February 24, 2021

Meeting Singapore’s latest data security and privacy guidelines

TL;DR - To comply with new AML/CFT requirements, crypto companies in Singapore are partnering with compliance companies like Notabene. We are deeply committed to data security and privacy, and as such, we have taken significant steps to meet MAS’s new requirements for technology service providers. We have also successfully completed an Independent Assessment from ACCESS and are working on a SOC2 Audit. Our efforts will help companies streamline the vendor assessment process and allow them to start implementing the Travel Rule quicker.

Singapore’s financial regulator, the Monetary Authority of Singapore (MAS), has been at the forefront globally in implementing a regulatory framework for crypto companies operating in the country. In short, crypto companies will need to follow similar AML/CFT requirements to traditional financial institutions. They also have to apply for a Payment Service Provider Licence (activity type: digital payment token service) under the Payment Services Act (PSA) to continue operations.

Once the first licenses are issued, it will be a boon for these businesses as it allows them to expand services to the traditional financial world. We are seeing many international crypto companies applying for licenses in Singapore to take advantage of these benefits.

Most of the focus has been on the new AML/CFT processes that licensees will have to implement such as the Travel Rule and non-custodial wallet identification. We are working closely with many Singaporean PSA license applicants to solve these issues.

There is a lot more to it than AML though. Data security, privacy, and customer protection are equally important. 

In particular, MAS requires licensees to implement the following:

Most of these requirements are about protecting customers’ data and financial transactions. The Outsourcing Guidelines specifically deal with how regulated financial institutions in Singapore have to deal with service providers like Notabene. 

The Technology Risk Management Guidelines are a new set of guidelines issued on January 18th, 2021, and require financial institutions to assess whether third-party vendors employ a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.

Financial institutions need to assess whether technology vendors can fulfill their security obligations, and then ensure that this is reflected in legal agreements with them. At a time when companies are looking to adopt new AML/CFT tools quickly, we understand that this can be a challenge and delay the procurement process.

To make this process more seamless for our Singaporean customers, we have taken the following steps:

First, ACCESS completed an Independent Assessment of our service.

The report contains an assessment of various aspects of our business as required by the outsourcing guidelines, including data security and business continuity processes. Per their assessment of both the Notabene product as well as these guidelines, we satisfy the requirements put forth by MAS. 

ACCESS also engaged an external vendor to conduct a rigorous cybersecurity assessment of the Notabene product using the Gray Box Testing Method, which was then benchmarked against Open Web Application Security Project (OWASP) standards. The objective was to uncover vulnerabilities in our API by setting up a rogue VASP with malicious intent. No vulnerabilities were identified.

The report has been shared with MAS, FATF and IDAXA. If you are an ACCESS member, you can purchase the report here. We are able to provide a limited number of codes that will allow you to download it at no cost. Please reach out to us for a code.

Second, we are making progress on our SOC2 Audit.

While it takes a while to get the full audit, we have partnered with Vanta to provide potential customers with a real-time report, which also covers data security, business continuity, and data privacy.

Finally, we are one of the first third-party vendors to meet the new Technology Risk Management guidelines put forth by MAS.

This is now reflected in a special version of our commercial agreement, which includes specific addendums surrounding personal data protection, outsourcing guidelines, and technology risk management. We are offering this as an option to Singaporean companies.

Has your company applied for the Digital Payment Token Service License in Singapore, or are you considering it? With our end-to-end Travel Rule solution, we can help you meet the latest requirements. You can reach out to us at hello@notabene.id.