The State of Security Token Regulations in Asia was originally published in R3 Publication on Medium by Antony Lewis and Xiang Ying Cheng, where people are continuing the conversation by highlighting and responding to this story.
Since the crypto and ICO craze in 2017, many countries in Asia have taken steps to clarify their regulations surrounding cryptocurrencies and security tokens. In this article, we focus on the three countries in Asia that have the clearest regulations in place regarding digital assets, though there is still more work to be done.
Within Asia, Thailand has by far the most well-defined legislations in place to govern security token offerings (otherwise known as STO’s) and exchanges. In May 2018, the Thai government has published its Digital Asset Decree (the “Decree”) that establishes the necessary requirements for a business to offer or provide operations for digital assets. The Decree covers both cryptocurrencies as well as digital tokens and is overseen by the Securities and Exchange Commission of Thailand (“SEC Thailand”). The Decree clearly segments between primary issuance activities (ie fundraising), applicable to token offerors and issuers, and secondary market activities (ie trading), applicable to token exchange and trade-related intermediaries.
With the Decree enacted, Thailand has also established 3 types of licenses:
(i) Digital Asset Exchange License;
(ii) Digital Asset Broker License; and
(iii) Digital Asset Dealer License.
These licenses lay out the specific activities that businesses can participate in. The Exchange license is applicable to a centre or network established for the purposes of trading or exchanging of digital assets. The Broker license is applicable to any person who provides services as a broker or an agent with respect to the trading or exchange of digital assets including digital tokens. The Dealer license is applicable to any person who provides services with respect to the trading or exchange of digital assets for its own account outside the digital asset exchange.
Separately, the Decree has restricted token issuances to be done only through approved ICO portals. Thailand has also specifically set out a list of approved cryptocurrencies that may be accepted as investment capital for ICOs, and to be paired with other assets on digital asset exchanges: BTC, ETH, XRP, XLM.
Presently, Thailand’s Ministry of Finance, under the recommendation of SEC Thailand, has approved 5 Digital Asset Exchanges, 3 Digital Asset Brokers, 1 Digital Asset Dealer, and 3 ICO portals.
There is more work to be done: Thailand hasn’t established clear guidelines regarding custody requirements for digital asset and cryptocurrency businesses. Today it is unclear as to whether existing standards applicable to securities should be applicable to digital assets, or if new guidelines and regulations will be established in future.
Closer to home in Singapore, in November 2018, the Monetary Authority of Singapore (“MAS”) issued a set of guidelines entitled “A Guide to Digital Token Offerings”. This clarifies what type of digital assets fall under the Securities and Futures Act (“SFA”). If the digital tokens constitute capital markets products as defined in the SFA (ie securities, derivatives contracts etc), they are regulated under the SFA. In these cases, the existing relevant licenses apply, based on the activities performed by the businesses: whether as a token issuer, exchange platform, advisor or otherwise.
For example, a security token issuance platform must operate under a Capital Markets Services (“CMS”) license for the purpose of dealing in capital markets products (which includes securities). A digital asset exchange that facilitates trading in security tokens must operate under a license as either (i) an approved exchange, or (ii) a recognized market operator.
Unlike Thailand, the SFA in Singapore only applies to digital assets that fall under the definition of capital markets products. Other digital tokens may be classified as payment tokens (eg Bitcoin, Ether, etc), and fall under the Payment Services Act (“PSA”), which is estimated to take effect in late 2019 and has a separate set of licenses.
With both the SFA and PSA active, we can expect that digital asset companies will have a clearer set of regulations to comply with, in line with securities and payment regulations. However, just like Thailand, custody requirements are still unclear at the moment. Given that the existing CMS license covers custodial services for securities, we expect that digital asset custodians will need to operate under a CMS license.
Singapore’s government and related entities have further shown commitment and enthusiasm for developing the industry. In particular, in November 2018, MAS granted a recognized market operator (RMO) license to 1exchange, Singapore’s first private securities exchange that facilitates digital token trading. Singapore’s flagship exchange SGX is an investor in 1exchange.
The MAS is currently working with fintech businesses in a regulatory sandbox environment to figure out the missing pieces, and we expect to see updates within the next six months. It is clear that the Singapore government is supportive of the growth of the digital assets industry, including digital tokens, and it continues to build the ecosystem.
Serving as one of Asia’s key financial hubs, Hong Kong is also establishing its regulations for the crypto scene, digital tokens and security tokens. In September 2017, the Hong Kong Securities and Futures Commission (“SFC Hong Kong”) released a statement on ICOs, then later in November 2018, it published a statement and a circular on the regulatory framework for virtual asset portfolio managers, fund distributors, and trading platform operators. The SFC Hong Kong uses the terminology of “virtual asset”, which it defines as a digital representation of value, which is also known as “cryptocurrency”, “crypto-asset” or “digital token”.
The new publications provide more regulatory clarity with respect to investment and management of funds investing in digital assets such as digital tokens.
In March 2019, the SFC Hong Kong released a Statement on Security Token Offerings, reminding operators that where Security Tokens are securities, unless an applicable exemption applies, any person who markets and distributes Security Tokens (whether in Hong Kong or targeting Hong Kong investors) is required to be licensed or registered for Type 1 regulated activity (Dealing in securities) under the Securities & Futures Ordinance (SFO).
However, Hong Kong is still conceptualizing how it should regulate digital asset exchange platforms. Through its November 2018 publications, SFC called for exchange operators to come forward and join its regulatory sandbox in order to determine the type of license to be granted to exchange operators. Exchange operators may need to be regulated by the SFC and require SFO Type 1 (Dealing in securities) and Type 7 (Provision of automated trading services) licenses.
Per current regulations, custodial activities are not regulated by the SFC but entities acting as custodians have to be set up as a Public Trust Company and apply for the Trust or Company Service Provider (“TCSP”) license, issued by the Hong Kong Companies Registry. It still remains unclear as to whether there will be separate guidelines for digital asset custodians, or if today’s regulations, applicable to traditional custodians, shall be applicable to digital asset custodians as well.
Other governments in the Asia-Pacific region have also taken various steps towards defining a clearer scope of regulatory requirements for digital assets. For example, in the Philippines, the government has set up the Cagayan Economic Zone Authority (“CEZA”) which oversees a special economic zone that focuses on fintech and crypto-related businesses. In tandem, in February 2019, the Securities and Exchange Commission of the Philippines (“SEC Philippines”) issued draft regulations entitled Digital Asset and Token Offerings Rules (“DATO Rules”) as well as proposed Rules for Digital Asset Exchanges (“DAE”). Malaysia has regulations similar to those in Singapore, and is also working on adapting these to cover digital assets.
Plenty of ambiguities exist within today’s legal frameworks, often because they were designed for a non-digital world. Yet technology marches on. Today, larger and larger organizations from finance and technology sectors are building cryptocurrency and blockchain platforms. Such moves have increased the urgency for governments to understand and regulate digital assets, in order to keep up with the ever-changing realities of business.
Although it remains to be seen how STO regulations and the crypto scene will ultimately shape up globally, we expect to see more regulatory developments soon. One thing we can be certain of is that the bulk of the action and innovation will be driven from Asia.
To find out more about R3 and digital assets, head over to our digital assets page.
 See JPMorgan’s JPM Coin, Facebook’s Libra etc
Sign up for our newsletter to receive the latest R3 news, updates, and materials
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
|__cfruid||session||This cookie is set by the provider Cloudflare. This cookie is used for load balancing and for identifying trusted web traffic.|
|ARRAffinity||This cookie is set by websites that run on Windows Azure cloud platform. The cookie is used to affinitize a client to an instance of an Azure Web App.|
|cookielawinfo-checbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|
|JSESSIONID||session||Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.|
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
|bcookie||2 years||This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.|
|lang||session||This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.|
|language||This cookie is used to store the language preference of the user.|
|lidc||1 day||This cookie is set by LinkedIn and used for routing.|
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
|_BUID||1 year||This cookie is used to store a universal user ID to identify the same user across multiple clients' domains.|
|_ga||2 years||This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.|
|_ga_1ECB5XX5W0||2 years||This cookie is installed by Google Analytics.|
|_gat_UA-87760032-2||1 minute||This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.|
|_gcl_au||3 months||This cookie is used by Google Analytics to understand user interaction with the website.|
|_gid||1 day||This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.|
|_hjAbsoluteSessionInProgress||30 minutes||No description available.|
|_hjFirstSeen||30 minutes||This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.|
|_hjid||1 year||This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.|
|_hjIncludedInPageviewSample||2 minutes||No description available.|
|_hjIncludedInSessionSample||2 minutes||No description available.|
|_uetsid||1 day||This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.|
|_ym_d||1 year||This domain of this cookie is owned by Yandex.Matrica. This cookie is used to store the date of the users first site session.|
|_ym_isad||20 hours||This domain of this cookie is owned by Yandex.Matrica. This cookie is used to collect information about the user like his characteristics, behaviour on page and targeted actions.|
|_ym_uid||1 year||This cookie is by Yandex.Metrica. This cookie is used to set a unique ID to the visitor and to collect information about how visitor use the website. Thus it help to track the user and the collected informationn is used to improve the site.|
|CONSENT||16 years 5 months 12 days 10 hours||These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.|
|pardot||past||The cookie is set when the visitor is logged in as a Pardot user.|
|vuid||2 years||This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.|
|yabs-sid||session||These are cookies used by Yandex Matrica script belonging to the company Yandex. This cookies are used to measure and analyse the traffic of the website by giving information about how the users use the website.|
|yandexuid||1 year||This cookie is used to identify the users. This cookie collects information about how visitors use the website. This information is used for internal analysis and site optimization.|
|ymex||1 year||This cookie is set by yandex. This cookie is used to collect information about the user behaviour on the website. This information is used for website analysis and for website optimisation.|
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
|_fbp||3 months||This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.|
|anj||3 months||No description available.|
|bscookie||2 years||This cookie is a browser ID cookie set by Linked share Buttons and ad tags.|
|fr||3 months||The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.|
|i||10 years||The purpose of the cookie is not known yet.|
|IDE||1 year 24 days||Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.|
|MUID||1 year 24 days||Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.|
|NID||6 months||This cookie is used to a profile based on user's interest and display personalized ads to the users.|
|personalization_id||2 years||This cookie is set by twitter.com. It is used integrate the sharing features of this social media. It also stores information about how the user uses the website for tracking and targeting.|
|test_cookie||15 minutes||This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.|
|uuid2||3 months||This cookies is set by AppNexus. The cookies stores information that helps in distinguishing between devices and browsers. This information us used to select advertisements served by the platform and assess the performance of the advertisement and attribute payment for those advertisements.|
|VISITOR_INFO1_LIVE||5 months 27 days||This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.|
|YSC||session||This cookies is set by Youtube and is used to track the views of embedded videos.|
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
|_uetvid||1 year 24 days||No description available.|
|AnalyticsSyncHistory||1 month||No description|
|ARRAffinitySameSite||No description available.|
|bEkAYwpdRGcM||1 day||No description|
|LEAfgqMGWpwUs||1 day||No description|
|li_gc||2 years||No description|
|lpv413292||30 minutes||No description|
|metrika_enabled||session||No description available.|
|UserMatchHistory||1 month||Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.|
|visitor_id413292||10 years||No description|
|visitor_id413292-hash||10 years||No description|
|visitorId||1 year||No description|
|yt-remote-connected-devices||never||No description available.|
|yt-remote-device-id||never||No description available.|
|yuidss||1 year||No description available.|