Monetary Authority of Singapore "DTSP Licensing Guidelines" (full text)


Source: Singapore MAS; Translated by: AIMan@ Jinse Finance

On May 30, 2025, the Monetary Authority of Singapore issued the "Guidelines on Licensing for Digital Token Service Providers", formally bringing DTSPs under licensing and supervision.

The following is the full text of the Monetary Authority of Singapore's "Guidelines for Licensing Digital Token Service Providers":

1. Purpose

2. License under the Financial Services and Markets Act

3. Admission criteria

4. License application requirements

5. Ongoing requirements for licensees

Appendix 1 Governance and Ownership Requirements

Appendix 2 Minimum Compliance Arrangements

Appendix 3 Guidelines for information required for permit applications

Appendix 4 Annual License Fee

Appendix 5 Rules for Participation in the Application Review Process

Appendix 6 Independent Assessment by External Auditors

1. Purpose

1.1 The Guidelines on Licensing of Digital Token Service Providers (hereinafter referred to as the “Guidelines”) aim to provide guidance on the application process, licensing standards and ongoing requirements for digital token service providers (defined as individuals, partnerships or Singapore companies that have a place of business in Singapore, or are incorporated in Singapore but carry on the business of providing digital token services abroad, referred to as “DTSPs”) under Part 9 of the Financial Services and Markets Act 2022 (“FSM Act”).

1.2 This Guideline should be read in conjunction with the FSM Act, the Financial Services and Markets (Digital Token Service Providers) Regulations (“FSM Regulations”) and other relevant laws, notices, guidelines and Frequently Asked Questions (FAQs) issued by the Monetary Authority of Singapore (“MAS”).

1.3 MAS will periodically update this guide to provide further guidance.

2. License under the Financial Services and Markets Act

2.1 Under Section 137 of the FSM Act, any person who carries on digital token services as defined in the First Schedule to the FSM Act in Singapore must hold a licence unless he is exempted. Section 137(5) of the FSM Act sets out the applicable exemptions.

2.2 As MAS will not provide transitional arrangements for DTSPs, DTSPs that are required to obtain a licence under section 137 of the FSM Act must suspend or cease engaging in the business of providing digital token services overseas by 30 June 2025. DTSPs that breach the licensing requirement will be guilty of an offence and liable to the penalty prescribed in section 137(6) of the FSM Act.

Types of digital token services

2.3 Applicants should assess whether their business model involves the provision of digital token services in accordance with the ten categories of digital token services in the First Schedule to the FSM Act. Applicants should also consider whether their proposed activities fall within the exceptions to the regulation of digital token services set out in Part 2 of the First Schedule to the FSM Act.

Translator's note: the ten categories of digital token services listed in the FSM Act Schedule are:

1. Any digital token trading service (except for digital token trading services prescribed by MAS);

2. Any service that facilitates the exchange of digital tokens (except for digital token trading services as specified by MAS);

3. Any service of receiving digital tokens (whether as principal or agent) from one digital token account (whether in Singapore or elsewhere) for the purpose of transferring or arranging for the transfer of digital tokens to another digital token account (whether in Singapore or elsewhere);

4. Any service that arranges (whether as principal or agent) for the transfer of digital tokens from one digital token account (whether in Singapore or elsewhere) to another digital token account (whether in Singapore or elsewhere);

5. Any service that induces or attempts to induce any person to enter into or offer to enter into any agreement to buy or sell any digital token in exchange for any money or any other digital token (whether of the same or different type);

6. Any service that protects digital tokens, where the service provider has control over the digital tokens;

7. Any service that performs instructions for clients in relation to digital tokens, where the service provider has control over the digital tokens;

8. Any service for protecting a digital token instrument where the service provider has control over one or more digital tokens associated with the digital token instrument;

9. Any service that carries out for a client an instruction in relation to one or more digital tokens in relation to a digital token instrument over which the service provider has control;

10. Any service related to the sale or offering for sale of digital tokens that involves: 1. Providing advice related to any digital token, directly or through publications or writings (whether in electronic, printed or other form); or 2. Providing advice through the publication of research analyses or research reports (whether in electronic, printed or other form) related to any digital token.

3. Admission criteria

3.1 Due to the internet-based and cross-border nature of digital token services, DTSPs are more susceptible to money laundering, terrorist financing and proliferation financing ("ML/TF") risks. This increases the risk of such providers engaging in, or being abused for, illegal purposes, damaging Singapore's reputation. In view of these risks, MAS licenses DTSPs in a prudent and cautious manner and will only consider granting an applicant a DTSP licence under the FSM Act in very rare circumstances. These rare circumstances include:

  • The applicant’s business model is economically justified and it can demonstrate to MAS’ satisfaction that, despite being operated or established/registered in Singapore, it has legitimate reasons for not intending to carry on the business of providing digital token services in Singapore;

  • The applicant does not operate in a manner that would raise concerns for MAS and has been regulated and supervised by relevant regulators in all jurisdictions where it provides offshore digital token services in respect of compliance with relevant internationally recognised standards (such as those set by the Financial Stability Board, the International Organisation of Securities Commissions and the Financial Action Task Force on Money Laundering ("FATF"));

  • MAS has no concerns about the applicant’s business structure, such as its ability to comply with regulatory obligations.

3.2 Applicants must fully satisfy the following criteria and clearly demonstrate that they are able to comply with their obligations under the FSM Act as a licensee.

3.2.1 Governance and Ownership Requirements Applicants must comply with the governance and ownership structure set out in Appendix 1 and be registered with the Accounting and Corporate Regulatory Authority (ACRA) of Singapore.

3.2.2 Fit and Proper Applicants must satisfy MAS that their sole proprietors, partners, managers or directors and chief executive officers (CEOs), shareholders and employees, as well as the applicant itself, are fit and proper in accordance with the Guidelines on Fit and Proper Standards [FSG-G01]. The burden of demonstrating that the relevant persons are fit and proper rests with the applicant, not MAS. In addition to honesty, integrity and reputation, ability and competence, and financial soundness are also factors to be considered, and MAS will also consider other factors such as the existence of conflicts of interest and the relevant person’s time commitment to the Singapore entity. In particular, the entity and its related groups should not have any adverse reputation, especially in terms of financial crime and sanctions compliance.

3.2.3 Capabilities of Key Personnel Applicants must ensure that their sole proprietors, partners, managers or executive directors and CEOs have sufficient operational experience in the digital token services industry, including a full understanding of the regulatory framework for DTSPs in Singapore.

If the relevant individual will be managing a larger team, he or she should also have the relevant experience, ability and influence to effectively supervise and control business activities and employees.

Applicants should also consider the educational background and professional qualifications of their key personnel.

3.2.4 Permanent Place of Business or Registered Office The applicant must have a permanent place of business or registered office in Singapore. The place must be an office area where the applicant’s books and records can be kept securely. The applicant must also appoint at least one person to be present to handle any queries or complaints from customers, and enquiries/information requests from the authorities.

3.2.5 Basic capital A licence applicant must satisfy MAS that it is familiar with the basic capital requirements set out in the FSM Regulations and clearly demonstrate how it will meet these requirements on an ongoing basis, as outlined in Table 3. In light of this obligation, an applicant must ensure that it maintains adequate capital buffers in excess of the basic capital requirements, taking into account the size and scope of its business and the likelihood of profit and loss. Generally, an entity's basic capital should be able to cover the applicant's operating expenses for at least six to twelve months. The applicant should also establish effective monitoring processes to ensure that the basic capital requirements are met at all times, such as regular reporting or setting specific capital buffers above the minimum requirements.

Table 1 Basic capital requirements


3.2.6 Compliance Arrangements Applicants must have an effective compliance arrangement plan in place and ensure that adequate compliance resources are committed commensurate with the nature, size and complexity of the business. The minimum compliance arrangement requirements are set out in Appendix 2. Regardless of the set-up of the compliance arrangement, the sole proprietor, partner, manager or director and CEO of the applicant have the ultimate responsibility and accountability for compliance with applicable laws and regulations.

3.2.7 Technical Risk Management Applicants must conduct penetration testing of the digital token services they intend to provide, fix all identified high-risk issues, and independently verify the effectiveness of the fixes. This work does not need to be completed before application, but must be completed before the license is granted.

3.2.8 Audit Arrangements Applicants must have in place an appropriate independent audit arrangement plan to regularly assess the adequacy and effectiveness of their procedures, controls, and compliance with regulatory requirements. Audit arrangements should be commensurate with the size, nature and complexity of their business. Audits may be conducted by the applicant's internal audit function, an independent internal audit team at the applicant's head office, or outsourced to a third-party service provider.

3.2.9 Annual Audit Requirements The applicant must prepare a plan to meet the annual audit requirements set out in section 158 of the FSM Act. Auditors must be appointed by the applicant at its own expense to audit its accounts and transactions and compliance with relevant regulations and requirements.

3.2.10 Responsibility Letter and/or Undertaking Letter Where appropriate, MAS may require the applicant to obtain a responsibility letter and/or undertaking letter from its controlling shareholder, parent company and/or associated companies. MAS will provide a template if the application is approved.

3.2.11 Other factors MAS may also consider the following factors (where applicable):

- The record and financial status of the applicant and its holding or affiliated companies;

- The applicant’s operational readiness, including its ability to comply with regulatory requirements;

- Whether the applicant has fully recognized the main risks associated with its business activities and has adequately identified, assessed and mitigated the relevant risks;

- Whether the granting of the licence is in the public interest.

3.3 MAS assesses each application on its own merits and may consider other factors on a case-by-case basis. The above criteria and considerations are not exhaustive and MAS may impose additional conditions or requirements to address the unique risks posed by an applicant.

3.4 Applicants should submit an application in Form 1. All applicants and licensees must pay the relevant fees set out in the Schedule to the FSM Regulations. For more information on fees, see Appendix 4. Applicants should also refer to Appendix 5 for the rules of engagement in the application review process.

4. License application requirements

4.1 Applicants who have assessed that they meet the admission criteria should refer to Appendix 3 for guidance on the information required for a licence application.

Legal advice on new licence applications

4.1.1 New applicants for a DTSP license are required to submit a legal opinion from a reputable law firm along with their application. The legal opinion should include a clear and concise summary of the applicant’s business model and an assessment of whether the services and/or products that the applicant intends to provide fall under the regulated digital token services under the FSM Act.

4.1.2 In any case, if the initial legal opinion is unclear, MAS reserves the right to request a second legal opinion.

Independent assessment by external auditors

4.1.3 Upon obtaining In-Principle Approval ("IPA"), the applicant shall appoint a qualified independent external auditor to conduct an independent assessment of its policies, procedures and controls in the areas of technology and cybersecurity risk. This requirement will be included as a condition of the IPA; the scope of the technology and cybersecurity risk assessment is set out in Appendix 6.

5. Ongoing requirements for licensees

5.1 Licensees must comply with all applicable requirements under the FSM Act and other relevant laws on an ongoing basis. Licensees should establish processes, systems, policies and procedures to ensure that all ongoing obligations are met, including making applications and notifications to MAS when necessary. The following outlines some of the requirements, but not all. Licensees should keep abreast of regulatory developments and visit the MAS website for the latest requirements.

5.2 Anti-Money Laundering and Counter-Terrorism Financing (“AML/CFT”) Requirements Licensees must comply with the AML/CFT requirements set out in the Financial Services and Markets Regulations (including those relating to targeted financial sanctions), the Terrorism (Suppression of Financing) Act 2002, the Corruption, Drug Trafficking and Other Serious Crime (Confiscation of Benefits) Act 1992, the Prevention of Money Laundering and Counter-Terrorism Financing Notice [FSM-N27] and the Suspicious Activity and Fraud Reporting Notice [FSM-N28]. Licensees should also refer to the Guidance to Notice FSM-N27 for information on their AML/CFT requirements.

5.3 Periodic Reporting Licensees must submit periodic regulatory reports in relation to their digital token activities in accordance with the FSM Regulations. The relevant requirements are set out in the Notice on Submission of Regulatory Reports [FSM-N29].

5.4 Cybersecurity Licensees must comply with the cybersecurity requirements set out in the Cybersecurity Notice [FSM-N31] and take appropriate safeguards to protect customer information.

5.5 Technology Risk Management Licensees must comply with the Technology Risk Management Notice [FSM-N30] and refer to the Technology Risk Management Practice Guide for technology risk management requirements.

5.6 Conduct of Business Licensees must comply with the conduct of business requirements in the FSM Act, the FSM Regulations and the Conduct Notice [FSM-N32]. These obligations include recording transactions, issuing receipts, displaying exchange rates and fees and notifying normal business hours. Licensees must also ensure compliance with all prohibitions and restrictions, including prohibited business activities.

5.7 Disclosures and communications A licensee must make an accurate representation of the scope of its licence and, where applicable to its business, provide the disclosures required by the Disclosures and Communications Notice [FSM-N33]. A licensee should also ensure that clients are promptly updated on any material changes to the disclosures.

5.8 Annual Audit Requirements A licensee must appoint an auditor every year to audit its accounts and transactions and compliance with regulations and requirements. The licensee must ensure that the auditor submits a report in Form 3 to MAS.

Appendix 1

A1 Governance and Ownership Requirements


Appendix 2

A2 Minimum Compliance Arrangements

The applicant should ensure that it has effective compliance arrangements and adequate compliance resources commensurate with the size, nature and complexity of its business. This may take the form of:

  • Independent Compliance Function Applicants should establish an independent compliance function in Singapore with staff who are appropriately qualified in areas relevant to their business activities. Compliance staff may also take on other non-conflicting and complementary roles, such as in-house legal counsel.

  • Compliance support from holding companies or overseas related entities An applicant may obtain compliance support from an independent dedicated compliance team in its holding company or overseas related entity, provided that it can demonstrate that adequate supervision is provided by the applicant's compliance officer, sole proprietor, partner, manager or director and the CEO and other senior management.

Applicants must also have appropriate compliance management arrangements in place, including at least the appointment of a suitably qualified compliance officer at management level. This person should be based in Singapore, have sufficient expertise in areas relevant to its business activities, and have the authority to oversee the applicant’s compliance function, although he or she may be assisted by other staff in day-to-day operations.

Applicants should also establish an appropriate governance structure to oversee compliance and AML/CFT issues (including those related to targeted financial sanctions). Depending on the size of the business and group structure, applicants may consider having a compliance officer report regularly to the board or a board committee on compliance and AML/CFT issues and make decisions on matters that are beyond the compliance officer’s authority.

Applicants should note that, regardless of the arrangement chosen, the applicant’s sole proprietor, partners, managers or directors and CEO are ultimately responsible for all compliance and regulatory matters and must provide adequate oversight of the arrangement.

Therefore, the applicant’s senior management and compliance officers should be able to demonstrate that they fully understand the compliance and ML/FT risks faced by the applicant’s business activities and the measures taken to effectively manage these risks.

Appendix 3

A3 License Application Information Guide

Applicants should ensure that they fully meet the admission criteria and that their application is complete, free from errors and inconsistencies and is accompanied by the necessary supporting documents as specified in the application form.

Information required in a proposed business plan

In particular, its proposed business plan should include the following information:

Applicants should provide a clear description of their business model and plans, supported by the professional experience and expertise of the proposed management team. The business plan should describe how it will comply with the FSM Act and related subsidiary legislation and include the following information:

- Jurisdictions of services, including evidence that the applicant has obtained an operating license in the jurisdiction where it provides digital token services and is subject to supervision by relevant regulators for compliance with relevant internationally recognized standards (such as those set by the Financial Stability Board, the International Organization of Securities Commissions and the FATF).

- Target customer profile.

- Products and services to be provided. The applicant should clearly state the types of digital token services it will provide at each stage of the transaction process. If the applicant intends to provide more than one type of digital token service, each type of digital token service should be evaluated separately.

- Reasons why you do not intend to carry on the business of providing digital token services in Singapore despite being operated or established/registered in Singapore.

- Detailed funding flow plans and channels, including transaction and/or process flow diagrams. If there is more than one product or service, or more than one type of transaction and/or process flow, a diagram should be provided for each flow. The flow diagram should:

  • Describe a typical transaction from the time the applicant accepts the source of funds (e.g. bank transfer, cash, bank card) to the time the applicant fully fulfils its obligations to the customer.

  • Describe the interactions between customers and applicants and the flow of funds.

  • Indicate timelines, including service level agreements with third parties, and applicable payment and settlement cycles.

  • Highlight any use of innovative technology (e.g. use or provision of digital tokens, distributed ledger technology) or a different way of delivering products or services than is commonly seen in the market.

  • Include all third parties involved (e.g. other digital token service providers, banking partners, intermediaries, other agents) and explain their roles in the process.

- Implementation plan, including the expected timeline for business/product launch, and the systems, processes, and third parties that will play a key role in its operation.

- Whether the digital token service is ancillary or bundled with any other product or service provided by the applicant.

- A brief description of any other activities currently being carried out or proposed to be carried out by the applicant that are regulated by MAS (e.g. financial advisory, securities dealing, etc.).

- A brief description of any exempt and unregulated activities currently being carried out or proposed to be carried out by the applicant.

- For applicants that are part of the Global Digital Token Services group:

  • The applicant's role within the group, including the functions or services it will receive from and/or provide to its affiliates within the group, if any. Where possible, the applicant should provide an estimate of the level of resources (in terms of headcount and time commitment) provided by other affiliates within the group to support its business operations in Singapore.

  • Confirm that all its entities are fully licensed/registered and provide the licensing/registration details of each entity. The applicant should provide a copy of its license/registration certificate or its licensing/registration status information from the regulator’s website. The applicant should disclose any regulatory enforcement actions/investigations in which any of its entities may be involved.

- A comprehensive risk assessment of all digital tokens and digital token services (e.g. trading platforms, custody) that it intends to support or provide, including its token listing governance process. The applicant should provide a complete list of supported digital tokens and explain its assessment of the nature of the tokens (e.g. whether they are security tokens or payment tokens) based on the MAS regulatory framework.

- Its consumer access measures and business conduct measures for maintaining customer digital token access and operational controls in Singapore, daily reconciliation of customer accounts and provision of information to customers on monthly account statements, risk management controls (controls on the movement of customer assets), and disclosures to customers.

Legal advice

Applicants are required to provide a legal opinion issued by a well-known law firm regarding the regulated digital token services to be provided under their proposed business model. The legal opinion should include (but not be limited to) the following:

- A clear and concise summary of the applicant's business model and each service and product that the applicant proposes to provide (including the asset/fund flows and parties involved for each service/product, if applicable).

- An assessment of whether the proposed service or product is a regulated digital token service under the FSM Act. This assessment should include a detailed and comprehensive analysis of whether each regulated digital token service is appropriate for each proposed service or product. The assessment should also take into account all relevant laws, notices, guidelines, circulars and FAQs.

- If any proposed service or product is assessed to be exempt or unregulated, a detailed explanation of how the relevant exemption or exception applies is required.

- Confirmation that the legal opinion will be disclosed to MAS.

Information required for compliance, risk management, systems and controls

Technology Risk Management

Applicants should develop a framework for assessing and managing technology risks and take measures that are commensurate with the risk level and complexity of the financial services provided and the technology that supports those services to protect customer data, transactions and systems. Applicants should refer to the Technology Risk Management Notice [FSM-N30], the Cybersecurity Notice [FSM-N31] and the Technology Risk Management Practice Guide for information technology risk management principles and regulatory expectations.

Compliance and Audit

Applicants should provide the following information and documents consistent with the nature of the proposed business model:

  • AML/CTF policies and procedures demonstrating compliance with MAS Notice FSM-N27 and the relevant targeted financial sanctions requirements. This should include a framework for assessing and monitoring agents and third-party partners (both local and overseas).

  • An enterprise-wide money laundering/terrorist financing/proliferation financing risk assessment (“EWRA”). Applicants should also include a tax evasion risk assessment in their EWRA.

  • AML/CTF governance, escalation and reporting arrangements. This should include details of the involvement of the sole proprietor, partners, managers or directors and the CEO and other senior management in monitoring and addressing AML/CTF issues that may arise in the course of the business.

  • An implementation plan for the compliance management arrangements, including the processes rolled out and the systems to be used.

  • The name and resume (“CV”) of the Compliance Officer, including details of any formal compliance certifications, e.g. ACAMS, IBF certifications.

  • If the organizational chart does not include the staffing arrangements and reporting lines for the compliance function, then relevant details are required. This should include details of all outsourced compliance functions, including the location of the outsourced provider and team, the applicant's relationship with the outsourced provider (e.g. supplier, parent company), the outsourced provider's licensing/registration status, and the monitoring arrangements.

  • Internal and external audit arrangements.

Equity Structure

The applicant should provide a complete shareholding structure diagram (up to the ultimate controller), and the ultimate controller should be a natural person.

If the applicant does not have a 20% controlling shareholder, written confirmation is required.

Appendix 4

A4 Annual License Fee

In accordance with section 140 of the FSM Act, licence fees are payable on an annual basis as detailed in the Schedule to the FSM Regulations. All licence fees paid are non-refundable.

Licensees should enter into a GIRO agreement with MAS to pay their licence fees annually. Licensees should ensure that the details of their GIRO agreement are up to date and that there are sufficient funds in their bank accounts by the deduction date specified in the fee notice.

Pro rata licence fee for new licensees

For new licensees that were not licensed on January 1 of the current year, the licence fee for the first calendar year is calculated pro rata on the fixed annual licence fee for the period from the licence issuance date to December 31 of the same year. Example 1 shows how the first-year licence fee is calculated.

Example 1 A company obtains a DTSP license on December 1, 2025.


Appendix 5

A5 Rules for Participation in the Application Review Process

Initial Review and Information Requests

The application review process begins with the assignment of a case officer and receipt of all required information and documents from the applicant. Depending on the volume of applications received, case assignment may not occur immediately after MAS receives the application. Once the case is assigned, the case officer will contact the applicant to inform them of the necessary next steps, which may include a kick-off meeting.

The case officer will review the full set of documents submitted, which usually constitutes the first round of information requests that the applicant will receive. The case officer will also conduct a preliminary review of the applicant's business model. During the review process, there may be multiple rounds of information and clarification requests depending on the completeness of the responses submitted by the applicant.

Applicants should always ensure that their applications meet the admission criteria set out in these Guidelines and contain the necessary information as required by Appendix 3 of these Guidelines before submitting their applications. MAS reserves the right to reject applications if the submissions are assessed to be materially incomplete or contain significant deficiencies. Applicants should also always have a contact person available to follow up on these information requests and provide a full response in a timely manner. Applicants should promptly notify MAS of any changes to the contact person.

Applicants must disclose all material information to the case officer promptly, proactively and fully, without concealing anything. Any information that is found to have been deliberately obscured, concealed or delayed without good cause will be considered a material deficiency. Applicants are reminded that they must take reasonable care to ensure that the information and documents provided to MAS are not false or misleading. A person who contravenes section 176(1) or 176(3) of the FSM Act may be guilty of an offence and may be liable to a fine or imprisonment upon conviction.

Timeliness and quality of responses

MAS will usually give applicants a deadline to respond to a request for information. If an applicant fails to respond within the specified time, MAS will consider the application to be withdrawn. If an applicant requires additional time to prepare a response, they should notify the case officer in advance.

Applicants must also balance the time needed to prepare a sufficient and comprehensive response against the temptation to rush a response in order to expedite the review. Failure to provide a satisfactory and comprehensive response will be assessed as a deficiency, which may result in unfavourable consideration of the application.

Interview

The case officer will usually arrange for an interview with the applicant's key management personnel and/or compliance officer. All representatives of the applicant should take their interactions with the case officer seriously. The purpose of the interview is for the applicant to explain how it intends to manage its business and risks to comply with regulatory requirements. Consultants, external legal counsel and other third parties are not permitted to attend the interview. This is because even if the applicant outsources any of its functions, it remains responsible for meeting its regulatory obligations.

Potential situations where the case officer has reasonable grounds to believe that the applicant is unable to adequately perform the obligations of a licensee include, but are not limited to, the following:

  • Failure to attend the interview without valid reasons;

  • Inability to answer questions clearly during the interview;

  • Insulting the case officer.

If there are significant changes to an application after the interview but before a decision is made, the case officer may arrange an additional interview with the applicant. Examples of such changes include changes in the appointment of the applicant’s key personnel or changes in the applicant’s business model.

MAS’s review process

Case officers are obliged to conduct a comprehensive assessment of applications. Even at the application stage, an applicant is seeking to be licensed and thus to become subject to ongoing regulation and supervision. Case officers will review applications in this light and expect applicants to conduct themselves as if they were already regulated financial institutions. Applicants who fail to do so will be assessed as having potentially significant deficiencies, which may result in the application being rejected.

Suspended applications

MAS should be informed immediately of any changes to the information provided after the application has been submitted. If there are material changes to the application, the applicant may want to consider withdrawing the application and reapplying once the changes have been made, as the application will not be reviewed until then.

MAS has the power to hold applications that are assessed as not ready for review for six months if there is a significant corporate restructuring, a significant change in key management personnel, or a significant change in business model/activities during the review process. While such significant changes may not be foreseeable by the applicant, the hold period allows resources to be diverted away from these incomplete applications to ensure fairness to all other ready applicants in the queue.

During the hold period, it is the applicant’s responsibility to ensure that all necessary changes are resolved/completed in a timely manner and to provide relevant documents to MAS for assessment at the end of the hold period. The default hold period is six months and is not extendable. If significant changes are not completed within the hold period, the application will be assessed as not ready for review and the applicant should consider withdrawing the application.

Withdrawal of application

Applicants have the right to withdraw their applications at any time. Applicants may also be advised to withdraw their applications if, following MAS review, there are fundamental issues that cannot be adequately resolved within a reasonable time, or if the application is assessed to have significant deficiencies. Applicants should note that where the case officer makes such an assessment, other applicants in similar circumstances have likewise not been approved. Robust controls are in place to ensure that case officers make fair, objective and verifiable assessments. Each application and its supporting documentation undergoes a rigorous review by a team of case officers, supervisory officers, and review and approval bodies. Applicants should therefore take the review process and its outcomes seriously.

If the applicant intends to resubmit the application, it must ensure that all issues and deficiencies have been adequately addressed. Resubmission of the application without correcting the issues previously raised by MAS may result in refusal.

In relation to the suspension of applications, significant changes in key management personnel refer primarily to changes in key C-suite positions such as the Chief Executive Officer, Chief Financial Officer, Chief Risk Officer and Chief Compliance Officer. However, applicants should also evaluate and highlight changes in other positions that should be considered key management personnel, based on their criticality to the business model and the importance of their reporting lines.

Appendix 6

A6 Independent Assessment by External Auditors

A. Technical and cybersecurity risks:

(To be completed by applicants after in-principle approval)

  1. Criteria for the appointment of an external auditor to carry out an independent assessment of technology and cybersecurity risks

  The external auditor appointed by the applicant to carry out the independent assessment should meet the following criteria: the business head should be of sufficient seniority and have sufficient experience and expertise in the areas of technology and cybersecurity risk (“technology risk”). It is the applicant's responsibility to ensure that an appropriately qualified independent external auditor is appointed to conduct an independent assessment of its technology risk policies, procedures and controls.

  2. Scope of assessment

  Below is a list of the technology and cybersecurity risk areas that will be assessed by the independent external auditor as a condition of the In-Principle Approval (IPA).

I. Cybersecurity

a. Taking into account the applicant’s proposed business model, products, services, funding flows and delivery channels,
i. Identify any gaps with relevant regulatory requirements as set out in MAS’ FSM-N31 Cybersecurity Notice;
ii. Highlight areas of improvement required to mitigate cybersecurity risks.

II. Data Loss Prevention

a. Review and assess the applicant’s proposed Information Protection Policy and Controls (IPPCs) in the following areas:
i. Protection of sensitive data (including customer data) during transmission and storage;
ii. Detection and prevention of unauthorized access to or disclosure of sensitive data (including customer data), covering communications, transmission and storage;
iii. Protection of custodial wallet cryptographic keys.
b. Taking into account the applicant’s proposed business model, products, services, funding flows and delivery channels,
i. Identify any gaps with applicable technology risk management regulatory requirements (including but not limited to MAS FSM-N30 Technology Risk Management Notice and Section 11 of the Technology Risk Management Guidelines);
ii. Highlight areas of improvement required to mitigate the technology risks posed by its proposed business model.

III. Penetration Testing

a. Review and evaluate the applicant's proposed IPPCs with respect to penetration testing systems, including:
i. The frequency of penetration testing is determined based on factors such as system criticality and the cyber risks faced by the system. For systems that are directly accessible from the Internet, applicants should conduct penetration testing at least annually or when these systems undergo major changes or updates to verify the adequacy of security controls;
ii. Service Level Agreements (“SLAs”) for remediation of penetration test results that are commensurate with the level of risk involved.
b. Review and assess whether penetration testing conducted (within the past 12 months) on the applicant's proposed online financial services was relevant and sufficient to identify critical security vulnerabilities.
c. Taking into account the applicant’s proposed business model, products, services, funding flows and delivery channels,
i. Identify any gaps with applicable technology risk management regulatory expectations (including but not limited to Section 13.2 of the Technology Risk Management Guidelines);
ii. Highlight areas of improvement required to mitigate the technical risks posed by its proposed business model.

IV. Digital Wallets and Smart Contracts

a. Review the applicant’s proposed IPPCs and assess whether the proposed IPPCs include the following controls that are commensurate with the applicant’s proposed business model, products, services, financial flows and delivery channels:
i. Follow secure design principles (including appropriate access controls, thorough testing, regular updates to stable releases, static and dynamic code analysis) throughout the system development lifecycle of its proposed systems and smart contracts (if relevant);
ii. Development of smart contracts, including controls to ensure smart contracts are protected from cyber threats and vulnerabilities through secure development, DevSecOps, and testing to prevent unauthorized access, data breaches, and exploitation of security vulnerabilities;
iii. Controls to ensure high availability of critical systems, together with system and business recovery priorities (including root cause and impact analysis), so that rapid recovery strategies exist for such systems;
iv. Use technologies such as multi-party computation and threshold signature schemes to protect custodial wallets;
v. Implement network isolation between the custodial wallet system and other information systems/the Internet to prevent unauthorized connections;
vi. Separation of custodial wallet cryptographic key components to ensure that no single person or system has access to the complete key at any time (i.e., following the “never alone” principle, requiring at least two authorized persons to coordinate and approve key management operations).
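Added example (not part of the Guidelines and not MAS-prescribed code): one way to implement the key component separation in IV(a)(vi), splitting a custodial signing key with Shamir secret sharing so that no single custodian holds the complete key and a quorum (here 2 of 3) must cooperate to use it. The key is assumed to be a secp256k1-style scalar (reduced modulo the real group order N); the sample key is constructed. Note that this approach reassembles the full key at use time, whereas the multi-party computation and threshold signature schemes named in IV(a)(iv) never reconstruct it.

```python
import secrets

# Order of the secp256k1 group; private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(key: int, threshold: int, holders: int) -> list[tuple[int, int]]:
    """Return `holders` shares (x, y); any `threshold` of them rebuild `key`."""
    if not 1 <= key < N or not 2 <= threshold <= holders:
        raise ValueError("bad key or quorum parameters")
    # Random polynomial f(x) = key + a1*x + ... + a_{t-1}*x^(t-1) over GF(N);
    # the constant term is the key, so f(0) == key.
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares


def reconstruct_key(shares: list[tuple[int, int]], threshold: int) -> int:
    """Lagrange interpolation at x = 0; refuses to proceed below the quorum."""
    if len(shares) < threshold:
        raise ValueError("quorum not met: 'never alone' control enforced")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        key = (key + yi * num * pow(den, -1, N)) % N
    return key


def demo() -> bool:
    """Split a constructed key 2-of-3 and check every pair rebuilds it."""
    key = int.from_bytes(b"constructed sample key, not real", "big") % N
    s = split_key(key, 2, 3)
    pairs = [(s[0], s[1]), (s[0], s[2]), (s[1], s[2])]
    ok = all(reconstruct_key(list(p), 2) == key for p in pairs)
    try:
        reconstruct_key(s[:1], 2)  # a single custodian must be refused
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("quorum demo ok:", demo())
```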
