19

Payment Services Act Crypto Provisions and Requirements: What You Must Know in 2026

Payment Services Act Crypto Provisions and Requirements: What You Must Know in 2026

by Richard De Martin

If you're running a crypto exchange, wallet service, or any business handling digital assets, the Payment Services Act crypto provisions aren't just paperwork-they're make-or-break rules. Different countries have different rules, and missing a deadline can mean shutting down overnight. This isn't theory. It’s happening right now, in 2026.

Singapore’s No-Excuses Deadline: June 30, 2025

Singapore’s Monetary Authority (MAS) didn’t ask for compliance. They demanded it. The Financial Services and Markets Act (FSMA) went live on June 30, 2025. No extensions. No grace periods. If your platform wasn’t licensed by then, you’re done. No exceptions.

Here’s what you had to get right:

  • Travel Rule compliance: Every crypto transfer over a certain amount must carry full sender and receiver details-name, address, account number. This applies to Bitcoin, Ethereum, or any token. The system doesn’t care if it’s on Ethereum or Solana. If money moves, data follows.
  • No credit card crypto buys: Retail investors can’t use credit cards to buy crypto. MAS sees this as predatory. High-risk, high-debt, high-failure rate. So they banned it.
  • Risk disclosures: Every user must see clear warnings about volatility, loss potential, and scams. No marketing hype. No "guaranteed returns". Just facts.
  • Custody controls: Platforms must prove they hold users’ assets securely. No commingling. No unbacked reserves.

Platforms like CoinJar and Luno had to overhaul their entire KYC and transaction monitoring systems. Smaller exchanges that didn’t act? Gone.

Europe’s March 2, 2026 Switch: PSD2 Meets MiCA

The European Banking Authority (EBA) dropped its guidance on March 2, 2026. From that day, any crypto service offering payment functions-like converting crypto to euros or sending stablecoins-must be authorized under the Payment Services Directive 2 (PSD2).

But here’s the twist: MiCA (Markets in Crypto-Assets) is the bigger framework. PSD2 only applies if you’re doing payment services. So if you’re just trading Bitcoin for Ethereum? That’s MiCA, not PSD2. But if you let users pay for coffee with USDC? Now you’re under PSD2.

What does PSD2 require?

  • Strong Customer Authentication (SCA): Every time someone accesses a custodial wallet that acts like a payment account, they must log in with two factors-password + biometric or code.
  • Fraud reporting: If a user reports a stolen wallet or unauthorized transfer, you must report it to regulators within 24 hours.
  • Own funds requirements: You must hold enough capital to cover potential losses. Same as a bank.

Here’s what PSD2 ignores for crypto services:

  • IBAN numbers
  • Maximum transaction times
  • Open banking APIs
  • Disclosure of fees (as long as MiCA covers it)

Europe’s approach is "use what already works." If MiCA covers it, don’t double-regulate. But if you’re moving money like a bank, act like one.

Japan’s Systematic Evolution: Cold Wallets and Advertising Rules

Japan didn’t rush. They built step by step.

  • 2009: First allowed non-banks to handle money transfers.
  • 2016: Required crypto exchanges to register with the Financial Services Agency (FSA).
  • 2019: Changed "virtual currency" to "crypto assets" and made cold storage mandatory. No exceptions. If you’re storing users’ coins, 95%+ must be offline.
  • 2022: Added stablecoin rules and a three-tier license: Type 1 (full exchange), Type 2 (simple trading), Type 3 (custody only).
  • March 2025: Cabinet approved new amendments. Details still coming, but expect tighter advertising rules and stricter reporting for derivatives.

Japan’s rules are simple: if you advertise crypto, your ad must say "you could lose all your money" in the same font size as the main message. No flashy "get rich quick" claims. No influencers promising returns. And if you store user funds? Cold wallets only. No excuses.

A regulator blocks unauthorized crypto payments with a shield labeled PSD2 and SCA.

U.S. CLARITY Act: The Three-Category Split

The U.S. didn’t pass one law. They built a map.

The CLARITY Act divides crypto assets into three buckets:

  • Digital commodities: Bitcoin, Ethereum. Regulated by CFTC. Think of them like gold or oil.
  • Investment contract assets: Tokens that promise profits from others’ work. These are securities. Regulated by SEC.
  • Permitted payment stablecoins: USD-pegged tokens used for payments. Regulated under a new framework with Fed oversight.

What does this mean in practice?

  • If you’re a broker-dealer, you can now legally custody Bitcoin (a digital commodity) without SEC approval-just CFTC.
  • Exchanges can list Bitcoin and Ethereum alongside stocks without losing their exemption status.
  • DeFi protocols? The SEC is told to exempt certain decentralized activities if they meet safety standards.
  • Recordkeeping? You can now use blockchain ledgers as official books. No more PDF backups.

The U.S. isn’t banning innovation. It’s just saying: "If you’re doing banking, follow banking rules. If you’re trading a commodity, follow commodity rules. Don’t mix them."

Why This Matters for Global Operators

If you operate in more than one country, you’re juggling four different rulebooks.

  • In Singapore: No credit card buys. Full Travel Rule. No exceptions.
  • In Europe: Use SCA for wallet access. Report fraud fast. Ignore IBANs.
  • In Japan: Cold wallets only. Ads must include loss warnings.
  • In the U.S.: Classify every token. Know if it’s a commodity, security, or stablecoin.

One platform can’t use one system. You need:

  • Separate KYC flows for each region
  • Multiple transaction monitoring engines
  • Localized risk disclosures
  • Legal teams in each jurisdiction

Costs? A small exchange in Singapore spent $2.3 million on compliance in 2024. A European firm spent $1.8 million on PSD2 integration. There’s no shortcut.

A guardian stands before three temples representing U.S. crypto asset categories.

What’s Next in 2026?

The global crypto regulatory race isn’t slowing down. Here’s what’s coming:

  • More countries: Australia, Canada, and South Korea are finalizing their versions of PSA-style rules.
  • Stablecoin scrutiny: All major regulators now treat USD-backed tokens like digital cash. Expect tighter reserve audits.
  • DeFi regulation: The U.S. and EU are testing frameworks to regulate smart contracts without killing decentralization.
  • Interoperability: Regulators are starting to share data. Singapore and the EU are piloting cross-border Travel Rule data sharing.

The message is clear: crypto isn’t the Wild West anymore. It’s a regulated financial system-with rules that change by country, by asset type, and by transaction.

Frequently Asked Questions

Do I need a license if I only trade crypto for crypto?

In Europe, no-if you’re only swapping Bitcoin for Ethereum, you’re under MiCA, not PSD2. In Singapore, you still need a license if you’re running a platform that facilitates trades. In Japan, you need registration. In the U.S., it depends on whether the tokens are classified as commodities or securities. Always check local rules.

Can I use hot wallets for customer funds?

Only in the U.S., and even then, only for small amounts. Japan requires 95%+ cold storage. Singapore requires proof of secure custody, which hot wallets alone don’t satisfy. Europe doesn’t specify, but strong customer authentication applies to any wallet used for payments. Most firms now use cold storage universally to simplify compliance.

What happens if I miss the Singapore deadline?

You must stop all operations immediately. MAS has shut down 17 unlicensed platforms since 2024. Users can’t withdraw funds. Fines are steep. And you can’t reapply for six months. There’s no appeal. If you’re in Singapore, you had until June 30, 2025. That date is over.

Is the Travel Rule the same everywhere?

The core rule is similar: send and receive party info for transfers over $1,000. But implementation varies. Singapore requires full names, addresses, and account IDs. Europe accepts less detail if MiCA covers it. The U.S. hasn’t fully implemented it yet. Japan requires it only for transfers over ¥100,000. Always confirm thresholds and data fields per jurisdiction.

Can I use the same software for all regions?

Not easily. Singapore’s Travel Rule system needs real-time data sharing. Japan requires cold wallet logs. Europe needs SCA triggers. The U.S. needs asset classification engines. Most firms use modular systems: one core platform with region-specific modules. Building one-size-fits-all software is a recipe for non-compliance.

Payment Services Act crypto regulations crypto compliance Travel Rule cold wallet storage

2 Comments

  • Image placeholder

    shreya gupta

    March 20, 2026 AT 07:40
    So let me get this straight - we’re now treating Bitcoin like it’s a bank transfer? And we’re forcing exchanges to collect addresses for every transaction? That’s not regulation, that’s surveillance with a crypto logo. And don’t even get me started on ‘no credit card buys’ - because nothing says financial freedom like the government deciding what risks you’re allowed to take.

    Meanwhile, in India, we’re still trying to figure out if we can even open a wallet without a 12-step KYC process. You call this progress? I call it bureaucratic cosplay.
  • Image placeholder

    Robert Kunze

    March 21, 2026 AT 09:54
    lol i just tried to send eth to my friend and my wallet said 'strong customer auth required' like im at the bank?? bro its crypto its not supposed to be this hard. i just wanna buy some btc with my card and now im filling out forms like im applying for a mortgage. this is why people use p2p. its easier than talking to your ex.

Write a comment

*

*

*

Categories

Menu

© 2026. All rights reserved.