Payment Services Act Crypto Provisions and Requirements: What You Must Know in 2026

• DATE: 15 01 26
• BY: Stellan Marwick

By January 2026, if you're running a crypto exchange, wallet service, or stablecoin platform anywhere in the world, you’re not just dealing with code and blockchain tech-you’re navigating a minefield of legal rules that vary wildly from country to country. The Payment Services Act crypto provisions aren’t a single law. They’re a patchwork of conflicting, fast-moving regulations that can shut you down overnight if you get one thing wrong.

Singapore’s No-Excuses Deadline

In Singapore, the clock ran out on June 30, 2025. The Monetary Authority of Singapore (MAS) didn’t ask nicely. They didn’t offer extensions. If your crypto platform wasn’t licensed under the Financial Services and Markets Act (FSMA) by that date, you’re done. No more trading. No more deposits. No more operations. Period.

It’s not just about getting a license. You have to prove you can protect users. That means strict rules on how you market crypto. No more ads saying "Get rich quick with Bitcoin." No more letting people buy crypto with credit cards. MAS banned that in September 2024 because too many retail investors lost money they couldn’t afford to lose.

Then there’s the Travel Rule. If you send or receive a crypto transfer over $1,000, you must share the sender’s and receiver’s full names, addresses, and account numbers with the other platform. Doesn’t matter if it’s Bitcoin, Ethereum, or some obscure token. The rule applies across all blockchains. You need systems that capture, store, and transmit this data automatically. Many small platforms failed because they thought they could handle it manually. They couldn’t.

Japan’s Systematic Evolution

Japan’s Payment Services Act has been evolving since 2009, but the big shift came in 2019 when they stopped calling crypto "virtual currency" and started calling it "crypto assets." That wasn’t just semantics-it meant the law now treated them like real financial instruments.

One of the toughest requirements? Cold storage. All customer crypto assets must be stored offline. No exceptions. If you’re holding user funds, they can’t sit on hot wallets connected to the internet. That’s how you prevent hacks. The 2022 update added a three-tier licensing system: Type 1 for full-service exchanges, Type 2 for limited services, and Type 3 for small operators. Each has different capital and compliance requirements.

In March 2025, Japan’s Cabinet approved new amendments to the Payment Services Act. Details aren’t fully public yet, but insiders say they’re targeting DeFi platforms and automated trading bots. Expect tighter rules on how you disclose risks, how you handle token listings, and how you report suspicious activity. Japan doesn’t move fast-but when they do, they move hard.

Europe’s PSD2 and MiCA Overlap

In the EU, things are messy because two big laws are stepping on each other’s toes: PSD2 and MiCA. The European Banking Authority (EBA) stepped in to clarify things in early 2026. Here’s the bottom line: if you’re moving crypto from one person to another as a payment, you need a PSD2 license. But if you’re just swapping Bitcoin for Ethereum, you don’t. MiCA covers that.

From March 2, 2026, all crypto platforms offering payment services must apply for PSD2 authorization. But here’s the catch: if you already have a MiCA license as a Crypto-Asset Service Provider (CASP), you can use that info to speed up your PSD2 application. The EBA wants to cut red tape, not double it.

But you still need to follow PSD2’s core rules. Strong Customer Authentication (SCA) is non-negotiable. If someone logs into their custodial wallet to send crypto, they must verify their identity with at least two factors-something they know, something they have, or something they are. You also have to report fraud. And if someone loses money because your system was hacked, you’re liable unless you prove you took all reasonable steps to prevent it.

What’s excluded? Exchanging crypto for fiat (like EUR or USD) and swapping one crypto for another. Those fall under MiCA, not PSD2. So if you’re only doing those, you don’t need a PSD2 license-but you still need a MiCA one.

The U.S. CLARITY Act: A New Map

The U.S. doesn’t have a "Payment Services Act," but the CLARITY Act, passed in late 2025, created something just as important: clarity.

Before this law, the SEC and CFTC were fighting over who got to regulate crypto. The SEC said everything was a security. The CFTC said most were commodities. The CLARITY Act ended that. It divided crypto into three buckets:

• Digital commodities (like Bitcoin and Ethereum) → regulated by CFTC
• Investment contract assets (tokens that promise profit from others’ efforts) → regulated by SEC
• Permitted payment stablecoins (pegged to USD, fully backed, audited) → regulated by both, but with a clear path to legal operation

This matters because now you know what rules apply to your product. If you’re issuing a stablecoin, you can’t just mint it and sell it. You need to prove you hold $1 in reserves for every $1 you issue. You need quarterly audits. You need to disclose where the reserves are held. And you can’t use them for speculative trading.

Broker-dealers can now legally custody and trade digital commodities. Exchanges can list them alongside securities without losing their exemption status. Recordkeeping rules were updated to accept blockchain-based ledgers. For the first time, the U.S. has a legal on-ramp for innovation-not just enforcement.

Why This Matters for Global Platforms

If you operate in more than one country, you’re not just managing one compliance system. You’re managing three or four at once.

Singapore says: no credit card buys, Travel Rule always, deadline passed. Japan says: cold storage only, three-tier licensing, new rules coming. Europe says: PSD2 for payments, MiCA for swaps, SCA mandatory. The U.S. says: classify your asset first, then follow the right regulator.

There’s no global standard. No one-size-fits-all solution. A platform that’s compliant in Singapore might be breaking the law in the U.S. because it’s offering credit card purchases. One that’s fine in Japan might be missing SCA under EU rules.

That’s why most global platforms now run separate legal entities for each region. Singapore entity. EU entity. U.S. entity. Each with its own compliance team, tech stack, and audit trail. It’s expensive. It’s slow. But it’s the only way to survive.

What Happens If You Ignore This?

In Singapore, you get shut down. Your website disappears. Your bank accounts freeze. Your executives could face fines or even criminal charges.

In the EU, regulators can fine you up to 5% of your global revenue. They can ban your services. They can force you to return customer funds.

In the U.S., the SEC can sue you. The CFTC can impose penalties. The IRS can come after you for tax evasion. The DOJ can charge you with operating an unlicensed money transmission business.

And in Japan? You lose your license. You can’t apply again for five years.

There’s no "we didn’t know" defense anymore. Regulators assume you’ve done your homework. They expect you to know the rules. And they’re watching.

What Should You Do Right Now?

If you’re running a crypto service in 2026, here’s your checklist:

1. Map out every country you operate in-or plan to operate in.
2. Identify which crypto activities you’re doing: trading, custody, payments, stablecoin issuance, DeFi lending?
3. Match each activity to the correct regulation: FSMA, PSA, MiCA, PSD2, CLARITY Act.
4. Verify your tech stack can meet Travel Rule, SCA, cold storage, and audit requirements.
5. Review your marketing materials. Are you promising returns? Using credit card ads? That’s a red flag in Singapore and the EU.
6. Get legal counsel familiar with all four jurisdictions. Don’t rely on general crypto lawyers.

Compliance isn’t a cost center. It’s your license to operate. Skip it, and you’re not just risking fines-you’re risking your entire business.