MAS consultation
The DTSP framework was first proposed by the MAS in a July 2020 consultation paper, and the foundational provisions for the licensing and regulation of DTSPs were subsequently enshrined in Part 9 of the Financial Services and Markets Act 2022 (FSM Act), which is not yet in effect. On 4 October 2024, the MAS issued a consultation paper setting out the more detailed proposed requirements for DTSPs.
The DTSP framework will supplement Singapore’s existing crypto regulatory framework, the Payment Services Act 2019 (PS Act), which has been in place since 2020. Providers of DT services under the FSM Act should not be confused with providers of ‘digital payment token’ (DPT) services under the PS Act (who are already subject to regulation in Singapore). Additionally, the DTSP framework will supplement the regulatory frameworks under the Securities and Futures Act 2001 (SFA) and the Financial Advisers Act 2001 (FAA). A service provider holding a licence, approval or exemption under the PS Act, SFA or FAA will not additionally require a licence for DT services under the FSM Act to conduct the same activities.
The purpose of the DTSP framework is to fully align the territorial scope of Singapore regulation with the Financial Action Task Force (FATF) guidelines for the regulation of virtual asset service providers. In particular, the current rules do not adequately capture certain businesses whose operations are outside Singapore but have Singapore touchpoints.
Scope of the DTSP framework
DTs include both DPTs (e.g., Bitcoin or Ethereum) and digital representations of capital markets products as defined under the SFA (e.g., tokenised securities).
DT services comprise dealing in (buying and selling) DTs, facilitating the exchange of DTs, providing DT transfer services, inducing or attempting to induce DT buy-sell transactions, DT safeguarding services and DT advisory services. The DTSP framework therefore applies potentially to a broad range of service providers in the digital assets space, ranging from exchanges and market-makers to custodians and advisory firms, encompassing platforms that support cryptocurrencies as well as those that support tokenised real-world assets. The DTSP framework does, however, contain an exclusion from licensing for providers of technology services (e.g., information technology and data connectivity services) equivalent to the corresponding exclusion found in the PS Act.
The DTSP framework applies to DT services that are provided outside Singapore, namely, those provided by (1) an individual or partnership conducting business that provides any type of DT service outside Singapore from a place of business within Singapore and (2) a Singapore corporation conducting business, whether from Singapore or elsewhere, that provides any type of DT service outside Singapore. Territorially, the DTSP framework therefore supplements the PS Act, which applies only to the provision of DPT services within Singapore, as well as the SFA and FAA, which do regulate capital markets services and financial advisory services on an extraterritorial basis but which may not yet capture the intended scope of services provided outside Singapore.
The MAS is particularly cautious about DTSPs that have a limited nexus to Singapore but purport to provide financial services outside the country. Such entities may pose a higher risk of being misused for illicit purposes, potentially harming Singapore's reputation. This is a key factor behind the DTSP framework’s focus on addressing money laundering and terrorism financing (ML/TF) risks.
Ongoing requirements for DTSPs
The MAS consultation proposes comprehensive ongoing key requirements for licensed DTSPs, including:
1. Governance and staffing in Singapore
- A DTSP that is a corporation must appoint at least one executive director who is resident in Singapore. A DTSP that is a partnership or limited liability partnership must appoint at least one partner or manager who is resident in Singapore.
- DTSPs must have a permanent place of business in Singapore.
- DTSPs should perform a penetration test of their proposed DT services, remediate all high-risk findings identified and conduct an independent validation of the effectiveness of the remediation actions.
- DTSPs should have adequate compliance arrangements commensurate with the scale, nature and complexity of their operations (taking the form either of an independent compliance function in Singapore or compliance support from a holding company or overseas related entity).
- DTSPs are expected to have a suitably qualified, management-level compliance officer based in Singapore.
- DTSPs should have adequate independent audit arrangements and be able to meet statutory annual audit requirements.
2. Anti-money laundering and countering the financing of terrorism (AML/CFT)
- DTSPs must take appropriate steps to identify, assess and understand their ML/TF risks.
- They must develop and implement policies, procedures and controls for customer due diligence (CDD), transaction monitoring, screening, suspicious transaction reporting, record-keeping and compliance with value transfer requirements (known as the ‘Travel Rule’).
- Enhanced measures must be performed if higher ML/TF risks are identified.
- DTSPs are required to perform CDD measures for all customers, including those onboarded before obtaining the DTSP licence.
- Reliance on third parties for CDD measures is permitted under specific conditions, ensuring the third party is subject to and supervised for compliance with AML/CFT requirements consistent with FATF standards.
3. Technology risk management and cyber hygiene
- DTSPs must identify critical systems and ensure high availability, with a maximum unscheduled downtime of four hours in any 12-month period.
- A recovery time objective of not more than four hours must be established for each critical system.
- DTSPs must notify the MAS within one hour of discovering a relevant incident and submit a root cause and impact analysis report within 14 days.
- IT controls must be implemented to protect customer information from unauthorised access or disclosure.
- Cyber hygiene practices include securing administrative accounts, applying security patches, establishing security standards, implementing network perimeter defence, malware protection and multifactor authentication.
4. Reporting requirements
- DTSPs must report suspicious activities and incidents of fraud to MAS within five working days of discovery.
- Periodic regulatory submissions are required, including account statistics, transaction value and volume, and the value of digital tokens held for safeguarding or administration.
- Information on transactions involving higher-risk customers and high-risk countries/jurisdictions must be reported.
5. Conduct and disclosures
- DTSPs must maintain accurate records of transactions and issue receipts to customers.
- Exchange rates and fees must be prominently displayed, and customers must be notified of normal business hours.
- DTSPs must provide customers with a risk warning statement and ensure accurate representation of the scope of their licences.
6. Financial requirements
- DTSPs must meet initial and ongoing financial requirements, including base capital of S$250,000 for corporations or a total capital contribution of S$250,000 for partnerships and limited liability partnerships.
- Individuals must maintain a security deposit of S$250,000 with the MAS.
Practical considerations for service providers
Service providers who operate with Singapore touchpoints and whose activities relate to cryptocurrencies and/or tokenised real-world assets should assess whether they may be caught by the DTSP framework, especially if they do not hold a licence, approval or exemption for those activities under the PS Act, SFA or FAA.
Service providers who consider themselves in scope of the DTSP framework and who intend to remain in scope going forward should consider taking practical steps to align with the requirements of the DTSP framework and prepare to apply for a DT services licence.
The MAS does, however, indicate that it will approach the licensing of DTSPs in a prudent and cautious manner as it envisages that there will be extremely limited circumstances under which it will grant DTSP licences. The MAS will review applications for a DTSP licence on a case-by-case basis, taking account of whether the applicant’s business model makes economic sense, complies with international standards and has a sound structure that enables regulatory compliance, among other factors.
The DTSP framework does not represent a streamlined (let alone guaranteed) pathway to licensing, and depending on how the MAS applies it in practice, it may function ultimately as a deterrent to service providers who previously may have sought to arbitrage the territorial gaps of the Singapore regulatory frameworks.
Timeline and next steps
The MAS consultation closes on 4 November 2024. The MAS will then publish the relevant legislation and guidelines at least four weeks before commencement of the DTSP framework. The MAS has indicated that the framework may take effect before the end of 2024.
There will be no transitional arrangements. Upon the DTSP framework taking effect, persons in scope will need to cease or suspend operations unless they obtain a licence from the MAS or are otherwise exempt from licensing.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2024-211