Crypto License in Singapore 2026

What laws regulate crypto business in Singapore

The primary statutes are the Payment Services Act 2019, the Financial Services and Markets Act 2022, and the Securities and Futures Act 2001. Each statute answers a different regulatory question.

Payment Services Act 2019 (PSA)

The PSA is the main framework for payment services, including digital payment token services. It also covers account issuance, domestic money transfer, cross-border money transfer, merchant acquisition, e-money issuance, and money-changing. If the company is customer-facing and handles DPT-related services in or from Singapore, the PSA is often the first statute to analyze.

Financial Services and Markets Act 2022 (FSMA) Part 9

Part 9 of the FSMA took effect on 30 June 2025 and created the digital token service provider (DTSP) regime. Its practical importance is major: a Singapore-incorporated entity serving only foreign markets may still require authorisation if it provides digital token services from Singapore. This closed a gap that some offshore-facing structures previously tried to rely on.

Securities and Futures Act 2001 (SFA)

The SFA applies where the token or arrangement qualifies as a capital markets product. If a token grants equity rights, debt claims, profit participation, or collective investment exposure, the regulatory question shifts from “crypto” to securities law. In those cases, founders may need to consider capital markets licensing, prospectus rules, market conduct obligations, or recognised market operator issues.

Other legal layers founders should not ignore

• PDPA: personal data governance under the Personal Data Protection Act, supervised by the PDPC;
• CDSA and Terrorism (Suppression of Financing) Act: core AML/CFT and suspicious transaction reporting obligations;
• IRAS guidance: tax treatment of digital payment tokens and crypto-related income;
• ACRA rules: company incorporation, beneficial ownership records, and corporate filings.

A useful practical nuance is that MAS often reviews crypto applicants through multiple lenses at once: licensing, AML/CFT, technology risk, consumer protection, and governance. A legally plausible structure can still fail if the control framework is weak.

Do you need a MAS licence decision framework

You usually need a licence or authorisation if your Singapore company intermediates, exchanges, safeguards, transmits, or commercially arranges digital token activity as a business. The right answer depends on the service, token type, and customer geography.

When PSA is likely to apply

The PSA is commonly triggered where the company:

• operates a crypto exchange or brokerage that buys or sells DPTs for customers;
• provides a custodial wallet or otherwise safeguards customer DPTs;
• facilitates transfers or payment flows involving DPT services;
• combines crypto activity with fiat payment services such as remittance or merchant acquisition.

A practical point many founders miss: the legal analysis is not limited to the front-end brand. Treasury, settlement, omnibus wallet design, and who controls private keys can change the licensing outcome.

When FSMA Part 9 is the real issue

Overseas-only does not mean unregulated. If a Singapore entity provides digital token services to customers outside Singapore, FSMA Part 9 may still apply. This matters for groups that centralise management, compliance, or technology in Singapore while serving foreign markets through offshore brands.

When SFA becomes the main regime

If the token represents shares, bonds, fund units, or similar investment rights, the issue is no longer simply a “crypto exchange licence Singapore” question. It becomes a capital markets analysis under the SFA, potentially involving dealing, market operation, custody, or offering rules.

Common edge cases

• Non-custodial interfaces: some software-only models may fall outside direct licensing, but the answer depends on control, intermediation, and commercial involvement;
• Token issuance: utility-token issuance may not itself require a payment institution licence, but distribution mechanics, redemption features, and investor rights can change the result;
• Stablecoins: a fiat-pegged token may raise e-money or stablecoin-framework issues rather than pure DPT analysis;
• DAO-linked structures: decentralisation claims do not neutralise licensing if a Singapore entity still operates key functions, interfaces, treasury, or customer onboarding.

The cleanest way to answer “do I need a crypto license in Singapore?” is to map activity × token type × customer location × control over assets. That matrix is more reliable than any generic VASP checklist.

DPT, e-money, stablecoin or security token

MAS classifies tokens by substance, not by marketing label. The name on the whitepaper does not determine the legal regime. The regulator looks at rights, redemption mechanics, peg structure, transferability, and economic function.

DPT

A digital payment token is generally a digital representation of value intended to function as a medium of exchange and not denominated in or pegged by an issuer to a fiat currency in the same way as e-money. BTC and ETH are the standard examples used in market practice.

E-money and stablecoin issues

A fiat-pegged token may raise e-money or stablecoin-framework questions rather than pure DPT treatment. The legal answer depends on redemption rights, issuer obligation, reserve backing, and whether the holder has a claim against the issuer. Founders should avoid blanket statements such as “USDT is always e-money” or “all stablecoins are DPTs”; the correct classification is feature-specific.

Security tokens

If the token gives holders rights analogous to equity, debt, or collective investment scheme interests, it may be a capital markets product under the SFA. In that case, the licensing question changes materially, especially for platforms, brokers, and custodians handling those instruments.

Four practical questions to classify a token

1. Does the holder have a legal or economic claim on an issuer or pool of assets?
2. Is there a redemption promise into fiat or another reference asset?
3. Does the token confer profit participation, governance over pooled assets, or repayment rights?
4. Is the token used mainly as a payment/exchange instrument, or as an investment instrument?

A useful nuance for 2026: token classification should be documented not only in a legal memo, but also in listing criteria, customer disclosures, treasury policy, and AML risk assessment. MAS and banking counterparties increasingly expect those documents to align.

SPI vs MPI for DPT and payment services

Under the PSA, the licence class is usually either a Standard Payment Institution (SPI) or a Major Payment Institution (MPI). These are not separate “crypto licences” in the abstract; they are payment institution licence classes that may cover DPT services and other regulated payment services.

When SPI is usually enough

An SPI is designed for operators that stay within statutory thresholds. The practical thresholds commonly used are:

• SGD 3 million in monthly transactions for any one payment service;
• SGD 6 million in monthly aggregate transactions for two or more payment services;
• SGD 5 million in outstanding e-money float.

SPI applicants usually need at least SGD 100,000 base capital. This route can suit early-stage operators, but growth planning matters. A business that expects to exceed thresholds quickly should assess whether applying directly for MPI is more efficient than migrating later.

When MPI is needed

An MPI is generally required once the business exceeds those thresholds or needs unrestricted scale. The practical baseline includes SGD 250,000 base capital and a potential security deposit of SGD 100,000 or SGD 200,000. MPI status usually comes with heavier safeguarding, governance, and supervisory expectations.

A useful operational nuance: the licensing class also affects how banks and payment partners view the business. Even where SPI is legally available, some counterparties may prefer the scalability and risk posture associated with an MPI-ready control environment.

What goes into the MAS application pack

A serious Singapore crypto application is a coordinated evidence package, not a form-filling exercise. The submission is typically made through the relevant MAS e-licensing channel and usually includes Form 1 plus supporting documents tailored to the licence class and service scope.

Documents commonly required or expected in practice

• certificate of incorporation, constitution, and corporate registers;
• group structure chart and beneficial ownership map;
• detailed business plan with target markets, product scope, and customer journey;
• transaction-flow diagrams showing fiat and token movement;
• AML/CFT manual, sanctions policy, onboarding procedures, and STR workflow;
• Travel Rule operating procedure and vendor architecture where relevant;
• technology risk, cybersecurity, and outsourcing policies;
• safeguarding and custody memo, including reconciliation and key-management controls;
• 3-year financial projections with assumptions that can be defended;
• CVs, declarations, and fit-and-proper materials for directors and key officers;
• legal analysis on token classification or cross-border scope where the model is complex.

What MAS often asks in follow-up rounds

Expect detailed questions on customer geography, source of funds, token listing criteria, outsourcing, wallet control, treasury activity, sanctions exposure, and how the website markets the service. Review periods often extend because the business model described in the application does not match the operational reality shown in demos, contracts, or public materials.

A practical nuance many competitors omit: founders should prepare a regulator-ready data room and version control process before filing. Inconsistent policy versions and changing org charts are a common cause of avoidable delay.

Why MAS may reject or delay an application

Most Singapore crypto applications do not fail because of one missing form; they fail because the story does not hold together. MAS reviews the business as an integrated system: ownership, product, AML, safeguarding, technology, governance, and public communications.

Ten common red flags

1. Opaque ownership or weak UBO transparency;
2. unclear source of funds for capital or treasury;
3. no resident decision-maker with real authority;
4. generic AML manual not tailored to actual token flows;
5. weak sanctions and wallet-screening controls;
6. token classification ambiguity, especially for stablecoins and investment-like tokens;
7. website claims broader services than the application requests;
8. poor custody architecture or no credible reconciliation process;
9. outsourcing without oversight and no internal owner for critical functions;
10. unrealistic projections that ignore compliance, staffing, and banking constraints.

What founders can control

The best way to shorten review time is to reduce contradiction. The corporate documents, website, customer terms, AML scenarios, wallet flows, and financial model should describe the same business. If the company changes scope during review, it should update MAS promptly and consistently rather than trying to “patch” the narrative later.

A practical market reality: even where MAS does not reject immediately, a weak application can become commercially unusable if the review drags beyond funding runway or banking onboarding windows. That is why application readiness is as important as formal eligibility.

How to verify a Singapore crypto licence

The correct place to verify regulated status is the official MAS register, not the company’s website footer. Counterparties should check the MAS Financial Institutions Directory and confirm the exact legal entity name, licence class, and regulated service scope.

What to verify

• the full legal name of the licensed entity;
• whether it is licensed as an SPI or MPI where relevant;
• the specific regulated services listed;
• whether the website brand matches the legal entity in the register;
• whether the company is also active and in good standing in ACRA records.

Why this matters

Some businesses describe themselves as “registered”, “compliant”, or “regulated in Singapore” when they only have a company incorporation or an application in progress. Those terms are not substitutes for actual licensing. RUE recommends verifying both the MAS directory and the ACRA corporate record before onboarding a Singapore crypto counterparty.

For founders, the same rule applies internally: sales teams and investor materials should never overstate licensing status. Misleading public statements can create both regulatory and reputational problems.

30 to 60 day founder checklist before filing

The fastest way to waste a Singapore application is to submit before the operating model is coherent. A practical pre-filing checklist for founders is:

1. Day 1-7: map services by activity, token type, and customer geography;
2. Day 1-10: confirm whether PSA, FSMA Part 9, SFA, or a combination is engaged;
3. Day 5-15: incorporate the Singapore entity and clean up ownership disclosure;
4. Day 7-20: appoint the resident executive director and identify compliance ownership;
5. Day 10-25: draft business plan, product maps, and flow-of-funds diagrams;
6. Day 15-30: build AML/CFT framework, sanctions controls, Travel Rule process, and STR escalation;
7. Day 20-35: document custody, reconciliation, key management, and incident response;
8. Day 25-40: align website, terms, privacy notice, and public claims with the intended licence scope;
9. Day 30-45: prepare 3-year financial model and capital support documents;
10. Day 40-60: run a mock regulator Q&A with founders, compliance, and technology leads.

Founders that complete this sequence before filing usually reduce rework materially. RUE can also coordinate related workstreams such as legal services, bank account opening in Singapore, and crypto-specific tax structuring through Singapore crypto tax.