Getting a MAS license is not the finish line. For payment service providers (PSPs) and licensed fund managers in Singapore, it is the point at which the compliance obligations become more specific, more testable and more actively examined by the Monetary Authority of Singapore.
The Payment Services Act sets out the requirements for licensed PSPs. What it does not spell out is how demanding the ongoing obligations are once you are licensed: the screening accuracy standards, the transaction monitoring thresholds and the data freshness requirements that MAS examiners look for in practice.
Key takeaways:
What Is a MAS License and Why Does the Category Matter?
MAS licenses payment service providers under the Payment Services Act across three tiers. The entry level is Money Changer, covering the narrowest scope. A Standard Payment Institution covers mid-tier activities, and a Major Payment Institution is where most growing PSPs end up once they cross MAS’s volume thresholds for any regulated service.
The category matters because the compliance bar scales with it. A firm operating at the SPI level may manage with lighter transaction monitoring infrastructure. At the MPI level, MAS expects a production-grade FMS, documented AML controls and the ability to demonstrate ongoing monitoring across the entire customer base.
Fund managers and other MAS-licensed financial institutions face the same screening and monitoring obligations, even though their license sits outside the PSA framework. MAS applies consistent AML and CFT expectations across all supervised entities.
What MAS Actually Requires from Licensed PSPs
MAS does not just want you to have a fraud system. It wants to see it working, documented and tested. The two frameworks that matter most are PSN01, which covers AML and transaction monitoring obligations, and the Technology Risk Management guidelines, which cover device security and authentication controls.
Most PSPs focus on PSN01 because it is the obvious compliance checklist. TRM catches them off guard because it sits closer to IT than to compliance, but MAS examines both. A PSP with strong fraud detection but weak device security documentation will still fail.
The practical standard is straightforward. Your system needs to catch fraud in real time and produce an audit trail that MAS can inspect. Getting one right without the other is not enough.
Why MAS Doesn’t Set a Fixed Transaction Threshold
MAS guidance does not prescribe a specific transaction threshold. Instead, it requires licensed institutions to set their own parameters for identifying suspicious transactions, based on their risk profile, customer base and operational context. Those parameters must be documented, independently validated and reviewed periodically.
A prescribed number is easy to configure once and forget, but a risk-based threshold places the burden on the institution to justify why its parameters align with its actual exposure and to defend that justification under examination.
The 25% figure that sometimes gets attached to MAS transaction monitoring actually refers to something unrelated: beneficial ownership. MAS uses a 25% ownership or voting rights threshold to identify the ultimate beneficial owner of a legal entity. It has no bearing on transaction flagging.
Institutions that conflate the two risk building a monitoring system around a number with no basis in MAS’s actual guidance, while leaving the real obligation, a documented, risk-based, independently validated threshold, unmet.
See how SEON’s AML transaction monitoring maps to MAS rule requirements
SEON’s AML Transaction Monitoring
Why Onboarding Checks Do Not Satisfy MAS
MAS requires licensed firms to conduct ongoing due diligence, not just point-in-time checks at onboarding. For many PSPs and fund managers, this means weekly or more frequent screening of the entire customer and counterparty base against PEP lists, sanctions lists and watchlists.
The operational implication is significant. A firm with hundreds of investors or counterparties cannot rely on manual screening to meet this standard. The volume alone makes automated ongoing monitoring a practical requirement, not just a compliance enhancement.
The risk of getting this wrong is specific. If a customer or counterparty becomes sanctioned after onboarding, MAS expects the firm to identify that change and act on it promptly. An institution that only screens at onboarding will miss post-onboarding changes, creating a gap that MAS examinations will surface.
The Screening Accuracy Problem MAS Will Find
Most licensed firms focus on whether they have a screening tool. The harder question is whether they can trust its output. A discrepancy between the number of hits reported by the system and the actual number visible in the dashboard is not just an operational inconvenience, it is a compliance liability.
MAS examiners do not just ask whether screening is happening. They ask whether the institution can rely on the results. A system that reports six hits via automated notification but shows five in the dashboard has a data integrity problem, and under MAS scrutiny, that inconsistency raises questions about the reliability of the entire compliance program.
When evaluating vendors, institutions should ask directly how the system handles database sync delays and what audit trail exists when reported results differ from displayed results. The answer to that question matters more than most other evaluation criteria.
Why Stale PEP and Sanctions Lists Fail MAS Examination
MAS maintains its own PEP and sanctions data and updates it nightly. Vendors who source their lists from third-party data aggregators and update them weekly or monthly are working with data that is already behind MAS’s own standards.
The practical consequence is that a person who becomes politically exposed or sanctioned today may not appear in a vendor’s database for days or weeks. During that window, a licensed firm is screening against stale data without knowing it. MAS examiners will check when lists were last updated — that is a standard examination question.
Institutions should verify with any vendor how frequently their PEP and sanctions databases are refreshed, whether that update frequency is documented and whether the MAS list specifically is sourced directly or inherited from a third-party aggregator.
How to Meet MAS Requirements in Phases
MAS does not require every capability to be live at the same time. A phased approach is viable provided each phase is genuinely operational and documented. The constraint is always the same: if it is not written down with governance approval, it did not happen, as far as MAS is concerned.
AML Screening and Core Transaction Rules
Start here. This covers the most visible MAS requirements and gives the institution a defensible baseline for examination. The 25% balance threshold rule and ongoing screening obligations must be active from day one — these are the elements MAS is most likely to test first.
Device Intelligence and Behavioral Monitoring
Extend coverage to the authentication and account management layers as the platform scales. This is where account takeover risk is concentrated and where MAS’s TRM guidelines become operationally relevant.
Full Audit Trail and STR Workflow
Connect the FMS case management workflow to STR report generation. Each phase needs a written policy, governance approval and an audit trail ready for inspection.
Account Takeovers Risk for Singapore PSPs
Account takeover in Singapore typically targets the gap between mobile app security tools and fraud detection systems. Many licensed PSPs invest in device security detecting rooted devices, emulators and jailbroken handsets, but that security layer operates independently of any fraud scoring.
The result is that a security tool can identify a suspicious device and force-close the app, while the fraud system has no record of why that happened. Integrating device intelligence into the fraud detection layer means the session data that triggers a security response also contributes to the transaction risk score.
The authentication layer is where this integration matters most. A credential change followed by a high-value transfer from an unfamiliar device is a pattern that requires cross-event visibility to catch. Monitoring login events, account edits and transaction initiation as a connected sequence allows a PSP to detect them reliably.
How MAS Expects STR Reporting to Work
MAS requires licensed institutions to file Suspicious Transaction Reports with the Suspicious Transaction Reporting Office when they identify transactions that may indicate money laundering or other financial crime. The obligation is clear. What trips up many PSPs is the workflow behind it.
MAS expects the STR to originate from the FMS case management workflow, with a documented chain from the initial alert through investigation to the filed report. Analysts who rebuild the case narrative in a separate document after the fact create a gap in the chain of evidence.
The standard MAS expects is that the FMS generates the alert, the analyst documents the findings within the platform, and the system produces a structured report ready for submission. At any meaningful transaction volume, that process cannot be manual.
MAS FMS Vendor Checklist
Most vendors will tell you they are MAS-compliant. Few can show you nightly MAS list updates, a documented sync between reported and actual hits and a rule configuration that covers the 25% balance threshold. Those three things separate a vendor that fits the Singapore market from one that does not.
List freshness is the first filter. Ask the vendor directly: how often is the MAS PEP and sanctions list updated? Is it sourced directly from MAS or through a third-party aggregator? Can they show you the update log?
Screening accuracy is the second. Ask how the system handles discrepancies between automated notifications and dashboard results. Ask what the audit trail looks like when a sync delay occurs. If the vendor cannot answer clearly, that is the answer.
MAS rule mapping is the third. The vendor should provide a document demonstrating that their configurable rules meet MAS’s published requirements, including the specific transaction threshold guidance. That document is what you hand to an examiner.
FAQ
MAS issues payment service licenses under the Payment Services Act in three tiers: Money Changer, Standard Payment Institution and Major Payment Institution. Each tier covers a broader scope of regulated payment activities and carries stricter compliance infrastructure requirements. The MPI license applies once a PSP crosses MAS’s volume thresholds for any regulated service.
MAS requires licensed PSPs to monitor transactions in real time and apply specific thresholds to flag suspicious activity. A transaction exceeding 25% of an account balance triggers a mandatory flagging and customer verification obligation. The monitoring system must be documented, configurable and able to produce evidence for MAS examination.
Yes. MAS requires ongoing due diligence, which means continuously screening customers and counterparties after onboarding. Weekly or more frequent screening is the expected standard. A firm that only screens at onboarding will miss post-onboarding changes to PEP or sanctions status and create a gap that MAS examinations will find.
MAS requires licensed institutions to file Suspicious Transaction Reports with the Suspicious Transaction Reporting Office when they identify potentially suspicious activity. MAS expects the report to originate from the FMS case management workflow, with an auditable chain of events from the initial alert through investigation to the filed report. Manual processes outside the FMS create a documentation gap.
