As jurisdictions around the world contemplate how to regulate AI and ICOs effectively, Singapore’s new law proves it is at the cutting edge of tech evolution.
Technology law in Singapore is on the cusp of a new phase, with impending novel regulations and ethical governance guidelines relating to financial technology (fintech) and artificial intelligence (AI), respectively. There has also been a flurry of activity on data protection, cybersecurity and initial coin offerings (ICOs) or digital token sales.
A new Payment Services Act (PSA) under the supervision of the Monetary Authority of Singapore (MAS) was introduced in the Singapore parliament on 19 November 2018, and passed on 14 January 2019. This new law will regulate many fintech businesses, cover both traditional and digital payment services, and replace the Payment Systems (Oversight) Act (PS(O)A) and the Money-Changing and Remittance Businesses Act (MCRBA).
The new law will take a risk-based approach to regulate the following payment services under a modular licensing regime (as opposed to activity-specific licensing):
- Account issuance services (i.e., issuing a payment account – an account used for the initiation and/or execution of payment transactions – or services in relation to any operation for operating a payment account);
- Domestic money transfer services (i.e., accepting money to execute, or arrange the execution of, certain payment transactions in Singapore);
- Cross-border money transfer services (i.e., inbound or outbound remittance);
- Merchant acquisition services (i.e., accepting and processing payment transactions that result in money transfers to merchants, regardless of whether the payment service provider comes into possession of the money);
- Electronic money (e-money) issuance (e-money being electronically stored monetary value that is denominated in, or pegged to, any currency, is paid in advance for making payment transactions through a payment account, is accepted by a person other than the e-money issuer, and represents a claim on the issuer);
- Digital payment token services (cryptocurrencies or virtual currencies); and
- Money-changing services.
On digital payment tokens and cryptocurrencies, initial coin offerings, particularly those involving security tokens, are regulated by other existing laws. MAS may also designate and impose conditions on payment systems.
Payment service providers may be: (1) standard payment institutions (SPIs); (2) major payment institutions (MPIs); or (3) money-changers (that can only provide money-changing services). Each activity is subject to MAS approval, but not licensed individually. SPIs are regulated more lightly than MPIs to encourage innovation. The difference between them is whether they deal in transactions over a threshold volume and/or have a daily e-money float above a threshold amount.
Certain activities are excluded from the PSA: (1) limited purpose e-money, including public authority pre-paid cards and e-money issued for payment of goods or services provided by the e-money issuer; (2) limited purpose digital payment token or virtual currency, including in-game virtual assets and non-monetary customer loyalty or reward points; and (3) certain payment services that are expressly defined in the first schedule of the PSA. Notably, an entity will be presumed to carry on a business of providing a payment service even where the service is incidental to the entity’s primary business.
The PSA and consequential regulations are intended to address the following key risks: (1) money laundering and terrorism financing (ML/TF); (2) user protection, such as operator insolvency; (3) interoperability of payment systems, including mandating a fair access regime, common platform, and common standards; and (4) technology risks, such as user authentication, data protection, cybersecurity prevention and detection. Ongoing compliance requirements will apply. Minimum capital requirements will also apply to payment institutions.
E-money issuance service providers are prohibited from lending customers money, or using any customer money, or any interest earned on any customer money, to finance wholly, or to any material extent, any activity of any business carried on by the licensee. Licensees are also prohibited from offering cash withdrawals in Singapore dollars from payment accounts storing e-money that are held by Singapore residents. This is to distinguish payment service providers from banks.
Major payment institutions must safeguard customer monies from insolvency through: (1) an undertaking by any bank in Singapore or prescribed financial institution to be fully liable to the customer for such monies; (2) a guarantee by any bank in Singapore or prescribed financial institution; (3) a deposit in a trust account in such manner as may be prescribed by MAS; or (4) safeguarding in such other manner as may be prescribed by MAS.
Personal payment accounts will be subject to a stock cap of S$5,000 (US$3,690), which is the maximum amount of funds that can be held in the account at any time, and an annual flow cap of S$30,000, which is the maximum cumulative amount of yearly outflows from the account other than to the user’s designated bank accounts. This is intended to limit customers’ potential loss from e-money accounts, keep e-money safeguarding measures simple and low-cost, and reduce the risk of significant outflows from bank deposits to non-bank e-money accounts, which can undermine the stability of banks.
MAS will provide transitional arrangements of between six and 12 months to facilitate a smooth transition into the new regulatory framework, allowing sufficient lead time for compliance.
Singapore has been a hot market for ICOs, or digital token sales. On 30 November 2018, MAS issued a revised version of the Guide to Digital Token Offerings. Broadly, tokens may be utility tokens, security tokens, asset-backed tokens, reward tokens or payment tokens. If security or asset-backed tokens are involved, various regulations may come into play, including the Securities and Futures Act (SFA), and the Financial Advisers Act. The other types of tokens may be regulated under the PSA.
Depending on a business’s dealing with tokens, it may trigger various regulatory issues, including the requirement to register a prospectus for the offer of securities, the requirement for a capital market services and/or financial advisers licence, and the requirement to be approved or recognized as an approved exchange or a recognized market operator. ML/TF requirements apply across the board to various activities, whether involving security tokens or otherwise.
A flurry of regulatory and enforcement activities has also been taking place regarding personal data protection and cybersecurity. The Cybersecurity Act (CSA) came into force on 31 August 2018 and a Cyber Security Agency has been set up. The CSA regulates public and private owners of critical information infrastructure and cybersecurity service providers. The Computer Misuse Act, the CSA and the Personal Data Protection Act (PDPA) form a legal framework for general data, technology and cyber risk management.
In November 2018, the Personal Data Protection Commission (PDPC) issued its response to the public consultation for Managing Unsolicited Messages and the Provision of Guidance to Support Innovation in the Digital Economy. The PDPC proposed an enhanced practical guidance (EPG) framework under the PDPA. Under the framework, the PDPC would provide guidance with regulatory certainty (determinations) on complex or novel compliance queries that relate to proposed business activities and contain detailed plans, allowing organizations to embark on innovative data services with the necessary assurance of PDPA compliance. Such clarifications may be sought by legal advisers acting for businesses.
However, clarifications sought must not effectively be requests for legal advice, for which organizations should look to lawyers. EPG determinations would generally be effective to estop a finding of regulatory breach, subject to exceptions. This framework would encourage businesses to adopt novel technology services involving personal data with sufficient clarity on their legal position.
As a member of the Singapore Academy of Law Sub-Committee on Robotics and Artificial Intelligence, this author welcomes the PDPC’s proposed model AI Governance Framework, issued in January 2019, as a pioneering move for the international community.
The framework sets guidelines on issues for consideration and measures to be implemented by AI stakeholders. It focuses on internal governance, decision-making models, operations management, and customer relationship management. The two key principles in the framework are: (1) decision-making using AI should be explainable, transparent and fair; and (2) AI solutions should be human-centric.
While the framework is only a proposed set of guidelines, it is likely that any future regulations and legal liability adjudications would take reference from the framework. It is therefore advisable for organizations developing or implementing AI systems to seriously consider the framework. The framework is open for public feedback until 30 June 2019.