All unregistered cryptocurrency companies must withdraw from Singapore by the end of the month! No transition period!
Author: jk (Odaily)
Singapore, located in the heart of Asia and once the preferred destination for global Web3 entrepreneurs due to its open yet prudent financial policies, is now undergoing an unprecedented regulatory upheaval.
On May 30, 2025, the Monetary Authority of Singapore (MAS) officially released a regulatory response document for Digital Token Service Providers (DTSP), with the new regulations set to take full effect on June 30. This policy not only has no transition period but also sets "extremely limited licensing standards" and "criminal liability" as the baseline, almost overnight ending what was seen as the "Singapore model" of a crypto haven.
Let’s take a look at the eight key points of the new regulations.
1. Core Content of the New Regulations: Obtain a License or Cease Operations by the End of the Month
The document released by the Monetary Authority of Singapore (MAS) on May 30, 2025, formally establishes new regulations for Digital Token Service Providers (DTSP), which center around the licensing obligation set forth in Section 137 of the Financial Services and Markets Act (FSM Act) for all individuals or institutions operating in Singapore and providing digital token services to overseas clients.
MAS clearly states that regardless of whether the clients are local Singaporean customers, any service conducted at any "place of business" in Singapore must obtain a DTSP license, or it will be considered illegal operation. Previously, if the clients were overseas, companies registered in Singapore did not need to obtain a license.
Even more stringent, MAS has refused to establish any transition period in this document. All entities subject to the new regulations must either obtain a DTSP license or completely cease all digital token service operations by June 30, 2025. MAS indicated that licenses would only be granted in "extremely limited circumstances," meaning that the vast majority of service providers do not meet the conditions to continue operating in Singapore. Violating the licensing regulations will constitute a criminal offense and face severe penalties as stipulated in the FSM Act.
2. Which Companies Will Be Affected?
The companies most affected by the new MAS regulations will be those that do not hold a DTSP license but have a physical presence, office, or core team members in Singapore, particularly the following two types of institutions:
International crypto institutions headquartered or primarily operating in Singapore, especially exchanges that previously used Singapore as a hub for the Asia-Pacific region. If certain service modules are not approved by DTSP, they may still touch regulatory red lines.
Web3 companies registered in Singapore but serving global users, unlicensed DEXs, wallets, and cross-chain protocol development teams: Projects that are legally registered in Singapore but target overseas clients, such as some DeFi protocols, NFT platforms, and blockchain game development teams.
For example, if a decentralized trading platform (a Uniswap fork project) or a cross-chain bridge team's core technical team operates in Singapore, even if targeting global users, they will still fall under compliance risk if they do not obtain a license.
3. How to Obtain a DTSP License? Is It Difficult?
The application threshold for the DTSP (Digital Token Service Provider) license is extremely high. MAS has clearly stated in the latest response document that the license will only be granted under "extremely limited circumstances." In other words, obtaining a license is not an open, routine administrative process but rather a special approval based on prudent regulatory logic.
First, the applicant must demonstrate that they have a comprehensive anti-money laundering and counter-terrorism financing (AML/CFT) control system, including customer due diligence (CDD) processes, suspicious transaction reporting mechanisms, technical and cybersecurity protections, due diligence processes when collaborating with third parties, IT system risk control and cybersecurity measures (which must meet the minimum cybersecurity requirements specified in FSM-N31), and internal compliance structures (including arrangements for key personnel such as compliance officers and risk control heads).
MAS has systematic evaluation requirements for the applicant's compliance capabilities, business transparency, risk control mechanisms, and personnel qualifications. Particularly in terms of customer identity verification, transaction tracking, and data retention, DTSP license holders will face regulatory intensity comparable to or even greater than that of traditional financial institutions.
Therefore, it can be clearly stated that the DTSP license is not only "difficult to obtain," but also, in terms of policy logic, "not encouraging widespread issuance." MAS's regulatory goal is not to help more crypto service providers comply but to actively filter out high-risk entities, minimizing the reputational and systemic financial risks that Singapore may face due to Web3 activities.
4. Remote Workers: Allowing Remote Work for Foreign Companies, but Risks Remain
MAS's attitude towards remote workers is particularly cautious and specific in this DTSP regulation, and the core logic can be summarized in one sentence: As long as you are "in Singapore and the work is overseas," you may trigger licensing obligations, even if you are working from home.
MAS clearly states that any individual providing digital token services (DT services) from a "place of business" in Singapore to overseas clients must apply for a DTSP license under Section 137 of the Financial Services and Markets Act. The definition of "place of business" is very broad, including not only formal offices but also shared workspaces and even home offices. This means that remote workers are not automatically exempt from regulatory obligations.
However, MAS has established exceptions for a certain group of individuals—if an individual is employed by a foreign-registered company that only serves foreign users, and their work is part of that employment relationship, such as remote coding or handling operational support tasks, then that employee's work itself is not considered illegal and does not trigger licensing obligations. It is important to note that this exemption only applies to formal "employees" and not to independent consultants, contractors, or company founders who do not have an employment contract.
Nevertheless, there remains a significant amount of discretionary power in practical operations. For example, MAS has not clearly defined whether "employees" include project founders, shareholders, or co-founders; nor has it clarified whether some responsibilities can be outsourced without affecting compliance status. Additionally, if remote workers engage in business negotiations, visit clients, or use shared office spaces in Singapore, it is unclear whether these activities could be deemed as conducting DT services in Singapore, thus falling under regulatory scope.
Therefore, for remote workers in Singapore, merely relying on "work not in the domestic market" is no longer sufficient for compliance assurance. MAS's position is very clear: as long as an individual is in Singapore and their work involves providing digital token services to overseas clients, they may be deemed to be operating illegally unless they meet extremely strict exception standards.
5. Stricter Due Diligence Requirements
In the regulatory framework released by MAS, the provisions regarding customer due diligence (CDD) are highly rigorous. MAS requires all individuals or institutions applying for and holding a DTSP license to establish a comprehensive CDD system to address the prevalent risks of money laundering and terrorist financing (ML/TF) in digital token services.
MAS has not set a uniform deadline for completing CDD in FSM-N27 but has clearly stated that the completion timeline will be determined "on a case-by-case basis" during the licensing process, depending on the specific circumstances of each applicant. Assessment factors include the client's risk profile, the complexity of the business model, and the institution's own compliance capabilities.
When facing potential future CDD revision requirements, MAS will not uniformly stipulate under what circumstances all license holders must update their existing customer information. Instead, MAS requires DTSPs to establish internal assessment mechanisms to determine whether it is necessary to re-conduct due diligence based on actual business and revision content.
Additionally, MAS emphasizes that when deciding whether to rely on third parties to complete CDD work, DTSPs must conduct thorough due diligence on those third parties. Specifically, institutions should establish internal review processes to assess whether the third party has the capability to fulfill AML/CFT responsibilities. It is important to note that MAS does not allow payment service providers licensed in other countries or financial institutions regulated by foreign authorities to be automatically included in the "third party" category that can be relied upon.
6. Report Within Five Days for Events Like Three Arrows Capital, One Hour for Hacking Incidents
According to the relevant notifications released by MAS, DTSP license holders must comply with two key reporting obligations regarding suspicious activities/fraud incidents (FSM-N28) and emergency notifications for significant incidents (FSM-N30):
First, the FSM-N28 notification requires that if fraudulent or suspicious activities are discovered and the incident has a significant impact on the license holder's safety, soundness, or reputation (MAS will not uniformly define the "significance" of suspicious activities or fraud incidents; it is up to the company to judge), it must be reported to MAS within five working days. If the incident is still under investigation, the report must indicate the current status of the investigation, and MAS has the right to request additional information.
Secondly, the FSM-N30 notification stipulates that for significant incidents occurring in technical systems, cybersecurity, data breaches, etc., especially those that may trigger industry chain reactions or public confidence crises, license holders must submit an initial notification within one hour. MAS points out that the purpose of this requirement is to give regulatory authorities time to assess the potential impact of the incident on the overall market.
In summary: the reporting deadline for fraud and suspicious behavior is five working days, while significant cybersecurity incidents must be reported within one hour.
7. Which Licensed Companies Have Nothing to Worry About?
According to information released by the Monetary Authority of Singapore (MAS) as of June 5, 2025, the number of companies that have obtained a Digital Token Service Provider (DTSP) license is extremely limited, mostly consisting of well-known large companies.
Among them, known licensed (including those holding digital currency payment licenses) enterprises include Anchorage Digital Singapore, BitGo Singapore, Blockchain.com (Singapore), Bsquared Technology, Circle Internet Singapore, Coinbase Singapore, DBS Vickers Securities (Singapore), OKX, Paxos, Ripple, as well as well-known institutions like HashKey and GSR.
Additionally, some companies have obtained exemptions under the Payment Services Act (PS Act), Securities and Futures Act (SFA), or Financial Advisers Act (FAA), allowing them to provide related services without needing to apply for a DTSP license. Such exemptions typically apply to institutions that are already licensed and regulated in other financial service areas.
8. This Move is for Singapore's "Financial Reputation"
One of the core starting points of this new regulation is the Monetary Authority of Singapore's (MAS) high regard for the country's "financial reputation." MAS repeatedly emphasizes in the response document that due to the strong cross-border nature and internet characteristics of digital token services (DT services), their anonymity and borderless features make them more susceptible to being used for illegal activities such as money laundering, terrorist financing, and fraud. Although many DTSP clients are not located within Singapore, once these companies register or operate in Singapore, if something goes wrong, Singapore will inevitably bear the brunt of global public opinion and regulatory repercussions.
Therefore, MAS emphasizes that its regulatory goal is not merely to curb individual illegal activities, but to prevent any potential risks from causing systemic shocks to the reputation of Singapore's financial system. In MAS's view, the greatest risk posed by DTSPs to Singapore is not their direct penetration into the local financial system, but rather that if these institutions are misused, Singapore may be perceived as a "jurisdiction" that condones or inadequately regulates such misuse, which would severely undermine its credibility and regulatory reputation as a global financial center.
It can be said that this represents a "zero-tolerance" preventive regulatory mindset: it is better to forgo tolerance for high-risk innovations than to sacrifice national reputation. From this perspective, MAS's actions are not only about technical compliance but also a strategic defense of the "regulatory reputation red line."