Countdown to June 30, 2025 DTSP under the FSMA regulatory framework

Author: pony

June 30, 2025, is less than a month away. On this day, Singapore's Financial Services and Markets Act (FSMA) will officially come into effect, setting ironclad rules for the digital asset industry. MAS wants to protect Singapore's reputation as a global financial center. Digital token services: Broking, dealing, transmission, exchange, matching, custodial services, advisory or dealing services for digital tokens are online cross-border operations and are easily used by criminals to launder money or finance terrorism (abbreviated as ML/TF). DTSPs refer to individuals or companies that have offices or registered companies in Singapore but mainly provide digital token (DT) services overseas. These services have little connection with Singapore, but if something goes wrong, Singapore may be blamed. Therefore, MAS decided to strictly regulate and require DTSP to obtain a license, and the compliance standards are particularly high.

Therefore, companies that fail to comply with the license may be ordered to close down. Among them, industry practitioners still have many doubts about FSMA. The Monetary Authority of Singapore also gave a detailed response to the feedback received by the company on June 6. The following is Aiying's reply content:

1. If the company is registered only for tax residency or only has senior executives, does it need a license?

MAS's statement: Some companies are registered in Singapore, but the purpose is not to actually conduct business in Singapore, but to take advantage of Singapore's tax incentives and become Singapore's "tax residents". Tax residency allows companies to enjoy lower tax rates or tax treaty benefits in Singapore. Or the company only arranges senior management (such as CEO, directors, CFO, etc.) in Singapore, but has no other substantial business activities (such as sales, customer service, operations)

As long as the actual provision of overseas DT services (such as processing transactions and hosting tokens through Singapore accounts), a license is still required. The purpose of registration does not affect the license requirements. The key is whether DT services are provided.

2. Is working from home considered a business place?

MAS’s statement: It does not clearly stipulate whether a residence is a "business place", but emphasizes that the judgment is based on the substance of the business. If you conduct substantial business at home (such as processing customer orders, making sales, and providing consulting services through a home computer), MAS may determine that it is a business place and require a license.

If you only handle work occasionally (such as replying to a few emails and providing light administrative support), it may not be considered a business place. Shared office spaces or company offices are more likely to be considered business premises because they are more like formal business locations.

3. Is the threshold for applying for a license high? Is the time enough? Can it be extended?

MAS's statement: Want to get a DTSP license? It's not that easy! MAS only issues licenses in "very rare cases", such as when your business model is reasonable, regulated overseas (must comply with international standards such as FATF), and the company structure is fine. The key is that there is no transition period. From June 30, 2025, unlicensed DTSPs must stop overseas services, otherwise they will be illegal. MAS will give you 4 weeks' notice in advance to let you prepare, but don't expect leniency.

Feedback from companies: 4 weeks is too short! It's too late to prepare application materials and wait for MAS to review. Companies are worried about business shutdowns, layoffs, and even supply chain impacts. Some people suggested a 3-month transition period, or to allow the companies that are applying to continue to operate temporarily.

MAS's response: No concessions. MAS believes that the DTSP is too risky and must comply quickly. 4 weeks is enough for you to decide whether to apply or close down.

4. Will the license fees and capital requirements crush small companies?

MAS's statement: The license application fee and annual fee are both S$10,000, which is fixed, regardless of the size of your company or the amount of business. In addition, you must prepare S$250,000 in capital (basic capital for companies and cash deposits for individuals) to prove that you have the strength to take root in Singapore.

Enterprise feedback: Small companies complain that S$250,000 is too high, and the S$10,000 license fee is not cheap. Some people suggest charging according to the size of the company, or lowering the capital requirements. Others asked whether the fees would increase due to the variety of services.

MAS's response: No change! The fees are aligned with those of the payment services industry (DPTSPs), and a unified fee is the fairest. S$250,000 is to ensure that you are not a "shell company."

5. Who has to apply for a license?

MAS's statement: Companies with business premises (such as offices, shared workspaces) in Singapore or registered in Singapore (regardless of whether they actually operate in Singapore) must apply for a license if they provide offshore digital token (DT) services (such as cryptocurrency trading, wallet services, and custody). MAS will look at whether your front-office functions (such as sales, business development, customer service) or customer base are overseas. For example, a license is required to contact overseas customers and process transactions in Singapore.

Exemptions:

Employees of foreign companies: Working for foreign registered companies in Singapore (such as technical support, backend development), personal licenses are not required only for employment activities

6. How to do due diligence (CDD) for old customers?

MAS’s statement: After obtaining the license, you have to re-do customer due diligence (CDD) for old customers (customers you cooperated with before the license), such as checking identity and source of funds. The completion time is determined by MAS based on customer risk.

Enterprise feedback: Everyone agrees to do CDD, but there is a worry about time)}, especially for companies with many customers. It is recommended to handle it in stages according to risk (check high-risk customers first), and I also want to know if old information can be reused.

MAS’s response: No fixed time is given, and the timetable is determined according to customer risk. Enterprises have to evaluate their subsequent CDD needs by themselves. MAS will issue guidelines but no specific regulations.

7. Can I ask a third party to help with CDD?

MAS’s statement: You can ask a third party to do CDD, but it cannot be a payment service company (because their compliance levels vary). You have to check whether the third party is reliable.

Enterprise feedback: It is easier to find a third party. It is recommended to allow the use of payment companies that meet FATF standards, and there must be clear evaluation criteria.

MAS’ response: No concessions, payment companies are not allowed. Enterprises have to build their own processes to evaluate third parties.

8. How strict are the rules for account services and transfers?

MAS’s statement:

Account services: When working with other financial institutions, you must first check their anti-money laundering measures to ensure that there is no risk.

Transfers: Transfers must include the initiator and beneficiary information (name, ID number, etc.) in accordance with FATF standards. If the information is incomplete, you must decide whether to proceed based on the risk.

Enterprise feedback: I want to evaluate templates and unified information standards, such as adding transaction IDs and token types. I am worried that incomplete information will block transactions and affect customer experience.

MAS’s response: It will provide evaluation guidelines, but will not stipulate technical standards and remain neutral. The information must be complete, otherwise it may be rejected.

9. Are technical risks and network security requirements easy to deal with?

MAS’s statement:

Technical risks: IT systems must be as stable as Mount Tai, customer data must not be leaked, and major incidents must be reported to MAS within 1 hour.

Cybersecurity: Protect accounts, apply patches, install firewalls, anti-virus, and use multi-factor authentication.

Enterprise feedback: 1-hour reporting is too rushed, it is recommended to report briefly first and then follow up in detail. I also want to add global practices, such as regular penetration testing.

MAS’s response: 1-hour reporting is a must to ensure that MAS understands the impact in a timely manner. Cybersecurity is a basic requirement, and new measures may be added in the future.

10. Will the conduct and disclosure requirements be too troublesome?

MAS’s statement:

Conduct: You must record transactions, issue receipts, publicize exchange rates and fees, and set business hours so that customers can find you.

Disclosure: You must issue risk warnings to remind customers that they may lose money; do not randomly say that you are regulated by MAS.

Feedback from companies: Business hours are too rigid, and it is recommended to be flexible according to the size of the company. Disclosures want to use multiple languages ​​and templates, and guidance is needed to handle incorrect disclosures.

MAS’s response: Business hours will not be changed, and customers will be able to contact you. You can set the language for disclosures yourself, and incorrect disclosures must be corrected quickly.

11. Are the guidelines specific enough? Can they help companies avoid detours?

MAS’s statement: DTSPs must comply with general financial guidelines (suitability, technical risks, business continuity, outsourcing), and may issue DTSP-specific FAQs in the future.

Enterprises’ concerns: They want DTSP-specific cybersecurity guidelines, executive competency lists and cases, and feel that general guidelines are not suitable enough.

MAS’s attitude: Guidelines are principled, and you have to customize them yourself. We will consider adding FAQs to solve industry pain points.

12. Even if you already have a license or are exempted, FSMA still has higher compliance requirements for all DTSP-related businesses:

Stricter technology risk management (TRM): System security and network risk prevention and control need to be strengthened in accordance with MAS’s “Technology Risk Management Guidelines”.  

Annual audit report submission: Independent audit reports must be submitted to MAS regularly, focusing on assessing AML/CFT (anti-money laundering and counter-terrorist financing) compliance.  

Higher AML/CFT requirements: Including customer due diligence (CDD), transaction monitoring, screening of suspicious activities, etc., which must comply with MAS's PSN02 notification requirements.  

Quick reporting of major security incidents: Major security incidents (such as data leaks, hacker attacks) must be reported to MAS within 1 hour (Note: This time requirement may be adjusted according to specific guidelines, it is recommended to refer to MAS's final notification).  

Cash Payment Restrictions: Cash transactions exceeding S$20,000 (approximately US$15,000) are prohibited to reduce money laundering risks

You do not need to apply for a DTSP license under FSMA if you are already licensed or exempted under the following frameworks:

• Licensed under the Payment Services Act (PSA)

• Exempted from the PSA

• Licensed or exempted under the Securities and Futures Act (SFA) or the Financial Advisers Act (FAA)

Aiying Action Suggestions:

• Self-check immediately: Find a lawyer to confirm whether your business needs a license, and quickly prepare an application or exit plan.

• Spend money on compliance: Upgrade systems, train employees, and ensure that CDD, technical security, and disclosure are up to standard.

• Communicate more: Proactively contact MAS to confirm timelines and requirements to reduce guessing games.

• Pay attention to guidance: MAS's follow-up guidance and FAQs are very important, pay close attention.

DTSP regulatory framework solution comparison: