Custody Compliance in SEA: What MAS, BSP, and OJK Require from Fintechs
Author: Ted Nguyen, BD & Growth @Fystack

[TL;DR]
- Compliance officers expanding across Southeast Asia must satisfy three separate custody frameworks simultaneously: OJK Indonesia, MAS Singapore, and BSP Philippines each regulate key control, asset segregation, and audit obligations differently.
- MAS sets the clearest technical threshold: at least 90% of customer digital assets in cold storage at all times, multi-party controls as the recommended authorization model, and daily reconciliation.
- Indonesia's OJK transferred crypto oversight from Bappebti on January 10, 2025 under OJK Regulation No. 27/2024, then amended the framework under OJK Regulation No. 23/2025: segregated accounts must now be held by the Clearing institution.
- BSP Philippines extended its moratorium on new VASP licenses from September 2025. Existing operators remain governed by BSP Circular 1108 and BSP Circular 1213.
A fintech company expanding across Southeast Asia cannot use a single compliance template for the region. OJK (Indonesia), MAS (Singapore), and BSP (Philippines) each regulate digital asset custody from a different starting point. Getting one jurisdiction wrong is a setback. Getting all three wrong simultaneously is a compliance failure that appears only after go-live.
The five dimensions that determine custody architecture are: key control, cold storage ratio, asset segregation, data residency, and audit obligations.
Why These Three Regulators and Why Now
OJK, MAS, and BSP sit at three distinct stages of regulatory development. MAS has the longest-running Digital Payment Token (DPT) licensing regime, with technical standards set out in PS-G03 (September 2024). OJK transferred oversight from Bappebti on January 10, 2025 under OJK Reg. 27/2024, then added derivative trading rules and restructured the segregated accounts regime under OJK Reg. 23/2025. BSP introduced the VASP framework under Circular 1108 in 2021, updated IT risk obligations under Circular 1213 in May 2025, and extended a moratorium on new VASP licenses from September 2025. A fintech that treats these three as interchangeable will underestimate the compliance gap between them.
#ICYMI: MAS has amended the Payment Services Act (PS Act) to expand the scope of payment services it regulates, and to impose user protection and financial stability-related requirements on digital payment token service providers. Find out more: https://t.co/H35hX2c7zO
— MAS (@MAS_sg), May 3, 2024
Table 1. OJK vs MAS vs BSP: custody framework at a glance

| Dimension | Indonesia OJK | MAS Singapore | BSP Philippines |
| --- | --- | --- | --- |
| Governing regulation | OJK Reg. 27/2024, amended by OJK Reg. 23/2025 | Payment Services Act, PS-G03 (Sep 2024) | BSP Circular 1108 (2021), Circular 1213 (2025) |
| Cold storage requirement | Not specified; ISO certification required | At least 90% in cold wallets at all times | Not specified; cybersecurity framework required |
| Asset segregation | Segregated accounts held by Clearing institution for consumer benefit | Trust accounts; separate blockchain addresses from operator | Effective mechanism to record and separate customer VAs from proprietary |
| Multi-party authorization | Certified IS security personnel required; principles-based | Recommended: no single party should authorize movement unilaterally | Principles-based; operator's internal control system |
| Data and key residency | PSE registration required; local data obligations apply | Permanent place of business in Singapore; books and records maintained locally | Primary operations, offices, and key management personnel inside Philippines |
| Licensing status | Open; 1 custodian license issued as of March 2025 | Open; strict eligibility and annual independent audit required | Moratorium on new applications from September 2025 |

Key Control and Cold Storage
MAS sets the clearest threshold: under PS-G03, at least 90% of customer assets must be in cold wallets at all times. On authorization, MAS cites multi-party computation with threshold controls (such as 2-of-3) as the recommended approach: no single party should be able to move customer assets unilaterally. This is not a hard mandate, but it is the architecture PS-G03 points toward.
OJK's framework sets no cold storage ratio. Under OJK Reg. 23/2025, ISO certification now applies to licensed operators broadly, not just to the Disaster Recovery Center. Exchanges, custodians, and clearing entities must each employ at least one Certified Information System Auditor and one Certified Information System Security Professional. The custodian role belongs to a separately licensed entity: the Digital Financial Asset Custodian. As of March 2025, OJK had issued only one DFA custodian license, meaning the custody infrastructure the regulation requires is still being formed.
BSP Circular 1108 requires VA custodians to maintain adequate reserves for VAs held in custody and to disclose to customers whether the VASP or the customer holds the private key. No cold storage ratio is specified. The Philippines framework places the design of security controls with the operator.
Asset Segregation Requirements
All three regulators require customer assets to be separated from operator assets. The mechanism and enforcement specificity differ.
MAS requires customer DPTs in a trust account with a safeguarding institution by the next business day, with daily reconciliation. Assets may sit in one custody account, but that account must use separate blockchain addresses from the operator's own assets. Custody and trading functions must also be operationally independent.
OJK Reg. 23/2025 restructured the segregated account regime: accounts previously held in the Trader's name must now be held by the Clearing institution for the benefit of each consumer. The Trader is no longer the account holder of record, and the contractual structure between Trader and Clearing institution must reflect this shift. Financial records must be retained for 10 years.
BSP Circular 1108 requires custodians to record and segregate customer VAs from proprietary VAs. Minimum paid-in capital for a VA custodian is PHP 50,000,000. Reconciliation cadence and technical controls are left to the operator.
Table 2. What each regulator requires before you can hold customer assets

| Requirement | OJK Indonesia | MAS Singapore | BSP Philippines |
| --- | --- | --- | --- |
| Cold wallet minimum | Not specified | 90% at all times | Not specified |
| Segregation mechanism | Clearing institution holds accounts for consumer benefit | Separate trust accounts; separate blockchain addresses | Operator-designed; must record and separate customer VAs |
| Multi-party authorization | Principles-based; certified IS security staff required | Recommended: threshold controls (e.g. 2-of-3 MPC) | Principles-based |
| Daily reconciliation | Not specified | Required | Not specified |
| Key personnel in-country | Certified IS auditor and IS security professional | Senior compliance officer; management personnel in Singapore | Key management personnel inside Philippines |
| Data retention | 10 years | Books and records at Singapore office | Not specified in Circular 1108 |
| External audit | Annual audit for licensed operators | Annual independent assessment required | Internal audit; external for higher-risk categories |

Data Residency and Key Management Personnel
Data residency is what most compliance teams find hardest to address after the fact. BSP is the most direct: VASPs must maintain primary operations, offices, and key management personnel inside the Philippines. For a fintech running distributed signing infrastructure, this constrains where key-responsible people and systems must be located, not just which legal entity holds the license.
OJK Reg. 23/2025 requires Digital Financial Asset Trading Operators to register as Electronic System Providers (PSE) under Government Regulation No. 71 of 2019 on Electronic System Operations. PSE registration carries data localization obligations for systems serving Indonesian users. The technical standards for key storage sit in the PSE framework rather than the OJK crypto rules, but the registration requirement closes a gap that previously left data obligations implicit for crypto operators.
MAS requires a permanent place of business in Singapore where books and records are maintained, and licensing criteria require management personnel with effective control to be Singapore-based. PS-G03 does not specify where key material must be physically located.
What This Means for Your Signing Architecture
The requirements across all three regulators point to the same architectural conclusion: signing authority must be controlled, auditable, and separated from operating infrastructure. MAS's 90% cold storage rule and recommended multi-party controls are best satisfied by a threshold signing setup where the hot wallet balance is a bounded allocation and any transaction requires multiple nodes to cooperate.
A SaaS custody provider that holds a key share and participates in every signing event creates ambiguity around the hot/cold boundary that PS-G03 is designed to remove.
OJK's structure points the same direction. Separating the Custodian as a distinct licensed entity, requiring certified security personnel, and extending ISO certification all position custody as a regulated function with its own infrastructure, not a feature inside a trading platform. BSP's in-country personnel requirement adds a physical placement constraint: if a vendor's nearest infrastructure is not in the Philippines, that is a compliance problem, not a latency one.
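The MAS-oriented controls described above (a bounded hot allocation, a 2-of-3 approval threshold, and customer addresses kept apart from operator addresses) can be enforced as a gate that runs before any signing request is accepted. The sketch below is an added example, not Fystack's code or any regulator's reference logic; the function, wallet labels and node IDs are hypothetical, and it assumes the 90% floor is measured over aggregate customer balances of a single asset.

```python
from dataclasses import dataclass
from decimal import Decimal

COLD_MIN = Decimal("0.90")  # cold-storage floor the article attributes to MAS PS-G03
THRESHOLD = 2               # approvals required (the article's 2-of-3 example)

@dataclass(frozen=True)
class Wallet:
    address: str
    owner: str        # "customer" or "operator"
    tier: str         # "cold" or "hot"
    balance: Decimal

def evaluate(wallets, src_addr, dst_addr, amount, approvers, signers):
    """Return policy violations; an empty list means the transfer may be signed."""
    violations = []
    by_addr = {w.address: w for w in wallets}
    # Multi-party control: only enrolled signers count, each at most once.
    if len(frozenset(approvers) & signers) < THRESHOLD:
        violations.append("fewer than 2 distinct enrolled approvers")
    src, dst = by_addr.get(src_addr), by_addr.get(dst_addr)
    if src is None or not (0 < amount <= src.balance):
        return violations + ["unknown source or invalid amount"]
    # Segregation: customer assets must never land on an operator address.
    if src.owner == "customer" and dst is not None and dst.owner == "operator":
        violations.append("customer assets routed to operator address")
    # Project customer balances after the transfer, then recompute the cold share.
    # Assumption: the floor applies to aggregate customer holdings of one asset.
    cold = total = Decimal(0)
    for w in wallets:
        if w.owner != "customer":
            continue
        delta = (w.address == dst_addr) - (w.address == src_addr)
        bal = w.balance + delta * amount
        total += bal
        cold += bal if w.tier == "cold" else 0
    if total > 0 and cold / total < COLD_MIN:
        violations.append(f"cold share would fall to {cold / total:.2%}")
    return violations

# Constructed sample state: 1000 units of customer assets, 92% cold.
SIGNERS = frozenset({"node-a", "node-b", "node-c"})
WALLETS = [
    Wallet("cust-cold", "customer", "cold", Decimal("920")),
    Wallet("cust-hot", "customer", "hot", Decimal("80")),
    Wallet("op-hot", "operator", "hot", Decimal("50")),
]
```

Logging every non-empty result alongside the daily reconciliation output gives auditors a record of each transfer that was refused and why.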
Table 3. Custody architecture options vs. regulatory requirements

| Architecture | MAS: 90% cold + multi-party controls | OJK: custodian separation | BSP: in-country personnel and segregation |
| --- | --- | --- | --- |
| Hot wallet / env variable key | Does not satisfy 90% cold requirement | Not consistent with custodian licensing structure | Does not satisfy segregation standard |
| Custodial SaaS MPC | Vendor key share creates ambiguity around hot/cold boundary | Third party in signing path conflicts with custodian licensing intent | Offshore vendor infrastructure conflicts with in-country personnel requirement |
| Self-hosted MPC | Satisfies 90% cold and multi-party threshold by design | Consistent with separately licensed custodian model | Nodes deployed in-country satisfy personnel and residency intent |

Ready to Map Your SEA Custody Architecture?
The custody architecture you choose now determines how many of these requirements you satisfy by design and how many become remediation after go-live. Swapping signing infrastructure inside a regulated market is expensive and creates a gap between what you are running and what the regulator expects.
Let us know if you are designing custody infrastructure for OJK, MAS, or BSP compliance. Fystack will work through your setup with you: transaction volume, chain coverage, key placement constraints, and what self-hosted MPC looks like in your specific regulatory context.
Frequently Asked Questions (FAQs)
Can one self-hosted MPC setup satisfy custody requirements across all three jurisdictions?
Yes, but node placement must reflect each regulator's constraints. MAS requires trust-account segregation and 90% cold storage by design, OJK requires a separately licensed custodian entity, and BSP requires key management personnel inside the Philippines. A threshold signing setup with nodes distributed across jurisdictions can satisfy all three, but the legal structure around each node must align with the local requirement.
Does BSP's moratorium affect operators already licensed?
No. The moratorium, extended indefinitely from September 2025, applies only to new VASP license applications. Existing licensees remain subject to Circular 1108 and IT risk requirements under Circular 1213, including the June 30, 2026 deadline for authentication upgrades.
What happens when OJK issues more DFA custodian licenses?
The licensing bottleneck does not change the custody requirements; it changes who you can engage to meet them. As more DFA custodian licenses are issued, operators will have more options for the separately licensed entity OJK requires. The obligation to use an OJK-licensed custodian and hold segregated accounts under the Clearing institution remains regardless.

