Data privacy and protection Archives - MyBusiness in Asia
https://mybusiness-asia.com/tag/data-privacy-and-protection/

Corporate Service Compliance: How to Navigate KYC Regulations in Singapore
https://mybusiness-asia.com/corporate-service-compliance-how-to-navigate-kyc-regulations-in-singapore/
Mon, 13 Mar 2023

Many business owners seek opportunities in Singapore, as the country has established itself as a leading financial center in Asia by offering a stable business environment and a leading position in ease of doing business. However, it is inevitable that a handful of undesirable businesses, such as money launderers and entities using unusual business structures to conceal their ultimate beneficial owners, find their way into the financial hub. For that reason, important KYC (Know Your Customer) regulations apply in Singapore when opening new companies and receiving corporate services.

Enhanced Regulatory Framework for Corporate Service Providers

The Accounting and Corporate Regulatory Authority (“ACRA”), which governs Corporate Service Providers (“CSPs”), public accountants and companies in Singapore, enhances professional standards to align them with the recommendations of the global Financial Action Task Force (“FATF”), which aims to safeguard against money laundering and terrorism financing on an ongoing basis. This means that service providers are responsible for applying due diligence requirements and KYC to their own clients.

CSPs are firms that provide corporate services to other businesses and file transactions on their behalf with ACRA. These services typically include:

  1. Formation of local companies and registration of foreign companies in Singapore.
  2. Provision of Registered Address service.
  3. Acting as company secretary.
  4. Provision of local resident director.
  5. Filing of annual returns with ACRA.
  6. Filing of changes to corporate structure for the client company such as changes in directors, shareholders, share capital, etc.

What are the KYC documents for your Company?

ACRA has released an Enhanced Regulatory Framework that sets out specific requirements for CSPs, allowing them to reduce compliance risks. Should you engage a CSP to provide the above corporate services for your business, your CSP may, at a minimum, request the following to identify you and verify your identity:

  • Identification proof (Valid IDs, Residence, Date of Birth, Nationality of shareholders and members of the beneficial owners)
  • Copy of the company’s Business profile
  • Copy of the company’s Memorandum and Articles of Association

What additional information does a Service Provider usually require?

Your CSP will also consider your background, business activities, source of income, country of origin and residence, the nature and purpose of your accounts and the persons acting on your behalf, and will assess a comprehensive range of factors to determine your entity’s risk level. They may review the risk level of their clients whenever necessary. They are expected to conduct regular inspections based on risk assessment procedures.

The benefits of high ethical standards and meeting compliance requirements with your Corporate Service Provider

While these new measures may seem tedious and time-consuming, regulatory compliance is necessary to uphold Singapore’s business environment. It is also important to note that many countries are taking similar steps to prevent money laundering and financing of terrorist activities. Engaging a corporate service provider with a team of qualified professionals would ensure your firm’s transparency and accountability.

Going through the KYC exercise in Singapore is also beneficial for companies that want to safeguard themselves from reputational risks. Completing the KYC process is a step toward full compliance with local regulations and international standards.

Appointing a Data Protection Officer for Your Business in Singapore
https://mybusiness-asia.com/appointing-a-data-protection-officer-for-your-business-in-singapore/
Mon, 24 May 2021

This article highlights the crucial role of a Data Protection Officer (DPO) under Singapore's PDPA, focusing on responsibilities and strategies for compliance. It underscores the need for collaborative efforts between businesses and their DPOs to uphold data protection standards effectively.

Under Singapore’s Personal Data Protection Act (PDPA), organizations (such as businesses) are required to appoint at least one individual as their Data Protection Officer (DPO) to ensure their compliance with the PDPA.

Your business’ DPO can be either an employee or a third party. However, take note that your business is not exempted from fulfilling its data protection obligations just because you have appointed a DPO for it.

This article sets out the responsibilities that you may task your DPO with, and discusses how you can help your DPO fulfil these responsibilities more effectively.

The PDPA does not state the responsibilities that your DPO has to undertake. However, you could task your DPO with:

  • Crafting and implementing processes and policies for the handling of personal data, in accordance with your business’ data protection obligations;
  • Increasing your stakeholders’ awareness of both these data protection policies and your business’ data protection obligations;
  • Handling queries and complaints regarding your business’ protection of personal data;
  • Informing management of any data protection-related risks which may arise; and
  • Liaising with the Personal Data Protection Commission (PDPC), which administers and enforces the PDPA, where necessary.

Given the importance of such tasks, should you decide to appoint an employee as your DPO, you may consider appointing someone from the middle to senior management levels.

Here are several ways in which you can enhance your business’ capabilities to help your DPO fulfil his/her responsibilities more effectively:

  • Send your DPO for a data protection course: Through these courses, your DPO can gain a better understanding of the scope of his/her responsibilities and the steps he/she can take to ensure your business complies with the PDPA.
  • Keep your DPO up-to-date on the latest data protection matters.
  • Evaluate your business’ data management processes and frameworks and determine if they are consistent with the 9 main obligations under the PDPA.
  • Evaluate which of your business’ databases contain personal data and determine who can access such data, how such data is stored and how long it will be kept.
  • Identify the areas where the personal data in your business’ possession might be compromised, and craft and implement measures to reduce such risks.
  • Ensure that your employees are familiar with your business’ data protection processes, frameworks and policies.
  • Implement a procedure to be followed should a member of the public have a query or complaint on how your business handles personal data.
  • Finally, although the DPO is not required to be physically present in Singapore, they should be readily accessible from Singapore and operational during Singapore business hours.


The role of a DPO is far from straightforward. Therefore, to ensure compliance with the PDPA, it is crucial that your business work alongside your DPO in implementing the relevant data protection policies, processes and frameworks, as well as conducting regular employee training and internal audits.

Data Protection Regulation and Requirements in Singapore
https://mybusiness-asia.com/data-protection-regulation-and-requirements-in-singapore/
Fri, 16 Apr 2021

This article offers essential insights into Singapore's Personal Data Protection Act (PDPA), highlighting key obligations for businesses and emphasizing the importance of compliance in handling personal data. Covering aspects like consent, data protection officers, and alignment with international regulations such as GDPR, it underscores the significance of maintaining trust and meeting legal requirements across jurisdictions.

Below we outline some key aspects your company should note in relation to the Personal Data Protection Act (PDPA) in Singapore.

Businesses are handling more and more personal data as technology advances make this easier each year. In response, the government and legislators are continuously issuing new guidance and requirements to keep consumers informed and their data safe.

Regulations vary between countries, and it can be challenging to ensure compliance when you operate in multiple jurisdictions.

Personal data refers to data about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access. Most organisations hold personal data. This may include the personal data of their clients, suppliers and even their employees. The PDPA provides guidelines to protect such information.

The PDPA provides a baseline standard of protection for personal data in Singapore. It works in addition to other regulatory frameworks and any applicable sector-specific legislation (for example the Banking Act and Insurance Act). The PDPA comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. This does not mean that you are not allowed to handle personal data in Singapore. On the contrary, the PDPA recognises the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. The legislation acts to ensure that personal data is not misused. It maintains consumer and investor trust in organizations and strengthens Singapore’s position as a trusted business hub. We will examine some of the key provisions of the PDPA below.

The PDPA outlines ten main obligations for businesses to consider when creating their policies and processes in relation to handling personal data:

  • Consent – You must obtain explicit consent from individuals to handle their personal data. You must also ensure that customers can withdraw their consent.
  • Purpose limitation – You may only collect personal data that a reasonable person would consider appropriate in the circumstances.
  • Notification – You must notify individuals that you are collecting their data and how it will be used.
  • Access and Correction – Individuals have the right to request access to and to correct their personal data held by organisations.
  • Accuracy – You should take steps to verify that the information you have gathered is accurate if you are using the data in a way that affects the individual or if you are transferring the data to another organisation.
  • Protection – You must keep personal data safe. This includes both physical safety such as locked cabinets and online safety such as encryption and other cyber security solutions.
  • Retention limitation – You may only retain personal data for a reasonable period to meet the purpose for which it was obtained.
  • Transfer limitation – You may not transfer personal data to organisations outside Singapore unless you maintain control of the data.
  • Data Breach Notification – Where required, you must notify individuals and/or the Commission of any data breach.
  • Accountability – Organisations are required to take steps in order to ensure they meet their data protection obligations.

Many of these items can be covered in your Privacy Policy and Terms and Conditions. These are key documents so make sure they are readily available and easy for customers, suppliers and partners to understand.

Under the PDPA, Singapore registered companies are required to appoint at least one individual as the Data Protection Officer (DPO) to oversee data protection responsibilities and ensure the company is in compliance with the PDPA. The DPO is to be appointed via ACRA filing and the details of the appointee must be available to the public.

The responsibilities of a DPO include, but are not limited to:

  • Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
  • Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
  • Managing personal data protection-related queries and complaints;
  • Alerting management to any risks that might arise with regard to personal data; and
  • Liaising with the PDPC on data protection matters, if necessary.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. Through this service, individuals can register their telephone numbers to ensure they do not receive unwanted calls or marketing messages.

Organizations are prohibited from sending marketing messages or making marketing calls to numbers on the DNC Register. When sending marketing messages to other numbers, you must ensure that you provide an opt-out function. There are some exceptions to DNC requirements, such as messages about charitable causes and surveys. Additionally, if you have explicit consent, you may send marketing messages without checking the DNC Register.

The European Union General Data Protection Regulation, widely known as GDPR, is the EU-wide personal data protection legislation. GDPR may apply to organisations in Singapore if they offer goods or services to customers in the EU. The PDPA and GDPR regimes have different requirements, so compliance with one does not mean automatic compliance with the other. However, they are well aligned in many aspects and recent changes to the PDPA legislation have brought them closer.

The safety and appropriate use of personal data is important to both regulators and individuals. Developing sound policies and processes that are easily accessible is the best way to ensure compliance.
