Singapore Fintech Subsidiary Setup - Regulatory Checklist

Fintech Subsidiary Regulatory Checklist

Setting up a compliant fintech subsidiary in Singapore requires executing specific corporate, regulatory, and operational steps. Use this procedural checklist to track your market entry progress and ensure you meet MAS requirements before launching your financial product.

Corporate Incorporation and Structuring

• Incorporate a Private Limited Company (Pte. Ltd.) with the Accounting and Corporate Regulatory Authority (ACRA).
• Appoint at least one resident director who meets the MAS fit and proper criteria.
• Inject the minimum base capital required for your intended license category into a corporate bank account.
• Establish a registered physical office address in Singapore where regulatory records will be kept.

Licensing and Regulatory Filings

• Determine your exact payment service category under the Payment Services Act.
• Submit your license application (SPI or MPI) via the MAS Corporate Services Portal.
• Lodge the required security deposit with MAS based on your payment volume projections.
• Draft and submit your comprehensive business plan, detailing user flows, revenue models, and financial projections.

Compliance and Risk Management

• Draft an enterprise-wide AML and Counter-Terrorism Financing (CTF) policy tailored to your user base.
• Appoint a dedicated compliance officer at the management level to oversee transaction monitoring.
• Implement mandatory cybersecurity measures outlined in the MAS Notice of Cyber Hygiene.
• Prepare your standard operating procedures for handling customer funds and safeguarding digital assets.

What Are the Major Payment Institution (MPI) License Requirements?

A Major Payment Institution (MPI) license allows fintechs to conduct payment services without being subject to the strict transaction volume limits applied to smaller entities. You must secure this license from MAS if your monthly transaction volume exceeds 3 million SGD for a single payment service or 6 million SGD across multiple payment services.

To obtain an MPI license, your subsidiary must demonstrate financial stability and strong corporate governance. MAS enforces strict baseline requirements to protect the financial ecosystem.

• Base Capital: The subsidiary must maintain a minimum base capital of 250,000 SGD at all times.
• Security Deposit: You must lodge a security deposit with MAS of 100,000 SGD if your monthly transactions are below 6 million SGD, or 200,000 SGD if they exceed this threshold.
• Executive Leadership: At least one executive director must be a Singapore citizen or permanent resident, and the leadership team must pass stringent background checks to ensure they possess relevant financial sector experience.
• Safeguarding of Funds: MPIs must safeguard customer monies through trust accounts with local safeguarding institutions, bank guarantees, or surety bonds.

Payment Services Act Compliance for Digital Token Providers

Digital token providers must comply with the Payment Services Act 2019 to legally facilitate cryptocurrency or digital asset transactions in Singapore. MAS requires entities dealing in Digital Payment Tokens (DPTs) to obtain specific licenses and implement rigorous consumer protection measures to mitigate retail trading risks.

The regulatory framework for DPT service providers is heavily focused on risk awareness and asset separation. MAS continuously tightens these regulations to shield retail consumers from digital asset volatility.

• Retail Marketing Restrictions: DPT providers cannot advertise their services to the general public in Singapore. Marketing is strictly limited to corporate websites and official social media channels.
• Asset Safeguarding: Providers must segregate customer digital assets from their own corporate assets and place customer tokens in an independent trust.
• Risk Disclosures: Platforms must present clear, unalterable risk warnings to retail customers before allowing them to open a trading account or transfer funds.
• Lending Bans: DPT service providers are strictly prohibited from lending or staking retail customers' digital payment tokens.

Structuring AML and CTF Protocols

Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) protocols act as your primary defense against financial crime and regulatory penalties. Fintech subsidiaries must implement the guidelines outlined in MAS Notice PSN02, which requires robust customer due diligence, risk assessment, and transaction monitoring systems.

Your compliance framework cannot be a generic template. MAS expects a bespoke risk-based approach that addresses the specific typologies of financial crime associated with your product type and target demographics.

• Customer Due Diligence (CDD): You must implement strict Know Your Customer (KYC) onboarding processes. This includes verifying the identities of beneficial owners who hold more than 25 percent of a corporate client's shares.
• Ongoing Monitoring: Static KYC is insufficient. Your subsidiary must deploy automated systems to track transaction behaviors and flag deviations from established customer profiles.
• Suspicious Transaction Reporting: If your team detects illicit activity, you must file a Suspicious Transaction Report (STR) with the Suspicious Transaction Reporting Office (STRO) promptly.
• Record Keeping: All customer identification data and transaction records must be retained for a minimum of five years after the termination of the business relationship.

Cybersecurity Standards and Data Residency Rules

Technology Risk Management (TRM) guidelines set by MAS dictate how fintechs must secure their infrastructure and handle customer financial data. While Singapore does not enforce blanket data localization, financial institutions must ensure MAS has immediate and unhindered access to their data regardless of where the servers reside.

Fintechs must treat cybersecurity as a board-level responsibility. Failure to maintain secure infrastructure can result in immediate license suspension.

• Notice of Cyber Hygiene: This mandatory MAS directive requires fintechs to implement basic security controls, including administrative account restriction, security patches, network firewalls, and multi-factor authentication for all remote access.
• Penetration Testing: High-risk systems must undergo regular vulnerability assessments and independent penetration testing prior to launch and annually thereafter.
• Incident Reporting: Any system malfunction or IT security breach that severely impacts operations must be reported to MAS within one hour of discovery.
• Personal Data Protection: The subsidiary must comply with the Personal Data Protection Act (PDPA), ensuring explicit customer consent is obtained before collecting or processing personal data.

Grants and Regulatory Sandbox Opportunities

Singapore accelerates fintech innovation through the MAS FinTech Regulatory Sandbox and various Financial Sector Technology and Innovation (FSTI) grants. These programs allow new market entrants to test disruptive financial products in a live environment while receiving subsidized funding and temporary exemptions from specific regulatory requirements.

The ecosystem is designed to lower barriers to entry for highly innovative concepts that do not neatly fit into existing regulatory frameworks.

• FinTech Regulatory Sandbox: Allows startups to experiment with real customers for a limited time. If the test is successful, the firm must fully comply with all relevant legal requirements to deploy the product broadly.
• Sandbox Express: A faster track for market testing specific activities like insurance broking or remittance. Applications are typically assessed within 21 days.
• FSTI 3.0 Grants: MAS commits substantial funding to support innovation in areas like Artificial Intelligence, RegTech, and Environmental, Social, and Governance (ESG) fintech solutions. Eligible firms can receive co-funding for technology infrastructure and specialized talent acquisition.

Common Misconceptions About Singapore Fintech Regulation

Foreign executives often misjudge the timeline and flexibility of Singapore's financial regulations when planning their expansion. Understanding the reality of MAS oversight prevents costly launch delays and regulatory enforcement actions.

1. Incorporation equals authorization to operate. Many founders assume that registering a company with ACRA allows them to begin offering fintech services immediately. In reality, incorporation is just the first step. You cannot legally process transactions or onboard users until the appropriate MAS license is formally approved.
2. Offshore licenses apply in Singapore. Holding an FCA license in the UK or a financial license in the US does not grant you passporting rights to operate in Singapore. You must apply for a local MAS license and meet Singapore-specific capital and compliance requirements.
3. Sandboxes bypass all regulations. The MAS Sandbox is not a total waiver of compliance. Participants must still adhere to strict confidentiality, consumer protection, and AML protocols while inside the sandbox environment.

Frequently Asked Questions

How long does it take to get an MPI license in Singapore?

The application process for a Major Payment Institution license typically takes between 6 to 12 months. This timeline depends heavily on the completeness of your initial application, the complexity of your business model, and how quickly you respond to MAS queries.

What is the minimum capital for a fintech subsidiary?

The minimum base capital depends on your specific license. A Standard Payment Institution (SPI) requires 100,000 SGD, while a Major Payment Institution (MPI) requires 250,000 SGD. Capital must be maintained at these levels continuously during operations.

Can a foreign director run a Singapore fintech subsidiary alone?

No. Under the Companies Act and MAS regulations, a Singapore subsidiary must have at least one ordinarily resident director. This individual must be a Singapore citizen, permanent resident, or an Employment Pass holder residing locally.

Does MAS regulate all fintech companies?

MAS regulates fintechs that provide services falling under specific legislation like the Payment Services Act, Securities and Futures Act, or Financial Advisers Act. Pure software-as-a-service (SaaS) companies selling tech to banks may not require a license, but the financial institutions using the software remain liable for compliance.

When to Hire a Lawyer and Next Steps

Navigating MAS regulations and structuring your fintech subsidiary requires specialized corporate and regulatory counsel. Engaging a lawyer early ensures your business model aligns with the Payment Services Act before you invest capital in operations, technology builds, or marketing campaigns.

Your initial legal consultation should focus on mapping your proposed user flow against the Payment Services Act to determine your exact licensing needs. From there, your counsel will draft your AML frameworks, structure your data policies, and represent your firm during MAS inquiries. To start planning your market entry, connect with experienced corporate and commercial lawyers in Singapore who specialize in financial regulatory compliance and digital asset licensing.