On 23 November 2023, the Monetary Authority of Singapore (MAS) released proposed measures relating to consumer access, business conduct and technology and cyber risk management that digital payment token (DPT) service providers (DPTSPs) must implement. MAS’s response is a follow-up to the initial proposed protection measures for customers of DPT services (see our article on those protection measures).

Consumer Access Measures for Retail Customers

A DPTSP must:

• assess retail customers’ knowledge and risks of DPT services and, if those are found lacking, educate and re-assess them before providing services to them;
• implement internal policies and processes to ensure that customer assessments are fair, robust and up-to-date;
• not offer monetary or other incentives to retail customers to engage in DPT activities, including through “learn and earn” programmes where customers get DPT rewards for participating in educational sessions; and
• not provide credit facilities to, or enter into any leveraged DPT transactions with, retail customers and not accept Singapore-issued credit card or charge card payments from them.

For this purpose, “retail customers” refer to all customers, in Singapore or overseas, who are not accredited investors (AIs) [Note 1] or institutional investors (IIs)(as those terms are defined in the Securities and Futures Act 2001). All customers (other than IIs) will be classified as retail customers by default, unless they choose (i.e., “opt-in”) to be an AI.  This ensures that every customer is fully aware of their status when they invest in DPTs. In determining AI status, DPT values will be considered but subject to a minimum haircut of 50% or S$200,000, whichever is lower.  This is to prevent investors from using too much DPT value to count towards the AI threshold amount, given the volatility of DPTs. However, MAS-regulated stable coins will be treated as fiat.

Business Conduct Measures

Conflicts of Interest

A DPTSP must:

• develop and implement robust policies and processes to identify and address conflicts of interest;
• disclose to its customers the nature and sources of, and its measures and controls to mitigate, conflicts of interest, including where it lists own or a related entity’s token;
• not trade on its own market, except for purposes of matched principal trading;
• have separate legal entities and clearly disclose when it acts as a broker and runs a trading platform;
• have separate reporting lines and effective Chinese walls, and clearly disclose, when it acts as a broker and transacts on its own account;
• regularly assess the effectiveness of its mitigation measures to address conflicts of interest; and
• closely monitor its employees ’trading activities, including their access to material non-public information.

DPT Listing and Governance Policies

A DPTSP must publicly disclose its listing and governance policies for tokens traded on its trading platform and ensure that customers have sufficient and clear information about how those policies are applied. A DPTSP’s senior management is responsible for listing-related decisions.

Complaints Handling and Dispute Resolution

A DPTSP must implement complaints handling policies and procedures, to manage complaints fairly and timely, and independently of the business team. A DPTSP should also resolve disputes with retail customers through a principal mode of dispute resolution in Singapore, such as mediation, arbitration and litigation in Singapore.

Technology and Cyber Risks Management

A DPTSP must:

• implement a framework to identify critical systems – i.e., systems whose failure significantly disrupt the DPTSP’s operations or materially impact its customers;
• ensure that it has an effective strategy to achieve a 4-hour recovery time objective for its critical systems (excluding any underlying public blockchain); and
• apart from complying with any data breach notification requirement under the Personal Data Protection Act 2012, notify MAS  within 1 hour of any system malfunction or IT security incident which has a severe and widespread impact on the DPTSP’s operations or materially affects its services to customers.

Implementation and Transition

The consumer access and business conduct measures will be detailed in guidelines scheduled for release in mid-2024, alongside an updated MAS Notice PSN05 on Technology Risk Management addressing the technology risk management requirements to be issued in early 2024.  Both the guidelines and the updated MAS Notice will have a 9-month transition period to give DPTSPs time to work toward compliance.

Conclusion

DPTSPs should review their existing internal policies and procedures and develop appropriate and robust systems and controls to ensure compliance with the proposed requirements.

For More Information

OrionW regularly advises clients on FinTech matters.  For more information about the regulation of DPT services in Singapore, or if you have questions about this article, please contact us at fintech@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
‍

[1] An AI includes (a) an individual with more thanS$2 million in net personal assets, more than S$1 million in net financial assets or at least S$300,000 in income over the preceding 12 months and (b) a corporation with more than S$10 million in net assets.