In brief
The Monetary Authority of Singapore (MAS) has issued a consultation paper proposing additional regulatory safeguards, particularly around retail customer access, business conduct measures and technology risk management for cryptocurrency players. The MAS seeks to extend its regulatory focus beyond money laundering and terrorism financing risks, to holistically strengthen the regulatory framework, limit consumer harm and better address fraud protection in light of recent incidents, while acknowledging the need not to hamper digital innovation. The MAS proposes that these new requirements, once issued in the form of guidelines, will apply not only to licenced digital payment token (DPT) service providers licenced under the Payment Services Act 2019, but also to those currently operating under a transitional exemption from licencing while their licence applications are being reviewed (collectively, DPTSPs).
Key proposed measures
We summarize the key proposed regulatory measures for DPTSPs below.
Limiting customer access
Consumer access measures for retail customers | – The consumer access measures below are only applicable to Singapore residents who are accredited investors or institutional investors (i.e., retail customers) – This non-retail eligibility status should be periodically assessed – The MAS is considering extending the scope to retail customers outside Singapore |
Risk awareness assessment | – DPTSPs must conduct a risk awareness assessment of retail customers to ensure sufficient risk awareness before DPT service provision, including, without limitation, the following: a. Sharp price fluctuations b. Possible loss of all monies c. Consequences of market illiquidity or system outages d. Consequences of technological or operational issues (including loss of private keys or DPT access) e. Consequences of fraud, theft, sabotage or cyberattacks – At least three plausible multiple choices should be provided per question – The next steps following an insufficient risk awareness assessment may include the following: a. Providing educational materials b. Setting a cooling-off period between assessments c. Using a diverse question bank for generating subsequent assessments |
Restriction on incentives | – No monetary or nonmonetary incentives should be provided to retail customers to participate in, or to any person to refer to retail customers, a DPT service |
Restriction on leverage | – No facilitation of any leverage in connection with any DPT service for retail customers (including accepting payments from electronic wallets that are topped up by credit cards) |
Improving business conduct
Segregation of customers’ assets | – Customers’ assets should be segregated from the DPTSPs’ own assets (may be commingled with the assets of other customers) and held for the benefit of customers – The MAS is seeking views on requiring an independent custodian |
Written disclosures | – Written disclosures should be provided on the following: a. Terms and conditions of the DPT service, including the following: i. Instruction receipt and information provision arrangements ii. Applicable fees and costs iii. Customer order execution processes (e.g., counterparty trading or trade matching facilitation) iv. Capacity of customer order execution (e.g., agent or principal) b. The fact that customers’ assets are segregated and held for their benefit c. Whether there is commingling with other customers’ assets and the associated risks d. Consequences and protection for customers’ assets during insolvency |
Statement of accounts and reconciliation | – Daily and timely reconciliation of all customers’ assets should be conducted – A monthly (minimum) statement of accounts should be provided, comprising information on the customer’s assets and transactions |
Private key management | – Internal controls for private key management should be established, based on “never alone”, “segregation of duties” and “least privilege” principles, which may include the following: a. No staff with the ability to individually authorize and effect the movement, transfer or withdrawal of customers’ DPTs b. Controlling transfers between preapproved hot, warm and cold wallets c. Implementing operational controls to prevent loss of cryptographic keys that are held or managed d. Storing a suitably high proportion of customers’ DPTs in cold wallets e. Establishing a compensation process to address attributable loss of customers’ DPTs |
Regulation of crypto staking and lending | – No mortgage, charge, pledge or hypothecation of any retail customer’s DPTs – Clear risk disclosures to be provided, and explicit consent obtained, to mortgage, charge, pledge or hypothecate any non-retail customer’s DPTs |
Conflicts of interest | – DPTSPs should implement conflicts of interest policies, and disclose to customers the general nature and sources of conflicts of interest and mitigatory steps. Where multiple business lines are involved, there should be a segregation of duties, independent reporting lines and information barriers. – No misuse of any information relating to customers’ orders (by DPTSPs or employees) – No own account buying or selling of DPTs by DPTSPs, or their related corporations, on the DPTSP’s DPT trading platform |
Specific disclosure of DPT listing and governance policies | – DPTSPs that operate a trading platform should disclose the following: a. Decision-making process, evaluation criteria and fees applied to list a DPT b. Trading, suspension and removal conditions for listed DPTs c. Listed DPT removal process and customers’ attendant rights d. Market integrity requirements (no unfair or disorderly trading practices) e. Settlement procedures |
Complaints handling | – There should be adequate handling of customer complaints, which may include establishing the following: a. Oversight by an independent senior management member or independent committee b. An independent complaints-handling unit c. A fair and timely resolution process, including the following: i. Assessing the merits of each complaint ii. Setting senior management escalation criteria iii. Setting a reasonable resolution timeframe iv. Providing written rejection reasons v. Ensuring that information regarding the complaints-handling process is publicly available vi. Tracking and recording complaints management – No prevention of retail customers from bringing disputes before Singapore courts (e.g., by requiring arbitration) |
Technology and cyber risk management
Extension of notice of technology risk management | – DPTSPs will need to observe the existing technology risk management requirements applicable to other financial institutions, which will include the following: a. Identifying critical systems b. Ensuring that the maximum unscheduled downtime for each critical system does not exceed a total of four hours within any period of 12 hours c. Establishing a recovery time objective of no more than four hours for each critical system d. Notifying the MAS no later than one hour upon discovering a system malfunction or IT security incident that has a severe and widespread impact on the DPTSP’s operations or materially impacts the DPTSP’s service to its customers, and submitting a root cause and impact analysis report to the MAS within 14 days e. Implementing IT controls to protect customer information from unauthorized access or disclosure |
Market integrity
Unfair trading practice deterrence | – DPTSPs that operate a trading platform are encouraged to adopt market integrity best practices, which include the following: a. Setting out, disclosing and enforcing rules governing trading practices b. Monitoring trading activities on DPT trading platforms (e.g., by employing real-time surveillance systems) in a commensurate manner |
Implementation timeline and next steps
The MAS seeks consultation on this paper by 21 December 2022. If you have any feedback or questions, please let us know.
As a next step, the MAS will issue guidelines setting out these additional regulatory requirements. The MAS proposes a transition period of six to nine months from the publication of these new guidelines for DPTSPs to comply.
Thereafter, the MAS will consult on the details of regulatory requirements and subsidiary legislation in due course.
The above is not intended to be exhaustive or to constitute legal advice. Please do reach out to the lawyers listed in this alert if you have any feedback or questions on any of the matters above.
* * * * *
© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.