MAS Consults on Proposed Regulations, AML/CFT Notice and Guidelines, for Regulatory Framework for Virtual Asset Service Providers under FSMA

Executive Summary

The Monetary Authority of Singapore (“MAS“) is consulting (until 4 November 2024) on proposed: (i) Financial Services and Markets Regulations (“FSM Regulations“); (ii) notices, including on anti-money laundering and countering the financing of terrorism (“AML/CFT“); and (iii) other applicable guidelines, for the regulatory framework for virtual asset service providers (“VASPs“) under Part 9 of the Financial Services and Markets Act 2022 (“FSMA“).

To implement the Financial Action Task Force’s (“FATF’s“) enhanced standards requiring each country to regulate VASPs created in its jurisdiction to mitigate the risk of regulatory arbitrage, the FSMA’s Part 9 (which has yet to come into effect) will introduce a new class of financial institutions (“FIs“), namely digital token service providers (“DTSPs“), which includes the following persons:

1. Individuals or partnerships who, from a place of business in Singapore, carry on a business of providing digital token (“DT“) services outside Singapore; and

2. Singapore corporations (including limited liability partnerships) which are formed or incorporated in Singapore, and which carry on a business (whether from Singapore or elsewhere) of providing DT services outside Singapore.

The proposed FSM Regulations, AML/CFT notice, and other notices and guidelines under the FSMA, which are the subject of the present consultation exercise, will set out the requirements to operationalise Part 9 of the FSMA, which is targeted to be implemented by the end of 2024.

This Update sets out further details on the MAS’ key proposals and their implications for entities to be regulated as DTSPs.

Background

The FSMA, passed in Parliament on 5 April 2022, is an omnibus Act for the sector-wide regulation of financial services and markets that applies to FIs. It consolidates the provisions and powers that relate to the MAS’ regulatory oversight of different FIs into a single Act. The FSMA is being implemented in phases. For more information, please see our April 2022 Legal Update entitled “Singapore Parliament Passes Bill to Regulate Certain Digital Token Service Providers, Harmonise and Enhance MAS Regulatory Power over FIs”.

Key Proposals

No transitional arrangements

The MAS will not be providing transitional arrangements for DTSPs, but intends to publish: (i) the commencement notification for the FSMA; and (ii) finalised versions of subsidiary legislation (including the FSM Regulations), the notices, and the guidelines (including the amended Guidelines on Fit and Proper Criteria (“FPC Guidelines“) and other applicable guidelines), at least four weeks before the commencement date of the relevant FSMA provisions (Part 9, First and Second Schedules) and other related FSMA amendments (collectively, “DTSP Provisions“). All the notices and the amended FPC Guidelines will come into force upon commencement of the DTSP Provisions. Once the regulatory regime for DTSPs commences, they will be required to suspend or cease operations unless they obtain a licence or are exempted.

Proposed policy approach to licensing of DTSPs

1. Restrictive licensing approach: DTSPs are more susceptible to potential money laundering / terrorism financing (“ML/TF“) risks, given the cross-border and internet-based nature of their DT services. The MAS envisages that in most cases, persons operating from a place of business in Singapore or incorporated or formed in Singapore will carry on a business of providing DT services in Singapore, and thus be subject to licensing and ongoing requirements under other applicable legislation (e.g. the Payment Services Act 2019 (“PS Act“), the Securities and Futures Act 2001 and/or the Financial Advisers Act 2001). Hence, the MAS envisages that there will be extremely limited circumstances under which it will grant a DTSP licence under the FSMA. It will review applications for the same on a case-by-case basis, considering the licensing criteria described below.

2. Key licensing criteria: The MAS intends to set out the following licensing criteria for DTSPs in the MAS’ Guidelines on Licensing for DTSPs (closely modelled after the PS regime) and may also impose any of them as licensing conditions: (i) applicants must have a business model that makes economic sense and demonstrate to the MAS’ satisfaction that they have valid reasons for not offering DT services within Singapore despite operating in or being formed or incorporated in Singapore; (ii) applicants do not operate in a manner that is of concern to the MAS, and are already regulated and supervised for compliance with relevant internationally agreed standards; and (iii) there are no concerns with the applicant’s business structure in relation to ability to comply with regulatory obligations.

3. Additional licensing criteria: The MAS expects applicants to fulfil, among others, the following additional licensing criteria: (i) having at least one executive director, or partner, or partner or manager (as applicable) resident in Singapore; (ii) meeting the fit and proper criteria; (iii) having a permanent place of business in Singapore; (iv) penetration testing of an applicant’s proposed DT services, remediation of all high-risk findings identified, and independent validation on the effectiveness of the remediation actions; (v) adequate compliance and independent audit arrangements commensurate with the scale, nature and complexity of operations; and (vi) ability to meet the annual audit requirements.

4. Post-licensing notifications: DTSP licensees must notify the MAS of any changes to the circumstances set out in their applications or their business model or operations that could affect compliance with licensing criteria. Failure to comply could potentially result in the revocation of the licence.

Proposed FSM Regulations setting out requirements for DTSP licensees

1. Control of provision of DT services: The MAS seeks comments on proposed requirements for: (i) licence applications (e.g. application fees, perpetual duration); (ii) licence fees (payable annually); (iii) document submission deadlines; (iv) licence lapsing; and (v) time, and prorating methodology, for payment of fees.

2. Financial requirements: The MAS seeks comments on the quantum and components of the proposed minimum initial and ongoing financial requirements for DTSPs, including: (i) a minimum base capital of S$250,000 for corporations; (ii) total capital contribution of S$250,000 for partnerships or limited liability partnerships; and (iii) security in the form of cash deposit of S$250,000 to be maintained with the MAS for individuals. This ensures that DTSPs are well-capitalised and committed to maintaining a meaningful presence in Singapore.

3. Business conduct requirements: The MAS seeks comments on the proposed duties of Chief Executive Officers, directors and partners of licensees (as applicable), and the audit requirements, that are set out in the proposed FSM Regulations.

Proposed AML/CFT notice for DTSP licensees

1. Addressing ML/TF risks: The MAS proposes to require DTSPs to: (i) take appropriate steps to identify, assess, and understand their ML/TF risks; (ii) implement policies, procedures, and controls to manage and mitigate identified risks, including customer due diligence (“CDD“), transaction monitoring, screening, suspicious transaction reporting and record keeping; (iii) monitor and enhance the implementation of (ii); and (iv) perform enhanced measures if higher ML/TF risks are identified.

2. Conducting CDD on existing customers and outsourcing to third parties: The MAS proposes to require DTSPs to perform CDD on all existing customers within a specified period after obtaining their licence. DTSPs will be permitted to rely on third parties for CDD if:

• • The DTSP: (i) is satisfied that the third party is subject to and supervised for compliance with AML/CFT requirements consistent with FATF standards and has adequate measures in place to comply; and (ii) takes appropriate steps to understand the ML/TF risks in the third party’s jurisdiction of operation;
  • The DTSP is not specifically precluded by the MAS from relying upon that third party, with the MAS proposing preclusions from reliance on third parties that are payment service provider licensees under the PS Act, or DTSP licensees under the FSMA, or under equivalent licences, via the proposed AML/CFT notice for DTSPs and via proposed amendments to the other AML/CFT notices applicable to other FIs; and
  • The third party is able and willing to provide data, documents or information regarding the CDD measures applied to customers, without delay, upon the DTSP’s request.

The MAS seeks comments on the proposed CDD requirements for existing customers of DTSPs, whether third party reliance is appropriate for the sector, and the proposed amendments to the other AML/CFT notices for other FIs.

3. Risk-mitigation for correspondent account services: The MAS proposes to require DTSPs providing correspondent account services to another FI or engaging another FI for such services, to perform risk-mitigation measures in addition to CDD, including: (i) assessing the suitability of the FI’s AML/CFT controls for adequacy and effectiveness; (ii) understanding and documenting its and the FI’s respective AML/CFT responsibilities; and (iii) obtaining senior management approval. The MAS seeks comments on whether the proposed requirements would be applicable to the sector.

4. Risk-mitigation for payments: The MAS proposes to require DTSPs to use cheques (instead of cash payouts) for payments equal to or exceeding S$20,000 subject to conditions, and to prohibit the issuance of bearer negotiable instruments in any amount, and seeks comments on the same.

5. Risk-mitigation for value transfers (“transfers“): The MAS proposes to require the following, and seeks comments on the type of information accompanying or relating to transfers that would be relevant for law enforcement purposes, the type of records that should be kept, and examples of how the requirements could be operationalised in practice including industry-wide initiatives:

• • Ordering institutions to: (i) identify the value transfer originator (“originator“), take reasonable measures to verify their identity (if not already done as part of Para 6 of the AML/CFT notice) and record adequate details of the transfer so as to permit reconstruction (e.g. the date of transfer, the type and value of DTs transferred, and the value date); and (ii) collect and document specific information on the originator and value transfer beneficiary (“beneficiary“) and immediately and securely submit this to the beneficiary institution;
  • Beneficiary institutions to take reasonable measures (including monitoring) to identify transfers that lack the required originator or beneficiary information; and
  • Intermediary institutions to: (i) retain all information accompanying the transfer; and (ii) implement appropriate internal risk-based policies, procedures and controls to determine when to execute, reject or suspend a transfer lacking required originator or beneficiary information, and the appropriate follow-up actions.

Proposed other notices for DTSP licensees

The MAS also seeks comments on the following proposed other notices applicable to DTSP licensees.

1. Periodic reporting of suspicious activities and incidents of fraud and submission of regulatory returns: The MAS proposes to issue:

• • A notice requiring DTSPs to periodically make reports (in the form, manner and time specified) upon discovery of suspicious activities or fraud incidents; and
  • A notice on submission of regulatory returns i.e. periodic submission of: (i) information relating to the DT services provided (e.g. monthly submissions of account statistics, transaction value and volume, and value of DTs held for safeguarding or administration); and (ii) information that allows understanding and monitoring of the profile of each DT service for more targeted supervision (e.g. information on transactions involving higher risk customers and high-risk jurisdictions, the jurisdictions the DTSP provides DT services in, the list of service providers that the DTSP has service agreements with, the jurisdictions from which such services are delivered to the DTSP, and statistics on transactions involving anonymity-enhancing technologies that pose higher ML/TF risks).

2. Technology risk management: The MAS proposes to issue a notice requiring DTSPs to: (i) establish a framework to identify critical systems, ensure their maximum unscheduled downtime is under four hours within any 12-month period, and establish a recovery time objective of under four hours; (ii) notify the MAS within one hour upon discovery of a system malfunction or information technology (“IT“) security incident with severe and widespread impact on the DTSP’s operations or material impact on its services to its customers, and submit a root cause and impact analysis report within 14 days; and (iii) implement IT controls to protect customer information from unauthorised access or disclosure.

3. Cyber hygiene: The MAS proposes to issue a notice requiring DTSPs to: (i) secure administrative accounts against unauthorised access or use; (ii) establish security standards; (iii) implement security patches timeously; (iv) establish network perimeter defence, malware protection, and multi-factor authentication for administrative accounts of critical systems and system accounts used to access customer information through the internet; and (v) be subject to the MAS’ Guidelines on Risk Management Practices-Technology Risk, which require FIs to establish technology risk governance and maintain cyber resilience (including implementing secure coding, robust cryptographic key management, and controls, to ensure the availability and security of IT systems).

4. Conduct: The MAS proposes to issue a notice requiring DTSPs to ensure that their designated person responsible for being present at their permanent place of business to respond to queries relating to AML/CFT or complaints from their DT service users or customers, will be so present for at least ten days a month for at least eight hours per day during normal business hours, unless an exception applies. The MAS seeks comments on the proposed operating days and hours.

5. Disclosure and communications: The MAS proposes to issue a notice requiring DTSPs to: (i) provide customers with a specified risk warning statement, to ensure that they understand their exposure to the risk of the DTSP losing their value; (ii) accurately represent the scope of regulation of the DTSP under the FSMA; and (iii) correct any false or misleading statement by a third party about such scope (albeit the DTSP is not required to take legal action against the third party), to ensure that the public correctly understands the same. The MAS seeks comments on the disclosure requirements and the requirements concerning the false or misleading scope of regulation.

Proposed guidelines for DTSP licensees

The MAS proposes to also amend the FPC Guidelines to apply to all DTSP licensees upon the enactment of the DTSP Provisions. As for the other guidelines that apply to all FIs (such as the MAS’ Guidelines on Risk Management Practices-Technology Risk, Guidelines on Business Continuity Management and Guidelines on Outsourcing), the MAS notes that no amendments are required and that these guidelines will already also apply to all DTSP licensees. The MAS seeks comments on the application of the guidelines to DTSP licensees.