AML/CFT Compliance in Singapore: MAS, CDSA, and the 2026 Regulatory Landscape

Singapore’s AML/CFT regime is under unprecedented pressure after the S$3 billion money-laundering case that erupted in August 2023, prompting MAS to launch enhanced examinations of ten banks and to levy S$27.45 million in fines across the sector in 2024. The fallout has driven a wave of regulatory updates, tighter supervision of wealth-management and family-office structures, and a sharpened focus on digital-asset service providers. For compliance officers, offshore bankers and regulators, the next twelve months will demand a disciplined, risk-based approach that aligns with MAS notices, the CDSA and the Terrorism (Suppression of Financing) Act.

The Regulatory Landscape

At the core of Singapore’s AML/CFT architecture lies the CDSA, which criminalises money-laundering, terrorist financing and the concealment of proceeds from any serious offence. Section 50(1) imposes a duty on “financial institutions” to establish internal controls, while Section 51 requires the filing of suspicious transaction reports (STRs) with the STRO. The Terrorism (Suppression of Financing) Act (TSFA) adds a parallel offence for financing terrorism and mandates the same reporting obligations.

MAS, acting as both regulator and supervisor, translates these statutes into sector-specific guidance through a series of notices. Notice 626 (issued 1 January 2022, revised 28 March 2024) sets out AML/CFT expectations for banks, covering customer due diligence (CDD), risk assessment, transaction monitoring and record-keeping. Notice 627 mirrors these requirements for merchant banks and other non-bank financial institutions. Notice 1014 governs finance companies, while SFA Notice 04 applies to securities-dealing firms and fund managers. The PSN01 framework, last amended 2 July 2025, regulates digital payment token service providers (DPTSPs) and imposes additional obligations on crypto-asset custodians.

The Suspicious Transaction Reporting Office (STRO) operates under the Commercial Affairs Department and receives STRs via a secure web portal. STRO analyses reports, shares intelligence with MAS and other law-enforcement agencies, and may refer cases for criminal investigation under the CDSA.

MAS’s Updated AML/CFT Guidance (2024-2025)

In March 2024 MAS released the final version of the Guidelines to MAS Notice 626, a 120-page document that clarifies expectations on risk-based customer onboarding, ongoing monitoring and senior-management oversight. The guidelines introduced a “rolling review” requirement: high-risk customers must be reassessed at least annually, medium-risk every three years, and low-risk every five years (see paragraph 3.2.1 of the guidelines). The same document also added a new “beneficial-ownership verification” checklist, requiring institutions to obtain and retain certified copies of shareholders’ registers for entities with a shareholding of 25 % or more, in line with Section 51(2) of the CDSA.

A subsequent amendment to Notice 627 was published on 2 July 2025 after a public consultation that attracted 87 responses. The amendment tightened the definition of “politically exposed persons” (PEPs) to include senior officials of foreign state-owned enterprises, and it introduced a mandatory “enhanced-due-diligence (EDD) trigger” when a transaction exceeds S$5 million and involves a jurisdiction identified by the Financial Action Task Force (FATF) as high-risk.

The PSN01 amendment (2025) expanded the scope of “digital payment token services” to cover custodial wallet providers and introduced a requirement for real-time blockchain analytics. Providers must retain transaction logs for a minimum of seven years and must submit a “crypto-risk assessment” to MAS within 30 days of onboarding a new token. Failure to comply can result in a prohibition order under Section 48 of the PSA, as demonstrated in the 2026 case against a local exchange that was ordered to cease operations after repeated breaches.

Customer Due Diligence and KYC

MAS Notice 626 mandates that banks obtain, verify and retain the following for natural persons: full name, date of birth, nationality, residential address, and a government-issued identification number (e.g., NRIC or passport). For legal entities, the required documents include a certified copy of the certificate of incorporation, a register of shareholders, a register of directors, and a declaration of the ultimate beneficial owners (UBOs) holding at least 25 % of voting rights (Section 5.1 of the notice). The notice also requires verification of the UBOs’ identity through the same documents required for natural persons.

Ongoing monitoring is a continuous obligation. Institutions must apply transaction-monitoring rules that are calibrated to the risk profile established during onboarding. MAS expects “real-time” screening for high-risk customers, with alerts reviewed by senior compliance officers within 24 hours of generation. The guidelines to Notice 626 (paragraph 4.3.2) specify that any transaction that deviates from the customer’s known pattern must be investigated and, where appropriate, reported to STRO.

For family offices and private-wealth structures, MAS introduced a specific supervisory focus in 2025 under SFA sections 13X and 13O. These sections require wealth-management firms to obtain a “source-of-wealth” statement for each client with assets exceeding S$500 million, and to retain supporting documentation for at least ten years. The source-of-wealth statement must detail the origin of the client’s wealth, including any inheritance, business proceeds or capital gains, and must be signed by the client and a senior compliance officer.

Sanctions Screening

Singapore’s sanctions regime is derived from United Nations Security Council resolutions, the United Nations Consolidated Sanctions List, and the Singapore Ministry of Foreign Affairs’ own sanctions list. MAS Notice 626 (section 6.2) requires institutions to screen all customers, beneficial owners and counterparties against these lists at onboarding and on an ongoing basis. The notice also mandates that any “potential match” be investigated within two business days, and that a final decision - either a false-positive clearance or a SAR filing - be documented in the institution’s AML system.

In 2024 MAS issued a supplemental advisory on “Secondary Sanctions” after the United Kingdom imposed sanctions on several entities linked to the Russian defence sector. The advisory clarified that Singapore-based banks must also screen for UK-issued sanctions, even though the UK is not a UN-mandated sanctioning body. Non-compliance with this advisory can trigger enforcement under Section 52 of the CDSA, which carries a maximum fine of 10 % of the institution’s annual turnover.

SAR/STR Reporting

Under Section 51(1) of the CDSA, any “financial institution” that suspects a transaction is linked to money-laundering or terrorist financing must file a Suspicious Transaction Report (STR) with the STRO “as soon as practicable and, in any event, no later than the next business day”. The STR must contain the identity of the reporting institution, a description of the suspicious activity, the amount involved, and any supporting documentation. MAS Notice 626 (paragraph 7.1) requires that the STR be submitted through the secure STRO web portal, and that the institution retain a copy of the report for at least five years.

Risk-Based Approach

MAS requires a documented, institution-wide risk-assessment framework that is reviewed at least annually, or whenever there is a material change in the business model, product offering or customer base (Notice 626, paragraph 3.1). The risk-assessment must consider three dimensions: customer risk, product/service risk and geographic risk. High-risk customers - such as PEPs, non-resident high-net-worth individuals, and entities operating in FATF-high-risk jurisdictions - must be subject to enhanced due diligence (EDD) and more frequent transaction monitoring.

The 2025 MAS “Risk Management in Financial Institutions” paper highlighted that banks with a “risk-adjusted return on capital” (RAROC) below 8 % were more likely to experience AML breaches, prompting MAS to issue a supervisory notice in February 2026 that ties risk-management performance metrics to supervisory ratings.

Crypto-Assets and VASPs

The Payment Services Act (PSA) classifies digital payment token service providers (DPTSPs) as “money-service businesses” and subjects them to the same AML/CFT obligations as traditional financial institutions. MAS Notice PSN01 (effective 1 January 2024, amended 2 July 2025) requires DPTSPs to conduct customer onboarding, transaction monitoring and STR filing in line with Notice 626. In addition, DPTSPs must implement blockchain-analytics tools capable of tracing token movements across multiple wallets and must retain transaction data for a minimum of seven years.

A landmark enforcement case in March 2026 involved a local cryptocurrency exchange that failed to conduct EDD on high-value token transfers exceeding S$10 million. MAS imposed a S$4.2 million fine and issued a prohibition order under Section 48 of the PSA, illustrating the regulator’s willingness to apply traditional AML penalties to the crypto-sector.

Recent Enforcement (2024-2026)

MAS’s enforcement activity has intensified since the 2023 Fujian-gang money-laundering case. The following table summarises the most significant actions taken between 2024 and early 2026.

The enforcement pattern reveals three recurring themes: delayed STR filing, insufficient CDD on high-risk clients, and weak sanctions-screening controls. Institutions that have addressed these gaps early are better positioned to avoid the steep fines that have become commonplace.

Practical Compliance Checklist for Singapore Institutions

Common Pitfalls

First, many institutions still rely on “batch” STR filing, submitting reports weekly rather than within the next business day. MAS has repeatedly warned that the “as soon as practicable” standard is interpreted as a real-time obligation, and the 2025 enforcement action against a finance company (S$1.2 m fine) illustrates the cost of non-compliance.

Second, inadequate verification of beneficial owners continues to surface. Some firms accept uncertified copies of shareholder registers, which MAS deems insufficient under Notice 626 § 5.1. The regulator expects certified extracts or electronic filings from the Accounting and Corporate Regulatory Authority (ACRA) that include the UBO’s full identification details.

Third, over-reliance on commercial screening tools without documented rationale is a frequent error. MAS expects institutions to retain evidence of the matching algorithm, data-quality controls and periodic vendor validation. A “black-box” approach was a key factor in the UBS penalty for 2024.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation that references the CDSA, the Terrorism (Suppression of Financing) Act, MAS Notice 626, Notice 627, PSN01 and the latest STRO reporting templates. Outputs include a MAS-ready AML manual, a CDD policy aligned with CDSA § 50, a sanctions-screening framework citing UN and Singapore lists, and a SAR/STR template formatted to STRO specifications. The platform also generates a crypto-risk-assessment workbook that satisfies the PSA and PSN01 requirements, complete with blockchain-analytics vendor validation checklists.