"DTSP License Guide" (full text)

Reprinted from jinse
06/03/2025 Source: [Singapore MAS](https://www.mas.gov.sg/regulation/guidelines/guidelines-on-licensing-for-dtsps#); Translated by: AIMan@Golden Finance
On May 30, 2025, the Monetary Authority of Singapore issued the "Guidelines on Licensing for Digital Token Service Providers", formally bringing DTSPs under licensing and supervision.
The following is the full text of the "Guidelines for Licensing of Digital Token Service Providers" of the Monetary Authority of Singapore:
1. Purpose
2. License under the Financial Services and Markets Act
3. Access standards
4. License application requirements
5. Licensed Persons Continuous Requirements
Appendix 1 Governance and ownership requirements
Appendix 2 Minimum Compliance Arrangements
Appendix 3 Guide to information required for license application
Appendix 4 Annual License Fee
Appendix 5 Rules for Participation in Application Review Process
Appendix 6 Independent Assessment of External Auditors
1. Purpose
1.1 The "Guidelines on Licensing for Digital Token Service Providers" (hereinafter referred to as "this Guide") aim to provide guidance on the application procedure, licensing criteria and ongoing requirements for digital token service providers under Part 9 of the Financial Services and Markets Act 2022 (the "FSM Act"), defined as individuals, partnerships or companies established in Singapore that provide digital token services outside Singapore (referred to as "DTSPs").
1.2 This guide shall be read in conjunction with the FSM Act, the Financial Services and Markets (Digital Token Service Providers) Ordinance (the “FSM Ordinance”) and other relevant laws, notices, guidelines and FAQs issued by the Monetary Authority of Singapore (“MAS”).
1.3 This guide will be updated regularly by MAS to provide further guidance.
2. License under the Financial Services and Markets Act
2.1 Under Article 137 of the FSM Act, any person in Singapore carrying on a business of providing digital token services, as defined in the First Schedule of the FSM Act, must hold a license unless exempted. Article 137(5) of the FSM Act sets out the applicable exemptions.
2.2 Since MAS will not provide transitional arrangements for DTSPs, DTSPs that require a license under Article 137 of the FSM Act must suspend or cease providing digital token services overseas before June 30, 2025. A DTSP that breaches the licensing requirement commits an offence and is liable to the penalties set out in Article 137(6) of the FSM Act.
Types of digital token services
2.3 Applicants should evaluate whether their business model involves the provision of digital token services with reference to the ten types of digital token services in Part 1 of the First Schedule of the FSM Act. Applicants should also consider whether the activities they intend to conduct fall within the exclusions from the scope of digital token services set out in Part 2 of the First Schedule of the FSM Act.
Translator's note: the ten types of digital token services listed in the First Schedule of the FSM Act are:
1. Any digital token trading service (other than digital token trading services prescribed by MAS);
2. Any service that facilitates the exchange of digital tokens (other than such services prescribed by MAS);
3. Any service of accepting digital tokens (whether as principal or agent) from one digital token account (whether in Singapore or elsewhere) for the purpose of transferring, or arranging for the transfer of, the digital tokens to another digital token account (whether in Singapore or elsewhere);
4. Any service of arranging (whether as principal or agent) for the transfer of digital tokens from one digital token account (whether in Singapore or elsewhere) to another digital token account (whether in Singapore or elsewhere);
5. Any service of inducing or attempting to induce any person to enter into, or offer to enter into, any agreement to buy or sell any digital token in exchange for any money or any other digital token (whether of the same or a different type);
6. Any service of safeguarding digital tokens, where the service provider has control over the digital tokens;
7. Any service of carrying out for a customer instructions relating to digital tokens, where the service provider has control over the digital tokens;
8. Any service of safeguarding a digital token instrument, where the service provider has control over one or more digital tokens associated with the digital token instrument;
9. Any service of carrying out for a customer instructions relating to one or more digital tokens associated with a digital token instrument, where the service provider has control over the digital token instrument;
10. Any service relating to the sale or offer of digital tokens that involves (a) providing advice relating to any digital token, directly or through publications or writings (whether in electronic, print or other form); or (b) providing advice by issuing or promulgating research analyses or research reports relating to any digital token (whether in electronic, print or other form).
3. Access standards
3.1 Due to the internet-based and cross-border nature of digital token services, DTSPs are particularly exposed to the risks of money laundering, terrorist financing and proliferation financing ("ML/TF"). This increases the risk of such providers being used, or misused, for illicit purposes, to the detriment of Singapore's reputation. In view of these risks, MAS takes a very cautious approach to licensing DTSPs and will only consider granting a DTSP license under the FSM Act in extremely limited cases. Such cases include where:
- the applicant's business model is economically sound and the applicant can demonstrate to MAS's satisfaction that, despite operating or being established/registered in Singapore, it has legitimate reasons not to carry on the business of providing digital token services in Singapore;
- the manner in which the applicant operates raises no concerns for MAS, and the applicant is subject to regulation and supervision by the relevant regulatory authorities in every jurisdiction in which it provides digital token services overseas, in line with relevant internationally recognized standards such as those set by the Financial Stability Board, the International Organization of Securities Commissions and the Financial Action Task Force ("FATF");
- MAS has no concerns about the applicant's business structure, including its ability to comply with its regulatory obligations.
3.2 The applicant must fully meet the following criteria and clearly demonstrate that, as a licensee, it is able to comply with its obligations under the FSM Act.
3.2.1 Governance and ownership requirements
Applicants must comply with the governance and ownership structure requirements set out in Appendix 1 and be registered with the Accounting and Corporate Regulatory Authority of Singapore (ACRA).
3.2.2 Fit and proper
Applicants must satisfy MAS, in accordance with the Guidelines on Fit and Proper Criteria [FSG-G01], that their sole proprietor, partners, managers or directors and chief executive officers (CEOs), shareholders and employees, as well as the applicant itself, are fit and proper. The burden of demonstrating that the relevant persons are fit and proper lies with the applicant, not with MAS. In addition to honesty, integrity and reputation, competence and financial soundness are also considered, and MAS will take into account other factors such as the existence of conflicts of interest and the time commitment of the relevant persons to the Singapore entity. In particular, the entity and its wider group should have no adverse record, especially in relation to financial crime and sanctions compliance.
3.2.3 Competence of key personnel
Applicants must ensure that their sole proprietor, partners, managers or executive directors and CEO have sufficient operational experience in the digital token services industry, including a full understanding of Singapore's regulatory framework for DTSPs.
Where the relevant persons will manage a larger team, they should also have the relevant experience, competence and authority to effectively supervise and control business activities and staff.
Applicants should also consider the educational background and professional qualifications of their key personnel.
3.2.4 Permanent place of business or registered office
Applicants must have a permanent place of business or registered office in Singapore. The premises must be an office space in which the applicant's books and records can be kept securely. The applicant must also appoint at least one person to handle any queries or complaints from customers, as well as queries or requests for information from the authorities.
3.2.5 Base capital
Applicants must satisfy MAS that they meet the base capital requirements set out in the FSM Regulations and clearly demonstrate how they will continue to meet these requirements; an overview is given in Table 1. In view of this obligation, applicants must consider the size and scope of their business and the likelihood of profit and loss, and ensure that a sufficient capital buffer above the base capital requirement is maintained. In general, the entity's base capital should be able to cover the applicant's operating expenses for at least 6 to 12 months. Applicants should also put in place effective monitoring processes to ensure that the base capital requirement is met at all times, such as periodic reporting or setting a specific capital buffer above the minimum requirement.
Table 1 Basic capital requirements
3.2.6 Compliance arrangements
Applicants must establish an effective compliance arrangement plan and ensure adequate compliance resources commensurate with the nature, size and complexity of the business. See Appendix 2 for the minimum compliance arrangement requirements. Regardless of the compliance arrangements adopted, the applicant's sole proprietor, partners, managers or directors and CEO retain ultimate responsibility and accountability for compliance with applicable laws and regulations.
3.2.7 Technology risk management
Applicants must conduct penetration tests on the digital token services they intend to provide, remediate all identified high-risk findings, and independently validate the effectiveness of the remediation. This work does not need to be completed before the application is submitted, but must be completed before the license is granted.
3.2.8 Audit arrangements
Applicants must establish appropriate independent audit arrangements to regularly assess the adequacy and effectiveness of their procedures and controls and their compliance with regulatory requirements. The audit arrangements should be commensurate with the size, nature and complexity of the business. Audits may be conducted by the applicant's internal audit function, by an independent internal audit team at the applicant's head office, or outsourced to a third-party service provider.
3.2.9 Annual audit
Applicants must have plans in place to meet the annual audit requirements under Article 158 of the FSM Act. An auditor must be appointed, at the applicant's own expense, to audit its accounts and transactions and its compliance with the relevant regulations and requirements.
3.2.10 Letter of responsibility and/or letter of undertaking
Where appropriate, MAS may require the applicant to obtain a letter of responsibility and/or letter of undertaking from its controlling shareholder, parent company and/or affiliates. If the application is approved, MAS will provide the template.
3.2.11 Other factors MAS may also consider the following factors (if applicable):
- The track record and financial standing of the applicant and its holding company or affiliates;
- The applicant's operational readiness, including its ability to comply with regulatory requirements;
- Whether the applicant has fully recognized the key risks associated with its business activities and has adequately identified, assessed and mitigated those risks;
- Whether granting the license is in the public interest.
3.3 MAS evaluates each application on its specific circumstances and may consider other factors on a case-by-case basis. The above criteria and considerations are not exhaustive, and MAS may impose additional conditions or requirements to address the particular risks posed by an applicant.
3.4 The applicant shall submit a Form 1 application. All applicants and licensees must pay the relevant fees stipulated in the Schedule of the FSM Ordinance. See Appendix 4 for more information on fees. Applicants should also refer to Appendix 5 to understand the rules of participation in the application review process.
4. License application requirements
4.1 Applicants who have evaluated that they can meet the admission criteria should refer to Appendix 3 for guidance on the information required for the licensing application.
Legal opinion on application for new license
4.1.1 New applicants for a DTSP license must submit, together with the application, a legal opinion issued by a reputable law firm. The legal opinion should include a clear and concise summary of the applicant's business model and an assessment of whether the services and/or products the applicant intends to provide fall within regulated digital token services under the FSM Act.
4.1.2 Where the initial legal opinion is unclear, MAS reserves the right to request a second legal opinion.
Independent assessment of external auditors
4.1.3 Upon obtaining in-principle approval ("IPA"), the applicant shall appoint a qualified independent external auditor to conduct an independent assessment of its policies, procedures and controls in the areas of technology and cybersecurity risk (this requirement will be included as an IPA condition; see Appendix 6 for the scope of the technology and cybersecurity risk assessment).
5. Licensed Persons Continuous Requirements
5.1 Licensed persons must continue to comply with all applicable requirements under the FSM Act and other relevant laws. Licensees should establish processes, systems, policies and procedures to ensure that all ongoing obligations are fulfilled, including filing applications and notifications with MAS where necessary. Some of the requirements are outlined below, but the list is not exhaustive; licensees should keep up to date with regulatory developments and can visit the MAS website for the latest requirements.
5.2 Anti-money laundering and countering the financing of terrorism ("AML/CFT") requirements
Licensed persons must comply with the AML/CFT requirements set out in the Financial Services and Markets Regulations (including the regulations on targeted financial sanctions), the Terrorism (Suppression of Financing) Act 2002, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, the Notice on Prevention of Money Laundering and Countering the Financing of Terrorism [FSM-N27] and the Notice on Reporting of Suspicious Activities and Incidents of Fraud [FSM-N28]. Licensees should also refer to the Guidelines to Notice FSM-N27 for their AML/CFT requirements.
5.3 Periodic reporting
Licensed persons must submit periodic regulatory reports relating to their digital token activities in accordance with the FSM Regulations. The relevant requirements are set out in the Notice on Submission of Regulatory Returns [FSM-N29].
5.4 Cybersecurity
Licensed persons must comply with the cybersecurity requirements set out in the Cybersecurity Notice [FSM-N31] and take appropriate safeguards to protect customer information.
5.5 Technology risk management
Licensed persons must comply with the Technology Risk Management Notice [FSM-N30] and refer to the Technology Risk Management Guidelines for the technology risk management requirements.
5.6 Business conduct
Licensed persons must comply with the business conduct requirements in the FSM Act, the FSM Regulations and the Notice on Conduct [FSM-N32]. These obligations include keeping transaction records, issuing receipts, displaying exchange rates and fees, and notifying customers of normal business hours. Licensees must also ensure compliance with all prohibitions and restrictions, including those on prohibited business activities.
5.7 Disclosures and communications
Licensees must make accurate representations of the scope of their license and provide the disclosures set out in the Notice on Disclosures and Communications [FSM-N33] where applicable to their business. Licensees should also ensure that customers receive timely updates on any material changes to the disclosures.
5.8 Annual audit requirements
Licensed persons must appoint an auditor annually to audit their accounts and transactions and their compliance with the regulations and requirements. The licensee must ensure that the auditor submits a report to MAS in Form 3.
Appendix 1
A1 Governance and ownership requirements
Appendix 2
A2 Minimum Compliance Arrangement
Applicants should ensure that they have effective compliance arrangements and adequate compliance resources commensurate with the size, nature and complexity of the business. These may take the following forms:
- Independent compliance function: Applicants should establish an independent compliance function in Singapore, staffed by personnel with appropriate qualifications in areas relevant to their business activities. Compliance personnel may also hold other complementary roles that do not give rise to conflicts, such as in-house legal counsel.
- Compliance support from a holding company or overseas affiliated entity: Applicants may obtain compliance support from an independent, full-time compliance team of their holding company or an overseas affiliated entity, provided they can demonstrate that the applicant's compliance officer, sole proprietor, partners, managers or directors, CEO and other senior management exercise sufficient oversight.
Applicants must also put in place appropriate compliance management arrangements, including at least one appropriately qualified compliance officer at management level. This person should be based in Singapore, have sufficient expertise in areas relevant to the applicant's business activities, and have the authority to oversee the applicant's compliance function, although they may be assisted by other staff in day-to-day operations.
Applicants should also establish appropriate governance structures to oversee compliance and AML/CFT matters (including matters relating to targeted financial sanctions). Depending on the size of the business and the group structure, applicants may consider having the compliance officer report compliance and AML/CFT matters regularly to the board of directors or a board committee, which would also decide on matters beyond the compliance officer's authority.
Applicants should note that, regardless of the arrangement chosen, the applicant's sole proprietor, partners, managers or directors and CEO remain ultimately responsible for all compliance and regulatory matters and must exercise full oversight of the relevant arrangements.
Accordingly, the applicant's senior management and compliance officer should be able to demonstrate that they are fully aware of the compliance and ML/TF risks arising from the applicant's business activities and of the measures taken to manage those risks effectively.
Appendix 3
A3 License Application Information Guide
Applicants should ensure that they fully meet the admission criteria and that the application is complete, error-free and consistent, and is accompanied by the necessary supporting documents specified in the application form.
Information required in the proposed business plan
Applicants should provide a clear description of their business model and plan, supported by the professional experience and expertise of the proposed management team. The business plan should state how the applicant will comply with the FSM Act and related subsidiary legislation, and in particular should include the following information:
- The jurisdictions in which the service is provided, including evidence that the applicant holds operating licenses in each jurisdiction in which it provides digital token services and is supervised by the relevant regulatory authorities for compliance with relevant internationally recognized standards such as those set by the Financial Stability Board, the International Organization of Securities Commissions and the FATF.
- Target customer profile.
- Products and services to be provided. Applicants should specify the type of digital token services they will conduct at each stage of the transaction process. If the applicant intends to provide more than one type of digital token service, each type of digital token service should be evaluated separately.
- Reasons for not intending to engage in the provision of digital token services in Singapore despite operating or being established/registered in Singapore.
- Detailed plans and channels for the flow of funds, including transaction and/or process flow charts. If there is more than one product or service, or more than one type of transaction and/or process flow, a chart should be provided for each flow. The flow chart should:
  - Describe the end-to-end flow of a typical transaction, from the source of the funds accepted by the applicant (such as bank transfer, cash, bank card) to the full discharge of obligations to the customer.
  - Describe the interaction between the customer and the applicant and the flow of funds.
  - Indicate the timeline, including service level agreements with third parties and the applicable payment and settlement cycles.
  - Highlight the steps in which innovative technology is used (such as the use or provision of digital tokens or distributed ledger technology) or in which products or services are delivered differently from what is common in the market.
  - Include all third parties involved (such as other digital token service providers, banking partners, intermediaries and other agents) and explain their role in the process.
- Implementation plans, including the expected timeline for business/product launch, as well as systems, processes and third parties that will play a key role in their operations.
- Whether the digital token service is an accompanying or bundled service to any other product or service provided by the applicant.
- A brief description of any other MAS-regulated activities the applicant currently conducts or intends to conduct (such as financial advisory, securities trading, etc.).
- A brief description of any exemptions and unregulated activities currently being conducted or intended by the applicant.
- For applicants that are part of a global digital token services group:
  - The role of the applicant within the group, including the functions or services (if any) it will receive from and/or provide to affiliates within the group. Where possible, the applicant should provide an estimate of the level of resources (in terms of headcount and time) that other affiliates within the group devote to supporting the Singapore operations.
  - Confirmation that all group entities are fully licensed/registered, with licensing/registration details for each entity. The applicant should provide a copy of each entity's license/registration certificate or its license/registration status as shown on the regulatory authority's website. Applicants should disclose any regulatory enforcement actions or investigations in which any group entity may be involved.
- A comprehensive risk assessment of all digital tokens and digital token services (such as trading platforms, custody) the applicant intends to support or provide, including its token listing governance process. Applicants should provide a complete list of supported digital tokens and describe their assessment of the nature of each token under the MAS regulatory framework (such as whether it is a securities token or a payment token).
- Measures for safeguarding customer assets and for business conduct, including maintaining access to and operational control over customers' digital tokens in Singapore, daily reconciliation of customer accounts, provision of monthly account statements to customers, risk management controls (such as controls over the flow of customer assets), and the disclosures to be made to customers.
Legal opinion
Applicants are required to provide a legal opinion issued by a reputable law firm on the regulated digital token services to be offered under their proposed business model. The legal opinion should include (but is not limited to) the following:
- A clear and concise summary of the applicant's business model and of each service and product to be provided by the applicant (including the asset/fund flows of each service/product and the parties involved, where applicable).
- An assessment of whether each proposed service or product falls within regulated digital token services under the FSM Act. The assessment should include a detailed and comprehensive analysis of whether each regulated digital token service applies to each proposed service or product, and should take into account all relevant laws, notices, guidelines and FAQs.
- Where any proposed service or product is assessed as exempt or unregulated, a detailed explanation of how the relevant exemption or exclusion applies.
- Confirmation that the legal opinion will be disclosed to MAS.
Information required for compliance, risk management, system and control
Technical risk management
Applicants should develop a framework for assessing and managing technical risks and take measures commensurate with the risk level and complexity of the financial services provided and the technologies supporting these services to protect customer data, transactions and systems. Applicants should refer to the Technical Risk Management Notice [FSM-N30], the Cybersecurity Notice [FSM-N31] and the Technical Risk Management Practice Guidelines to understand the information technology risk management principles and regulatory expectations.
Compliance and Audit
The applicant shall provide the following information and documents, as appropriate to the nature of the proposed business model:
- AML/CFT policies and procedures demonstrating compliance with MAS Notice FSM-N27 and the relevant targeted financial sanctions requirements. These should include the framework for assessing and overseeing agents and third-party partners (local and overseas).
- Enterprise-wide money laundering/terrorist financing/proliferation financing risk assessment ("EWRA"). Applicants should also include a tax evasion risk assessment in the EWRA.
- AML/CFT governance, escalation and reporting arrangements. These should include details of the involvement of the sole proprietor, partners, managers or directors, CEO and other senior management in monitoring and resolving potential AML/CFT issues in the business.
- Implementation plans for the compliance management arrangements, including the processes already in place and the systems that will be used.
- The name and curriculum vitae ("CV") of the compliance officer, including details of any formal compliance certifications such as ACAMS or IBF certification.
- If the organizational chart does not show the staffing and reporting lines of the compliance function, the relevant details must be provided. These should include details of any outsourced compliance functions, including the location of the outsourcing provider and its team, the applicant's relationship with the outsourcing provider (such as vendor or parent company), the outsourcing provider's licensing/registration status, and the oversight arrangements.
- Internal and external audit arrangements.
Equity Structure Chart
The applicant should provide a complete shareholding structure chart (up to the ultimate controller), and the ultimate controller should be a natural person.
If the applicant has no 20% controlling shareholder, written confirmation to that effect is required.
Appendix 4
A4 Annual License Fee
Under Article 140 of the FSM Act, the license fee is payable annually, as detailed in the Schedule to the FSM Regulations. All license fees paid are non-refundable.
The licensee shall enter into an automatic bank transfer (GIRO) arrangement with MAS for the annual payment of the license fee. Licensees shall ensure that their GIRO arrangement details are up to date and that there are sufficient funds in their bank account before the deduction date specified in the fee notice.
Pro-rated license fee for new licensees
For new licensees that did not hold a license on January 1 of the year, the license fee for the first calendar year is calculated as a proportion of the fixed annual license fee, pro-rated for the period from the date of issuance of the license until December 31 of the same year. Example 1 shows how the first-year license fee is calculated.
Example 1 A company obtained a DTSP license on December 1, 2025.
Appendix 5
A5 Rules for Participation in Application Review Process
Initial audit and information request
The application review process begins once a case officer has been assigned and all required information and documents have been received from the applicant. Depending on the number of applications received, a case officer may not be assigned immediately after MAS receives the application. Once the case is assigned, the case officer will contact the applicant to inform them of the necessary next steps, which may include holding a kick-off meeting.
The case officer will check the completeness of the set of documents submitted, which usually forms the first round of information requests the applicant receives. The case officer will also conduct a preliminary review of the applicant's business model. During the review, multiple rounds of information and clarification requests may be made, depending on the completeness of the applicant's responses.
Before submitting an application, the applicant should always ensure that the application meets the admission criteria set out in this Guide and includes the information required under Appendix 3 of this Guide. MAS reserves the right to reject an application if the submission is assessed to be seriously incomplete or materially deficient. Applicants should also have a contact person available at all times to follow up on information requests and to provide timely and adequate responses. If the contact person changes, the applicant should notify MAS promptly.
The applicant must promptly, proactively and fully disclose all material information to the case officer and must not withhold any of it. If an applicant is found to have deliberately obscured, concealed or delayed the disclosure of information without legitimate reason, this will be treated as a material deficiency. Applicants must take reasonable care to ensure that the information and documents provided to MAS are not false or misleading. A person who contravenes section 176(1) or 176(3) of the FSM Act commits an offence and may be liable to a fine or imprisonment on conviction.
Timeliness and quality of reply
MAS usually gives applicants a deadline for responding to information requests. If the applicant fails to respond within the specified time, MAS will deem the application to have been withdrawn. If the applicant needs more time to prepare a response, the case officer should be notified in advance.
Applicants must also balance the time needed to prepare a fully comprehensive response against the temptation to reply hastily in order to speed up the review. Failure to provide a satisfactory and comprehensive response will be assessed as a deficiency and may count against the application.
Interview
The case officer will usually arrange an interview with the applicant's key management personnel and/or compliance officer. All representatives of the applicant should take their interactions with the case officer seriously. The purpose of the interview is for the applicant to explain how it intends to manage its business and risks so as to comply with regulatory requirements. Consultants, external legal counsel and other third parties are not permitted to attend the interview, because even if the applicant outsources any of its functions, it remains responsible for the performance of its regulatory obligations.
Circumstances in which the case officer may have reasonable grounds to believe that the applicant is unable to fully discharge a licensee's obligations include, but are not limited to, the following:
- failing to attend the interview without a legitimate reason;
- being unable to answer questions clearly during the interview;
- behaving disrespectfully towards the case officer.
If there is a material change to the application after the interview but before the outcome is communicated, the case officer may arrange an additional interview with the applicant. Examples of such changes include a change in the appointment of the applicant's key personnel or a change in the applicant's business model.
MAS review process
The case officer is obliged to conduct a comprehensive assessment of the application. Even at the application stage, the applicant's goal is to obtain a licence and thereby come under ongoing supervision, as if it were already within the regulatory regime. Case officers review the application in this light and expect the applicant to conduct itself like a regulated financial institution. Applicants who fail to do so will be assessed as having potentially significant defects that may result in rejection of the application.
Shelving of applications
If any of the information provided changes after the application has been submitted, MAS should be notified immediately. If the change is a major one, the applicant may need to consider withdrawing the application and reapplying once the change is complete, because the application will not be reviewed before then.
During the review process, if a major corporate reorganisation, a major change in key management personnel, or a significant change in business model or activities occurs, MAS may put an application assessed as not yet ready for review on hold for six months. While such significant changes may not be foreseeable by the applicant, the shelving period allows resources to be redirected from these incomplete applications to ensure fairness to the other, fully prepared applicants in the queue.
During the shelving period, it is the applicant's responsibility to ensure that all necessary changes are resolved and completed in a timely manner and to provide the relevant documents to MAS for evaluation at the end of the period. The default shelving period is six months and cannot be extended. If a major change is not completed within the shelving period, the application will be assessed as not yet ready for review and the applicant should consider withdrawing it.
Withdrawal of applications
The applicant may withdraw its application at any time. Following MAS's review, the applicant may also be advised to withdraw the application if there is a fundamental problem that cannot be fully resolved within a reasonable time, or if the application is assessed as having a significant defect. Applicants should note that where the case officer makes such an assessment, other applicants in similar circumstances have not been approved either. Sound controls have been put in place to ensure that case officers conduct fair, objective and verifiable assessments: each application and its supporting documents are rigorously reviewed by a team of case officers, supervisory officers, and a review and approval authority. Applicants should therefore take the review process and its outcome seriously.
If the applicant intends to resubmit an application, it must ensure that all issues and deficiencies have been fully resolved. Resubmitting an application without correcting an issue previously raised by MAS may result in refusal.
With respect to the shelving of applications, significant changes to key management personnel refer mainly to changes in key C-suite positions such as the CEO, CFO, Chief Risk Officer and Chief Compliance Officer. Applicants should, however, also assess and highlight other role changes that should be treated as key management changes, based on the criticality of the role to their business model and the importance of its reporting line.
Appendix 6
A6 Independent Assessment by an External Auditor
A. Technology and cybersecurity risks
(To be completed by the applicant after in-principle approval)
- Criteria for the external auditor appointed to conduct the independent assessment of technology and cybersecurity risks. The external auditor appointed by the applicant for the independent assessment must meet the following criteria: the engagement lead should have sufficient seniority and sufficient experience and expertise in the area of technology and cybersecurity risk ("technology risk"). The applicant is responsible for ensuring that a suitably qualified independent external auditor is appointed to independently assess its technology risk policies, procedures and controls.
- Scope of the assessment. The following are the areas of technology and cybersecurity risk to be assessed by the independent external auditor as a condition of in-principle approval (IPA).
I. Cybersecurity
a. Taking into account the applicant's proposed business model, products, services, capital flows and delivery channels:
i. Identify any gaps against the relevant regulatory requirements set out in the MAS FSM-N31 Cyber Security Notice;
ii. Highlight the areas of improvement needed to mitigate cybersecurity risks.
II. Data loss prevention
a. Review and evaluate the applicant's proposed information protection policies and controls (IPPCs) in the following areas:
i. Protection of sensitive data (including customer data) in transit and at rest;
ii. Detection and prevention of unauthorized access to, or disclosure of, sensitive data (including customer information), whether in communication, transmission or storage;
iii. Protection of custodial wallet encryption keys.
b. Taking into account the applicant's proposed business model, products, services, capital flows and delivery channels:
iv. Identify any gaps against the applicable technology risk management regulatory requirements (including but not limited to the MAS FSM-N30 Technology Risk Management Notice and Section 11 of the Technology Risk Management Guidelines);
v. Highlight the areas of improvement needed to mitigate the technology risks posed by the proposed business model.
III. Penetration testing
a. Review and evaluate the applicant's proposed IPPCs for penetration testing of its systems, including:
i. A penetration testing frequency determined by factors such as the criticality of the system and the cyber risks it faces. For systems directly accessible from the Internet, the applicant should conduct penetration tests at least annually, and whenever major changes or updates are made, to verify the adequacy of security controls;
ii. Service level agreements ("SLAs") for remediating penetration test findings, commensurate with the relevant risk levels.
b. Review and evaluate whether the penetration tests (within the last 12 months) of the applicant's proposed online financial services are relevant and sufficient to identify critical security vulnerabilities.
c. Taking into account the applicant's proposed business model, products, services, capital flows and delivery channels:
i. Identify any gaps against the applicable technology risk management regulatory expectations (including but not limited to Section 13.2 of the Technology Risk Management Guidelines);
ii. Highlight the areas of improvement needed to mitigate the technology risks posed by the proposed business model.
IV. Digital wallets and smart contracts
a. Review the applicant's proposed IPPCs and evaluate whether they include the following controls, commensurate with the applicant's proposed business model, products, services, capital flows and delivery channels:
i. Adherence to secure design principles (including appropriate access control, comprehensive testing, periodic updates to stable versions, and static and dynamic code analysis) throughout the system development life cycle of the proposed systems and smart contracts (where relevant);
ii. Smart contract development controls, ensuring that smart contracts are protected from cyber threats and vulnerabilities through secure development, DevSecOps and testing, so as to prevent unauthorized access, data breaches and exploitation of security vulnerabilities;
iii. Controls to ensure high availability of critical systems, together with system recovery and business recovery priorities (including root cause and impact analysis), so that rapid recovery strategies exist for such systems;
iv. Use of technologies such as multi-party computation and threshold signature schemes to protect custodial wallets;
v. Network segregation between the custodial wallet system and other information systems or the Internet, to prevent unauthorized connections;
vi. Separation of the custodial wallet encryption key components, so that at no time can any single person or system access the complete key (i.e. the "never alone" principle, requiring at least two authorized persons to coordinate and approve key management operations).
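The key-component separation described in item vi, and the threshold schemes mentioned in item iv, can be illustrated with Shamir secret sharing. The following Python block is an added example and is not part of the MAS guidelines or any DTSP's implementation: a constructed 32-byte sample key is split into shares so that a quorum of custodians (two of three, or three of five) is needed to reconstruct it, while fewer shares reveal nothing about it. The function names, the choice of field prime and the quorum check are assumptions made for this example; a production custody system would hold the shares in HSMs or an MPC protocol rather than reassembling the key in software.

```python
"""Threshold splitting of a custodial wallet key (Shamir secret sharing).

Added illustration of the "never alone" principle: the key is split into n
shares and any t of them reconstruct it, while fewer than t reveal nothing.
The names, the field prime and the sample key are constructed for this example.
"""
import secrets
from typing import List, Tuple

# Arithmetic is done modulo the Mersenne prime 2^521 - 1. It exceeds any
# 32-byte key, so a key maps to one field element without truncation.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)); x is the share index and is never 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial over GF(PRIME) by Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `key` into `shares` pieces, any `threshold` of which reconstruct it."""
    if not 1 < threshold <= shares:
        raise ValueError("require 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 with the key as constant term.
    # The other coefficients must come from a CSPRNG (secrets), never random.random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def _interpolate_at_zero(shares: List[Share]) -> int:
    """Lagrange interpolation of f(0) from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def reconstruct_key(shares: List[Share], key_len: int) -> bytes:
    """Recover the key bytes from at least `threshold` shares."""
    return _interpolate_at_zero(shares).to_bytes(key_len, "big")


def approve_key_operation(presented: List[Share], threshold: int, key_len: int) -> bytes:
    """Gate a key-management operation on a quorum of custodians (item vi).

    The operation proceeds only when at least `threshold` distinct shares are
    presented, so no single person or system can act alone.
    """
    if len(presented) < threshold:
        raise PermissionError(
            f"{len(presented)} share(s) presented, {threshold} required")
    return reconstruct_key(presented[:threshold], key_len)


def demo() -> bool:
    """Constructed 2-of-3 and 3-of-5 walkthroughs; True when every check holds."""
    key = bytes(range(32))  # constructed sample key, NOT a real wallet key
    secret = int.from_bytes(key, "big")

    s3 = split_key(key, threshold=2, shares=3)
    two_of_three_ok = approve_key_operation([s3[0], s3[2]], 2, 32) == key
    # A single share interpolates to its own y-value, not to the secret.
    lone_share_useless = _interpolate_at_zero([s3[1]]) != secret

    s5 = split_key(key, threshold=3, shares=5)
    three_of_five_ok = approve_key_operation([s5[4], s5[1], s5[2]], 3, 32) == key
    # Two shares of a degree-2 polynomial give a line through them, not f(0).
    two_of_five_useless = _interpolate_at_zero([s5[0], s5[3]]) != secret
    try:
        approve_key_operation([s5[0], s5[3]], 3, 32)
        quorum_enforced = False
    except PermissionError:
        quorum_enforced = True

    return all([two_of_three_ok, lone_share_useless, three_of_five_ok,
                two_of_five_useless, quorum_enforced])


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The quorum check in approve_key_operation is the software analogue of the dual-control requirement in item vi; in practice each share would be held by a different custodian (or HSM partition) and the reassembly step would itself be logged and approved.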