Digital Payment Token Service Providers to Comply with Enhanced Technology Risk Management Requirements with Effect from 6 November 2024

On 6 February 2024, the Monetary Authority of Singapore (“MAS“) issued the revised MAS Notice PSN05 Notice on Technology Risk Management (“PSN05“) to extend its application to include all holders of a payment services licence under the Payment Services Act 2019 that carry on a business of providing digital payment token services (“DPT Service Licensees“). The revised PSN05 will take effect on 6 November 2024.

Currently, DPT Service Licensees are required to comply with cyber hygiene requirements set out in the MAS Notice on Cyber Hygiene and the MAS Technology Risk Management Guidelines, which require financial institutions generally to establish sound and robust technology risk governance and maintain cyber resilience.

To improve information technology (“IT“) resilience, as well as maintain trust and confidence in digital payment token services, MAS has mandated the requirements in PSN05 for DPT Service Licensees, which include:

(a)     Putting in place a framework and process to identify critical systems;

(b)    Making all reasonable efforts to maintain high availability for critical systems (maximum unscheduled downtime for each critical system not to exceed a total of four hours within any period of 12 months);

(c)     Establishing a recovery time objective of not more than four hours for each critical system;

(d)   Notifying MAS as soon as possible, but not later than one hour, upon the discovery of a system malfunction or IT security incident, which has a severe and widespread impact on the licensee’s operations or materially impacts the DPT Service Licensee’s service to its customers, and submitting a root cause and impact analysis report to MAS, within 14 days or such longer period as MAS may allow, from the discovery of the relevant incident; and 

(e)      Implementing IT controls to protect customer information from unauthorised access or disclosure.

For details, please refer to the revised PSN05, the Amendment Notes to PSN05 and the updated accompanying FAQs – Notice on Technology Risk Management.

DPT Service Licensees will also note that there will be other new regulatory measures on consumer access and business conduct that will be prescribed for DPT Service Licensees in 2024. For more information, please refer to our Legal Update on “Digital Payment Token Service Providers to Comply with Enhanced Regulatory Measures from 2024“.

For background, please refer to the following links:

CONTACTS

Head, Financial Institutions Group
+65 6232 0456
Singapore,
Deputy Head, Financial Institutions Group
+65 6232 0482
Singapore,
Partner
+65 6232 0686
Singapore,
Partner
+65 6232 0941
Singapore,
Head, Technology, Media & Telecommunications
+65 6232 0751
Brunei, Singapore,
Deputy Head, Technology, Media & Telecommunications
+65 6232 0786
Singapore,
Deputy Head, Technology, Media & Telecommunications
+65 6232 0738
Singapore,
Partner
+65 6232 0752
Singapore,
Partner
+65 6232 0453
Singapore,
Partner
+65 6232 0791
Singapore,
Chief Economic and Policy Advisor
Partner
+65 6232 0298
Singapore,

Country

EXPERTISE

SECTORS

Share

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This website is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this website.

© 2024 Rajah & Tann Asia. All Rights Reserved. All trademarks are property of their respective owners.