Response to Public Consultation on Proposed Regulatory Measures for Digital Payment Token Services
On Monday, 3 July 2023, the Monetary Authority of Singapore (MAS) announced plans to further protect consumer interests in the digital payment tokens (“DPTs”) sector. Part 1 of the MAS’ response to the Public Consultation on Proposed Regulatory Measures for DPT Services published in October 2022, covered in this paper, focuses on the requirements for segregation and custody of customers’ assets.
With its response to the public consultation, the MAS also published a Consultation Paper on Proposed Amendments to the Payment Services Regulations to implement the discussed amendments. Further, the MAS announced that it will also publish guidelines setting out its expectations on the segregation and custody requirements in more detail. The MAS intends to effect the proposed amendments by October 2023.
Segregation of Customer Assets
A payment institution holding a licence for digital payment token services (a “Digital Payment Token Services Provider” or “DPTSP”) will be required to segregate customers’ assets from its own assets and hold these customer assets on trust for the benefit of the customer. This is to mitigate the risk of loss or misuse of customers’ assets during the DPTSP’s ordinary course of business and to facilitate the return of customers’ assets in the event of the DPTSP’s insolvency. This includes keeping customers’ assets on separate blockchain addresses from those containing the DPTSP’s own assets.
× DPTSPs must not commingle their customers’ assets with their own assets, even with customer consent.
√ DPTSPs can deposit a customer’s assets in a trust account together with the assets of its other customers.
Safeguarding Customer Moneys
The MAS will extend the existing requirements on safeguarding customer moneys to DPTSPs. The DPTSP will be required to safeguard these moneys with financial institutions in Singapore.
Daily Reconciliation of Customer Assets and Statement of Accounts
DPTSPs will be required to carry out daily reconciliation of customers’ assets, including moneys. DPTSPs are also expected to keep transaction records and maintain separate books and records for each customer with details of the customer’s assets at all times.
DPTSPs should provide monthly statements of account to customers except in the following circumstances:
- The DPTSP provides account information on a real-time basis to its customers;
- There is no change to any particulars since the date on which the last statement of account was made; or
- The customer has requested, in writing, not to receive the statement of account monthly from the DTSP.
Risk Management Controls for Customer Assets
Resourcing, Governance & Controls - DPTSPs are to maintain adequate systems, processes, controls, human resources, and governance arrangements to ensure the integrity and security of customers’ assets and mitigate the risk of any loss of customer assets.
Operational Robustness - DPTSPs should put in place robust and effective measures to ensure that the movement of customers’ assets is controlled by senior managers and personnel who reside in Singapore.
Disclosures - DPTSPs should assess and clearly disclose to their customers their custody arrangements as to the location of devices and whether such arrangements affect the ability of the DPTSP and its customers to recover the customers’ assets.
Security Breaches or External Theft – As per revised regulations, DPTSPs should keep at least 90% of customers’ DPTs in cold wallets, thus allowing up to 10% to be held in other wallets for operational needs. DPTSPs are also expected to conduct periodic reviews and consider keeping a proportion higher than 90% of customers’ assets in cold wallets based on their business circumstances to minimise the risk of any losses to customers’ assets. DPTSPs should also disclose to customers their policies on customer assets.
No Need for Independent Third-Party Custodian
The MAS is not mandating the use of independent custodians for customer assets at this moment. However, to mitigate the risk of internal fraud and misappropriation of customer assets, the MAS will require that DPTSPs maintain operational independence of custody operations from the business unit.
Disclosures to Customers
DPTSPs must disclose in writing to their customers:
- the terms and conditions, including the arrangements for receiving instructions from the customers and providing information to the customers, and applicable fees and costs;
- that the customers’ assets are segregated from the DPTSP’s own assets and held for the benefit of the customers;
- whether the customers’ assets will be commingled with the assets of other customers and, if so, the risks of such commingling; and
- the consequences for the customers’ assets if the DPTSP becomes insolvent, and the arrangements by the DPTSP to protect customers’
With the introduction of these requirements around segregation and custody of customer assets, the internal audit program should also include an assessment of the DPTSP’s compliance with these requirements.
Lending and Staking of Retail Customers’ Assets
DPTSPs are restricted from facilitating the lending and staking of retail customers’ assets.
The MAS noted the potential for significant consumer harm from these activities if DPTSPs continue to enable or facilitate retail customers. Consequently, the MAS is taking a more prudent approach at this juncture and restricts DPTSPs from facilitating the lending and staking of retail customers’ assets.
For non-retail customers (accredited and institutional investors), there is no restriction on DPTSPs enabling or facilitating entry to staking or lending arrangements. However, DPTSPs must provide a clear risk disclosure document and obtain the customer’s explicit consent before lending or staking the customer’s assets.
For any further information, please contact:
Ingenia Consultants Pte. Ltd.