Effective 30th June 2025, Singapore's financial regulatory framework takes a major leap forward. With the full commencement of key provisions under the Financial Services and Markets Act 2022 (FSMA), entities involved in digital token (DT) services, even if their operations are focused offshore, must now navigate a detailed, mandatory licensing regime if operating from or incorporated in Singapore.
Why this regime matters
The Monetary Authority of Singapore (MAS) has implemented this framework to close gaps in oversight for internet-based and cross-border digital token businesses, which carry a higher risk of money laundering and terrorism financing. While Singapore has long held a reputation as a forward-looking digital asset hub, this move cements its stance as a jurisdiction with a stringent compliance framework for digital token activities.
Who falls within the scope?
The FSMA now mandates that the following must apply for a Digital Token Service Provider (DTSP) licence:
- Any individual, partnership or company offering DT services from a Singapore-based business location, serving customers outside Singapore.
- Singapore-incorporated businesses conducting DT activities abroad.
The regime covers a wide range of services, including:
- Buying, selling or transferring digital tokens
- Facilitating token exchanges
- Providing safekeeping services or DT-related advisory
Note: Even if the entire customer base is offshore, these operations fall under Singapore's regulatory perimeter.
Strict licensing standards with no grace period
No transitional period applied for complying with this requirement. Any in-scope operator that did not hold a DTSP licence by 30 June 2025 was required to immediately suspend or terminate operations. A four-week notification issued prior to this date served only as a final alert, not a window for grace-based compliance.
Moreover, MAS has clarified that licences will be granted only under "exceptional conditions." Applicants must demonstrate:
- A clear business rationale for excluding Singaporean clientele
- Strong AML/CFT controls aligned with international benchmarks
- Transparent ownership and operational structures that pose no regulatory red flags
Exemptions for Pre-Regulated Entities
Entities already licensed under any of the following statutes do not need a separate DTSP licence for overlapping activities:
- Payment Services Act (PS Act)
- Securities and Futures Act (SFA)
- Financial Advisers Act (FAA)
These businesses, however, remain subject to FSMA's broader compliance expectations, including those on technology risk and audit.
Compliance Obligations for DTSP Licence Holders
Financial Services and Markets (Digital Token Service Providers) Regulations 2025 and MAS Guidelines on Licensing for Digital Token Service Providers prescribe the following obligations:
1. Capital and Licence Fee Requirements
- Base capital: Minimum SGD 250,000
- Annual licence fee: SGD 10,000 (flat, regardless of size or scope)
Compliance highlights:
Verify capital and monitor capital adequacy: Ensure your entity has at least SGD 250,000 in base capital. Set up periodic reviews to stay above the minimum requirement.
Prepare documentation: Keep records ready to show capital source and sufficiency during the licence application.
Track license renewal dates and budget for fees: Allocate SGD 10,000 annually for the DTSP licence fee.
2. Internal Controls and Staffing
- An independent compliance function in Singapore
- Appointment of a Singapore-based compliance officer
- Approval required for CEO and key management roles
- Adequate governance structures, either in-house or via group-level compliance support
Compliance highlights:
Appoint a Singapore-based compliance officer: Designate a qualified individual who resides in Singapore to oversee compliance matters. Ensure the role is well-defined with clear authority and independence.
Obtain MAS approvals for key roles: Seek MAS approval for the appointment of CEO, directors, and other key personnel. Maintain fit-and-proper assessments and update MAS on material changes.
Strengthen governance structure: Ensure your board and senior management have clear oversight over compliance, risk management, and DT operations. Regularly review governance policies to align with MAS expectations.
3. Mandatory Audits
- Annual audit of DT-related operations, submitted directly to MAS
- MAS may extend audit scope or demand additional inspections based on risk indicators
Compliance highlights:
Engage a qualified auditor: Appoint an external auditor experienced in digital asset operations and Singapore's regulatory expectations to conduct the annual audit of DT activities.
Prepare for annual submissions: Ensure timely submission of the audit report to MAS every year. Set internal timelines and responsibilities to avoid delays.
Maintain audit-ready records: Implement internal controls to log and retain detailed records of DT transactions, policies, and system changes to support the audit process.
Technology Risk, Cyber Hygiene & Operational Resilience
1. Technology Risk Management (TRM) under MAS Notice FSM-N30
- Unscheduled downtime of critical systems must stay under 4 hours annually
- Licensees must maintain high availability, robust recovery plans, and immediate incident reporting (within 1 hour of major breach)
Compliance highlights:
Identify and classify critical systems: Maintain an up-to-date inventory of all IT systems, classifying which ones are considered critical under MAS guidelines.
Monitor downtime and track incidents: Set up real-time system monitoring and alerts to track outages. Ensure that unscheduled downtime for each critical system stays within the 4-hour annual limit.
Prepare for immediate MAS notification: Create an incident response protocol to ensure MAS is notified within 1 hour of discovering a system failure or cyber incident with severe or widespread impact. Assign clear roles for reporting and documentation.
2. Cyber Hygiene Measures under MAS Notice FSM-N31
- Mandatory security patching, malware protection and two-factor authentication
- Enhanced controls for administrator accounts and perimeter defences
These rules are backed by potential financial penalties of up to SGD 1 million per breach.
Compliance highlights:
Deploy malware protection tools: Use up-to-date antivirus and anti-malware software on all endpoints and servers. Monitor threat detection logs and review alerts periodically.
Enable multi-factor authentication (MFA): Mandate two-factor authentication for all user accounts, especially those accessing sensitive data or administrative functions.
Strengthen network defences: Set up perimeter controls such as firewalls and intrusion detection systems. Regularly test for vulnerabilities through penetration testing or vulnerability scans.
AML/CFT Expectations
According to MAS Notice FSM-N27, licensees must:
- Perform customer due diligence on all clients (past and future)
- Refrain from relying on third parties (e.g., banks or other payment services providers) for KYC compliance
- Avoid cash payouts equal to or more than SGD 20,000 or issuing bearer instruments
- Conduct enhanced due diligence on value transfer transactions, per Financial Action Task Force (FATF) standards
Compliance highlights:
Conduct full customer due diligence (CDD): Perform CDD for all existing and new clients. Review legacy customer profiles and update records to meet FSMA standards.
Restrict high-risk transactions: Prohibit cash payouts of SGD 20,000 or more and disallow issuance of bearer instruments. Embed controls to detect and block such transactions automatically.
Avoid third-party reliance for KYC: Establish internal KYC processes and refrain from outsourcing CDD duties to external financial institutions or payment service providers.
Conduct & Disclosure Obligations
1. Operational Days as per MAS Notice FSM-N32
Licensees must be physically operational for at least:
- 10 days per business month
- 8 hours per day
unless customers are duly notified or unforeseen events prevent operation.
Compliance highlights:
Maintain minimum physical presence: Ensure that your business premises are staffed for at least 10 business days per month, with operations running for a minimum of 8 hours each of those days.
Document operational schedules: Keep an internal calendar and attendance logs to demonstrate compliance with the minimum operating requirements.
Prepare for contingencies: Establish and document procedures for unplanned disruptions (e.g., system outages or emergencies) that may affect your ability to meet physical presence requirements.
2. Disclosure as per MAS Notice FSM-N33
DTSPs must
- Provide prescribed risk warning to all customers and potential customers
- Avoid any misleading statements about their regulatory status
Compliance highlights:
Display prescribed risk warnings clearly: Ensure that all onboarding materials, customer communications, and interfaces (e.g., websites, apps) include the MAS-mandated risk warning statement in a prominent and accessible format.
Audit communications regularly: Periodically review all marketing materials, website content, social media posts, and third-party listings to ensure accuracy regarding your licensing and regulatory status.
Correct mis-statements promptly: If any misleading statements are discovered, take swift corrective action and retain documentation of remediation efforts.
A New Global Benchmark in Token Regulation
This new regime underscores Singapore's intent to preserve its credibility as a digital asset hub. It is a clear signal to the market that only entities with institution-grade compliance architecture, capital resilience and technological robustness will be allowed to operate.
In the long term, the MAS aims to:
- Reinforce international confidence in Singapore as a trusted and well-regulated digital asset jurisdiction
- De-risk the ecosystem from illicit finance threats
- Ensure that only credible, well-managed firms operate from Singapore
For firms that meet the standard, licensing could become a competitive advantage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
