Singapore to tighten rules on cryptocurrency trading

Once touted as "crypto paradise", Singapore is now moving ahead with its plans to tighten rules on cryptocurrency trading by retail customers. The Monetary Authority of Singapore (MAS) has proposed a suite of measures aimed at reducing the risk of consumer harm from cryptocurrency trading.

This article summarises these proposals and briefly considers how they compare with developments in Hong Kong, the EU and the UK. Cryptocurrency players should review their business plans and structures to see if they might be impacted.

CHANGE IS IN THE AIR

In August 2022, the MAS put the cryptocurrency industry on notice that Singapore's cryptocurrency regulations would be tightened in due course to reduce consumer harm arising from cryptocurrency trading. This followed MAS dealing with the fallout from several high-profile cryptocurrency collapses in the country and a global push towards better governance of the industry.

In October 2022, the MAS released a consultation paper proposing a suite of regulatory measures for digital payment token (DPT) service providers1 (DPTSPs) aimed at reducing the risk of consumer harm from cryptocurrency trading. These proposals are aimed at licensed and exempt payment service providers that carry on a business of providing a digital payment token service under the Payment Service Act 2019. These proposals stop short of an outright ban of retail access, which the MAS acknowledged is not likely to work.

The MAS has chosen to adopt a risk-focused approach in regulating the digital asset ecosystem. In particular, the MAS is concerned about the risks posed by cryptocurrency speculation.

In parallel, the MAS also issued a separate consultation paper on enhancing the standards of stablecoin-related activities.

SUMMARY OF MAS' PROPOSALS

Broadly, the proposed measures for DPTSPs cover these areas: (i) consumer access; (ii) business conduct; (iii) technology risks; and (iv) market integrity.

Consumer access

The proposed consumer access measures are meant to complement MAS' existing consumer education efforts. The proposals are intended to protect

retail customers resident or incorporated in Singapore. Generally, these refer to non-sophisticated customers whose net personal assets or net financial assets fall below a certain threshold.

Key proposals include:

DPTSPs will be required to assess retail customers' knowledge of risks of trading in cryptocurrencies, ideally through an industry-agreed template. For retail customers who are assessed not to have sufficient knowledge of the risks, the MAS is considering having DPTSPs provide educational materials and cooling off periods as possible next steps;
DPTSPs are not allowed to offer incentives, monetary or otherwise, to retail customers or for any person to refer cryptocurrency services to retail customers; and
DPTSPs must not allow the use of credit facilities and leverage by retail consumers for cryptocurrency trading and must not accept payment for cryptocurrency services via credit cards or charge cards.

MAS is also considering whether and how the value of cryptocurrency holdings should be taken into account in a customer's net personal assets or net financial assets when determining retail or non-retail treatment of such customer. Options include: (i) fully excluding the value of cryptocurrency holdings owing to their volatile nature; or (ii) imposing a cap on the value of cryptocurrency holdings that may be included in the calculation – the MAS proposed to recognise up to only 10 per cent, or S$200,000 of a customer's net personal assets in cryptocurrency, for the purposes of determining if the customer may be treated as a non-retail or accredited investor.

Business conduct

MAS intends to establish baseline conduct norms for DPTSPs, noting that business conduct practices vary across the industry. Key proposals include:

DPTSPs are to implement proper segregation of customers’ assets. To this end, the MAS is also seeking views on whether having an independent custodian to hold customers' assets is appropriate
DPTSPs are to provide written disclosures of the arrangements and risks (such as whether customers' assets will be commingled with those of other customers and, if so, the risks of such commingling) involved in having customers' assets held by the DPTSPs
DPTSPs are to conduct daily reconciliation of all customers' assets which are held by them
DPTSPs should provide a statement of account on a monthly basis at a minimum
DPTSPs are to implement controls to safeguard the private keys and storage of customers' cryptocurrencies
DPTSPs are not to mortgage, charge, pledge or hypothecate retail customers' cryptocurrencies. DPTSPs may do so for non-retail customers, provided the non-retail customers are provided with a clear risk disclosure document and have explicitly consented
DPTSPs are to implement policies and procedures to identify, disclose and mitigate conflicts of interest. In particular, DPTSPs should disclose the manner in which they handle and execute customer orders and the capacity in which they are doing so
DPTSPs should not misuse and should prevent the misuse of, information relating to customers' orders
DPTSPs are to establish complaints handling policies and procedures. In particular, they should not hinder retail customers from bringing disputes before the Singapore courts.

DPT trading platform operators will not be permitted to conduct proprietary trading of cryptocurrencies and must not permit related corporations to do so either. DPT trading platform operators will also be required to disclose their cryptocurrency listing and governance policies and procedures.

It should be noted that unlike the consumer access measures, these business conduct measures appear to be aimed at protecting both retail and non-retail customers. If implemented, these proposals will affect a majority of cryptocurrency players in Singapore.

Technology risks

It is proposed that DPTSPs will also be subject to requirements to maintain high availability and recoverability of their critical systems, in accordance with the same standards required of other financial institutions such as banks. These standards include a strict incident reporting timeframe of one hour upon the discovery of a significant system malfunction or IT security incident.

Market integrity

To address market integrity risks, DPT trading platform operators are also required to set out, disclose and enforce rules governing trading activities on their platforms. These rules should promote fair, orderly and transparent trading of cryptocurrencies. DPT trading platform operators are also required to implement market surveillance mechanisms, to detect and deter unfair trading practices.

Implementation

MAS' proposals are open to public consultation until 21 December 2022. Once the MAS has finalised its proposals, it intends to issue guidelines and provide a transition period of six to nine months for DPTSPs to meet the guidelines.

Details on the regulatory requirements and subsidiary legislation will be consulted upon separately in due course.

HONG KONG

On 31 October 2022, the Hong Kong Government issued a policy statement to unveil several fundamental virtual asset-friendly changes to the city's regulatory stance towards virtual assets (VAs). (See our article: Hong Kong to allow retail access to virtual asset ETFs and considering legalizing retail virtual asset exchange) The new policy will allow retail investors to access VA futures exchange traded funds to be listed on the Hong Kong Stock Exchange, subject to certain requirements specified by the Securities and Futures Commission (SFC)'s 'Circular on Virtual Asset Futures Exchange Traded Funds' published on the same day. Moreover, the SFC is undergoing soft consultation with the industry and will consult the public regarding whether to allow retail investors to access VA on licensed exchanges, and is expected to permit a specified scope of retail VA trading in due course.

With regards to regulation of retail access to VA trading platforms, currently, VA products traded on SFC licensed exchanges are only available to professional investors. A new licensing regime under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance is under way to implementation in early 2023, under which VA exchanges involving non-securities VA will also be required to be licensed. This would permit retail trading of non-securities VA on SFC licensed exchanges.

Noting security token offerings are gaining traction amongst traditional financial institutions, the SFC has announced that it is prepared to allow wider access if proper safeguards are put in place. In particular, the SFC clarified that tokenised securities will not be blanket classified as "complex product" merely because it is traded on a blockchain, if it has similar terms, features and risks as traditional securities. The SFC is expected to set out a detailed modified security token regime in due course.

The Hong Kong Government and the regulators are exploring various pilot projects to test the technological benefits brought about by VAs and their future applications in the financial markets. For example, the Government is considering tokenising Government Green bond issuance for subscription by institutional investors to test the use of distributed ledger technology in the bond lifecycle, as well as exploring the launch of e-HKD, Hong Kong's retail central banking digital currency.

EU

In the European Union (EU), there are no equivalent restrictions around retail access to cryptocurrency trading but new and wide-ranging licensing, conduct of business and operational resilience rules will shortly be introduced for cryptocurrency firms.

The EU's markets in crypto-assets regulation (MiCA) aims to create a harmonised regulatory framework for the issuance of, intermediating and dealing in cryptoassets, and is much broader that the current MAS proposals. It will introduce licensing and conduct of business requirements for cryptoasset service providers (CASPs), issuers and exchanges, as well as a crypto market abuse regime.

The requirements for CASPs include detailed governance requirements, including systems and controls and location rules, and disclosure and prudential requirements, including that they maintain prudential safeguards, either in the form of own-funds regulatory capital or by taking out insurance.

MiCA is going through the final stages of the legislative process now, with certain provisions anticipated to come into force from early 2024. (See our article: MiCA – EU reaches agreement on the crypto-assets regulation)

In parallel with the legislative process for MiCA, the EU has also agreed a new regulation on digital operational resilience (DORA) that will apply broadly to financial entities within the EU including CASPs to ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. DORA introduces a range of requirements including in relation to identification, prevention and detection of ICT risks, response and recovery and reporting requirements. (see our article, DORA: What the new European framework for digital operational resilience means for your business.)

UK

In the United Kingdom (UK), there are no equivalent restrictions around retail access to cryptocurrency trading (other than a ban on sale of crypto derivatives to retail clients) and operational resilience rules will not apply to many cryptocurrency firms. However, there are registration and conduct of business requirements that apply to certain cryptocurrency firms including exchanges.

Firms which carry on certain cryptoasset-related activities in the UK - notably cryptoasset exchange providers and custodian wallet providers - are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations and required to register with the Financial Conduct Authority.

They are subject to ongoing obligations, such as requirements to take steps to identify and manage the risks of money laundering and terrorist financing. Exchanges may be subject to other regulatory requirements depending on the characterisation of the types of cryptoassets that are traded, and the activities that the firm conducts. For example, if the cryptoasset qualifies as a transferable security or other financial instrument, the operator may need to be authorised as the operator of a trading facility.

While there are no equivalent retail access restrictions in the UK, in January 2022 the UK Government confirmed that it would include cryptoassets within the financial promotions regime which restricts unauthorised firms from making financial promotions unless an exemption applies or the financial promotion is approved by a UK-licenced firm. This is expected to significantly restrict the way in which cryptoassets can be marketed to retail customers in the UK.

The UK's rules on operational resilience will not currently apply to cryptocurrency firms and exchanges unless the firm is also authorised to carry on other regulated activities in the UK. However, the Financial Services and Markets Bill which was introduced into Parliament in summer 2022 is expected to introduce a broader regulatory framework for firms carrying on activities relating to stablecoins (and possibly other types of cryptoassets), which is likely to include operational resilience requirements.

IMPACT

Cryptocurrency players with an interest in Singapore should scrutinise their business structures to assess how the MAS' proposals might affect them. Developments in other key jurisdictions like Hong Kong, the EU and the UK may also drive a re-assessment of their business plans.

Once implemented, these proposals translate into future compliance and operations cost, and may impact the bottom line of cryptocurrency firms, something which venture capital firms should also take note of. Adding friction to retail access to cryptocurrency trades in Singapore may also consequently fuel trades in cryptocurrency derivatives, an area that is currently largely unregulated.