Speech by Mr. Derrick Goh, MP for Nee Soon GRC, at the Second Reading of the Payment Services (Amendment) Bill (Bill No. 41/2020)
1. Mr Speaker Sir, Innovation in payments will contribute to domestic economic growth and improve the lives of our Singaporeans by facilitating the convenience of transactions at lower cost. At the same time, such alternatives to physical cash can promote digital financial literacy and economic efficiency.
2. This amendment Bill in my view represents progressive legislation and I commend the focus on identifying potential incremental risks, covering broad areas that include financial stability, monetary policy and also financial crime prevention – in particular, anti-money laundering and countering the financing of terrorism. There is also some focus on technology risks which include risks around data.
3. Apart from seeking the Minister’s assurance that they will be a robust requirement of anti-money laundering tools to ensure token purity checks, etc so that tokenise payments are not misused for illicit purposes, it is on the theme of technology and data – which is fundamental to digital payment service providers – that I would like to identify incremental risk areas which I feel are known, or reasonably foreseeable and therefore warrants more attention and strengthening.
4. I reflect on recent examples in Singapore that was reported in the media such as KuCoin, a Singapore-headquartered digital asset exchange and Grab. KuCoin made global headlines with a reported US$280M digital coins stolen from a cyber hack recently in September 2020. Industry observers noted this to be the 3rd largest Crypto hack in history. Similarly, Bloomberg on 13 Sept 2020 reported that Grab, our payments Unicorn had 4 repeated technology glitches over 2 years in technology applications relating to exposure of private data. In its September report, the technology magazine CPO headline read, I quote “Fourth Privacy Breach in 2 years for Grab; Given Low Fines, Does the Company have a reason to Care?” unquote.
5. Before I go on, I want to emphasise that there is regulatory scrutiny by the Monetary Authority of Singapore and the Personal Data Protection Commission which have made considerable efforts to balance the bright future of technology and data with its attendant risks. What I am saying is that the rate of change in this area should spur us on to greater efforts. Today, we already know that no technology security is fool proof and we now see exponential use of AI, cloud infrastructure, and the emergence of 5G and quantum computing. These developments have deep implications on the future of cyber security, responsible use of data and demand a corresponding requirement to uplift our population.
6. This rate of technology change is accompanied by a concern which we need to remember that payment fintechs on its own are driven fundamentally by investor valuations. It is well understood that as profit margins are thin in payments services, so such firms strive to create a data ecosystem in the hope of profitting from adjacent businesses. This is where technology risk management could be relegated to a lower priority until a hack happens.
7. Given this, there are 3 areas that I would like to propose for the Minister’s consideration to encourage firms in the ePayments space to undertake the necessary focus without too much regulatory burden:
– Having differentiated standards for technology and cybersecurity risks where minimum standards are required for those in the Standard Payment Institution category or otherwise require them to do a structured self-assessment against benchmark standards. This is already being practised in other major financial centres such as Hong Kong where its Monetary Authority has put in place its Cyber Resilience Assessment Framework to mitigate hacks, fraud and data leakage risks.
– Providing a simple rating system to help the public make better choices amongst payment service providers. This is no different from how our other regulators do this such as the Singapore Food Agency providing food hygiene ratings to hawker stalls or the Building Construction Agency providing the Quality Mark and performance scores of developers and contractors to help homebuyers make informed decisions. In this way, ordinary consumers can easily understand and make their own informed assessment when selecting payment providers even as we make more efforts to upskill their digital literacy.
– Requiring such firms to ensure adequate efforts and resources are devoted to educating and protecting customers in terms of how their data is secured and how it is being used responsibly including in the digital ecosystem. This can help ensure that industry players are culturally attuned from day 1 and ensure that digital public education is as much the responsibility of industry players as it is of the government.
8. As a related point, as we think through these issues, I advocate that we continue to maintain our successful whole-of-government approach to regulate and ensure that the no material, systemic issues fall through the cracks between areas of responsibility.
9. Mr Speaker Sir, as digital payments become a way of life in Singapore, it is crucial that our regulatory frameworks continue to keep pace with the behaviours of market participants so as to ensure minimum standards of technology, cybersecurity and data safeguards and to allow us to take a leadership position in the world in defining these standards. We should move boldly, but skilfully execute with a commitment to manage known or foreseeable risks.
10. I support this Bill.
Watch the speech here.