Search for:
AML & Financial Services Regulatory

Singapore: Additional regulatory requirements proposed for digital payment token service providers

By , and 7 Mins Read

In brief

The Monetary Authority of Singapore (MAS) has issued a consultation paper proposing additional regulatory safeguards, particularly around retail customer access, business conduct measures and technology risk management for cryptocurrency players. The MAS seeks to extend its regulatory focus beyond money laundering and terrorism financing risks, to holistically strengthen the regulatory framework, limit consumer harm and better address fraud protection in light of recent incidents, while acknowledging the need not to hamper digital innovation. The MAS proposes that these new requirements, once issued in the form of guidelines, will apply not only to licenced digital payment token (DPT) service providers licenced under the Payment Services Act 2019, but also to those currently operating under a transitional exemption from licencing while their licence applications are being reviewed (collectively, DPTSPs). 

Key proposed measures

We summarize the key proposed regulatory measures for DPTSPs below.

Limiting customer access

Consumer access measures for retail customers– The consumer access measures below are only applicable to Singapore residents who are accredited investors or institutional investors (i.e., retail customers) 
– This non-retail eligibility status should be periodically assessed
– The MAS is considering extending the scope to retail customers outside Singapore
Risk awareness assessment– DPTSPs must conduct a risk awareness assessment of retail customers to ensure sufficient risk awareness before DPT service provision, including, without limitation, the following:
a. Sharp price fluctuations
b. Possible loss of all monies
c. Consequences of market illiquidity or system outages
d. Consequences of technological or operational issues (including loss of private keys or DPT access)
e. Consequences of fraud, theft, sabotage or cyberattacks
– At least three plausible multiple choices should be provided per question 
– The next steps following an insufficient risk awareness assessment may include the following:
a. Providing educational materials
b. Setting a cooling-off period between assessments
c. Using a diverse question bank for generating subsequent assessments
Restriction on incentives– No monetary or nonmonetary incentives should be provided to retail customers to participate in, or to any person to refer to retail customers, a DPT service
Restriction on leverage– No facilitation of any leverage in connection with any DPT service for retail customers (including accepting payments from electronic wallets that are topped up by credit cards)

Improving business conduct

Segregation of customers’ assets– Customers’ assets should be segregated from the DPTSPs’ own assets (may be commingled with the assets of other customers) and held for the benefit of customers
– The MAS is seeking views on requiring an independent custodian
Written disclosures– Written disclosures should be provided on the following:
a. Terms and conditions of the DPT service, including the following:
i. Instruction receipt and information provision arrangements
ii. Applicable fees and costs
iii. Customer order execution processes (e.g., counterparty trading or trade matching facilitation)
iv. Capacity of customer order execution (e.g., agent or principal)
b. The fact that customers’ assets are segregated and held for their benefit
c. Whether there is commingling with other customers’ assets and the associated risks
d. Consequences and protection for customers’ assets during insolvency
Statement of accounts and reconciliation– Daily and timely reconciliation of all customers’ assets should be conducted
– A monthly (minimum) statement of accounts should be provided, comprising information on the customer’s assets and transactions 
Private key management– Internal controls for private key management should be established, based on “never alone”, “segregation of duties” and “least privilege” principles, which may include the following:
a. No staff with the ability to individually authorize and effect the movement, transfer or withdrawal of customers’ DPTs
b. Controlling transfers between preapproved hot, warm and cold wallets
c. Implementing operational controls to prevent loss of cryptographic keys that are held or managed
d. Storing a suitably high proportion of customers’ DPTs in cold wallets
e. Establishing a compensation process to address attributable loss of customers’ DPTs
Regulation of crypto staking and lending– No mortgage, charge, pledge or hypothecation of any retail customer’s DPTs
– Clear risk disclosures to be provided, and explicit consent obtained, to mortgage, charge, pledge or hypothecate any non-retail customer’s DPTs
Conflicts of interest– DPTSPs should implement conflicts of interest policies, and disclose to customers the general nature and sources of conflicts of interest and mitigatory steps. Where multiple business lines are involved, there should be a segregation of duties, independent reporting lines and information barriers.
– No misuse of any information relating to customers’ orders (by DPTSPs or employees)
– No own account buying or selling of DPTs by DPTSPs, or their related corporations, on the DPTSP’s DPT trading platform
Specific disclosure of DPT listing and governance policies– DPTSPs that operate a trading platform should disclose the following:
a. Decision-making process, evaluation criteria and fees applied to list a DPT
b. Trading, suspension and removal conditions for listed DPTs
c. Listed DPT removal process and customers’ attendant rights 
d. Market integrity requirements (no unfair or disorderly trading practices)
e. Settlement procedures
Complaints handling– There should be adequate handling of customer complaints, which may include establishing the following: 
a. Oversight by an independent senior management member or independent committee
b. An independent complaints-handling unit
c. A fair and timely resolution process, including the following:
i. Assessing the merits of each complaint
ii. Setting senior management escalation criteria
iii. Setting a reasonable resolution timeframe
iv. Providing written rejection reasons
v. Ensuring that information regarding the complaints-handling process is publicly available
vi. Tracking and recording complaints management
– No prevention of retail customers from bringing disputes before Singapore courts (e.g., by requiring arbitration)

Technology and cyber risk management

Extension of notice of technology risk management – DPTSPs will need to observe the existing technology risk management requirements applicable to other financial institutions, which will include the following: 
a. Identifying critical systems
b. Ensuring that the maximum unscheduled downtime for each critical system does not exceed a total of four hours within any period of 12 hours
c. Establishing a recovery time objective of no more than four hours for each critical system
d. Notifying the MAS no later than one hour upon discovering a system malfunction or IT security incident that has a severe and widespread impact on the DPTSP’s operations or materially impacts the DPTSP’s service to its customers, and submitting a root cause and impact analysis report to the MAS within 14 days
e. Implementing IT controls to protect customer information from unauthorized access or disclosure

Market integrity

Unfair trading practice deterrence– DPTSPs that operate a trading platform are encouraged to adopt market integrity best practices, which include the following: 
a. Setting out, disclosing and enforcing rules governing trading practices
b. Monitoring trading activities on DPT trading platforms (e.g., by employing real-time surveillance systems) in a commensurate manner

Implementation timeline and next steps

The MAS seeks consultation on this paper by 21 December 2022. If you have any feedback or questions, please let us know. 

As a next step, the MAS will issue guidelines setting out these additional regulatory requirements. The MAS proposes a transition period of six to nine months from the publication of these new guidelines for DPTSPs to comply.  

Thereafter, the MAS will consult on the details of regulatory requirements and subsidiary legislation in due course.

The above is not intended to be exhaustive or to constitute legal advice. Please do reach out to the lawyers listed in this alert if you have any feedback or questions on any of the matters above. 

* * * * *

LOGO_Wong&Leow_Singapore

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Categories:
Author

Stephanie Magnus co-heads the Asia Pacific Financial Institutions Group and heads up the Financial Services Regulatory Practice Group in Singapore. Stephanie is ranked Band 1 for FinTech in Singapore by Chambers FinTech 2020. She is also ranked as a Leading Individual for Financial Services Regulatory: Local Firms in Singapore by Legal 500 Asia Pacific 2020. She is recognised as a leading lawyer for Banking & Finance: Regulatory in Singapore by Chambers Asia Pacific and Chambers Global 2020. Stephanie was quoted in Chambers Asia Pacific for her "timely, practical and business-oriented" advice, with a "deep understanding of the regulatory regime." She is also recognised as "very business-savvy and brilliant every time," and is admired for her "very strong grasp of the legal issues from both a technical and practical perspective."

Author

Eunice is a principal in the Financial Services Regulatory practice group of Baker McKenzie's Singapore office. She specialises in regulatory, legal and compliance matters in the financial services and fintech sectors. Eunice is recognised in Legal 500 Asia Pacific as the Next Generation Partner for Financial Services Regulatory, where she was "singled out for being smart and having the ability to navigate the Singapore regulatory landscape" and "is responsive, pleasant and willing to explore different parameters" and "is outstanding in that she always carefully and clearly explains the situation and background of the issue so that we can fully understand it, she always has a quick response and she has a deep understanding of the financial industry and our company." Eunice is a frequent speaker at legal and financial industry seminars and forums. She also regularly assists clients in coordinating industry responses and participate in consultation with the Monetary Authority of Singapore on policy and legislative changes.

Author

Ying Yi is a local principal in the Financial Services Practice Group of Baker McKenzie Wong & Leow in Singapore. She focuses on regulatory and compliance issues in the financial services sector.

Related Posts

Write A Comment