Crypto asset segregation and custody regulations to go live in October

The MAS has issued response to its October 2022 consultation paper on Proposed Regulatory Measures for Digital Payment Token Services. The response (Part 1) focuses on the requirements for segregation and custody of customers’ assets. These requirements will be formalised through Guidelines and legislative amendments to the Payment Services Regulations which is also being publicly consulted. Notably, requirements for handling customers’ moneys and assets will be consistent with the existing requirements imposed on capital markets services licensees under the Securities and Futures Act. Further, the MAS requires 90% of customers’ Digital Payment Tokens need to be kept in cold wallets. The regulator also prohibits lending and staking of retail customers Digital Payment Tokens.

The paper titled ‘Response to Public Consultation on Proposed Regulatory Measures for DPT Services Part 1’, is the response to the consultation paper issued in October 2022 titled ‘Proposed Regulatory Measures for Digital Payment Token Services’. This is the Part 1 of a two-part response (the second part will be issued at a future date). It focuses on the feedback received on the MAS’ proposed requirements for the segregation and custody of customers’ assets by licensed and exempt payment service providers that carry on the business of providing a Digital Payment Token (DPT) service under the Payment Services Act (collectively known as “DPT service providers” or DPTSPs).

Concurrently, the consultation paper titled ‘Proposed Amendments to the Payment Services Regulations’, aims to formalise these requirements by October 2023. DPTSPs should also prepare to comply with these amendments by October 2023, since the policy positions on segregation and custody requirements have been finalised. The MAS will also publish Guidelines setting out its further expectations on the segregation and custody requirements, on or around the date of publication of the finalised amendments to the Payment Services Regulations.

Measures relating to segregation and custody of customers’ assets

DPTSPs will be required to comply with the following measures:

  • Segregation of customers’ assets: DPTSPs will need to hold customers’ assets on trust and segregate them from its own assets. However, DPTSPs can deposit customer’s assets together with assets of its other customers.
    Safeguarding of customers’ moneys: DPTSPs will need to safeguard customers’ moneys with financial institutions in Singapore, as per existing requirements that apply to traditional payment services firms.
  • Daily reconciliation of customers’ assets: DPTSPs will need to perform daily entity-level reconciliation of customers’ assets, including moneys. DPTSPs will also need to keep transaction records, and maintain separate books and records for each customer with details of the customer’s assets at all times. Such details include amount and description of the customer’s assets deposited with the DPTSP, the movement of assets to and from the customer’s custody account, and the names of the safeguarding institutions with whom the customer’s assets are deposited or held.
  • Statement of account: DPTSPs are required to provide monthly statements of account to customers. DPTSPs will be exempted if there is no change to any particulars since the date on which the last statement of account was made, or the customer has requested in writing not to receive the statement of account on a monthly basis from the DPTSP.
  • Risk management controls for customers’ assets:
    • DPTSPs are to maintain adequate systems, processes, controls, human resources, and governance arrangements to ensure the integrity and security of customers’ assets and mitigate the risk of any loss of customers’ assets.
    • DPTSPs to put in place measures to ensure that the movement of customers’ assets is controlled by Senior Managers and personnel who reside in Singapore. These senior managers and personnel should be authorised to facilitate the return of customers’ assets where required by the MAS or in court proceedings.
    • DPTSPs to take proactive steps to adopt technological solutions that enable the development of local custody solutions.
    • DPTSPs to assess and disclose to customers their custody arrangements as to the location of devices, and whether such arrangements affect the ability of the DPTSP and its customers to recover customers’ assets.
    • DPTSPs to keep at least 90% of customers’ DPTs in cold wallets, while allowing up to 10% to be kept in other wallets (e.g. hot wallets).
    • DPTSPs to disclose to customers their policies on storage arrangements for customers’ assets.
    • DPTSPs are also expected to adopt good risk management practices, including best practices stipulated under the MAS’ Technology Risk Management Guidelines.
  • Internal Audit: With the introduction of these segregation and custody requirements, audits will also include an assessment on DPTSPs’ compliance with these requirements.
  • Requiring an independent custodian:
    • The MAS will not be mandating the use of independent custodians, but will require DPTSPs to maintain a separate custody function that is operationally independent from other business units. This means that DPTSPs are required to adopt good risk management practices, including relevant best practices stipulated under the MAS’ Risk Management Practices for Internal Controls.
    • The regulator expects DPTSPs to continually review, identify, assess and implement appropriate arrangements that could further strengthen the overall governance and controls for safeguarding customers’ assets, which may include appointing an independent custodian.
  • Disclosures to customers: DPTSP are required to disclose in writing to its customers:
    • the terms and conditions, including the arrangements for receiving instructions from the customers and providing information to the customers, and applicable fees and costs;
    • that the customers’ assets are segregated from the DPTSP’s own assets, and held for the benefit of the customers;
    • whether the customers’ assets will be commingled with the assets of other customers and, if so, the risks of such commingling; and
    • the consequences for the customers’ assets if the DPTSP becomes insolvent, and the arrangements by the DPTSP to protect customers’ assets.

Measures relating to the lending and staking of retail customers’ assets

The MAS will restrict DPTSPs from facilitating the lending and staking of retail customers’ assets at the moment. There is no restriction for non-retail customers. However, DPTSPs will need to provide a clear risk disclosure document and obtain the non-retail customer’s explicit consent.

How we can help

We regularly help payment services firms including those who offer DPTs with their MAS licence applications. We also provide regulatory and compliance support, including internal audit services.

If you are keen to expand your business footprint in Singapore, particularly in the digital assets space, we will be happy to take you through the MAS’ regulatory landscape.