MAS calibrates consumer protection measures to curb crypto trading risks

9 November 2022 | Asia | Articles

The MAS has issued a consultation paper setting out proposed regulatory measures addressing the risks posed by cryptocurrency trading and services to consumers in Singapore. For retail customers increasingly trading in cryptocurrencies, these proposed regulatory changes stress the importance of considering the associated risks, even if opportunities are aplenty.

In this consultation paper titled ‘Proposed Regulatory Measures for Digital Payment Token Services’, the MAS sets out its observations, policy considerations and proposed regulatory measures in three key areas: consumer access; business conduct; and technology. The paper also discusses best-practice when addressing market integrity risks.

It’s no surprise that the proposed consumer access measures make it difficult for less sophisticated retail customers to purchase Digital Payment Tokens (DPTs) in Singapore as this is, after all, the key objective of the MAS. Retail investors must now pass knowledge assessments and are required to fully pre-fund their trades (i.e., borrowing or trading on margin is not permitted). These measures will ensure that only the well-informed and well-resourced retail investors can have access to speculate on DPTs.

The proposed business conduct measures such as safeguarding, segregation, daily computation of customer’s DPTs and complaints handling, align DPT trading with the current rules and regulation for dealing in capital markets products under the Securities and Futures Act. The tried and tested securities regulations have successfully created a fair, transparent, efficient and stable Capital Markets sector in since 2008. Likewise, these business conduct measures for Digital Payment Token Service Providers (DPTSPs), coupled with market integrity measures such as monitoring and trade surveillance, should create a trusted DPT marketplace.

Since 2021, US$6.2 billion in cryptocurrencies were lost to hackers, with US$7.7 billion being lost through scams and fraud in 2021. In Singapore, the number of police reports have jumped five-fold since 2019. Given the sharp rise in consumers losing DPTs to cyber theft and fraud in , the MAS has increased its rigor in managing technology and cyber risks. DPTSPs now need to adopt the same rules as banks when managing these risks. These rules are necessary and should be enforced to be effective.

Although the proposed measures may seem onerous, the MAS believes they are necessary to create a safe digital asset ecosystem for consumers and service providers.

Consumer access measures

Risk awareness assessment

DPTSPs, being the key access point to the DPT market, have a responsibility to guard against consumers participating in a market they don’t fully understand. MAS proposes that DPTSPs should assess that a retail customer has sufficient knowledge of the risks of DPT services such as price volatility, loss of all monies, illiquidity, losing access to DPTs and theft of DPTs before providing any DPT service to that customer. The MAS is also encouraging public comments on possible next steps for DPTSPs, should retail customers be assessed as not having sufficient knowledge of DPT service risks.

Restriction on offering of incentives

Offers of incentives to retail customers can entice them to participate in DPT services without fully considering the risks involved. The MAS proposes an outright restriction of all monetary and non-monetary incentives to those participating in a DPT service, or to any person referring a DPT service to retail customers.

Debt-Financed and Leveraged DPT transactions

Due to the inherent risks of DPTs, retail customers shouldn’t borrow to purchase DPTs. DPTSPs are advised not to provide credit facilities or enter any leveraged DPT transactions with retail customers. DPTSPs must also avoid accept any credit card or charge card payments made by these customers.

Business conduct measures

To establish baseline conduct norms for DPTSPs, the MAS intends to introduce business conduct standards in key areas of concern after taking into consideration industry best-practices and regulatory proposals introduced in other jurisdictions.

Segregation of Customers’ Assets and Risk Management Controls

To minimise the risk of loss or misuse of customers’ assets, DPTSPs should ensure that customers’ assets are segregated from its own assets and held for the benefit of the customer. DPTSPs will be required to provide written disclosures to customers, conduct daily reconciliation of customer assets and provide customers with monthly account statements. The MAS may require DPTSPs to appoint an independent custodian to hold customers’ assets for further protection.

DPTSPs are advised to take effective measures to safeguard the private keys and storage of customers’ DPTs. For example, DPTSPs could:

• Institute processes that restrict staff members from authorising the movement of customers’ DPTs.
• Implement operational controls to prevent the loss of cryptographic keys.
• Store a suitably high proportion of customers’ DPTs in cold wallets.

To safeguard retail customers’ DPTs from the risks of unregulated borrowing and lending, the consultation paper proposes that DPTSPs should not mortgage, charge, pledge or hypothecate  the retail customer’s DPTs. For non-retail customers, DPTSPs should provide a clear risk disclosure document and obtain the customer’s explicit consent.

Identification and mitigation of conflicts of interest

DPTSPs often engage in multiple business activities, which may give rise to conflicts of interest (COI). The paper suggests that DPTSPs should implement effective policies and procedures to identify, address, disclose and mitigate COI. DPTSPs should disclose the way they handle and execute customer orders, and the capacity in which they are doing so. Further, the MAS intends to ban DPTSPs and their related companies from trading for their own account.

Disclosure of DPT Listing and Governance policies

DPT trading platform operators should be ultimately accountable and responsible for the DPTs which are available for trading on their platforms. Operators should disclose their DPT listing and governance policies that address the following:

• The criteria, due diligence, processes and fees applied in making a DPT available for trading on the DPT trading platform.
• The conditions under which DPTs may remain available for trading, be suspended or removed from trading.
• The processes by which DPTs are removed from trading, and the rights available to customers.
• The requirements to address unfair or disorderly trading practices of DPTs on the DPT trading platform.
• The settlement procedures of DPT transactions.

Complaints handling

Customer complaints are important indicators of the problems that customers face with their service providers. The monitoring of complaints allows the service provider to take timely remedial measures to address those problems. To ensure that customer complaints are dealt with in a fair and timely manner, the MAS proposes that DPTSPs have adequate policies and procedures in place to handle customer complaints. For example, a DPTSP could establish a complaints-handling unit that is not directly involved in the provision of DPT services and ensure that information from its complaints handling process is publicly available.

Managing technology and cyber risks

To improve IT resilience, and maintain trust and confidence in DPT services, DPTSPs are encouraged to adopt the requirements set out in the MAS Notice 644 Technology Risk Management, which is also applicable to banks. The Notice requires DPTSPs to:

• Put in place a framework and process to identify critical systems.
• Ensure that the maximum unscheduled downtime for each critical system does not exceed a total of four hours within any period of 12 months.
• Establish a recovery time objective of no more than four hours for each critical system.
• Notify the MAS as soon as possible, but not later than, one hour upon the discovery of a system malfunction or IT security incident severely and widely impacting the DPTSP’s operations or materially impacting the service to its customers.
• Submit a root cause and impact analysis report to the MAS within 14 days. Implement IT controls to protect customer information from unauthorised access or disclosure.

Upholding market integrity

DPT markets have been susceptible to unfair trading practices, market manipulation, misleading conduct and insider trading by nefarious actors. Such conduct distorts the price discovery process and undermines customers’ trust and confidence in the functioning and integrity of DPT markets. As such, DPT trading platform operators are encouraged to implement good industry practices to detect and deter unfair trading practices. These include real-time surveillance systems to monitor trading activities and the disclosure and enforcement of rules governing the trading activities on the DPT trading platforms.

Implementation options

As a first step to implementing these proposals, the MAS is intending to issue guidelines, taking into account responses to this consultation paper. It then aims to publish details on the regulatory requirements and subsidiary legislation.

Given the importance of addressing the risks of consumer harm in a timely manner, a relatively shorter transition period of six to nine months has been suggested for DPTSPs to meet these guidelines.

Implementing the proposed measures will require significant changes to your internal processes and controls. New requirements such as customer asset reconciliation, market surveillance and monitoring will require additional resources and headcount. Policies for complaints, critical systems and COI also need to be developed. There is a lot of work for DPTSPs to do to satisfy these proposed requirements. DPTSPs who successfully navigate and align your business with the MAS’ regulatory framework can expect to reap benefits in the medium to long term such as customer confidence and greater market share in the digital asset ecosystem.

How we can help

We regularly help firms offering digital capital markets products and cryptocurrencies with their MAS licence applications. We also provide regulatory and compliance support, including internal audit services.

If you are keen to expand your business footprint in Singapore, particularly in the digital assets space, we will be happy to take you through the MAS’ regulatory landscape.