Why is a Major Payment Institution (MPI) licence a key evaluation criterion when selecting a digital assets partner?

Sparrow has recently received the Major Payment Institution (MPI) licence from the Monetary Authority of Singapore (MAS) to formally operate as a regulated provider of Digital Payment Token (DPT) Services under the Payment Services Act (PS Act). This milestone came a few weeks after we were granted in-principle approval.

Following the successful attainment of in-principle approval, this coveted licence is the culmination of Sparrow’s efforts in strengthening systems, policies, and procedures already in place to enhance compliance and security rigor.

For a financial institution engaging a digital assets partner, it is helpful to evaluate the importance of such a licence, which serves as a testament to an organization’s credibility and reliability. To give financial institutions clearer insight into the significance of this recognition, Sparrow discusses the PS Act in detail, along with the key requirements to be met in order to become a licensed MPI.

What is the Payment Services Act (PS Act)?

The PS Act came into effect on 28 January 2020 to regulate the following activities:

  • Account issuance services
  • Domestic money transfer services
  • Cross-border money transfer services
  • Merchant acquisition
  • Electronic money issuance
  • Digital payment token services
  • Money-changing services

It aims to build a solid e-payments ecosystem in Singapore while protecting consumer rights and promoting consumer confidence in e-payments usage. It acknowledges new technology developments and innovations in the payment services sector and establishes a licence structure covering the spectrum of payment service operations. Additionally, it expands the range of payment services subject to MAS regulation to incorporate innovative services such as DPT services.

Major Payment Institution licence 

The Major Payment Institution licence is the most extensive of the three kinds of licences available under the PS Act. With it, a licence holder can provide any combination of the seven payment services listed above without being subject to any specified thresholds.

When evaluating an application for an MPI licence, MAS takes into account the governance structure, financial situation, track record, suitability and propriety of the controllers and directors, and other considerations. Licensees providing DPT services are required to mitigate two key risks and concerns: money laundering and terrorism financing (ML/TF) risks, and technology and cyber security risks.

Key requirements for a Major Payment Institution (MPI) licensee to be a regulated provider of Digital Payment Token (DPT) services

Money Laundering and Financing of Terrorism risks

Institutional involvement with cryptocurrency has driven demand in the previously niche market. Cryptocurrency is increasingly recognized for its ability to diversify a portfolio, and investors are beginning to consider it as a feasible means to enhance growth.

As digital assets gain steady traction, authorities and regulatory bodies in Singapore acknowledge the risk of cryptocurrency assets being exploited by organized groups and individuals to conduct criminal activities such as money laundering and financing of terrorism, and adopt a whole-of-government approach to detecting and deterring them.

The immutable, decentralized, speedy, and cross-border nature of DPT presents a heightened challenge for DPT service providers to overcome. As such, they must implement adequate measures that encompass:

  • Recognizing, evaluating, and comprehending the licensee’s ML/TF risks.
  • Creating and putting into place policies, procedures, and controls such as those pertaining to the conduct of customer due diligence, transaction monitoring, screening, suspicious transaction reporting, and record keeping.
  • Keeping track of the utilization of such policies, procedures, and controls and adapting them as appropriate.
  • Performing enhanced due diligence measures to detect and investigate higher ML/TF risks more comprehensively to ultimately mitigate them. 

Sparrow plays its part as a responsible DPT service provider to protect the integrity of Singapore’s financial system. We employ a risk-based approach to identify, assess, and comprehend emerging and existing money laundering and terrorist financing risks within the cryptocurrency ecosystem, and implement suitable mitigation measures that correspond with the level of risk.

This includes conducting Enhanced Due Diligence (EDD) right from the start of establishing business relationships and on an ongoing basis throughout the client’s journey, monitoring business relations and transactions continually, and identifying, investigating, and reporting suspicious transactions promptly. 

Cybersecurity risks 

Blockchain has risen in prominence, notably for facilitating digital currencies. Despite its potential to upend multifarious industries, the technology that forms the basis of cryptocurrency has its shortcomings. Cyber attacks on cryptocurrency exchanges happen when security measures are inadequate, with lapses in procedures or policies largely responsible.

This underscores the role of DPT service providers in effectively managing cyber risks prevalent within the cryptocurrency ecosystem, such as data breaches, fraud, and malware attacks. For an MPI licensee to operate DPT services in the city-state of Singapore, the organization must set forth technology and cyber hygiene measures that include:

Technology risk management

  • Technology risk governance and oversight:
      – Role of the board of directors and senior management
      – Policies, standards, and procedures
      – Management of information assets
      – Management of third-party services
      – Competency and background review
      – Security awareness and training
  • Data and infrastructure security:
      – Data security
      – Network security
      – System security
      – Virtualization security
      – Internet of things
  • Cyber security assessment:
      – Vulnerability assessment
      – Penetration testing
      – Cyber exercises
      – Adversarial attack simulation exercise
      – Intelligence-based scenario design
      – Remediation management
  • Software application development and management:
      – Secure coding, source code review, and application security testing
      – Agile software development
      – DevSecOps management
      – Application programming interface development
      – Management of end-user computing and applications
  • IT service management:
      – IT service management framework
      – Configuration management
      – Technology refresh management
      – Patch management
      – Change management
      – Software release management
      – Incident management
      – Problem management
  • IT resilience:
      – System availability
      – System recoverability
      – Testing of disaster recovery plan
      – System backup and recovery
      – Data center resilience

Cyber hygiene requirements

  • Ensure that every administrative account in any operating system, database, application, security appliance, or network device is secured to prevent any unauthorized access to or use of such account
  • Apply security patches to address vulnerabilities in every system
  • Ensure that there is a formal set of security standards for every system
  • Implement controls at network perimeter to restrict all unauthorized network traffic
  • Ensure one or more malware security mechanisms are deployed on every system, where they are available and capable of being used to reduce the risk of malware infection
  • Implement multi-factor authentication for all administrative accounts in the operating system, database, application, security appliance, or network device that is a critical system and for all accounts on any system used by the relevant entity to access customer information through the internet

Information extracted from: Technology Risk Management Guidelines by the Monetary Authority of Singapore and Notice PSN06 on Cyber Hygiene by the Monetary Authority of Singapore

Collectively, these measures bring together people, processes, and technology to create an environment that is secure against cybersecurity risks for all assets.

Cybersecurity professionals at Sparrow have the experience and operational knowledge to ensure IT infrastructure, edge devices, networks, and data are encompassed within a secure environment. The team uses a multi-layered defense strategy that leverages a range of technology and cyber hygiene measures, including SSL inspection, DDoS protection, cloud/network preservation, and data backup, and its anticipatory stance on security threats only grows stronger as technology advances.

Why is a Major Payment Institution (MPI) licence a crucial criterion for choosing a partner for digital assets?

DPT service providers must satisfy high standards in order to obtain an MPI licence. Financial institutions that partner with such providers can be assured that the service provider has high standards of technology and cyber hygiene in place. These aspects have been rigorously checked by authorities before licence issuance, a demanding process which requires heavy investment and commitment to satisfy. This process ultimately results in high standards which reflect an unwavering commitment to quality.

In summary, an MPI licence is a testament that digital assets partners are well-equipped to drive institutional adoption within a secure framework that has been formalized by the authorities. 

Sparrow, a Major Payment Institution (MPI) licence holder

Sparrow operates with transparency and integrity by upholding high compliance and cybersecurity standards. Now as an MPI licensee, we have successfully met all requirements stipulated by the Monetary Authority of Singapore to be a regulated provider of Digital Payment Token (DPT) services under the Payment Services Act (PS Act). Speak to one of our Digital Assets Specialists to find out how we can help you formulate a digital assets strategy to meet your growth objectives.