123/A, Miranda City Likaoli Prikano, Dope
+0989 7876 9865 9
+(090) 8765 86543 85
info@example.com
example.mail@hum.com
A Standard Payment Institution (SPI) licence is a regulatory authorisation granted by the Monetary Authority of Singapore (MAS) under the Payment Services Act (PS Act) to a firm to engage as a payment institution in one or more regulated payment service activities within specified payment service transaction thresholds. The Standard Payment Institution License guide framework sits between the high-volume players that hold Major Payment Institution (MPI) licences and the only money-changer-type operators, which hold money-changing licences, in Singapore’s payment services licensing structure, which was introduced when the PS Act came into force on 28 January 2020. The SPI licence is especially suited for payment service providers that do not anticipate reaching the payment thresholds for their first months of operations — and thus is the logical place for most Singapore fintech payment start-ups to begin.
The SPI licence is an activity-based authorisation – the firm must obtain a separate regulatory endorsement for each regulated payment service it offers, and the licence may cover one or more service types, depending on the firm’s business model. Any regulated payment service that occurs without the required endorsement on the SPI licence is an unlicensed payment service under the PS Act, even if the firm holds a licence for a different type of payment service. The first step in the Singapore SPI License application process is to determine exactly which regulated payment services a firm’s business model entails and ensure that the SPI app covers all services applicable to the business.
The SPI licence is the legal pathway for regulated payment business activities in Singapore for fintech and payment service businesses. The failure to use a payment service provider before obtaining an SPI licence, or to obtain an SPI licence before using the service, may result in criminal liability, a civil monetary penalty, and closure of the business for the firm, its directors, and key employees. Even if a company is certain that its proposed activities fall under a statutory exemption, it is advisable to obtain specific legal advice on the exemption’s applicability before operating, given that an unlicensed activity is an ongoing offence from the first day.
In addition to the legal requirement size, the SPI licence is a major trade resource for the fintech payment business. Banking partners, who are critical for accessing payment companies’ accounts, facilitating payment settlements, and providing access to payment rails, have consistently requested confirmation of MAS payment institution licensing before setting up or maintaining accounts with fintech payment companies. Retail distribution partners, enterprise customers, and institutional investors also view the MAS licensing status as a threshold indicator of the firm’s maturity and compliance culture. The SPI licence is thus a legal permission to operate, but also a commercial credential that allows the payment services business to access the financial infrastructure and commercial relationships that it requires to grow in Singapore.
First introduced in 2019, the Payment Services Act (PS Act) was passed into law on 28 January 2020 and marks Singapore’s most far-reaching payment services regulatory reforms in over 10 years. The Act superseded two existing laws, the Payment Systems (Oversight) Act and the Money-Changing and Remittance Businesses Act, and introduced a single, broadly based, activity-based licensing system that adopts a technologically neutral approach and allows for growth to encompass the wide range of payment service activities. The PS Act encompasses seven types of payment service, namely account issuance, domestic money transfer, cross-border money transfer, merchant acquisition, e-money issuance, digital payment token services, and money-changing. It foresees three types of licence, namely the SPI licence, the MPI licence and the money-changing licence, the type of licence to be applied depending on the size of the firm’s business.
To launch payment services, a firm must be authorised by the regulator for the specific service in question, rather than a blanket licence for all financial services. This design is consistent with the MAS’s approach of tailoring standards to the risks of different types of payment services, rather than applying a one-size-fits-all approach to payment service providers. Where the business model involves multiple payment service activities (such as a digital wallet provider that offers account issuance and domestic money transfer services), all payment service activities to which the licence applies should be endorsed on the SPI licence and compliance obligations for each payment service activity are separate.
MAS has four related regulatory duties in the payment services industry that help set the landscape for all SPI licensees.
MAS issues licences to firms that fulfil the relevant admission criteria, and does not issue licences to firms that do not. This helps to ensure that firms issuing licences have adequate governance, compliance and financial capacity to provide regulated payment services to Singapore businesses and consumers.
MAS monitors SPI licensees by examining periodic regulatory returns, notifying of events, conducting thematic regulatory industry reviews of specific payment service categories, and conducting on-site inspections of SPI-licensed firms’ premises, systems, and compliance records.
MAS consults on and develops regulatory principles and frameworks under the PS Act by issuing consultation papers, notifying updates to notices and guidelines, and publishing findings from its supervision to convey changing expectations to the licensed community. SPI licensees are expected to keep a close watch on these regulatory developments and ensure that their compliance programmes reflect them.
MAS has broad enforcement powers under the PS Act, including imposing civil monetary penalties, directions, conditions, and restrictions on licences; suspending or revoking licences; and referring cases to the Public Prosecutor for prosecution. It can use these powers to act against regulatory breaches by SPI licensees and their key personnel.
Knowing which of the PS Act’s seven payment service categories a firm’s business model falls under is the initial step in the licensing assessment process and is often done incorrectly by new firms making their first application.
This includes the establishment and use of payment accounts, such as digital wallets and stored-value accounts, in which customers store their funds and make payments. If any firm allows its users to keep funds in an account and pay them through that account, it is likely engaged in account issuance services, which require an SPI or MPI licence.
Domestic Money Transfer refers to transferring money between remitters and beneficiaries who are both within Singapore. The term “cross-border money transfer” refers to international remittances and cross-border payments. Both are controlled independently and require customer due diligence for both the sending and receiving parties.
Merchant acquisition includes payment transaction processing and settlement for merchants. E-money issuance includes the issuance of electronic monetary value instruments that can be exchanged for goods, services, or fiat money. Both are frequently used side by side in payment platforms and business models, and both require specific approval under the SPI licence.
The DPT services include facilitating and trading digital payment tokens, which encompass the vast majority of cryptocurrency exchange and trading activities. DPT services are subject to additional regulatory requirements under the PS Act due to their higher AML/CFT risk, and DPT service providers are subject to restrictions on marketing DPT services to retail members of the public.
The Standard Payment Institution License guide outlines a type of regulatory authorisation under the PS Act that allows a firm to provide one or more regulated payment services, subject to transaction caps that limit the maximum scale at which an SPI licensee can operate. The SPI licence is issued to a legal entity, that is, a company incorporated in Singapore or a branch of a foreign company, and is subject to the conditions imposed by MAS when it is granted and during the licence’s validity. Unlike the MPI licence, the SPI licence is perpetual. It is expected to be a lifetime licence that remains in force until it is revoked by MAS, surrendered by the licensee, or changed to MPI status as the number of transactions increases.
The most significant feature of the SPI licence is that its transaction volume is capped. The average amount of regulated payment service transactions, excluding e-money issuance and money changing, that an SPI licensee can conduct per month in any single type of regulated payment service or per month in total across all types of regulated payment service, on a rolling 12-month basis, is capped at S$3 million per month and S$6 million per month, respectively. The amount of e-money outstanding (the balance of all e-money held on issue at any time) should not exceed S$5 million for e-money issuance services. These thresholds are not only aspirational limits; actually breaking the limit while operating under an SPI licence is a breach of the regulations and must be addressed immediately: by applying for a licence variation to MPI status and by notifying MAS.
The SPI licence is appropriate for a specific type of PSP – one that is anticipated not to require the flexibility of operation found in an MPI licence and will be subject to the operational limits of the SPI licence for the initial few years of operation.
The typical Fintech in the initial growth phase (establishing payment wallets, peer-to-peer transfer applications, remittance platforms or QR code payments for a specific early adopter customer base) tend to be within the SPI threshold and the lighter compliance burden of the SPI, while building up the regulatory track record and customer base in Singapore.
Specialist remittance companies that focus on specific migration corridors, such as those serving defined diaspora groups with more or less homogeneous transaction sizes, are often able to operate for several years without breaching SPI thresholds and are ideally suited to SPI as their primary regulatory tool.
A closed-loop payment system can hold an SPI licence if it meets the licence conditions and processes payments below the thresholds. There is also a possibility of PS Act exemptions for some closed-loop structures, which regulatory counsel should evaluate.
For companies moving from using the MAS regulatory sandbox to becoming fully licensed, and for international payment companies making their debut in Singapore, the licensed operations are usually commenced with an SPI licence — which offers a more manageable regulatory starting point for operations until the company’s operations in Singapore reach a scale where MPI licensing becomes appropriate.
The transaction threshold framework is the biggest ongoing compliance obligation for SPI licensees, as it means that once you cross the thresholds that apply to you, you must apply for an MPI licence variation. Knowing exactly how the thresholds are calculated and the systems required to ensure accurate rolling 12-month monitoring start on the first day of operations, as part of SPI licence compliance.
Table 1: SPI Transaction Threshold Framework
From the date they are licensed, SPI licensees will be required to monitor transaction volumes on a rolling 12-month basis and have procedures in place to identify when volumes are approaching thresholds and to initiate the licence variation planning process in advance of reaching them. MAS expects SPI licensees to start the process of applying for a variation to the SPI before the thresholds are breached and not after. Starting the variation only after a breach has taken place is an additional failure, on top of the initial threshold violation, and constitutes a failure of regulatory compliance.
The two licences (SPI and MPI) are not simply a distinction within the same category of payment volume operations; they are different compliance standards corresponding to different systemic risks of payment operations at different sizes.
The SPI licence is designed to be better suited to smaller-scale payment service providers that fall within the defined transaction limits. It’s also commercially viable for early-stage operators because of its lighter compliance burden, which includes not requiring a security deposit, among other things, and a shorter MAS review timeline of about 60 business days. However, SPI licensees are required to adhere to strict AML/CFT controls, governance, and staffing requirements, and to actively manage their transaction volumes against the applicable thresholds.
This change in the transaction volume limits in the SPI is offset by a more demanding compliance regime, which includes a minimum base capital of S$250,000; a security deposit of between S$100,000 and S$200,000; user fund safeguarding in segregated accounts; an annual need for an independent audit; and a longer MAS review timeline of around 120 business days. Payment service businesses (PSBs) that are not within the scope of payment instruments (SPIs) or have reached their scale limit are required to submit to the MPI.
Table 2: SPI vs MPI — Key Regulatory Comparison
The table above highlights key regulatory differences between SPI and MPI licensing. When choosing a licence type, firms should evaluate not only their current size of transactions but also their 12–24 months expected growth rates — firms with projected growth that will breach the SPI thresholds within 18 months of operating should consider applying for an MPI licence from the start, rather than having to go through the licence variation process after they begin operating and risk disruption.
One of the most widely licensed regulated payment service categories under the PS Act is account issuance, which entails establishing and operating payment accounts, including payment wallets, stored-value accounts and e-money accounts, in which the customer keeps funds and makes payments. A fintech or payment platform that offers ways for users to deposit money into their account and then pay for goods or services from the deposited funds, either to merchants or to another user or external account, is probably engaged in account issuance services. The SPI licence endorsement for account issuance allows the licensee to issue and operate these accounts within the SSPI-imposed limits on the number of transactions and the amount of e-money that may be floated.
Account issuance services are often combined with other regulated payment services on a single platform. A digital wallet is a wallet where users can store money, transfer money to friends (domestic money transfers), and pay merchants (merchant payments). It may also need endorsements for all three service types on the SPI licence. The compliance requirements for each service type (including AML/CFT controls, customer due diligence procedures, and transaction monitoring requirements) need to be included in the firm’s compliance programme and addressed on the licence for each service type.
Traditional remittance service providers are primarily engaged in “domestic and cross-border money transfer services,” and these activities are increasingly integrated into the offerings of digital payment platforms. For SPI licensees offering these services, it is important to know the compliance requirements for each type of transfer service.
Domestic money transfer refers to the transfer of money from one payee to another within Singapore, such as transfers between peers, payroll payments by businesses, and payments from one user to another on a platform. SPI licensees must carry out customer due diligence measures on the sender and receiver and monitor for any patterns of money laundering or other financial crimes.
Cross-border money transfer refers to money transfers and payments made to individuals outside Singapore. Other AML/CFT obligations apply to this service type in light of the increased risk posed by international fund flows, such as higher due diligence for transactions to higher-risk jurisdictions in some instances, implementation of the FATF Travel Rule for transactions exceeding prescribed thresholds, and beneficiary identification requirements.
The FATF Travel Rule requires licensees that offer cross-border money transfer services to gather and send data on the originator and beneficiary of international transfers. MAS has introduced the Travel Rule for inter-currency transfers of digital payment tokens amounting to S$1,500 or more – and licensees that offer digital payment token cross-currency services are required to implement the technical infrastructure to comply with the Travel Rule’s information transmission requirements.
Transaction monitoring requirements for domestic and cross-border money transfer services need to be tailored to the risk profile of each service, including the size distribution of transactions, the geographic corridors covered, and customer profiles. Uncalibrated monitoring systems will lead to either false-positive alerts (increasing operational inefficiencies) or will fail to capture real suspicious patterns (AML/CFT compliance risk).
Merchant acquisition includes processing and settling payments on behalf of merchants, allowing businesses to accept payments from their customers via cards, QR codes, digital wallets, and other electronic methods. The merchant acquisition service endorsement is primarily used by payment processors, payment facilitators, acquiring banks, and merchant service providers. SPI licensees offering merchant acquisition solutions should be able to manage the specific AML/CFT risks associated with merchant onboarding, such as the risk of merchants engaging in fraudulent activity or acting as conduits for laundering money through the payment system.
Compliance for merchants starts with the merchant onboarding process, which should include a risk assessment of each merchant’s business type, transaction volume, and compliance level before their admission to the payment platform. There should be increased due diligence and ongoing monitoring of higher-risk merchant categories, such as cash-intensive businesses, merchants associated with higher fraud risk, and online gambling. The merchant acquisition services (MAS) licensees should also include monitoring of merchant transaction patterns in their AML/CFT programme, such as an unusual increase in refunds, a rapid increase in transaction volume, or transactions inconsistent with the merchant’s business description.
Digital payment token (DPT) services and the issuance of e-money are among the regulatory categories of payment services under the PS Act that carry compliance obligations beyond the requirements of the general SPI framework.
SPI licensees offering DPT services are required to implement additional AML/CFT obligations, including increased customer due diligence requirements, Travel Rule controls on DPT transfers exceeding prescribed limits, and limitations on retailing DPT services to members of the public. MAS has clearly set out the regulatory expectations for DPT service providers and licensees; DPT service providers and licensees should take the guidance MAS published on DPT regulatory expectations as a minimum, rather than aspirational.
SPI licensees who offer issuance services for e-money are required to closely monitor and control their e-money outstanding balances to ensure that they do not exceed the S$5 million limit. This will require end-to-end monitoring of the total outstanding e-money value at any given time, along with an internal trigger for management to take action when the float reaches S$5 million. Going over the float limit is a regulatory violation that needs to be reported to MAS and addressed either by reducing the outstanding float or by requesting an MPI licence variation from MAS.
SPI licensees that offer DPT services are not permitted to actively market or advertise their services to the general public in Singapore. DPT services can be offered only to institutional or accredited investors. This restriction does not apply to any online advertising, social media marketing, or other marketing activities that interact with retail consumers, and retail consumers must be protected from the activities of SPI Licensees offering DPT services through internal controls implemented to ensure compliance with this restriction.
Many digital payment platforms offer both DPT and account issuance and e-money services. They must therefore seek endorsements for more than one type of regulated payment service and comply with the compliance programmes for each type of service. The compliance programme for a multi-service SPI should treat the AML/CFT requirements, transaction monitoring obligations, and obligations to inform customers of AML/CFT requirements separately for each service type, and not on a one-size-fits-all basis.
MAS uses the Fit and Proper Criteria (Guidelines FSG-G01) for all proposed directors, the CEO and key management personnel of an SPI licence applicant. The four dimensions assessed for fit and proper include honesty, integrity, and reputation; competence and capability; financial soundness; and other factors such as conflicts of interest or time commitments. The burden of demonstrating fitness lies with the applicant and is an individual burden of proof: the applicant must prove their fitness, not necessarily the team’s, and each assessed individual must demonstrate their own fitness, not the team’s average fitness.
The most frequently examined dimensions of the MAS SPI License requirements fit, and proper assessment are honesty and integrity (criminal record, prior regulatory proceedings, civil proceedings for payment services or financial services misconduct in any jurisdiction) and competence (CEO’s relevant payment services or financial services experience and the firm’s overall management capability). The failure to disclose any material adverse matters in a particular person’s fit and proper declaration is considered by MAS an integrity failure that is itself disqualifying, irrespective of whether the failure to disclose such material adverse matters would have been disqualifying on its own. Applicants are required to ensure that all persons who are required to be subject to fit and proper assessment know of this disclosure standard and that their declarations are complete and candid.
The capital and financial needs of an SPI licence are set at a lower level because payment operations at the SPI scale are less systemically risky than at the MPI scale. But the lack of a minimum capital requirement for the SPI applicant doesn’t imply that capital is unimportant.
MAS does not prescribe a minimum paid-up capital for an SPI applicant, but expects that all SPI applicants have sufficient financial resources to continue their operations, meet their obligations to regulators, and maintain their compliance programme for a reasonable period without the need to raise additional outside capital. In practice, this expectation will be judged by the financial forecasts included in the application pack.
Projections accompanying the SPI application should be based on realistic, verifiable assumptions, not on projections to meet a minimum viability threshold on paper. MAS reviewers evaluate: (i) consistency of projected revenue with the payment institution’s proposed business model; and (ii) the projected operating cost to include the actual cost of establishment and maintenance of the compliance infrastructure necessary for a licensed payment institution.
SPI applicants are required to provide evidence of adequate working capital for implementing the compliance infrastructure, such as AML/CFT technology, compliance staffing, legal advisory expenses and MAS inspection readiness activities, necessary for a licensed payment institution. If an applicant’s capital position would not cover those costs at the date of licensing, he/she is likely to face a challenge in MAS’s financial adequacy assessment.
After licensing, a SPI licensee needs to maintain ongoing financial management to ensure the firm’s financial resources are sufficient for its size and risk profile. The firm’s changes in the deterioration of its financial position, such as significant deviations from its anticipated revenues, unanticipated operating losses, or a reduction of investors that had agreed to provide continued funding, should be taken into account and may have to be disclosed to MAS if they are material.
MAS’s expectations regarding the governance of all applicants for its payment services licence demonstrate how essential good governance is for ongoing compliance with the regulations in the payment services industry. The requirements of the SPI framework for governance are less onerous than those imposed on MPI licensees (due to the lower scale and systemic importance of SPI operations); however, they do impose real governance arrangements that provide effective oversight of the firm’s payment service activities and compliance programme.
The real office of the SPI licensee is located in Singapore, and not at his registered address, a virtual office, or a shared service centre, where his payment service activities are carried out. During the processing of an application for a licence, and in the event of a supervisory inspection, MAS will check the firm’s operations in Singapore.
The senior manager (either the CEO, Managing Director or equivalent) must be ordinarily resident in Singapore and regularly engaged in the full-time management of the firm’s payment service businesses. This person must meet the MAS fit-and-proper requirements and be personally responsible for the firm’s compliance with the regulations.
The firm should have a proper board of directors that provides appropriate oversight of the payment services business — not just a “directorship” arrangement. One of the directors shall be ordinarily resident in Singapore. Minutes and notes of board and governance meetings must show that they have considered compliance issues, not just reached a conclusion.
The compliance function shall be separate from the revenue-generating payment service operations, with the compliance officer reporting directly to the CEO and the board of directors. It shall be sufficiently resourced to cover the firm’s entire compliance requirements under the PS Act. A compliance function that is subordinate to the business development or product management function is not structurally independent, as expected by MAS.
The staffing requirements for an SPI licence are intended to ensure the firm has the staffing and professional competence needed to manage its regulated payment service activities and compliance effectively.
The PS Act does not specify a minimum number of staff required for an SPI license. Still, MAS will expect the applicant to have adequate staffing from the date of licensing to perform its regulated activities and meet its continuous compliance obligations, including knowledge of and competence in payment services. MAS’s operational readiness requirement will not be met by a two-member founding team lacking compliance knowledge.
The compliance officer shall be a person with regulatory expertise and experience in implementing and monitoring the firm’s AML/CFT programme, reporting to the regulator, and effectively supervising the firm’s payment service activities. A founder who appoints himself as the compliance officer but has no experience in payment services compliance will be challenged on MAS’s competency assessment for this position.
MAS will expect technology firms that offer payment services using technology, such as digital wallets, DPT platforms or automated payment processing systems, to have members of its management team who possess the necessary competency in technology and operations to be able to oversee the management of the firm’s technology risk in accordance with MAS’s Technology Risk Management (TRM) Guidelines. Companies that lack tech leadership are likely to have to demonstrate how they will obtain the required technology through advisers or outsourced arrangements.
All staff with compliance-sensitive duties, such as customer onboarding, transaction processing, and AML/CFT monitoring, should be trained in the firm’s compliance policies and procedures before taking up their roles. The firm has to keep training records for all staff involved in the activity and have an existing training programme to ensure staff are kept up to date on developments in MAS’s regulatory requirements and the firm’s own compliance procedures.
The first step in preparing for an application process for an SPI License is the very careful definition of the firm’s proposed activities – mapping each commercial service proposed in the firm to the technical definitions of each of the types of payment services regulated under the PS Act to see exactly which service type endorsements will be needed under the SPI licence. This exercise in mapping is not a commercial one, as the definitions in the PS Act are technical and the impact of a wrong identification of a service, whether due to over-inclusion (which may create unnecessary compliance obligations on the firm) or under-inclusion (which may lead to unlicensed regulated activities), will remain with the firm throughout its regulatory lifecycle.
MAS has been auditing all new licence applications for SPI and MPI since 2024 to ensure that the types of services offered, including products, are in line with the requirements of the PS Act by requiring applicants to provide a legal opinion from an appropriate law firm. This legal opinion requirement, to be prepared by a Singapore-admitted solicitor with the requisite expertise in the PS Act, is essentially a requirement to conduct a regulatory mapping exercise and to provide MAS with an opinion on the classification of the applicant’s service type. Commissioning a legal opinion is costly, as firms that prepare the opinion themselves or use advisers who lack PS Act expertise risk obtaining an opinion that MAS does not accept, thereby necessitating a new opinion.
One of the most prevalent areas of application weakness is the absence of a complete, institution-specific compliance framework in the SPI licence application package. Non-customised templates will not meet MAS.
The actual risk profile of the firm’s proposed payment services, in terms of the type of customers their proposed services will be for, the type of payment services they will provide, the geographic corridors in which the services will be offered and the distribution channels that will be used for customer onboarding, should be reflected in the Money Laundering and Terrorist Financing Risk Assessment – which serves as the risk foundation of the AML/CFT compliance programme. A Risk Assessment that could apply to another payment institution or to this particular company, with its specific business model, is not sufficient to meet MAS’ expectations.
The CDD procedures are required to include the following information: the types of customers for which the identification requirements will apply; identification of beneficial owners of corporate customers; a periodic review schedule; and how customers whose circumstances change materially after being onboarded will be dealt with. These procedures need to be ‘operationally ready’ and consistently applied in real customer interactions from the first day of licensed operations.
The transaction monitoring framework should define the monitoring method, alert logic, escalation and STR process for each regulated type of payment service the firm provides. For companies that rely on automated transaction monitoring systems, alert settings should be tailored to the firm’s specific risk profile, not to default settings common in the industry that don’t necessarily reflect the firm’s actual risk profile or its customers’ transactional profiles.
The application should include a compliance monitoring plan detailing internal testing activities, testing frequency, reporting lines for results, and escalation and remediation plans. This plan shows MAS that the firm has a realistic and explicit programme in place to track its ongoing compliance with its regulatory duties – not just to say it has a compliance programme.
The business plan and financial projections submitted with the SPI application must be substantial, specific, and internally consistent. MAS uses a business plan to review the viability and compliance implications of the proposed business model and will involve information requests that will lengthen the overall review period if the business model is based on revenues that grow too quickly, or if the expected costs to meet compliance obligations are too low, or if the expected revenues are not consistent with the technical specifications of the proposed payment platform.
The business plan should include: a description of the proposed regulated payment services and the technical mechanism(s) for their delivery; a realistic plan to acquire customers and the number of transactions to be expected over a period of at least 24 months; a methodology for fees and revenue generation that shows how the business will become commercially sustainable; a description of the distribution and marketing channels; and the governance and compliance arrangements. The cost of compliance should not be limited to just the technology platform and customer acquisition costs. Still, it should also include the full cost of the compliance programme, such as AML/CFT technology, compliance staffing, legal advisory costs, and technology risk management.
At a minimum, the key personnel, such as the CEO or senior manager, proposed directors, and compliance officer, should be confirmed, at least conditionally, before submitting the SPI licence application. A material part of the MAS’ licensing review timeline is its fit-and-proper assessment of each key individual.
The proposed directors and the CEO need to be identified, and personal declarations submitted along with the initial application. These statements should include the person’s full employment record, qualifications, regulatory history, criminal history, financial history and any other factors that would be relevant to the fit and proper assessment. One of the most frequent reasons for information request cycles in the MAS licensing process is incomplete personal declarations.
A proposed compliance officer should be identified before making an application, and their compliance credentials, experience, and proposed time commitment should be evaluated against MAS expectations for this role. For smaller companies with a smaller risk profile and payment services businesses where the compliance officer role is proposed to be filled on a part-time or shared basis, MAS will evaluate whether such a structure is suitable for the proposed payment services business and the size and risk profile of the company.
The legal opinion firm should be engaged before finalising the application package, because the opinion will require consideration of the specific services and products outlined in the business plan. A legal opinion that conflicts with the business plan description of proposed services – for instance, when the legal opinion was prepared before the completion of the business plan – will need to be amended before applying.
MAS provides pre-application consultation meetings for individuals or firms interested in applying for an SPI licence at the FinTech Office and the Capital Markets Intermediaries Department. These consultations are free and available on request, allowing applicants to obtain a preliminary opinion from the MAS on a specific element of their proposed business model, governance structure, or proposed type of service before submitting their formal application. Original or complex business models would be ideal applications for this opportunity.
The process of obtaining an SPI License starts with preparing the complete application package, covering all the documentary requirements of MAS for an SPI licence application. In most cases, the quality and completeness of this package will be the deciding factor in how quickly and efficiently MAS is able to review applications; applications are likely to be returned for additional information if they are missing documents, do not have all the documents, or do not comprehensively address the regulatory requirements.
The documents that will be required for an application for an SPI include: the completed MAS application form (submitted via MAS’s online licensing portal); personal declarations of all proposed directors, the CEO and key management personnel; business plan (including a service type mapping, customer profile, financial projections and a description of the firm’s governance); AML/CFT compliance framework (including the ML/TF Risk Assessment, CDD procedures, transaction monitoring framework and compliance monitoring plan); evidence of the firm’s capital position and financial resources; the technology risk management framework; organisational chart; documentation of the governance framework; and, where the firm proposes to provide DPT services, specific documentation addressing MAS’s enhanced requirements for DPT service providers, including the marketing restrictions compliance framework.
SPI licence applications are submitted via MAS’s licensing portal. The submission process is organised around the portal’s prescribed application form, which includes the various sections of information the applicant needs to complete and upload the required documents.
Applications are submitted via MAS’s licensing portal and involve setting up a firm account and completing the mandatory application form, which includes information on the firm’s proposed services, governance structure, and key personnel. Supporting documents must be uploaded via the portal in the proper format (usually PDF) and within the portal’s size limits.
When a submission is made, MAS does a preliminary completeness check to ensure that all necessary information is included and all required forms are attached. If a completeness check is unsuccessful, the applicant receives the returned application with a list of missing items, and the review clock will not start running until a complete application is received. A completeness check is a minimum standard, not a standard for the quality of the substantive part of the application; it does not mean that the substantive part of the application is satisfactory for passing the check.
The application fee is nonrefundable and must be paid at the time of application. Please ensure the current fee for an SPI licence application is checked with MAS’s published fee schedule before submission. There is no fee distinction based on the number of regulated payment service types included in the application.
After submitting an application, the applicant should indicate a principal point of contact (usually the compliance officer or external regulatory adviser) for all communication with MAS on the application. This individual should be reachable by MAS for prompt responses during the review period and should be knowledgeable about all facets of the application to provide accurate and complete answers to MAS’s questions.
The MAS review of an SPI licence application is an in-depth analysis of the business model, governance structures, regulatory compliance, capital position, and the suitability and propriety of the applicant’s key personnel. The Payment Services Department of MAS conducts a review that usually covers a series of steps: an initial completeness check, assignment of a review team, a substantive assessment of the business plan and compliance framework, a fit-and-proper assessment of key individuals, and, finally, the licensing decision (conditional or unconditional approval or rejection).
In the substantive review, MAS issues written requests for further information or clarification on various elements of the application that require elaboration, support, or correction. Every information request is accompanied by details of what is sought and the time period during which the applicant is expected to provide the information; every response resets the effective period to the date AS receives the complete response. Applicants who have worked with experienced SPI License consultants in Singapore in the review process have reported that they have been able to resolve information requests with MAS in a faster time frame and a better review result in general compared to those who answered with partial information, generic answers, or answers that were tangential to the questions asked by MAS, which then required additional rounds to get the information complete.
MAS aims to review the application for a complete SPI licence within 60 business days of its receipt. It is important to be aware of the factors that typically push this timeline further and to manage them in advance so that the applicant can make commercial commitments based on a defined licensing timeline.
The factors that most frequently result in SPI applications taking more than 60 business days are as follows: incomplete or inadequately prepared initial SPI applications that require several rounds of requests to the foreign jurisdiction for information; proposed key persons with complex regulatory or personal background who require detailed information to assess with; new or complex business models that require additional business analysis before they can be correctly classified under the PS Act; AML/CFT frameworks that are not sufficiently detailed or tailored to the specific risk profile of the proposed services; and delays in receiving the legal opinion or regulatory references from foreign jurisdictions.
MAS may grant conditional licence approval for SPI — approval to commence limited or restricted operations until a particular assessment element is resolved. Conditions can entail restrictions on the nature and number of services that may be delivered, compliance requirements that must be met before services are fully operational, or restrictions on the number of customers allowed to be onboarded. Conditional approvals are more likely to be granted to applicants with a different business model or with less operating history.
It is important to note that the banking relationships required to run a licensed payment institution, such as accounts to receive customer funds, process payment settlements, and cover business expenses, can take as long as, or longer than, the licensing review process. The MAS application process should be conducted in parallel with the initiation of banking relationships with applicant firms, with most banks confirming accounts only after MAS licensing is confirmed.
The approval of the SPI licence is not the end of the process; the firm will need to ensure there is no delay in implementing all operational systems (payment platform, AML/CFT technology, compliance reporting systems), all key personnel (appointed directors, CEO, compliance officer) and compliance documentation (policies, procedures, training records) before the first customer can be onboarded. MAS expects licensed payment institutions to have compliance in place from day one and not develop compliance infrastructure in the months after they are approved as payment institutions.
The most basic and non-negotiable continuous requirement for every Singapore-licensed payment institution compliance party is compliance with AML/CFT. The major AML/CFT notice relevant to payment institutions, and also applicable to all SPI licensees, is MAS Notice PSN01, which outlines the specific requirements that must be satisfied from the date of licensing, without exception. The AML/CFT framework should be risk-based; that is, the intensity of the controls applied to any customer, transaction or service should be proportionate to the degree of risk of money laundering or terrorist financing that such customer, transaction or service undertakes and not uniformly applied at a single level to all customers and transactions, irrespective of the level of risk they pose.
The AML/CFT requirements of the core MAS Notice PSN01 apply to all SPI licensees and include: customer identification and verification (CDD); identification of ultimate beneficial owners (UBO) for corporate customer; enhanced due diligence (EDD) for higher-risk customers and transactions; continuous monitoring of customer transactions for unusual patterns; Suspicious Transaction Reports (STRs) to be filed with the Suspicious Transaction Reporting Office (STRO) where reasonable suspicion is identified; comprehensive AML/CFT records to be kept for at least five years; and an annual AML/CFT training programme for all relevant employees. All of these responsibilities must be implemented through documented policies and procedures that are effective in practice, not just on paper, starting on the first day of licensed operation.
CDD is the initial process by which SPI licensees interact with and verify their customers, determine their risk profiles, and monitor their customer relationships to identify any changes in their customers’ circumstances that could impact their AML/CFT risk rating.
In the case of individual customers, the standard CDD involves identification against a reliable and independent source (usually a government-issued identity document) and the collection of adequate information about the customer’s background, the purpose of the payment services relationship, and the source of funds for an accurate initial risk assessment. Electronic identity verification methods (eIDV), which involve document image capture and biometric liveness checks, can be employed for digital-first payment platforms when they offer the same level of certainty as face-to-face identity verification.
In cases where an SPI licensee is rendering services to a corporate entity, partnership or other non-individual customer, it is required to identify and verify the identity of the entity, its directors and authorised signatories, and the UBOs, or ultimate beneficial owners, of the entity, which are those having ownership or control of 25% or more of the entity. For corporate customers with a complex ownership structure, beneficial ownership may need to be identified with the involvement of legal/compliance advisers in that jurisdiction to untangle multiple layers of ownership.
Enhanced due diligence should be applied to customers identified as having increased AML/CFT risk, such as Politically Exposed Persons (PEPs) and immediate family members and close associates; customers from higher-risk jurisdictions identified by FATF; and customers whose business activities or transaction patterns suggest increased money laundering risk. Senior management approval for onboarding the higher-risk customer, enhanced source-of-funds and source-of-wealth verification, and more regular periodic reviews of the customer relationship should be part of the EDD procedures.
CDD needs to be reviewed and updated at regular intervals based on each customer’s risk level, with more frequent reviews for higher-risk customers. If a customer’s situation changes significantly after onboarding (such as changes in business activity, geographic location, or transaction volume), the customer’s risk ratings should be re-evaluated and their CDD records updated. Periodic review records are kept and are regularly checked by MAS inspectors as part of compliance inspections.
Transaction monitoring is a continuous monitoring function that enables an SPI licensee to identify unusual patterns in their payment service operations, patterns that may not be obvious when viewing any individual transaction, but which are observable when looking at a collection of transactions against a customer’s profile, against historical baselines and against money laundering typologies relevant to the SPI’s service offering. MAS requires the implementation of a transaction monitoring system for all payment service types regulated by the firm, designed to trigger alerts when transactions do not match the identified customer profile, exceed predetermined thresholds, or exhibit characteristics that overlap with known money laundering typologies.
An SPI licensee has an obligation to submit an STR to STRO within such a reasonable period of time as would be practicable, rather than after an extended internal investigation just to be more certain of the suspicion. Reasonable suspicion arises from the formation of reasonable suspicion, and no filing was required; a failure to file, even when reasonable suspicion was formed, is a regulatory violation, regardless of whether an investigation occurs or ultimately results in a finding. The reasons for filing and (if not) for not filing a filing decision must be recorded for STR filing.
Comprehensive record-keeping is an independent regulatory requirement and is also the evidence required for an SPI licensee to satisfy titsAML/CFT and other reporting obligations.
All transaction records and documentation for CDDs will be retained for at least 5 years from the transaction date or the end of the customer relationship, whichever is later. Records should be kept in an easily retrievable format, not in email inboxes, unstructured shared drives, or systems that cannot provide immediate access to specific records upon request.
SPI licensees are required to make periodic regulatory returns to MAS on transaction volume by service type, changes in business activities, key personnel status and compliance certifications. The major reporting requirement for SPI licensees is the monthly transaction volume report, which is submitted within 14 working days of the end of every calendar month and provides MAS with a way to track whether licensees are nearing or exceeding their SPI thresholds.
SPI licensees are required to inform MAS within stipulated deadlines of any material events, such as changes in key personnel, changes in shareholding and control of the entity, major cybersecurity incidents, and violations of licence conditions, including any SPI transaction volume threshold exceedance. A recurring issue in MAS’ supervisory examinations is the timeliness of event-driven notifications that are not submitted, or not submitted on time, because the MAS licensee lacks a trigger system to monitor events.
SPI licensees will be required to file monthly transaction volume reports and submit an annual regulatory return covering their entire payment service activities, governance structure, key personnel, and compliance certifications. The annual return should be precise, coherent and consistent with other public statements filed under the regulations for the reporting period.
SPI licensees do not have to adhere to the user fund safeguarding requirements for MPI holders (e.g., maintaining all customer funds in segregated accounts with approved financial institutions). However, they must still follow general requirements relating to the responsible handling of user funds and the safeguarding of customer data, in compliance with the Personal Data Protection Act (PDPA) and MAS’ technology risk management standards. It does not mean that SPI licensees are not responsible for protecting customer funds – it means that the specific requirements for daily reconciliation and segregation, etc., imposed on MPI holders do not apply to SPIs. However, the overall duty of care in the handling of customer funds still applies.
To ensure customer data security, the MAS Technology Risk Management Guidelines and the PDPA (which governs the collection, storage, use and disposal of personal data collected during customer onboarding and when providing services) require SPI licensees to take the necessary steps. Personal data kept by payment institutions, not just identity data but also transaction data, device data, and behavioural data from the use of payment platforms, is sensitive data that must be properly protected by strong access controls, data encryption and data breach response mechanisms. MAS expects a personal data breach response plan to be documented and communicated to licensees, outlining procedures for escalating the situation, notifying MAS, and communicating with customers should a personal data breach occur.
Under MAS’ Technology Risk Management (TRM) Guidelines, technology risk management is an integral part of the regulatory responsibility of all SPI licensees. Payment platforms are high-value targets for cybercriminals, and technology failures — such as system downtime, payment processing failures, and data breaches — can have a direct impact on customers and create substantial regulatory risk.
SPI licensees are required to keep payment systems highly available and resilient, including systems that withstand system failures or external events and meet defined recovery time and recovery point objectives. When a system is down and customers are unable to access their funds or pay transactions, it can be a customer service problem and, if it is extended or repetitive, a possible regulatory issue.
A comprehensive cybersecurity control framework, which includes access management, network security, data encryption, vulnerability management, and security monitoring, must be in place and regularly tested. MAS requires that SPI licensees carry out their own penetration tests of their payment systems at appropriate times and address vulnerabilities identified within specified timeframes. The results of penetration tests and vulnerability assessments should be reviewed by senior management.
The occurrence of significant technology incidents (such as cybersecurity incidents, system outages that could impact the availability of payment services, and data loss) shall be reported to MAS within the timelines specified in MAS’s TRM Guidelines. Critical incidents should be notified within 1 hour of detection, and a comprehensive incident report should be submitted within a predetermined time. SPI licensees are required to have a documented incident response plan in place, identifying the MAS notification workflow and that can be activated within minutes of detection of a triggering event.
SPI licensees should follow due diligence procedures for all material technology vendors and require these providers to implement and maintain the security controls expected of them as regulated financial institutions. MAS requires compliance with the TRM of third-party technology providers (TPs) of MAS licensees, even if contractual obligations are assigned differently.
Third-party service providers are also frequently used by SPI licensees for fundamental operations, such as fund administration, payment rails access, customer identity verification, AML/CFT screening and compliance technology. The specific requirements for outsourcing arrangements of payment institution licensees are prescribed in MAS Notice SFA 04-N14 (and the PSA outsourcing guidelines, if applicable). The fundamental rule of the outsourcing framework is that the SPI licensee remains responsible for the quality and regulatory aspects of all outsourced functions and cannot delegate this responsibility under the contractual outsourcing arrangement.
Material outsourcing arrangements, for functions that are key to the regulated payment services provider’s capacity to offer its regulated payment services or to satisfy its regulatory obligations, should be evaluated in line with MAS’s outsourcing requirements prior to entering into the arrangement. This evaluation includes the service provider’s financial stability, capacity to operate, regulatory compliance, and security of data. The outsourcing agreement needs to address the scope of services, service level requirements, SPI’s right to audit the service provider, the SPI licensee’s right to terminate and transition services and the security of data and confidentiality. Material service providers must be monitored and documented, including through regular service quality monitoring and re-evaluation of the provider’s regulatory and financial status.
The business continuity plan (BCP) of an SPI licensee should be prepared for all potential operational issues that may arise and are likely to impact the firm’s capacity to continue delivering its regulated payment services or to fulfil its regulatory obligations.
A business continuity plan for all critical payment service operations, such as customer onboarding, transaction processing, AML/CFT monitoring and regulatory reporting, should be kept and regularly tested. The plan should define the backup procedures, failover processes and recovery times for each critical function, and should be able to provide continuity of payment services in the event of a failure in the primary system, key personnel unavailability or physical disruption of the office.
If a cybersecurity event, failure of a payment system, or data breach is detected, a plan should be in place to respond to it within a few minutes as soon as the payment system is first licensed. The plan should include escalation actions, MAS notification process, impacted customer communications, root cause remediation actions. MAS will ask for tests of the incident response plan as part of supervisory review.
The business continuity plan should explicitly cover the steps the SPI licensee will take to fulfil its regulatory obligations in the event of disruption to its operations, such as filing with the regulators, STR filing and notification to MAS. Regulatory obligations do not stand still in the face of operational emergencies and SPI licensees whose continuity plans are not sufficiently responsive to regulatory continuity are likely to be subject to regulatory non-compliance at the worst of times.
The SPI licensee shall perform a documented post incident review following any significant operational incident, including cyber security incidents, system outages, data breaches, etc., to determine the root cause of the incident, effect on the customers and operations, the effectiveness of the incident response, and remediation efforts to prevent reoccurrence. The findings of a post incident review should be presented to senior management and, if significant, to the board.
The most frequent reason for longer SPI licence review times is incomplete or insufficient information in the application. Multiple rounds of information requests are most likely the result of the same. The common application gaps have included: lack of mapping of proposed payment services to service type definitions in the PS Act; general AML/CFT frameworks, not one that reflects the specific risk profile of the proposed payment services; personal declarations that fail to cover adverse matters for key personnel; financial projections that do not consider the full costs of compliance infrastructure; and legal opinion which is missing or insufficient since 2024. These weaknesses create individual MAS information requests that need to be addressed prior to the next step in the review process, and a cycle of information requests can take weeks to process.
The result is that the investment needed to create a good, complete initial application is always lower than the investment needed to deal with multiple information request cycles with MAS. SPI License consultants Singapore who have direct application experience with the MAS PS Act can provide a review of a draft application to the MAS, and identify and correct likely MAS concerns, which will decrease the amount of information requirement cycles and improve the overall review period. SPI applicants who have commercial timelines where the speed of licensing becomes commercially important find that this pre-submission service is one of the highest return on investment services that they can make.
The most prevalent type of adverse regulatory findings by MAS on SPI licensees are compliance framework deficiencies, which are detected during the licensing review process and/or in post-licensing supervisory activities, and constitute the greatest regulatory risk for SPI licensees.
In MAS reviews of payment institutions, the most often observed compliance shortcoming is the use of generic AML/CFT programmes that are not tailored to the payment services, customer base and geographical spread of the particular payment institution licensee. The approach of MAS to the assessment of AML/CFT frameworks is not just for the presence of specific policy sections, but also to determine if the framework is based on a true and accurate AML/CFT risk analysis and if the controls are effective.
Too many false-positive alerts arrive in the compliance department due to transaction monitoring systems which are not properly targeted to the nature of the payment service’s customer base and transaction flow, and too few alerts are issued for suspicious transactions, also due to transaction monitoring systems. SPI licensees need to invest in ensuring that their transaction monitoring systems are properly calibrated before deployment, not generic logic that has been designed for a different risk profile.
Documentation weaknesses in governance consistently observed in payment institutions’ supervisory checklists, such as sparse board minutes, lack of policy approval minutes, and governance documentation that documents the conclusions without capturing the deliberative process, are identified as weaknesses. The deficiencies are frequent because the founders have not seen the governance documentation as a management tool but as part of the administrative process, leading to poor MAS results and a lack of evidence of compliance.
Late or incorrect monthly transaction volume reports (which are the main on-going reporting requirement for all SPI licensees) are deemed separate failures by MAS, irrespective of how good the payment service compliance is. SPI licensees with substandard compliance programmes not having a sufficient, formal reporting system will build up a backlog of non-compliances that will attract undue supervisory attention relative to their actual compliance quality.
The regulatory and operational expenses of an SPI licence, such as compliance staffing, AML/CFT technology, regulatory reporting, legal advisory, technology risk management and AML/CFT technology costs, are a significant part of the cost base of a payment institution. From the beginning of the licensing process, these costs need to be considered in the firm’s financial projections and business model design, as under-estimating compliance costs is a common source of financial problems after licensing which may jeopardise the sustainability of the licensed operation and thus may lead to regulatory risks if the compliance programme is under-resourced.
Effective compliance cost management for an SPI licensee involves strategic considerations that incorporate the quality and breadth of the compliance programme and the cost of doing this within the firm’s financial means. For early stage SPI licensees, the most cost effective and effective compliance programmes are likely to involve an integration of basic in-house compliance skills/resources — adequate to handle day-to-day AML/CFT monitoring, regulatory reporting and internal policy maintenance — with the targeted engagement of external advisers for specialist activities such as the design and implementation of an ML/TF Risk Assessment, a regulatory return review, and/or SPI compliance and audit support services. It gets the best of both worlds: having all compliance work done by outside advisers at full commercial rates while avoiding the quality risk of a wholly in-house compliance function that lacks specialist knowledge, and instead having a dedicated specialist team.
The move from SPI to MPI is a transitional period, planned ahead of any SPI breaches; that measure is a success indicator for the commercial side.
SPI licensees are required to have a rolling 12 month tracking of volumes from the date of licence, and have some internal escalation points that trigger action from management, which should be at 70% and 90% of each volume threshold. Firms that first learn about threshold proximity when they are close to breaching are in a bad spot to finish the MPI variation application before the breach.
The variation of the MPI licence process is aimed to review a complete application for a period of around 120 business days, as opposed to the SPI initial application timeline. SPI licensees should prepare the variation application at least 6-9 months prior to anticipating breaching any thresholds to ensure that the new MPI licence comes into effect before threshold breach and banking relationships, safeguarding arrangements and compliance infrastructure are ready for MPI status from the date the variation takes effect.
To become an MPI, one must have a minimum base capital of S$250,000, make a security deposit of S$100,000 to S$200,000, and set up compulsory safeguarding for user funds. These extra financial and operational requirements need to be planned, and budgeted, at least a year prior to the license variation application — rather than as tasks to be completed after the application.
Variation review period for payment service operations of SPI licensees who wish to become MPI. This involves operating in compliance with the SPI standards for the review period, informing banking partners and technology providers of the upcoming licence change and implementing all the operational compliance changes necessary to meet the requirements of the MPI licence prior to the effective date of the variation.
The most effective way for an SPI licensee to become aware of and resolve compliance shortcomings would be to keep conducting compliance reviews on a regular basis, in a systematic manner, supported by the board’s oversight of governance.Compliance reviews carried out regularly and systematically by the compliance function, with board oversight, would be the key way for an SPI licensee to identify and resolve compliance weaknesses before they culminate in MAS supervisory findings. A well structured compliance review programme for an SPI licensee includes the following: The currency and risk calibration of the AML/CFT programme including the ML/TF risk assessment and CDD procedures; The accuracy and completeness of the regulatory filing records; The effectiveness of the transaction monitoring system; The quality and completeness of compliance documentation relating to the VCFM, and their adherence to the SPI transaction volume thresholds.
A structured quarterly compliance review programme (plus an enhanced annual programme which addresses all aspects of AML/CFT and governance requirements) offers a sustainable programme for maintaining the quality of compliance without overburdening the compliance team in terms of operational capacity. The results of each compliance review must be captured, reported to senior management and the Board and to be addressed through a remediation plan with timeframes and named responsible owners for each identified gap. Compliance review programmes that yield compliance outcomes without remediation are not providing sufficient protection from MAS supervisory risk and demonstrate a compliance culture that focuses on “showing up” compliance rather than “showing it”.
Internal policies are the operational foundation of the SPI compliance programme and the currency, specificity and accessibility of the policies to staff have a direct influence on the consistency of the application of compliance standards throughout the payment service business.
All material compliance policies (AML/CFT policy, technology risk management policy, conflicts of interests policy, data protection policy) are to be reviewed annually and updated whenever necessary to meet the latest MAS requirements, the current business model of the firm and changes in the regulatory environment since the previous review. The review cycle should be recorded in the compliance calendar and be monitored as a compliance requirement.
The material changes to the MAS’ regulatory requirement, such as the updated MAS Notice PSN01, revised TRM Guidelines and outcomes of amendment to the PS Act, shall be subject to a review of the firm’s policy inventory to identify the need to update the policies, and the updated policies shall be implemented and approved within a clear timeline. Common causes of compliance gaps are regulatory changes that are not captured in internal policies within a reasonable time period.
Any changes to the policy should be approved by senior management/board, and version control should be maintained (version number, effective date, summary of changes, etc.). Version Control Documentation provides MAS proof that the compliance policies of the SPI licensee are being actively monitored and are not just a paper set of compliance rules that have not been reviewed since they were first written.
All relevant staff to be notified of the revised policies as soon as possible following approval and policies to be available via a document management system, which enables staff to easily find and refer to individual policies when working. The evidence of staff recognition of material policy updates must be documented (that is, the staff has read and understood the updates) and kept as evidence of the SPI licensee’s commitment to integrating compliance standards into actual staff behaviour.
The effectiveness of staff training is the key to bridging the gap between written compliance policy and consistent operational compliance — if staff training is ineffective, the compliance programme is not going to achieve compliance — and compliance is going to look fake.
All staff who have compliance sensitive roles should be trained in AML/CFT at least once a year, which should include updates on the firm’s AML/CFT procedures, updated developments in the MAS’s regulatory requirements and typology guidance, and their respective roles and responsibilities in identifying and reporting any suspicious activity. Training should be updated where appropriate with any changes or amendments to the MAS guidelines or the firm’s procedures since the previous training cycle.
The staff induction program is mandatory for all new employees before they engage in any compliance-related processes, such as new customer onboarding, transaction processing or review of AML/CFT alerts. MAS requires new staff to complete onboarding training to ensure that the new employee has been provided with the relevant onboarding training before taking up his duties and onboarding training completion records must be kept and made available for inspection by MAS.
Training should be tailored to the compliance obligations of each staff role – and include training on CDD procedures for staff who meet with customers face-to-face, training on monitoring obligations and STR escalation procedures for staff who process transactions, and training on all aspects of MAS regulatory obligations and supervisory expectations for staff of the compliance team. Limited compliance protection is achieved if the training is generic and not tailored to the job.
A compliance function should evaluate training effectiveness using post training assessments and regular staff knowledge checks as well as tracking training completion rates and should keep training records of all staff which can be inspected as part of a MAS supervisory review. Training records in which knowledge test scores have been consistently achieved but the knowledge test scores have declined indicate that, although the training programme is formally correct, it is not operationally effective.
MAS may at any time, without prior notice, make inspections of SPI licensees. One of the most significant investments in operational discipline that any SPI licensee can make is in ensuring the constant readiness to be inspected by MAS, so that the compliance documentation is up to date and can be retrieved on demand, compliance systems can be demonstrated in real time, and all staff are fully prepared to interact honestly and accurately with inspectors from MAS.
Practical preparation measures for an inspection under the SPI include: A documentation index which enables the firm to locate any required compliance record in a few minutes; Briefing all staff, not just the compliance team, on their obligations during inspection, including the requirement for the firm to provide honest and accurate information at all times; Periodic mock inspections to simulate the process of the inspection under the SPI and the information which the firm will be expected to provide to MAS, using the common findings described in Section 10 of this guide as the basis for the mock inspection process; A regulatory correspondence archive, comprising all correspondence to and from MAS, all supervisory findings, all information requests and the firm’s responses, giving the firm a complete record of its relationship with MAS under the SPI, which can be reviewed before an inspection. Compliance and audit support services by seasoned compliance advisers can help SPI licensees to carry out pre-inspection readiness assessment to address specific gaps prior to a true MAS audit.
This guide has offered a step-by-step guide on the framework for the Standard Payment Institution License guide — the foundation of the regulatory context, the eligibility requirements, the application process, compliance requirements, and best practices for maintaining the regulatory quality throughout the SPI licence lifecycle. The key principles for any company that is embarking on the SPI licensing journey are as follows:
The whole SPI licensing journey is built on a correct categorisation of the regulated payment service types that a business model involves. The impact of getting this wrong may be felt throughout the firm’s regulatory journey, whether through under-inclusion (which may drive unlicensed activity) or over-inclusion (which may create undue compliance requirements). The 2024 legal opinion requirement effectively requires all new SPI applicants to have expert PS Act regulatory counsel.
The time to license hinges on the quality and completeness of the initial application package. A thorough and well-prepared application – that includes all necessary documents, a robust AML/CFT framework, a strong business plan and complete personal declarations of directors and/or officers of the organisation – minimises the number of information requests and enhances the overall review process. This investment always delivers improved results in comparison with the number of rounds of follow-up from the MAS with an incomplete application.
SPI licensees will be required to put in place rolling 12-month transaction volume monitoring from day 1 and will be expected to have robust internal early warning indicators for the start of the MPI licence variation process long before SPI thresholds are reached. Threshold monitoring is not just a reporting task, it is an ongoing operational responsibility in which transactions need to be monitored for all licensed service types in real-time or near-real time.
MAS’s key measure of the health of its compliance culture of an AML/CFT programme is its quality, specificity and operational effectiveness. Supervisory outcomes are consistently worse with generic, template-based programmes with no risk calibration, and equally worse with programmes that are not risk calibrated but are routinely reviewed.
Regulatory complexity of the payment services licensing process in Singapore, coupled with the commercial risk stemming from delays in licensing and failure to comply with the post-licensing requirements, makes payment services licensing consultants Singapore and payment services licensing advisory services one of the best investments for any payment service institution (PSI) at any stage of the regulatory cycle. It is more cost-effective to use these experienced advisers early in the process rather than when problems occur.
As a sustainable payment services business, it must be both commercially innovative and hold regulatory credibility by delivering competitive payment products while adhering to a compliance and governance framework that is expected of payment institutions licensed by MAS. These two objectives are not mutually exclusive: businesses that truly invest in compliance quality will have better business outcomes and be more successful than those that view compliance as a cost centre as their regulatory credibility will lead to better banking relationships, business partnerships and investor confidence – all of which are enablers of sustainable business growth. The stakes are high with the payment services, and so are the regulatory requirements demanded by the MAS in the SPI License framework; payment institutions that comply with them are what regulators, banking partners and customers look for.
This guide is designed to give compliance professionals and founders at all stages of the SPI License application process and operational teams the basic knowledge and framework for navigating the payments landscape in Singapore with confidence. By investing in compliance quality, engaging with the MAS in a proactive way and gaining the professional advice and guidance required to deal with the complexities of regulations, the conditions are set for a payment services business that can continue to develop its operations in Singapore with regulatory credibility, consumer trust, and the long-term commercial success they can bring.
