Singapore to Impose New Custody Rules on Crypto Service Providers

July 31, 2023

摘要

The Monetary Authority of Singapore (MAS) is set to impose new rules on digital payment token service providers (DPTSP) in Singapore aimed at safeguarding customer assets and money. MAS will also prohibit DPTSPs from facilitating the lending and staking of digital payment tokens by retail customers. The new measures are expected to come into effect by October 2023.

In October 2022, MAS issued a consultation paper proposing to impose a comprehensive set of regulatory measures on digital payment token (DPT) service providers in Singapore to reduce the risk of consumer harm in light of the fact that consumers in Singapore are increasingly trading in cryptocurrencies despite consistent warnings issued by MAS regarding the hazards of cryptocurrency speculation. The consultation period closed in December 2022.

On July 3, 2023, MAS issued the first tranche of its response to feedback received on the consultation paper (Response), focusing on the requirements for segregation and custody of customers’ assets and money. MAS indicated in the Response that it will be introducing new investor protection requirements on DPT service providers in Singapore as further explained below.

New Measures

Safeguarding of Customer Assets

MAS will proceed to introduce new requirements on DPT service providers regarding segregation and custody of customers’ assets. Under the new measures, DPT service providers will be required to deposit assets (including DPTs) received from, or on account of, a customer in a custody account held on trust for the customer and maintained with a safeguarding institution. Individual customer assets may be commingled in the same custody account, but this must be kept separate from the DPT service provider’s own assets (e.g., keeping customer assets on a separate set of blockchain addresses).

A DPT service provider may choose to either maintain the custody account itself (via a separate custody function that is operationally independent from other business units) or with a safeguarding institution, but in either case the DPT service provider is expected to put in place risk control measures or ensure that the safeguarding institution puts in place such measures to ensure the integrity and security of the transmission and storage of customer assets and reduce the risk of any loss of customer assets due to fraud or negligence.

Safeguarding of Customer Money

The existing rules on safeguarding of customer moneys as set out in the Payment Services Regulations 2019 (PSR) will be extended to DPT service providers. This means that DPT service providers will be required to safeguard all moneys received from, or on account of, a customer by obtaining an undertaking from a Singapore safeguarding institution to be fully liable for the customer money, obtaining a guarantee from a Singapore safeguarding institution for the amount of customer money, or depositing customer money into a trust account maintained with a Singapore safeguarding institution.

Prohibition on Lending and Staking of Retail Customers’ Assets

Following the recent collapses of crypto asset lending and staking programmes involving retail customers globally, MAS has decided to prohibit DPT service providers from facilitating the lending and staking of a retail customer’s assets (including DPTs). MAS has observed that there can be significant consumer harm that results from staking and lending activities, and risk disclosures are insufficient to mitigate the potential consumer harm.

The prohibition will relate to a DPT service provider’s facilitation of lending and staking activities involving retail customers’ assets. Retail customers will not be prohibited from lending or staking their own assets outside of the DPT service provider’s platform, but they will be doing so at their own risk.

There will be no restrictions imposed on DPT service providers enabling or facilitating the lending and staking of assets belonging to non-retail customers, but clear risk disclosures must be provided and the customer’s explicit consent must be obtained for undertaking such activities.

Further details on the new measures to be imposed is set out in the Annex.

Implementation Approach

The new measures will be formalized through guidelines and legislative amendments to the PSR.

MAS issued a further consultation paper on the proposed legislative amendments to the PSR on July 3, 2023.

MAS expects to publish guidelines setting out its further expectations on the segregation and custody requirements on or around the date of publication of the finalized amendments to the PSR.

Implementation Timing

Interested parties are invited to provide their feedback to the proposed amendments to the PSR by August 3, 2023.

The new requirements are expected to come into effect by October 2023.

Given that MAS has published its policy position on the new custody requirements, MAS will expect DPT service providers to comply with the policy positions by October 2023.

Annex

The table below sets out a summary of the forthcoming investor protection measures to be imposed on licensed and exempt DPT service providers (DPTSPs) in Singapore.

Subject	Summary of New Measures
Segregation of Customers’ Assets	A DPTSP must deposit assets (including DPTs) received from, or on account of, a customer in a custody account held on trust for the customer and maintained with a safeguarding institution(or itself). Individual customer assets may be commingled in the same custody account, but this must be kept separate from the DPTSP’s own assets. Assets in the custody account may not be used to pay the debts of a DPTSP. A DPTSP must apply a customer’s assets solely for the purposes agreed to by the customer. A DPTSP may not transfer any right or interest in the customer assets except where the transfer is in accordance with the customer’s written instructions obtained prior to each transfer, or is authorised by law.
Custody Account Requirements	A DPTSP may choose to either maintain the custody account itself or with a safeguarding institution. Where the custody account is maintained with a safeguarding institution, the following requirements should be met: The DPTSP must assess and be satisfied of the suitability of the safeguarding institution before opening the custody account and on an annual basis thereafter, and keep records of the grounds on which the DPTSP was satisfied. The DPTSP should provide written notice to the safeguarding institution and obtain an acknowledgement that (i) all assets deposited in the custody account are held by the DPTSP on trust for its customers, (ii) the account is designated as a trust or customer’s account, and (iii) the safeguarding institution may not claim any lien over any assets in the custody account except in certain circumstances. The DPTSP must assess and ensure that the safeguarding institution maintains adequate risk management controls to ensure the integrity and security of the transmission and storage of customer assets, and reduce the risk of loss of assets due to fraud or negligence. Where the custody account is maintained by the DTPSP itself, the DPTSP must ensure effective controls and segregation of duties to mitigate potential conflicts of interests.
Customer disclosures	A DPTSP must disclose to its customers the safeguarding arrangement adopted by the DPTSP, including whether the assets will be commingled with other customer assets, the consequences if the safeguarding institution becomes insolvent, and the terms and conditions that would apply to the safeguarding of the customer assets.
Safeguarding of Customers’ Money	The existing rules on safeguarding of customers’ money as set out in the PSR will be extended to DPTSPs. This means that going forward, DPTSPs will be required to safeguard all moneys received from, or on account of, a customer by: obtaining an undertaking from a Singapore safeguarding institution to be fully liable for the customer money; obtaining a guarantee from a Singapore safeguarding institution for the amount of customer money; or depositing customer money into a trust account maintained with a Singapore safeguarding institution.
Daily Reconciliation and Record Keeping	A DPTSP must reconcile on a daily basis the total amount of assets deposited in its customers’ custody accounts, and the total amount of customer assets required to be deposited in custody accounts. A daily reconciliation requirement will likewise be imposed in respect of customer money. A separate book entry must be recorded and maintained for each customer in relation to the customer’s assets, containing the particulars prescribed in the PSR.
Risk Management Controls	A DPTSP must, in a manner that is commensurate with its business, maintain adequate systems, processes, controls, human resources and governance arrangements, to: ensure the integrity and security of the transmission and storage of customer assets (including DPTs); and reduce the risk of any loss of customer assets due to fraud or negligence. Movement of customer assets should be controlled by senior managers and personnel who are resident in Singapore. MAS expects DPTSP to keep at least 90% of its customers’ DPTs in cold wallets, while the remaining 10% may be kept in other wallets (e.g. hot wallets). MAS will not, at this time, require a DPTSP to ensure that devices storing means of access to a customer’s DPT is located in Singapore. However, DPTSPs are strongly encouraged to adopt technological solutions that enable the development of local custody solutions and strong risk management expertise.
Statement of Account	A DPTSP must provide monthly statements of account to customers unless the DPTSP already provides account information on a real-time basis, there is no change to any particulars since the date of the last statement of account, or the customer has requested in writing not to receive the statements on a monthly basis.
Facilitating the Lending and Staking of Retail Customer Assets	A DPTSP may not facilitate the lending and staking of a retail customer’s assets (including DPTs). Retail customers will not be prohibited from lending or staking their own assets outside of the DPTSP’s platform, but they will be doing so at their own risks. A DTPSP will not be restricted from enabling or facilitating the lending and staking of assets belonging to non-retail customers, but clear risk disclosures must be provided and the customer’s explicit consent must be obtained for such activities.

For further details on the new measures to be imposed, please refer to the Response and the Consultation Paper on Proposed Amendments to the Payment Services Regulations dated 3 July 2023.

Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

联系方式

刘聪燕
Josephine Law

资深顾问律师

jlaw@sidley.com +65 6230 3916

新加坡
蔡汝诗
Reina Chua

资深主办律师

reina.chua@sidley.com +65 6230 3904

新加坡