As jurisdictions around the world contemplate how to regulate effectively on AI and ICOs, Singapore’s new law proves it is at the cutting edge of the tech evolution
Technology law in Singapore is on the cusp of a new phase, with impending novel regulations and ethical governance guidelines relating to financial technology (fintech) and artificial intelligence (AI), respectively. There has also been a flurry of activity on data protection, cybersecurity and Initial Coin Offerings (ICOs) or digital token sales.
Fintech and payment services
A new Payment Services Act (PSA) under the supervision of the Monetary Authority of Singapore (MAS) was introduced in the Singapore parliament on 19 November 2018, and passed on 14 January 2019. This new law will regulate many fintech businesses, cover both traditional and digital payment services, and replace the Payment Systems (Oversight) Act (PS(O)A) and the Money-Changing and Remittance Businesses Act (MCRBA).
The new law will take a risk-based approach to regulate the following payment services under a modular licensing regime (as opposed to activity-specific licensing):
Domestic money transfer services (i.e., accepting money to execute, or arrange the execution of, certain payment transactions in Singapore);
Cross-border money transfer services (i.e., inbound or outbound remittance);
Merchant acquisition services (i.e., accepting and processing payment transactions that result in money transfers to merchants, regardless of whether the payment service provider comes into possession of the money);
Electronic money (e-money) issuance (e-money being electronically stored monetary value that is denominated in, or pegged to, any currency, is paid in advance for making payment transactions through a payment account, is accepted by a person other than the e-money issuer, and represents a claim on the issuer);
Digital payment token services (cryptocurrencies or virtual currencies); and
On digital payment tokens and cryptocurrencies, initial coin offerings, particularly involving security tokens, are regulated by other existing laws.
MAS may also designate and impose conditions on payment systems, which can significantly impact payments or financial systems in Singapore, if necessary, to ensure efficiency or competitiveness of the payment system, or if generally in the public’s interest.
Payment service providers may be: (1) standard payment institutions (SPIs); (2) major payment institutions (MPIs); or (3) money-changers (that can only provide money-changing services). Each activity is subject to approval by MAS, but not licensed individually. SPIs are regulated more lightly than MPIs to encourage innovation. The difference between SPIs and MPIs is whether they deal in transactions over a threshold volume and/or have a daily e-money float above a threshold amount.
Certain activities are excluded from the PSA: (1) limited purpose e-money, including public authority pre-paid cards and e-money issued for payment of goods or services provided by the e-money issuer; (2) limited purpose digital payment token or virtual currency, including in-game virtual assets and non-monetary customer loyalty or reward points; and (3) certain payment services that are expressly defined in the first schedule of the PSA. Notably, an entity will be presumed to carry on a business of providing a payment service even where the payment service is only incidental to the entity’s primary business.
The PSA and consequential regulations are intended to address the following key risks: (1) money laundering and terrorism financing (ML/TF); (2) user protection, such as operator insolvency; (3) interoperability of payment systems, including mandating a fair access regime, common platform, and common standards; and (4) technology risks, such as user authentication, data protection, cyber security prevention and detection. Ongoing compliance requirements will apply. Minimum capital requirements will also apply to payment institutions.
E-money issuance service providers are prohibited from lending customers money, or using any customer money, or any interest earned on any customer money, to finance wholly, or to any material extent, any activity of any business carried on by the licensee. Licensees are also prohibited from offering cash withdrawals in Singapore dollars from payment accounts storing e-money that are held by Singapore residents. This is to distinguish payment service providers from banks.
Major payment institutions must safeguard customer monies from insolvency through: (1) an undertaking by any bank in Singapore or prescribed financial institution to be fully liable to the customer for such moneys; (2) a guarantee by any bank in Singapore or prescribed financial institution; (3) a deposit in a trust account in such manner as may be prescribed by MAS; or (4) safeguarding in such other manner as may be prescribed by MAS.
Personal payment accounts will be subject to a stock cap of S$5,000 (US$3,690), which is the maximum amount of funds that can be held in the account at any time, and an annual flow cap of S$30,000, which is the maximum cumulative amount of yearly outflows from the account other than to the user’s designated bank accounts. This is intended to limit customers’ potential loss from e-money accounts, keep e-money safeguarding measures simple and low-cost, and reduce the risk of significant outflows from bank deposits to non-bank e-money accounts, which can undermine the stability of banks.
MAS will provide transitional arrangements of between six and 12 months to facilitate a smooth transition into the new regulatory framework, allowing sufficient lead time for compliance.
ICOs or digital token sales
Singapore has been a hot market for ICOs, or digital token sales. On 30 November 2018, MAS issued a revised version of the Guide to Digital Token Offerings. Broadly, tokens may be utility tokens, security tokens, asset-backed tokens, reward tokens or payment tokens. If security or asset-backed tokens are involved, various regulations may come into play, including the Securities and Futures Act (SFA), and the Financial Advisers Act. The other types of tokens may be regulated under the PSA.
Depending on a business's dealings with tokens, various regulatory issues may be triggered, including the requirement to register a prospectus for the offer of securities, the requirement for a capital market services and/or financial advisers licence, and the requirement to be approved or recognized as an approved exchange or recognized market operator. ML/TF requirements apply across the board to various activities, whether involving security tokens or otherwise.
In January 2019, MAS warned an ICO issuer not to proceed with its token offering as it deemed that the tokens were security tokens that had not fully complied with the regulatory requirements under the SFA. In particular, the issuer attempted to rely on an exemption in the SFA allowing the offer of securities to accredited investors without registering a prospectus. This is subject to various conditions, including a restriction on advertising the offer. The issuer’s legal advisers put out a public LinkedIn post, which called attention to the offer. This illustrates the need for token issuers to take a serious view towards regulatory compliance, and MAS’ firm approach in regulating this space while keeping it open to innovation and development.
The Singapore International Commercial Court also recently heard the first trial on a legal dispute around Bitcoin. In the case, B2C2 is suing exchange operator Quoine over a unilateral reversal of several trades on its platform due to alleged technical glitches. It is envisaged that as more token issuers and exchange operators are registered in or operating from Singapore, the Singapore courts will likely see more legal disputes involving digital tokens and cryptocurrencies. It will be interesting to see how the courts grapple with the technical evidence, typical contractual clauses in ICO issuances or cryptocurrency exchange platforms, and novel application of legal doctrines.
Personal data protection and cybersecurity
A flurry of regulatory and enforcement activities has also been taking place in Singapore regarding personal data protection and cybersecurity. The Cybersecurity Act (CSA) came into force on 31 August 2018 and a Cyber Security Agency has been set up. The CSA regulates public and private owners of critical information infrastructure (CII) and cybersecurity service providers. The Computer Misuse Act, the CSA and the Personal Data Protection Act (PDPA) together form a legal framework for general data, technology and cyber risk management.
In November 2018, the Personal Data Protection Commission (PDPC) issued its response to the public consultation for Managing Unsolicited Messages and the Provision of Guidance to Support Innovation in the Digital Economy. The PDPC proposed an enhanced practical guidance (EPG) framework under the PDPA. It will provide guidance on complex or novel compliance queries with regulatory certainty (determinations) under the framework for queries relating to proposed business activities that contain sufficiently detailed plans, allowing organizations to embark on new and innovative data services with the necessary assurance of PDPA compliance. Such clarifications may be sought by legal advisers acting for businesses.
However, clarifications sought must not effectively be requests for legal advice, for which organizations should look to lawyers. EPG determinations would generally be effective to ‘estop’ a finding of regulatory breach, subject to exceptions. This framework would encourage businesses to adopt novel technology services involving personal data with sufficient clarity on their legal position.
The PDPC has also been kept busy enforcing and adjudicating Singapore’s largest cybersecurity breach in recent times. After a committee of inquiry convened by the Minister for Communications and Information published its report, the PDPC issued its enforcement decision holding Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd (IHiS) liable to fines of S$250,000 and S$750,000, respectively. PDPC found that IHiS had failed to take adequate security measures to protect personal data in its possession as a data processor. SingHealth also failed as a data controller to handle the cybersecurity incidents appropriately, and was overly dependent on IHiS. About 1.5 million patients’ personal data were compromised from May 2015 to July 2018 from this episode. This case is an important lesson for all organizations and service providers on the necessary practical measures required to comply with cybersecurity and data protection obligations.
As a member of the Singapore Academy of Law Sub-Committee on Robotics and Artificial Intelligence, this author welcomes the PDPC’s proposed model AI Governance Framework, issued in January 2019, as a pioneering move for the international community.
The framework sets out certain guidelines on issues for consideration and measures to be implemented by AI stakeholders. It focuses on internal governance, decision-making models, operations management, and customer relationship management. The two key principles in the framework are: (1) that decision-making using AI should be explainable, transparent and fair; and (2) that AI solutions should be human-centric.
While the framework is only a proposed set of guidelines, it is likely that any future regulations and legal liability adjudications would take reference from the framework. It is therefore advisable for organizations developing or implementing AI systems to seriously consider the framework. The framework is open for public feedback until 30 June 2019.
Ronald JJ Wong is a director, advocate and solicitor at Covenant Chambers. He can be contacted by email at firstname.lastname@example.org