Monetary Authority of Singapore’s Proposed Measures to Regulate DPTSPs and Enhance Customer Protection

By Leon Yee and Yeo Ming Ze

I.              Introduction

The Monetary Authority of Singapore (“MAS”) published the “Response to Feedback Received on Proposed Regulatory Measures for Digital Payment Token Services (Part 1)” (“MAS’ Response to the October 2022 Consultation Paper”) on 3 July 2023, announcing new measures for Digital Payment Token service providers (“DPTSPs”) with regards to the safekeeping of customers’ digital assets. The lack of protection and segregation of customer deposits appear to be the chief concern that MAS intends to tackle with their new slate of measures. It is hoped that with the stricter rules in place, it will reduce the risk of loss or misuse of customers’ assets by DPTSPs and facilitate customer’s fund recovery in the event of a DPTSP’s insolvency. This proactive approach demonstrates Singapore’s commitment to creating a more secure environment – taking lessons from the past experiences of renowned crypto exchanges like Voyager and Celsius. These developments lay the foundation for a resilient and trusted crypto space in Singapore.

These new measures are proposed following the Consultation Paper on “Proposed Regulatory Measures for Digital Payment Token Services” published on 26 October 2022 (the “October 2022 Consultation Paper”) aimed at enhancing investor protection and market integrity in digital payment token (“DPT”) services. MAS is now seeking public feedback on the draft legislative amendments to the Payment Services Regulations 2019 (“PSR”), which is expected to be in force by October 2023.

II.             Hold Digital Assets on Trust

MAS proposes to enact a new Regulation 16C in the PSR which sets out customer assets segregation and custody requirements for licensed DPTSPs. All references to legislation below are based on their draft form.

Previously, safeguarding obligations under section 23 of the Payment Services Act 2019 (“PSA”) only applied to major payment institutions, which were (among other things) institutions that had an average monthly transaction value exceeding S$3 million for one payment service; or S$6 million for 2 or more payment services (as the case may be). However, MAS will now extend the existing requirements on the safeguarding of customers’ moneys to all DPTSP licensees regardless of whether they constitute major payment institutions. As with the existing requirements, customers’ moneys held by DPTSPs will now be required to be safeguarded with financial institutions in Singapore, which will facilitate the recovery of customers’ moneys in the event of a DPTSP’s insolvency.

A.    Safeguarding Customers’ Assets in Custody Accounts

Regulation 16C(1) stipulates that, among other things, a DPTSP that provides a DPT service must, no later than the next business day after any assets (including DPTs) are received from, or on account of, a customer, deposit the assets (including DPTs) belonging to the customer in a custody account held on trust for the customer that is maintained with a safeguarding institution; or return the assets (including DPTs) to the customer.

In addition, Regulation 16C(2) provides that all assets (including DPTs) deposited in the custody account mentioned under Regulation 16C(1) cannot be used for the payment of the debts of the DPTSP; and the assets are not liable to be taken under or pursuant to an enforcement order or a process of any court.

Regulation 16C(3)I further states that a licensed DPTSP must treat and deal with all assets received from a customer as belonging to the customer and deposit all customers’ assets in the custody account.

(1)   Who may act as a safeguarding institution? Must a safeguarding institution also be a custodian licensed to provide custodial services under the Securities and Futures Act 2001 (“SFA”)?

According to Regulation 16C(8)(e) of the PSR, a safeguarding institution refers to the person that the custody account is maintained with. Section 23 of the PSA further defines a safeguarding institution as including a bank or any other financial institution in Singapore.

In the October 2022 Consultation Paper, MAS had considered that it might be useful to require DPTSPs to appoint an independent custodian to hold customers’ assets. However, after reviewing the responses to the consultation paper, MAS decided that it would not mandate the use of independent custodians for customers’ assets since there are only a limited number of independent third-party custodians in Singapore currently. In fact, the licensed DPTSP may maintain the custody account itself pursuant to Regulation 16C(9). However, the DPTSP must ensure operational independence of its custody function from other business units. An example of a DPTSP that is already conducting self-custody on behalf of its customers is the Gemini Trust Company (“GTC”) based in New York. GTC custodies its clients’ digital assets in either a depository account or custody account in trust for its clients.

Putting aside the lack of a statutory definition of “independent”, it is important to note that there is no legislative requirement for the independent custodians (as referred to herein) to hold a Singapore Capital Markets Services (CMS) license for providing custodial services, as the assets being safeguarded are specifically related to DPTs. Nevertheless, investors may feel more confident with DPTSPs that already work with independent custodians for digital assets that possess such CMS licences as well (as they custodise security tokens). According to market sources, an example would be Hydra X which is licensed by MAS to provide independent custody of digital assets. It appears that HydraX is one of the few independent regulated custodians in the region – with an emphasis on providing institution-grade digital asset custody solutions for regulated issuers, marketplaces, and operators. Please note that if any such DPTs are considered as a form of security (i.e. security tokens) or some other type of capital market products, the independent custodian would require a CMS license when providing DPT safeguarding services for such security tokens.

Where it maintains the custody account with a safeguarding institution other than itself:–

(a)   Regulations 16C(3)(a), (e) and (f) provide that the licensed DPTSP must assess and be satisfied of the suitability of the safeguarding institution before opening the custody account with the safeguarding institution and, on an annual basis, keep records of the grounds on which the licensed DPTSP was satisfied;

(b)   Regulation 16C(3)(b)(i) provides that the licensed DPTSP must give written notice to the safeguarding institution and obtain an acknowledgment from the safeguarding institution that:–

(i)            all the customer’s assets deposited in the custody account are held on trust by the licensed DPTSP for the customer;

(ii)           the safeguarding institution must not claim any lien, right of retention or sale over any asset standing to the credit of the custody account, except where the licensed DPTSP has obtained the customer’s written consent or in respect of any charges as agreed upon in the terms and conditions relating to the administration or custody of the customer’s assets; and

(iii)          the account is designated as a trust account, or a customer’s or customers’ account.

(c)   Regulation 16C(3)(b)(ii) provides for the disclosures that the licensed DPTSP must provide to the customers.

B.    No Commingling or Unauthorised Application of Customer’s Assets 

Regulation 16C(3)(d) provides that the licensed DPTSP must not commingle customers’ assets with any other assets. However, the assets belonging to one customer may be commingled with the assets belonging to other customers, but this pool must be kept separate from the DPTSP’s own assets as provided under Regulation 16C(4).

Regulation 16C(3)(g) provides that the licensed DPTSP must not transfer any right, interest, benefit or title in the customer’s assets unless the transfer is in accordance with the customer’s written instructions obtained prior to each transfer or is authorised by law in accordance with Regulation 16C(5).

Regulation 16C(3)(h) provides that the licensed DPTSP must apply the customer’s assets solely for the purposes agreed to by the customer.

III.           Disclosures, Record-keeping and Reconciliation

A.    Adequate Notice of Risk

MAS highlighted that DPTSPs would have to inform customers of the risks of having their digital assets held by the DPTSP. Regulation 16C(3)(b)(ii) provides that the licensed DPTSP must disclose to every customer:–

(a)   that the customer’s assets will be held on behalf of the customer in a custody account with a safeguarding institution;

(b)   whether or not the customer’s assets are commingled with the assets of other customers and, if so, the risks of such commingling;

(c)   the consequences for the customer in respect of the customer’s assets if the safeguarding institution becomes insolvent;

(d)   where the DPTSP maintains the custody account itself, the terms and conditions that would apply to its safeguarding of the customer’s assets (including DPTs); and

(e)   where the DPTSP maintains the custody account with a safeguarding institution, the terms and conditions agreed with the safeguarding institution that would apply to the safeguarding institution’s safeguarding of the customer’s assets (including DPTs).

B.    Book-keeping and Reconciliation Obligations

Regulation 16C(3)(i) provides that the licensed DPTSP must record and maintain a separate book entry for each customer in relation to the customer’s assets, with the details set out in Regulation 16C(6) which include, recording the description and quantity of assets in each transaction; the price and fee arising from the transaction; and the name of the customer on whose behalf the transaction is entered into.

Regulation 16C(11) also provides that the licensed DPTSP must conduct daily reconciliation of customers’ assets, including computing the total amount of assets deposited in the customers’ custody accounts.

IV.           Adequate Systems in Place

Regulation 16C(3)(j) states that the licensed DPTSP must, in a manner that is commensurate with the nature, scale and complexity of its business, maintain adequate systems, processes, controls, human resources, and governance arrangements to:–

(a)   ensure the integrity and security of the transmission and storage of customers’ assets; and

(b)   reduce the risk of any loss of customers’ assets belonging to its customers due to fraud or negligence.

Regulation 16C(3)(l) further provides that the licensed DPTSP must ensure effective controls and segregation of duties to mitigate potential conflicts of interest that may arise from the safeguarding of customers’ assets.

V.            Segregation and Custody Requirements for Exempt DPTSPs

Exempt DPTSPs are DPTSPs that do not require a licence to carry out payment services such as banks licensed under the Banking Act 1970, a merchant bank approved as a financial institution under the MAS Act 1970 or a finance company licensed under the Finance Companies Act 1967. MAS proposes to enact a new Regulation 16D which sets out customer assets segregation and custody requirements for exempt DPTSPs. Regulation 16D is expected to be similar to Regulation 16C and accordingly, exempt DPTSPs will be regulated with the same vigour.

VI.           Market Integrity

MAS also published a consultation paper on market integrity to mitigate unfair trading practices, concomitant with the proposed amendments to the PSR.

A.    Fairly, Orderly and Timely Handling and Execution of Customers’ Orders

To ensure a fair, orderly and timely execution of customers’ orders, MAS has proposed that DPTSPs should maintain the following policies and procedures:–

(a)   The policies and procedures should include the factors which the DPTSP takes into account (such as price, costs, speed, likelihood of execution and settlement, size and nature of the order) and the considerations for determining the relative importance of the various factors (such as the type of customer and the characteristics of the customer’s order), when handling and executing a customer’s orders.

(b)   DPTSPs should not receive any commission or other form of payment from other persons for routing customers’ orders to them.

(c)   When comparable orders are received from different customers, DPTSPs should handle and execute the orders in accordance with the time of receipt.

Additionally, DPTSPs should have procedures to correct or cancel error trades, taking into consideration the nature of transaction execution (e.g., on-chain or off-chain) and the processes required to correct or cancel those transactions. Electronic systems for entering customers’ orders should have pre-trade risk controls to mitigate the occurrence and severity of operational errors (e.g., “fat finger” errors).

The policies and procedures above should also be disclosed to customers for transparency.

B.    Prevention and Detection of Unfair Trading Practices

DPTSPs should conduct surveillance on transactions for signs of unusual or suspicious activities, on a real-time basis. Automated surveillance systems should be used. When there is an unfair trading practice detected, DPTSPs should take an appropriate action like suspending the relevant trade. DPTSPs should also maintain proper records with adequate details of all on-chain and off-chain orders for a period of five (5) years.

C.    Prohibition of Unfair Trading Practices

MAS also intends to introduce statutory provisions to prohibit unfair trading practices for DPTs that are similar to those stipulated in the SFA including, amongst others, prohibitions against false trading, market rigging, market manipulation and insider trading.

D.    Lending or Staking

Lending refers to the process where the DPTSP lends the crypto tokens that it manages on exchanges to other crypto companies to earn interest. Staking refers to the process of locking up the customers’ digital tokens for a period to validate transactions on the blockchain in order for customers to get more tokens as a reward.

MAS has stated that it would restrict DPTSPs from facilitating lending or staking of their retail customers’ tokens, as these activities are not suitable for the retail investor. DPTSPs can however provide such activities for institutional and accredited investors as they are more sophisticated with more investing experience.

E.    Cold Wallet

Cold wallets, which are not connected to the Internet, are less vulnerable to online hacking and internal fraud attempts. In the October 2022 Consultation Paper, it was proposed that customers’ DPTs could be stored in cold wallets to mitigate the risk of loss of customers’ assets due to security breaches or external theft. In MAS’ Response to the October 2022 Consultation Paper, MAS opined that DPTSPs keep at least 90% of their customers’ DPTs in cold wallets. This would strike a balance between safeguarding the DPTs by preventing fraud via cold wallets and having operational efficiency where if the DPTs were stored in a hot wallet, there would be faster access speed.

VII.          Conclusion

It appears that MAS is seeking to ensure the safety of Singapore’s crypto space for all investors, including retail, corporate, and institutional players, through the proposed robust safeguarding measures. These measures seek to prevent a repeat of high-profile failures witnessed in the 2022 crypto industry – such as the recent Gemini lawsuit against Digital Currency Group (“DCG”). The lawsuit alleged a breach of agreement where DCG diverted millions of dollars’ worth of cryptocurrencies intended for an independent custodian, exposing the risks associated with inadequate safeguards. The implementation of these proposed measures by MAS will surely stabilise the crypto market in Singapore and inspire increased demand from investors who will now trust that their assets are protected. With quick regulatory responses aimed at allaying the fears of investors, Singapore’s crypto landscape is poised for a more secure and promising future.

For More Information

If you have any questions about this article, please contact Leon Yee, Chairman of Duane Morris & Selvam  if you would like to discuss this update.

About Duane Morris & Selvam LLP

Duane Morris & Selvam LLP (DMS) is a joint law venture between international firm Duane Morris LLP (DM) and Singapore-based firm Selvam LLC. DMS runs a unique Latin American-Asian practice out of Singapore, with a team of international lawyers qualified in multiple jurisdictions including Singapore, the US, the UK, Canada, Mexico and Colombia, with substantial experience in international transactions and disputes. DMS also has a wide cooperation network with some of the best Latin American and Asian law firms.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm’s full disclaimer.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress