What Regulators Actually Need from Blockchain Teams

There's a country in Southeast Asia that had a functioning digital asset custodian framework, licensed exchanges, regulated IEO platforms, and Shariah-compliant crypto classifications. All before most Western regulators had finished their consultation papers. It's not the country you're thinking of.

It's Malaysia.

The Quiet Achiever

When people think "crypto hub in Southeast Asia," they think Singapore. The headlines are loud: MAS licensing regime, Temasek's crypto investments, the fintech festivals. Singapore has done extraordinary work building its reputation as a financial centre. That reputation is earned and deserved, but it tells an incomplete story about where the actual regulatory infrastructure was built first.

Malaysia's Securities Commission published their Capital Markets and Services (Prescription of Securities) Order in 2019, a comprehensive framework for digital assets under securities law. By 2020, they had issued detailed Guidelines on Digital Assets. Today:

  • 5 licensed Digital Asset Exchanges
  • 3 registered Digital Asset Custodians
  • 2 IEO platforms
  • 23 tradeable digital assets, 16 with formal Shariah-compliant classification

No other jurisdiction on earth has that last distinction.

Meanwhile, Singapore's MAS received approximately 170 license applications under the Payment Services Act. The approval rate was brutal. Roughly 20 made it through. Most withdrew or were rejected. The selectivity isn't the problem. The problem is what happened in the gap between application and regulation.


The Singapore Correction

Three Arrows Capital, a Singapore-registered fund, collapsed in June 2022, taking $3.5 billion in creditor claims with it. MAS reprimanded them for exceeding their AUM threshold, providing false information, and failing to notify of directorship changes. Hodlnaut, a Singapore-headquartered lending platform, had quietly converted $317 million of customer deposits into TerraUSD via Anchor Protocol. When UST collapsed in May 2022, they lost $190 million overnight. Their CEO was charged with fraud in 2026. Terraform Labs itself was incorporated in Singapore. Luna Foundation Guard, managing $2.4 billion in Bitcoin reserves, was a Singapore-based non-profit. The UST depeg erased $45 billion in market cap in a single week.

Singapore's state investor Temasek wrote off its entire US$275 million FTX investment.

None of this diminishes Singapore's broader financial infrastructure. It remains one of the world's great financial centres and its regulatory sophistication across traditional finance is unmatched in the region. However, the crypto chapter reveals something important: reputation and regulatory readiness are not the same thing. Speed to market without depth of oversight produces spectacular failures.

What Malaysia Did Differently

Malaysia's approach was slow. Deliberately, painfully slow. I know this personally. I spent two years advising the Securities Commission on their blockchain blueprint through Project Castor, and then five years funding and waiting for CoKeeps to receive its Digital Asset Custodian approval. Five years. From application to licence.

That timeline sounds like bureaucratic failure. It isn't. It's what happens when a regulator takes the time to understand the technology deeply enough to write frameworks that actually work, rather than rushing to publish something that looks good at a fintech conference but collapses under stress.

SC Malaysia's process with us went through distinct phases. First: education. Workshops where I explained distributed ledger technology to people who would eventually write policy around it. Second: demonstration. Working implementations using Neuroware's Cortex platform. Not whitepapers, but running software showing digital identities, token factories, compliance contracts, and upgradeable architectures. Third: feasibility. Could this actually work for capital markets? For secondary trading? For institutional custody?

Only after all three phases did policy emerge. That's the correct order. Educate. Demonstrate. Regulate.

Infrastructure Built in Kuala Lumpur

Here's something the global crypto community rarely acknowledges: two of the most critical infrastructure companies in the entire blockchain ecosystem were built in Malaysia.

Etherscan, the dominant blockchain explorer, used by virtually every Ethereum developer, trader, and auditor on earth, was founded in Malaysia. When a developer verifies a smart contract, when a trader checks a transaction, when a security researcher traces funds, they're using Malaysian infrastructure.

CoinGecko, the second-largest cryptocurrency data aggregator globally, tracking thousands of tokens across hundreds of exchanges, was founded and is headquartered in Kuala Lumpur. The price data, market caps, and trading volumes that inform billions of dollars in daily decisions flow through Malaysian servers.

These aren't peripheral services. They're foundational infrastructure that the global ecosystem cannot function without. They were built quietly, without the flashy launch events or government-backed accelerator programmes. They emerged from an ecosystem that values building over announcing. The same ecosystem that produced a functioning regulatory framework while louder jurisdictions were still debating consultation responses.


What Regulators Actually Need

After thirteen years operating in this space (founding R1 in 2012, building the Blockchain Embassy consortium with Maybank and RHB, advising the SC, and eventually seeing CoKeeps approved), I've learned what regulators need from blockchain teams. It's not what most teams think.

They don't need to be convinced that blockchain is revolutionary. They don't need token economics explained. They don't need to hear about decentralisation's philosophical merits. They've heard all of that. What they need is:

  • Auditability. Can the system produce a complete, tamper-evident record of every transaction, every decision point, every state change? Regulators don't care about trustlessness — they care about verifiability.
  • Reversibility pathways. Not reversibility of the blockchain itself — but administrative mechanisms for error correction, dispute resolution, and regulatory intervention. A system with no off-switch is not one a regulator will approve.
  • Compliance as architecture, not feature. KYC/AML cannot be bolted on. It must be the foundation. DN-Key Protocol was designed for this — key management that's regulated-environment-native, not retrofitted from a permissionless context.
  • Patience. The willingness to spend five years in a regulatory process without cutting corners, without launching "in the meantime" in a friendlier jurisdiction, without pressuring timelines. Regulators respect teams that take the process seriously.
  • Education without condescension. Explaining smart contract upgradeability patterns to a securities lawyer requires a specific skill. You need to convey the architecture without dumbing it down, while translating technical guarantees into regulatory language. Most technical founders can't do this. Most compliance consultants don't understand the technology deeply enough to do it either.

The UK Opportunity

The FCA's crypto registration process has a 14% approval rate. Only 14% of applicants have achieved registration since January 2020. That's not because the FCA is hostile. It's because most applicants don't understand what regulators need from them.

More significantly: the UK is only now finalising its digital asset custody framework, with legislation expected in 2026 and rules (CASS 17) potentially operational by late 2026 or 2027. Malaysia had this solved in 2022. HM Treasury's April 2025 draft legislation for "cryptoasset custody and issuance" covers ground that SC Malaysia covered five years earlier.

This isn't a criticism. The UK has different priorities, a different scale of financial system, and legitimate reasons for caution. Brexit consumed regulatory bandwidth. The FTX collapse made everyone more conservative. These are reasonable explanations for the timeline.

This gap creates an opportunity. The UK doesn't need to learn these lessons from scratch. The frameworks exist. The edge cases have been discovered. The compliance architectures have been tested. Someone who has been through the process (from the earliest education phase with regulators who were sceptical, through the multi-year demonstration phase, through the eventual framework publication and the first approvals) can shortcut years of trial and error.

The question is not whether the UK will regulate digital asset custody. It's whether the teams advising that process have the depth of experience to help regulators get it right the first time, or whether we'll see another cycle of consultation papers and frameworks that don't survive contact with reality.

Slow is Fast

The "move fast and break things" mindset is exactly wrong for regulated markets. Every broken thing in a financial system has a victim. Every corner cut in a custody framework is someone's pension fund at risk. Every launch-first-regulate-later strategy produces a Hodlnaut or a Three Arrows Capital: entities that operated in the regulatory gap between ambition and oversight.

Malaysia understood this. The SC took their time. They educated themselves before they regulated. They demanded working demonstrations before they wrote frameworks. They tested assumptions over years, not weeks. The result is a jurisdiction with zero high-profile crypto collapses, a functioning multi-category regulator, and institutional infrastructure that quietly powers the global ecosystem.

Patience isn't a weakness. It's the only proven strategy for getting regulated technology right.