MAS Releases New Investor Protection Measures for Digital Payment Token Service Providers

On July 3, 2023, the Monetary Authority of Singapore (MAS) announced new investor protection measures for Digital Payment Token (DPT) service providers. The measures  intend to address two primary risks: 

• Protection from misuse or loss of customer assets. 
• Provisions to allow asset recovery should a DPT provider become insolvent.

Call for Feedback: Customer Protection Amendments

The current Payment Services Regulations draft amendments are open for public consultation until August 3, 2023. The measures follow a previous 2022 public consultancy in which participants supported vital steps to protect customers, requiring firms to: 

• Separate customer assets from firm assets and hold them in trust. 
• Protect customer funds.
• Reconcile customer assets daily and ensure adequate documentation.
• Ensure operational controls and access are maintained for customers’ Singapore-based DPTs.
• Operationally segregate the custody function from other teams.
• Clearly disclose risks to customers regarding having the DPT service provider hold their assets.

In response to the 2022 consultancy feedback, MAS highlighted the importance of strictly segregating customer assets on a different blockchain address. The authority rejected the proposal to allow the commingling of assets with customer consent, citing recent virtual asset vulnerabilities as creating too significant a risk.

Facilitation of Staking for Retail Customers Prohibited

In one of the more debated measures, MAS stated that DPT service providers would not be permitted to facilitate crypto staking for their retail clientele. The rationale for this prohibition is tied to a higher risk of asset loss to customers who have staked their digital currency. 

As an alternative to proof-of-work validation models, proof-of-stake models generate new crypto coins through a process requiring customers to stake their assets for a set time in hopes of being selected for a reward. Because the method requires customers to tie up assets for days, it is subject to volatility and exposes customers to potential loss of value. 

However, supporters of the practice point out the work that has gone into making the practice secure, alongside its speed and eco-friendliness, compared to much-discussed proof-of-work models. MAS stated it will “monitor market developments and consumer risk awareness as these evolve, and will take steps to ensure that our measures remain balanced and appropriate.”

Controls and Governance Requirements

In the same response to the earlier consultation, MAS emphasized that it would proceed with requirements for DPT service providers to “maintain adequate systems, processes, controls, human resources, and governance arrangements to ensure the integrity and security of customers’ assets.” The regulator highlighted that this includes segregation of duties, “operational controls” protecting customers’ cryptographic keys, and following risk management best practices outlined in its 2021 Guidelines on Risk Management Practices – Technology Risk.

It also called for the implementation of technological resources for sound risk management, stating:

MAS strongly encourages DPTSPs to take proactive steps to adopt technological solutions that enable the development of local custody solutions and strong risk management expertise, including putting in place appropriate and practical arrangements to keep such devices locally, that will strengthen the risk management controls of their business in Singapore.

Source: Monetary Authority of Singapore

Firms should study the consultation and remain on the lookout for upcoming related guidance, which the MAS will publish to support compliance.