On 30 May 2025, the Monetary Authority of Singapore (MAS) concluded its rulemaking process under the Singapore Financial Services and Markets Act 2022 (SG FSM Act) and published a complete, binding compliance framework for Digital Token Service Providers (DTSPs). The regime applies to all entities offering digital token custodial, exchange, transmission, or facilitation services in or into Singapore. This follows a two-stage consultation process that culminated in the issuance of the final “Response to Feedback Received from Consultation Paper on Proposed Regulatory Measures for Digital Token Service Providers” dated 30 May 2025.
This final framework builds on MAS’ earlier consultation, first published as the “Consultation Paper on Proposed Regulatory Measures for Digital Token Service Providers under the Financial Services and Markets Act 2022” on 03 October 2024, which proposed the introduction of a licensing regime under Section 138 of the SG FSM Act, accompanied by detailed compliance obligations tailored to the nature and risks of digital token activities. After receiving substantial feedback from global industry participants, MAS has now operationalised its proposals into a suite of binding legal instruments, comprising statutory notices and regulatory guidelines that will govern all DTSP operations targeting Singapore.
All DTSPs are now required to be licensed under Section 138 of the FSM Act. There is no transitional exemption: operating without a licence after the effective date constitutes an offence under Section 137(6). Applicants must meet a base capital requirement of SGD 250,000, pay an annual licence fee of SGD 10,000, and demonstrate meaningful substance in Singapore. The licensing obligation extends to both local and foreign firms, including those offering services cross-border into Singapore without a physical establishment. MAS has clarified that it will assess foreign applicants based on their group structure, financial soundness, and whether they are subject to equivalent regulatory supervision in their home jurisdictions.
The anti-money laundering and countering the financing of terrorism (AML/CFT) obligations for DTSPs are now formally codified in Notice FSM-N27. This mandates the implementation of a comprehensive, risk-based AML/CFT programme, including customer due diligence (CDD), ongoing monitoring, staff screening, and the appointment of an AML compliance officer who must be physically based in Singapore. In parallel, Notice FSM-N28 imposes a legal duty to report suspicious transactions and fraud within five business days of detection, with parallel filing to both MAS and the Suspicious Transaction Reporting Office (STRO) pursuant to the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the Terrorism (Suppression of Financing) Act (TSOFA).
MAS has also proposed rules governing technology risk and cyber hygiene. Notice FSM-N30 requires DTSPs to ensure the availability of critical systems, implement tested recovery plans, and notify MAS within one hour of any major system disruption. A root cause analysis must be submitted within 14 days. Complementing this, Notice FSM-N31 prescribes mandatory cyber hygiene measures, including multi-factor authentication, patch management, and secured access to administrative accounts. MAS expects these measures to be embedded into the firm’s IT governance and not merely addressed in contingency plans.
Firms are now required to submit regulatory returns under Notice FSM-N29. Monthly operational reports (Form 1A), semi-annual financial statements (Form 1B), and annual compliance returns (Form 2) must be submitted via the MASNET system. Accuracy and timeliness are critical, with MAS empowered to take enforcement action for incomplete or delayed filings. These obligations are tightly interwoven with the broader supervisory architecture and require dedicated internal controls.
DTSPs must also comply with detailed record-keeping and client transaction obligations. Notice FSM-N32 obligates firms to maintain transaction logs and issue receipts in prescribed formats for every service rendered, with a mandatory retention period of five years. These requirements are enforceable, and any non-compliance could impair the firm’s ability to respond to audits or customer disputes. Additionally, the safeguarding of digital tokens held on behalf of customers must be clearly documented and segregated from the firm’s proprietary assets.
Disclosures and marketing representations are governed by Notice FSM-N33, which mandates that DTSPs issue conspicuous risk warnings to customers and prospective users. The licensed entity must clearly identify its regulated status and must not mislead the public into believing that unregulated affiliates within the group are MAS-supervised. MAS has taken a firm stance against inaccurate public communications, particularly in light of misrepresentations commonly seen in global digital asset markets.
Finally, the governance of DTSPs is anchored in the MAS Guidelines on Fit and Proper Criteria (FSG-G01). These guidelines apply to all directors, CEOs, partners, and key employees of licensed entities. The core attributes required include honesty, integrity, competence, financial soundness, and professional standing. MAS retains absolute discretion to refuse or revoke appointments where these criteria are not met, even if other licensing conditions have been satisfied.
In light of this new regime, DTSPs must now conduct full-spectrum compliance readiness assessments and re-engineer internal policies to align with each notice and guideline. MAS expects firms to demonstrate not only technical compliance but a principled approach to governance, risk, and accountability. The message is clear: compliance is not an afterthoughtit is a precondition to participation in Singapore’s digital finance ecosystem.
Firms operating in or serving Singapore from abroad must also revisit their business models, marketing materials, and system architecture to ensure no component of the value chain breaches MAS expectations. Enforcement under the FSM Act is not hypothetical: it is an active, structured process supported by audit rights, penalty provisions, and reputational consequences.
The FSM DTSP regime thus signals the start of a new era for virtual asset businesses — one grounded in regulatory clarity, operational discipline, and institutional trust.
Compliance Notes:
- Licensing is the gatekeeper: No entity may operate without Section 138 authorisation. Intent to apply is not a defence under Section 137(6).
- Substance matters: MAS will not entertain shell entities or passive representatives. Local governance and decision-making capabilities are essential.
- Audit trails are defence tools: The transaction logs and receipt records under FSM-N32 are primary evidence in enforcement or litigation scenarios.
- Technology incident reporting is a live timer: The 1-hour window for critical system breach notification under FSM-N30 demands real-time monitoring capability.
- Cross-border liability: Even without local incorporation, foreign DTSPs soliciting Singapore users fall within jurisdiction — MAS will assess them as if they are domestic.
- Marketing teams are legally exposed: Any misstatement or omission in promotional content may constitute a breach of FSM-N33 and invite penalties.
- Regulatory returns are not optional admin: Delays or misstatements can lead to licence conditions, reputational harm, or public sanctioning.
- The compliance officer is not ornamental: This role must be independent, resourced, and physically based in Singapore. No offshoring. No proxies.
- Review, reform, repeat: Firms should conduct quarterly policy audits aligned to each FSM Notice, with board oversight and documented rectification logs.
(Source: https://www.mas.gov.sg/publications/consultations/2024/consult-paper-dtsp)
