Why is a Major Payment Institution (MPI) licence a key evaluation criterion when selecting a digital assets partner?
Sparrow has recently received the Major Payment Institution (MPI) licence from the Monetary Authority of Singapore (MAS) to formally operate as a regulated provider of Digital Payment Token (DPT) Services under the Payment Services Act (PS Act). This milestone came a few weeks after we were granted in-principle approval.
Following the successful attainment of in-principle approval, this coveted licence is the culmination of Sparrow’s efforts in strengthening systems, policies, and procedures already in place to enhance compliance and security rigor.
As a financial institution engaging a digital assets partner, it is helpful to evaluate the importance of such a licence, which serves as a testament to an organization’s credibility and reliability. To give financial institutions clearer insight into the significance of such recognition, Sparrow discusses the PS Act in detail along with the key requirements for becoming a licensed MPI.
What is the Payment Services Act (PS Act)?
The PS Act came into effect on 28 January 2020 to regulate the following activities:
- Account issuance services
- Domestic money transfer services
- Cross-border money transfer services
- Merchant acquisition
- Electronic money issuance
- Digital payment token services
- Money-changing services
Major Payment Institution licence
The Major Payment Institution licence is the most extensive of the three kinds of licences available under the PS Act. With it, a licence holder can provide any combination of the seven payment services listed above without being subject to any specified thresholds.
The governance structure, financial situation, track record, suitability and propriety of the controllers and directors, and other considerations are all taken into account by MAS while evaluating an application for an MPI licence. Licensees providing DPT services are required to mitigate two key risks and concerns: Money Laundering and Financing of Terrorism (ML/FT) risks and technology and cyber security risks.
Key requirements for a Major Payment Institution (MPI) licensee to be a regulated provider of Digital Payment Token (DPT) services
Money Laundering and Financing of Terrorism risks
Institutional involvement with cryptocurrency has driven demand in the previously niche market. As cryptocurrency is increasingly recognized for its ability to diversify a portfolio, investors are beginning to consider it as a feasible means to enhance growth.
As digital assets gain steady traction, the risk of cryptocurrency assets being exploited by organized groups and individuals to conduct criminal activities such as money laundering and financing of terrorism is acknowledged by authorities and regulatory bodies in Singapore, who adopt a whole-of-government approach to detecting and deterring them.
Given the immutable, decentralized, speedy, and cross-border nature of DPT, it presents a heightened challenge for DPT service providers to overcome. As such, they must implement adequate measures that encompass:
- Recognizing, evaluating, and comprehending the licensee’s ML/TF risks.
- Creating and putting into place policies, procedures, and controls such as those pertaining to the conduct of customer due diligence, transaction monitoring, screening, suspicious transaction reporting, and record keeping.
- Keeping track of the utilization of such policies, procedures, and controls and adapting them as appropriate.
- Performing enhanced due diligence measures to detect and investigate higher ML/TF risks more comprehensively to ultimately mitigate them.
Sparrow plays its part as a responsible DPT service provider to protect the integrity of Singapore’s financial system. We employ a risk-based approach to identify, assess, and comprehend emerging and existing money laundering and terrorist financing risks within the cryptocurrency ecosystem to implement suitable mitigation measures that correspond with the level of risk.
This includes conducting Enhanced Due Diligence (EDD) right from the start of establishing business relationships and on an ongoing basis throughout the client’s journey, monitoring business relations and transactions continually, and identifying, investigating, and reporting suspicious transactions promptly.
Cybersecurity risks
Blockchain has risen in prominence — notably for facilitating digital currencies. Despite its potential to upend multifarious industries, the technology that forms the basis of cryptocurrency has its shortcomings. Cyber attacks occurring on cryptocurrency exchanges happen when security measures are inadequate, with lapses in procedures or policies largely responsible.
This reiterates the role of DPT service providers to effectively manage cyber risks prevalent within the cryptocurrency ecosystem such as data breaches, fraud, and malware attacks. For an MPI licensee to operate DPT services in the city-state of Singapore, the organization must set forth technology and cyber hygiene measures that include:
| Technology risk management | Cyber hygiene requirements |
| --- | --- |
| Technology risk governance and oversight: – Role of the board of directors and senior management – Policies, standards, and procedures – Management of information assets – Management of third-party services – Competency and background review – Security awareness and training | Ensure that every administrative account in any operating system, database, application, security appliance, or network device is secured to prevent any unauthorized access to or use of such account |
| Data and infrastructure security: – Data security – Network security – System security – Virtualization security – Internet of things | Apply security patches to address vulnerabilities in every system |
| Cyber security assessment: – Vulnerability assessment – Penetration testing – Cyber exercises – Adversarial attack simulation exercise – Intelligence-based scenario design – Remediation management | Ensure that there is a formal set of security standards for every system |
| Software application development and management: – Secure coding, source code review, and application security testing – Agile software development – DevSecOps management – Application programming interface development – Management of end-user computing and applications | Implement controls at network perimeter to restrict all unauthorized network traffic |
| IT service management: – IT service management framework – Configuration management – Technology refresh management – Patch management – Change management – Software release management – Incident management – Problem management | Ensure one or more malware security mechanisms are deployed on every system, where they are available and capable of being used to reduce the risk of malware infection |
| IT resilience: – System availability – System recoverability – Testing of disaster recovery plan – System backup and recovery – Data center resilience | Implement multi-factor authentication for all administrative accounts in the operating system, database, application, security appliance, or network device that is a critical system and for all accounts on any system used by the relevant entity to access customer information through the internet |
Information extracted from: Technology Risk Management Guidelines by the Monetary Authority of Singapore and Notice PSN06 on Cyber Hygiene by the Monetary Authority of Singapore
Collectively, the above-mentioned measures allow for the coalescence of people, processes, and technology to create a secure environment that is averse to cybersecurity risks for all assets.
Cybersecurity professionals at Sparrow have the experience and operational knowledge to ensure IT infrastructure, edge devices, networks, and data are encompassed within a secure environment. Utilizing a multi-layered defense strategy that leverages a range of technology and cyber hygiene measures that include SSL inspection, DDoS protection, cloud/network preservation, and data backup, the team’s anticipatory stance on security threats only grows stronger as technology advances.
Why is a Major Payment Institution (MPI) licence a crucial criterion for choosing a partner for digital assets?
DPT service providers must satisfy high standards in order to obtain an MPI licence. Financial institutions that partner with such providers can be assured that the service provider has high standards of technology and cyber hygiene in place. Such aspects have been rigorously checked by authorities before licence issuance — a demanding process which requires heavy investment and commitment to satisfy. This process ultimately results in high standards which reflect an unwavering commitment to quality.
In summary, an MPI licence is a testament that digital assets partners are well-equipped to drive institutional adoption within a secure framework that has been formalized by the authorities.
Sparrow, a Major Payment Institution (MPI) licence holder
Sparrow operates with transparency and integrity by upholding high compliance and cybersecurity standards. Now as an MPI licensee, we have successfully met all requirements stipulated by the Monetary Authority of Singapore to be a regulated provider of Digital Payment Token (DPT) services under the Payment Services Act (PS Act). Speak to one of our Digital Assets Specialists to find out how we can help you formulate a digital assets strategy to meet your growth objectives.
Risk Warning on Digital Payment Token Services:
The Monetary Authority of Singapore (MAS) requires us to provide this risk warning to you as a customer of a Digital Payment Token (DPT) service provider. Before you pay your DPT service provider any money or DPT, you should be aware of the following.
1. Your DPT service provider is licensed by MAS to provide DPT services. Please note that this does not mean you will be able to recover all the money or DPTs you paid to your DPT service provider if your DPT service provider’s business fails.
2. You should not transact in the DPT if you are not familiar with this DPT. This includes how the DPT is created, and how the DPT you intend to transact is transferred or held by your DPT service provider.
3. You should be aware that the value of DPTs may fluctuate greatly. You should buy DPTs only if you are prepared to accept the risk of losing all of the money you put into such tokens.
4. You should be aware that your DPT service provider, as part of its licence to provide DPT services, may offer services related to DPTs which are promoted as having a stable value, commonly known as “stablecoin”.
Source: https://www.mas.gov.sg/-/media/MAS-Media-Library/regulation/notices/PSO/psn08-notice-on-disclosures-and-communications/Notice-PSN08-on-Disclosures-7-Mar-2022.pdf
Disclaimer:
The information provided here is for informational purposes only and is not to be construed as a recommendation or advice to any prospective investor in relation to any legal, tax, financial investment or any other matters. You should consult with an attorney or other professional advisors to determine what may be best for your individual needs.
Sparrow Tech Private Limited (“Sparrow”) does not make any guarantee or other promise as to any results that may be obtained from using our content. In making any decisions regarding our content, prospective users should first consult their own financial advisor and rely on their own examination of the terms of the offering, including the merits and risks of investing in the relevant products.
To the maximum extent permitted by law, Sparrow shall not be liable in the event of any information, commentary, analysis, opinions, advice and/or recommendations proving to be inaccurate, incomplete or unreliable, or result in any decisions regarding our content or other losses.
Content contained on or made available through any of our communication channels is not intended to and does not constitute legal advice or investment advice and no attorney-client relationship is formed. Your use of the information on any of our communication channels is at your own risk.