The Financial Technology Law Review: Singapore
The Singapore government and related statutory boards have identified fintech as a growth area for the Singapore economy. Following on from this, a not insignificant amount of resources has been channelled into the space. By way of example, the Monetary Authority of Singapore (MAS) has formed a Financial Technology and Innovation Group to drive fintech initiatives, with divisions specifically responsible for developing the Singapore payments ecosystem and cross-border data connectivity, scanning the horizon for cutting-edge technologies with potential financial industry application, and developing and implementing AI strategy for the Singapore financial industry. In addition, Singapore offers an open banking platform via application programming interfaces for faster innovation and integration of new and legacy IT systems within the sector. MAS also launched two 'sandboxes' as safe spaces for fintech companies to experiment and roll out innovative products and solutions within controlled boundaries.
In conjunction with the above, there are several schemes aimed at supporting fintech innovation such as:
- the Technology Enterprise Commercialisation Scheme;
- the Financial Sector Technology and Innovation (FSTI) scheme; and
- the Capabilities Development Grant – Technology Innovation.
For the FSTI scheme, which is intended to support the creation of a vibrant ecosystem for innovation, MAS has committed S$225 million over a five-year period to help financial institutions set up innovation labs in Singapore, fund technology infrastructure to deliver fintech services, and provide support for early-stage development of innovative projects through the FSTI proof of concept initiative.
There are several additional grants, schemes and initiatives which aim to facilitate access to capital for fintech entities in Singapore. These include:
- A.I.SG is a national programme which is expected to involve investment of S$150 million over five years to boost Singapore's artificial intelligence (AI) capabilities.
- The Accelerated Initiative for Artificial Intelligence was recently commenced in April 2019 by the Intellectual Property Office of Singapore (IPOS) to accelerate grants of AI-related patent applications to just six months, compared to a typical period of at least two years. This initiative is also available to AI innovators (both individuals and corporate entities) outside of Singapore, allowing them to use Singapore as a base to access markets of their interest speedily.
- An accreditation programme through which the Info-Communications Media Development Authority will accredit promising technology product firms, in order to help them establish their credentials and position them as qualified parties to potential buyers and customers. This involves an independent evaluation of the technology product firms on the basis of various factors, including whether their products function in accordance with stated claims.
- Startup SG Accelerator, Startup SG Equity, Startup SG Founder and Startup SG Talent (all operated by Enterprise Singapore), are schemes which provide the Singapore tech start-up ecosystem with government co-investment, mentorship support and start-up capital grants. For example, Startup SG Talent aims to foster a more conducive environment for promising global talent to set up innovative businesses in Singapore and for start-ups to attract global talent to become part of their team (including in particular the EntrePass scheme, which allows eligible foreigners to start and operate a new business in Singapore).
- The Enterprise Development Grant is managed by Enterprise Singapore and is designed to help companies in Singapore build internal capabilities. Under this programme, Singapore companies (with at least 30 per cent local shareholding) may obtain government grants of up to 70 per cent of the qualifying product costs for upgrading initiatives in areas such as increasing productivity, process improvement, product development and market access.
- The Early Stage Venture Fund is an initiative under the National Framework for Innovation and Enterprise, through which the National Research Foundation Singapore invests S$10 million on a matching basis to seed corporate venture capital funds to invest in Singapore-based early-stage technology start-ups.
i Licensing and marketing
Fintech-related legal work regularly covers a broad range of topics, which typically include:
- financial regulatory and compliance (e.g., the type of licence that will need to be issued by the relevant authority or licensing exemptions that may be applicable to a fintech product or service);
- data protection (e.g., the obligations imposed on fintech companies in relation to personal data or personally identifiable information that they may handle);
- intellectual property issues (e.g., intellectual property protection and management); and
- financings (e.g., venture capital investments in fintech companies).
A fintech company should consider whether a licence from a regulatory authority is required (i.e., regulatory licensing issues) as a priority. This is to reduce the risk of a potential licence application procedure holding back the roll-out of a fintech product or service. Fintech products and services come in a variety of forms and there is no one 'fintech licence' that applies to all fintech products and services. Different pieces of legislation may apply to different fintech products and services depending on the scope of the product or service being offered. The specific regulatory authority that regulates the activities of the fintech product or service will vary depending on the scope of such product or service. From experience, the regulatory authorities that oversee fintech-related activities will typically be MAS, the Registry of Moneylenders and Enterprise Singapore.
If the fintech product or service requires a licence from an authority, it will likely take months before a particular licence is issued. The speed of the grant of a licence will depend (among other things) on the quality and completeness of the application and the level of regulatory comfort that the fintech company provides to the authority. The authority will typically require some time to consider the details of the licence application and the fintech company may also need some time to respond to questions from the authority on the specifics of the product or service.
Depending on the specific scope of activities of the fintech product or service, the following (non-exhaustive) issues may need to be considered:
- licensing requirements for regulated activities under the Securities and Futures Act (SFA) (e.g., 'dealing in capital markets products' and 'fund management');
- prospectus requirements for the offer of securities to persons in Singapore under the SFA;
- licensing requirements for regulated activities under the Financial Advisers Act (FAA) (e.g., providing financial advisory services);
- licensing requirements for moneylending under the Moneylenders Act;
- licensing requirements for providing payment services under the Payment Services Act; and
- regulatory requirements imposed on the operator of a 'payment system' under the Payment Services Act.
Prior to undertaking any marketing of a fintech product or service, a fintech company should determine if it is undertaking a regulated activity and whether a licence is required for it to operate. There may be restrictions as to the scope of marketing activities that a fintech company can undertake and this will typically revolve around the issue of whether (and how) the activities of the fintech company are regulated. For example, a fintech company that operates a securities crowdfunding platform may be required to hold a capital markets services licence for 'dealing in capital markets products (securities)' under the SFA. In facilitating the offer of shares to persons in Singapore, prospectus registration requirements under the SFA will be triggered. It is possible to rely on a specific prospectus registration exemption for such purposes but the invocation of a prospectus registration exemption may carry certain advertising restrictions (i.e., restrictions on marketing the specific share). Another example is an automated digital advisory or asset management company, whose business activities may be construed as providing financial advisory services under the FAA or undertaking fund management under the SFA. It is possible that the fintech company had proposed (in its licence application to an authority) to only deal with 'sophisticated investors' (i.e., accredited investors and institutional investors as such terms are defined under the SFA). Consequently, the relevant licence granted to the fintech company may have a condition that restricts its dealings to 'sophisticated' investors when carrying out automated digital advisory or asset management activities. Such a condition would restrict the ability of the fintech company to market its services to retail investors.
ii Cross-border issues
There is no concept of 'passporting' of a fintech product or service under Singapore law. The fact that a fintech company is licensed in a foreign jurisdiction does not allow it to undertake regulated activities in Singapore simply on the basis that it is licensed in the foreign jurisdiction. Regardless of its licensing status in another jurisdiction, the offering of fintech products and services to persons in Singapore may trigger licensing requirements in Singapore on the part of the offeror, which depend on the actual type and scope of the products and services being offered.
What happens if a fintech company does not specifically target persons in Singapore in respect of its fintech product or service? The licensing requirements under the FAA and the SFA may still be triggered as they have extraterritorial effect. The relevant legislation provides that 'where a person does an act partly in and partly outside Singapore which, if done wholly in Singapore, would constitute an offence under this Act, that person shall be guilty of that offence as if the act were carried out by that person wholly in Singapore, and may be dealt with as if the offence were committed wholly in Singapore'. Furthermore, even where an act is done entirely outside of Singapore, licensing requirements would still apply if such conduct has a 'substantial and reasonably foreseeable' effect in Singapore. In this regard, there is no bright line test as to when conduct will be seen to have a 'substantial and reasonably foreseeable' effect in Singapore and such an analysis should be undertaken on a case-by-case basis. One factor (of many) that should be considered is that there has been no marketing of the fintech product or service to persons in Singapore.
Digital identity and onboarding
For access to electronic services provided by the Singapore government and its statutory boards, such as filing of income taxes and paying parking fines, the Government Technology Agency (GovTech) issues and manages a national digital identity for individuals known as the 'SingPass'. Currently, Singapore citizens and permanent residents, as well as holders of certain documents that permit residency in Singapore (e.g., holders of employment passes and dependent passes), are eligible to register for a SingPass account.
SingPass also controls access to the MyInfo service, which is a store of an individual's personal data either retrieved from Singapore government sources, or provided directly by that individual. While MyInfo was first designed for use by the Singapore government and its statutory boards, over 90 private-sector services including several financial service providers have now been permitted to use MyInfo to do away with the need for users to submit supporting documents when opening new bank accounts, applying for credit cards, purchasing life insurance or carrying out certain property transactions.
GovTech also issues and manages a corporate digital identity known as 'CorpPass'. Both locally registered and foreign-registered entities are eligible to register for a CorpPass account, which in 2019 became the only login method for corporate transactions with the Singapore government.
The national digital identity (NDI) system being developed by GovTech as part of the Singapore Smart Nation initiative will include a national facial recognition service, which will perform verification against the national biometric database over the internet. It is also reported that GovTech has been working with various private sector entities to test the NDI and further develop services that make use of the NDI. These services are expected to eventually include the signing of digital agreements and secure storage of digital documents.
It is potentially possible for financial service providers to carry out fully digitised onboarding of clients. However, they would need to consider (and accept) electronic risks such as the following:
- integrity: the integrity of the electronic record (i.e., that the electronic record has not been altered or tampered with);
- identity: the identity of the parties involved, including whether they are authorised to issue such electronic records; and
- authority: where a client is a corporate entity, there is the additional risk of proving that the party issuing the electronic record or carrying out the electronic transaction has the requisite authority to transact on behalf of the client.
Depending on the particular type of financial services being provided, the provider would also need to consider relevant regulatory licensing issues.
Digital markets, payment services and funding
The marketing and management of collective investment schemes, and the provision of equity crowdfunding platforms, peer-to-peer lending platforms and payment services, will typically fall within the scope of regulated activities in Singapore. Fintech companies that intend to offer such products and services should consider whether they will require a licence and whether licensing exemptions may be relied on (if so desired).
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no specific regulation of blockchain technology on its own. However, the manner in which blockchain technology is used and the product or service that is offered (based on blockchain technology) may be construed as a regulated activity.
Depending on the characteristics of the digital token, digital tokens could be construed as a form of security such as a debenture or share, a unit in a collective investment scheme or even a derivatives contract. If the digital tokens issued in an initial coin offering fall within the definition of securities, a collective investment scheme or derivatives contracts under the SFA (or display characteristics similar to such capital markets products), it will raise potential financial regulatory issues under the SFA and other laws pertaining to financial regulation in Singapore. These include (among other things) prospectus registration requirements on the issuer for an offer of securities, units in a collective investment scheme or securities based derivatives to persons in Singapore and, possibly, licensing issues such as those for dealing in capital markets products by the issuer or intermediaries. In addition, platforms facilitating secondary trading of such digital tokens may also have to be approved or recognised by MAS as an approved exchange or recognised market operator respectively under the SFA.
In addition, digital tokens could be characterised as 'e-money' or 'digital payment tokens'. Depending on the nature of their usage or the services that are associated with them, such services could be construed as a payment service under the Payment Services Act. This could in turn mean that such payment services may need to be licensed under the Payment Services Act, unless a licensing exemption applies.
In general, anti-money laundering and combating the financing of terrorism (AML and CFT) rules apply to financial institutions that deal in cryptocurrencies and tokens and financial institutions that have customers that deal in cryptocurrencies and tokens. The relevant notices and guidelines that are imposed on financial institutions provide that financial institutions will need to identify the AML and CFT risks in relation to new products and new business practices, including new delivery mechanisms and new or developing technologies that favour anonymity. Given that cryptocurrency transactions often involve anonymous transactions at some level, we would expect MAS to require financial institutions to pay particular attention to cryptocurrency-related transactions or transactions arising from cryptocurrency-related transactions.
Other new business models
There is no mandatory Singapore law that disqualifies self-executing contracts or 'smart contracts' (i.e., those that automatically self-execute if certain conditions are met), from being valid and enforceable under Singapore law.
There is no special legal framework that applies specifically to such contracts. These contracts would, of course, need to be valid under general law (e.g., the contract must fulfil the key elements for the formation of contract under Singapore law, including: offer and acceptance; consideration; and intention to create legal relations).
It is possible to enter into contracts electronically under Singapore law. Subject to exceptions,[2] the general rule under the Electronic Transactions Act (ETA) is that information shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.[3] The ETA also provides that in the context of the formation of contracts, an offer and the acceptance of an offer may be expressed by means of electronic communications.[4] Where an electronic communication is used in the formation of a contract, that contract shall not be denied validity or enforceability solely on the ground that an electronic communication was used for that purpose.[5] A correction mechanism such as arbitration and mediation can be made available – the dispute resolution method could be encoded into the contract.
A fully automated investment process (e.g., 'robo-advice') and third-party websites comparing products or providing information about financial products will typically fall within the scope of regulated activities in Singapore, although the precise scope of the investment process and the particular financial products being offered will affect the analysis. Fintech companies that intend to offer such products and services should consider whether they will require a licence and whether licensing exemptions may be relied on (if so desired). Both of these models will also be subject to intellectual property and data protection considerations, as further discussed in Section VII below.
Some fintech products and services that are relatively new in Singapore include various products built in reliance on blockchain, products that purport to have deep or self-learning or AI aspects, and alternative authentication methods (replacing hardware security tokens). The regulatory and legal issues that they raise are dependent on the precise scope of the product or service being offered as well as the method through which the product is made available to the market. As an example, some products are developed for provision to 'traditional' financial institutions, where that financial institution maintains the client relationship. With this model, different MAS requirements may be relevant – for example, the fintech company may wish to engage the financial institution on the basis that its solution is compliant with Guidelines on Outsourcing Risk Management.
Intellectual property and data protection
Fintech business models and related software may be protected by various intellectual property rights in Singapore. Patent protection may be available, and IPOS recently launched a new FinTech Fast Track initiative that facilitates a faster patent application-to-grant process for fintech inventions. Alternatives to patent protection include copyright or protection as trade secrets or confidential information, depending on the nature of the business model. Software would generally be protected by copyright. It is not necessary to carry out any registration in Singapore to obtain copyright protection.
If an employee develops an original work in pursuance of the terms of his or her employment, the default rule is that ownership of the copyright in the original work vests in the employer. If a contractor develops an original work, the default rule is that the contractor continues to own the original work. However, it is common for employees and contractors to be bound by written contractual obligations that specify ownership of the intellectual property they develop, and these default rules may be overridden. Fintech companies should ensure that their employees and contractors enter into such agreements.
The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) would apply to client data to the extent that it comprises personal data, which is defined as 'data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which the organisation has or is likely to have access'. In brief, there are two key parts of the PDPA:
- protection of an individual's personal data, including in relation to requiring consent, granting access and correction rights, requiring reasonable security, and limiting transfers overseas; and
- establishment of a do-not-call registry for individuals to opt out from receiving certain types of marketing messages addressed via Singapore telephone numbers.
Internet protocol solutions may still be subject to the do-not-call registry (WhatsApp is one such solution subject to this regime).
Client data will also be protected by the common-law obligations of confidentiality. A recipient of data would be subject to confidentiality restraints where data or information in question is:
- confidential as regards the giver of the data or information; and
- imparted under circumstances where the recipient knew or ought to know that the data or information in question was confidential.
If confidential information is disclosed without consent, there is a risk that such disclosure would be in breach of confidence.
Singapore also has sector-specific regimes to protect the privacy and confidentiality of bank customer information and the confidentiality of information relating to trusts, including information of settlors and beneficiaries of trusts. While there are no special rules specifically focused on regulating the digital profiling of clients, it would be relevant to consider the PDPA and the various other data protection and privacy-related regimes in the implementation of a profiling solution, especially for companies providing financial services.
Year in review
The current legal framework governing payment services in Singapore is found in different pieces of legislation and certain parts of such legislation may not be easily applicable to an online context. In 2016, MAS embarked on a review of the regulatory framework governing payment services in Singapore with a view to modernising and streamlining the existing frameworks to encourage the wider adoption of electronic payments (e-payments) in Singapore. Arising from this review, MAS consulted twice on the proposed activity-based Payment Services Bill (the Bill) in August 2016 and November 2017. MAS also consulted on a set of guidelines to standardise and enhance the protection given to users in the context of unauthorised or mistaken payment transactions. On 14 January 2019, the Bill was passed in Parliament. The Payment Services Act came into effect on 28 January 2020 and, perhaps in line with this act, there appears to have been an increase in the number of e-payment companies entering the Singapore market.
Outlook and conclusions
When we first started advising on fintech-related matters, many of the fintech companies were not looking to be licensed and wanted to structure their product or service such that they may rely on available licensing exemptions. Subsequently, as certain models of fintech products and services became more common (e.g., peer-to-peer lending and equity crowdfunding models), MAS provided greater guidance on the regulatory treatment of these models. Following on from this, there was a shift towards fintech companies seeking to be licensed. We believe that the current models of fintech companies will probably persist but the manner in which they will be operationalised will change. In this respect, we believe that many of these models will utilise blockchain technology in their products or services. It is also likely that other models leveraging blockchain technology will appear in the market (e.g., tokenised assets).
1 Adrian Ang V-Meng and Alexander Yap Wei-Ming are partners at Allen & Gledhill LLP.
2 Section 4(1) of the ETA, read together with the First Schedule to the ETA, provides that the entirety of Part II of the ETA does not apply to the following categories of documents: (1) the creation or execution of a will; (2) negotiable instruments, documents of title, bills of exchange, promissory notes, consignment notes, bills of lading, warehouse receipts or any transferable document or instrument that entitles the bearer or beneficiary to claim the delivery of goods or the payment of a sum of money; (3) the creation, performance or enforcement of an indenture, declaration of trust or power of attorney with the exception of constructive and resulting trusts; (4) any contract for the sale or other disposition of immovable property, or any interest in such property; and (5) the conveyance of immovable property or the transfer of any interest in immovable property.
3 'Electronic record' is defined very broadly as 'a record generated, communicated, received or stored by electronic means in an information system or for transmission from one information system to another'. 'Information' includes 'data, text, images, sound, codes, computer programs, software and databases'.
4 'Electronic communication' is defined as 'any communication that the parties make by means of electronic records'.
5 Section 11 of the ETA.