Regulatory Framework for Virtual Asset Service Providers in line with FATF Enhanced Standards Commences on 30 June 2025

Introduction

With effect from 30 June 2025, Part 9 of the Financial Services and Markets Act 2022 (“FSMA“) will take effect to introduce a new class of financial institutions (“FIs“), namely digital token service providers (“DTSPs“). The new DTSP regulatory framework aims to implement the enhanced standards set by the Financial Action Task Force (“FATF“) which require each country to regulate virtual asset service providers created in their respective jurisdictions to mitigate the risk of regulatory arbitrage, regardless of whether the service provider provides the virtual asset service in that jurisdiction.

This development follows from an earlier consultation exercise conducted by the Monetary Authority of Singapore (“MAS“) from 4 October 2024 to 4 November 2024, seeking feedback on (i) the subsidiary legislation and MAS Notices and Guidelines operationalising the regulatory framework, and (ii) the anti-money laundering and countering the financing of terrorism (“AML/CFT“) obligations applicable to DTSPs. On 27 May 2025, MAS issued its Response to the earlier consultation paper. For more information on the consultation, please see our October 2024 Legal Update titled “MAS Consults on Proposed Regulations, AML/CFT Notice and Guidelines, for Regulatory Framework for Virtual Asset Service Providers under FSMA”.

This Update sets out the key features of the new DTSP regulatory framework.

Entities to be Regulated as DTSPs

Under the FSMA, DTSPs include the following persons, who will be required to obtain a DTSP licence unless they fall within one of the excluded categories in the FSMA:

1. Individuals or partnerships: Individuals or partnerships who, from a place of businessin Singapore, carry on a business of providing digital token (“DT“) servicesoutside Singapore; and

2. Corporations: Singapore corporations (including limited liability partnerships) which are formed or incorporatedin Singapore, and which carry on a business (whether from Singapore or elsewhere) of providing DT servicesoutside Singapore.

In the Response, MAS clarified that:

1. When determining whether a DTSP is “carrying on a business of providing DT services outside Singapore”, factors such as whether the DTSP’s front-office functions (e.g. sales, business development) or customers are located outside Singapore would be relevant; and

2. For individuals in particular:

• An individual attracts a DTSP licensing requirement under the FSMA if he or she: (i) is locatedin Singapore; and (ii) is carrying on a business of providing DT services to persons (i.e. individuals and non-individuals)outside Singapore.
• However, where an individual is an employee of a foreign-incorporated company that provides DT servicesoutside Singapore, work done by the individual as part of his or her employment with the foreign-incorporated company would not, in itself, attract a DTSP licensing requirement under the FSMA.

New DTSP Regulatory Regime Commencing on 30 June 2025

On 30 May 2025, the following subsidiary legislation, MAS Notices, and MAS Guidelines implementing the DTSP regulatory regime were issued. They will take effect on 30 June 2025 in conjunction with the commencement of Part 9 of the FSMA.

1. The Financial Services and Markets (Digital Token Services Providers) Regulations 2025 (“FSM Regulations“) that set out (among others) the licensing, financial and business conduct requirements applicable to a DTSP.

2. MAS Notices on:

• AML/CFT (“AML/CFT Notice“), i.e. MAS Notice FSM-N27 Prevention of Money Laundering and Countering the Financing of Terrorism – Holders of Digital Token Service Licence;
• Reporting of suspicious activities and incidents of fraud;
• Submission of regulatory returns;
• Technology risk management;
• Cyber hygiene;
• Business conduct;
• Disclosures and communications to customers and potential customers; and
• Regulatory forms and other administrative matters.

3. MAS Guidelines including:

• The amended MAS Guidelines on Fit and Proper Criteria [FSG-G01] (“F&P Guidelines“) taking effect on 30 June 2025, which were amended to provide a non-exhaustive list of factors which DTSPs should use in assessing the competence and capability of their “relevant persons” (as defined in the F&P Guidelines);
• The new MAS Guidelines on Licensing for Digital Token Services Providers (“MAS Licensing Guidelines“) setting out the eligibility criteria and application procedures for DTSPs under the FSMA; and
• The new MAS Guidelines to MAS Notice FSM-N27 on Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Token Service Providers (“AML/CFT Guidelines“) setting out guidance to DTSPs on the requirements in the AML/CFT Notice and to be read in conjunction with the same.

Once the DTSP regulatory regime commences on 30 June 2025, entities which are subject to the DTSP licensing requirements under the FSMA must suspend or cease carrying on a business of providing DT services outside Singapore unless they obtain a licence or are exempted. Entities that contravene the DTSP licensing requirements under the FSMA will be guilty of an offence and liable to penalties under the FSMA.

Policy Approach for Licensing of DTSPs

1. Restrictive licensing approach: DTSPs are more susceptible to potential money laundering / terrorism financing (“ML/TF“) risks, given the cross-border and internet-based nature of their DT services. MAS envisages that in most cases, persons operating from a place of businessin Singaporeor incorporated or formedin Singaporewill carry on a business of providing DT servicesin Singapore, and thus be subject to licensing and ongoing requirements under other applicable legislation (e.g. the Payment Services Act 2019 (“PS Act“), the Securities and Futures Act 2001 and/or the Financial Advisers Act 2001). Hence, there will be extremely limited circumstances under which MAS will grant a DTSP licence under the FSMA. MAS will review applications for the same on a case-by-case basis, considering the non-exhaustive licensing criteria described below.

2. Key licensing criteria: MAS has set out the following licensing criteria for DTSPs in the MAS Licensing Guidelines (closely modelled after the payment services regime). MAS will take into account whether the applicant meets the following licensing criteria and may also impose the same as licensing conditions:

• Applicants must have a business model that makes economic sense and demonstrate to MAS’ satisfaction that they have valid reasons for not providing DT services within Singapore despite operating in or being formed or incorporated in Singapore;
• Applicants do not operate in a manner that is of concern to MAS and are already regulated and supervised for compliance with relevant internationally agreed standards (such as standards established by the Financial Stability Board, the International Organisation of Securities Commissions, and FATF) by all the relevant supervisors in the jurisdictions where they provide DT services outside of Singapore; and
• There are no concerns with the applicant’s business structure in relation to its ability to comply with regulatory obligations.

3. Additional licensing criteria: Applicants must fulfil, among others, the following additional licensing criteria:

• Having at least one executive director, or partner, or partner or manager (as applicable) resident in Singapore;
• Meeting the fit and proper criteria;
• Having a permanent place of business in Singapore;
• Penetration testing of an applicant’s proposed DT services, remediation of all high-risk findings identified, and independent validation on the effectiveness of the remediation actions;
• Adequate compliance and independent audit arrangements commensurate with the scale, nature and complexity of operations;
• Ability to meet the annual audit requirements; and
• Meeting MAS’ expectations in managing key risks associated with their business activities.

4. Post-licensing notifications: DTSP licensees must notify MAS of any changes to the circumstances set out in their applications or their business model or operations that could affect compliance with the licensing criteria. Failure to comply could potentially result in the revocation of the licence.

FSM Regulations for DTSP Licensees

1. Control of provision of DT services: The FSM Regulations set out requirements for:

• Licence applications and applicable fees;
• Document submission deadlines;
• Licence lapsing; and
• Time, and prorating methodology, for payment of fees.

2. Financial requirements: The FSM Regulations require DTSP licensees to maintain minimum initial and ongoing financial requirements to ensure that they are well-capitalised, committed to maintaining a meaningful presence in Singapore, and sufficiently resourced to conduct their DT services under their licences.

3. Business conduct requirements:

• Approval of management: The FSM Regulations set out the requirements for DTSP licensees’ applications to MAS for approval of their Chief Executive Officers (“CEOs“), directors, partners and managers (as applicable). The MAS Licensing Guidelines set out MAS’ guidance on the competencies of such CEOs, directors, partners and managers (as applicable); and
• Audit report requirements: The FSM Regulations also set out the relevant audit report requirements in connection with a DTSP licensee’s obligations to: (i) appoint an auditor to conduct an audit of transactions in relation to the DT services provided; and (ii) submit the audit report to MAS annually.

AML/CFT Notice for DTSP Licensees

1. Addressing ML/TF risks: The AML/CFT Notice requires DTSPs to:

• Take appropriate steps to identify, assess, and understand their ML/TF risks;
• Develop and implement policies, procedures, and controls to manage and mitigate identified risks, including customer due diligence (“CDD“), transaction monitoring, screening, suspicious transaction reporting and record keeping;
• Monitor, implement, and enhance the implementation of, the policies, procedures and controls referred to above; and
• Perform enhanced measures if higher ML/TF risks are identified.

2. Conducting CDD on existing customers:

• The AML/CFT Notice requires DTSPs to perform CDD on all existing customers.
• MAS will not prescribe (i) any baseline timelines for DTSPs to complete the required CDD measures by; and (ii) the situations in which DTSPs must update the initial CDD for existing customers, as this would primarily depend on what the subsequent revisions of CDD requirements relate to.

3. Outsourcing to third parties: The AML/CFT Notice permits DTSPs to rely on third parties for such CDD in the following circumstances:

• The DTSP must: (i) be satisfied that the third party is subject to and supervised for compliance with AML/CFT requirements consistent with FATF standards and has adequate measures in place to comply; and (ii) take appropriate steps to understand the ML/TF risks in the third party’s jurisdiction of operation.
• The DTSP must not be specifically precluded by MAS from relying upon that third party. The third party must be able and willing to provide data, documents or information regarding the CDD measures applied to customers, without delay, upon the DTSP’s request.

4. Risk mitigation for correspondent account services: The AML/CFT Notice requires DTSPs who provide correspondent account services to another FI or engage another FI for such services, to perform risk mitigation measures (in addition to CDD), including:

• Assessing the suitability of the AML/CFT controls of the respondent / correspondent FI involved (“Respondent / Correspondent FI“) for adequacy and effectiveness. The AML/CFT Guidelines include a list of non-exhaustive factors which DTSPs may consider when assessing the suitability of the Respondent / Correspondent FI involved;
• Understanding and documenting the respective AML/CFT responsibilities of the DTSP and the Respondent / Correspondent FI; and
• Obtaining senior management approval before providing or receiving correspondent account services or similar services to or from a new FI.

5. Risk mitigation for payments: The AML/CFT Notice prohibits DTSPs from: (i) making cash payouts for payments equal to or exceeding S$20,000; instead, permitting them to use cheques for the same subject to certain conditions; and (ii) issuing bearer negotiable instruments in any amount.

6. Risk mitigation for value transfers (“transfers”):

• Ordering institutions: The AML/CFT Notice requires such DTSPs to: (i) prior to effecting or arranging for the transfer, identify the value transfer originator (“originator“), take reasonable measures to verify the originator’s identity (if not already done as part of Paragraph 6 of the AML/CFT Notice) and record adequate details of the transfer so as to permit reconstruction (e.g. the date of transfer, the type and value of DTs transferred, and the value date); (ii) collect and document specific information on the originator and value transfer beneficiary (“beneficiary“); and (iii) immediately and securely submit the said information to the beneficiary institution.
• Beneficiary institutions and intermediary institutions: The AML/CFT Notice requires such DTSPs to: (i) take reasonable measures (including monitoring) to identify transfers that lack the required originator or beneficiary information; (ii) implement appropriate internal risk-based policies, procedures and controls to determine when to execute, reject or suspend such transfers lacking required originator or beneficiary information, and the appropriate follow-up actions; (iii) for transfers where the beneficiary institution pays out the transferred DTs in cash or cash equivalent to the beneficiary, identify and verify the identity of the beneficiary if this has not been previously done; and (iv) for intermediary institutions, retain all information accompanying the transfer.
• MAS will not prescribe how DTSPs should comply with the value transfer requirements, given that a variety of solutions are presently available or being developed, and so as to remain technology neutral.

7. Adequate compliance arrangements: The AML/CFT Notice requires DTSPs to:

• Develop appropriate compliance management arrangements and ensure that their compliance function has adequate resources and timely access to the information required to discharge its responsibilities; and
• Appoint a suitably qualified compliance officer at the management level.

8. Adequate audit arrangements: The AML/CFT Notice requires DTSPs to maintain an audit function that is adequately resourced, independent, and able to regularly assess the effectiveness of the DTSP’s internal policies, procedures and controls, and its compliance with regulatory requirements.

Other MAS Notices for DTSP Licensees

1. MAS Notice FSM-N28 Reporting of Suspicious Activities and Incidents of Fraud:

• DTSPs must periodically report (in the form, manner and time specified) upon discovery of suspicious activities or fraud incidents, if such activities or incidents are material to the safety, soundness or reputation of the DTSP. Such report must be lodged within five working days after the discovery of the activity or incident by the DTSP.
• MAS will not prescribe the materiality of a suspicious activity or fraud incident, as this would depend on various factors such as the amounts involved, the impact on the business operations, etc, which should be assessed by the DTSP.

2. MAS Notice FSM-N29 Submission of Regulatory Returns: This notice requires periodic submission by DTSPs of:

• Information relating to the DT services provided; and
• Information that allows understanding and monitoring of the profile of each DT service for more targeted supervision.

3. MAS Notice FSM-N30 Technology Risk Management: It is important for DTSPs to implement controls to manage the technology risks arising in the course of business. DTSPs are required to:

• Establish a framework to identify critical systems, ensure their maximum unscheduled downtime is under four hours within any 12-month period, and establish a recovery time objective of under four hours;
• Notify MAS within one hour upon discovery of a system malfunction or security incident with severe and widespread impact on the DTSP’s operations or material impact on its services to its customers, and submit a root cause and impact analysis report within 14 days; and
• Implement information technology (“IT“) controls to protect customer information from unauthorised access or disclosure.

4. MAS Notice FSM-N31 Cyber Hygiene: DTSPs are required to:

• Secure administrative accounts against unauthorised access or use;
• Establish security standards;
• Implement security patches timeously; and
• Establish network perimeter defence, malware protection, and multi-factor authentication for administrative accounts of critical systems and system accounts used to access customer information through the internet.

MAS expects DTSPs to: (i) apply the MAS Guidelines on Risk Management Practices – Technology Risk, which require FIs to establish technology risk governance and maintain cyber resilience (including implementing secure coding, robust cryptographic key management, and controls to ensure the availability and security of IT systems) in their risk assessments over their businesses; and (ii) establish effective processes and controls to manage the identified risks.

5. MAS Notice FSM-N32 Conduct:

• Minimum operating hours: DTSPs must ensure that their designated person responsible for being present at their permanent place of business to respond to queries relating to AML/CFT or complaints from their DT service users or customers, will be so present for: (i) at least ten days a month; and (ii) at least eight hours per day during normal business hours, unless an exception applies.
• Other conduct requirements such as in relation to the record of transactions, issuance of receipts and display of exchange rates and fees.

6. MAS Notice FSM-N33 Disclosures and Communications: DTSPs are required to:

• Provide customers with a specified risk warning statement;
• Accurately represent the scope of regulation of the DTSP under the FSMA and ensure that such representations do not misrepresent the scope of activities that the DTSP is licensed to carry out; and
• Request correction of any false or misleading statement by a third party about such scope, where MAS alerts the DTSP that such false or misleading statement has been made (albeit the DTSP is not required to take legal action against the third party).

Concluding Words

Entities to whom the DTSP regulatory framework is intended to apply should consider: (i) the requirements for applying for and obtaining a DTSP licenceby no later than 30 June 2025; and (ii) should they obtain such licence, how best to give effect to the suite of relevant post-licensing requirements applicable to DTSP licensees.

If you have any queries or require assistance on the above matters, please reach out to our Team members set out on this page.