Anti-Money Laundering (AML) in Singapore: Complete Guide 2024

Singapore has a robust and open economy, with reasonable taxes and a well-qualified labor market. The city-state focuses on doing business internationally, which has appealed to companies from all over the world. 

Thus, it’s no surprise that the World Bank ranks the country as the second best in the world for business. However, Singapore’s open economy can attract financial criminals who intend to conceal the source of their income through money laundering or fund terrorism. To mitigate this risk, Singapore has established several governmental authorities and a robust AML regulatory framework. 

Since 2016, Singapore has taken a number of considerable actions to strengthen its AML framework. This has generated a positive response from international organizations such as the Financial Action Task Force (FATF), which stated in its latest review that Singapore is steadily developing its AML regulatory framework and sufficiently ensuring that companies implement them. 

Businesses planning to launch in Singapore need to comply with all the relevant regulations and guidelines. To simplify the process, we at Sumsub have prepared this article to explain how companies can stay compliant. 

Who’s affected?

AML regulations in Singapore apply to financial institutions as well as certain designated business, including but not limited to: 

• Banks
• Casinos
• Exchange companies
• Brokers
• Financial advisers
• Real estate agents
• Dealers of precious metals
• Payment service providers

The following types of transactions fall under AML regulations:

• Money transfers (both domestic and international)
• E-money issuance
• Account issuance
• Money exchange
• Virtual assets

Who are the regulators?

The Monetary Authority of Singapore (MAS) is Singapore’s central bank and integrated financial regulator. Its focus is regulating and licensing financial institutions, such as banks, crypto-related businesses, and brokers. The MAS also publishes guidelines for other types of financial institutions such as insurance companies.

It should be noted that the MAS is not the only financial regulator in Singapore. Facilities such as casinos are overseen by the Casino Regulatory Authority of Singapore. Meanwhile, real estate agencies have to comply with Council for Estate Agencies regulations.

What are the regulations?

The main AML regulation in Singapore is the Corruption, Drug Trafficking, and Other Serious Crimes Act 1992 (CDSA). The Act defines the roles of government authorities and imposes rules for money laundering prevention, including reporting procedures and penalties for criminals.

Some other important AML regulations include: 

• MAS Notice 626 
• MAS Notice 1014 
• MAS Notice 824 
• MAS Notice PSN01 
• MAS Notice PSN02 

To learn more about each of these regulations, you can download our compliance guidelines here.

Payment Service Providers:

Licensing and regulation of payment services is prescribed by the Singapore Payment Services Act (PSA). This includes:

• Domestic money transfer services
• Cross-border money transfer services
• Account issuance services
• Merchant acquisition services
• E‑money issuance services
• Digital payment token services

The PSA also regulates Virtual Asset Service Providers (VASPs), which include any entity that deals with buying and selling digital tokens/cryptocurrencies, provides an exchange or custodial services for tokens, or promotes or advertises these services. 

How to stay compliant

To stay compliant, companies need to follow the obligations set out by the Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA), which include: 

• Establishing internal policies and procedures with regard to compliance and AML monitoring based on a risk-based approach, meaning that entities can take into consideration the size and complexity of their business
• Communicating policies to all new employees and explaining any updates to them to existing employees at least on an annual basis
• Adequately training staff to identify and tackle suspicious activity and be aware of the consequences of entities violating regulations or not sufficiently monitoring risk
• Conducting business risk assessment to identify the overall ML/FT risk the business is exposed to, including the risk factors to be considered
• Appointing a compliance officer and clearly specify their roles and responsibilities in managing the AML compliance program
• Reporting suspicious transactions to regulatory authorities

Suggested read: The APAC Sentinel: Effective Transaction Monitoring Tactics

The Designated Non-Financial Businesses and Professions (DNFBPs) defined under the AML/CFT regulations of Singapore include:

• Dealers in Precious Stones & Precious Metals
• Real Estate Sector (Agents & Developers)
• Lawyers
• Corporate Service Providers
• Public Accountants
• Casinos
• Pawnbrokers

Outsourcing

Financial institutions should establish a risk-based approach to assess the checks conducted by their outsourced parties, since liability for any potential inadequacy still lies with them. 

In addition to the above, if the outsourced party has already performed its own CDD on a new customer, then the law permits the financial institution to rely on the CDD already performed if all the necessary and required conditions are satisfied.

Financial institutions should enable MAS, or any agent appointed by the regulator, to access and inspect the methodologies used by an outsourced service provider to perform CDD. In addition, MAS should be enabled to access any report produced by the service provider or its internal or external auditors—or by authorized agents of the outsourced service provider—with regard to detected suspicious activity, transactions and high-risk customers.

Automation

Financial institutions with larger customer volumes are expected to implement automated systems, with the ability to deal with an increased number of requests for CDD and a wide variety of customer transactions. 

The MAS considers the use of certain statistical tools and methods, such as above-the-line (“ATL”)* and below-the-line (“BTL”)** testing by financial institutions to be a good practice. 

Financial institutions should occasionally test and modify their transaction monitoring rules to ensure they can sufficiently identify suspicious transactions and behaviors, even in complex cases. Adjusting transaction monitoring rules is supposed to assist financial institutions to reduce the number of false positives/negatives.

Where necessary, analysts should investigate customers’ transaction history and other relevant notifications/alerts to holistically assess whether broader ML/TF patterns or behaviors may have manifested beyond the scope of an immediate alert.

* Above-the-line testing(ATL): testing means reviewing alerts generated by a transaction monitoring system to ensure that the thresholds for generating those alerts are appropriate

**Below-the-line testing(BTL): An evaluation of all financial/transaction activity to determine whether any transactions that should have been flagged as alerts were missed.

Value transfers 

A value transfer refers to “any transaction carried out on behalf of a value transfer originator through a financial institution with a view to making one or more digital tokens available”.

Before conducting a value transfer, an ordering institution shall:

• “Identify the value transfer originator and take the necessary measures to verify the value transfer originator’s identity, as the case may be 
• Record all the necessary details of the value transfer, including but not limited to, the date of the value transfer, the type and value of digital token(s) transferred and the value date”

Requirements: Value Transfers Below or Equal To S$1,500

• “The name of the value transfer originator
• The value transfer originator’s account number (or unique transaction reference number where no account number exists)
• The name of the value transfer beneficiary and
• The value transfer beneficiary’s account number (or unique transaction reference number where no account number exists)”

Requirements: Value Transfers Exceeding $1500:

• The value transfer originator’s –
  • Residential address, or
  • Registered or business address, and if different, principal place of business, as may be appropriate
• The value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number) or
• The date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate)

Performing Customer Due Diligence (CDD)

Regulated entities have to establish proper Customer Due Diligence (CDD) procedures, which is the process of collecting and verifying information about a customer during onboarding. CDD includes identification, verification, and ongoing monitoring of information provided by customers. 

When establishing business relationships, the following information should be collected from individuals/natural persons to meet CDD requirements:

• Full name
• Unique identification number (e.g., identity card number, birth certificate number, or passport number)
• Residential address
• Date of birth
• Nationality

Companies should also check customers for presence on sanctions lists (e.g., OFAC, UN, HMT, EU, DFT), Politically Exposed Persons (PEP) lists, and adverse media, followed by an ongoing monitoring process.

Additionally, if a customer is a legal person or legal arrangement, the following risk factors should also be considered: 

• The nature of the customers the entity is engaged with, including the customer’s business profile, type of structure, etc.
• The location or geographies in which the company is operating and the countries from which its customers are hailing or actively associated with
• The overall business profile of the regulated entity, covering:
  • The type of products and services offered,
  • Size, volume, and complexities of the transactions, including the mode of payments accepted
  • Delivery and distribution channels deployed, etc.

When working with legal persons, the following actions should be taken:

• Conduct background checks on its directors and shareholders up to its UBO (Ultimate Beneficial Owner) 
• Inquire about the relevant body that regulates and binds the legal person or legal arrangement which is their client 

Companies should then collect the following information about the legal person: 

• Full legal name of the entity
• Unique identification number (such as an identity card number, birth certificate number or passport number of directors, shareholders and ultimate beneficial owners 
• Registered business address, and if different, principal place of business, as may be appropriate;
• Proof of establishment, incorporation or registration
• Place of incorporation or place of registration 

When collecting documents, companies can use external services such as accountants, lawyers, or available databases to ensure authenticity. 

Provisions for PEPs

Financial institutions should take the following steps with regard to Politically Exposed Persons (PEPs) as well as their family members/close associates:

• Obtain approval from the financial institution’s Senior Management to establish or continue business relations with a PEP
• Identify and understand the source of wealth and the source of funds/income of the PEP and if they own any legal entity—and, if so, determine the beneficial owners of those entities
• Conduct enhanced monitoring of transactions, activity, and behavior while reporting any unusual or suspicious activity (without informing the customer

Recordkeeping

Financial institutions are required to keep records on their customers and transactions* for at least five years from the end of the business relationship or final transaction. Dealers of precious stones have to keep such records for the same amount of time when transactions exceed S$20,000 (approximately $15,000).

*”Transactions include wire transfers even if no account has been opened. For data, documents, and information relating to a transaction, including any information needed to explain and reconstruct the transaction, a period of retention of at least 5 years following the completion of the transaction is required.”

Furthermore, value transfers and digital tokens are included in the definition of transactions.

In addition to the above, account files, business correspondences, and the results of any analysis undertaken need to be kept for a period of at least 5 years after the end of business relationship.

A financial institution should also retain records of data, documents, and information on all matters that led to an investigation or subject to an STR.

Reporting

The Suspicious Transaction Reporting Office (STRO) is the main government institution responsible for analyzing reports filed by companies. There are three types of reports that the authority may receive:

• Suspicious Transaction Reports
• Cash Transaction Reports
• Cash Movement Reports

In case a regulated entity detects suspicious activity (for example, if they find out that a client has a record of drug-related offenses, has been found in adverse media, or has conducted an unusual transaction with no apparent purpose) it should immediately send a Suspicious Transaction Report to the STRO containing all the transactions of the customer in question, including attempted ones, without informing the subject of the report, as this would be considered as a “Tipping-off”* offense. 

Dealers of precious stones and metals have to report all transactions exceeding S$20,000 (approximately $15,000), while casinos have to report all transactions exceeding S$10,000 (approximately $7,500). Such transactions should be reported within 15 business days.

Financial institutions should engage in an ongoing and extensive ongoing monitoring of suspicious clients by analyzing their transactions and requesting additional information and/or documents. 

Should a financial institution decide to maintain a business relationship with a suspicious client, it should ensure that appropriate enhanced measures are taken to manage and mitigate the risks. These enhanced measures include subjecting the accounts to increased scrutiny, obtaining senior management approval prior to executing further transactions, and more.

*Tipping Off: The No Tipping Off Rule also applies to Singapore with regard to high-risk clients.

Complete instructions on report submission can be found here.

Updates to and key points of the 2022 Notice of the MAS AML Law

The updates state that:

• In relation to a wire transfer, the financial institution is an institution that receives the wire transfer from the ordering institution, directly or through an intermediary institution, and makes the funds available to the wire transfer beneficiary or
• In relation to a value transfer, the financial institution that receives the value transfer from the ordering institution, directly or through an intermediary institution, and makes one or more digital tokens available to the value transfer beneficiary

Moreover, there are new definitions of “digital payment token transfer service” and “digital token transaction”.

“Digital Token” means:

• “A digital payment token or 
• A digital CMP token” 

“Digital token transaction” means:

• “A payment service transaction or 
• Any transaction accepted, processed, or executed by the bank in the course of its business of conducting any regulated activity under the SFA in relation to digital CMP tokens”

Notice 2022 also states that financial institutions shall perform CDD measures on all joint account holders as if each of them were individual customers.

What are the penalties?

According to The Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA), the following penalties apply to those convicted of money laundering activities:

• For individuals: a fine of up to S$500,000 (approximately $375,000) or up to 10 years imprisonment;
• For companies: a fine of up to S$1,000,000 (approximately $750,000) or double the amount of goods acquired through illegal activity, whichever is higher.

For companies that fail to comply with AML regulations (e.g., don’t report suspicious activities in a timely manner), the following penalties may apply:

• Official warnings
• Reprimands
• Prohibition orders
• Removal of management from their positions
• License termination
• Monetary penalties.

The maximum monetary penalty for financial institutions failing to meet AML obligations cannot exceed S$1,000,000 (approximately $750,000).

FAQ

• What are the AML laws in Singapore?

  Here’s the list of the main AML regulations in the country: The Corruption, Drug Trafficking, and Other Serious Crimes Act 1992 (CDSA) MAS Notice 626 MAS Notice 1014 MAS Notice 824 MAS Notice PSN01 MAS Notice PSN02

• What are the Anti-Money Laundering Acts in Singapore?

  The Monetary Authority of Singapore (MAS) publishes AML guidelines for different types of entities. Violating these guidelines isn’t a criminal offense, but non-compliance can affect a company’s risk evaluation by the MAS.

• What is MAS Notice 626?

  It is a guideline published by the Monetary Authority of Singapore (MAS) which applies to banks and targets Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) activities. The full text can be found here.

• What are the KYC requirements from the MAS?

  Singapore’s financial institutions are required to conduct KYC/CFT/AML checks when onboarding customers. The requirements are set by the Monetary Authority of Singapore (MAS). For individual customers onboarded remotely, businesses typically must verify their full name, unique identification number, residential address, date of birth, and nationality.

• What is simplified due diligence (SDD) in Singapore?

  Where a company is satisfied that the risks of money laundering and terrorism financing are low, a bank may perform SDD measures. This decision should be made according to the needs, profile, complexity and size of the firm and always in compliance with local regulations as well as its internal procedures and guidelines. In such cases, companies shall document:

  • The details of its risk assessment
  • The nature of the simplified CDD measures

  Compared to higher levels of due diligence, SDD implies less thorough measures and requirements—however, an adequate standard still needs to be maintained. This includes:

  • Customer identification and verification
  • Beneficial owner identification and verification
  • Understanding the purpose and nature of the relationship
  • Ongoing monitoring

  The firm is expected to produce the relevant policies that outline the different categories of accepted clients based on different risk factors such as geographical and industry.

• Is Singapore a high risk country for AML?

  No. According to the latest FATF Mutual Evaluation Report, Singapore fully complies with 20 Recommendations and mostly complies with 17 recommendations (out of 40 total). This means that the country is successfully confronting money laundering.