Jan 12, 2024
8 min read

Singapore Crypto Regulations—All You Need to Know in 2024

Learn about compliance requirements and licensing procedures

Singapore has a system for regulating crypto firms, known as “digital payment token (DPT) providers” in the country. Accordingly, the Payment Services Act (PSA) 2019 establishes a regulatory framework for DPT service providers in Singapore. 

In November 2023, the Monetary Authority of Singapore announced plans to tighten regulations for DPT providers, meaning they’ll have to quickly adapt to a new regulatory environment. 

To help you navigate Singapore’s crypto environment, we at Sumsub prepared this guide explaining the specifics of the country’s regulations. 

Crypto is not considered legal tender in Singapore, but it can be used as an alternative means of payment (Legal tender refers to the officially-recognized currency that can be used to settle debts and fulfill financial obligations within a country). In Singapore, the legal tender is the Singapore Dollar (SGD), issued and regulated by the Monetary Authority of Singapore (MAS).

Regulation of DPT services 

The main law regulating crypto businesses is the Payment Service Act (PSA). It was introduced in 2019 to provide a more coherent set of regulations, including rules for licensing and exemptions. We will discuss this part in detail in the following sections.

The Monetary Authority of Singapore (MAS) is continuously working to improve the regulatory framework of DPT services in the country, issuing several Notices and Guidelines aimed to clarify some regulatory requirements:

  • Notice PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism—Digital Payment Token Service
  • Guidelines to Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service
  • Guidelines on Provision of Digital Payment Token Services to the Public [PS-G02]

In May 2023, the MAS issued its Consultation Paper on Proposed Amendments to Payment Services Regulations 2019.

On July 3, 2023, the MAS announced new requirements for DPT services to safekeep customer assets under a statutory trust before the end of the year. This will mitigate the risk of loss or misuse of customer assets, and facilitate their recovery in the event of a DPT insolvency. The MAS then carried out a public consultation on the draft legislative amendments to the Payment Services Regulations to put the July requirements into effect (the consultation was closed on August 3, 2023).

Who is affected?

In Singapore, DPT services include:

  • Any service facilitating the exchange of digital payment tokens, namely establishing or operating a DPT exchange, where the person that establishes or operates that DPT exchange comes into possession of any money or DPT
  • Any service that deals with digital payment tokens—namely buying or selling DPTs in exchange for money or any other DPT (either the same or a different type)

The 2021 Amendment Act proposes to expand the definition of DPT services to entities:

  • Transferring DPTs
  • Providing custodian wallets for or on behalf of customers
  • Brokering DPT transactions (without possession of money or DPTs)

It should be noted that the Act is not in force yet. 

Anti-money laundering (AML) requirements

DPT providers in Singapore must implement AML/CFT procedures and policies, including:

  • Risk assessment and risk mitigation, which includes assessing the possibility of engagement in ML/TF activities by clients and ways to prevent it
  • Customer Due Diligence (CDD), which includes collecting and verifying information about customers during onboarding and analyzing the results
  • Enhanced Due Diligence measures, which are carried out on customers considered to be more high-risk 
  • Simplified Due Diligence, which is carried out under certain circumstances when the risks of money laundering and terrorism financing are low
  • Transaction monitoring, carried out to assess the trajectory of the movement of assets, the size of the assets, frequency, patterns, etc.
  • Sanctions screening, which checks if customers are present on sanction, warning, PEP, or wanted lists
  • Suspicious transaction reporting, where DPT services promptly submit reports on suspicious transactions (including attempted transactions), regardless of the amount of the transaction, to the Suspicious Transaction Reporting Office and the Commercial Affairs Department of the Singapore Police Force, extending a copy to the MAS 
  • Recordkeeping, under which the DPT service is required to retain customer information for five years
  • Marketing procedures and policies which discourage:a.Portraying DPT trading in a manner that trivializes the high risks 

Releasing any form of advertisements or promotional materials to the general public or a specific consumer segment in Singapore:

  • In public areas in Singapore, including advertising on public transport or public transport venues, or providing in-person access to DPT services through the use of ATMs
  • Through any other media directed at the general public in Singapore, including broadcast media, newspapers and magazines, public events or roadshows
  • Engaging third parties, such as social media influencers or third-party websites, including banners or pop-up advertisements on third-party social media platforms
  • Promoting payment token derivatives to the public as a convenient unregulated alternative to trading in DPTs

So long as the risks of trading in DPTs is not trivialized and the promotion is consistent with the risk disclosures required under the PSA, DPT service providers are allowed to promote their services on their own through:

  • Corporate websites
  • Mobile applications
  • Official social media accounts

Additionally, payment service providers—which include DPT providers—shall develop and implement adequate internal policies, procedures, and controls to help prevent money laundering and terrorist financing and communicate these to their employees.

Compliance

DPT service providers are required to develop appropriate compliance management arrangements, which at the least includes appointing an AML/CFT compliance officer at the management level.

Auditing

DPT service providers are required to maintain an audit function that is adequately resourced, independent, and able to regularly assess the effectiveness of their internal policies, procedures, controls, and compliance with regulatory requirements.

Training

DPT service providers should take all appropriate steps to ensure that their employees and officers (whether in Singapore or elsewhere) are regularly and appropriately trained on AML/CFT regulations, internal policies, procedures and controls on AML/CFT.

DPT license in Singapore – 2024 updates

On November 23, 2023, the MAS published its final tranche of responses regarding DPT service providers in Singapore. The new proposals aim to minimize the potential consumer harm and stipulate minimum technology and cyber risk requirements. 

The new measures from the MAS include:

  • “Identifying, mitigating and properly providing information on potential and actual conflicts of interest
  • Publishing policies, procedures and criteria that govern the listing of a DPT
  • Establishing effective policies and procedures to handle customer complaints and resolve disputes”

DPT service providers should also minimize the speculations targeting customers through:

  • “Determining a customer’s risk awareness to access DPT services
  • Not offering any incentives to trade in cryptocurrencies
  • Not providing financing, margin or leverage transactions
  • Not accepting locally issued credit card payments
  • Limiting the value of cryptocurrencies in determining a customer’s net worth”

The regulatory measures on DPT services will be implemented through MAS cryptocurrency guidelines and regulations, which will take effect in phases from mid-2024. 

If you want to learn more about the specifics of the consultation paper, you can read it here.

Travel Rule

As part of their AML obligations, DPT service providers must comply with the Travel Rule as imposed by the MAS in accordance with FATF requirements.

The Travel Rule requires DPT service providers to collect and share the personal information of clients when sending or receiving DPTs by value transfer on the account of an originator or beneficiary. Therefore, DPT service providers must provide sender and recipient data to each other during transactions.

This rule also applies to payment service providers in cases of:

  • Sending of one or more digital payment tokens by value transfer; or
  • Receiving one or more digital payment tokens by value transfer on the account of the value transfer originator or the value transfer beneficiary, but shall not apply to a transfer and settlement between the payment service provider and another financial institution where the payment service provider and the other financial institution are acting on their own behalf as the value transfer originator and the value transfer beneficiary.

If you want to learn more about the Travel Rule and how it’s applied in different counties, including Singapore, you can find all the necessary information at our Help Center

The scope of information that originators are required to share with the beneficiary provider depends on the transaction amount. If the amount of transaction is less than S$1,500 (approximately $1,106), the provider should collect and share the following information:

  • The name of the value transfer originator
  • The value transfer originator’s account number (or unique transaction reference number where no account number exists)
  • The name of the value transfer beneficiary
  • The value transfer beneficiary’s account number (or unique transaction reference number where no account number exists)

If the transaction amount exceeds S$1,500, any of the following information may be required:

  • The name of the value transfer originator
  • The value transfer originator’s account number (or unique transaction reference number where no account number exists)
  • The name of the value transfer beneficiary
  • The value transfer beneficiary’s account number (or unique transaction reference number where no account number exists)
  • Any of the following:
    •  the value transfer originator’s residential address
    • registered or business address and, if different, principal place of business, as may be appropriate
    • the value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number) the date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate)

The actions required in relation to non-hosted wallets, incomplete or missing information, and more can be found in our Help Center.

The actions required in relation to non-hosted wallets, incomplete or missing information, and more can be found in our Help Center.

The Monetary Authority of Singapore (MAS) did not grant a grace period for compliance with the Travel Rule. However, under the Payment Services (Exemption for Specified Period) Regulations 2019 (Exemption Regulations), MAS allows digital payment token service providers to operate in Singapore without a license (and, therefore, without an attestation of compliance with the Travel Rule from the regulator) throughout a specific exemption period.

Only entities that were already providing digital payment token services before January 28, 2020 are qualified for the exemption,provided that they notified the MAS of such a fact within 30 days of that date. These entities are granted a period of 6 months from January 28, 2020 (i.e., until July 28, 2020) to apply for a license for providing digital payment token services in Singapore. If the license application was submitted in time, the exemption is extended until the application is approved, rejected, or withdrawn (Exemption Regulations, section 7).

Become a crypto compliance expert!

Join Sumsub’s free crypto Travel Rule course starting on October 3, 2024. Master compliance with practical insights from industry leaders.

Register now
Become a crypto compliance expert!

Licensing requirements

Choosing a license

There are three types of licenses a company can get in Singapore, depending on their business type:

  1. The money-changing license, which suits businesses that only provide a money-changing service (i.e., the buying or selling of foreign currency)
  1. The Standard Payment Institution (SPI) license, which allows holders to provide any kind of payment services, including operations with cryptocurrency. This license can be applied if services meet the following thresholds: 
  • S$3 million monthly transactions for any payment service (other than e-money account issuance and money-changing services)
  • S$6 million monthly transactions for two or more payment services (other than e-money account issuance and money-changing services)
  • S$5 million of daily outstanding electronic money (e-money).
  1. The Major Payment Institution (MPI) license, which offers the same opportunities for companies as the SPI license does, but is meant for larger companies that go beyond the thresholds aforementioned

There may be some additional authorization/recognition requirements in relation to businesses offering digital tokens.

Obtaining a license 

Obtaining a license 

For Standard Payment Institutions (SPI), the following criteria apply:

  • Be a Singapore-incorporated company or a Singapore branch of a foreign corporation.
  • Have a permanent place of business or a registered office where the books and records can be securely held.
    • At least one person must be appointed to be present at the place of business or a registered office to address any queries or complaints from consumers.
  • Have a minimum base capital of S$100,000 (approximately $73,740).
  • Have either 1 executive director who is a Singapore Citizen or Singapore Permanent Resident (PR), or 1 executive director who is a Singapore Employment Pass (EP) holder, and at least 1 other director who is a Singapore citizen or Singapore PR.
  • Implement a risk management system specialized for cryptocurrency activities.
  • A small PI business must not include payment initiation services or account information services.

The criteria for a Major Payment Institution (MPI) license are similar to those for SPIs, except that the minimum capital requirement is S$250,000 (approximately $184,300).

MPIs are also required to maintain a security deposit as a small buffer for the protection of customer money. MPIs who accept, process or execute payment transactions where the total value is $6 million or less in a month in respect of each payment service are required to place a security deposit of $100,000. Licensees that conduct higher volume transactions (above $6 million) in respect of any payment service are required to place a security deposit of $200,000.

There is a list of assessment criteria that MAS takes into consideration when evaluating an application for licenses. They include, but are not limited to: 

  • Fitness and propriety
  • Competency of key individuals 
  • Security 
  • Compliance arrangements 
  • Technology risk management 
  • Audit arrangements 
  • Annual audit requirements 
  • Letter of Responsibility and Letter of Undertaking 

You can read more about the differences in assessment criteria between each license here.

It should be noted that DPT service providers could be granted an exemption from holding a licence under the Payment Services Act (“PS Act”) for a specified period. This exemption will cease after a specified period or, if the entity submitted a licence application under the PS Act, on the date that the application is approved or rejected by MAS or withdrawn by the applicant. More detailed information about this exemption can be found here

FAQ

  • Are cryptocurrencies regulated in Singapore?

    Yes, provision of DPT services (services with cryptocurrencies) are regulated by the Monetary Authority of Singapore. DPT service providers must be licensed or exempted.

  • What is the MAS?

    The Monetary Authority of Singapore (MAS) is Singapore’s central bank and integrated financial regulator. The MAS has powers to issue legal instruments for the regulation and supervision of financial institutions.

  • Do you need a license to trade cryptocurrency in Singapore?

    A platform that facilitates trading in Singapore may require a license. Whether it needs a license or not will depend on the functionality of the platform.

  • What are the new crypto laws in Singapore?

    There have been no laws introduced recently. However, the MAS is carrying out consultations regarding amendments to the PSA. In addition, it has issued consultation documents and investor protection measures.

AMLCryptoRegulatory ComplianceSingaporeTravel Rule