Crypto License in Singapore

The PSA defines a “digital payment token” (DPT) as any digital representation of value that is not denominated in any currency, can be transferred or stored electronically, and is intended as a medium of exchange. This definition captures Bitcoin, Ethereum, stablecoins pegged to fiat, and virtually all utility and payment tokens traded on exchanges.

In April 2024, MAS expanded the scope of regulated DPT services to include custodial services, cross-border transfer facilitation, and token exchange between different DPT types. Any entity providing these services — whether to Singapore residents or overseas customers from a Singapore base — must hold a valid Payment Services licence.

The licence tier you need depends on your monthly transaction volume:

• Standard Payment Institution (SPI) — for businesses processing less than SGD 3,000,000 per month for any single payment service and less than SGD 6,000,000 per month across all services combined.
• Major Payment Institution (MPI) — required once either volume threshold is exceeded. Carries higher capital requirements, a mandatory security deposit, and stricter governance obligations.

Singapore’s Financial Services and Markets Act 2022 (FSMA) introduced Part 9, establishing a separate Digital Token Service Provider (DTSP) licensing regime effective 30 June 2025. This regime was designed as a narrow gap-filling measure — it captures only activities that do not already fall under the PSA, the Securities and Futures Act, or the Financial Advisers Act.

PSA licensees are exempt from DTSP licensing for activities already covered by their PSA licence (FSMA s.137(5)), even when serving overseas customers. The two frameworks differ as follows:

In practice, MAS has stated it will grant new DTSP licences only in “extremely limited circumstances.” For the vast majority of crypto businesses, the PSA remains the sole viable licensing route. The DTSP regime is relevant only to a narrow class of overseas-facing activities that genuinely fall outside PSA coverage.

Any business that provides one or more DPT services from Singapore — whether to local or overseas customers — must hold a PSA licence. The following activities are expressly regulated:

• Cryptocurrency exchanges — platforms facilitating the buying, selling, or exchange of DPTs for fiat currency or other DPTs.
• OTC desks — over-the-counter dealing services that buy or sell DPTs directly with customers outside an order-book exchange.
• Crypto wallet providers — services that store customers’ private keys or provide interfaces for managing DPT holdings.
• Custodians — entities that safeguard DPT assets on behalf of customers, including institutional custody and sub-custody arrangements.
• DPT transmission services — facilitating the transfer of DPTs from one account or address to another on behalf of customers.

If your platform deals with tokens classified as capital markets products (e.g., security tokens representing shares or debt), you may also need a Capital Markets Services licence under the Securities and Futures Act — in addition to or instead of a PSA licence. MAS applies a substance-over-form analysis to determine classification.

Operating any of these services without a valid MAS licence is a criminal offence under Section 5(1) of the Payment Services Act 2019. The penalty is a fine of up to SGD 125,000 and/or imprisonment of up to 3 years, with an additional fine of up to SGD 12,500 for each day the offence continues after conviction.

An SPI licence applies when your projected monthly transaction volume remains below SGD 3,000,000 for any single payment service and below SGD 6,000,000 in aggregate across all services. If you also hold e-money, the outstanding float must stay below SGD 5,000,000 on any given day. Breaching any one of these thresholds triggers mandatory upgrade to an MPI licence.

Compliance obligations for an SPI are lighter than for an MPI, but far from trivial:

• Resident AML/CFT officer — a Singapore-resident compliance officer at management level must be appointed and named in the application. This person must be independent of revenue-generating functions.
• Licensed auditor — annual independent audits covering financials, AML/CFT controls, and cybersecurity are mandatory from the first year of operations.
• Fund segregation — customer monies and digital payment tokens must be held in segregated accounts or trust arrangements, separate from operating funds.
• MAS Notice PSN02 — full AML/CFT programme including customer due diligence, ongoing monitoring, Travel Rule compliance, and suspicious transaction reporting.
• PS-G03 90% cold storage — at least 90% of customer digital payment token assets must be held in cold storage at all times, with documented safeguarding procedures.
• Daily reconciliation — daily balance reconciliation of all customer assets is mandatory; discrepancies must be investigated and reported within prescribed timeframes.

An MPI licence becomes mandatory when your business breaches any SPI threshold — either the SGD 3,000,000 single-service cap, the SGD 6,000,000 aggregate cap, or the SGD 5,000,000 e-money float ceiling. You cannot voluntarily remain on an SPI licence once volumes exceed these limits; MAS requires notification and upgrade within a prescribed period.

The MPI tier imposes a substantially higher regulatory burden:

• Base capital SGD 250,000 — minimum paid-up capital must be maintained at all times. A breach triggers immediate notification to MAS and remediation within a specified period.
• Security deposit SGD 100,000–200,000 — an MPI must lodge a security deposit with MAS (or provide a bank guarantee): SGD 100,000 if monthly transaction volume is ≤ SGD 6,000,000, or SGD 200,000 if volume exceeds that level.
• Enhanced governance — MAS expects a dedicated compliance function with clear reporting lines to the board, a risk management committee, and documented escalation procedures for regulatory breaches.
• Stricter ongoing reporting — MPIs face more frequent and detailed regulatory returns, including quarterly financial statements and ad-hoc reporting on material changes to the business.

The table below summarises the key differences between the SPI and MPI licence tiers. All figures are per MAS licensing requirements for payment service providers.

MAS sets a minimum base capital that must be paid up and maintained at all times. The threshold determines whether you qualify as a Standard Payment Institution (SPI) or must apply for a Major Payment Institution (MPI) licence:

If your transaction volumes start below the SPI ceiling but you expect rapid growth, incorporate with SGD 250,000 from the outset. Upgrading from SPI to MPI mid-operation requires a fresh application and introduces a compliance gap that MAS scrutinises closely.

Major Payment Institutions must lodge a security deposit with MAS before commencing operations. The deposit protects consumers in the event of insolvency and scales with your monthly transaction volume:

Standard Payment Institutions are exempt from the security deposit requirement entirely — this is one of the material cost advantages of staying within SPI thresholds.

The deposit must remain in place for the full duration of the licence. MAS will not release it until all customer obligations have been discharged, even after voluntary surrender of the licence.

If you choose a bank guarantee rather than a cash deposit, negotiate a multi-year facility upfront. Annual renewals create a window of non-compliance risk that MAS may flag during inspections.

MAS publishes a fixed fee schedule for Payment Services licence applications. These are non-refundable regardless of outcome and payable per service at the point of submission via the MAS e-Licensing portal.

The security deposit scales with transaction volume: SGD 100,000 if your monthly DPT transactions are SGD 6,000,000 or below, and SGD 200,000 once they exceed that threshold. The deposit may be held as cash with MAS or as a bank guarantee from an approved institution. SPIs are not required to maintain a security deposit at any volume level.

The application fee is a rounding error in your total budget. Below is a realistic breakdown of what first-year licensing actually costs, including preparation, capital lock-up, and ongoing obligations:

When you total these figures, a realistic all-in budget for an SPI licence sits at SGD 200,000–350,000 in the first year, while an MPI licence typically requires SGD 400,000–500,000+. These ranges assume a straightforward single-service application; multi-service filings, complex corporate structures, or expedited timelines push costs higher.

Total elapsed time from incorporation to licence issuance is typically 6–12 months. The compliance preparation phase (Weeks 1–8) can run in parallel with incorporation, but MAS will not begin its review until a complete Form 1 submission is accepted through the e-Licensing portal.

Your operating entity must be a Singapore-incorporated private limited company registered with ACRA. Standard incorporation takes 1–3 business days for straightforward applications. The company must have a registered office address in Singapore and a constitution that does not restrict the proposed DPT activities.

At least one director must be ordinarily resident in Singapore under the Companies Act s.145. MAS expects this individual to be actively involved in the business — a purely nominal appointment will not satisfy the fit-and-proper assessment. All directors and substantial shareholders are evaluated against MAS’s Guidelines on Fit and Proper Criteria, which examine honesty, integrity, reputation, competence, and financial soundness.

Any person who becomes a 20% controller of the licensed entity must obtain MAS approval in advance under PSA s.27/28. This includes indirect controllers and persons acting in concert. MAS will reject or revoke a licence where a controller is deemed unfit.

A qualified company secretary ordinarily resident in Singapore must be appointed within six months of incorporation. The secretary cannot be the sole director.

MAS requires every DPT service provider to appoint a dedicated AML/CFT compliance officer. This person must meet three criteria simultaneously:

• Singapore residency — the compliance officer must ordinarily reside in Singapore and be available for MAS engagement at short notice.
• Management-level seniority — the officer must hold a position at or above middle management, with direct reporting access to the board or CEO.
• Independence of function — the compliance role cannot be subordinated to revenue-generating functions or combined with sales responsibilities.

Under MAS Notice PSN02, the compliance officer bears personal responsibility for ensuring the entity’s AML/CFT programme is implemented, maintained, and updated. MAS assesses this individual’s qualifications and track record as part of the licence application.

The CEO or executive director is also subject to a separate fit-and-proper assessment. MAS may conduct interviews with key personnel during the review period and reserves the right to object to any appointment it considers inadequate.

The following documents must accompany your Form 1 submission via the MAS e-Licensing portal. An incomplete package will not be reviewed — MAS returns it and the assessment clock resets.

• Form 1 — the prescribed MAS application form for a Standard or Major Payment Institution licence, completed for each DPT service you intend to provide.
• Business plan — a detailed five-year financial projection covering revenue model, customer acquisition strategy, liquidity management, and ownership structure.
• AML/CFT policies — a comprehensive compliance manual aligned to MAS Notice PSN02, covering CDD, enhanced due diligence, transaction monitoring, and suspicious transaction reporting.
• Risk assessment — an enterprise-wide ML/TF risk assessment identifying inherent risks by customer type, product, geography, and delivery channel, with corresponding mitigating controls.
• Cybersecurity plan — a technology risk management framework consistent with MAS Notice FSM-N13, covering system access controls, incident response, vulnerability management, and business continuity.
• Flow diagrams — visual representations of customer onboarding flows, transaction processing paths, and fund/asset custody arrangements demonstrating how DPT moves through your systems.
• Legal opinion — a written analysis from qualified counsel confirming that your tokens and services are correctly classified under the PSA and, where applicable, the FSMA Part 9 DTSP framework.
• Audited financials — audited or management accounts for the applicant entity (or its parent), demonstrating the capacity to meet minimum base capital requirements from incorporation.

PSN02 imposes a full suite of AML/CFT controls across your customer lifecycle and transaction activity. Every DPT licensee — SPI and MPI alike — must implement and maintain each of the following:

• Customer Due Diligence (CDD) — Verify customer identity before establishing a business relationship. Standard CDD applies to all customers; enhanced due diligence (EDD) is mandatory for higher-risk customers, politically exposed persons, and complex or large transactions where ownership is unclear.
• Ongoing Monitoring — Continuously screen transactions and customer behaviour against your risk profile. MAS expects you to detect patterns inconsistent with the stated nature of a customer’s business and to act on them promptly.
• Suspicious Activity Reports (SARs) — File reports with the Suspicious Transaction Reporting Office (STRO) whenever a transaction gives rise to reasonable grounds for suspicion of money laundering or terrorism financing. There is no materiality threshold — the obligation attaches to the suspicion, not the amount.
• Record-Keeping — Retain CDD documents, transaction records, and internal investigation files for a minimum of five years. Records must be retrievable promptly on MAS request.
• AML/CFT Compliance Officer — Appoint a management-level officer resident in Singapore who holds responsibility for the programme and reports directly to senior management. MAS will assess this individual’s competence as part of your licence application.

Singapore implemented the FATF Travel Rule for DPT transfers under PSN02. When you send or receive a DPT transfer above the applicable threshold, you must collect, verify, and transmit originator and beneficiary information to the counterparty institution. For outgoing transfers, you must screen beneficiary information before executing the transaction. For incoming transfers, you must screen originator data before making funds available to the recipient. Transfers to or from unhosted wallets require additional due diligence steps to establish the ownership of those wallets.

Alongside the Travel Rule, MAS Notice FSM-N13 establishes technology risk management obligations that sit alongside your AML/CFT controls. FSM-N13 requires DPT licensees to conduct regular penetration testing of customer-facing and internal systems, maintain a vulnerability remediation programme with defined resolution timelines, and report material technology incidents to MAS within prescribed windows. In practice this means you need a documented IT security framework — not just a policy document, but evidence of testing cycles, remediation tracking, and board-level oversight of technology risk — before MAS will be satisfied that your licence application reflects a fully operational compliance function.

MAS Guidelines PS-G03 require DPT service providers to hold at least 90% of customer digital payment token assets in cold storage at all times, with daily balance reconciliation of all customer assets. MAS expects your technology controls and your AML/CFT controls to function as an integrated programme, audited annually by an independent external auditor covering both AML/CFT compliance and technology risk.

MAS Guidelines PS-G03 require DPT service providers to hold at least 90% of all customer digital payment token assets in cold storage at all times. The safeguarding requirements took effect on 4 October 2024, with full custody measures applying from 19 June 2025. Although PS-G03 is framed as “guidelines” rather than binding regulations, MAS treats non-compliance as grounds for supervisory action — in practice, the distinction carries little operational difference for licensees.

In practice, “cold storage” means private keys that are never exposed to an internet-connected environment — air-gapped hardware devices, offline multi-signature schemes, or third-party institutional custody solutions that meet MAS’s standards. The remaining ≤10% of assets may be held in hot wallets to service withdrawals and operational liquidity, but this ceiling is firm.

• Segregation — customer assets must be held separately from the licensee’s own assets at all times. Commingling is a breach of licence conditions.
• Custody documentation — you must maintain written policies governing key management, access controls, and recovery procedures. MAS expects these policies to be reviewed and tested regularly.
• Third-party custodians — if you outsource custody, the custodian must be approved and the arrangement must not dilute your regulatory obligations. You remain fully accountable to MAS.

The 90% cold storage threshold is not aspirational guidance — it is a hard floor. Build your wallet architecture to stay comfortably above it, not to hover at the minimum.

MAS post-licensing obligations require daily entity-level reconciliation of customer assets. Every business day, your records of customer balances must match the assets actually held in custody — both on-chain and in cold storage. Any discrepancy must be identified, investigated, and resolved promptly. MAS expects this process to be documented and auditable on demand.

Beyond the daily cycle, licensees must commission annual independent external audits covering three distinct areas:

• Financial audit — standard statutory audit of the licensee’s financial statements, conducted by an approved auditor. Required for all PSA licensees.
• Compliance audit — an independent review of AML/CFT controls, customer due diligence processes, and adherence to MAS Notice PSN02. The auditor must have no operational relationship with the compliance function being reviewed.
• Cybersecurity audit — an independent technical assessment of your technology infrastructure, key management systems, and cyber resilience. MAS expects this to be performed by a qualified external party, not internal IT staff.

All three audits must be completed by independent external auditors — you cannot self-certify. Audit reports are submitted to MAS as part of ongoing supervisory oversight. Budget for these as recurring annual costs, not one-off exercises.

MAS PS-G02 — the Guidelines on Provision of Digital Payment Token Services to the Public — places strict limits on how licensed DPT service providers may promote their services to the general public in Singapore. The restrictions exist because MAS does not consider DPT trading appropriate for retail consumers and does not want licensees driving general public demand.

Under PS-G02, marketing directed at the Singapore public is permitted only through these channels:

• Your own website — owned and operated by the licensee.
• Your own mobile application — the app through which customers access your services.
• Your official social media accounts — accounts registered in the licensee’s name, not third-party profiles.

The following are prohibited for DPT service advertising directed at the public in Singapore:

• Public advertising — no transit ads, outdoor billboards, or physical placements in public spaces.
• Broadcast and print media — no television, radio, newspaper, or magazine advertisements.
• Third-party digital placements — no paid advertising on external websites, apps, or platforms.
• Influencer marketing — no paid endorsements or promotional arrangements with individuals outside your organisation.
• Unsolicited promotions — no cold outreach, pop-up ads, or promotional messages sent to people who have not opted in.

These restrictions apply to marketing directed at the general public in Singapore. Communications with existing customers, responses to direct enquiries, and B2B marketing to institutional counterparties fall outside the scope of PS-G02. However, the boundary between permitted institutional outreach and prohibited public-facing promotion can be narrow — document your rationale for each campaign before launch.

Singapore’s headline corporate income tax (CIT) rate is 17% — one of the lowest in Asia-Pacific for a Tier-1 financial centre. For Year of Assessment (YA) 2026, the government provides a 40% Corporate Income Tax Rebate capped at SGD 30,000 per company. In addition, qualifying companies receive a CIT Rebate Cash Grant of SGD 1,500, providing further relief in the first years of operation.

Singapore taxes on a territorial basis: only income sourced in or remitted to Singapore is subject to CIT. However, the Foreign-Sourced Income Exemption (FSIE) regime means that foreign-sourced income — including dividends, branch profits, and service income — can be received in Singapore tax-free if certain conditions are met: the income has been subject to tax in the source jurisdiction (headline rate of at least 15%), and the remittance is beneficial to the Singapore company. For crypto companies structuring multi-entity operations across jurisdictions, the interplay between territorial taxation and FSIE determines whether offshore revenue can flow back to the Singapore holding entity without additional tax cost.

IRAS — Corporate Income Tax Rate, Rebates and Tax Exemption Schemes

Singapore does not impose capital gains tax. Gains arising from the disposal of digital payment tokens held as long-term investments are not taxable — a significant advantage for crypto treasuries and venture-backed token portfolios.

For GST purposes, the exchange of Digital Payment Tokens (DPTs) for fiat currency or other DPTs is treated as an exempt supply — not zero-rated. This distinction matters: exempt supplies do not attract GST but also do not allow recovery of input GST on related expenses. Since 1 January 2024, intermediary services (such as brokerage, custody, and advisory services connected to DPT transactions) attract GST at the standard rate of 9%. NFT transactions may not qualify for the DPT exemption — IRAS has indicated that NFTs do not meet the definition of a digital payment token under the GST Act, meaning sales of NFTs may be subject to 9% GST if the supplier is GST-registered.

IRAS — GST Treatment of Digital Payment Tokens

Newly incorporated Singapore companies — including crypto licensees — qualify for the Start-up Tax Exemption (SUTE) scheme during their first three consecutive Years of Assessment. The exemption applies as follows:

• 75% exemption — on the first SGD 100,000 of normal chargeable income
• 50% exemption — on the next SGD 100,000 of normal chargeable income

This results in a maximum tax exemption of SGD 125,000 per YA (75% of SGD 100,000 = SGD 75,000 plus 50% of SGD 100,000 = SGD 50,000). For a crypto company earning SGD 200,000 in its first year, the effective tax rate falls below 5% — significantly below the headline 17% rate.

After the first three YAs, the company transitions to the Partial Tax Exemption scheme for established companies, which provides 75% exemption on the first SGD 10,000 and 50% on the next SGD 190,000. While less generous than SUTE, it still reduces the effective rate on the first SGD 200,000 of income to approximately 8.3%.

MAS publishes detailed guidance, consultation responses, and binding notices that tell applicants exactly what compliance looks like. Two documents anchor the DPT regulatory framework: MAS Notice PSN02 sets out AML/CFT requirements for DPT service providers, while Guidelines PS-G02 governs consumer-protection standards and advertising restrictions. That transparency reduces operational uncertainty and, crucially, makes your compliance posture legible to counterparties. Global custodians, prime brokers, and institutional investors treat MAS oversight as a credible proxy for governance quality.

The licensing framework is also broad-based. The PSA covers both domestic and overseas-facing DPT services — trading, custody, transfer, and exchange — under a single regulatory umbrella. Between the PSA and the narrower FSMA Part 9 DTSP regime (effective 30 June 2025), most crypto business models can find a regulated home under Singaporean law without needing multiple licences.

Singapore sits at the intersection of South-East Asia’s 700-million-person consumer market and the institutional capital flows that move through Hong Kong, Tokyo, and Sydney. Operating from Singapore gives your business a physical and regulatory anchor that carries weight across the region. Local presence — required under Companies Act section 145 (resident director) and MAS rules (resident AML/CFT compliance officer) — is not just a box-tick: it puts your team in the same time zones as your customers and regulators, which accelerates decisions and builds relationships that remote licensing structures cannot replicate.

Singapore operates a territorial tax system with a 17% headline corporate rate, but three features reduce effective costs:

• New company exemption — 75% exemption on the first SGD 100,000 of chargeable income and 50% on the next SGD 100,000 for each of the first three Years of Assessment, bringing the effective rate to roughly 6.4% on the first SGD 200,000.
• No capital gains tax — gains on disposal of capital assets are generally not taxed in Singapore. Since 1 January 2024, Section 10L taxes certain foreign-sourced disposal gains received by entities without sufficient economic substance, but domestically-held crypto capital gains remain outside the tax net.
• DPT exchange GST exemption — the exchange of Digital Payment Tokens is an exempt supply under GST rules since 1 January 2020, meaning no GST applies to token trading. Intermediary service fees (exchange commissions, wallet fees) remain subject to the current 9% GST rate.

For a detailed breakdown of how Singapore taxes crypto businesses, see the full taxation section below.