We just completed a full security audit with Adevar Labs.
Back to Blog

Southeast Asia Crypto Custody Compliance Map 2026: Navigating AML, Travel Rule, and Data Residency across SEA

Phoebe Duong

Phoebe Duong

Author

July 9, 2026
11 min read
Southeast Asia Crypto Custody Compliance Map 2026: Navigating AML, Travel Rule, and Data Residency across SEA

TL;DR: Digital asset custody compliance in Southeast Asia is becoming more fragmented, not more standardized. From Singapore's cold storage rules to Vietnam's data residency requirements, each market sets different expectations. This article compares five key jurisdictions, explains the hidden compliance traps, and provides a practical checklist for fintechs expanding across the region.


1. Compliance Is No Longer Something You Check Off a List

Many businesses still treat compliance as a formality: get the license, keep a few AML policies on paper, call it done. Recent enforcement history shows the opposite. Custody regulation now determines whether a business survives, not just whether it ticks an administrative box.

Three recent cases make the pattern clear.

  • Binance (2023): Fined $4.3 billion. The cause was systemic gaps in its AML and sanctions controls, with over 100,000 transaction alerts left unaddressed. Four US agencies were involved in the investigation: DOJ, FinCEN, OFAC, and CFTC.
  • Coinbase (2023): Fined $100 million by NYDFS for a backlog in AML/KYC records and a transaction monitoring system that hadn't matured fast enough.
  • Robinhood Crypto (2022): Fined $30 million by NYDFS. The cause wasn't intent to defraud, it was an understaffed AML program that hadn't transitioned from manual transaction monitoring to a system suited to its rapidly growing scale. This was also NYDFS's first-ever crypto enforcement action, announced on August 1, 2022.

None of these three cases involved intent to defraud. All three stemmed from growth outpacing investment in monitoring systems. That is exactly why custody and compliance infrastructure needs to be built right from day one, not patched later once revenue arrives.

By mid-2026, all five major Southeast Asian markets have their own distinct legal frameworks for digital asset custody, and the direction is toward more fragmentation, not convergence.

Escalating crypto enforcement timeline

2. The AML & Travel Rule Map Across 5 Southeast Asian Markets

Each country in SEA brings its own regulatory lens, with very specific technical lines drawn. Here's a consolidated view as of June 2026.

Market Custody / Cold Storage Rule AML & Travel Rule Standout Requirement Status (mid-2026)
Singapore MAS PS-G03: 90% cold wallets mandatory; MPC recommended, no single-party unilateral signing PSD-N02: real-time Travel Rule via TRUST/VerifyVASP; auto sanctions screening pre-signing Daily reconciliation, segregated trust accounts, local books & office Strictest, most mature DPT regime in region
Vietnam Not specified numerically; DTI Law 2025 + CASP Pilot (eff. 1/1/2026) Decree 19/2023/ND-CP: tx ≥400B VND or suspicious → auto-report to SBV ~$400M min capital, 65%+ institutional / 49% foreign cap, Level 4 Security, onshore data residency (Fystack internal research, verify official text) Pilot stage, highest structural barrier
Indonesia No fixed ratio; OJK Reg. 23/2025 requires ISO-certified core system + DR center Auto-report to PPATK; biometric e-KYC vs national ID DB; 10-yr log retention Exchanges banned from self-custody; must partner with licensed DFA Custodian (licensee count should be re-verified) Emerging, licensing bottleneck
Thailand No fixed ratio; SEC license, principles-based control model AMLO reporting entity, automated monitoring, STRs; Travel Rule (FATF) in progress TouristDigiPay sandbox: 18-month pilot, stablecoin-to-THB via QR for tourists Balanced, payments-friendly
Philippines Not specified; BSP Circulars 1108 & 1213 Travel Rule applies to transfers ≥$1,000 USD/EUR Indefinite moratorium on new VASP licenses since Sept 2025; key personnel must reside in PH Closed to new entrants

Singapore. MAS PS-G03 & PSD-N02: The Strictest Market

Singapore runs APAC's longest-standing Digital Payment Token (DPT) licensing regime. MAS PS-G03, issued in September 2024, is the clearest technical framework in the region:

  • 90% of customer assets must sit in cold wallets at all times
  • MPC is recommended. No single party should be able to unilaterally authorize a transaction
  • Daily reconciliation is mandatory
  • Trust accounts with blockchain addresses kept separate from the operator's own assets
  • Custody and trading must be operationally independent
  • Annual independent audit
  • A permanent place of business in Singapore, with books and records kept locally

Alongside the technical custody requirements, every DPT provider must comply with real-time Travel Rule obligations, per Notice PSD-N02, effective September 2024. Every transfer between VASPs, or from a VASP to an unhosted wallet, must carry verified sender and recipient KYC information, transmitted through networks like TRUST or VerifyVASP. Sanctions screening must run automatically before a transaction is signed on-chain.

Vietnam. CASP Pilot, January 2026: The Highest Structural Barrier

The DTI Law 2025 took effect on January 1, 2026, and the CASP Pilot program officially launched at the same time. Note: the figures below are based on Fystack's own legal research at the time this guide was compiled. Since this is newly enacted regulation, businesses should cross-check the official legal text before making business decisions based on it.

  • Minimum capital: VND 10,000 billion, roughly $400 million
  • Institutional ownership: above 65%
  • Foreign ownership cap: 49%
  • Security standard: Level 4 Information System Security
  • Data residency: user logs and wallet addresses must be stored onshore, mandatory

Under the existing AML Law, Decree 19/2023/ND-CP, any transaction of 400 million VND or more, or flagged as suspicious, must be automatically reported to the State Bank of Vietnam (SBV).

Indonesia. OJK Reg. 23/2025: Self-Custody Banned, But Compliant Infrastructure Is Scarce

Oversight of crypto moved from Bappebti, a commodities regulator, to OJK, the financial services supervisor, on January 10, 2025. OJK Reg. 23/2025 then tightened custody, security, and segregation requirements further.

Indonesia's defining feature: exchanges are not permitted to self-custody customer assets. Custody must run through a separately licensed DFA Custodian entity, fully separated from exchange operations. Segregated accounts must be held by a Clearing institution for the benefit of consumers. The entire core system and Disaster Recovery Center must carry ISO certification. Reporting must connect automatically to PPATK, the financial intelligence unit, alongside mandatory biometric e-KYC cross-checked directly against the national identity database, and a minimum 10-year retention period for logs and audit trails.

The practical problem: as of June 2026, only a very limited number of entities have been granted a DFA Custodian license. This should be re-verified for exact names and current licensing status before being cited externally, since this is a fast-moving piece of information. The result is a notable paradox: the law is strict, but legally compliant infrastructure is scarce, creating a bottleneck for anyone trying to enter this market. "No specific cold storage ratio" in Indonesia doesn't mean easier. ISO certification and audit requirements can be operationally more demanding than a fixed number.

Thailand. SEC & AMLO: A Balanced Model Geared Toward Real-World Payments

Thailand doesn't mandate a specific cold storage ratio, relying instead on a principles-based control model. Core requirements: an SEC license for digital asset businesses, a cybersecurity framework, AML/KYC, and transaction monitoring.

The most interesting angle in Thailand is commercial. The TouristDigiPay sandbox, an 18-month pilot, lets foreign tourists convert stablecoins to THB via QR code. Merchants receive funds in THB, so they carry no volatility risk. Alongside it, an active informal OTC segment has grown. USDT remains one of the most actively traded pairs on Bitkub, with tourism and services driving B2C adoption.

That said, this attractive payments angle doesn't exempt anyone from oversight obligations. AMLO requires every SEC-licensed operator to register as a reporting entity, deploy automated transaction monitoring systems to detect structured transactions or high-velocity movement, and file suspicious transaction reports in a timely manner. Travel Rule integration is also being prepared in line with FATF recommendations.

Philippines. BSP Circular 1108 + 1213: Closed to New Entrants

This is the most distinctive legal status among the five markets. BSP extended its moratorium on new VASP license applications, and has maintained it indefinitely since September 2025. As of June 2026, there is no path for any new entrant seeking a VASP license in the Philippines.

For entities that already hold a license, operating under Circular 1108 and Circular 1213, the requirements remain strict. No specific cold storage ratio is mandated, but a full cybersecurity framework is required, along with an effective customer asset segregation mechanism, and notably, key management personnel must reside directly in the Philippines to support on-site inspections. Travel Rule applies to any virtual asset transfer of $1,000 USD/EUR or more.

3. The Data Residency Trap in Vietnam

This is the section worth reading most carefully for any Web3 startup planning to enter, or already operating in, Vietnam, because this mistake doesn't surface right away. It only shows up when the regulator arrives for an on-site inspection.

Under Decree 53/2022/ND-CP, combined with the Level 4 Information System Security standard (the second-highest tier in Vietnam's cybersecurity framework, applying to systems whose failure would cause serious harm to national security or critical economic interests):

  • All user data, transaction history, and device identification data must be stored within Vietnam
  • Wallet addresses and balances linked to users must be stored onshore
  • Regulators must be able to physically inspect the infrastructure
  • A zero-downtime requirement applies: the system must run 24/7 without interruption, using hot-hot redundancy architecture, with no single point of failure

The problem is this: many international SaaS custody and MPC providers process keys on overseas cloud infrastructure. Operationally, there's nothing unusual about that. But legally, in Vietnam, this is an automatic violation of Decree 53, because key material and signing logs cannot be physically inspected on-site when regulators show up.

Model Gap Against Decree 53
Cloud HSM in an overseas data center Cannot be inspected locally by regulators
Traditional cold storage Depends on manual offline access, difficult for continuous operations
On-chain multisig Reveals internal signing structure, incurs network fees
SaaS MPC with offshore key processing Directly violates data residency rules

All three traditional models have their own gap against this requirement:

  • Cloud HSM in an overseas data center: cannot be inspected locally
  • Traditional cold storage: depends on manual offline access, difficult for continuous operations
  • On-chain multisig: reveals internal signing structure, incurs network fees
  • SaaS MPC with offshore key processing: directly violates data residency rules

What matters most: this violation is typically discovered after go-live, the moment an inspection team asks to see the physical infrastructure. Migrating an entire wallet core and key data set after a system is already live is an expensive process, carries high downtime risk, and during the transition period will almost certainly fail to meet continuous compliance requirements. The lesson: data residency architecture needs to be decided on day one of system design, not retrofitted after customers are already onboard.

4. Pre-Launch Readiness Checklist

Before applying for a license or operating in any SEA market, custody infrastructure should meet the following groups of criteria:

Must-haves, across every market:

  • Multi-party authorization, MPC at minimum 2-of-3, to eliminate single points of failure
  • Separate blockchain addresses: customer assets and operator assets must never be commingled
  • A segregation mechanism, a trust account or equivalent structure
  • Daily balance reconciliation, mandatory in Singapore, and best practice everywhere else

Market-specific:

  • Vietnam: Confirm the data residency architecture is fully onshore before applying, not after
  • Indonesia: Confirm a relationship with a licensed DFA Custodian partner. Personnel need CISA and CISSP certifications
  • Philippines: Confirm an existing VASP license is already in place, given the active moratorium. Key management personnel must reside in the Philippines

Should-haves:

  • ISO or SOC2 certification, or at minimum a clear roadmap toward it
  • Personnel holding appropriate security certifications

Nice-to-haves:

  • An independent auditor engaged before the license application
  • Travel Rule tooling already integrated into the payment flow
Category Checklist Item
Must-have (Every Market)
Multi-party authorization MPC at minimum 2-of-3 to eliminate single points of failure
Asset segregation Separate blockchain addresses; customer assets and operator assets must never be commingled
Segregation mechanism A trust account or equivalent structure to maintain asset separation
Balance reconciliation Daily balance reconciliation, mandatory in Singapore and considered best practice elsewhere
Market-specific Requirements
Vietnam Confirm the data residency architecture is fully onshore before applying, not after
Indonesia Confirm a relationship with a licensed DFA Custodian partner; personnel need CISA and CISSP certifications
Philippines Confirm an existing VASP license is already in place; key management personnel must reside in the Philippines
Should-have
Security certification ISO or SOC2 certification, or at minimum a clear roadmap toward it
Personnel readiness Personnel holding appropriate security certifications
Nice-to-have
Independent audit Engage an independent auditor before the license application
Travel Rule readiness Travel Rule tooling already integrated into the payment flow

5. Fystack: Self-Hosted Infrastructure Built for Compliance in Vietnam

Built directly in response to the bottlenecks above, particularly the data residency trap and Level 4 Security requirements, Fystack provides self-hosted custody infrastructure for financial institutions, CEXs, and OTC desks.

Open source as audit evidence

Regulators such as MAS in Singapore or the State Bank of Vietnam, when reviewing Level 4 information systems, consistently require transparent justification of the signing algorithm. This is exactly where closed-source SaaS solutions tend to struggle, because to an auditor, a closed-source system behaves like a black box: inputs and outputs are visible, but the internal logic can't be verified.

Fystack's secure wallet infrastructure is built on open-source libraries, mpcium and multichain-indexer. Transparent core source code helps businesses move through third-party IT assessments, including pre-licensing audits, faster, because auditors can review the source code directly instead of worrying about hidden malicious code in a system they can't see into.

A flat fee model that doesn't scale with transaction volume

Traditional international wallet SaaS providers typically charge based on a percentage of transaction volume or the number of wallet addresses generated. As a Web3 business scales, particularly stablecoin payment gateways or freelance payroll, which now accounts for as much as 35% of freelance payments across APAC, that kind of SaaS cost grows exponentially and eats into margins right at the moment a business is growing fastest.

Fystack runs on a flat subscription rate. Whether a business processes $10,000 or $100 million in stablecoin transactions, wallet infrastructure cost stays the same, making it far easier for a finance team to forecast operating cash flow without recalculating a fee schedule every time transaction volume rises.

Infrastructure fast enough for AML monitoring without slowing down the user experience

AML regulation requires risk and sanctions screening to be completed before a transaction is signed on-chain. That's a difficult balance to strike: thorough enough screening, without slowing down a user's deposit or withdrawal experience. To solve this, Fystack integrates Webacy's risk API directly into the signing flow, automatically isolating wallet addresses flagged as high-risk before a transaction is confirmed.

This is only possible with sufficiently powerful indexing infrastructure underneath. Fystack supports 12+ blockchains simultaneously with sub-millisecond address lookup speed, ensuring the AML screening step runs invisibly in the background while users still get a near-instant deposit and withdrawal experience.

If you are evaluating your custody and compliance infrastructure, the Fystack team would be happy to discuss your requirements and explore the right implementation approach.


SEA Digital Asset Custody: Questions We Hear Most Often

1. Is “not specified” cold storage in some SEA markets easier than Singapore’s 90% requirement?

Not necessarily. “Not specified” does not mean there are fewer requirements.

Countries like Indonesia, Vietnam, and Thailand often replace fixed cold storage percentages with other operational requirements, such as ISO certifications, data residency obligations, security controls, or principles-based custody standards.

In practice, these requirements can be just as demanding, or even more complex, than Singapore’s clear 90% cold storage rule.

2. Can I use an overseas SaaS MPC custody provider if I want to operate in Vietnam?

It depends on where your critical custody data is processed and stored.

If key material, signing data, or audit logs are handled outside Vietnam, the setup may conflict with Vietnam’s data residency requirements under Decree 53/2022/ND-CP.

Businesses entering Vietnam need to ensure their custody infrastructure supports local data requirements and can meet regulatory inspection expectations.

3. Can I launch a crypto exchange in Indonesia using my own custody system?

Not directly. Indonesia requires exchanges to work with licensed Digital Financial Asset (DFA) Custodians.

For new market entrants, securing a relationship with an approved custodian partner should be one of the first steps in the market-entry plan, because licensed custodians remain limited.

4. Can I apply for a new VASP license in the Philippines right now?

The Philippines has maintained a moratorium on new VASP applications since September 2025. Businesses entering the market need to evaluate alternative approaches, such as partnering with existing licensed entities, rather than assuming a new license can be obtained immediately.

5. Is open-source custody infrastructure really more secure?

Open source does not automatically make a system secure, but it improves transparency.

For compliance and security reviews, auditors can inspect the actual signing logic and architecture instead of relying only on vendor assurances.

Security ultimately depends on the system design, operational controls, and how the infrastructure is managed.

6. If I operate across multiple SEA markets, which compliance standard should I build for first?

Singapore’s MAS PS-G03 is often considered one of the clearest and most mature custody standards in the region.

Building infrastructure that meets Singapore-level requirements usually creates a stronger foundation for expanding into other SEA markets, rather than rebuilding compliance controls market by market.

Share this post