MAS Digital Payment Token License: Singapore MPI Application Guide

Singapore’s Position in Tokenization

The Monetary Authority of Singapore (MAS) has consistently led Asian regulators in developing clear, workable frameworks for digital assets and tokenization. Singapore’s Project Guardian — an industry collaboration between MAS and major financial institutions to pilot tokenized asset markets — has produced some of the most detailed published guidance on institutional tokenization infrastructure anywhere globally.

The Payment Services Act 2019 (PSA), subsequently amended by the Payment Services (Amendment) Act 2021, provides the primary licensing framework for digital payment token (DPT) businesses. It established two license tiers — the Standard Payment Institution (SPI) and the Major Payment Institution (MPI) — with the MPI license applying to firms above threshold transaction volumes or that conduct the full range of DPT services.

For tokenization platforms operating in Singapore or servicing Singapore-based clients, the MPI license is the relevant authorization. The SPI license applies only to smaller-scale operations below specified volume thresholds.

PSA Framework: MPI vs. SPI

Standard Payment Institution (SPI)

The SPI license applies to firms whose monthly transaction volume for any single payment service does not exceed S$3 million, and whose total monthly transaction volume across all payment services does not exceed S$6 million. For DPT services specifically, the S$3 million threshold applies.

The SPI is the entry-level license. Capital requirement: S$100,000. Annual fee: S$10,000. The SPI is inadequate for any tokenization business that anticipates meaningful transaction volume, and it does not provide the credibility signal that institutional counterparties expect.

Major Payment Institution (MPI)

The MPI license applies to firms exceeding the SPI thresholds, or that conduct account issuance, e-money issuance, or DPT services as a principal activity. Any firm operating a tokenization platform as its core business will require an MPI license.

Capital requirements for MPI licensees depend on the services conducted:

• Standard DPT services only: S$250,000 minimum capital
• Expanded DPT services (including services to institutional clients with significant volume): S$500,000

Annual license fee: S$30,000. Application fee: S$1,000 (an anomalously low fee relative to global peers).

The MPI Application Process

The MAS application process is formal and sequential. The MAS does not offer pre-application meetings in the same way as EU NCAs, but its published guidance and FAQ documents for the PSA licensing regime are detailed enough to provide meaningful preparation guidance.

Step 1: Application Submission via MAS Licensing Portal

Applications are submitted through the MAS’s Licensing and Registration System (LORAS). The application requires:

• Applicant entity details (Singapore-incorporated company or Singapore branch of a foreign company)
• Payment service activities sought (the specific PSA service categories)
• Corporate structure, shareholder information, and UBO declarations
• Director and key executive details and CVs
• Business plan (minimum 3 years)
• Projected financial statements
• AML/CFT policies and procedures
• Compliance governance framework
• Technology and cybersecurity framework description

Step 2: MAS Review and Queries

The MAS conducts a substantive review of the application. Review periods have lengthened in recent years due to application volume; effective review periods of 12–18 months are realistic for well-prepared applications.

The MAS issues queries (equivalent to the FCA’s RFI) requesting clarification or additional information. Unlike the FCA, the MAS tends to be more prescriptive in its queries — it identifies specific gaps and expects specific responses, rather than returning applications as incomplete.

Step 3: In-Principle Approval (IPA)

The MAS issues an In-Principle Approval before the full license is granted. The IPA specifies conditions that must be satisfied before the full license is issued. These conditions typically include:

• Appointment of key management personnel acceptable to the MAS
• Confirmation of office premises in Singapore
• Demonstration of operational readiness (systems testing, compliance framework in place)
• Submission of any outstanding documentation

Step 4: License Issuance

Upon satisfaction of IPA conditions, the MAS issues the MPI license. The full license permits the firm to commence DPT services.

MAS Technology Risk Management (TRM) Guidelines

The MAS TRM Guidelines are among the most technically detailed cybersecurity requirements applied to any financial services regulator globally. For tokenization platforms, compliance with TRM requirements is a significant operational undertaking.

Key TRM requirements for DPT service providers:

Technology Risk Governance: The board and senior management are accountable for technology risk. The firm must have a designated technology risk function, a Chief Information Security Officer (or equivalent), and documented technology risk appetite.

System Availability: MPI licensees must maintain system availability of at least 99.9% for customer-facing systems. This requires redundant architecture, hot standby capability, and tested failover procedures.

Penetration Testing: Regular penetration testing is required, at minimum annually. External penetration testers must be qualified (CREST, GIAC, or equivalent accreditation) and independent. Penetration testing scope must include the blockchain nodes, smart contracts (where applicable), key management systems, and customer-facing applications.

Cryptographic Key Management: For platforms that manage cryptographic keys on behalf of clients, the TRM Guidelines specify requirements for hardware security modules (HSMs), key generation ceremonies, key rotation procedures, and key recovery arrangements. Cold storage ratios are not specified in the Guidelines but the MAS expects firms to document their custody architecture and justify their approach.

Incident Reporting: Technology incidents that affect system availability or security must be reported to MAS within 1 hour of detection for major incidents, and within 24 hours for significant incidents. Major incidents are defined as those affecting the firm’s ability to provide services to all clients or resulting in significant data breach.

Third-Party Risk: Cloud service providers, blockchain infrastructure providers, and other material technology vendors must be subject to vendor risk assessments, contractual controls, and ongoing monitoring. The MAS expects right-to-audit clauses in contracts with material technology vendors.

Smart Contract Security: For platforms using smart contracts (for token issuance, settlement, or custody), the MAS expects evidence of third-party smart contract audits prior to deployment and a process for managing identified vulnerabilities. This has become an increasingly detailed area of MAS scrutiny following several high-profile DeFi exploits.

AML/CFT Requirements for DPT Services

The MAS Notice PSN01 (Anti-Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service) sets out detailed AML/CFT requirements for MPI licensees conducting DPT services.

Key requirements:

Customer Due Diligence: Standard CDD is required for all customer relationships. For individual customers, this includes identity verification (identity card or passport), address verification, and source of funds for higher-risk customers. For institutional customers, entity verification, beneficial ownership, and authorised representative identity are required.

Enhanced Due Diligence: EDD is required for:

• Customers from high-risk jurisdictions (FATF grey list or blacklist)
• Politically exposed persons (PEPs) and their associates
• Customers with complex or unusual transaction patterns
• Customers with no apparent legitimate purpose for their DPT activity

Transaction Monitoring: MPI licensees must implement automated transaction monitoring with rules calibrated to the specific risk profile of their DPT services. Rules must cover structuring (smurfing), round-tripping, mixing patterns, and transactions involving high-risk wallet addresses.

Blockchain Analytics: The MAS expects DPT service providers to use blockchain analytics tools to screen transactions for association with sanctioned addresses, darknet markets, ransomware, and other illicit sources. Chainalysis Reactor, Elliptic Navigator, and TRM Labs Blockchain Intelligence are the tools most commonly referenced in MAS communications.

Suspicious Transaction Reporting: STRs must be filed with the Suspicious Transaction Reporting Office (STRO) within 3 business days of knowledge or reasonable grounds of suspicious activity. MAS monitors STR filing rates and patterns; unusually low filing rates are a supervisory concern.

Travel Rule Compliance

Singapore implemented FATF Recommendation 16 (the Travel Rule) for DPT transfers effective January 2024, under amendments to the PSN01 Notice. The threshold is S$1,500 (approximately US$1,100).

For transfers above S$1,500, MPI licensees must collect and transmit:

• Originator: name, account identifier, address or national identity number or customer identification number or date and place of birth
• Beneficiary: name, account identifier

For transfers to unhosted wallets (non-custodial addresses), the MAS requires licensees to verify that the unhosted wallet belongs to the customer before transmitting funds. This verification must be documented.

Travel Rule compliance requires interoperability with other VASPs. The most commonly used Travel Rule compliance solutions among Singapore MPI licensees are Notabene and Sygna Bridge. Both support the IVMS101 data standard and integrate with the major virtual asset platforms.

Further information: MAS Digital Payment Tokens regulation

Practical Timeline: What 12–18 Months Looks Like

Month 1–2: Application preparation, entity incorporation (if new Singapore entity), SIC/ACRA registration, appointment of key personnel.

Month 3: Application submission via LORAS.

Month 4–9: MAS initial review period. Expect at least one round of queries, likely two. Responses should be thorough and timely — delays in responding extend the timeline proportionally.

Month 10–14: MAS substantive review completion. IPA issuance (if application is approved).

Month 15–18: IPA conditions satisfaction. Operational readiness demonstration. Full license issuance.

This timeline assumes a complete, well-prepared application with no material deficiencies and prompt query responses. Applications with AML or TRM deficiencies, or that require significant rounds of query and response, routinely extend beyond 18 months.

Related Resources

• Licensing Cost and Timeline Comparison
• AML Framework for Tokenization Platforms
• Travel Rule Compliance Guide
• Jurisdictions Database: Singapore
• Regulatory Benchmarks