Technology law in Singapore is on the cusp of a brand new segment with impending novel rules and moral governance suggestions regarding economic technology (fintech) and artificial intelligence (AI), respectively. There’s also been a flurry of sports on statistics protection, cybersecurity, and Initial Coin Offerings (ICOs) or digital token income.
A new Payment Services Act (PSA) underneath the Monetary Authority of Singapore (MAS) was introduced inside the Singapore parliament on 19 November 2018 and exceeded on 14 January 2019. This new law will adjust many fintech organizations, cover both traditional and virtual charge offerings, and replace the Payment Systems (Oversight) Act (PS(O)A) and the Money-Changing and Remittance Businesses Act (MBA).
The new law will take a threat-based totally approach to modify the following price services under a modular licensing regime (rather than interest-particular licensing):
Domestic money transfer services (i.E., accepting money to execute, or set up the execution of, sure charge transactions in Singapore);
Cross-border cash transfer services (i.E., inbound or outbound remittance);
Merchant acquisition services (i.E., accepting and processing payment transactions that result in the money transfers to merchants regardless of whether the payment provider comes into ownership of the money);
Electronic cash (e-cash) issuance (e-cash being electronically saved economic price denominated in, or pegged to, any currency paid earlier for making payment transactions through a price account, is typical using a person apart from the e-money issuer, and represents a claim on provider);
Digital payment token services (cryptocurrencies or virtual currencies); and Money-changing offerings. On digital charge tokens and cryptocurrencies, preliminary coin services, particularly related to protection tokens, are regulated through other current legal guidelines.
MAS may also designate and impose situations on charge systems that could notably impact bills or economic structures in Singapore, if important, to make sure performance or competitiveness of the price device, or if commonly within the public’s interest. Payment service vendors can be (1) popular charge institutions (SPIs), (2) foremost charge establishments (MPIs), or (3) money-changers (that can simplest provide cash-converting offerings). Each pastime is an issue to approval via MAS; however, no longer licensed, in my view. SPIs are regulated greater gently than MPIs to inspire innovation. The difference among SPIs and MPIs is whether they deal in transactions over a threshold volume and/or have each day e-cash drift above a threshold amount.
Certain sports are excluded from the PSA: (1) restricted purpose e-cash, consisting of public authority pre-paid playing cards and e-cash issued for a fee of products or services supplied by way of the e-money issuer; (2) confined motive digital charge token or digital forex, such as in-game virtual belongings and non-monetary patron loyalty or praise points; and (3) sure fee offerings which can be expressly defined within the first schedule of the PSA. Notably, an entity can be presumed to carry on a business of imparting a charging provider even wherein the fee carrier is simplest incidental to the entity’s primary enterprise.
The PSA and consequential rules are meant to deal with the following key risks: (1) money laundering and terrorism financing (ML/TF); (2) person safety, inclusive of operator insolvency; (three) interoperability of payment systems, including mandating a fair access regime, common platform, and not unusual standards; and (4) era dangers, which includes consumer authentication, facts protection, cybersecurity prevention, and detection. Ongoing compliance requirements will apply. Minimum capital necessities may also apply to payment establishments.
E-cash issuance carrier providers are prohibited from lending customers money, or the usage of any client money, or any hobby earned on any patron cash, to finance thoroughly, or to any cloth extent, any business activity carried on using the licensee. Licensees are also prohibited from providing cash withdrawals in Singapore greenbacks from fee debts storing e-money that Singapore residents can hold. This is to differentiate price provider carriers from banks.
Major payment establishments must protect patron monies from insolvency via (1) a mission by using any bank in Singapore or prescribed financial organization to be completely prone to the consumer for such money; (2) a guarantee by any financial institution in Singapore or prescribed financial institution; (three) a deposit in a accept as true with an account in such way as may be prescribed via MAS; or (4) safeguarding in such other manner as can be prescribed with the aid of MAS.
Personal price debts will be a situation to a stock cap of S$five,000 (US$3,690), which is the maximum amount of price range that may be held within the account at any time, and an annual glide cap of S$30,000, which is the most cumulative quantity of every year outflows from the account other than to the consumer’s exact financial institution money owed. This is meant to restrict clients’ potential loss from e-money money owed, hold e-cash safeguarding measures easy and low-value, and decrease the risk of massive outflows from financial institution deposits to non-bank e-money accounts that may undermine the stability of banks. MAS will offer transitional preparations of between six and 365 days to facilitate an easy transition into the new regulatory framework, permitting enough lead time for compliance.
ICOs or virtual token income
Singapore has been a warm marketplace for ICOs, or virtual token income. On 30 November 2018, MAS issued a revised model of the Guide to Digital Token Offerings. Tokens can be broadly tokens, safety tokens, asset-sponsored tokens, praise tokens, or price tokens. If safety or asset-subsidized tokens are involved, numerous policies may also come into play, including the Securities and Futures Act (SFA) and the Financial Advisers Act. The different forms of tokens may be regulated underneath the PSA.
Depending on a commercial enterprise’ managing tokens, it may trigger diverse regulatory troubles together with the requirement to sign up a prospectus for the provision of securities, the requirement for a capital market offerings and/or economic advisers license, the requirement to be approved or identified as an accredited alternate or recognized market operator. ML/TF necessities apply across the board to numerous sports, whether or not concerning security tokens or otherwise.
In January 2019, MAS warned an ICO issuer now not to continue with its token supply because it deemed that the tokens have been protection tokens that had not absolutely complied with the regulatory necessities beneath the SFA. In precise, the issuer tried to rely on an exemption in the SFA to provide securities to accredited buyers without registering a prospectus. This is a challenge to numerous conditions, such as a restriction on advertising the offer. The company’s criminal advisers put out a public LinkedIn put up, which called interest to the offer. This illustrates the need for token issuers to take a severe view closer to regulatory compliance and MAS’s firm technique in regulating this space while keeping it open to innovation and improvement.
The Singapore International Commercial Court also days heard the primary trial on a legal dispute around Bitcoin. In this case, B2C2 issuing change operator Quoin over a unilateral reversal of numerous trades on its platform because of alleged technical system defects. It is envisaged that as more token issuers and trade operators are registered in or working from Singapore, the Singapore courts will in all likelihood see greater criminal disputes related to virtual tokens and cryptocurrencies. It might be exciting to peer how the courts grapple with the technical evidence, standard contractual clauses in ICO issuances or cryptocurrency exchange structures, and novel software of felony doctrines.
Personal facts protection and cybersecurity
A flurry of regulatory and enforcement activities has additionally been taking place in Singapore concerning non-public statistics safety and cybersecurity. The Cybersecurity Act (CSA) got here into force on 31 August 2018, and a Cyber Security Agency has been set up. The CSA regulates public and private owners of essential records infrastructure (CII) and cybersecurity carrier providers. The Computer Misuse Act, the CSA, and the Personal Data Protection Act (PDPA) form a felony framework for standard information, generation, and cyber chance management.
In November 2018, the Personal Data Protection Commission (PDPC) issued its response to the general public consultation for Managing Unsolicited Messages and the Provision of Guidance to Support Innovation within the Digital Economy. The PDPC proposed a more desirable realistic steering (EPG) framework beneath the PDPA. It will provide steerage on complex or novel compliance queries with the regulatory fact (determinations) under the framework for queries relating to proposed commercial enterprise activities that include sufficiently specified plans, permitting corporations to embark on new and modern facts offerings necessary warranty of PDPA compliance. Such clarifications can be sought with the aid of legal advisers acting for groups.
However, clarifications sought need not be efficaciously requested for criminal advice, which organizations should look to lawyers for. EPG determinations might be generally effective to ‘forestall a locating of the regulatory breach, situation to exceptions. This framework might inspire businesses to adopt novel era services concerning non-public facts with enough clarity on their criminal position.
The PDPC has additionally been kept busy imposing and adjudicating Singapore’s largest cybersecurity breach nowadays. After a committee of inquiry convened by using the Minister for Communications and Information posted its document, the PDPC issued its enforcement selection, retaining Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd (IHiS) susceptible to fines of S$250,000 and S$750,000, respectively.
PDPC observed that IHiS did not take good enough safety features to defend non-public records independently as a statistics processor. SingHealth also failed as a statistics controller to appropriately deal with the cybersecurity incidents and overly dependent on IHiS. About 1.5 million sufferers’ personal records were compromised from May 2015 to July 2018 from this episode. This case is a vital lesson for all corporations and service vendors on the essential practical measures required to comply with cybersecurity and facts protection responsibilities.