MAS to strengthen regulatory measures for digital payment token services

14 December 2023

On 23 November 2023, the Monetary Authority of Singapore (“MAS”) announced the finalised measures relating to business conduct, consumer access and managing technology and cyber risks for digital payment token (“DPT”) service providers (“DPTSPs”).

The finalised measures were set out in the second part of MAS’ response (“Part 2 of the Response”) to feedback on its consultation paper on proposed regulatory measures for DPT services. The consultation paper, which was issued on 26 October 2022, highlighted MAS’ vision to develop an innovative and responsible digital asset ecosystem in Singapore and to strongly discourage cryptocurrency trading and speculation given the significant risks and consumer harms. In the first part of its consultation response, which was published on 3 July 2023, MAS focused on the requirements for segregation and custody of customers’ assets and legislative amendments to safeguard customer assets under a statutory trust.

MAS will issue guidelines to set out its expectations for DPTSPs (“Guidelines”) as a first step towards implementing the business conduct and consumer access measures. MAS will also expand the scope of the Notice for Technology Risk Management (“Notice”) under the Payment Services Act 2019 to implement the technology and cyber risk measures. The Notice does not currently apply to DPTSPs.

Highlights of the finalised measures set out in Part 2 of the Response are outlined below.

Business conduct measures

Identification and mitigation of conflicts of interest

MAS will proceed with the proposal for DPTSPs to establish and implement effective policies and procedures to identify and address conflicts of interest, and to disclose to customers the nature of activities and sources of conflicts of interest and the relevant measures and controls that the DPTSPs have put in place to mitigate the conflicts of interest.

Where a DPTSP conducts combinations of DPT activities within the same entity, the following measures should be put in place:

• Where a DPTSP operates a market and also acts as a broker, it should set up separate legal entities with separate management teams such that the two functions are independent of one another, and provide clear client disclosures.
• Where a DPTSP acts as a broker and also transacts on its own account, it should put in place proper functional segregation (e.g. separate reporting lines) and effective Chinese walls.

Where a DPTSP or its related entity (a) issues its own or related tokens, and/or (b) has proprietary holdings of tokens, and lists these tokens on its market or trading platform, the DPTSP would have the means and incentive to influence the value of these tokens. However, MAS has also observed instances where a DPTSP may have developed a business proposition around tokens that itself or its related entity has issued, and has continued to offer these tokens for trading on its platform. To address this, MAS will proceed with a disclosure-based approach. A DPTSP therefore should make appropriate disclosures, including regarding (i) the potential conflicts and risks arising from own or related token listings, (ii) specific steps and measures that have been put in place to effectively address the risks and conflicts of interest, including any segregation of its surveillance function from its trading or market function, and (iii) proprietary holdings of any tokens at the point of token listing.

Disclosure of DPT listing and governance policies

MAS will proceed with the proposal for DPTSPs to publicly disclose their listing and governance policies for tokens listed and offered on their markets and trading platforms. All DPTSPs should assess whether they have provided sufficient and understandable information to allow customers to make informed decisions about how they have applied their evaluation criteria before making a DPT available for trading on their DPT trading platform.

Complaints handling and dispute resolution

MAS will proceed with the proposal for DPTSPs to put in place complaints handling policies and procedures. This will be broadly aligned with the scope and rules set out under the Financial Advisers (Complaints Handling and Resolution) Regulations 2021.

Consumer access measures

Scope of consumer access measures

MAS will proceed with the consulted position to apply consumer access measures to retail customers, which will be scoped to customers who are not accredited investors (“AIs”) or institutional investors (“IIs”). The definitions of AI and II in the Guidelines will be aligned with that in the Securities and Futures Act 2001 (“SFA”). The consumer access measures would not apply to DPTSP entities seeking services from another DPTSP, if the DPTSP entities seeking the services do not qualify as AI or II.

MAS will adopt an “opt-in” regime for AIs, similar to the SFA, for the application of consumer access measures for DPT services. In practice, this would mean that DPTSPs would treat all customers (other than IIs) as retail customers by default, and customers which meet the AI criteria have the choice of opting to be treated as AIs.

MAS will apply the consumer access measures to all retail customers, regardless of residency, as these measures aim to reduce consumer harm for retail consumers, and given the cross-border nature of DPT services and that currently there is no distinction between foreign-based and local-based retail customers under the SFA or the Financial Advisers Act 2001.

Treatment of DPT holdings for determining AI eligibility

MAS will allow DPTs to be taken into account in determining AI eligibility. However, given the volatility and lack of economic fundamentals underpinning DPT values, the DPT holdings that can be taken into account in determining AI eligibility should be set at (i) the DPT valuation after applying a haircut of 50%, or (ii) S$200,000, whichever is lower.

For consistency, the above treatment of DPTs will also apply to the determination of AI eligibility under the SFA.

MAS will allow MAS-regulated stablecoins to be treated in the same manner as fiat. The above treatment of DPTs will not apply to MAS-regulated stablecoins when assessing a customer’s AI eligibility.

Risk awareness assessment

MAS will proceed with the proposal to require DPTSPs to assess if a retail customer has sufficient knowledge of the risks of DPT services before providing DPT services to that customer. DPTSPs would be required to put in place the appropriate internal policies and procedures to ensure a fair and robust assessment.

For retail customers who have been initially assessed to have insufficient knowledge of the risks, MAS will proceed with allowing DPTSPs to conduct re-assessment(s) and for the retail customer to re-take the risk awareness assessment.

Restrictions on offering of incentives

MAS will proceed with the proposed restriction on incentives. Specifically, DPTSPs should not offer incentives, monetary or otherwise, to prospective and existing retail customers. This restriction will broadly apply to sign-up incentives, referral incentives and trading incentives that have an intent to entice consumers to trade in DPTs. The same restriction will apply to activities such as “learn and earn” programmes.

Restrictions on debt-financed and leveraged DPT transactions

MAS will proceed with the proposal to restrict DPTSPs from (i) providing to a retail customer any credit facility to facilitate retail customers’ purchase or continued holdings of DPTs, and (ii) entering into any leveraged DPT transaction with a retail customer or facilitating a retail customer’s entry into any leveraged DPT transaction with any other person. Such transactions would include margin trading, DPT futures, options and other derivative transactions.

DPTSPs will not be allowed to accept credit card or charge card payments, except from foreign-issued credit cards or charge cards.

Measures relating to managing technology and cyber risks

MAS will mandate the requirements in the Notice, i.e. MAS Notice PSN05 (which sets out requirements for a high level of reliability, availability and recoverability of critical IT systems and for such entities to implement IT controls to protect customer information from unauthorised access or disclosure), to DPTSPs. DPTSPs should perform a risk assessment and determine the system recovery and business resumption priorities. However, in the context of “critical systems”, DPTSPs are required to implement an effective and swift recovery strategy for systems where a system failure will lead to a severe and widespread impact on its operations or materially impact the DPTSP’s customers.

Implementation

Implementation details for the measures covered in Part 2 of the Response will initially be provided in the form of Guidelines to be published in mid-2024 with a nine-month transition period for implementation.

MAS will also mandate the requirements in the Notice to DPTSPs in early 2024 with a nine-month transition period for implementation.

MAS has also stated that for the asset segregation and custody measures, MAS will publish the subsidiary legislation in due course and there will be a six-month transition period for implementation.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg:

• Press release: MAS strengthens regulatory measures for digital payment token services

• Response to Public Consultation on Proposed Regulatory Measures for Digital Payment Token Services (Part 2)