The MAS has proposed regulatory measures to protect retail customers from harms related to cryptocurrency speculation and risks from the technology and business practices of digital payment token service providers.


MAS Consults on Regulatory Measures for DPT Services

October 31, 2022

The Monetary Authority of Singapore (MAS) has published a consultation paper seeking public comment on a variety of proposed regulatory measures aimed at protecting retail customers from harms related to cryptocurrency speculation and risks arising from the technology and business practices of digital payment token (DPT) service providers (DPTSPs).

MAS intends the consultation to result in a set of guidelines that DPTSPs would have to satisfy within a transition period of 6-9 months after publication.  MAS intends to consult again at an unspecified future time regarding new regulations that would be derived from the guidelines.

The period for commenting on the consultation paper, Proposed Regulatory Measures for Digital Payment Token Services (P008-2022, 26 October 2022), ends on 21 December 2022.


While MAS has encouraged the development of Singapore’s blockchain ecosystem, it has strongly discouraged the participation of retail customers in the cryptocurrency markets.  In the consultation paper, MAS cites several risks regarding cryptocurrencies that it believes retail customers do not fully understand or appreciate:

  • Prices that are highly volatile and not supported by underlying economic value.
  • Marketing that is misleading and that trivialises the risks of cryptocurrency trading.
  • Risk of loss through security breaches, scams, fraud and theft.
  • Opaque, unethical and illegal business practices of some cryptocurrency businesses.

MAS took a first step towards addressing those risks when it published its Guidelines on Provision of Digital Payment Token Services to the Public in January 2022 (see our article on those guidelines).  Those Guidelines restrict promotion of DPT services to the general public in Singapore, the provision of DPT services in public areas of Singapore (e.g., via crypto ATMs) and the provision of services supporting DPT-related products such as payment token derivatives contracts to the public.  This consultation reflects MAS’s view that too much risky retail customer behaviour regarding cryptocurrencies still occurs and that the risks set out above must be addressed with greater regulatory firepower. 

Consumer Access Measures

MAS proposes one set of guidelines directly aimed at protecting ‘retail customers’ – customers not likely to be able to bear large losses from cryptocurrency trading.  The retail customer segment under the Payment Services Act 2019 (PS Act) would be defined in terms similar to the asset and income tests for the customer segment not qualifying as accredited investors (AIs) under the Securities and Futures Act 2001 (SFA).  MAS has not proposed specific tests for retail customers under the PS Act but suggests that the current SFA thresholds for AIs would be a reasonable starting point, with additional limits on how digital assets will count towards those thresholds. The SFA’s AI thresholds are S$2 million in net personal assets (with a cap of S$1 million on the net value of the individual’s primary residence), or S$1million in net financial assets, or S$300,000 in income over the preceding 12months.

For customers in the retail customer segment, MAS proposes requiring DPTSPs to:

  • Assess the customers’ risk awareness and take steps to educate customers determined not to be sufficiently aware of the relevant risks.
  • Refrain from offering incentives to engage in DPT activities.
  • Restrict debt-financed (including credit card) and leveraged DPT transactions.

Many of the PS Act’s current protections for individual customers, such as e-money stock and flow caps and the promotional guidelines mentioned above, are limited to Singapore customers.  MAS is considering applying the consumer access measures to retail customers outside Singapore as well.

Business Conduct Measures

MAS proposes a variety of business conduct measures based on industry best practices and regulatory approaches in other jurisdictions.

Protection of Customers’ Assets

Noting recent high-profile business failures of DPTSPs and the devastating effects they can have on customers, MAS proposes to improve the protection of customers’ assets by requiring DPTSPs to:

  • Segregate customers’ asset from their own assets (and MAS seeks comments on whether to require customers’ assets to be held by independent custodians).
  • Improve written disclosures of arrangements and risks regarding asset custody.
  • Reconcile customers’ assets daily and provide statements of account holdings and transactions at least monthly.
  • Adopt strong controls regarding the management of private keys for wallets holding customers’ assets.
  • Refrain from lending or creating encumbrances on DPTs of retail customers.

Conflicts of Interest 

MAS observes that many DPTSPs engage in multiple business activities, including operating a trading platform, acting as a broker-dealer and trading for their own account.  MAS proposes to require DPTSPs to identify and mitigate conflicts of interest arising from their business activities, such as having a financial interest in listed DPTs, trading for their own account and market making.

DPT Listing and Governance

To improve customers’ confidence in the quality of the DPTs listed on an exchange, MAS proposes to require DPTSPs to disclose their DPT listing and governance policies.

Handling Customer Complaints

In addition to proposing several specific policies and procedures that DPTSPs would be required to adopt for handling customer complaints, MAS proposes to prohibit DPTSPs from imposing a dispute resolution process that would prevent retail customers from bringing disputes to the Singapore courts.

Technology and Cyber Risks

MAS notes that cyberattacks and system outages have affected some DPTSPs resulting in financial losses for their customers.  Although DPTSPs are subject to the Notice on Cyber Hygiene and the Technology Risk Management Guidelines under the PS Act, MAS proposes to adopt a much stricter Notice of Technology Risk Management that would impose requirements on DPTSPs similar to the requirements imposed on banks.  Those requirements would include:

  • Identifying critical systems.
  • Ensuring unscheduled downtime for critical systems does not exceed a total of 4 hours in any 12-month period.
  • Adopting a 4-hour recovery time objective for critical systems.
  • Notifying MAS within 1 hour of any incident which materially affects services to customers.
  • Implementing IT controls to protect customer information.

Market Integrity

MAS observes that DPTSPs operating centralised exchanges facilitate transactions that are not recorded on blockchains.  Because such off-chain transactions are not transparent to customers in the way on-chain transactions are, unscrupulous exchange operators can more easily engage in unfair trading practices, such as wash trading, pump-and-dump schemes, cornering, trade spoofing and insider trading.  MAS has not made specific proposals to address the market integrity issues it has identified, but seeks comments on effective systems, procedures, and market surveillance methods to promote fair, orderly and transparent trading.

Key Takeaway

MAS takes a risk-based approach to regulation and its proposals indicate that MAS believes the risks of DPT activities for retail customers have increased substantially.  

For More Information

OrionW regularly advises clients on financial technology matters.  For more information about financial technology regulations, or if you have questions about this article, please contact us at

Disclaimer: This article is for general information only and does not constitute legal advice.


Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.