Crypto & Blockchain Regulation & Licensing in Singapore

Singapore has established one of the most clearly defined regulatory frameworks for crypto and blockchain businesses in the Asia-Pacific region. The Monetary Authority of Singapore (MAS) is the primary regulator, and any business dealing with digital payment tokens, digital asset services, or blockchain-based financial products must assess its licensing obligations before commencing operations. Failure to obtain the correct licence exposes operators to criminal liability, forced cessation of business, and reputational damage that is difficult to reverse. This article covers the legal architecture, licensing pathways, compliance obligations, enforcement posture, and practical strategies for international businesses entering or operating in Singapore';s digital asset market.

Singapore does not have a single "crypto law." Instead, the regulatory framework is built across several statutes, each addressing a distinct aspect of digital asset activity.

The Payment Services Act 2019 (PSA), as amended by the Payment Services (Amendment) Act 2021, is the central instrument. It brought digital payment token (DPT) services within the licensing perimeter of MAS. Under the PSA, a DPT is defined as any cryptographically secured digital representation of value that is not denominated in any currency and is not pegged to any currency, and that can be transferred, stored, or traded electronically. Bitcoin, Ether, and most utility tokens that function as a medium of exchange fall within this definition.

The Securities and Futures Act 2001 (SFA) governs digital tokens that constitute capital markets products - meaning tokens that represent shares, debentures, units in a collective investment scheme, or derivatives. A token that grants holders profit-sharing rights, voting rights in a corporate entity, or represents a debt obligation is likely to be classified as a capital markets product, triggering SFA obligations including prospectus requirements and licensing under the SFA.

The Financial Advisers Act 2001 (FAA) applies where a business provides advice on investment products, including digital tokens that qualify as capital markets products under the SFA.

The Monetary Authority of Singapore Act 1970 (MASA) grants MAS broad supervisory and enforcement powers, including the authority to issue directions, impose civil penalties, and refer matters for criminal prosecution.

Anti-money laundering and counter-terrorism financing obligations are embedded in the MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism for Digital Payment Token Service Providers. This notice imposes customer due diligence, transaction monitoring, suspicious transaction reporting, and record-keeping requirements on all licensed DPT service providers.

Under the PSA, a business providing DPT services in Singapore must hold one of three licence types, or qualify for an exemption.

A Standard Payment Institution (SPI) licence is available to businesses whose monthly transaction volume does not exceed SGD 3 million for any single payment service, and does not exceed SGD 6 million across all payment services. The SPI licence carries lighter capital requirements - a minimum base capital of SGD 100,000 - and is suited to early-stage or smaller-volume operators.

A Major Payment Institution (MPI) licence is required where a business exceeds either of the SPI thresholds. The MPI licence requires a minimum base capital of SGD 250,000 and imposes more extensive ongoing compliance obligations, including safeguarding requirements for customer funds. Most institutional-grade crypto exchanges, OTC desks, and DPT custodians operating at scale will require an MPI licence.

A Money-Changing Licence covers the exchange of physical currency and is not relevant to most crypto businesses, but operators combining fiat cash exchange with DPT services must assess whether both licences are needed.

Certain activities are exempt from PSA licensing. A business that provides DPT services solely to its related corporations, or that provides DPT services only as an incidental part of another regulated activity, may qualify for an exemption. However, MAS interprets these exemptions narrowly, and relying on an exemption without a formal legal opinion is a common and costly mistake made by international operators.

The application process for an SPI or MPI licence involves submission of a detailed business plan, governance documentation, AML/CFT policies and procedures, technology risk management frameworks, and fit-and-proper assessments of directors and substantial shareholders. MAS typically takes between six and twelve months to process a DPT licence application, though complex applications or those with incomplete documentation can take longer. Applicants must also demonstrate that they have adequate financial resources to sustain operations during the review period.

To receive a checklist of MAS DPT licence application requirements for Singapore, send a request to info@vlolawfirm.com

Where a blockchain project involves the issuance of tokens that qualify as capital markets products, the SFA framework applies in parallel with or instead of the PSA.

MAS published A Guide to Digital Token Offerings, which sets out its analytical framework for determining whether a token is a capital markets product. The key question is whether the token, by its terms and the rights it confers, falls within the definition of a security, a unit in a collective investment scheme, or a derivative contract under the SFA.

A token that entitles holders to a share of profits generated by a project, or that represents an interest in a fund pooling investor capital, is almost certainly a capital markets product. In practice, many projects attempt to structure tokens as "utility tokens" to avoid SFA obligations, but MAS looks through the label to the economic substance of the rights conferred. A token marketed as a utility token but that in practice functions as an investment instrument will be treated as a capital markets product.

Businesses that deal in, advise on, or manage capital markets products - including digital tokens qualifying as such - must hold the appropriate SFA licence. The main licence types relevant to crypto businesses are:

• Capital Markets Services (CMS) licence for dealing in capital markets products, fund management, or operating a collective investment scheme.
• Financial Adviser';s licence under the FAA for providing investment advice on capital markets products.

The CMS licence application requires demonstration of adequate financial resources, fit-and-proper management, robust risk management systems, and compliance infrastructure. The minimum base capital for a CMS licensee dealing in capital markets products is SGD 250,000, rising to SGD 1 million for fund managers managing assets above a regulatory threshold.

A non-obvious risk for international blockchain projects is the extraterritorial reach of the SFA. Where a project is incorporated outside Singapore but actively markets token offerings to Singapore investors, MAS takes the position that the SFA may apply. Several projects have received MAS guidance letters requiring them to cease marketing activities in Singapore or to restructure their token offering.

Obtaining a licence is only the first step. The ongoing compliance obligations under MAS Notice PSN02 are operationally demanding and represent a significant cost centre for licensed DPT service providers.

Customer due diligence (CDD) requirements under PSN02 require licensed DPT service providers to identify and verify the identity of all customers before establishing a business relationship or conducting a transaction above the applicable threshold. For corporate customers, this extends to identifying beneficial owners holding 25% or more of the entity. Enhanced due diligence (EDD) is mandatory for customers classified as higher risk, including politically exposed persons (PEPs) and customers from jurisdictions identified as high-risk by the Financial Action Task Force (FATF).

Transaction monitoring must be conducted on an ongoing basis. Licensed providers must implement systems capable of detecting unusual transaction patterns, structuring behaviour, and transactions involving addresses associated with sanctioned entities or known illicit activity. In practice, this requires integration with blockchain analytics tools capable of tracing the provenance of funds on-chain.

Suspicious transaction reports (STRs) must be filed with the Suspicious Transaction Reporting Office (STRO) of the Singapore Police Force where a licensed provider knows or has reason to suspect that a transaction involves proceeds of criminal conduct. The obligation to file an STR arises regardless of the transaction value and regardless of whether the transaction is completed.

Record-keeping obligations require licensed providers to retain customer identification records, transaction records, and CDD documentation for at least five years from the date of the transaction or the end of the business relationship, whichever is later.

A common mistake made by international operators is to treat AML/CFT compliance as a documentation exercise rather than an operational system. MAS conducts thematic inspections of licensed entities and has taken enforcement action against providers whose AML/CFT systems were found to be inadequate in practice, even where the written policies appeared compliant on paper.

To receive a checklist of AML/CFT compliance requirements for MAS-licensed DPT service providers in Singapore, send a request to info@vlolawfirm.com

MAS imposes specific technology risk management (TRM) obligations on licensed DPT service providers through the MAS Technology Risk Management Guidelines and the MAS Notice on Technology Risk Management.

The TRM Guidelines require licensed entities to establish a robust technology risk governance framework, conduct regular vulnerability assessments and penetration testing, implement multi-factor authentication for critical systems, and maintain business continuity plans that address cyber incidents. For DPT service providers, the guidelines specifically address the security of private key management, wallet infrastructure, and smart contract deployment.

Custody of customer digital assets is a particularly sensitive area. Under the PSA, MPI licensees that hold customer DPTs must comply with safeguarding requirements. These require that customer assets be held separately from the provider';s own assets, and that adequate arrangements be in place to return customer assets promptly in the event of the provider';s insolvency. MAS has indicated that it expects providers to maintain a clear audit trail of customer asset holdings at all times.

In practice, the custody requirements have significant implications for business model design. Operators that hold customer private keys must implement hardware security module (HSM) infrastructure, multi-signature wallet arrangements, and cold storage protocols that meet MAS expectations. Operators that use third-party custodians must conduct due diligence on those custodians and ensure that contractual arrangements provide adequate protection for customer assets.

A non-obvious risk is the interaction between custody obligations and insolvency law. Under Singapore';s Insolvency, Restructuring and Dissolution Act 2018 (IRDA), the treatment of customer DPTs held by an insolvent DPT service provider is not fully settled. Whether customer assets held on-chain are treated as trust assets - and therefore outside the insolvent estate - or as assets of the provider subject to distribution among creditors, depends on the specific contractual and operational arrangements in place. Providers that have not structured their custody arrangements carefully may expose customers to significant loss in an insolvency scenario.

Three practical scenarios illustrate the range of situations operators face:

• A Singapore-incorporated crypto exchange with monthly DPT trading volume exceeding SGD 3 million must hold an MPI licence, implement full AML/CFT infrastructure, and comply with safeguarding requirements for customer assets. The cost of establishing this infrastructure - including legal, compliance, and technology expenditure - typically runs into the mid-to-high six figures in USD before the business processes its first transaction.

• A blockchain project incorporated in the British Virgin Islands that issues tokens to Singapore retail investors without MAS authorisation risks enforcement action under the SFA, including a direction to cease the offering and potential criminal liability for the directors. The project may also be required to offer rescission rights to Singapore investors.

• A DeFi protocol that operates without a central operator and does not hold customer funds may fall outside the PSA licensing perimeter, but if the protocol';s governance token confers economic rights resembling a collective investment scheme, MAS may take the position that the SFA applies to the token issuance.

MAS has demonstrated a willingness to take enforcement action against unlicensed and non-compliant crypto businesses. Its enforcement toolkit includes the issuance of prohibition orders, civil penalties, and referral of cases for criminal prosecution under the PSA and SFA.

Under the PSA, carrying on a payment service business without a licence is a criminal offence punishable by a fine of up to SGD 125,000 or imprisonment of up to three years, or both. Continuing to carry on an unlicensed business after a MAS direction to cease is an aggravated offence.

Under the SFA, making a false or misleading statement in connection with a capital markets product offering, or carrying on a regulated activity without a licence, carries penalties of up to SGD 250,000 or imprisonment of up to seven years, or both.

MAS has also used its powers under the MASA to issue public warnings against entities it considers to be operating in breach of Singapore law. These warnings are published on the MAS Investor Alert List and have a significant reputational impact, particularly for businesses seeking to raise capital from institutional investors.

A common mistake made by international businesses is to assume that operating from outside Singapore insulates them from MAS jurisdiction. MAS takes the position that where a business actively solicits customers in Singapore, or where its services are accessible to Singapore residents, it may be subject to Singapore law regardless of where it is incorporated or where its servers are located.

The risk of inaction is concrete. A business that commences DPT services in Singapore without a licence and later seeks to regularise its position faces a more difficult application process, potential enforcement action for the period of unlicensed operation, and the reputational consequences of having operated without authorisation. Addressing licensing obligations before commencing operations is materially less costly than remediation after the fact.

We can help build a strategy for MAS licence applications and regulatory compliance in Singapore. Contact info@vlolawfirm.com

What is the most significant practical risk for a foreign crypto business entering Singapore?

The most significant risk is misclassifying the nature of the business activity and therefore applying for the wrong licence - or no licence at all. Many international operators assume that because their token is labelled a "utility token" or because their platform is incorporated offshore, they fall outside the MAS regulatory perimeter. MAS looks to the economic substance of the activity and the accessibility of the service to Singapore residents, not to labels or corporate domicile. A business that commences operations on the basis of an incorrect regulatory analysis may face enforcement action, forced restructuring, and significant legal costs to remediate the position. Engaging qualified Singapore legal counsel before commencing operations is the most effective risk mitigation measure.

How long does it take to obtain a MAS DPT licence, and what does it cost?

MAS typically takes between six and twelve months to process a DPT licence application under the PSA, though the timeline depends heavily on the completeness of the application and the complexity of the business model. Applications that are incomplete or that raise novel regulatory questions can take considerably longer. The cost of preparing and submitting a licence application - including legal fees, compliance consultancy, and technology risk assessments - typically starts from the low to mid six figures in USD for a straightforward MPI application. Ongoing compliance costs, including AML/CFT systems, transaction monitoring tools, and regulatory reporting, represent a further recurring expenditure that operators must factor into their business economics before committing to the Singapore market.

When should a crypto business consider restructuring its token model rather than seeking a licence?

Restructuring the token model is worth considering where the cost and operational burden of obtaining and maintaining the required licence is disproportionate to the revenue generated from Singapore customers, or where the token';s economic design can be modified without materially affecting the project';s commercial proposition. For example, removing profit-sharing rights from a token may take it outside the SFA';s capital markets product definition, reducing the regulatory burden to a PSA DPT licence or potentially no licence at all. However, restructuring must be approached carefully: a superficial change that does not alter the economic substance of the token is unlikely to change MAS';s regulatory analysis, and may be viewed as an attempt to circumvent the regulatory framework. Any restructuring should be supported by a formal legal opinion from Singapore-qualified counsel.

Singapore';s crypto and blockchain regulatory framework is detailed, actively enforced, and continuing to evolve. The PSA and SFA together create a comprehensive licensing perimeter that captures most commercially significant digital asset activities. Businesses that engage with the framework proactively - by obtaining the correct licence, building robust AML/CFT infrastructure, and maintaining ongoing dialogue with MAS - are well positioned to operate sustainably in one of Asia';s most credible digital asset markets. Those that attempt to operate without proper authorisation face material legal and financial risk.

To receive a checklist of regulatory steps for establishing a licensed crypto or blockchain business in Singapore, send a request to info@vlolawfirm.com

Our law firm VLO Law Firms has experience supporting clients in Singapore on crypto and blockchain regulatory matters. We can assist with MAS licence applications, token classification analysis, AML/CFT compliance frameworks, and regulatory strategy for digital asset businesses. To receive a consultation, contact: info@vlolawfirm.com