Panel Discussion: In Pursuit of The PSA Licence

Currently, the travel rule contention within the Crypto industry is still not resolved.
The Travel Rule is a regulatory requirement officially adopted by the Financial Action Task Force (FATF) in 2019. This Travel Rule extended Anti-Money Laundering and Counter-financing of terrorism (AML/CFT) obligations to crypto-related transactions valued at USD 1000 or more for Virtual Asset Service Providers (VASPs) such as cryptocurrency exchanges and companies providing crypto services. This Travel rule requires the relevant financial institution to pass on some transaction and Ultimate Beneficial Owner (UBO) information to the next financial institution.

However, this is a challenge for the VASPs due to the pseudonymity nature of cryptocurrency, where there is limited amount of information that can be transferred. Only until the blockchain technology is prepared to have a bigger data allocation size, it will never be something that can be resolved on chain. And if it is not resolved on chain, there will be a need for an off-chain solution which is a very difficult and cumbersome as participants will need to be involved.

Here is one of the off-chain solutions shared by Jonathan from DigiFinex, which DigiFinex applies this methodology to its exchange to demonstrate effective control over un-hosted wallets. 

The idea is beneficial control where DigiFinex goes down to the customer level.
For example, DigiFinex will send a small amount of cryptocurrency to the customer and would require the customer to send them back inversely. This is where if they can do that then they would effectively demonstrated that they can have beneficial control over the un-hosted wallet address.

Megan Li from Regtank believes that there is still a long way to go for the Travel Rule. Although, there are some solutions available in the market, which could help facilitate the exchange of information between different networks. More detailed requirements from regulators related to un-hosted wallet and crypto transactions will be needed. As for now, the reporting guidelines does not explicitly state the reporting details.

At an industrial and technical level, if all organisations are willing to work together to build a system to share this information, this could be resolved.

For the process of applying for the license or any kind of compliance in any jurisdiction, there is a significant cost to be incurred. The high cost of compliance is not only for crypto businesses, but even for traditional Financial Institutions (FIs), one of the challenges for executives is the costs incurred for compliance with regulations.
These traditional and conventional FI pour lots of money on human resources, where professionals are needed in manual work for compliance matters like internal procedures, security policy, solving issues like False Positives and to know what the organisation do not know – identify security posture gaps.
However, the entire industry is evolving, where there are better solutions coming up. If organisations can streamline those manual compliance process and turn them into a technological format, where there is certified and audited ways to ensure that these processes cannot be junked/ manipulated/ altered externally without approved control or access, they can be more cost-efficient.
And this explains the booming regulatory technology (RegTech) industry, where to a large extent, these RegTech can automate some of these compliance processes to help companies save some costs, especially for start-ups. Taking the example of False Positive, it used to be a manual process, but now with technology like Artificial Intelligence (AI), simple algorithms to define the limits that organisation can implement at policy level can help reduce false positive.
The digital assets (crypto) industry is a very young industry where regulators are very forthcoming in the use of technology. The idea is to understand the regulatory requirement well and to meet those regulatory requirements using technology and not using manual process.

Here is a suggestion given by Jonathan to a start-up:
Set out all your governance policies and procedures first and then test them in the sandbox. This exercise is not expensive, where you do not need much manpower resources to do it. Once tested out in the sandbox, where you run them through a machine, you will have a good idea of whether those processes/algorithm that was put in place make sense or not. Keep repeating the process until you have a perfect set of algorithms running your policies and procedures. 

There is a very specific roadmap that I have to praise the regulators for doing this, because they started off with enthusiasm. They then started to calibrate the roadmap and change the deliverables and expectations, where it sorts of filters out the businesses that will and will not do well.

For the longest time, I thought this application will last for 6 months and I was prepared to go into it for 6 months. However, it is almost a year and half and we still have not gotten our license yet, where we are still in the state of exemption. However, we do see applicants getting their license like FomoPay for the Digital Payment Token (DPT) License and other DPT exchanges who have granted in-principal licenses. We can see that the regulators are coming to close on the kind of applicants and criteria that they are expecting. I foresee the roadmap to be iron out, where it will be an uniform application across all the applicant within the next 6-12 months
So, if you make an application now, where MAS seem to have clear in-principal approval requirements from the existing applicants, they will implement the same level and degree of standard and due diligence for new applicants. 

Yes, you may be an exemptee but it does not mean that you are exempted from all the regulatory and statutory requirements. You still must comply to all prevailing regulatory and compliance requirements, such as the Monetary Authority of Singapore Technological Risk Management (MAS TRM) guideline, Anti Money Laundering (AML), Know Your Customer (KYC), Counter Financing Terrorism (CFT), disclosure notices and many more. The authorities will question and inspect the exemptee, and they will expect the exemptee to answer and meet the compliance that was set out forth.
Putting yourself in the shoes of the regulators, if the exemptee is not able to demonstrate a certain degree of compliance during the exemption period, how can they trust you to meet the compliance standard after granting the licence?

If you are dealing with digital assets, it is inevitable that you will hold custody over your customer’s digital assets to have effective control. And it does not make sense for an organisation to tell the regulators that they are going to outsource the custody of your digital assets to a third party. As in that sense, the regulators might as well give the licence to the service provider whom you outsourced to.

It is up to the organisation to impress upon the regulators using technological explanation and standards in how you will be able to meet a high degree of security for your customers’ assets. You will have to apply a great degree of risk management and logical understanding of the business and its risks to show the regulators your ability to safeguard these assets.

However, in the situation where the industry, regulators or your organisation have not anticipated a risk beyond that, an advice for the management would be to get an insurance. If the organisation did not think about insurance, then the organisation clearly does not have the level of competency to safeguard your customer’s assets. The organisation needs to go out there to think of ways to safeguard their own customer’s assets.

If the event of anything, you must have reserved an insurance first. If your organisation or your digital payment custody provider (eg: third party wallet provider like Fireblocks or coin-based wallet which Jonathan from DigiFinex sincerely do not recommend), you must have your own technology or understanding (of the business). If an organisation is using a third-party technology that they do not understand, then they would a risk to the financial ecosystem, where a regulator should not grant a licence to them.  

The organisation will need to understand the technology well, and after they understand the technology, they can go over and above and acquire the additional assurance to the regulator and the community at large. And if you tanked or get hacked one day and you lose your customer assets, you have the capability to repay them through reserves or insurance. 

The list of Custody Service Providers is available in the Monetary Authority of Singapore (MAS) information directory to look up on both payment service providers and capital market license holders (CMSL), where some of them have digital payment services.
You can take a look at the kind of regulated activities that are able to provide before engaging them. However, having somebody who is licensed is not a reasonable excuse to outsource such a critical function of your business. And if you really do so, you must have good reasons and risk management in place to ensure (business continuity). If not, if the whole world will start to outsource to them, they will be a concentration of risk, and if they tank, everybody goes down. So definitely, as an organisation, you will need to exercise clear logical mind to reason out the validity of this decision. It could be the case that your organisation do not have the technological capability, but will still want to carry out certain process, and would like to take shot to outsource to a third party vendor. However, good risk management to mitigate the risk in the event the third-party tank or default needs to be in place. 

I don’t think it is a question on whether organisations are open or not, but it is an inevitable process. I think it is necessary, as you see the regulators implementing it (compliance) at the applicant stage, where they ask you to go in and explain to them what your compliance processes are, for example, Technological Gap Analysis or they will ask how you are conducting certain kind of internal audit function. Risk management is always forefront and centre for an organisation If you cannot identify your risks, you have a big problem. Audit is a requirement for every financial institution where it is an expected from regulators across jurisdiction. 

Indeed KYC/AML has been around for a long time, but in the context for blockchain and cryptocurrency, things are different. Some of the old methods/approaches cannot solve the problems in the decentralised network (of crypto) with the pseudonymity features of this technology. Hence, we do believe that if we make use of a certain kind of blockchain technology itself and the smart contract will be a chance to resolve these problems. Also, it is a chance for the regulatory technology in the Crypto Context.
But for this to happen, we will need the whole industry to work on this together. This includes crypto companies, service providers who are willing to accept and implement the new methods of KYC/AML solutions, and RegTech companies who continue to innovate and come up with new solutions for the industry. More importantly, the regulators need to accept the new technology or methods to resolve the KYC/AML issues.

Looking at Singapore, it is doing quite well, where regulators are ready to accept the new innovative technology and methodology and open to listening to the different kinds of solutions the applicants/ companies are proposing to them.

For problems that we cannot resolve at this moment like Defi (Decentralized finance) and un-hosted wallets, there are upcoming technology solutions like NFT (Non-Functionable Token). This could be one of the solutions for KYC or identity checks, in which an individual’s KYC information can be converted to an NFT. This token can then be used by the different platforms, and they can have certain control of the private key to either view the information only or to get the result of the information as a result of the KYC check. But the key issue here is still about the regulators and the regulatory requirements on whether they accept this kind of new solution. As it may not meet the needs of ongoing monitoring that regulators expect, another suggestion could be to do a review of the person’s profile every 3 or 6 months.