“Code is law.” While the catchphrase has caught on with the crypto crowd, it has little cache with the crew that actually formulate law — legislators and those who execute the law — regulators.
And therein lies one of the biggest challenges of regulating the cryptocurrency space — lawmakers are literally writing law on paper, while the blockchain is built on code.
And while regulators can produce reams of legislation, few (if any) can write a single line of code.
Even as the law struggles (at best) to keep pace with technological advances, rushing to regulate in a piecemeal manner can and often does result in unintended consequences.
Right Code Not Law
Take for instance Singapore’s Payment Services Act (“PSA”).
When the idea of the PSA was first mooted, it was heralded (especially by those in the cryptocurrency industry) as a forward-looking piece of legislation that would help cement Singapore’s position as a global hub for digital assets.
Whilst the PSA may have been hyped as the first attempt by a major financial center to regulate the rough-and-tumble cryptocurrency sector, a bit of legislative history would reveal that its thrust and parry was far more limited both in scope, scale and ambition.
In the aftermath of the initial coin offering (ICO) bubble and bust, instead of using existing legislation (as has been the approach in the U.S.) and enforcement action to bring the cryptocurrency industry to heel, lawmakers in Singapore chose a different approach — to start (sort of) from scratch.
The Monetary Authority of Singapore (MAS), which serves as both the central bank and regulator for financial services in Singapore, mooted a bill that would cover not just digital tokens, but payments as well.
Before the PSA came into effect in January 2020, payment service providers were regulated by the Payment Systems (Oversight) Act (“PSOA), while money changers and remittance companies by the Money-Changing and Remittance Businesses Act (“MCRBA”).
There were overlaps between the PSOA and the MCRBA and at the time it was believed that since cryptocurrencies were growing in usage, there was a need to regulate them in a more effective manner, especially since the nascent asset class didn’t fit neatly within the existing legal framework.
Instead of trying to rework existing legislation, Singapore’s approach was to start over and bring everything under one piece of legislation.
Enter the Payment Services Act
At its core, the PSA was intended to do two things — streamline the existing two pieces of legislation, the PSOA and the MCRBA, and create an “activity-based” piece of law that would better cope with everything from digital payments (such as digital wallets in apps) to digital tokens (such as cryptocurrencies).
At first blush, Singapore’s approach to regulating cryptocurrencies looked promising.
On the one hand MAS would have expanded powers under the designation regime of the PSA to ensure innovations in payment systems would not undermine financial stability, while on the other hand, a licensing regime would be put in place covering not just existing payment services providers, but aspiring cryptocurrency companies as well.
Under the PSA, there are seven key payment services that attract licensing requirements:
- account issuance services;
- domestic money transfer services;
- cross-border money transfer services;
- merchant acquisition services;
- e-money issuance services;
- digital payment token services; and
- money-changing services.
Relevant to the cryptocurrency industry were licensing requirements under 5 and 6, e-money issuance services and digital payment token services and the licensing regime consisted of two broad categories:
- Money-changing License
- Standard or Major Payment Institution License (with the distinction between the two being one of amounts processed and base capital requirements)
With Singapore’s licensing regime now in place, crypto companies (both foreign and domestic), eager to burnish their credentials and appearance of compliance in an industry rife with fraud, raced to apply.
Whose license is it anyway?
Unfortunately for the legion of “Crypto Bros” intending to apply for a license under the auspices of the PSA, the list of admission requirements was long and daunting, and for most of them, given their lack of experience in financial services, unfamiliar.
An e-money issuance service for the purposes of the PSA allows users to use e-money to pay merchants or transfer e-money to another individual and a plain interpretation of the act would cover everything from stablecoins to prepaid digital wallets.
Digital payment token services under the PSA on the other hand dealt only with buying or selling digital payment tokens (“DPTs”), otherwise known as cryptocurrencies, or providing a platform to allow persons to exchange DPTs.
The main issue of course is that the PSA can’t (nor was it designed to), capture all of the activities ancillary to e-money and DPTs, under the umbrella of a payment services license.
For instance, a cryptocurrency exchange operating in Singapore would be required to apply for a license under the PSA, but outside of the following ongoing requirements for maintaining such a license, almost no guidance is provided for how it should operate the exchange:
- AML/CFT requirements
- Periodic Returns — e.g. volume of transfers
- Cyber Hygiene — primarily cybersecurity
- Business conduct — including safeguarding of customers’ monies, record of transactions, issuance of receipts, etc.
- Disclosures and Communications — accurate representations on the scope of its license and activities to customers
- Annual audit requirements
Nowhere in the PSA or its attendant legislation and regulations does it mention that a crypto exchange operating in Singapore needs to hold client’s crypto separate from its own, or that its owners ought not also have their own proprietary trading firm that can trade against customers on its exchange.
The PSA certainly does not stipulate any restrictions on common shareholding between the owners of a crypto exchange and a market maker that plies the same exchange, despite the glaring conflict of interest.
Such requirements are found instead in an entirely different piece of law — the Securities and Futures Act (“SFA”), a well-established piece of legislation that governs activities in the capital markets and ensures such basics as the need for exchanges to maintain independent custodians and other common sense measures to avoid conflicts of interest.
At its core of course is the struggle with what exactly a cryptocurrency is.
While U.S. Securities and Exchange Commission Chairman Gary Gensler considers that most cryptocurrencies fall under the definition of securities, the Chimera-like quality of many of them resists easy classification.
And at the time that the PSA was mooted, cryptocurrencies were treated as distinct and apart from traditional securities.
Because of the classification bifurcation, regulators operating under the PSA would be hard pressed to properly police the space, let alone oversee it.
To Securitize or Not Securitize, That is the Question
For instance, what if a Singapore company was to offer crypto lending and borrowing activities in Singapore, how exactly would that be governed?
According to the PSA, the definition of a “digital payment token service” means:
(a) any service of dealing in digital payment tokens (other than any such service that the Authority may prescribe);
(b) any service of facilitating the exchange of digital payment tokens (other than any such service that the Authority may prescribe);
Presumably, borrowing and lending crypto would fall under “dealing” for the purposes of the PSA.
Yet neither the PSA nor its ancillary regulations provide for how such “dealing” ought to be conducted.
How much can you borrow and how much can you lend?
Who should you lend to and who can you borrow from?
How much of customer assets can you lend out to and to whom?
There are no requirements that Singapore-based crypto companies segregate users’ crypto from their own, or maintain capital reserves in case some of that lending goes awry, only an obligation to “safeguard” customer monies, whatever that means.
Also absent from the PSA are requirements that licensees maintain sufficient reserves to meet withdrawals or other well-established risk management measures required by the SFA and the Banking Act.
But it should come as no surprise that the PSA couldn’t cover all these scenarios — it was never designed to nor is it clear that it was ever intended to in the first place.
Gimme a License, Make it Two
Because the PSA offers a licensing regime, crypto companies with a license, receive an almost instant halo-like stamp of approval from a regulator in a major global financial center.
And that halo doesn’t even need to be crystalized to bear fruit, as was the case for Hodlnaut, a Singapore company that offered eye-popping yields on crypto deposits and was granted an in-principle license under the PSA.
On August 8, 2022, one day before Singapore’s National Day (Independence Day), Hodlnaut shocked customers by announcing that it was freezing all customer withdrawals citing “recent market conditions.”
In reality, Hodlnaut, which in March 2022, had been granted an “in-principle” PSA license was off to the races by April of that same year, taking exposure to the ultimately doomed algorithmic stablecoin UST.
Upon receiving its “in-principle” qualification to receive a PSA license from MAS, yield-hungry depositors flocked to Hodlnaut.
Only a month after being sprinkled with MAS pixie dust, Hodlnaut was offering 14% annualized returns on 180-day fixed deposits, that it deployed to the ultimately doomed Anchor Protocol using UST, an algorithmic stablecoin where it earned yields of almost 20%, clearing a cool 6% in the process.
When UST eventually lost its peg and its sister token LUNA became almost worthless, thousands of Hodlnaut’s customers, lured by the promise of 14% annualized returns, would soon find that they were no longer able to withdraw money from the platform.
Part of the problem of course was that companies like Hodlnaut don’t actually have “assets” in the traditional sense — they have liabilities.
When you deposit money with a bank, that’s not the bank’s asset, it represents an unsecured loan to the bank (apart from government deposit insurance to a fixed amount) and a liability on the bank’s books.
In return for having the privilege of borrowing money from you, banks need to maintain what’s known as capital adequacy ratios — the ratio of a bank’s capital in relation to its risk-weighted assets and current liabilities.
If the bank carries a lot of risky assets on its books, it wouldn’t be able to receive very much as deposits, which is why banks carry a lot of Tier 1 capital (CET1), the highest quality of regulatory capital, which has the ability to absorb losses immediately should they occur.
Hodlnaut’s customers enjoyed no such privilege.
While companies like Hodlnaut boasted of their assets under management, these “assets” were really unsecured loans that the company owed to its customers.
But because these “assets” were cryptocurrencies and Singapore has specific legislation governing DPTs — they didn’t come under the auspices of the SFA or the Banking Act, but the PSA instead, legislation that is particularly ill-suited to cover such scenarios as in the case of Hodlnaut.
If it Acts Like a Bank, Regulate it Like One
It’s been said that if it looks like a duck, walks like a duck and quacks like a duck, odds are it’s a duck.
Although companies such as Hodlnaut aren’t banks, they behave as if they are and ought to be regulated as if they were — using a combination of the SFA, Banking Act and the PSA.
Instead, the PSA provided companies like Hodlnaut with a veneer of legitimacy and regulatory stamp of approval as if they were operating to the same standards as companies governed by the Banking Act and the SFA, without holding them accountable to such.
So was Singapore wrong to have cobbled together the PSA in such a hurry?
“Yes” and “no.”
The PSA represents a progressive piece of legislation emanating from one of the world’s major financial centers, and stitched together by lawmakers intent on building the future.
Often mentioned in the same breath as New York, London, Zurich and Hong Kong, but lacking the same hinterlands and geographical advantages of those cities, Singapore is merely doing what it can to maintain its edge as a financial center.
Which explains why in 2018, Singapore embarked on a process to take a stab at governing what many other regulators had determined was “ungovernable” — cryptocurrencies.
Because Singapore doesn’t benefit from the massive hinterland like New York, or the strategic location of Hong Kong and London, it has to leverage the advantages that it does have — speed and agility.
Unfortunately, legislating for any new technology, especially cryptocurrencies, calls for a “Goldilocks Approach” — not too fast, but not too slow either.
And perhaps legislators can lean on the Hippocratic Oath for guidance — primum non nocere — first, do no harm.
While a haste to regulate doesn’t prima facie do harm, arguably the creation of a licensing regime without the necessary infrastructure to support such a framework does.
First Do No Harm
Rather than try and fit the round peg of cryptocurrencies into the square hole of the PSA, an alternative could have been to not issue licenses to begin with.
Singapore could have used all the existing tools at the disposal of regulators to police the cryptocurrency industry which U.S. Securities and Exchange Commission Chairman Gary Gensler famously labeled the “Wild West.”
And that means the PSA, SFA and Banking Act, whilst catering for such exceptions and carve outs where existing law proved cumberson and inapplicable.
External observers may be quick to judge Singapore’s early experiment with regulating cryptocurrencies to have failed based on the number of high-profile insolvencies and collapses associated with the city state.
But that observation would be misguided.
Cryptocurrencies aren’t (yet) part of the greater financial system and it’s unclear if they ever will be.
By carving out crypto and protecting the most feckless of investors from unnecessary exposure, it could be argued that at the very least, Singapore’s lawmakers are committing to “do no harm.”
And while many of recent high-profile crypto failures are proximate to Singapore, lawmakers in the financial center could hardly be said to have been their proximate cause.
Disgraced crypto hedge fund Three Arrows Capital (“3AC”) may have had its office in Singapore, but its fund and approved investment manager were in the British Virgin Islands.
By the time 3AC’s founders Kyle Davies and Zhu Su ghosted investors, its investment management license issued by MAS had long lapsed.
Terra-Luna’s Terraform Labs may have had an office and been incorporated in Singapore, but it wasn’t regulated by MAS and its founders and principal staff were not from the city state.
And even if Singapore’s investors bemoan how the city state’s sovereign wealth fund’s investment in FTX gave the cryptocurrency exchange the aura of “investability” and “reliability,” neither the exchange nor its officers are regulated by MAS nor is the company incorporated in Singapore.
Instead, cryptocurrency investors and traders regardless of jurisdiction need to recognize that keeping their assets safe ultimately falls on personal responsibility more than anything else.
Regulation, licensing and official endorsement will do almost nothing to guarantee funds are SAFU — to move forward, law and regulation alone is a paper tiger, legislation needs to be combined with technology.
No More Paper Tigers
One possible way of giving teeth to legislation is requiring practical implementation of safeguards for customers.
For instance, a license under the PSA, whether in-principle or otherwise, could require a declaration of all public wallet addresses managed by the license-seeking entity to the regulator.
Even if the licensee is loathe to make its public wallet addresses known to all and sundry (doubtful at best, else how would you take deposits?), surely the authority issuing the license ought to be entitled to oversight?
Third party companies or auditors could then be tasked for validating and verifying assets within those wallets are sufficient to meet customer withdrawals, and instead of periodically, this monitoring could be done in real-time.
Regulators could leverage the very blockchain technology that they seek to govern, utilizing its inherent transparency as a tool for oversight, rather than relying on it posthumously after things have gone wrong.
Whereas financial institutions operate in a far more structured environment, lawmakers who want to properly police the cryptocurrency sector need to use the very infrastructure that the industry depends on for adequate policing.
And that includes real-time crypto asset monitoring, unsecheduled inspections and wallet identification — the ability to do so already exists, but active policing and whistleblowing has been left largely to the community.
This can’t be the way forward.
Last November, the Financial Times suggested Hong Kong was well-positioned to wrestle the crypto capital crown from Singapore, given the latter’s recent setbacks and its knee-jerk response to hold back on all things crypto-related — but such a view would be somewhat premature.
Singapore is often lauded as an example of a startup country that succeeded, but that process was not without trial and error and the PSA is likely to be no different.
Whilst expedient, the PSA and its implementation needs to evolve, but perhaps at a faster pace than already quick regulators and lawmakers in Singapore are already accustomed to.
The speed at which Singapore rolled out the PSA is no small feat, but far from resting on its laurels, lawmakers in the country could do more to make it useable and to spread its ambition beyond its current iteration.
If the raison d’etre of licensing is to provide a safe framework for stakeholders to operate in, then arguably, the PSA has moved too quickly.
Without adequate infrastructure to support a comprehensive licensing regime, which includes using technological tools to oversee the licensed, the PSA risks becoming nothing more than a marketing tool, providing licensees with a coat of credibility, even as they “crypto” covertly.
All Comments