This article covers everything you need to know about KYC/AML in Singapore.
Singapore has a robust and open economy, with reasonable taxes and a well-qualified labor market. The city-state focuses on doing business internationally, which has appealed to companies from all over the world.
Thus, it’s no surprise that the World Bank ranks the country as the second best in the world for business. However, Singapore’s open economy can attract financial criminals who intend to conceal the source of their income through money laundering or fund terrorism. To mitigate this risk, Singapore has established several governmental authorities and a robust AML regulatory framework.
Since 2016, Singapore has taken a number of considerable actions to strengthen its AML framework. This has generated a positive response from international organizations such as the Financial Action Task Force (FATF), which stated in its latest review that Singapore is steadily developing its AML regulatory framework and sufficiently ensuring that companies implement them.
Businesses planning to launch in Singapore need to comply with all the relevant regulations and guidelines. To simplify the process, we at Sumsub have prepared this article to explain how companies can stay compliant.
AML regulations in Singapore apply to financial institutions as well as certain designated business, including but not limited to:
The following types of transactions fall under AML regulations:
The Monetary Authority of Singapore (MAS) is Singapore’s central bank and integrated financial regulator. Its focus is regulating and licensing financial institutions, such as banks, crypto-related businesses, and brokers. The MAS also publishes guidelines for other types of financial institutions such as insurance companies.
It should be noted that the MAS is not the only financial regulator in Singapore. Facilities such as casinos are overseen by the Casino Regulatory Authority of Singapore. Meanwhile, real estate agencies have to comply with Council for Estate Agencies regulations.
The main AML regulation in Singapore is the Corruption, Drug Trafficking, and Other Serious Crimes Act 1992 (CDSA). The Act defines the roles of government authorities and imposes rules for money laundering prevention, including reporting procedures and penalties for criminals.
Some other important AML regulations include:
To learn more about each of these regulations, you can download our compliance guidelines here.
Payment Service Providers:
Licensing and regulation of payment services is prescribed by the Singapore Payment Services Act (PSA). This includes:
The PSA also regulates Virtual Asset Service Providers (VASPs), which include any entity that deals with buying and selling digital tokens/cryptocurrencies, provides an exchange or custodial services for tokens, or promotes or advertises these services.
To stay compliant, companies need to follow the obligations set out by the Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA), which include:
Suggested read: The APAC Sentinel: Effective Transaction Monitoring Tactics
The Designated Non-Financial Businesses and Professions (DNFBPs) defined under the AML/CFT regulations of Singapore include:
Financial institutions should establish a risk-based approach to assess the checks conducted by their outsourced parties, since liability for any potential inadequacy still lies with them.
In addition to the above, if the outsourced party has already performed its own CDD on a new customer, then the law permits the financial institution to rely on the CDD already performed if all the necessary and required conditions are satisfied.
Financial institutions should enable MAS, or any agent appointed by the regulator, to access and inspect the methodologies used by an outsourced service provider to perform CDD. In addition, MAS should be enabled to access any report produced by the service provider or its internal or external auditors—or by authorized agents of the outsourced service provider—with regard to detected suspicious activity, transactions and high-risk customers.
Financial institutions with larger customer volumes are expected to implement automated systems, with the ability to deal with an increased number of requests for CDD and a wide variety of customer transactions.
The MAS considers the use of certain statistical tools and methods, such as above-the-line (“ATL”)* and below-the-line (“BTL”)** testing by financial institutions to be a good practice.
Financial institutions should occasionally test and modify their transaction monitoring rules to ensure they can sufficiently identify suspicious transactions and behaviors, even in complex cases. Adjusting transaction monitoring rules is supposed to assist financial institutions to reduce the number of false positives/negatives.
Where necessary, analysts should investigate customers’ transaction history and other relevant notifications/alerts to holistically assess whether broader ML/TF patterns or behaviors may have manifested beyond the scope of an immediate alert.
* Above-the-line testing(ATL): testing means reviewing alerts generated by a transaction monitoring system to ensure that the thresholds for generating those alerts are appropriate
**Below-the-line testing(BTL): An evaluation of all financial/transaction activity to determine whether any transactions that should have been flagged as alerts were missed.
A value transfer refers to “any transaction carried out on behalf of a value transfer originator through a financial institution with a view to making one or more digital tokens available”.
Before conducting a value transfer, an ordering institution shall:
Requirements: Value Transfers Below or Equal To S$1,500
Requirements: Value Transfers Exceeding $1500:
Regulated entities have to establish proper Customer Due Diligence (CDD) procedures, which is the process of collecting and verifying information about a customer during onboarding. CDD includes identification, verification, and ongoing monitoring of information provided by customers.
When establishing business relationships, the following information should be collected from individuals/natural persons to meet CDD requirements:
Companies should also check customers for presence on sanctions lists (e.g., OFAC, UN, HMT, EU, DFT), Politically Exposed Persons (PEP) lists, and adverse media, followed by an ongoing monitoring process.
Additionally, if a customer is a legal person or legal arrangement, the following risk factors should also be considered:
When working with legal persons, the following actions should be taken:
Companies should then collect the following information about the legal person:
When collecting documents, companies can use external services such as accountants, lawyers, or available databases to ensure authenticity.
Financial institutions should take the following steps with regard to Politically Exposed Persons (PEPs) as well as their family members/close associates:
Financial institutions are required to keep records on their customers and transactions* for at least five years from the end of the business relationship or final transaction. Dealers of precious stones have to keep such records for the same amount of time when transactions exceed S$20,000 (approximately $15,000).
*”Transactions include wire transfers even if no account has been opened. For data, documents, and information relating to a transaction, including any information needed to explain and reconstruct the transaction, a period of retention of at least 5 years following the completion of the transaction is required.”
Furthermore, value transfers and digital tokens are included in the definition of transactions.
In addition to the above, account files, business correspondences, and the results of any analysis undertaken need to be kept for a period of at least 5 years after the end of business relationship.
A financial institution should also retain records of data, documents, and information on all matters that led to an investigation or subject to an STR.
The Suspicious Transaction Reporting Office (STRO) is the main government institution responsible for analyzing reports filed by companies. There are three types of reports that the authority may receive:
In case a regulated entity detects suspicious activity (for example, if they find out that a client has a record of drug-related offenses, has been found in adverse media, or has conducted an unusual transaction with no apparent purpose) it should immediately send a Suspicious Transaction Report to the STRO containing all the transactions of the customer in question, including attempted ones, without informing the subject of the report, as this would be considered as a “Tipping-off”* offense.
Dealers of precious stones and metals have to report all transactions exceeding S$20,000 (approximately $15,000), while casinos have to report all transactions exceeding S$10,000 (approximately $7,500). Such transactions should be reported within 15 business days.
Financial institutions should engage in an ongoing and extensive ongoing monitoring of suspicious clients by analyzing their transactions and requesting additional information and/or documents.
Should a financial institution decide to maintain a business relationship with a suspicious client, it should ensure that appropriate enhanced measures are taken to manage and mitigate the risks. These enhanced measures include subjecting the accounts to increased scrutiny, obtaining senior management approval prior to executing further transactions, and more.
*Tipping Off: The No Tipping Off Rule also applies to Singapore with regard to high-risk clients.
Complete instructions on report submission can be found here.
The updates state that:
Moreover, there are new definitions of “digital payment token transfer service” and “digital token transaction”.
“Digital Token” means:
“Digital token transaction” means:
Notice 2022 also states that financial institutions shall perform CDD measures on all joint account holders as if each of them were individual customers.
According to The Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA), the following penalties apply to those convicted of money laundering activities:
For companies that fail to comply with AML regulations (e.g., don’t report suspicious activities in a timely manner), the following penalties may apply:
The maximum monetary penalty for financial institutions failing to meet AML obligations cannot exceed S$1,000,000 (approximately $750,000).
Here’s the list of the main AML regulations in the country: The Corruption, Drug Trafficking, and Other Serious Crimes Act 1992 (CDSA) MAS Notice 626 MAS Notice 1014 MAS Notice 824 MAS Notice PSN01 MAS Notice PSN02
The Monetary Authority of Singapore (MAS) publishes AML guidelines for different types of entities. Violating these guidelines isn’t a criminal offense, but non-compliance can affect a company’s risk evaluation by the MAS.
It is a guideline published by the Monetary Authority of Singapore (MAS) which applies to banks and targets Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) activities. The full text can be found here.
Singapore’s financial institutions are required to conduct KYC/CFT/AML checks when onboarding customers. The requirements are set by the Monetary Authority of Singapore (MAS). For individual customers onboarded remotely, businesses typically must verify their full name, unique identification number, residential address, date of birth, and nationality.
Where a company is satisfied that the risks of money laundering and terrorism financing are low, a bank may perform SDD measures. This decision should be made according to the needs, profile, complexity and size of the firm and always in compliance with local regulations as well as its internal procedures and guidelines. In such cases, companies shall document:
No. According to the latest FATF Mutual Evaluation Report, Singapore fully complies with 20 Recommendations and mostly complies with 17 recommendations (out of 40 total). This means that the country is successfully confronting money laundering.