PayNow‑UPI in Singapore: Legal Checklist for Merchants & Payment Providers

By Global Law Experts
– posted 2 hours ago

The PayNow‑UPI cross‑border linkage between Singapore and India has moved rapidly from pilot curiosity to mainstream payment rail, and the compliance landscape surrounding PayNow UPI Singapore acceptance is tightening in step. The Monetary Authority of Singapore (MAS) launched the real‑time linkage to enable instant, low‑cost transfers between the two countries, while the Association of Banks in Singapore (ABS) published scheme rules and participating‑bank requirements that every merchant and payment service provider (PSP) must now navigate.

At the same time, updated guidance from the Personal Data Protection Commission (PDPC) on cross‑border data transfers, intensified AML/KYC expectations under the Payment Services Act, and growing merchant adoption through aggregators such as HitPay mean the regulatory surface area has expanded well beyond simple QR‑code acceptance. This article delivers a single, structured legal checklist, covering PDPA obligations, AML/KYC controls, MAS licensing thresholds, and contract‑drafting essentials, designed for heads of payments, in‑house counsel, fintech founders, and merchants evaluating whether and how to accept UPI via PayNow in Singapore.

Quick Compliance Decision Box, Merchant vs PSP

| Question | Merchant (retailer) | PSP / Aggregator |
| --- | --- | --- |
| Do I need a MAS licence to accept UPI? | Generally no, merchants accept payments, not provide payment services | Likely yes, if you process, aggregate or facilitate cross‑border remittance |
| Am I subject to PDPA cross‑border transfer rules? | Yes, if you collect or handle payer personal data | Yes, heightened obligations as data intermediary |
| Do I file SARs/STRs directly? | No, cooperate with acquirer/PSP | Yes, primary obligation to report suspicious transactions |
| Must I conduct KYC on UPI payers? | No, payer KYC sits with issuing bank in India | Yes, CDD on merchants you onboard and ongoing transaction monitoring |
| Key contract clauses needed? | Indemnity, PDPA transfer, SLA, refund rules | All merchant clauses plus AML cooperation, regulatory change, outsourcing |

Can Merchants Accept UPI via PayNow in Singapore?

Yes, merchants in Singapore can accept UPI payments through the PayNow‑UPI linkage, provided they are integrated with a participating bank or a licensed PSP that supports the scheme. The MAS media release confirming the launch made clear that the linkage enables users in India to pay Singapore‑based merchants by scanning a PayNow QR code or entering a Unique Entity Number (UEN) directly from a UPI‑enabled app. The ABS PayNow‑UPI FAQ confirms that payments are routed via NPCI International (NIPL) on the India side and the relevant Singapore participating bank on the receiving side.

Merchant Acceptance Models: In‑Store, E‑Commerce, and Inbound Tourist Flow

Merchants have three principal routes to accept UPI via PayNow in Singapore:

  • Direct bank integration. The merchant holds a PayNow‑registered account with a participating bank (such as DBS/POSB, OCBC, or UOB) and displays a static or dynamic PayNow QR code at the point of sale. The payer in India scans the code using their UPI app, and funds settle into the merchant’s Singapore bank account.
  • PSP / aggregator model. The merchant onboards through a payment aggregator, for example, HitPay or Liquid Group, that maintains the participating‑bank relationship and provides a unified checkout. Industry reports indicate that PSP‑led adoption has accelerated merchant coverage significantly, particularly for small and medium enterprises without direct bank integration capacity.
  • E‑commerce checkout. Online merchants can embed a PayNow‑UPI payment option through their PSP’s API or hosted payment page, enabling Indian customers to complete cross‑border payments that Singapore merchants would otherwise process through card rails or wire transfers.

Regardless of the model, the merchant must verify that its bank or PSP is a confirmed participant in the PayNow‑UPI scheme and that the integration supports the specific transaction types the merchant needs (person‑to‑merchant, dynamic QR, refunds). The DBS PayNow‑UPI product page and the POSB promotional materials provide practical examples of how bank‑side onboarding works at the retail level.

Cross‑Border Funds and Data Flows: Parties, Clearing, and Settlement

Understanding the full transaction chain is essential for mapping compliance obligations across every entity involved in a PayNow UPI Singapore transaction. The linkage involves multiple parties on both sides of the corridor, and personal data moves with the payment instruction at every hop.

Transaction Flow, Step by Step

  • Step 1, Initiation. The payer in India opens a UPI‑enabled app and scans the Singapore merchant’s PayNow QR code or enters the merchant’s UEN / mobile‑linked proxy.
  • Step 2, UPI processing. The payer’s bank in India authenticates the transaction and routes the instruction to NPCI (National Payments Corporation of India), which forwards it to NPCI International (NIPL).
  • Step 3, Cross‑border routing. NIPL transmits the payment instruction to the Singapore participating bank (the merchant’s acquiring bank or the PSP’s settlement bank). The instruction carries payer identification data, transaction amount, and timestamp.
  • Step 4, Credit and settlement. The Singapore participating bank credits the merchant’s PayNow‑registered account. Foreign‑exchange conversion is handled at the point of settlement by the participating banks or their appointed clearing partners, as described in the ABS scheme documentation.
  • Step 5, Confirmation. Both the payer (via UPI app notification) and the merchant (via bank or PSP notification) receive real‑time confirmation.

Points of Regulatory Control, Who Holds Personal and Payment Data

From a compliance perspective, personal data, including payer name, UPI Virtual Payment Address (VPA), mobile number, and transaction metadata, is handled by the payer’s bank, NPCI, NIPL, and the Singapore participating bank or PSP. Each of these entities is a potential data controller or processor under the applicable data protection regime. For organisations subject to Singapore’s Personal Data Protection Act (PDPA), the critical question is which data elements the merchant or PSP receives, stores, or processes, and whether any of that data is transferred outside Singapore during reconciliation, dispute resolution, or reporting.

NIPL’s operational guides confirm that limited payer data is transmitted to the receiving side, but even limited personal data triggers PDPA obligations if it falls within the definition of personal data under the Act.

PDPA and Cross‑Border Data Transfers: Practical Steps for PayNow UPI Compliance

Any organisation in Singapore that collects, uses, or discloses personal data in connection with PayNow‑UPI transactions must comply with the PDPA. The PDPC’s guidance on cross‑border data transfers is particularly relevant because the payment flow inherently involves data movement between India and Singapore.

The PDPA requires organisations transferring personal data outside Singapore to ensure that the recipient provides a standard of protection comparable to what the PDPA requires. The PDPC has outlined several acceptable mechanisms for achieving this, and merchants and PSPs should treat PDPA cross‑border transfers as a Day 1 compliance priority rather than a downstream afterthought.

When Consent Is Sufficient vs When Contractual Safeguards Are Required

Under the PDPA, an organisation may transfer personal data overseas if the individual consents to the transfer after being informed that the data will be sent outside Singapore. However, relying solely on consent is often impractical for high‑volume payment flows where the payer is located in India and may never interact directly with the Singapore merchant’s privacy notice. Industry observers expect that most merchants and PSPs will need to rely on contractual safeguards, typically a binding agreement with the overseas recipient ensuring comparable protection, rather than individual consent alone.

Actionable steps for merchants and PSPs:

  • Map data flows end to end. Document every point at which personal data enters, transits through, or exits your systems in connection with PayNow‑UPI transactions. Include payer data received from the bank or PSP, transaction metadata, and any data shared with third‑party processors.
  • Conduct a transfer impact assessment. Evaluate the data protection regime in each jurisdiction through which personal data passes (primarily India). Assess whether contractual safeguards, binding corporate rules, or other mechanisms are needed.
  • Update privacy policies and notices. Ensure your privacy notice discloses that personal data may be transferred outside Singapore in connection with cross‑border payment processing, and identify the countries involved.
  • Implement contractual safeguards. Execute data protection clauses with each counterparty (bank, PSP, NIPL settlement partner) that receives personal data, requiring them to protect the data to a standard comparable to the PDPA.
  • Appoint and empower a Data Protection Officer (DPO). Ensure the DPO has visibility over cross‑border payment data flows and is involved in onboarding decisions for new PSPs or bank partners.

Data Minimisation and Retention for Payments

The PDPA’s data minimisation and retention obligations require organisations to collect only the personal data necessary for the stated purpose and to cease retaining it when it is no longer needed. For PayNow‑UPI transactions, this means merchants should not store payer UPI VPAs or mobile numbers beyond the period required for reconciliation, refunds, and regulatory record‑keeping. PSPs should implement automated data purge schedules aligned with both PDPA retention limits and AML record‑keeping requirements (which may mandate longer retention, see below).

Sample PDPA Cross‑Border Transfer Clause (Template, Seek Counsel Review)

“The Receiving Party shall protect all Personal Data transferred under this Agreement to a standard at least comparable to the protection afforded under the Singapore Personal Data Protection Act 2012. The Receiving Party shall not transfer such data to any third party or further jurisdiction without the prior written consent of the Disclosing Party and shall implement technical and organisational safeguards reasonably necessary to prevent unauthorised access, use, or disclosure.”

This template is illustrative. Organisations should obtain legal advice to tailor the clause to their specific transaction flows and counterparty arrangements. For a deeper treatment of PDPA cross‑border data transfer obligations for fintechs, including additional clause templates and worked examples, see our forthcoming guide on PDPA cross‑border obligations for fintechs.

AML/KYC Obligations and Transaction Monitoring for PayNow UPI Singapore

Anti‑money laundering (AML) and know‑your‑customer (KYC) obligations for payments in Singapore are distributed across the transaction chain, and the allocation of responsibility differs significantly depending on whether an entity is a merchant, a PSP, or a bank.

| Entity Type | Primary AML/KYC Obligations | Who Typically Performs / Owns Compliance |
| --- | --- | --- |
| Merchant (retailer) | Identify customers for high‑value P2M transactions; cooperate with PSPs on suspicious activity reporting; keep transaction records | Merchant for commercial records; PSP/acquirer leads KYC/monitoring |
| Payment Service Provider (PSP) / Aggregator | CDD/KYC onboarding, transaction monitoring, SAR reporting to Suspicious Transaction Reporting Office (STRO), AML programme, audit trail | PSP owns KYC/monitoring and reporting; merchant must supply required information |
| Bank / Acquirer / Non‑bank Financial Institution (NFI) | Settlement, transaction screening, sanctions checks, AML reporting to authority | Bank leads SAR/STR submission and regulatory reporting |

High‑Risk Indicators for UPI Cross‑Border Remittances

Cross‑border payment corridors carry elevated AML risk by nature. For PayNow‑UPI flows, PSPs and acquiring banks should calibrate their transaction monitoring systems to flag:

  • Unusual transaction volumes or velocity: sudden spikes in UPI‑originated payments to a single merchant account.
  • Structuring behaviour: multiple transactions just below reporting thresholds within a short period.
  • Mismatched business profiles: a merchant whose declared business type does not align with the volume or nature of UPI payments received.
  • High‑risk jurisdictions: transactions involving intermediary entities or settlement paths through jurisdictions flagged by the Financial Action Task Force (FATF).

Customer Due Diligence for Merchants

Merchants accepting PayNow‑UPI payments are generally not required to perform KYC on the Indian payer; that obligation sits with the payer’s bank in India under the Reserve Bank of India’s (RBI) regulations. However, merchants must cooperate with their acquiring bank or PSP by providing requested information, maintaining accurate transaction records, and reporting any suspicious activity they observe. Merchants operating in sectors classified as higher risk (such as high‑value retail, luxury goods, or travel) may face additional due diligence expectations from their PSP or bank. For organisations interested in how other jurisdictions approach payment‑operator licensing, our comparative guide on obtaining an IMTO licence in Nigeria illustrates a parallel regulatory framework.

MAS Licensing, Sandbox, and Regulatory Obligations for PSPs

Whether a PSP or aggregator needs a licence from MAS depends on the specific payment services it provides. Under the Payment Services Act 2019 (PS Act), MAS regulates a range of payment services including domestic money transfer, cross‑border money transfer, merchant acquisition, and e‑money issuance. Any entity that facilitates cross‑border money transfer as part of the PayNow‑UPI flow, rather than merely accepting payments as a merchant, is likely to require MAS payment licensing.

The PS Act establishes a tiered licensing framework:

  • Standard Payment Institution (SPI) licence: for entities whose payment transaction volumes or e‑money float remain below prescribed thresholds.
  • Major Payment Institution (MPI) licence: required once an entity exceeds the SPI thresholds for any single payment service or on an aggregate basis.
  • Money‑Changing licence: relevant where the entity’s primary activity is foreign exchange, which may intersect with UPI settlement FX.

PSPs that are in the process of building out their PayNow‑UPI capability but are not yet ready to apply for a full licence may explore the MAS regulatory sandbox, which permits live testing of innovative financial services within defined boundaries and timeframes. The sandbox pathway does not exempt entities from AML/KYC obligations but may provide temporary relief from certain licensing requirements while the business model is validated.

Checklist for Applying for a MAS Licence or Entering the Sandbox

  • Classify your services. Map every payment activity you perform (acquisition, cross‑border transfer, domestic transfer, e‑money) against the PS Act definitions to determine which licence class applies.
  • Assess thresholds. Calculate current and projected transaction volumes and e‑money float against SPI and MPI thresholds.
  • Prepare governance documentation. MAS requires detailed information on directors, shareholders, AML policies, technology risk management, and business continuity plans.
  • Engage MAS early. Pre‑application consultations with MAS can clarify whether a sandbox entry is appropriate or whether a full licence application should be filed directly.
  • Budget for compliance infrastructure. Ongoing obligations include PRISM reporting, outsourcing risk assessments, technology risk management, and annual AML audits.

Ongoing Compliance: PRISM, Reporting, and Outsourcing

Licensed PSPs must comply with MAS’s ongoing supervisory requirements, including regular reporting through the MAS Electronic Payment System (MEPS+) and the Payment and Reconciliation Information System for MAS (PRISM), as applicable. Outsourcing arrangements, including the use of third‑party technology vendors for QR‑code generation, reconciliation, or fraud detection, must comply with MAS outsourcing guidelines, which require PSPs to conduct due diligence on service providers, maintain oversight, and ensure that outsourced functions remain subject to MAS examination. For a comparative perspective on payment‑licensing regimes outside Singapore, see our guide on MSB licensing in Canada.

Commercial and Contracting Checklist for PayNow UPI Legal Compliance

Contract architecture is where compliance obligations become enforceable between parties. Whether you are a merchant onboarding a PSP or a PSP negotiating with a participating bank, the following clauses should feature in every PayNow‑UPI‑related agreement:

  • PDPA cross‑border transfer clause. As templated above, require the counterparty to protect personal data to PDPA‑comparable standards and restrict onward transfers.
  • AML cooperation clause. Obligate each party to cooperate with AML investigations, provide requested records within specified timeframes, and notify the other party of any regulatory inquiry relating to PayNow‑UPI transactions.
  • Indemnity for settlement failures. Allocate financial responsibility for failed, delayed, or misdirected settlements, including FX losses arising from delayed conversion.
  • Service‑level agreements (SLAs). Define settlement timelines (e.g., T+0, T+1), uptime commitments, and reconciliation deadlines. Include penalties or service credits for breach.
  • Refund and chargeback allocation. Specify the process and financial responsibility for refunds initiated by the payer or required by scheme rules.
  • Regulatory change clause. Permit either party to renegotiate or terminate if a change in MAS, PDPC, or RBI/NPCI regulations materially affects the economics or legality of the arrangement.
  • Termination triggers. Include termination rights linked to loss of MAS licence, material AML breach, data breach, or scheme de‑participation.

Sample AML Cooperation Clause (Template, Seek Counsel Review)

“Each Party shall maintain and enforce an anti‑money laundering and counter‑terrorism financing programme that complies with the laws and regulations applicable to it, including the Payment Services Act 2019 and MAS Notices. Each Party shall, upon reasonable request, provide the other Party with information and records necessary to fulfil its AML/CFT obligations and shall promptly notify the other Party of any regulatory investigation or enforcement action relating to transactions processed under this Agreement.”

Sample Indemnity for Settlement Failures (Template, Seek Counsel Review)

“The PSP shall indemnify the Merchant against any direct financial loss arising from a settlement failure attributable to the PSP’s systems, processes, or participating bank arrangements, including foreign‑exchange losses incurred due to delayed settlement beyond the SLA timeline, provided that the Merchant has complied with all reconciliation and notification obligations under this Agreement.”

Merchants and PSPs exploring broader fintech structuring options, including setting up an investment fund alongside a payments business, should ensure that contractual frameworks account for multiple regulated activities.

Technical and Operational Checklist: Integration, Settlement, and Refunds

Legal compliance and technical implementation must be aligned from the outset. The following operational checklist covers the key integration and risk‑management steps for merchants and PSPs enabling PayNow UPI Singapore acceptance:

  • QR code and VPA mapping. Confirm that your PayNow QR code or UEN is correctly registered with your participating bank and that UPI apps in India can resolve it. Test with multiple UPI apps before going live.
  • Reconciliation. Implement daily automated reconciliation between your bank/PSP settlement statements and your internal transaction records. Flag discrepancies within 24 hours.
  • Refund handling. Define a clear refund workflow in your merchant‑PSP contract. Confirm whether refunds are processed via the PayNow‑UPI rail or through an alternative channel, and document the timeline for payer credit.
  • Settlement timelines. Verify the settlement cycle with your bank or PSP (typically real‑time credit for the merchant, with FX settlement following within one to two business days). Build SLA terms around confirmed timelines.
  • Fraud response and notification. Establish an incident‑response playbook covering unauthorised transactions, suspected fraud, and data breaches. Ensure the playbook includes notification to MAS (for licensed PSPs), PDPC (for data breaches meeting the notification threshold), and affected individuals.

Risk Register Template (Sample)

| Risk Category | Example Risk | Mitigation | Owner |
| --- | --- | --- | --- |
| Settlement | Delayed FX conversion causing merchant loss | SLA with penalty; indemnity clause in PSP contract | PSP / Bank |
| Data protection | Payer personal data stored beyond retention period | Automated purge schedule; DPO oversight | Merchant / PSP |
| AML | Structuring activity on merchant account | Transaction monitoring rules; SAR filing protocol | PSP / Bank |
| Operational | QR code resolution failure for UPI apps | Pre‑launch testing; fallback payment method | Merchant / PSP |
| Regulatory | MAS licence threshold exceeded mid‑year | Monthly volume monitoring; licence upgrade trigger | PSP |

Operational teams should treat this register as a living document, reviewing and updating it quarterly or whenever a material change occurs in scheme rules, MAS guidance, or transaction volumes. To find experienced technology and payments counsel in Singapore, consult the Global Law Experts lawyer directory for Singapore.

Conclusion: Next Steps for PayNow UPI Singapore Compliance

The PayNow‑UPI linkage represents a significant opportunity for Singapore merchants and PSPs to capture cross‑border payment flows from one of the world’s largest digital‑payments markets. However, the compliance burden is real and multi‑layered, spanning PDPA cross‑border data transfers, AML/KYC obligations calibrated by entity type, MAS licensing thresholds, and contract architecture that must withstand regulatory scrutiny. Early indications suggest that regulators on both sides of the corridor will continue to tighten expectations as transaction volumes grow through 2026 and beyond.

To move from assessment to implementation, organisations should:

  • Complete the data‑flow mapping and PDPA transfer impact assessment before onboarding any new PSP or bank partner.
  • Classify all payment activities against the PS Act to confirm whether MAS licensing is required.
  • Execute contracts that include the PDPA transfer, AML cooperation, and settlement indemnity clauses outlined above.
  • Establish a cross‑functional compliance team (legal, payments, technology, DPO) to manage ongoing obligations.
  • Engage qualified legal counsel to review your specific transaction flows, licensing position, and contractual arrangements.

For expert guidance on PayNow UPI Singapore compliance, MAS licensing, and PDPA data transfer obligations, consult a qualified payments and technology lawyer through the Global Law Experts directory.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Geraldine Tan at Amica Law, a member of the Global Law Experts network.

Sources

  1. Monetary Authority of Singapore, Media Release: Launch of Real‑Time Payments Between Singapore and India
  2. Association of Banks in Singapore, PayNow
  3. DBS, PayNow‑UPI Product Page
  4. NPCI International (NIPL), UPI PayNow Linkage
  5. Personal Data Protection Commission (PDPC), Singapore
  6. MAS, Payment Services Licensing & Guidance
  7. FintechNews Singapore, HitPay UPI Merchant Acceptance
  8. POSB, PayNow‑UPI Promotion Page

FAQs

Will Indian UPI work in Singapore, can merchants accept UPI?
Yes. Through the PayNow‑UPI linkage, merchants in Singapore can accept UPI payments when they enable PayNow via a participating bank or licensed PSP. Practical acceptance depends on the merchant’s integration model: POS QR code, e‑commerce checkout, or PSP‑hosted payment page.
The linkage routes a UPI payment instruction from the payer’s bank in India via NPCI and NPCI International (NIPL) to the recipient’s PayNow‑registered account in Singapore. Settlement and foreign‑exchange arrangements are handled by participating banks and their clearing partners on both sides.
Organisations must take reasonable steps to ensure overseas recipients of personal data provide protection comparable to the PDPA. This typically requires contractual safeguards, updated privacy notices disclosing cross‑border transfers, and documented transfer impact assessments.
PSPs must implement customer due diligence, transaction monitoring, and suspicious transaction reporting to Singapore’s STRO. Merchants must cooperate with their PSP or bank, maintain records, and escalate any suspicious activity they observe.
Generally, merchants do not need a MAS licence to accept payments. PSPs and aggregators that process, aggregate, or facilitate cross‑border money transfer as a service may require a Standard or Major Payment Institution licence; the determination depends on the specific payment services performed.
Define refund and chargeback rules clearly in the merchant‑PSP agreement. Implement reconciliation playbooks with documented timelines and ensure SLAs cover the refund processing window and financial responsibility allocation.
Essential clauses include a PDPA cross‑border transfer provision, AML cooperation obligation, indemnity for settlement failures, service‑level agreements on settlement timing and uptime, refund allocation rules, and regulatory change and termination triggers.
Liability depends on the contractual allocation between the parties and the facts, specifically whether the error originated with the payer, the routing infrastructure, or the receiving PSP/bank. Merchant‑PSP contracts should expressly allocate responsibility and define remediation steps for misdirected payments.
