Singapore: Additional regulatory requirements proposed for digital payment token service providers

In brief

The Monetary Authority of Singapore (MAS) has issued a consultation paper proposing additional regulatory safeguards, particularly around retail customer access, business conduct measures and technology risk management for cryptocurrency players. The MAS seeks to extend its regulatory focus beyond money laundering and terrorism financing risks, to holistically strengthen the regulatory framework, limit consumer harm and better address fraud protection in light of recent incidents, while acknowledging the need not to hamper digital innovation. The MAS proposes that these new requirements, once issued in the form of guidelines, will apply not only to licenced digital payment token (DPT) service providers licenced under the Payment Services Act 2019, but also to those currently operating under a transitional exemption from licencing while their licence applications are being reviewed (collectively, DPTSPs). 


Contents

Key proposed measures

We summarize the key proposed regulatory measures for DPTSPs below.

Limiting customer access

Consumer access measures for retail customers
  • The consumer access measures below are only applicable to Singapore residents who are accredited investors or institutional investors (i.e., retail customers) 
  • This non-retail eligibility status should be periodically assessed
  • The MAS is considering extending the scope to retail customers outside Singapore
Risk awareness assessment
  • DPTSPs must conduct a risk awareness assessment of retail customers to ensure sufficient risk awareness before DPT service provision, including, without limitation, the following:
    1. Sharp price fluctuations
    2. Possible loss of all monies
    3. Consequences of market illiquidity or system outages
    4. Consequences of technological or operational issues (including loss of private keys or DPT access)
    5. Consequences of fraud, theft, sabotage or cyberattacks
  • At least three plausible multiple choices should be provided per question 
  • The next steps following an insufficient risk awareness assessment may include the following:
    1. Providing educational materials
    2. Setting a cooling-off period between assessments
    3. Using a diverse question bank for generating subsequent assessments
Restriction on incentives
  • No monetary or nonmonetary incentives should be provided to retail customers to participate in, or to any person to refer to retail customers, a DPT service
Restriction on leverage
  • No facilitation of any leverage in connection with any DPT service for retail customers (including accepting payments from electronic wallets that are topped up by credit cards)

 

Improving business conduct

Segregation of customers' assets
  • Customers' assets should be segregated from the DPTSPs' own assets (may be commingled with the assets of other customers) and held for the benefit of customers
  • The MAS is seeking views on requiring an independent custodian
Written disclosures
  • Written disclosures should be provided on the following:
    1. Terms and conditions of the DPT service, including the following:
      1. Instruction receipt and information provision arrangements
      2. Applicable fees and costs
      3. Customer order execution processes (e.g., counterparty trading or trade matching facilitation)
      4. Capacity of customer order execution (e.g., agent or principal)
    2. The fact that customers' assets are segregated and held for their benefit
    3. Whether there is commingling with other customers' assets and the associated risks
    4. Consequences and protection for customers' assets during insolvency
Statement of accounts and reconciliation
  • Daily and timely reconciliation of all customers' assets should be conducted
  • A monthly (minimum) statement of accounts should be provided, comprising information on the customer's assets and transactions 
Private key management
  • Internal controls for private key management should be established, based on "never alone", "segregation of duties" and "least privilege" principles, which may include the following:
    1. No staff with the ability to individually authorize and effect the movement, transfer or withdrawal of customers' DPTs
    2. Controlling transfers between preapproved hot, warm and cold wallets
    3. Implementing operational controls to prevent loss of cryptographic keys that are held or managed
    4. Storing a suitably high proportion of customers' DPTs in cold wallets
    5. Establishing a compensation process to address attributable loss of customers' DPTs
Regulation of crypto staking and lending
  • No mortgage, charge, pledge or hypothecation of any retail customer's DPTs
  • Clear risk disclosures to be provided, and explicit consent obtained, to mortgage, charge, pledge or hypothecate any non-retail customer's DPTs
Conflicts of interest
  • DPTSPs should implement conflicts of interest policies, and disclose to customers the general nature and sources of conflicts of interest and mitigatory steps. Where multiple business lines are involved, there should be a segregation of duties, independent reporting lines and information barriers.
  • No misuse of any information relating to customers' orders (by DPTSPs or employees)
  • No own account buying or selling of DPTs by DPTSPs, or their related corporations, on the DPTSP's DPT trading platform
Specific disclosure of DPT listing and governance policies
  • DPTSPs that operate a trading platform should disclose the following:
    1. Decision-making process, evaluation criteria and fees applied to list a DPT
    2. Trading, suspension and removal conditions for listed DPTs
    3. Listed DPT removal process and customers' attendant rights 
    4. Market integrity requirements (no unfair or disorderly trading practices)
    5. Settlement procedures
Complaints handling
  • There should be adequate handling of customer complaints, which may include establishing the following: 
    1. Oversight by an independent senior management member or independent committee
    2. An independent complaints-handling unit
    3. A fair and timely resolution process, including the following:
      1. Assessing the merits of each complaint
      2. Setting senior management escalation criteria
      3. Setting a reasonable resolution timeframe
      4. Providing written rejection reasons
      5. Ensuring that information regarding the complaints-handling process is publicly available
      6. Tracking and recording complaints management
  • No prevention of retail customers from bringing disputes before Singapore courts (e.g., by requiring arbitration)

 

Technology and cyber risk management

Extension of notice of technology risk management 
  • DPTSPs will need to observe the existing technology risk management requirements applicable to other financial institutions, which will include the following: 
    1. Identifying critical systems
    2. Ensuring that the maximum unscheduled downtime for each critical system does not exceed a total of four hours within any period of 12 hours
    3. Establishing a recovery time objective of no more than four hours for each critical system
    4. Notifying the MAS no later than one hour upon discovering a system malfunction or IT security incident that has a severe and widespread impact on the DPTSP's operations or materially impacts the DPTSP's service to its customers, and submitting a root cause and impact analysis report to the MAS within 14 days
    5. Implementing IT controls to protect customer information from unauthorized access or disclosure

 

Market integrity

Unfair trading practice deterrence
  • DPTSPs that operate a trading platform are encouraged to adopt market integrity best practices, which include the following: 
    1. Setting out, disclosing and enforcing rules governing trading practices
    2. Monitoring trading activities on DPT trading platforms (e.g., by employing real-time surveillance systems) in a commensurate manner

 

Implementation timeline and next steps

The MAS seeks consultation on this paper by 21 December 2022. If you have any feedback or questions, please let us know. 

As a next step, the MAS will issue guidelines setting out these additional regulatory requirements. The MAS proposes a transition period of six to nine months from the publication of these new guidelines for DPTSPs to comply.  

Thereafter, the MAS will consult on the details of regulatory requirements and subsidiary legislation in due course.

The above is not intended to be exhaustive or to constitute legal advice. Please do reach out to the lawyers listed in this alert if you have any feedback or questions on any of the matters above. 

 

* * * * *

LOGO_Wong&Leow_Singapore

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.