The Monetary Authority of Singapore recently published the second part of its response to the consultation paper proposing regulatory measures for providers of digital payment token services under the Payment Services Act 2019. Its response focuses on business conduct, consumer access measures, and technology and cybersecurity risk requirements.

On 26 October 2022, the Monetary Authority of Singapore (MAS) issued a consultation paper setting out its proposed regulatory measures for licensed and exempt payment service providers that carry on the business of providing digital payment token (DPT) services under the Payment Services Act 2019 (PS Act).

The paper focused on balancing the desire to develop an innovative and responsible digital asset ecosystem in Singapore, while protecting consumers against the risks associated with cryptocurrency trading and speculation. The consultation closed on 21 December 2022.

MAS published the responses to the consultation feedback in parts. Part 1 of the consultation response, which focused on the requirements for segregation and custody of customers’ assets and the safeguarding of assets under a statutory trust, was published on 3 July 2023. Part 2 of the consultation response, focusing on business conduct, consumer access measures and technology and cybersecurity risk requirements, was published recently on 23 November 2023.

BUSINESS CONDUCT MEASURES

MAS has significant concerns regarding the potential consumer harm that arises from certain combinations of DPT activities conducted within the same DPT service provider and its related entities. Under the new measures, DPT service providers are required to establish and implement effective policies and procedures to identify and address conflicts of interest (COI) and disclose to customers the nature of activities and sources of COI, and the relevant measures and controls that they have put in place to mitigate the COI.

Depending on the combination of DPT activities, DPT service providers should put in place specific mitigating measures that can address and minimise consumer harm, such as the following:

• Where a DPT service provider operates a market and also acts as a broker, it should set up separate legal entities with separate management teams such that the two functions are independent of one another and provide clear client disclosures.
• Where a DPT service provider acts as a broker and also transacts on its own account, it should put in place proper functional segregation (e.g., separate reporting lines) and effective Chinese walls, to avoid unfair trading practices by the DPT service provider. The DPT service provider should also provide clear client disclosures so that the customer is aware of the capacity and manner in which the DPT service provider is executing the customer order.
• Where a DPT service provider or its related entity (1) issues its own or related tokens and/or (2) has proprietary holdings of tokens and lists these tokens on its market or trading platform, a disclosure-based approach will apply. A DPT service provider will be required to make appropriate disclosures, including on (1) the potential conflicts and risks arising from its own or related token listings; (2) specific steps and measures that have been put in place to effectively address the risks and COI, including any segregation of its surveillance function from its trading or market function; and (3) proprietary holdings of any tokens at the point of token listing. DPT service providers may also consider further disclosures, such as the quantum or size of such proprietary holdings, and provide a suitable frequency of periodic updates of these holdings following the token listing, which may be useful information for customers.

In addition, MAS expects DPT service providers to assess the effectiveness of the mitigating measures to address any potential COI on a regular basis and take a prudent approach should the measures be assessed to be inadequate to effectively address COI. Examples of effective mitigating measures include segregating the functions or activities into separate legal entities with independent management oversight or to discontinuing the relevant activities completely.

As part of the regular review process, DPT service providers should also conduct close monitoring of their employees’ trading activities, and their access to material non-public information to safeguard clients’ interests.

Disclosure of DPT Listing and Governance Policies

DPT service providers will also be required to publicly disclose their listing and governance policies for tokens listed and offered on their markets and trading platforms. MAS expects senior managers to have responsibility, control, and oversight over the DPT service provider’s listing and governance policies, including being responsible for listing, suspension, and de-listing decisions.

There is no prescribed template or form for disclosure, but disclosures should be made to all customers in a clear, legible, and concise manner and should not trivialise the risks of DPT trading.

Complaints Handling and Dispute Resolution

DPT service providers will be required to put in place complaints handling policies and procedures. Such policies and procedures should apply minimally to the dealings of DPT service providers with their retail customers, and to all complaints relating to the provision of DPT services by DPT service providers.

MAS will not at this point in time require DPT service providers to submit regular returns on complaints data to MAS, but DPT service providers are expected to properly monitor and track complaints and complaints trends, such that customer complaints are handled and resolved in a fair and timely manner, and to be able to provide such information to MAS when requested. To minimise conflicts of interest, the unit in charge of handling customer complaints should not be directly involved in the provision of DPT services.

MAS also clarified that DPT service providers should resolve disputes with retail customers using any of the principal modes of dispute resolution available in Singapore, such as mediation, arbitration, and litigation in the Singapore courts. This is because retail customers would be disadvantaged if the recourse process is difficult to access or becomes protracted in a disproportionate manner.

CONSUMER ACCESS MEASURES

Summary of Consumer Access Measures

To discourage retail customers from cryptocurrency speculation and limit potential consumer harm, MAS will proceed with consumer access measures applicable to retail customers (namely, customers who are not accredited investors (AIs) or institutional investors each as defined in the Securities and Futures Act 2001 of Singapore). These measures include requiring DPT service providers to:

• determine a customer’s risk awareness to access DPT services;
• not offer any incentives to trade in cryptocurrencies;
• not provide financing, margin, or leverage transactions;
• not accept locally issued credit card payments; and
• limit the value of cryptocurrencies in determining a customer’s net worth.

Scope of Consumer Access Measures

Given the cross-border nature of DPT services, DPT service providers regulated in Singapore are required to apply the consumer access measures to all retail customers, regardless of residency. This approach is intended to reduce the risk of DPT service providers setting up in Singapore with the intent to primarily serve foreign retail customers who are not subject to the consumer access measures.

Determination of Accredited Investor Eligibility

MAS will adopt a “opt-in” regime for AIs for the application of the above consumer access measures. In practice, this would mean that DPT service providers would treat all customers (other than institutional investors) as retailer customers by default, and where a customer meets the criteria of an AI, the customer would have the choice of opting to be treated as an AI.

To determine AI eligibility, holdings of DPT are permitted to be taken into account but will be subject to a minimum 50% haircut to their valuation due to the volatility and lack of economic fundamentals underpinning valuation of DPTs. DPT holdings that can be taken into account in determining AI eligibility will hence be set at (1) the DPT valuation after applying a 50% haircut or (2) SGD $200,000 (USD $150,230), whichever is lower.[1]

However, DPT service providers may adopt their own valuation models as long as they “achieve the same or more prudent outcome.” For MAS-regulated stablecoins, MAS will allow them to be treated in the same manner as fiat, and stablecoins will not be subject to the same “haircut” treatment as DPTs for the purposes of assessing a customer’s AI eligibility.

Risk Awareness Assessment

DPT service providers will be required to assess if a retail customer has sufficient knowledge of the risks of DPT services before providing DPT services to that customer. As an overarching principle, MAS will require DPT service providers to put in place the appropriate internal policies and procedures to ensure a fair and robust assessment. The risk awareness assessment should also include business conduct risks arising from varying business models of DPT service providers (e.g., risks stemming from conflicts of interest, custody of DPTs, etc.), limitations of regulatory protection, and more broadly, risks associated with DPTs. The list of risks that will be set out in the guidelines is, however, non-exhaustive, and DPT service providers should include any additional risks in its assessment that are relevant to its provision of DPT services.

DPT service providers are expected to conduct the risk awareness assessment for all retail customers prior to providing any DPT service after the new guidelines become effective.

For retail customers who have been initially assessed to have insufficient knowledge of the risks, DPT service providers are allowed to conduct reassessments. MAS has decided against implementing cooling-off period between assessments for the time being.

MAS will not impose a validity period on the risk awareness assessment or require DPT service providers to reassess retail customers at regular intervals given that new risks associated with DPT services may arise as DPT markets continue to evolve. However, DPT service providers should have in place internal processes to review and update the risk awareness assessment administered and assess if retail customers should be required to undertake an updated risk awareness assessment or part thereof.

Restrictions on Offering of Incentives

DPT service providers are prohibited from offering incentives, monetary or otherwise, to prospective and existing retail customers. This restriction will broadly apply to sign-up incentives, referral incentives, and trading incentives aimed at enticing consumers to trade in DPTs, including “learn-and-earn” programmes, as these typically overemphasize the “earn” component.

Restrictions on Debt-Financed and Leveraged DPT Transactions

Under the new measures, DPT service providers are restricted from (1) providing to a retail customer any credit facility to facilitate retail customers’ purchase or continued holdings of DPTs; and (2) entering into any leveraged DPT transaction with a retail customer or facilitating a retail customer’s entry into any leveraged DPT transaction with any other person. Such transactions would include margin trading, DPT futures, options, and other derivative transactions.

DPT service providers are also not allowed to accept credit card or charge card payments, except from foreign-issued credit cards or charge cards. MAS is of the view that credit card and charge card usage would allow retail customers easy access to debt financing, running counter to MAS’s policy intent to restrict purchases of cryptocurrencies on credit.

Payments by foreign-issued credit cards are permitted, as MAS recognises that there are limited payment alternatives available for a foreign retail customer, compared to a retail customer in Singapore who has access to other modes of payment.

MEASURES RELATING TO TECHNOLOGY AND CYBER RISK

MAS Notice PSN05, issued under the PS Act, sets out requirements for a high level of reliability, availability, and recoverability of critical information technology (IT) systems and for such entities to implement IT controls to protect customer information from unauthorised access or disclosure. Under the new measures, the requirements under MAS Notice PSN05 will apply to DPT service providers.

IMPLEMENTATION TIMELINE

Implementation details for the new measures will initially be provided in the form of guidelines to be published in mid-2024 with a nine-month transition period for implementation. MAS encourages the industry to start early preparations to implement these measures and will continue to engage industry players on the progress of implementation.

OBSERVATIONS AND COMMENTS

Given the relatively short time frame given for the implementation of the new measures, DPT service providers will need to adapt to the new requirements quickly and may have to restructure parts of their business processes and operations in order to comply, particularly DPT service providers that deal with retail customers.

DPT service providers should review their existing policies, procedures, and business model to ensure compliance with the new measures, in consultation with legal and compliance professionals. While these new measures may lead to increased compliance costs in the short term, the clearer and more robust regulatory framework may also stablise the market and strengthen investor confidence in the DPT market.

[1] This treatment of DPTs will also apply to the determination of AI eligibility under the Securities and Futures Act 2001 of Singapore (SFA), and this will be clarified through existing SFA FAQs on the definition of AI and the AI opt-in regime.

[View source.]