DPT Learn — Brand

Is DPT Pay Safe?

DPT Pay is a financial technology company, not a bank. Here is what the licences, custody arrangements, and account-level security model actually buy you — and what they do not.

TL;DR

DPT Pay is operated by DPT (HK) Limited under a Hong Kong TCSP licence (AMLO Cap. 615). The DPT Visa card is issued by Third National under licence from Visa. Stablecoins deposited into DPT accounts are held in custody by BitGo and segregated from DPT Pay’s own operational funds. Account security includes 2FA, anti-phishing codes, real-time spending notifications, and KYT transaction monitoring. DPT Pay is not a bank, so deposits are not covered by bank deposit insurance schemes — safety here means “licensed partners + segregated custody + account-level controls”, not “sovereign deposit guarantee”.

What “safe” actually means for a non-bank fintech

DPT Pay is a financial technology company, not a bank. Deposits held with DPT Pay are not covered by bank deposit insurance schemes such as the Hong Kong Deposit Protection Scheme, FDIC in the US, FSCS in the UK, or equivalents elsewhere. Asking “is DPT Pay safe?” the way you would ask “is this savings account FDIC-insured?” leads to the wrong answer.

The right frame is the same one regulators use for any non-bank payment institution: is the operator licensed and supervised, is the card issuer authorised by the network, is the custodian regulated, are customer funds segregated from operating funds, and what account-level controls protect the user from third-party fraud? Each of those is a separate safety surface. DPT Pay has a documented answer to each.

The sections below walk through every layer in order, naming the actual partners (Third National, BitGo) and the actual regulatory perimeter (Hong Kong TCSP licence under AMLO Cap. 615) — not in marketing voice, but in the language the Help Center uses.

Source: DPT Help Center — Is DPT a bank?

The licence layer — Hong Kong TCSP under AMLO Cap. 615

DPT Pay is operated by DPT (HK) Limited, a Hong Kong company. DPT (HK) Limited holds a Trust or Company Service Provider (TCSP) licence under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), Cap. 615 — the law governing AML/CFT obligations for non-bank financial-service operators in Hong Kong.

The TCSP licence is administered by the Hong Kong Companies Registry and the Customs and Excise Department. Holding it means DPT Pay is required to: identify and verify the identity of every customer (full KYC, not a tiered shortcut), monitor transactions for suspicious activity, file suspicious-transaction reports where required, maintain customer records for the periods AMLO specifies, and have its AML/CFT programme reviewable by regulators. It does not make DPT Pay a bank, and it does not extend deposit insurance — but it does place DPT Pay inside a supervised perimeter rather than outside it.

For a fintech that touches stablecoins, the licence matters operationally beyond compliance theatre: it forces a real KYC, a real sanctions screen on every transaction (see KYT below), and a real disclosure regime to regulators when something goes wrong.

Sources: DPT Help Center — Who runs DPT?, DPT Help Center — Where is DPT based?, DPT Help Center — What licence does DPT have?

The card-issuing layer — Third National under Visa licence

The DPT Visa card is issued by Third National under licence from Visa. This is the standard “fintech brand on the front, regulated issuer on the back” architecture used by most card-issuing fintechs. DPT Pay does not run a card programme directly — it partners with Third National, which is the principal Visa member responsible for the card itself, the chargeback rights, the dispute process, and the regulatory perimeter that comes with being a card issuer.

What that buys cardholders: standard Visa zero-liability fraud protection applies, standard chargeback rights apply, the card runs on the same Visa rails as any other Visa Platinum or Visa Infinite card at merchant terminals worldwide, and disputes go through the same Visa scheme rules. The card is not a different product because the brand on the front is “DPT Pay” instead of a bank name.

Source: DPT Help Center — Who issues the DPT card?

The custody layer — BitGo

Stablecoins (USDC and USDT) deposited into a DPT account are held in custody by BitGo. BitGo is one of the largest regulated digital asset custodians, with a long-running track record in cold storage, multi-signature key management, and institutional asset segregation. DPT Pay does not custody customer crypto directly on its own infrastructure — the assets sit at BitGo, under BitGo’s regulated custody framework, with DPT Pay as the account operator.

The split matters: even if DPT Pay’s operational systems were compromised, the customer assets are held by an independent regulated custodian rather than commingled with the platform’s own keys. This is the same architecture used by most compliant stablecoin card programmes — the fintech holds the user relationship and the card programme, the regulated custodian holds the assets.

Source: DPT Help Center — Is my money insured or protected?

Fund segregation

Customer funds are held separately from DPT Pay’s own operational funds. This is a key consequence of using a regulated custodian: the assets BitGo holds for DPT Pay customers are accounted for separately from any assets DPT Pay itself uses to run the business. Segregation is what allows the next section to be true.

Segregation is not the same as deposit insurance. If a custodian’s own infrastructure were compromised at the asset layer, segregation alone would not make customers whole — that is what custodian insurance, cold-storage discipline, and operational controls are for. But segregation does make sure customer assets are not part of DPT Pay’s own balance sheet, which means they are not first-loss assets in a corporate-distress scenario.

Sources: DPT Help Center — Is my money insured or protected?, DPT Help Center — What happens to my money if DPT shuts down?

Account-level security

The licensing and custody layers above protect customers from systemic risk. The account-level layer protects each individual user from targeted fraud, phishing, and credential theft. DPT Pay’s stack here is the standard modern-fintech kit:

  • Two-factor authentication (2FA) via passkey or authenticator app. Enabled from Profile → Security in the app. If you lose access to your 2FA device, your registered email is the recovery channel.

  • Anti-phishing code — a custom word or phrase only you know, attached to every official email DPT Pay sends. If an email claims to be from DPT but does not contain your code, it is not from DPT.

  • Real-time spending notifications — every card transaction triggers an immediate push notification, so unauthorised use is visible within seconds.

  • KYT (Know Your Transaction) monitoring — every transaction is screened in real time for sanctions violations, fraud indicators, and illegal-activity patterns. No user action required.

  • Account lockout — five incorrect password attempts auto-lock login access for 24 hours. Your card stays active during the lock; only login is restricted.

  • Card-level lockout — three incorrect CVV / expiry / PIN attempts at the terminal triggers a 24-hour card lock independent of account status.

One important behavioural guardrail: DPT Pay will never ask you for your password, full card number, CVV, or wallet recovery phrase. Any message that does is not from DPT and should be reported.

Sources: DPT Help Center — Two-Factor Authentication, DPT Help Center — Anti-Phishing Code, DPT Help Center — Spending Notifications, DPT Help Center — KYT Transaction Monitoring, DPT Help Center — Does DPT ever ask for my password or CVV?

If your card is lost, stolen, or compromised

The fastest response is to freeze the card directly in the DPT app — no support ticket required. While frozen, no transactions will process. You can unfreeze it yourself at any time when you find the card or activate a replacement.

Freezing is different from locking. Locking is automatic, triggered by three wrong CVV / expiry / PIN attempts at the terminal; the lock lifts after 24 hours without intervention. Freezing is manual, triggered by you in the app, with no time limit. Use freezing when you suspect compromise. Use the auto-lock as a safety net you don’t have to think about.

For unauthorised charges that have already posted: freeze the card, then contact support with the transaction details (date, amount, merchant). Chargebacks must be filed within 60 days of the statement posting date. The dispute then goes through Visa’s standard scheme rules — the same process for any Visa card.

If you suspect your account itself (not just the card) has been compromised: freeze the card, change your password via “Forgot Password” on the login screen, enable 2FA if it is not already on, and review your recent transaction history. Report unrecognised charges through the dispute process above.

Sources: DPT Help Center — How do I freeze my card?, DPT Help Center — Why did my card get locked?, DPT Help Center — How do I report a fraudulent or unauthorized charge?, DPT Help Center — I think my account has been hacked

If DPT Pay shuts down

Because customer funds are held by a regulated custodian (BitGo) and accounted for separately from DPT Pay’s own operational funds, business disruption at DPT Pay’s level does not commingle customer assets with DPT Pay corporate assets. The custodian continues to hold the assets independently of DPT Pay’s corporate situation.

This is the standard arrangement for non-bank fintech custody, and it is materially different from how a bank holds deposits. With a bank, your deposit is the bank’s liability and is protected by sovereign deposit insurance up to a cap. With a non-bank fintech using regulated custody, your assets are not the fintech’s liability — they are your assets held by the custodian, with the fintech as the platform operator. There is no sovereign insurance, but the assets are not corporate balance-sheet items either.

The honest takeaway: shutdown risk is real and exists, but the segregation architecture is designed so that shutdown risk does not equal loss-of-funds risk in the way it would if assets were commingled.

Source: DPT Help Center — What happens to my money if DPT shuts down?

Where DPT Pay is not safe — honest limits

Three places where “safe” has to mean “less than a bank”:

  1. No sovereign deposit insurance. DPT Pay is not a bank. Your balance is not covered by the Hong Kong DPS, US FDIC, UK FSCS, or any equivalent. Custodian-level safeguards exist but are not the same as a sovereign guarantee.
  2. Stablecoin risk is pass-through. Your balance is held in USDC or USDT. The peg risk, issuer risk (Circle for USDC, Tether for USDT), and chain-level risk for whichever network your deposit sat on are not eliminated by DPT Pay holding the asset through BitGo — they are inherent to stablecoins themselves.
  3. Compliance freezes can happen. KYT runs sanctions and fraud screening in real time. Legitimate transactions are not affected, but a deposit traced to a flagged source can be frozen pending review. This is a feature of being inside a regulated perimeter, not a bug, but it is a real constraint on “I can withdraw whenever I want”.

None of this makes DPT Pay unsafe in any absolute sense. It does mean the question is not “is it safe?” but “is the safety model the right one for my use case?”. For everyday spending of stablecoins on a Visa rail with custody, segregation, and a regulated operator behind it — yes. For storing life savings the way you might in an FDIC bank — no, that is not what any non-bank stablecoin platform is.

Frequently asked questions

Is DPT Pay regulated?

Yes, within its perimeter. DPT (HK) Limited holds a Hong Kong TCSP licence under AMLO Cap. 615. The card issuer (Third National) is a Visa-licensed principal member. The custodian (BitGo) is a regulated digital asset custody provider. DPT Pay itself is not a bank and is not regulated as one.

Is my money insured if DPT Pay fails?

Not through a bank deposit insurance scheme. DPT Pay is not a bank, and balances are not covered by the Hong Kong Deposit Protection Scheme, FDIC, FSCS, or equivalents. Customer funds are held in regulated custody by BitGo and segregated from DPT Pay’s own operational funds, so business disruption at DPT Pay’s level does not commingle customer assets with corporate assets. But segregation is not the same as sovereign insurance, and the difference matters.

Has DPT Pay ever been hacked?

Public incident history is not part of the Help Center’s content surface, so we won’t claim a clean record here. Account-level controls — 2FA, anti-phishing code, KYT monitoring, real-time spending notifications, manual card freeze — are the per-user defences. Account-level compromises (phishing, credential reuse, lost devices) are far more common than platform compromises in this category; the security stack is designed accordingly.

Can DPT Pay freeze my account?

Yes, under specific circumstances. KYT (Know Your Transaction) monitoring screens every transaction for sanctions violations, fraud indicators, and illegal-activity patterns. A flagged transaction can pause a withdrawal pending review. This is a regulatory requirement under AMLO Cap. 615, not a discretionary policy, and applies to any compliant non-bank payment institution operating in Hong Kong.

What is the difference between freezing and locking my card?

Freezing is manual — you trigger it in the app, no time limit, lift it yourself when you’re ready. Use this if you suspect compromise. Locking is automatic — triggered by three wrong CVV / expiry / PIN attempts at the terminal, lifts itself after 24 hours, no intervention needed. Both prevent transactions while in effect.

Manage your DPT Pay security

2FA, anti-phishing code, card freeze, and spending notifications all live one tap into Profile → Security in the app.

Get the appBrowse security FAQ