Payment Services Act Crypto Provisions and Requirements: What You Must Know in 2026

If you're running a crypto business or using crypto services in 2026, you can't afford to ignore the Payment Services Act (PSA) and its global ripple effects. This isn't just another regulatory update-it's a full overhaul of how digital assets are treated as financial instruments. Different countries have taken wildly different paths, and getting it wrong could mean losing your license, facing fines, or even shutting down operations overnight. There's no gray area anymore. The clock is ticking, and the rules are strict.

Singapore’s Absolute Deadline: No Extensions, No Mercy

Singapore’s Monetary Authority of Singapore (MAS) didn’t just set a deadline-they drew a line in the sand. By June 30, 2025, every crypto platform offering digital token services had to be fully licensed under the Financial Services and Markets Act (FSMA). No grace period. No exceptions. If you weren’t compliant by then, you’re done. No warnings. No appeals.

This isn’t about paperwork. It’s about behavior. MAS requires platforms to prove they can protect retail investors just like banks do. That means clear, unavoidable risk disclosures before any trade. No more flashy ads promising quick profits. No more letting people buy crypto with credit cards-those transactions are outright banned. You also can’t just assume a user knows what they’re doing. You must assess their experience, risk tolerance, and financial situation before letting them trade.

And then there’s the Travel Rule. If you send or receive crypto worth more than a set threshold (usually $1,000 or equivalent), you must share full details about both parties: name, address, account number, and transaction purpose. It doesn’t matter if it’s Bitcoin, Ethereum, or a stablecoin. The rule applies to every blockchain. Your system has to capture, store, and transmit this data automatically. Failure means non-compliance-and MAS doesn’t mess around.

Europe’s Balancing Act: PSD2 Meets MiCA

In Europe, the story is more complex. The European Banking Authority (EBA) issued guidance in early 2026 that crypto transfers can be treated as payment services under PSD2, but only under strict conditions. As of March 2, 2026, any firm offering crypto payment services must get authorized under PSD2. But here’s the twist: if you’re already licensed under MiCA as a Crypto-Asset Service Provider (CASP), you can use that information to speed up your PSD2 application. It’s not double work-it’s smarter work.

But not everything under PSD2 applies. Once you’re authorized, regulators won’t push you to follow every PSD2 rule. You don’t need to use IBANs. You don’t have to meet the same execution time rules. You don’t need to follow open banking protocols. What you do need to nail? Strong Customer Authentication (SCA). If someone logs into a custodial wallet that acts like a payment account, they must go through two-factor authentication. You must report fraud immediately. And you must calculate your capital reserves the same way a bank would-no shortcuts.

Here’s what doesn’t count as a payment service under this rule: swapping one crypto for another (like BTC for ETH) or exchanging crypto for fiat currency. Those fall under MiCA’s direct jurisdiction, not PSD2. That’s critical for platforms that focus on trading, not payments. Know the difference-or risk misclassifying your services and getting hit with penalties.

Japan’s Systematic Evolution: Cold Storage, Advertising, and Licensing

Japan’s Payment Services Act has been evolving since 2009, but the 2025 amendments show they’re not done yet. The big change? They made cold wallet storage mandatory. If you’re holding users’ crypto, at least 95% of it must be stored offline-no exceptions. Hot wallets are for small, daily transactions only. The rest? Locked away in air-gapped systems. This isn’t a suggestion-it’s a legal requirement.

Advertising? Heavily regulated. You can’t say crypto is “safe” or “guaranteed.” You can’t use influencers to push tokens without clear risk disclaimers. Even your website’s homepage has to show warnings before users can access trading. The 2019 shift from “virtual currency” to “crypto assets” wasn’t just semantic-it meant legal clarity. Now, if a token gives you a share of profits? That’s a security under the Financial Instruments and Exchange Act. You can’t treat it like a coin.

Japan also has a three-tier licensing system: Type 1 for full-service exchanges, Type 2 for domestic-only services, and Type 3 for limited operations. Each has different capital requirements and reporting obligations. The March 2025 cabinet approval hints at more changes coming-possibly around DeFi and stablecoins-but the core rules are already locked in. If you operate in Japan, you need to know your type. No guesswork.

The U.S. CLARITY Act: Classify or Get Out

The U.S. doesn’t have a single “Payment Services Act,” but the CLARITY Act (Clarifying Law Around Intent of Congress To Regulate Your) is the closest thing. It’s designed to end the chaos of “regulation by enforcement.” Instead, it gives clear categories:

• Digital commodities (like Bitcoin and Ethereum) → overseen by CFTC
• Investment contract assets (tokens sold as profit opportunities) → overseen by SEC
• Permitted payment stablecoins (backed 1:1 by USD or reserves) → treated like electronic money

Platforms can now broker, trade, or custody digital commodities without SEC interference-as long as they’re registered with the CFTC. The SEC can’t block an exchange just because it lists Bitcoin alongside a security. That’s huge. It means platforms can offer both without fear of being shut down.

Recordkeeping? Modernized. You can now use blockchain-based ledgers for books and records-no more PDFs and spreadsheets. And for DeFi? The SEC is instructed to create exemptions for decentralized protocols that don’t have a central operator. It’s not a free pass, but it’s a path forward.

Why This Matters for Global Operators

If your business operates in more than one country, you’re not dealing with one rulebook-you’re juggling three or four. Singapore demands real-time Travel Rule compliance. Europe wants SCA and fraud reporting. Japan insists on cold storage. The U.S. wants you to classify every token correctly.

There’s no one-size-fits-all solution. You can’t use one KYC system for all regions. You can’t use the same wallet architecture. You need separate compliance teams, different tech stacks, and localized legal oversight. A platform that works in Singapore might fail in Japan because their cold storage rules are stricter. A U.S.-based exchange might think they’re fine until they start serving European users and get hit with PSD2 fines.

The cost? High. The risk? Higher. But the alternative? Shutting down. No regulator is bluffing. Singapore enforced its deadline. Europe is auditing. Japan is inspecting. The U.S. is filing lawsuits.

What You Need to Do Now

Here’s what to check if you’re still operating:

1. Where do you operate? Map your user base. Are you serving Singapore? Europe? Japan? The U.S.? Each has different rules.
2. What services do you offer? Are you trading? Custody? Payments? Stablecoin issuance? Each triggers different regulations.
3. Are you using cold storage? If you’re in Japan or planning to be, 95% of assets must be offline.
4. Are you sharing Travel Rule data? If you’re in Singapore or dealing with EU entities, you must transmit sender/receiver details on transfers above threshold.
5. Are you using SCA? If you’re in Europe and your wallet acts like a payment account, two-factor login is mandatory.
6. Have you classified your tokens? If you’re in the U.S., you must determine if each token is a commodity, security, or stablecoin.

Don’t wait for a notice. Don’t assume your lawyer knows everything. Regulatory bodies are actively monitoring. They’re not asking-they’re enforcing. The window for excuses is closed.