Business Compliance | 12 min read | 30 April 2026

AML/CFT Compliance Singapore: What Every SME Needs to Know (2026 Guide)

Complete guide to anti-money laundering (AML) and counter-terrorism financing (CFT) compliance for Singapore SMEs. Key laws, obligations, penalties, and practical steps.

ComplyHQ Team

In August 2023, Singapore authorities seized over S$3 billion in assets in one of the world's largest money laundering cases. Ten foreign nationals were arrested. Luxury properties, cars, gold bars, and bank accounts were frozen. The case dominated headlines for months and prompted a nationwide tightening of anti-money laundering enforcement.

If you are an SME owner reading this, you might think AML compliance is something only banks and financial institutions worry about. That is incorrect. The fallout from the 2023 case reached far beyond the financial sector. Corporate service providers, real estate agents, precious stones and metals dealers, luxury goods retailers, and even accounting firms found themselves under increased scrutiny. New regulations and enhanced enforcement followed.

In 2026, AML/CFT compliance is not optional for any Singapore business. This guide explains what the law requires, which businesses face the strictest obligations, and the practical steps every SME should take.

What Are AML and CFT?

Anti-Money Laundering (AML) refers to the laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. Money laundering typically involves three stages: placement (introducing illegal funds into the financial system), layering (moving money through complex transactions to obscure its origin), and integration (using the "cleaned" money for legitimate purposes).

Countering the Financing of Terrorism (CFT) refers to measures designed to detect and prevent the use of funds -- whether from legal or illegal sources -- to finance terrorist activities.

Singapore treats both seriously. The city-state's position as a global financial hub, combined with its strict rule-of-law reputation, means that AML/CFT enforcement is aggressive and penalties are severe.

Key AML/CFT Laws in Singapore

Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA)

The CDSA is Singapore's primary anti-money laundering law. Key provisions:

  • Section 43: Criminalises assisting another person to retain benefits of criminal conduct
  • Section 44: Criminalises dealing with property known or believed to represent proceeds of criminal conduct
  • Section 46: Criminalises acquiring, possessing, using, concealing, or transferring benefits of criminal conduct
  • Section 47: Mandatory reporting obligation -- requires filing of Suspicious Transaction Reports (STRs) when there are reasonable grounds to suspect transactions are linked to criminal activity

Penalties: Fines up to S$500,000 and/or imprisonment up to 10 years per offence.

Who it applies to: Everyone. The CDSA applies to all persons and businesses in Singapore, not just regulated entities. If your business processes a payment you suspect is linked to criminal activity, you have a legal obligation to file an STR.

Terrorism (Suppression of Financing) Act (TSOFA)

Criminalises the collection or provision of funds intended to support terrorism. Penalties include fines up to S$500,000 and/or imprisonment up to 10 years.

MAS Notices and Guidelines

The Monetary Authority of Singapore (MAS) issues sector-specific AML/CFT requirements for regulated financial institutions through MAS Notices (legally binding) and Guidelines (expected compliance). Key notices include:

  • MAS Notice 626 (Banks)
  • MAS Notice SFA04-N02 (Capital Markets Intermediaries)
  • MAS Notice PSN02 (Payment Services)

These notices prescribe detailed requirements for Customer Due Diligence (CDD), ongoing monitoring, record-keeping, and suspicious transaction reporting.

Precious Stones and Precious Metals (Prevention of Money Laundering and Terrorism Financing) Act

Since 2019, dealers in precious stones, precious metals, and precious products (PSPM dealers) with cash transactions of S$20,000 or more must conduct Customer Due Diligence and file STRs.

Which Businesses Have Enhanced AML Obligations?

Not all businesses face the same level of AML/CFT requirements. Here is a breakdown:

Tier 1: Full AML/CFT Programme Required

These businesses must implement comprehensive AML/CFT frameworks including CDD, ongoing monitoring, record-keeping, staff training, and STR filing:

  • Banks and financial institutions (MAS-regulated)
  • Payment service providers (licensed under Payment Services Act)
  • Capital markets intermediaries (MAS-regulated)
  • Insurance companies and intermediaries
  • Money changers and remittance agents

Tier 2: Sector-Specific AML/CFT Obligations

These businesses have specific AML/CFT obligations under their regulatory framework:

  • Corporate Service Providers (CSPs): Must perform CDD on clients, maintain records, and file STRs. Regulated under the CSP regulatory framework.
  • Real estate agents: Enhanced CDD requirements for property transactions, particularly for high-value deals and foreign buyers.
  • Precious stones, metals, and products dealers: CDD required for cash transactions of S$20,000 or more.
  • Lawyers: Required to perform CDD when handling client money or certain transactional work. Regulated by the Legal Profession Act and Law Society.
  • Accountants: AML/CFT obligations under ISCA/ACRA requirements when performing specified services.

Tier 3: General Obligations (All Businesses)

Even if your business is not in a regulated sector, you are still subject to:

  • CDSA reporting obligation: You must file an STR if you have reasonable grounds to suspect a transaction is linked to criminal activity
  • Prohibition on handling proceeds of crime: You must not deal with property you know or suspect represents proceeds of criminal conduct
  • TSOFA obligations: You must not provide funds or support to designated terrorist entities

Core AML/CFT Compliance Elements

For businesses with enhanced obligations (Tier 1 and Tier 2), a compliant AML/CFT framework includes:

1. Risk Assessment

Assess your money laundering and terrorism financing risks based on:

  • Customer risk: Who are your customers? Are they politically exposed persons (PEPs)? Do they come from high-risk jurisdictions?
  • Product/service risk: Which of your products or services are most vulnerable to misuse?
  • Geographic risk: Do you deal with countries identified as high-risk by the Financial Action Task Force (FATF)?
  • Channel risk: How do customers access your services (in-person vs. online)?

2. Customer Due Diligence (CDD)

CDD is the process of verifying customer identity and understanding the purpose of the business relationship. Three levels:

Simplified CDD: For lower-risk customers and transactions. Reduced verification requirements.

Standard CDD: The default. Requires:

  • Verifying customer identity using reliable, independent documents (NRIC, passport, ACRA BizFile profile for companies)
  • Identifying the beneficial owner (the natural person who ultimately owns or controls the customer entity)
  • Understanding the purpose and intended nature of the business relationship
  • Ongoing monitoring of the relationship

Enhanced Due Diligence (EDD): Required for higher-risk situations. Includes:

  • More detailed verification of source of funds and source of wealth
  • Senior management approval for establishing the relationship
  • More frequent ongoing monitoring
  • Additional documentation requirements

3. Ongoing Monitoring

AML compliance is not a one-time check at onboarding. You must:

  • Monitor transactions for unusual patterns
  • Screen customers against sanctions lists (MAS sanctions, UN Security Council, OFAC)
  • Update customer information periodically
  • Review risk assessments when circumstances change

4. Record-Keeping

Maintain records of:

  • CDD information and documents: At least 5 years from the end of the business relationship
  • Transaction records: At least 5 years from the date of the transaction
  • STR filings: Retain copies for at least 5 years
  • Internal reports and investigations: At least 5 years

5. Suspicious Transaction Reporting

File an STR with the Suspicious Transaction Reporting Office (STRO) when you have reasonable grounds to suspect that:

  • A transaction involves proceeds of crime
  • A transaction is related to terrorism financing
  • Property represents proceeds of a specified offence

Key rules:

  • File promptly -- as soon as practicable after forming the suspicion
  • File via STRO's online portal (SONAR system)
  • Do NOT tip off the customer that an STR has been filed
  • Filing an STR provides legal protection -- you cannot be held liable for breach of confidentiality when filing in good faith

6. Staff Training

All relevant staff must receive AML/CFT training covering:

  • What money laundering and terrorism financing look like
  • Red flags and indicators of suspicious activity
  • Internal escalation procedures
  • How and when to file STRs
  • Consequences of non-compliance

Training should be conducted at onboarding and refreshed annually.

Red Flags Every SME Should Know

Regardless of your industry, watch for these warning signs:

  • Unusual payment patterns: Cash payments for high-value transactions when electronic payment is the norm
  • Structuring: Multiple transactions just below reporting thresholds
  • Inconsistent information: Customer details that do not match publicly available information
  • Reluctance to provide identification: Customers who resist standard verification procedures
  • Complex corporate structures: Unnecessarily complex ownership arrangements with no clear business rationale
  • Geographic risk: Transactions involving jurisdictions on the FATF high-risk list
  • Unexplained urgency: Pressure to complete transactions quickly without standard procedures
  • Third-party payments: Payments from or to unrelated third parties without explanation

Practical Steps for Non-Regulated SMEs

If your business is not in a regulated sector, you do not need a full AML/CFT framework. But you should:

  1. Train key staff on what money laundering red flags look like
  2. Know how to file an STR -- register for SONAR access before you need it
  3. Document your due diligence on significant customers and transactions
  4. Screen against sanctions lists for international business relationships
  5. Keep records of any suspicious activity assessments, even if you decide not to file an STR
  6. Establish a clear internal escalation path -- who do staff report concerns to?

How ComplyHQ Helps

AML/CFT compliance can be overwhelming, especially for SMEs without dedicated compliance teams. ComplyHQ helps by:

  • Risk assessment tools: Structured frameworks to assess your AML/CFT risk exposure
  • Compliance calendar: Track training deadlines, policy review dates, and regulatory changes
  • Document management: Store CDD records, training logs, and policy documents securely
  • Regulatory updates: Automatic alerts when AML/CFT regulations change
  • Integration with PDPA compliance: Manage AML record-keeping alongside your PDPA obligations in a single platform

Compliance is not about checking boxes. It is about understanding the risks your business faces and taking proportionate steps to address them.


Related guides: Singapore SME Compliance Requirements, Cost of Non-Compliance for Singapore SMEs, and MAS Compliance Guide for Singapore SMEs.

Frequently Asked Questions

Does my SME need to comply with AML regulations in Singapore?

Yes, to some extent. All businesses in Singapore are subject to the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), which criminalises dealing with proceeds of crime. If your business operates in a regulated sector (financial services, real estate, precious stones and metals dealers, corporate service providers, lawyers, accountants), you have additional AML/CFT obligations under sector-specific regulations. Even if you are not in a regulated sector, you must not handle funds you suspect are linked to criminal activity.

What are the penalties for AML non-compliance in Singapore?

Penalties are severe. Under the CDSA, individuals face fines up to S$500,000 and/or imprisonment up to 10 years for money laundering offences. Under the Terrorism (Suppression of Financing) Act, penalties include fines up to S$500,000 and/or imprisonment up to 10 years. Businesses can face unlimited fines, licence revocations, and reputational damage. MAS can also impose composition penalties and public reprimands on regulated financial institutions.

What is KYC and does my business need to do it?

KYC stands for Know Your Customer (or Know Your Client). It is the process of verifying the identity of your customers and understanding the nature of their business activities. Regulated businesses (financial institutions, CSPs, precious stones and metals dealers, real estate agents) are legally required to perform KYC. Non-regulated businesses are not legally required to perform formal KYC, but doing so is strongly recommended as a risk management practice, especially for high-value transactions.

What is a Suspicious Transaction Report (STR) and when must I file one?

A Suspicious Transaction Report (STR) must be filed with the Suspicious Transaction Reporting Office (STRO) when you have reasonable grounds to suspect that a transaction is linked to money laundering, terrorism financing, or other criminal activity. All persons in Singapore -- not just regulated businesses -- are required to file STRs under the CDSA. Filing can be done online through the STRO's e-filing portal. You must not tip off the customer that an STR has been filed.

How is AML compliance different from PDPA compliance?

AML and PDPA are separate regulatory frameworks with different objectives. AML aims to prevent money laundering and terrorism financing; PDPA protects personal data. However, they intersect in practice: AML requires collecting and retaining customer identification data, while PDPA requires that data to be protected and retained only as long as necessary. Your AML records must be securely stored and protected under PDPA, but PDPA cannot be used as a reason to refuse providing data to law enforcement during an AML investigation.

Tags: AML, CFT, anti-money laundering, compliance, CDSA, MAS, SME
