All unregistered cryptocurrency companies must exit Singapore by the end of the month, with no transition period.
TechFlow Selected TechFlow Selected
All unregistered cryptocurrency companies must exit Singapore by the end of the month, with no transition period.
Eight Key Points to Note About MAS's New Regulations
Navigating Web3 tides with focused insightsWritten by: jk, Odaily Planet Daily
Singapore, a hub at the heart of Asia once favored by global Web3 entrepreneurs for its open yet cautious financial policies, is now undergoing an unprecedented regulatory transformation.
On May 30, 2025, the Monetary Authority of Singapore (MAS) officially released its regulatory response document targeting Digital Token Service Providers (DTSP), marking the imminent full enforcement of new rules on June 30. These regulations come without any transition period and establish a baseline of "extremely limited licensing criteria" and criminal liability—effectively ending overnight the so-called "Singapore model," previously seen as a crypto safe haven.
Let’s examine the eight key aspects under the new regulations.
1. Core of the New Rules: Get Licensed or Cease Operations by Month-End
The document issued by the Monetary Authority of Singapore (MAS) on May 30, 2025, formally establishes new regulatory requirements for Digital Token Service Providers (DTSP). The core lies in Section 137 of the Financial Services and Markets Act (FSM Act), which imposes a licensing obligation on all individuals or entities operating from a business premises in Singapore that provide digital token services to overseas clients.
MAS clearly states that regardless of whether the customers are based in Singapore, any service conducted from any “business premises” within Singapore must be licensed under DTSP; otherwise, it constitutes illegal operation. Previously, companies registered in Singapore were not required to obtain a license if their clients were overseas.
Even more stringent, MAS has refused to introduce any transitional arrangements. All entities subject to the new rules must either obtain a DTSP license or fully cease all digital token service operations by June 30, 2025. MAS emphasizes that licenses will only be granted in “extremely limited circumstances,” meaning most service providers do not meet the conditions to continue operating in Singapore. Violations of licensing requirements will constitute criminal offenses, subject to strict penalties under the FSM Act.
2. Which Companies Will Be Affected?
The biggest impact of this MAS regulatory update falls on Web3 companies that lack a DTSP license but have a physical presence, office, or core team members in Singapore—particularly two types of organizations:
-
International crypto institutions headquartered or primarily operating in Singapore, especially exchanges that previously used Singapore as their Asia-Pacific hub. If certain service modules remain unapproved under DTSP, they may still breach regulatory boundaries.
-
Web3 companies incorporated in Singapore serving global users—unlicensed DEXs, wallet providers, and cross-chain protocol development teams. Projects legally registered in Singapore but targeting foreign markets, such as certain DeFi protocols, NFT platforms, and blockchain gaming developers.
For example, if the core technical team of a decentralized exchange (a Uniswap fork project) or a cross-chain bridge operates from Singapore, even with global user focus, failure to obtain approval places them under compliance risk.
3. How to Obtain a DTSP License? Is It Difficult?
The threshold for obtaining a DTSP (Digital Token Service Provider) license is extremely high. In its latest response document, MAS explicitly states that a DTSP license will only be granted in “extremely limited circumstances.” In other words, obtaining approval is not an open or routine administrative process, but rather an exceptional authorization based on prudential supervision logic.
Firstly, applicants must demonstrate robust anti-money laundering and counter-terrorism financing (AML/CFT) control systems, including customer due diligence (CDD) procedures, suspicious transaction reporting mechanisms, technological and cybersecurity protections, due diligence processes when collaborating with third parties, IT system risk controls and cybersecurity measures (meeting minimum cybersecurity standards specified in Notice FSM-N3 1), and internal compliance structures (including designated compliance officers and risk management personnel).
MAS conducts systematic evaluations of applicants’ compliance capabilities, business transparency, risk management frameworks, and personnel qualifications. Particularly in areas like customer identification, transaction tracking, and data retention, DTSP license holders will face regulatory scrutiny comparable to—or even exceeding—that imposed on traditional financial institutions.
Therefore, it is clear that the DTSP license is not only difficult to obtain, but also designed under a policy framework that actively discourages broad issuance. MAS’s regulatory objective is not to facilitate widespread compliance among crypto service providers, but to proactively filter out high-risk entities and minimize reputational and systemic financial risks to Singapore arising from Web3 activities.
4. Remote Workers: Working Remotely for Foreign Firms Is Permitted—but Still Carries Risks
MAS’s stance toward remote workers, as reflected in the new DTSP regulations, is particularly rigorous and specific. Its underlying logic can be summarized in one sentence: if you are “physically in Singapore while conducting work for overseas clients,” you may trigger licensing obligations—even if working from home.
MAS explicitly states that any individual providing digital token (DT) services to overseas clients from within a “business premises” in Singapore must apply for a DTSP license under Section 137 of the Financial Services and Markets Act. The definition of “business premises” is extremely broad—it includes not only formal offices, but also co-working spaces and potentially even residential homes used for work. This means remote workers are not automatically exempt from regulatory obligations.
However, MAS provides an exception for one category: individuals employed by a foreign-incorporated company that serves only foreign users, where the work performed forms part of the employment relationship—for instance, remotely writing code or handling operational support tasks. In such cases, the employee's activity itself does not constitute a violation nor triggers licensing requirements. Notably, this exemption applies strictly to formal “employees” and does not extend to independent consultants, contractors, or founders who lack an employment contract.
In practice, however, significant discretion remains. For example, MAS has not clarified whether “employee” includes project founders, shareholders, or co-founders, nor whether outsourcing certain responsibilities affects compliance status. Additionally, there is no clarity on whether actions such as engaging in business discussions, visiting clients, or using shared workspaces in Singapore could be deemed as conducting DT services locally—and thus fall under regulation.
Thus, for remote workers in Singapore, merely asserting that their services are not directed at the domestic market is no longer sufficient for compliance assurance. MAS’s position is unequivocal: anyone physically present in Singapore whose work involves providing digital token services to overseas clients may be considered to be operating illegally unless they meet very narrow and strictly defined exceptions.
5. Stricter Due Diligence Requirements
Within the regulatory framework released by MAS, the provisions regarding Customer Due Diligence (CDD) are highly stringent. MAS requires all individuals or institutions applying for or holding a DTSP license to establish comprehensive CDD systems to address common money laundering and terrorist financing (ML/TF) risks inherent in digital token services.
MAS does not set a uniform deadline for completing CDD in Notice FSM-N27. Instead, it explicitly states that the completion timeframe will be determined on a case-by-case basis during the licensing process. Factors considered include the client’s risk profile, complexity of the business model, and the applicant’s own compliance capacity.
When future revisions to CDD requirements arise, MAS will not uniformly mandate when existing client information must be updated. Rather, DTSPs are required to establish internal assessment mechanisms to determine independently whether re-conducting due diligence is necessary based on actual operations and changes in regulations.
Furthermore, MAS stresses that when choosing to rely on third parties to perform CDD, DTSPs must conduct thorough due diligence on those third parties. Specifically, institutions should establish internal review processes to assess whether the third party possesses the capability to fulfill AML/CFT responsibilities. Importantly, MAS does not automatically accept payment service providers licensed in other jurisdictions or financial institutions regulated by foreign regulators as eligible “third parties” for reliance.
6. Report Events Like Three Arrows Capital Within Five Days, Hacking Incidents Within One Hour
According to notices issued by MAS, DTSP licensees must comply with two critical reporting obligations: reporting suspicious activities/fraudulent incidents (FSM-N28) and emergency notifications of major incidents (FSM-N30):
First, Notice FSM-N28 mandates that if a licensee detects fraud or suspicious activity that significantly impacts its security, stability, or reputation (MAS does not provide a standardized definition of what constitutes “significant”—this judgment rests entirely with the company), it must report to MAS within five working days. If the incident is still under investigation, the initial report must indicate the current status, and MAS retains the right to request additional information.
Second, Notice FSM-N30 stipulates that for major incidents involving technology systems, cybersecurity breaches, or data leaks—especially those that could trigger industry-wide ripple effects or undermine public confidence—the licensee must submit a preliminary notification within one hour. MAS notes that this requirement aims to give regulators time to respond and assess the potential broader market implications.
In summary: reporting deadline for fraud and suspicious activities is five working days; major cybersecurity incidents must be reported within one hour.
7. Which Companies Are Fully Compliant and Need Not Worry?
As of June 5, 2025, according to information published by the Monetary Authority of Singapore (MAS), the number of companies granted Digital Token Service Provider (DTSP) licenses is extremely limited, mostly consisting of well-known major players.
Known licensed entities (including those holding cryptocurrency payment licenses) include Anchorage Digital Singapore, BitGo Singapore, Blockchain.com (Singapore), Bsquared Technology, Circle Internet Singapore, Coinbase Singapore, DBS Vickers Securities (Singapore), OKX, Paxos, Ripple, HashKey, and GSR, among others.
In addition, some firms are exempted from needing a separate DTSP license because they operate under exemptions provided by the Payment Services Act (PS Act), the Securities and Futures Act (SFA), or the Financial Advisers Act (FAA). Such exemptions typically apply to institutions already licensed and supervised in other financial service domains.
8. This Move Is About Protecting Singapore’s “Financial Reputation”
One of the central motivations behind these new regulations is the Monetary Authority of Singapore’s (MAS) deep concern for national “financial reputation.” In its response document, MAS repeatedly highlights that digital token services (DT services), due to their inherently cross-border nature and internet-based characteristics, possess anonymity and borderless features that make them more susceptible to misuse for illicit purposes such as money laundering, terrorism financing, and fraud. Although many DTSPs serve clients outside Singapore, once these companies use Singapore as their registration location or operational base, any misconduct inevitably draws global scrutiny and regulatory spillover effects onto Singapore.
Hence, MAS stresses that its regulatory goal extends beyond curbing individual violations—to prevent any potential risks from causing systemic damage to Singapore’s financial reputation. From MAS’s perspective, the greatest risk posed by DTSPs is less about direct penetration into the local financial system, and more about the possibility that Singapore could be perceived globally as a permissive or inadequately regulated jurisdiction—a “launchpad” for illicit activity—which would severely erode its credibility and regulatory standing as a global financial center.
In essence, this reflects a “zero-tolerance” preventive regulatory mindset: better to forgo tolerance for high-risk innovation than to jeopardize national reputation. Viewed this way, MAS’s move is not merely about technical compliance, but a strategic defense of its “regulatory reputation red line.”
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
Odaily
