assessment against these MAS requirements. However, as part of our on-going supervision, it is still necessary for MAS to periodically assess the cyber resilience of payment service providers by reviewing the effectiveness of their processes and controls.

The amendments under the Bill will allow MAS to impose additional requirements on DPT service providers to protect customers' data, precisely for the reasons raised by Members. For instance, MAS can impose stricter controls and processes to protect data from unauthorised use, in addition to the Personal Data Protection Act.

Mr Derrick Goh suggested a ratings system for payment service providers. But unlike the food and property development industries, payment service providers are licensed and subject to on-going supervision by MAS. I would thus encourage consumers to ensure that the payment service providers they engage, such as the platform they use to buy or sell DPTs, are licensed by MAS.

Mr Saktiandi also asked if cyberattacks lead to massive losses, how will customers be compensated and what are the penalties. In such an event, MAS will oversee the payment service provider’s dispute resolution process to ensure that they handle customer claims fairly and promptly. Further, if the entity is found to have breached MAS’ cyber hygiene requirements, it can be subject to fines of up to $100,000 on conviction.

The next set of risks raised by Members – Ms Ng Ling Ling, Mr Louis Ng, Mr Yip Hon Weng and Mr Saktiandi – pertain to fraud and scams.

The first set of actions to prevent this is to have a rigorous, robust, regulatory regime. MAS grants licences only to entities that have in place proper governance and risk management processes.

Further, MAS and the Commercial Affairs Department or CAD will take enforcement actions against entities that operate illegally or fail to comply with regulatory requirements.

In response to Mr Yip Hon Weng’s specific questions, our enforcement agencies have the power to investigate, seize and confiscate assets in their pursuit of DPT-related scam and fraud cases. For example, two persons were convicted in 2020 for promoting an illegal pyramid scheme involving a purported fraudulent digital token called "OneCoin". The CAD has also, to-date, removed or blocked more than 150 advertisements and websites promoting suspicious investments featuring or involving DPTs.

Next, investment risks. Members are concerned that today’s enhancements could give consumers a false sense of security and encourage them to jump into DPT-related investments. Some Members may recall we had this same debate, when we first tabled the Payment Services Bill in this House in January 2019, except the tables were then turned. Then, there were requests that MAS regulate DPTs more strictly. I explained that we were not ready to do so, because DPTs were still at a nascent stage of development and we should be mindful that more regulation may have a legitimising effect.

Compared to January 2019, while the usage of DPTs in Singapore remains low today, recent developments, such as stablecoins, can spur greater adoption of DPTs within a short time. So, it is timely to have new powers to be able to tighten the regulation, notwithstanding the concern of a legitimising effect.

The fact is DPTs remain unsuitable for most retail investors. Placing funds in DPTs like bitcoins comes with very high risk. Today’s amendments introduce additional user protection powers in the Payment Services Act, but it is not possible for laws to protect against investment losses.

Ultimately, investors need to exercise extreme caution. They should seek to understand the product, its characteristics and risks before committing their money.

Ms Ng Ling Ling is especially concerned about seniors and rightfully so. She suggested risk disclosures and suitability assessments for seniors. Mr Louis Ng also asked if there are measures to prevent false marketing to mislead customers.

MAS requires licensed DPT service providers to clearly disclose to their customers that they should buy DPTs only if they are familiar with the product and are prepared to accept the risk of losing all the money put into the DPTs.

If DPT service providers make a statement that suggests that investment in DPT is protected under the Payment Services Act, MAS will require them to immediately correct or remove the statement, and they will be subject to enforcement actions.

In response to Mr Saktiandi’s question, any entity which facilitates DPT transactions as described in the Payment Services Act today or in the amendments under today’s Bill, including persons facilitating transactions, will be required to obtain a licence. Financial advice received in relation to DPTs may be separately regulated under the Financial Advisers Act. However, potential investors should be aware that not all advice they receive in relation to DPT investments is regulated by MAS. Only advice concerning investment products are regulated under the Financial Advisers Act.

Investors should check with their financial institutions if the particular DPT investment they are considering is a regulated investment product and understand the risks of dealing in unregulated investment products.

Where the digital tokens are used by issuers as a way to raise capital from the public, the issuers will be subject to the full set of regulatory requirements applicable for securities issuance —

Mr Deputy Speaker: Excuse me, Minister Ong, if I may ask you to give way to Leader for the purposes of Exempted Business.

Mr Ong Ye Kung: Yes.

6.48 pm

Mr Deputy Speaker: Thank you. Leader.

Debate resumed.

Mr Deputy Speaker: Minister Ong.

6.49 pm

The Minister for Transport (Mr Ong Ye Kung): Thank you, Leader and Deputy Speaker. Let me repeat.

Where the digital tokens are used by issuers as a way to raise capital from the public, the issuers will be subject to the full set of regulatory requirements applicable for securities issuance, such as the need to issue a prospectus.

Let me address another question by Mr Leon Perera as well as Assoc Prof Jamus Lim. They voiced the concern of small players and licence holders being caught under the consumer protection requirements. But this is where we also need to strike a balance. We want to encourage entrepreneurship but, at the same time, need to protect consumers especially given the current circumstances that DPTs can become more popular, companies can come up with products that are more attractive. And, today, what we are doing, we believe, is an appropriate and calibrated response.

As suggested by several Members, MAS will continue to educate the public on DPTs, through the national financial education programme, MoneySense. We will also explore ways to better reach out to seniors, such as through mainstream media channels, working with agencies such as IMDA and SkillsFuture Singapore, and through the communities. MAS and the CAD have also rolled out consumer education initiatives to raise public awareness of the risks of putting their money in DPTs.

Since 2017, several advisories have been issued to warn the public of the risks and of common tactics used by scammers, to cheat people of their money or make use of them to carry out money laundering activities. We will continue our efforts, together with the industry and the community.

Let me address one more comment on what Mr Louis Chua raised. He said that digital payment uptake is not fast enough. But, actually, digital payment uptake in Singapore is quite rapid. We can see many merchants taking up, individuals using, and this is after years of work putting in place infrastructure such as the FAST and PayNow system, which makes things a lot more convenient. And then, the Singapore Quick Response Code (SGQR), a unified point-of-sale system. So, all these helped create a very strong momentum of digital payment uptake.

But when it comes to hawkers in coffeeshops, they are actually one of the hardest to convert. But we will continue to work on them. There are improvements that we can make including on the software, on the user interface as well as the user experience. This is something that MAS will continue to work with agencies, such as IMDA, to continue to push the process.

Finally, Members asked about the risks to consumers and businesses who accept or hold DPTs for payments or as collateral for lending to DPT owners. As DPTs have little or no intrinsic value, and their market value is highly volatile, they have not taken off in a big way as an accepted payment mode in Singapore. And it is actually quite a sensible outcome.

Mr Don Wee asked for an assurance that DPTs should not be used as collateral to grant working capital loans. Businesses and lenders must understand the nature of DPTs, and those that wish to accept DPTs either as payments or collateral for lending to DPT owners would thus have to bear the risk of value depreciation.

MAS conducts thematic checks on banks’ collateral management practices to ensure that they maintain prudent credit risk management. There are, in fact, many alternatives to facilitate the normal conduct of business.

Mr Saktiandi suggested a scheme similar to deposit insurance, to safeguard customers against potential losses. Mr Don Wee asked whether capital adequacy ratios would be imposed on DPT service providers.

Banks take in deposits and on-lend these funds. They play a critical intermediating role in the economy and are, therefore, subject to stringent prudential regulation and supervision, including deposit insurance and capital adequacy ratios.

DPT service providers are not banks, do not perform similar economic functions or pose similar systemic risks. We should use alternate means in our regulatory toolbox to deal with risks associated with DPT, which is what the Payment Services Act seeks to do. That is why the Payment Services (Amendment) Bill today provides MAS the powers to require DPT service providers to put in place consumer protection safeguards.

Today, under the Payment Services Act, major payment institutions are required to safeguard customer monies by depositing them in a separate trust account, or obtaining either an undertaking or guarantee from a bank in Singapore. Such safeguards currently do not apply to DPT service providers. With the provisions made, MAS will review the need to impose safeguarding measures on DPT service providers.

To ensure all our regulations are not so onerous that we stifle entrepreneurship, let me reiterate the basic architecture of the Payment Services Act, which is that it is risk-based, three different licences, three different tiers, with requirements calibrated to the risk they pose, and taking a modular approach.

Assoc Prof Jamus Lim raised some questions. I want to assure him that the intent of the Act is to regulate entities that are carrying out payment services as a business and not for individuals. I also want to assure Assoc Prof Jamus Lim that DPT service provided in respect of a central bank DPT function is also carved out in the Act currently.

The new user protection powers introduced under section 21A of the Act is to empower MAS to impose user protection requirements when needed. It will not be implemented immediately, as I have explained. The adoption of DPTs remains small in Singapore and it remains that we are regulating for ML/TF.

If MAS was to exercise the powers, the industry can be assured that we will keep to the principle of the Payment Services Act – risk-based, modular. As such, it is likely that requirements will be imposed for major payment institutions first and if we do not detect the same concern for standard payment institutions.

Assoc Prof Jamus Lim also asked about moneychangers and he highlighted that business is affected, and indeed so. But it is really not due to this legislation. Because of COVID-19, tourism has been affected badly, that has affected moneychangers' business quite adversely as well. Also, they are affected by technology, as there are now alternatives to remittances.

We have a six to 12 months' grace period for existing players to transit into the new regulatory framework, so this applies also to moneychangers. So, new applicants that are seeking to enter the market will not enjoy this six months' grace period, which I think is reasonable.

Several moneychangers have made requests to MAS to temporarily cease their licences due to poor business. Several requested for further extensions beyond the six months and MAS will consider their request on a case-by-case basis.

As for higher limit on the stock and flow cap of e-money, as raised by Mr Louis Chua, we will continue to study the issue. These caps are actually enshrined in the main Act, so if there are any changes to remove the caps, we will have to consult and come back to the House to make the necessary changes.

On Mr Leon Perera and Mr Louis Chua's request for a success rate of application for DPT service provider licences, it is too early to provide a representative success rate currently. MAS has received over 300 applications so far. Many require very close consultations, even hand-holding and guidance due to their unfamiliarity with AML requirements and the applicability of the Payment Services Act to their business. So, everyone is learning in this very fast moving and evolving space and MAS will continue to review how best to speed up the process and strike a good balance between encouraging entrepreneurship and regulation.

Mr Deputy Speaker, Sir, the regulatory issues for payment services are multi-faceted and dynamic as the industry continues to innovate and evolve. MAS seeks to ensure that its regulatory regime is aligned with international standards and that it has the necessary tools to respond quickly to market developments. With that Mr Deputy Speaker, Sir, I beg to move.

Mr Deputy Speaker: No clarifications? Okay.

Question put, and agreed to.

Bill accordingly read a Second time and committed to a Committee of the whole House.

The House immediately resolved itself into a Committee on the Bill. – [Mr Ong Ye Kung].

Bill considered in Committee; reported without amendment; read a Third time and passed.