Source: Singapore MAS; Translated by: AIMan@金色财经
On 30 May 2025, the Monetary Authority of Singapore issued the "Guidelines on Licensing for Digital Token Service Providers", bringing DTSPs formally under licensing and supervision.
The following is the full text of the Monetary Authority of Singapore's "Guidelines on Licensing for Digital Token Service Providers":
1. Purpose
2. Licences under the Financial Services and Markets Act
3. Entry criteria
4. Licence application requirements
5. Ongoing requirements for licensees
Appendix 1 Governance and ownership requirements
Appendix 2 Minimum compliance arrangements
Appendix 3 Guidelines for information required for license applications
Appendix 4 Annual licence fees
Appendix 5 Rules for participation in the application review process
Appendix 6 Independent assessment by external auditors
1. Purpose
1.1 The Guidelines on Licensing for Digital Token Service Providers (the "Guidelines") provide guidance on the application process, licensing criteria and ongoing requirements for digital token service providers under Part 9 of the Financial Services and Markets Act 2022 (the "FSM Act"). For this purpose, a digital token service provider ("DTSP") is an individual, partnership or Singapore company that has a place of business in Singapore or is incorporated in Singapore and carries on a business of providing digital token services outside Singapore.
1.2 These Guidelines should be read in conjunction with the FSM Act, the Financial Services and Markets (Digital Token Service Providers) Regulations (the "FSM Regulations") and other relevant laws, notices, guidelines and Frequently Asked Questions (FAQs) issued by the Monetary Authority of Singapore ("MAS").
1.3 MAS will update these Guidelines periodically to provide further guidance.
2. Licences under the Financial Services and Markets Act
2.1 Pursuant to section 137 of the FSM Act, any person in Singapore who carries on a business of providing digital token services, as defined in the First Schedule to the FSM Act, outside Singapore must hold a licence unless exempted. Section 137(5) of the FSM Act sets out the applicable exemptions.
2.2 MAS will not provide transitional arrangements for DTSPs. A DTSP that requires a licence under section 137 of the FSM Act must therefore suspend or cease its business of providing digital token services outside Singapore by 30 June 2025 unless it is licensed. A DTSP that breaches the licensing requirement commits an offence and is liable to the penalties prescribed in section 137(6) of the FSM Act.
Types of Digital Token Services
2.3 Applicants should assess whether their business model involves the provision of digital token services by reference to the ten categories of digital token services set out in the First Schedule to the FSM Act. Applicants should also consider whether their proposed activities fall within the exclusions from the definition of digital token services set out in Part 2 of the First Schedule to the FSM Act.
Translator's Note: the ten categories of digital token services listed in the First Schedule to the FSM Act are:
1. Any digital token trading service (except digital token trading services specified by MAS);
2. Any service that facilitates the exchange of digital tokens (except digital token trading services specified by MAS);
3. Any service of accepting digital tokens (whether as principal or agent) from a digital token account (whether in Singapore or elsewhere) for the purpose of transmitting or arranging for the transmission of digital tokens to another digital token account (whether in Singapore or elsewhere);
4. Any service that arranges (whether as principal or agent) to transfer digital tokens from one digital token account (whether in Singapore or elsewhere) to another digital token account (whether in Singapore or elsewhere);
5. Any service that induces or attempts to induce any person to enter into or offer to enter into any agreement to buy or sell any digital token in exchange for any money or any other digital token (whether of the same or different type);
6. Any service that protects digital tokens where the service provider has control over the digital tokens;
7. Any service that executes instructions for clients in relation to digital tokens where the service provider has control over the digital tokens;
8. Any service for the protection of a digital token instrument where the service provider has control over one or more digital tokens associated with the digital token instrument;
9. Any service for the execution of instructions for a client in relation to one or more digital tokens associated with a digital token instrument where the service provider has control over the digital token instrument;
10. Any service relating to the sale or offer for sale of digital tokens that involves (a) providing advice relating to any digital token, directly or through publications or writings (whether in electronic, printed or other form); or (b) providing advice by issuing or publishing research analyses or research reports (whether in electronic, printed or other form) relating to any digital token.
3. Entry Criteria
3.1 Because digital token services are internet-based and cross-border in nature, DTSPs are particularly exposed to money laundering, terrorist financing and proliferation financing ("ML/TF") risks. This heightens the risk of such providers engaging in, or being abused for, illicit purposes, which would damage Singapore's reputation. In view of these risks, MAS takes a prudent and cautious approach to licensing DTSPs and will consider granting a DTSP licence under the FSM Act only in extremely limited circumstances. Such circumstances include where:
- the applicant's business model is economically justified, and the applicant can demonstrate to MAS' satisfaction that, despite operating from or being established/registered in Singapore, it has legitimate reasons for not intending to carry on a business of providing digital token services in Singapore;
- the applicant's operations do not raise concerns for MAS, and the applicant is regulated and supervised by the relevant regulators in every jurisdiction in which it provides digital token services, for compliance with relevant internationally recognised standards (such as those set by the Financial Stability Board, the International Organization of Securities Commissions and the Financial Action Task Force ("FATF")); and
- MAS has no concerns about the applicant's business structure, including its ability to comply with its regulatory obligations.
3.2 The applicant must fully meet the following criteria and clearly demonstrate that it is able to comply with its obligations under the FSM Act as a licensee.
3.2.1 Governance and Ownership Requirements: The applicant must comply with the governance and ownership requirements set out in Appendix 1 and be registered with the Accounting and Corporate Regulatory Authority (ACRA) of Singapore.
3.2.2 Fit and Proper: The applicant must satisfy MAS that its sole proprietor, partners, managers or directors and chief executive officer (CEO), shareholders and employees, as well as the applicant itself, are fit and proper in accordance with the Guidelines on Fit and Proper Criteria [FSG-G01]. The burden of demonstrating that the relevant persons are fit and proper lies with the applicant, not with MAS. Beyond honesty, integrity and reputation, MAS also considers competence and capability and financial soundness, as well as other factors such as the existence of conflicts of interest and the time the relevant persons commit to the Singapore entity. In particular, neither the entity nor its related group entities should have any adverse reputation, especially in relation to financial crime and sanctions compliance.
3.2.3 Competence of Key Personnel: The applicant must ensure that its sole proprietor, partners, managers or executive directors and CEO have sufficient operating experience in the digital token services industry, including a sound understanding of the regulatory framework for DTSPs in Singapore.
Where a relevant person will be managing a larger team, he or she should also have the experience, ability and authority needed to supervise and control business activities and employees effectively.
The applicant should also take into account the educational background and professional qualifications of its key personnel.
3.2.4 Permanent Place of Business or Registered Office: The applicant must have a permanent place of business or registered office in Singapore. The premises must be an office in which the applicant's books and records can be kept securely. The applicant must also appoint at least one person to be present there to handle queries or complaints from customers and enquiries or information requests from the authorities.
3.2.5 Base Capital: The applicant must satisfy MAS that it is familiar with the base capital requirements under the FSM Regulations, summarised in Table 1, and clearly demonstrate how it will meet those requirements on an ongoing basis. Applicants must maintain an adequate capital buffer above the base capital requirement, taking into account the size and scope of their business and their likely profit or loss. As a rule of thumb, an entity's base capital should be able to cover its operating expenses for at least 6 to 12 months. Applicants should also put in place effective monitoring processes, such as regular reporting or a defined capital buffer above the minimum, to ensure that the base capital requirement is met at all times.
Table 1 Base Capital Requirements

3.2.6 Compliance Arrangements: The applicant must have an effective plan for its compliance arrangements and must devote compliance resources commensurate with the nature, size and complexity of its business. The minimum compliance arrangements are set out in Appendix 2. Regardless of how the compliance arrangements are structured, the applicant's sole proprietor, partners, managers or directors and CEO bear ultimate responsibility and accountability for compliance with applicable laws and regulations.
3.2.7 Technology Risk Management: The applicant must conduct penetration testing of the digital token services it proposes to provide, remediate all high-risk findings, and obtain independent verification that the remediation is effective. This work need not be completed before the application is submitted, but must be completed before a licence is granted.
3.2.8 Audit Arrangements: The applicant must have an appropriate plan for independent audit arrangements that regularly assess the adequacy and effectiveness of its procedures and controls and its compliance with regulatory requirements. The audit arrangements should be commensurate with the size, nature and complexity of its business. Audits may be performed by the applicant's own internal audit function, by an independent internal audit team at the applicant's head office, or by an outsourced third-party service provider.
3.2.9 Annual Audit Requirement: The applicant must have a plan for meeting the annual audit requirement prescribed in section 158 of the FSM Act. The applicant must appoint, at its own expense, an auditor to audit its accounts and transactions and its compliance with the relevant regulations and requirements.
3.2.10 Letter of Responsibility and/or Letter of Undertaking: Where appropriate, MAS may require the applicant to obtain a letter of responsibility and/or a letter of undertaking from its controlling shareholder, parent company and/or related companies. MAS will provide the relevant template where such a letter is required.
3.2.11 Other Factors: MAS may also consider the following factors, where applicable:
- The record and financial position of the applicant and its holding or associated companies;
- The applicant’s operational readiness, including its ability to comply with regulatory requirements;
- Whether the applicant has fully appreciated the principal risks associated with its business activities and has adequately identified, assessed and mitigated the relevant risks;
- Whether the granting of a licence is in the public interest.
3.3 MAS assesses each application on its own merits and may take other factors into account on a case-by-case basis. The criteria and considerations above are not exhaustive, and MAS may impose additional conditions or requirements to address the specific risks posed by an applicant.
3.4 Applicants should submit their application using Form 1. All applicants and licensees must pay the fees specified in the Schedule to the FSM Regulations; see Appendix 4 for details. Applicants should also refer to Appendix 5 for the rules of engagement during the application review process.
4. Licence Application Requirements
4.1 Applicants that have assessed that they meet the entry criteria should refer to Appendix 3 for guidance on the information required in a licence application.
Legal Opinion for New Licence Applications
4.1.1 New applicants for a DTSP licence must submit with their application a legal opinion issued by a reputable law firm. The legal opinion should contain a clear and concise summary of the applicant's business model and an assessment of whether each service and/or product the applicant proposes to provide constitutes a regulated digital token service under the FSM Act.
4.1.2 MAS reserves the right to request a second legal opinion where the initial opinion is unclear.
Independent Assessment by External Auditor
4.1.3 Upon obtaining In-Principle Approval ("IPA"), the applicant must appoint a qualified independent external auditor to conduct an independent assessment of its policies, procedures and controls in the areas of technology and cybersecurity risk. This requirement will be imposed as a condition of the IPA. The scope of the technology and cybersecurity risk assessment is set out in Appendix 6.
5. Ongoing requirements for licensees
5.1 Licensees must comply with all applicable requirements under the FSM Act and other relevant laws on an ongoing basis. Licensees should establish the processes, systems, policies and procedures needed to ensure that all ongoing obligations are met, including making applications and notifications to MAS where required. The requirements outlined below are illustrative, not exhaustive. Licensees should keep abreast of regulatory developments and consult the MAS website for the latest requirements.
5.2 Anti-Money Laundering and Countering the Financing of Terrorism ("AML/CFT") Requirements: Licensees must comply with the AML/CFT requirements set out in the FSM Regulations (including those relating to targeted financial sanctions), the Terrorism (Suppression of Financing) Act 2002, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, the Notice on Prevention of Money Laundering and Countering the Financing of Terrorism [FSM-N27] and the Notice on Reporting of Suspicious Activities and Incidents of Fraud [FSM-N28]. Licensees should also refer to the Guidelines to Notice FSM-N27 for further guidance on their AML/CFT obligations.
5.3 Periodic Reporting: Licensees must submit periodic regulatory reports on their digital token activities in accordance with the FSM Regulations. The relevant requirements are set out in the Notice on Submission of Regulatory Returns [FSM-N29].
5.4 Cybersecurity: Licensees must comply with the cybersecurity requirements in the Notice on Cyber Hygiene [FSM-N31] and maintain appropriate safeguards to protect customer information.
5.5 Technology Risk Management: Licensees must comply with the Notice on Technology Risk Management [FSM-N30] and should refer to the Technology Risk Management Guidelines for the expected technology risk management practices.
5.6 Conduct of Business: Licensees must comply with the conduct of business requirements in the FSM Act, the FSM Regulations and the Notice on Conduct [FSM-N32]. These obligations include recording transactions, issuing receipts, displaying exchange rates and fees, and notifying customers of normal business hours. Licensees must also comply with all prohibitions and restrictions, including those on prohibited business activities.
5.7 Disclosure and Communications: A licensee must describe the scope of its licence accurately and, where applicable to its business, provide the disclosures required by the Notice on Disclosures and Communications [FSM-N33]. The licensee should also ensure that customers are promptly informed of any material change to those disclosures.
5.8 Annual Audit Requirement: A licensee must appoint an auditor each year to audit its accounts and transactions and its compliance with the applicable regulations and requirements. The licensee must ensure that the auditor submits its report to MAS using Form 3.
Appendix 1
A1 Governance and Ownership Requirements

Appendix 2
A2 Minimum Compliance Arrangements
The applicant should ensure that it has effective compliance arrangements and adequate compliance resources commensurate with the size, nature and complexity of its business. These may take either of the following forms:
- Independent compliance function: The applicant establishes an independent compliance function in Singapore, staffed by persons suitably qualified in the areas relevant to its business activities. The compliance officer may also hold other non-conflicting, complementary roles, such as in-house legal counsel.
- Compliance support from a holding company or overseas related entity: The applicant obtains compliance support from an independent, dedicated compliance team in its holding company or an overseas related entity, provided it can demonstrate adequate supervision by the applicant's own compliance officer, its sole proprietor, partners, managers or directors, its CEO and other senior management.
In either case, the applicant must have appropriate compliance management arrangements in place, including, at a minimum, the appointment of a suitably qualified compliance officer at management level. This person should be based in Singapore, have sufficient expertise in the areas relevant to the applicant's business activities, and have the authority to oversee the applicant's compliance function, although he or she may be assisted by other staff in day-to-day operations.
The applicant should also have an appropriate governance structure for overseeing compliance and AML/CFT matters (including those relating to targeted financial sanctions). Depending on the size of the business and the group structure, the applicant may consider having the compliance officer report regularly to the board or a board committee on compliance and AML/CFT matters, with the board or committee deciding matters that fall outside the compliance officer's authority.
Whichever arrangement is chosen, the applicant's sole proprietor, partners, managers or directors and CEO remain ultimately responsible for all compliance and regulatory matters and must provide adequate oversight of the arrangements.
Accordingly, the applicant's senior management and compliance officer should be able to demonstrate a full understanding of the compliance and ML/TF risks arising from the applicant's business activities and of the measures taken to manage those risks effectively.
Appendix 3
A3 Guidance on Information Required for Licence Applications
The applicant should ensure that it fully meets the entry criteria and that its application is complete, free of errors and inconsistencies, and accompanied by the supporting documents specified in the application form.
Information Required in the Proposed Business Plan
The applicant should provide a clear description of its business model and plans, supported by the professional experience and expertise of the proposed management team. The business plan should describe how the applicant will comply with the FSM Act and its subsidiary legislation, and should in particular include the following information:
- The jurisdictions in which it provides services, including evidence that the applicant is licensed to operate in each jurisdiction in which it provides digital token services and is supervised there by the relevant regulator for compliance with internationally recognised standards (such as those set by the Financial Stability Board, the International Organization of Securities Commissions and the FATF).
- Target customer profile.
- Proposed products and services. The applicant should clearly identify the type of digital token service it will carry out at each stage of the transaction process. Where the applicant intends to provide more than one type of digital token service, each type should be assessed separately.
- The reasons why it does not intend to carry on a business of providing digital token services in Singapore, despite operating from or being established/registered in Singapore.
- A detailed description of the flow of funds and the channels used, including transaction and/or process flow diagrams. Where there is more than one product or service, or more than one type of transaction or process flow, a separate diagram should be provided for each flow. Each flow diagram should:
  - describe a typical transaction from the source of the funds received by the applicant (e.g. bank transfer, cash, bank card) through to the full discharge of the applicant's obligations to the customer;
  - describe the interactions between the customer and the applicant and the corresponding flow of funds;
  - indicate timelines, including service level agreements with third parties and the applicable payment and settlement cycles;
  - highlight areas in which the applicant uses innovative technologies (e.g. the use or provision of digital tokens, distributed ledger technology) or product or service delivery methods that differ from market norms; and
  - include all third parties involved (e.g. other digital token service providers, banking partners, intermediaries, other agents) and describe their roles in the process.
- Implementation plan, including the expected timeline for business/product launch, and the systems, processes and third parties that will play a key role in its operations.
- Whether the digital token service is ancillary or bundled with any other products or services provided by the applicant.
- A brief description of any other activities currently being conducted or proposed to be conducted by the applicant that are regulated by MAS (e.g. financial advisory, securities dealing, etc.).
- A brief description of any exempt and unregulated activities currently being conducted or proposed to be conducted by the applicant.
- For applicants that are part of a global digital token services group:
  - the applicant's role within the group, including any functions or services it will receive from and/or provide to its affiliates. Where possible, the applicant should estimate the resources (in headcount and time commitment) that other affiliates in the group will devote to supporting the Singapore business; and
  - confirmation that all of its group entities are duly licensed/registered, with details of each entity's licence/registration. The applicant should provide a copy of each licence/registration certificate or the licensing/registration status shown on the relevant regulator's website, and should disclose any regulatory enforcement action or investigation involving any of its entities.
- A comprehensive risk assessment of all digital tokens and digital token services (e.g. trading platforms, custody) that it intends to support or provide, including its token listing governance process. The applicant should provide a complete list of the digital tokens it supports and explain its assessment of the nature of each token (e.g. whether it is a security token or a payment token) under the MAS regulatory framework.
- Its customer asset safeguarding and business conduct measures, including: maintaining access to and operational control over customers' digital tokens in Singapore; daily reconciliation of customer accounts; provision of monthly account statements to customers; risk management controls over the movement of customer assets; and disclosures to customers.
Legal Opinion
The applicant is required to provide a legal opinion, issued by a reputable law firm, on the regulated digital token services it will provide under its proposed business model. The legal opinion should include, but is not limited to, the following:
- A clear and concise summary of the applicant's business model and of each service and product the applicant proposes to provide (including, where applicable, the asset/fund flows and the parties involved for each service/product).
- An assessment of whether each proposed service or product falls within the definition of a regulated digital token service under the FSM Act. The assessment should contain a detailed and comprehensive analysis of whether each category of regulated digital token service applies to each proposed service or product, and should take into account all relevant laws, notices, guidelines, circulars and FAQs.
- Where any proposed service or product is assessed to be exempt or unregulated, a detailed explanation of how the relevant exemption or exclusion applies.
- Confirmation that the legal opinion can be disclosed to MAS.
Information Required for Compliance, Risk Management, Systems and Controls
Technology Risk Management
The applicant should have a framework for assessing and managing technology risk, and should adopt measures to protect customer data, transactions and systems that are commensurate with the risk profile and complexity of the financial services it provides and of the technology supporting them. Applicants should refer to the Notice on Technology Risk Management [FSM-N30], the Notice on Cyber Hygiene [FSM-N31] and the Technology Risk Management Guidelines for the principles and regulatory expectations on technology risk management.
Compliance and Audit
The applicant should provide the following information and documents, as appropriate to the nature of its proposed business model:
- Anti-money laundering / countering the financing of terrorism policies and procedures demonstrating compliance with MAS Notice FSM-N27 and the relevant targeted financial sanctions requirements, including a framework for assessing and supervising agents and third-party partners (both local and overseas).
- An enterprise-wide money laundering / terrorist financing / proliferation financing risk assessment ("EWRA"). Applicants should also include a tax evasion risk assessment within the EWRA.
- AML/CFT governance, escalation and reporting arrangements, including details of how the sole proprietor, partners, managers or directors, the CEO and other senior management are involved in overseeing and addressing AML/CFT issues that may arise in the course of business.
- The implementation plan for the compliance management arrangements, including the processes to be rolled out and the systems to be used.
- The name and curriculum vitae ("CV") of the compliance officer, including details of any formal compliance certifications (e.g. ACAMS, IBF).
- Where the organisation chart does not show the staffing and reporting lines of the compliance function, details of these. This should cover all outsourced compliance functions, including the location of the outsourced provider and its team, the applicant's relationship with the provider (e.g. vendor, parent company), the provider's licensing/registration status, and the monitoring arrangements in place.
- Internal and external audit arrangements.
Shareholding structure
The applicant should provide its complete shareholding structure, traced down to the ultimate controller(s), who should be natural persons.
If no shareholder holds a controlling interest of 20% or more, the applicant must confirm this in writing.
Appendix 4
A4 Annual Licence Fee
The licence fee is payable annually under section 140 of the FSM Act, at the rate set out in the Schedule to the FSM Regulations. All licence fees paid are non-refundable.
The licensee should set up an interbank GIRO arrangement with MAS for payment of the annual licence fee. Licensees should keep their GIRO details up to date and ensure that sufficient funds are available in their bank account by the deduction date stated in the fee notice.
Pro-rata licence fee for new licensees
For a new licensee that was not licensed on 1 January of the year in which its licence is granted, the licence fee for the first calendar year is pro-rated from the fixed annual licence fee for the period from the date of licence issuance to 31 December of the same year. Example 1 shows how the first-year licence fee is calculated.
Example 1 A company obtains a DTSP licence on 1 December 2025.

Appendix 5
A5 Rules of Participation in the Application Review Process
Initial Review and Information Request
The application review process begins once a case officer has been assigned and all required information and documents have been received from the applicant. Depending on the volume of applications received, a case officer may not be assigned immediately on receipt of an application. Once the case is assigned, the case officer will contact the applicant to explain the next steps, which may include a kick-off meeting.
The case officer will examine the full set of documents submitted; this review usually produces the first round of information requests to the applicant. The case officer will also conduct a preliminary review of the applicant's business model. There may be several further rounds of information and clarification requests during the review, depending on the completeness of the applicant's responses.
Before submitting an application, the applicant should ensure that it meets the entry criteria set out in these Guidelines and that the application contains the information required by Appendix 3. MAS reserves the right to reject an application that is assessed to be seriously incomplete or to have major deficiencies. The applicant should also have a contact person available at all times to follow up on information requests and to provide complete responses promptly, and should notify MAS promptly of any change of contact person.
The applicant must disclose all material information to the case officer promptly, proactively and fully, without concealment. If an applicant is found to have deliberately obscured, concealed or, without reasonable cause, delayed the disclosure of information, this will be treated as a major deficiency. Applicants are reminded that they must take reasonable care to ensure that the information and documents they provide to MAS are not false or misleading. A person who contravenes section 176(1) or 176(3) of the FSM Act commits an offence and may on conviction be liable to a fine or imprisonment.
Timeliness and quality of response
MAS will normally give applicants a deadline for responding to a request for information. If an applicant fails to respond within the stipulated time, MAS will deem the application withdrawn. An applicant that needs more time to prepare a response should inform the case officer in advance.
The applicant must also balance the time needed to prepare a sufficiently comprehensive response against the temptation to rush a response in order to expedite the review. A response that is not satisfactory and comprehensive will be assessed as a deficiency, which may weigh against the application.
Interview
The case officer will normally arrange an interview with the applicant's key management personnel and/or compliance officer. All of the applicant's representatives should take their interactions with the case officer seriously. The purpose of the interview is for the applicant to explain how it intends to manage its business and its risks so as to comply with regulatory requirements. Consultants, external legal counsel and other third parties may not attend the interview, because an applicant that outsources any of its functions remains accountable for meeting its regulatory obligations.
Circumstances in which a case officer would have reasonable grounds to believe that an applicant cannot adequately meet its obligations as a licensee include, but are not limited to:
- failing to attend the interview without good reason;
- being unable to answer questions clearly during the interview; and
- being verbally abusive towards the case officer.
If there are material changes to the application after the interview but before the outcome of the application, the case officer may arrange an additional interview with the applicant. Examples of such changes include changes in the appointment of key personnel of the applicant or changes in the applicant's business model.
MAS's Review Process
Case officers are obliged to conduct a comprehensive assessment of the application. Even at the application stage, the applicant's objective is to obtain a licence and thereby become subject to ongoing regulation and supervision. Case officers will review the application in that light and expect the applicant to conduct itself as if it were already a regulated financial institution. Applicants who fail to do so will be assessed as having potential material deficiencies, which may result in the application being rejected.
Putting an application on hold
MAS should be informed promptly of any changes to the information provided after the application has been submitted. If there are material changes to the application, the applicant may want to consider withdrawing the application and reapplying once the changes are completed as the application will not be available for review until then.
During the review process, if there is a major corporate restructuring, a major change in key management personnel or a major change in business model/activities, MAS has the right to put an application that is assessed as not ready for review on hold for six months. While such major changes may not be foreseeable by the applicant, the hold period allows resources to be diverted away from these incomplete applications, to ensure fairness to all other ready applicants in the queue.
During the hold period, it is the applicant's responsibility to ensure that all necessary changes are addressed/completed in a timely manner and that relevant documents are provided to MAS for assessment at the end of the hold period. The default hold period is six months and cannot be extended. If the material changes are not completed within the hold period, the application will be assessed as not ready for review and the applicant should consider withdrawing the application.
Withdrawal of Application
An applicant has the right to withdraw his/her application at any time. An applicant may also be advised to withdraw his/her application if, following MAS's review, there are fundamental issues that cannot be adequately addressed within a reasonable time, or if the application is assessed to have major deficiencies. Applicants should note that if the case officer makes such an assessment, it indicates that other applicants in similar circumstances have not been approved. Robust controls are in place to ensure that the case officer makes a fair, objective and verifiable assessment. Each application and its supporting documents are rigorously reviewed by a team of case officers, supervisory officers, and review and approval agencies. Applicants should therefore take the review process and its results seriously.
If an applicant intends to resubmit an application, it must ensure that all issues and deficiencies have been adequately addressed. Resubmission of an application without correcting the issues previously raised by MAS may result in rejection.
Regarding application holds, major changes in key management personnel primarily refer to changes related to key C-suite positions such as the Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, and Chief Compliance Officer. However, the applicant should also assess and highlight other changes in positions that should be considered key management personnel based on the criticality of its business model and the importance of reporting lines.
Appendix 6
A6 Independent Assessment by External Auditor
A. Technology and Cybersecurity Risks:
(To be completed by the applicant after Approval in Principle)
Criteria for the External Auditor Appointed to Conduct an Independent Assessment of Technology and Cybersecurity Risks
The external auditor appointed by the applicant to conduct the independent assessment shall meet the following criteria:
The personnel leading the engagement should have sufficient seniority, experience and expertise in the areas of technology and cybersecurity risk (technology risk). It is the applicant's responsibility to ensure that an appropriately qualified independent external auditor is appointed to conduct an independent assessment of its technology risk policies, procedures and controls.
Scope of Assessment
The following are the areas of technology and cybersecurity risk that will be assessed by the independent external auditor as a condition of the In-Principle Approval (IPA).
I. Cybersecurity
a. Taking into account the Applicant’s proposed business model, products, services, capital flows and delivery channels,
i. Identify any gaps with the relevant regulatory requirements as set out in MAS’s FSM-N31 Cybersecurity Notice;
ii. Highlight areas of improvement required to mitigate cybersecurity risks.
II. Data Loss Prevention
a. Review and assess the Applicant’s proposed Information Protection Policies and Controls (IPPCs) in the following areas:
i. Protection of sensitive data (including customer data) during transmission and storage;
ii. Detection and prevention of unauthorized access or disclosure (including communication, transmission and storage) of sensitive data (including customer information);
iii. Protection of custodial wallet encryption keys.
b. Taking into account the Applicant's proposed business model, products, services, capital flows and delivery channels,
i. Identify any gaps with applicable technology risk management regulatory requirements (including but not limited to MAS's FSM-N30 Technology Risk Management Notice and Section 11 of the Technology Risk Management Guidelines);
ii. Highlight areas of improvement required to mitigate the technology risks arising from its proposed business model.
III. Penetration Testing
a. Review and assess the Applicant's proposed IPPCs with respect to penetration testing of systems, including:
i. The frequency of penetration testing determined based on factors such as system criticality and the cyber risk faced by the system. For systems that are directly accessible from the internet, the Applicant should conduct penetration testing at least annually or when significant changes or updates are made to these systems to verify the adequacy of security controls;
ii. Service Level Agreements (“SLAs”) for remediation of penetration testing findings commensurate with the relevant risk level.
b. Review and assess whether penetration testing conducted on the applicant’s proposed online financial services (within the past 12 months) is relevant and sufficient to identify critical security vulnerabilities.
c. Taking into account the Applicant's proposed business model, products, services, capital flows and delivery channels,
i. Identify any gaps with applicable regulatory expectations on technology risk management (including but not limited to Section 13.2 of the Technology Risk Management Guidelines);
ii. Highlight areas of improvement required to mitigate the technology risks posed by its proposed business model.
IV. Digital Wallets and Smart Contracts
a. Review the Applicant’s proposed IPPCs and assess whether the proposed IPPCs include the following controls commensurate with the Applicant’s proposed business model, products, services, capital flows, and delivery channels:
i. Follow secure design principles (including appropriate access control, comprehensive testing, regular updates to stable versions, static and dynamic code analysis) in the system development lifecycle of its proposed systems and smart contracts (if relevant);
ii. Development of smart contracts, including controls to ensure that smart contracts are protected from cyber threats and vulnerabilities through secure development, DevSecOps, and testing to prevent unauthorized access, data leakage, and exploitation of security vulnerabilities;
iii. Controls to ensure high availability of critical systems, and system recovery and business recovery priorities (including root cause and impact analysis) to ensure a rapid recovery strategy for such systems;
iv. Use technologies such as multi-party computation and threshold signature schemes to protect custodial wallets;
v. Implement network isolation between custodial wallet systems and other information systems and the Internet, to prevent unauthorized connections;
vi. Separation of custodial wallet encryption key components to ensure that no single person or system can access the complete key at any time (i.e. follow the "never alone" principle, requiring at least two authorized persons to coordinate and approve key management operations).
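Items iv and vi above call for threshold schemes and for separating the custodial key into components so that no single person or system ever holds the complete key, with at least two authorized persons approving key-management operations. The following is an added illustration of those two controls; it is not code from the MAS guidelines or from any DTSP. It splits a constructed sample key with Shamir's secret sharing over a prime field (generalized to any k-of-n threshold, not only the two-person case the text names) and releases shares for reconstruction only once a quorum of distinct approvers has signed off. The key value, custodian names and the choice of a 256-bit field are assumptions made for the example.

```python
"""Added example: k-of-n key component separation plus a never-alone
approval gate for custodial wallet key operations (illustrative only)."""
import secrets
from typing import Dict, List, Set, Tuple

# Assumption: the custodial key is a 256-bit scalar (as for secp256k1 keys),
# so shares live in a prime field just above 2**256. 2**256 - 189 is prime.
PRIME = 2**256 - 189


def split_key(secret: int, threshold: int, holders: int) -> List[Tuple[int, int]]:
    """Split `secret` into `holders` shares (x, y) such that any `threshold`
    of them reconstruct it and fewer reveal nothing: Shamir's scheme with a
    random polynomial of degree threshold-1 whose constant term is the secret."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct_key(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; correct only when at least
    `threshold` distinct shares are supplied."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class KeyOperation:
    """A pending key-management operation (e.g. a key rotation) that must be
    approved by `required` distinct authorized persons before any share is
    released: the 'never alone' rule from item vi."""

    def __init__(self, description: str, authorized: Set[str], required: int = 2):
        self.description = description
        self.authorized = set(authorized)
        self.required = required
        self.approvals: Set[str] = set()  # a set, so one person cannot approve twice

    def approve(self, person: str) -> None:
        if person not in self.authorized:
            raise PermissionError(f"{person} is not an authorized approver")
        self.approvals.add(person)

    def is_authorized(self) -> bool:
        return len(self.approvals) >= self.required


def release_and_reconstruct(op: KeyOperation,
                            custodians: Dict[str, Tuple[int, int]]) -> int:
    """Release one share per approving custodian and reconstruct the key only
    when the quorum is met. A single custodian, however privileged, cannot
    obtain the key alone because one share is insufficient."""
    if not op.is_authorized():
        raise PermissionError(f"never-alone rule: quorum not met for '{op.description}'")
    contributed = [custodians[p] for p in sorted(op.approvals) if p in custodians]
    return reconstruct_key(contributed)


if __name__ == "__main__":
    # Constructed sample key; never reuse a value like this in production.
    sample_key = secrets.randbelow(PRIME)
    shares = split_key(sample_key, threshold=2, holders=3)
    custodians = dict(zip(["alice", "bob", "carol"], shares))
    op = KeyOperation("rotate hot wallet key", {"alice", "bob", "carol"})
    op.approve("alice")
    print("one approver suffices?", op.is_authorized())           # False
    op.approve("bob")
    print("key recovered:", release_and_reconstruct(op, custodians) == sample_key)
```

The structure is deliberately simple: share holders and approvers are the same people here, but in practice the approval record would be written to a tamper-evident log and the shares held in separate hardware modules, so that a review of the log shows exactly which two persons authorized each key operation.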