MAS finalises measures to limit crypto harm

The MAS has issued the second part of its response to the Digital Payment Token Services consultation paper, focusing on customer access measures, enhanced business conduct requirements and technology risk management. Notably, Digital Payment Token service providers are prohibited from offering retail customers incentives to trade in cryptocurrencies, providing financing, margin or leverage transactions and accepting locally issued credit card payments. MAS also requires these service providers to implement robust conflict of interest management and complaints handling. With guidelines being planned for early to mid-2024, now is the time to begin implementing robust measures to ensure consumers are protected from illicit crypto activity.

The paper: ‘Response to Public Consultation on Proposed Regulatory Measures for DPT Services Part 2’, is the response to the consultation paper issued in October 2022 titled ‘Proposed Regulatory Measures for Digital Payment Token Services’. This is Part 2 of a two-part response (we covered Part 1 of the response here). It focuses on the feedback received on MAS’ proposed requirements for retail consumer access, enhanced business conduct requirements, and technology and cyber risk management by licensed and exempt payment service providers that carry on the business of providing a Digital Payment Token (DPT) service under the Payment Services Act (collectively known as DPT service providers or DPTSPs).

To implement these measures, the MAS plans to issue Guidelines in mid-2024 with a nine-month transitional period. However, the technology and cyber risk management requirements will be implemented earlier by expanding the scope of MAS Notice PSN05 in early-2024 with a 9-month transitional period.

Measures relating to consumer access

Scope

DPTSPs will be required to apply consumer access measures to all retail customers – that is customers who are not Accredited Investors (AI) or Institutional Investors (II) – regardless of their residency. The definitions of AI and II will be aligned with that in the Securities and Futures Act (SFA), and there will also be an “opt-in” regime for AIs. However, there will not be an Expert Investor classification in the DPT context. In practice, this means DPTSPs are to treat all customers (except IIs) as retail customers by default, and where a customer meets the criteria of an AI, provide the customer with the choice to be treated as an AI.

Determining AI eligibility

DPT holdings can be taken into account to determine AI eligibility. However, given the volatility and lack of economic fundamentals underpinning DPT value, MAS requires a minimum 50% haircut to be applied to the valuation. There will also be a cap of S$200,000 on the overall value of DPTs when considering an individual’s net worth. This treatment does not apply to MAS-regulated stablecoins, which can be treated in the same manner as fiat.

Risk awareness assessment

DPTSPs will be required to put in place appropriate internal policies and procedures that ensure fair and robust assessment of whether a retail customer has sufficient knowledge of the risks of DPT services (including for existing retail customers), before providing the services.

For retail customers who have been initially assessed to have insufficient knowledge of the risks, re-assessments are allowed without a cooling-off period between them. However, DPTSPs should implement appropriate policies and procedures to facilitate and encourage retail customers to build their understanding and knowledge of the risks involved prior to being re-assessed. Subsequent assessments should remain equally robust, for example, by having a sufficiently diverse question bank and system to generate different questions.

There will not be a validity period on the risk awareness assessment and periodic re-assessment is not required. However, as DPT markets continue to develop and mature, DPTSPs should have in place internal processes to review and update the risk awareness assessment administered and assess if retail customers should be required to undertake an updated risk awareness assessment or part thereof.

Restrictions on offering of incentives

The MAS has chosen to adopt a prudent approach at this juncture and prohibit DPTSPs from offering incentives, monetary or otherwise, to prospective and existing retail customers. This restriction will broadly apply to sign-up incentives, referral incentives, trading incentives, and also “learn and earn” programmes.

Restrictions on debt-financed and leveraged DPT transactions

DPTSPs will be restricted from: (i) providing to a retail customer any credit facility to facilitate their purchase or continued holdings of DPTs; and (ii) entering into any leveraged DPT transaction with a retail customer or facilitate a retail customer’s entry into any leveraged DPT transaction with any other person. This restriction applies on top of the existing prohibition in the Payments Services Act, restricting DPTSPs from granting any credit facility to any individual in Singapore. Furthermore, the MAS will not allow DPTSPs to accept credit card or charge card payments by retail customers, except from foreign-issued credit cards or charge cards.

Measures relating to business conduct

Identification and mitigation of conflicts of interest (COI)

DPTSPs will be required to implement effective policies and procedures to identify and address COI, and disclose to customers the nature of activities and sources of COI, and the relevant measures and controls that the DPTSPs have put in place to mitigate the COI.

A DPTSP and its related entities should not trade on markets that they operate, unless for the purposes of matched principal trading. . Where a DPTSP conducts the following combinations of DPT activities within the same entity, it should put in place the following measures:

  • Operating a market and acting as a broker: Set up separate legal entities with separate management teams such that the two functions are independent of one another, and provide clear client disclosures.
  • Acting as a broker and transacting on own account: Put in place proper functional segregation (e.g., separate reporting lines), effective Chinese walls, and provide clear client disclosures so that the customer is aware of the capacity and manner in which the DPTSP is executing the customer order.

At this juncture, the MAS has chosen to take a disclosure-based approach to mitigate potential COIs for DPTSPs (or related entities) by issuing its own (or related tokens) and/or has proprietary holdings of token, while listing these tokens on its markets or trading platform. Such DPTSPs will be expected to make appropriate disclosures in relation to the listing and trading of all DPTs, including:

  • the potential conflicts and risks arising from own or related token listings
  • specific steps and measures that have been put in place to effectively address the risks and COI, including any segregation of surveillance function from trading or market function
  • proprietary holdings of any tokens at the point of token listing.

DPTSPs are also required to assess the effectiveness of mitigating measures to address any potential COI on a regular basis, and take a prudent approach should the measures be assessed to be inadequate to effectively address COI.

Disclosure of DPT listing and governance policies

DPTSPs will be required to publicly disclose their listing and governance policies for tokens listed and offered on their markets and trading platforms. All DPTSPs should assess whether they have provided sufficient and understandable information to allow customers to make informed decisions about how they have applied their evaluation criteria before making a DPT available for trading on their DPT trading platform. Senior managers need to be given the responsibility, control and oversight over the DPTSP’s listing and governance policies, including being responsible for listing, suspension and de-listing decision.

DPTSPs should also consider appropriate measures to address COI, including any which may arise from commercial decisions that may impede the effectiveness and independence of its DPT listing and governance policies and procedures.

All disclosures should be made to all customers in a clear, legible and concise manner, and in a way that does not trivialise the risks of DPT trading.

Complaints handling and dispute resolution

DPTSPs will be required to put in place complaints handling policies and procedures that are broadly aligned with the scope and rules set out under the Financial Advisers (Complaints Handling and Resolution) Regulations 2021. Such policies and procedures should apply minimally to DPTSPs’ dealings with retail customers, and to all complaints relating to DPTSPs’ provision of DPT services.

DPTSPs are expected to properly monitor and track complaints and complaints trends, so as to handle and resolve customer complaints in a fair and timely manner, and to provide such information to MAS when requested. The unit in charge of handling customer complaints should not be directly involved in the provision of DPT services.

DPTSPs should resolve disputes with retail customers using any of the principal modes of dispute resolution available in Singapore, such as mediation, arbitration and litigation in the Singapore courts.

Measures relating to technology and cyber risk management

MAS will expand the scope of MAS Notice PSN05 to include DPTSPs, including  notifying the MAS within one hour upon the discovery of a relevant incident. DPTSPs will be required to perform a risk assessment and determine the system recovery and business resumption priorities.

DPTSPs are also required to implement an effective and swift recovery strategy for systems where a system failure will lead to a severe and widespread impact on its operations or materially impact the DPTSP’s customers (‘critical systems’). However, MAS has clarified that the four-hour Recovery Time Objective will not apply to the underlying public blockchain of DPTs.

How we can help

We help payment services firms including those who offer DPTs with their MAS licence applications. We also provide regulatory and compliance support, including internal audit services.

If you are keen to expand your business footprint in Singapore, particularly in the digital assets space, we will be happy to take you through the MAS’ regulatory landscape.

Menu