The Monetary Authority of Singapore (MAS) has announced revisions to the Payment Services Act (PS Act) and related regulations, marking a significant expansion in the regulation of payment services within the country.
The amendments, which are set to be implemented in phases starting from 4 April 2024, aim to encompass a broader range of payment services under MAS oversight and introduce new user protection and financial stability requirements for providers of digital payment tokens (DPTs).
Under the revised PS Act, regulation now extends to custodial services for DPTs, facilitation of DPT transactions between accounts, facilitation of DPT exchanges, and facilitation of cross-border money transfers, regardless of whether the transactions involve physical possession of money or DPTs within Singapore.
The amendments empower MAS to enforce regulations addressing anti-money laundering, countering the financing of terrorism, user protection, and ensuring financial stability in the rapidly growing digital payment sector.
Here are four key takeaways from the guidelines:
1. Distinction between retail and accredited investors
Customers are classified as retail by default unless they actively opt in to being treated as accredited investors by satisfying specific financial thresholds.
To qualify as an accredited investor, an individual must demonstrate considerable financial robustness, evidenced by owning more than S$2 million in net personal assets—with the valuation of a primary residence capped at S$1 million—or possessing over S$1 million in net financial assets, or earning an annual income exceeding S$300,000.
DPT service providers must employ a prudent valuation methodology: apply at least a 50% haircut to the market value of the digital payment tokens, and cap the valuation of these holdings at the lesser of the post-haircut value or S$200,000.
Furthermore, MAS’s guidelines permit DPT service providers the discretion to implement a valuation cap lower than S$200,000, offering them the flexibility to adopt even more conservative measures in determining an individual’s status as an accredited investor.
2. Segregation of customers’ assets
DPT service providers are given the flexibility to either maintain custody of customers’ assets themselves or to entrust another party with this responsibility.
This arrangement is designed to effectively segregate customers’ assets from those of the service provider, thereby enhancing controls against potential conflicts of interest and ensuring the integrity of customers’ assets.
MAS does not specifically require that the trust account for safeguarding customers’ assets be maintained with an external party. However, DPT service providers may opt for such an arrangement as a strategic measure to segregate customers’ assets from their own.
It’s critical that DPT service providers periodically review their safeguarding arrangements. This includes assessing the independence of the safeguarding person, if one is used, to ensure that the arrangement continues to serve the best interest of protecting customers’ assets.
Regardless of whether the trust account is self-maintained or held by another party, DPT service providers must adhere to the same regulatory expectations and guidelines.
For example, DPT service providers are expected to utilise distinct blockchain addresses for storing customers’ assets separately from their own assets.
3. Operational and Risk Management Controls
Digital payment token service providers must implement comprehensive risk management systems and controls, under the guidance of senior managers possessing the necessary expertise and experience.
The control systems must, at a minimum, prevent any individual from unilaterally authorising or executing the movement, transfer, or withdrawal of customers’ assets.
Additionally, they must regulate the movement or transfer of these assets across the provider’s storage systems and devices and prevent unauthorised access or loss of digital payment token instruments related to the customers’ assets.
Service providers must establish controls for the secure storage and transmission of customers’ assets. For instance, if the digital payment token instruments granting access to customers’ assets are stored on a physical device, such as a computing device, access to this device must be strictly controlled.
In scenarios where multi-party computation is utilised for asset storage and transmission, key shares must be distributed among several parties to ensure that no single party can authorise asset movements independently.
Service providers are obliged to disclose their policy on storage arrangements for customers’ assets, including the conditions under which assets are stored outside of cold wallets, the considerations for such decisions, and the measures implemented to mitigate the risk of asset loss due to cyber attacks.
4. Additional Considerations for Retail Customers’ Assets
DPT service providers are prohibited from enticing or carrying out transactions on behalf of a retail customer that would allow the customer to mortgage, charge, pledge, or hypothecate any of their assets.
Moreover, these guidelines forbid the lending or arrangement to lend any assets belonging to the retail customer, as well as any staking or arrangements to stake such assets.
Before executing any transaction that could involve the assets of a customer who is not classified as retail, digital payment token service providers must provide clear, written disclosures outlining the risks associated with the transaction.
Moving forward: What DPT service providers need to know
In light of these changes, entities currently operating under the expanded scope of the PS Act are required to inform MAS within 30 days and submit a license application within six months from the commencement date.
These applications must include an attestation report on business activities and compliance with anti-money laundering and counter-terrorism financing, verified by a qualified external auditor, to be submitted within nine months.
Entities failing to meet these new requirements will need to discontinue their activities once the amendments are enforced.
Additionally, the revised Payment Services Regulations pertaining to the safeguarding of customer assets by DPT service providers will become effective six months following the implementation date.
These regulations mandate the segregation of customer assets into trust accounts, maintaining accurate records, and implementing robust systems and controls to secure the integrity and safety of customer assets.
The MAS has also released guidelines and documentation to assist entities in navigating the changes and ensuring compliance with the new regulatory framework.