On 3 July 2023, the Monetary Authority of Singapore ("MAS") published two consultation papers and a consultation response relating to digital payment token ("DPT") services. These publications set out proposed regulatory measures for the segregation and custody of customers' assets and to address market integrity risks and unfair trading practices in respect of DPT services.

1. Introduction

MAS had on 26 October 2022 published a consultation paper which invited feedback on proposed regulatory measures for DPT services (the "DPT Regulatory Measures CP") covering the following areas:

  • consumer access measures;
  • business conduct measures, including segregation of customers' assets and risk management controls;
  • managing technology and cyber risks;
  • market integrity.

Since then, MAS has followed up with a consultation response and two consultation papers. They are as follows:

  • Response to Public Consultation on Proposed Regulatory Measures for Digital Payment Token Services (Part 1) (the "Consultation Response") issued on 3 July 2023;
  • Consultation Paper on Proposed Amendments to the Payment Services Regulations (the "CP on Amendments to the PSR") issued on 3 July 2023; and
  • Consultation Paper on Proposed Measures on Market Integrity in Digital Payment Token Services (the "CP on Market Integrity") issued on 3 July 2023.

The Consultation Response outlines the key requirements for segregation and custody of assets of customers of licensed and exempt payment service providers that carry on a business of providing a DPT service under the Payment Services Act 2019 ("DPT service providers") that MAS intends to implement. It is the first part of MAS' response to feedback from respondents to their DPT Regulatory Measures CP. MAS would in due course be releasing the second part of their response to the feedback on the remaining proposed regulatory measures in the DPT Regulatory Measures CP.

In turn, the CP on Amendments to the PSR sets out proposed legislative amendments to the Payment Services Regulations 2019 ("PSR") to implement segregation and custody requirements for DPT services. They are intended to operationalise the policy positions set out by MAS in the Consultation Response.

Finally, the CP on Market Integrity sets out proposed regulatory measures to address market integrity risks and unfair trading practices in respect of DPT services.

This Client Update highlights the key points from these publications.

2. Proposed regulatory measures for the segregation and custody of assets of customers of DPT service providers

The Consultation Response outlines two sets of regulatory measures: (a) measures relating to segregation and custody of customers' assets; and (b) measures relating to DPT service providers' lending and staking of retail customers' assets.

a. Measures on Segregation and Custody of Customers' Assets

In light of recent failures in the cryptocurrency space, MAS takes the view that it is important for DPT service providers to have effective asset segregation requirements to protect customers' assets.

The Consultation Response discusses seven types of measures relating to the segregation and custody of customers' assets:

  • Segregation of customers' assets: MAS will require DPT service providers to segregate customers' assets from its assets and hold customers' assets on trust for the benefit of its customers. This includes keeping customers' assets on a separate set of blockchain addresses from those containing the DPT service provider's own assets. To this end, DPT service providers will not be allowed to commingle their customers' assets with their own assets even if the customer gives consent.
  • However, MAS will allow a DPT service provider to deposit a customer's assets into a trust account together with assets of its other customers, provided that this pool is kept separate from the DPT service provider's own assets. The risks of such arrangements and the steps taken by the DPT service provider to mitigate the risks must also be clearly disclosed by the DPT service provider to its customers.
  • These measures will be implemented by the introduction of a new regulation 16C into the PSR.
  • Safeguarding of customers' moneys: MAS will extend the existing requirements on the safeguarding of customers' moneys under the PSA to DPT service providers. It will do so by introducing regulations 16A and 16B into the PSR, which would prescribe licensed DPT service providers within the scope of section 23 of the Payment Services Act 2019 ("PSA"). It will also make consequential amendments to regulations 14 to 16 of the PSR (which set out further details on the safeguarding requirements for customers' moneys) and regulation 17 of the PSR (which applies those requirements to exempt payment service providers).
  • Daily reconciliation of customers' assets and transaction records: MAS will require DPT service providers to perform daily reconciliation of customers' assets, including moneys, and for the reconciliation to be performed at the entity-level rather than on a group-level or on a consolidated basis. This would be in line with the reconciliation requirements for capital markets intermediaries under the Securities and Futures (Licensing and Conduct of Business) Regulations ("SF(LCB)R"). It will also require DPT service providers to keep transaction records, and maintain separate books and records for each customer at all times. These measures will also be implemented through the new regulation 16C of the PSR.
  • Statement of Account: MAS will require DPT service providers to either provide monthly statements of account to customers, or provide account information in real time. In line with the position in the SF(LCB)R, DPT service providers will also be exempt from the requirement to provide monthly statements of account to all customers if: (a) there is no change to any particulars since the date on which the last statement of account was made; or (b) the customer has requested, in writing, not to receive the statement of account on a monthly basis.
  • Risk management controls for customers' assets: MAS will, through the new regulation 16C of the PSR, require DPT service providers to maintain adequate systems, processes, controls, human resources, and governance arrangements to ensure the integrity and security of customers' assets and mitigate the risk of any loss of customers' assets, in a manner that is commensurate with the nature, scale, and complexity of their business. Such control measures would include:
    1. instituting processes that restrict any one staff from being able to authorise and effect the movement, transfer or withdrawal of customers' DPTs;
    2. controlling movement or transfer of DPTs between the DPT service provider's pre-approved hot, warm and cold wallets;
    3. implementing operational controls to prevent the loss of cryptographic keys of DPTs that are held or managed by DPT service providers;
    4. storing a suitably high proportion of customers' DPTs in cold wallets; and
    5. establishing a compensation process to handle any loss of such customers' DPTs, arising from incidents that are attributable to the operations of the DPT service provider.
  • Furthermore, DPT service providers are expected to put in place robust and effective measures to ensure that the movement of customers' assets is controlled by senior managers and personnel who reside in Singapore. Such persons should also be authorised to facilitate the return of customers' assets where required by MAS or in court proceedings.
  • MAS will not, at this time, require DPT service providers to have devices storing means of access to customers' DPTs located in Singapore. However, it encourages DPT service providers to take proactive steps to adopt technological solutions that enable the development of local custody solutions and strong risk management expertise. MAS also expects DPT service providers to assess and disclose to customers their custody arrangements, such as the location of the devices, and whether such arrangements affect theirs and the customers' ability to recover customers' assets (as described under the bullet point on "Disclosures to customers").
  • Regarding the storage of customers' DPTs in cold wallets, MAS expects the following:
    1. DPT service providers must keep at least 90% of customers' DPTs in cold wallets, while allowing up to 10% to be kept in other wallets (e.g., hot wallets). This strikes a balance between mitigating the risk of loss of customers' assets due to security breaches or external theft and operational efficiency.
    2. DPT service providers should conduct periodic reviews and consider keeping more than 90% of customers' assets in cold wallets after assessing their business and operational needs as well as other security controls.
    3. DPT service providers should disclose their policies on storage arrangements for customers' assets, including the circumstances under which the DPT service provider keeps the customers' assets in storage media connected to the internet (e.g., hot wallets), their considerations in doing so, measures that are in place to mitigate the risk of loss, and processes for handling losses (e.g., compensation arrangement or insurance).
  • DPT service providers are also expected to adopt good risk management practices, including those stipulated in the Technology Risk Management Guidelines, have stringent processes and controls, and have strong governance and oversight by senior managers. Licensed DPT service providers will also be assessed on their compliance with these requirements as part of their annual audit under the PSA.
  • Independent custodian: MAS will not, at this time, be mandating the use of independent custodians for customer assets. However, MAS will require the DPT service providers to maintain a separate custody function that is operationally independent from other business units. MAS expects DPT service providers to adopt good risk management practices that reduce the risk of any loss of customers' assets due to internal fraud or negligence. In this regard, specific reference is made to MAS Guidelines on Risk Management Practices – Internal Controls. Where a DPT service provider appoints an external service provider to support its custody of customers' assets, the DPT service provider will also need to take measures such as assessing and ensuring that the external service provider maintains adequate risk management controls to ensure the integrity and security of customers' DPTs.
  • Disclosures to customers: MAS will, through the new regulation 16C of the PSR, require a DPT service provider to make the following disclosures to customers in writing before depositing the customers' assets in the custody account:
    1. that the customer's assets will be held on behalf of the customer in a custody account with a safeguarding institution;
    2. whether or not the customers' assets will be commingled with the assets of other customers and, if so, the risks of such commingling;
    3. the consequences for the customers' assets if the DPT service provider becomes insolvent; and
    4. the terms and conditions that would apply to the safeguarding of the customer's assets.
  • While there will not be a prescribed template or form, these disclosures must be made in a clear, legible, and concise manner.

Requirements analogous to the ones in the new regulation 16C of the PSR will also be implemented for exempt DPT service providers through the introduction of regulation 16D into the PSR, with the necessary modifications.

b. Measures on lending and staking of retail customers' assets by DPT service providers

MAS will restrict DPT service providers from facilitating the lending and staking of retail customers' assets. For the purposes of these measures, the term "retail customer" refers to the current classification of retail customers and accredited investors under the Securities and Futures Act 2001 ("SFA").

MAS has strong concerns over the staking and lending of retail customers' assets. It observed that once the assets of the retail customer are lent or staked, they may no longer belong to or be controlled by the retail customer and would not be protected by the segregation and custody requirements imposed on DPT service providers. It also observed that retail customers are generally regarded as having less resources to analyse technical information, obtain professional advice or understand risks meaningfully, and less able to withstand large losses. Furthermore, MAS noted that there are inherent conflicts of interest where a DPT service provider facilitates such staking and lending activities. However, MAS clarified that retail customers are not prohibited from handling their own assets, including lending or staking their own assets, but they will be doing so at their own risk.

For non-retail customers, MAS will not restrict DPT service providers from enabling or facilitating the entry to staking or lending arrangements by these customers. However, DPT service providers will need to provide a clear risk disclosure document and obtain the non-retail customer's explicit consent to doing so.

Click here to view the article in full.

Originally published 11 July 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.