MAS Notice PSN02: a practical reading for digital asset service providers.

What the Notice is, and where it sits

MAS Notice PSN02 — formally Notice to Payment Services Providers — Notice on Prevention of Money Laundering and Countering the Financing of Terrorism — Digital Payment Token Service — is the Monetary Authority of Singapore's binding instrument applying anti-money-laundering and counter-terrorism-financing obligations to entities licensed or exempt under the Payment Services Act 2019 to carry on digital payment token (DPT) services.

The Notice operates alongside, not in place of, the Payment Services Act 2019 itself, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA), and the Terrorism (Suppression of Financing) Act 2002 (TSOFA). PSN02 is the operational layer — what you have to do day-to-day to satisfy the underlying statutes.

If your business holds a Major Payment Institution licence with the DPT activity authorised, or you are a Standard Payment Institution carrying on DPT services, or you are an entity transitioning under the Payment Services (Amendment) Act 2021 regime — PSN02 applies to you. If you are an applicant, MAS will assess your readiness against this Notice during licensing.

Customer due diligence: what level, when

The Notice distinguishes three CDD intensities — simplified, ordinary, and enhanced — and prescribes when each is required.

Ordinary CDD applies at the start of every business relationship and before any one-off transaction at or above the relevant threshold. It requires identification of the customer, verification using reliable independent source documents, identification of beneficial owners where the customer is a legal person, and an understanding of the purpose and intended nature of the business relationship.

Enhanced CDD is required where the customer or beneficial owner is a politically exposed person, where the customer is from a jurisdiction with strategic deficiencies identified by the FATF, where the business relationship or transaction is unusually complex or large, and in other higher-risk situations the institution itself identifies through its risk assessment.

Simplified CDD may be applied only where the institution has assessed the customer or product as presenting lower risk, and even then certain core verification steps must still be performed.

For digital payment token services specifically, the verification step is where most implementation pain occurs. A reliable independent source for a natural person typically means government-issued identity documentation plus a liveness-checked biometric — and for legal persons, the certificate of incorporation, register of directors, and beneficial ownership declaration. The Notice does not specify the technical means, but in practice MAS expects you to be able to demonstrate that your verification withstands forgery and synthetic-identity attacks.

Transaction monitoring: continuous, not periodic

The Notice requires institutions to monitor transactions for unusual or suspicious patterns on an ongoing basis. Periodic batch review is not sufficient. The expectation is that your systems can identify, in something approximating real time, transactions that fall outside the customer's expected profile or that match typology indicators set by your risk methodology.

For DPT services this means, at a minimum, monitoring of the on-chain counterparties of every inbound and outbound transaction — including the chain of preceding transactions to a configurable depth. Sanctions screening must cover not only the named customer but the wallet addresses they transact with. Mixer use, peel chains, and exposure to known illicit-finance clusters are typology categories examiners will probe.

FINYON's Compliance Core engine handles this through a single composite signal that combines identity context, on-chain context, behavioural baseline, and policy posture — see the Compliance Core product page for the technical detail.

The Travel Rule, in operational terms

Section 13 of the Notice implements the FATF Recommendation 16 ("R.16") obligations for DPT transfers. In practice this requires that for any qualifying value transfer, the originating institution must transmit the originator's name, account number (or wallet address), and physical or legal address — and the beneficiary's name and account number — to the beneficiary institution before or at the time of the transfer.

For DPT transfers the threshold has been a moving target, and MAS has periodically issued guidance. As of the time of writing, the implementation expectation is full Travel Rule data exchange on all DPT transfers exceeding the prescribed value, with the institution responsible for ensuring that the receiving institution is capable of receiving and protecting the data — which in turn means counterparty due diligence on the recipient VASP.

The operational implementation question — how do you exchange this data with another VASP whose own messaging protocol you have not pre-agreed — is not solved by the Notice itself. The industry has converged on TRP, IVMS 101, and the FATF Travel Rule messaging standards as the interoperable approach. PSN02 does not prescribe one, but it does prescribe outcomes.

Sanctions screening: scope is everything

Section 9 requires sanctions screening at customer onboarding, on a continuous basis thereafter, and on the counterparties to each transaction. The lists in scope are the United Nations Security Council sanctions lists, the lists maintained under Singapore's own MAS Sanctions Regulations and the Terrorism (Suppression of Financing) Act, and — through the institution's risk-based approach — typically also OFAC, EU, and UK consolidated lists.

For wallet-level screening, the question of whose lists apply to which wallet is non-trivial. MAS's expectation is that your screening identifies sanctions-list exposure within a defensible number of hops on the transaction graph — not just direct counterparties. The depth and weighting of this analysis is where the patent-pending compliance engine in FINYON's Compliance Core differs from rule-based screening tools.

Suspicious transaction reporting

Where, in the course of business, your institution has reasonable grounds to suspect that any property, in part or in whole, directly or indirectly, represents the proceeds of, was used in connection with, or is intended to be used in connection with any criminal conduct — you must file a Suspicious Transaction Report with the Suspicious Transaction Reporting Office.

The threshold is suspicion, not certainty. The volume and quality of STRs your institution files is itself a supervisory signal: an institution that files few or none is likely to be questioned about the adequacy of its monitoring; an institution that files volumetric defensive reports without analytical content is likely to be questioned about the quality of its case work.

Record-keeping and supervisory access

Section 17 requires retention of CDD records, transaction records, and case files for not less than five years from the date of the transaction or the end of the business relationship, whichever is later. The records must be available to MAS, law enforcement, and the Suspicious Transaction Reporting Office on request — meaning your storage architecture must support timely retrieval under examination conditions.

In practice, this means a unified case management layer that can produce, for any historical decision, the underlying signals (identity verification result, on-chain analysis output, sanctions screening match or non-match, behavioural baseline at the time, policy applied) — not just the final outcome. Audit trails that show only "approved" or "declined" without the reasoning behind them will not satisfy supervisory examination.

Practical next steps

If you are operating a licensed DPT service in Singapore, or applying for a licence, the operational implications of PSN02 fall into four buckets: (1) onboarding and CDD systems capable of risk-tiered verification with sufficient assurance against synthetic identity; (2) transaction monitoring with continuous on-chain screening including sanctioned-address proximity analysis; (3) Travel Rule data exchange with all transacting VASPs above the threshold; (4) case management with five-year retention and supervisor-ready audit trails.

Each of these is a substantial engineering and operations project. FINYON's Compliance Core exists specifically to compress that project — and for licensed institutions taking on DPT activity inside an existing AML framework, the licensing-side conversation with our team typically begins with a gap analysis against your current setup. Get in touch if it would help.

This briefing is a working reading of MAS Notice PSN02 as it stood on the date of publication. It is not legal advice. Material amendments are common; consult counsel before relying on specifics in any operational decision. Last updated 15 May 2026.