Response to Public Consultation on Proposed Regulatory Measures for Digital Payment Token Services
Response to Public Consultation on Proposed Regulatory Measures for Digital Payment Token Services
On Thursday, 23 November 2023, the Monetary Authority of Singapore (MAS) published a response to the Public Consultation on Proposed Regulatory Measures for Digital Payment Token Service issued on 26 October 2022 in two parts; the first part focusing on the segregation and custody of customer’s assets and the lending and staking of retail customers assets, the second part focusing on consumer access, business conduct and the management of technology and cyber risks.
Enclosed is a summary of material amendments to the existing regulations resulting from this consultation, which will be formalized through guidelines and legislative amendments to the Payment Services Regulations.
1. Measures Relating to Segregation and Custody of Customers’ Assets
Segregation of Customer Assets
The MAS will require digital payment token service providers (“DPTSPs”) to properly segregate their customers' assets from their own assets, keeping them in a separate set of blockchain addresses. DPTSPs cannot commingle their customers' assets with their own assets, even with customer consent. However, DPTSPs will be allowed to deposit a customer's assets in the same trust account as other customers' assets. The risks of these arrangements must be disclosed to the customers, including steps taken to mitigate them.
Safeguarding Customers’ Money
The MAS will extend the existing requirements imposed on payment service providers transacting in fiat money under the Payment Services Act 2019 (“PS Act”) to DPTSPs so that DPTSPs are required to safeguard customers’ money with financial institutions in Singapore, which will facilitate the recovery of customers’ money in the event of a DPTSP’s insolvency.
Daily Reconciliation of Customers’ Assets
The MAS will require DPTSPs to conduct daily reconciliations of customers' assets and sums of money at an entity level. DPTSPs will be required to keep transaction records and always maintain separate books and records for each customer with details of their assets. DPTSPs will not be required to publish a "proof of reserves" but will be independently audited on their compliance with segregation and custody requirements.
Statement of Account
The MAS will require DPTSPs to provide monthly statements of account to customers but will also allow DPTSPs to provide account information on a real-time basis instead of monthly statements. DPTSPs will also be exempted from providing monthly statements if there are no changes since the last statement of account or if the customer has requested not to receive monthly statements.
Risk Management Controls for Customers’ Assets
The MAS will require DPTSPs to maintain adequate risk management controls to ensure the integrity and security of customers' assets and to mitigate the risk of loss of customers' assets.
DPTSPs will need to put in place measures to ensure the movement of customers' assets is controlled by senior managers and personnel who reside in Singapore. DPTSPs will also need to implement operational controls to prevent the loss of cryptographic keys of digital payment tokens.
The MAS considers that a minimum level should be set for DPTSPs to store customers’ DPTs in cold wallets. As such, MAS considers that an appropriate balance to strike is to have DPTSPs keep at least 90% of customers’ DPTs in cold wallets while allowing up to 10% to be kept in other wallets. DPTSPs are also expected to conduct periodic reviews and consider keeping a higher than 90% proportion of customers’ assets in cold wallets.
Requiring an Independent Custodian
The MAS has decided not to mandate independent third-party custodians for customer assets but instead requires DPTSPs to maintain a separate custody function that operates independently from the other business units to mitigate the risk of fraud and misappropriation of customer assets. DPTSPs should adopt good risk management practices and periodically review their risk management framework, duties segregation, and responsibilities of key personnel. DPTSPs may appoint independent custodians and should continually review their arrangements to strengthen governance and controls for safeguarding customer assets. If a DPTSP appoints an external service provider to support its custody of customer assets, it should ensure the provider maintains adequate risk management controls and disclose safeguarding measures and risk involved.
Disclosures to Customers
DPTSPs will be required by the MAS to disclose in writing to their customers the terms, conditions, applicable fees, and costs and that customers' assets are segregated from DPTSP's assets. The disclosure includes whether customers' assets will be commingled with those of other customers, the risks of such commingling, and the consequences and arrangements to protect customers' assets if DPTSP becomes insolvent. Disclosures should be clear, legible, concise, and specific to the DPTSP's arrangements. The industry may develop standard formats to help customers understand the risks.
2. Measures Relating to DPTSPs’ Lending and Staking of Retail Customers’ Assets
The MAS has decided to restrict DPTSPs from facilitating the lending and staking of retail customers’ assets due to the significant consumer harm that may result from these activities. Retail customers can engage in lending or staking by themselves but should exercise extreme caution when engaging in such unregulated activities to avoid potential significant losses. Given the risks associated with such activity, DPTSPs will be restricted from facilitating staking arrangements for retail customers. Restrictions will not apply to non-retail customers if DPTSPs provide clear risk disclosures and obtain explicit consent before lending or staking customers' assets.
3. Measures Relating to Consumer Access
Scope of Consumer Access Measures:
The MAS will apply consumer access measures to retail customers who are not accredited investors (“AIs”) or institutional investors (“IIs”). The definitions of AI and II in the Guidelines will be aligned with that in the Securities and Futures Act 2001 (“SFA”). The MAS agrees with the suggestion to adopt an “opt-in” regime for AIs, like the SFA, to apply consumer access measures for DPT services. DPTSPs would treat all customers (other than IIs) as retail customers by default, and where a customer meets the criteria of an AI, the customer would have the choice of opting to be treated as an AI.
The MAS does not see merit in creating an additional classification of “Expert Investors” for DPTs, given the extreme volatility and highly speculative nature of cryptocurrencies. The MAS agrees to apply consumer access measures to all retail customers regardless of their residency to reduce consumer harm for retail investors.
Treatment of DPT Holdings for Determining AI Eligibility
The MAS has allowed DPTs to be considered when determining AI eligibility, but a minimum 50% haircut should be applied to their valuations because of their volatility and lack of economic fundamentals. FIs, including DPTSPs, could apply a higher haircut based on their internal models and risk appetite. In addition, the MAS has set an overall cap on the value of DPTs at SGD 200,000, which is used to determine AI eligibility to avoid an overreliance on DPTs. For the qualification of an AI, the FI may take 50% of the DPT valuation or SGD 200,000 into account, whichever is lower. Nonetheless, for MAS-regulated stablecoins, the MAS will allow them to be treated like fiat currencies when checking a customer’s AI eligibility.
Risk Awareness Assessment
The MAS will require DPTSPs to assess retail customers' risk awareness before providing DPT services to them. The DPTSPs should implement the appropriate internal policies and procedures to ensure a fair and robust assessment. The MAS noted the strong support from respondents and industry associations regarding their interest in developing a common industry template. The MAS encourages the industry to take on this initiative, as this would be very helpful in developing consistent standards and harmonizing the approach for the industry and customers.
For retail customers who have been initially assessed to have insufficient knowledge of the risks, MAS will allow DPTSPs to conduct re-assessment(s) and for the retail customer to re-take the risk awareness assessment. MAS expects DPTSPs to have appropriate policies and procedures to facilitate and encourage retail customers to build their understanding and knowledge of the risks involved (e.g., through the provision of reliable, clear, and independent educational material that explain the nature of activities and the associated risks involved in those activities) prior to being re-assessed. Subsequent assessments must be equally robust, for example, by having a sufficiently diverse question bank and system to generate different questions for subsequent assessments. The MAS will not impose a validity period on the risk awareness assessment or require DPTSPs to re-assess retail customers at regular intervals. DPTSPs should have in place internal processes to review and update the risk awareness assessment administered and assess if retail customers should be required to undertake an updated risk awareness assessment.
Restrictions on Offering of Incentives
The MAS notes that any gift or incentive may unduly influence the decision of retail customers to trade in DPTs without fully considering the risks involved. The MAS has decided to proceed with the proposed restriction whereby, DPTSPs should not offer monetary or other incentives to prospective and existing retail customers. This restriction will broadly apply to sign-up incentives, referral incentives, and trading incentives that intend to entice consumers to trade in DPTs. The MAS further clarified that this restriction would apply to activities such as “learn and earn” programs.
Restrictions on Debt-Financed and Leveraged DPT Transactions
The MAS will proceed with the proposal to restrict DPTSPs from providing any credit facility or entering leveraged DPT transactions with retail customers. The restrictions apply to new transactions when the guidelines become effective. These restrictions will apply alongside section 20(1) of the PS Act, which prohibits carrying on any business of granting credit facilities to any individual in Singapore. The MAS will also not permit DPTSPs to accept credit card or charge card payments, except foreign-issued credit cards or charge cards, to restrict purchases of cryptocurrencies on credit.
4. Measures Relating to Business Conduct
Identification and Mitigation of Conflicts of Interest
The MAS will proceed with the proposal for DPTSPs to establish and implement effective policies and procedures to identify and address conflicts of interest (“COI”) and disclose to customers the nature of activities and sources of COI, and the relevant measures and controls that the DPTSP has put in place to mitigate the COI. The MAS has significant concerns over the potential consumer harm that arises from certain combinations of DPT activities conducted within the same DPTSP entity and its related entities.
The MAS is of the view that the potential for consumer harm is most acute when a DPTSP operates a market (referred to in the consultation paper as a “DPT trading platform operator”), and it or its related entities also transacts on its own account on that market.
Where a DPTSP conducts the following combinations of DPT activities within the same entity, the DPTSP should put in place the indicated measures:
- Operating a market and acting as a broker: Where a DPTSP operates a market and acts as a broker, it should set up separate legal entities with separate management teams such that the two functions are independent of one another and provide clear client disclosures.
- Acting as a broker and transacting on its own account: Where a DPTSP acts as a broker and transacts on its own account, it should put in place proper functional segregation (e.g., separate reporting lines) and effective Chinese walls. This is because the DPTSP is susceptible to unfair trading practices, such as front running of customer orders. The DPTSP should also provide clear client disclosures so that the customer is aware of the capacity and manner in which the DPTSP executes the customer order.
In addition, a DPTSP should make appropriate disclosures, regarding:
- the potential conflicts and risks arising from own or related token listings;
- specific steps and measures that have been put in place to effectively address the risks and COI, including any segregation of its surveillance function from its trading or market function; and
- proprietary holdings of any tokens at the point of token listing.
DPTSPs may also consider further disclosures, such as the quantum or size of such proprietary holdings and provide a suitable frequency of periodic updates of these holdings following token listing, which may be useful information for customers.
The MAS expects DPTSPs to assess the effectiveness of the mitigating measures to address any potential COI on a regular basis and take a prudent approach should the measures be assessed to be inadequate to address COI effectively.
DPTSPs should also closely monitor their employees’ trading activities and their access to material non-public information to safeguard clients’ interests.
Disclosure of DPT Listing and Governance Policies
DPTSPs will be required to disclose publicly their listing and governance policies for tokens listed and offered on their markets and trading platforms. The disclosure must be in a manner that allows customers to make informed decisions about how they have applied their evaluation criteria before making a DPT available for trading on their DPT trading platform.
The MAS expects senior managers to have responsibility, control, and oversight over the DPTSP’s listing and governance policies, including being responsible for listing, suspension, and de-listing decisions.
DPTSPs are ultimately accountable and responsible for the DPTs made available for trading on their trading platforms, including the use of any third-party outsourcing arrangements, the proper and adequate disclosure of their listing and governance policies, and for their customers’ awareness that they need to be able to understand and assess the information risks of trading in DPTs.
DPTSPs should not disclose the policies and procedures in a way that trivializes the risks of DPT trading.
Complaints Handling and Dispute Resolution
The MAS will require DPTSPs to establish and implement policies and procedures to identify and address complaints. Such policies will be aligned with the Financial Advisers (Complaints Handling and Resolution) Regulations 2021 and will minimally apply to DPTSPs when dealing with their retail customers and complaints related to DPT services.
Although DPTSPs are not required to submit regular returns of complaint data to the MAS, they are expected to manage and track complaints and trends for proper handling and resolution of customer complaints. To reduce conflicts of interest, the unit responsible for handling customer complaints should not be directly involved in DPT services, and it must sit independent of the business-facing functions, for example, with the compliance function.
DPTSPs should resolve disputes with customers using principal modes of dispute resolution available in Singapore, and they may use the Financial Industry Disputes Resolution Centre’s (FIDReC's) services on an ad-hoc basis for an agreed case fee. However, they are not obliged to subscribe to FIDReC's services.
5. Measures Relating to Managing Technology and Cyber Risks
The MAS will mandate the requirements in MAS Notice PSN05 to DPTSPs. It agrees that DPTSPs should perform a risk assessment and determine the system recovery and business resumption priorities. However, in the context of “critical systems” as defined in the MAS Notice PSN05, DPTSPs are required to implement an effective and swift recovery strategy for systems where a system failure will lead to a severe and widespread impact on its operations or materially impact the DPTSP’s customers.
The MAS clarified that:
- A “critical system” means a system, the failure of which will cause significant disruption to the operations of the financial institution or materially impact the financial institution’s service to its customers. It also suggested that DPTSP should assess which systems should be identified as a “critical system.”
- DPTSP should establish a proper framework and process to assess and identify the type of threshold of such “severe and widespread impact.”
- The 4-hour recovery time objective (“RTO”) will not apply to the underlying public blockchain of DPTs.
The MAS further clarified that the objective of the 1-hour notification requirement of IT security incidents and system malfunctions is to provide sufficient lead time to the MAS to assess the wider impact of the incident on the industry and the public, as well as to coordinate with DPTSPs to provide responses to the stakeholders. DPTSPs should notify the MAS of IT incidents according to the Notice’s requirement and notify the PDPC of any data breaches as required under the Personal Data Protection Act 2019 (“PDPA”).
6. Implementation Options
The MAS published the consultation response and the proposed amendments to the subsidiary legislation in July 2023 about Asset Segregation and Custody Measures. The final subsidiary legislation will be published in due course, and there will be a 6-month transition period for DPTSPs to implement these requirements.
For other measures covered in this response paper, the MAS will initially provide guidelines, which are expected to be published in mid-2024. The DPTSPs will be provided with a 9-month transition period to implement these requirements.
The MAS will also mandate the requirements in Notice PSN05 to DPTSPs in early 2024 with a 9-month transition period for implementation.
For any further information, please contact:
Vijay Bharadwaj
Senior Manager
Ingenia Consultants Pte. Ltd.