On 4 October 2024, the Monetary Authority of Singapore ("MAS") has published a consultation paper detailing the regulatory framework for Digital Token Service Providers ("DTSPs") under the Financial Services and Markets Act 2022 ("FSM Act"). This framework addresses the licensing, anti-money laundering, countering the financing of terrorism ("AML/CFT") requirements, and technological risk management for DTSPs, particularly those based in Singapore but offering services abroad.1 To effect the objectives of Part 9 of the FSM Act, the MAS intends to prescribe or issue the following instruments: (a) the Financial Services and Markets Regulations ("FSM Regulations"); (b) AML/CFT notices under the FSMA; (c) other notices under the FSMA; and (d) guidelines.
The proposed regulatory framework is meant to complement Singapore's existing crypto regulations under the Payment Services Act 2019 ("PS Act"). While both DTSPs and providers of digital payment token ("DPT") services are regulated, they operate under distinct frameworks. The DTSP framework also supplements regulations under the Securities and Futures Act 2001 ("SFA") and the Financial Advisers Act 2001 ("FAA"). Importantly, service providers already licensed under the PS Act, SFA, or FAA do not need an additional DTSP license for the same activities under the FSM Act.
The key aspects of the consultation paper are set out below.
1. Regulatory Approach for DTSPs
The FSM Act, passed in April 2022, provides the legislative framework for regulating individuals, partnerships, and corporations that provide digital token services ("DT services") outside Singapore but operate from within Singapore. Part 9 of the FSM Act focuses on preventing regulatory arbitrage and minimising risks of DTSPs being used for illicit activities, such as money laundering or terrorism financing ("ML/TF").
MAS's approach aligns with Financial Action Task Force ("FATF") standards, emphasising the risks associated with cross-border, internet-based token services. To mitigate these risks, MAS proposes a prudent and cautious approach to licensing, only granting a DTSP licence under limited circumstances. Applications will be reviewed on a case-by-case basis, with key considerations being economic justification, business model, and compliance with international standards.
In considering whether to grant a DTSP licence, the MAS will take into account whether the applicant meets the criteria set out below:
- The applicant must demonstrate an economically viable business model and provide valid reasons for not carrying on a business of providing DT services in Singapore, despite operating in or being formed or incorporated in Singapore;
- The applicant does not operate in a manner that is of concern to the MAS and is already regulated and supervised for its compliance with relevant internationally agreed standards;
- The MAS must not have concerns regarding the applicant's business structure or its ability to meet regulatory obligations; and
- Any other criteria that may be relevant, as determined by the MAS.
MAS may impose additional licensing conditions if deemed necessary. Licensees will also be required to notify MAS of any significant changes to their operations or business models that may affect compliance.
The MAS does not plan to offer transitional arrangements for DTSPs. Once the DTSP regulatory framework is implemented, existing businesses operating or incorporated in Singapore that provide DT services outside of Singapore must either obtain a license from MAS or cease operations. Without a license or exemption, these entities will not be permitted to continue their activities.
2. Licensing and Ongoing Requirements
To ensure adequate supervision over DTSPs, MAS expects DTSPs to meet several key licensing criteria as follows:
- If the applicant is a corporation, it must appoint at least one executive director who is resident in Singapore. If the applicant is a partnership or limited liability partnership, it must respectively appoint at least one partner, or partner or manager, who is resident in Singapore;
- The applicant must satisfy MAS that it is "fit and proper", in accordance with the Guidelines on Fit and Proper Criteria;
- The applicant must have a permanent place of business in Singapore;
- The applicant should perform a penetration test of its proposed DT services, remediate all high-risk findings identified, and conduct independent validation on the effectiveness of the remediation actions;
- The applicant should have adequate compliance arrangements commensurate with the scale, nature, and complexity of their operations; and
- The applicant should have in place adequate independent audit arrangements and be able to meet statutory annual audit requirements.
Further, the proposed requirements for licensees under the FSM Regulations are as follows:
- Control of provision of DT services – MAS proposes that a DTSP license will be granted on a perpetual basis, and license fees will be payable on an annual basis. If a licensee ceases to provide all authorised DT services and does not resume any of these services for six (6) consecutive months, such DTSP's licence will lapse;
- Financial Requirements – the proposed minimum initial and
ongoing financial requirements applicable to DTSPs are:
- a base capital of $250,000 for corporate DTSPs;
- a total capital contribution of $250,000 for DTSPs that are partnerships or limited liability partnerships; and
- iii. a $250,000 cash deposit for individual DTSPs
The components of base capital take into account losses such as interim losses or dividend pay-outs.
- Business Conduct – the FSM Regulations outline the duties of CEOs, directors, and partners of the licensed DPT service providers, as well as audit requirements.
3. AML/CFT Requirements
The consultation paper emphasises comprehensive AML/CFT requirements for DTSPs. Licensees will need to:
- Take appropriate steps to identify, assess and understand their ML/TF risks;
- Develop and implement policies, procedures, and controls (including those in relation to the conduct of customer due diligence ("CDD"), transaction monitoring, screening, suspicious transactions reporting and record keeping);
- Monitor the implementation of those policies, procedures, and controls, and enhancing them if necessary; and
- Perform enhanced measures if higher ML/TF risks are identified, to effectively manage and mitigate those higher risks.
MAS proposes to allow limited reliance on third-party customer due diligence, but only if those third parties are subject to FATF-compliant AML/CFT regulations. Licensees will be precluded from relying on certain third parties, such as payment services providers under the PS Act or financial institutions holding an equivalent licence and supervised by a foreign authority for compliance with AML/CFT requirements due to the uneven level of AML/CFT controls across the sector.
Additionally, MAS proposes specific rules around the handling of bearer negotiable instruments and cash payouts. Licensees will be prohibited from issuing bearer negotiable instruments and restricted from making cash payouts exceeding SGD 20,000, to reduce anonymity and ML/TF risks.
4. Technology Risk Management and Cyber Hygiene
Given the complex IT environments in which DTSPs operate, MAS outlines rigorous standards for technology risk management and cyber hygiene. MAS proposes that DTSPs must:
- Comply with periodic regulatory submission of information
related to the licensees' DT services on a monthly basis (such
as, account statistics, transaction value, volume, value of DTs
held for safeguarding or administration and other information
required by MAS);
under FSM-N30: - Establish frameworks and processes to identify critical systems;
- Ensure that the maximum unscheduled downtime for each critical system does not exceed 4 hours within any period of 12 months;
- Establish a recovery time objective of not more than 4 hours for each critical system;
- Notify the MAS within the hour upon discovery of a system malfunction or IT security incident that has a severe and widespread impact on the licensees' operations or materially impacts the licensees' service to its customers, and submit a root cause and impact analysis report to the MAS within 14 days;
- Implement IT controls to protect customer information from
unauthorised access or disclosure;
under FSM-N31: - Secure administrative accounts against any unauthorised access or use;
- Establish security standards;
- Implement security patches in a timely manner;
- Put in place network perimeter defence and malware protection; and
- Implement multi-factor authentication for administrative accounts of critical systems and all system accounts used to access customer information through the internet.
5. Conduct, Disclosures, and Communications
Under the FSM Act, DTSPs must comply with conduct and disclosure requirements to ensure that customers understand the risks associated with using their services. MAS proposes a mandatory risk warning statement that DTSPs must provide to customers, along with a requirement that DTSPs accurately represent their regulatory status under the FSM Act.
Licensees must also ensure that they have a Singapore-based representative available to respond to customer complaints or AML/CFT queries at least 10 days per month, for at least eight (8) hours per day during business hours.
6. Guidelines and Transitional Arrangements
MAS intends to amend existing guidelines, such as the Guidelines on Fit and Proper Criteria and those on risk management practices and business continuity. These amendments will apply to DTSPs once the DTSP provisions under the FSM Act come into force.
Conclusion
MAS's proposed regulatory framework reflects Singapore's commitment to maintaining a high level of oversight for DT services provided from within the country but aimed at overseas markets. The consultation seeks to strike a balance between enabling innovation in the digital assets sector and protecting Singapore's reputation against financial crime risks.
The MAS will take a cautious approach in issuing DTSP licenses, with approvals granted only in limited circumstances, based on economic viability, compliance with international standards, and sound business structures.
As FSM Act rolls out, existing licensees and unlicensed affiliates must review their operations to ensure compliance, especially multi-jurisdictional groups handling digital asset services and derivatives, which may now fall under FSM Act's regulatory scope.
Next Step
Stakeholders are invited to provide feedback on the consultation paper by 4 November 2024. DTSPs and related entities should closely review the proposed requirements, especially in areas related to AML/CFT compliance, technology risk management, and capital requirements.
For more information, you may refer to the full MAS Consultation Paper (P010-2024) here.
For More Information
If you have any questions about this article, please contact Duane Morris & Selvam Chairman Leon Yee or Associate Sally Kim if you would like to discuss this update.
Footnote
1. (a) an individual or partnership conducting business that provides any type of DT service outside Singapore from a place of business within Singapore; and (b) a Singapore corporation conducting business, whether from Singapore or elsewhere, that provides any type of DT service outside Singapore.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.