Business Compliance12 min read30 April 2026

AML/CFT Compliance Singapore: What Every SME Needs to Know (2026 Guide)

Complete guide to anti-money laundering (AML) and counter-terrorism financing (CFT) compliance for Singapore SMEs. Key laws, obligations, penalties, and practical steps.

ComplyHQ Team

AML/CFT Compliance Singapore: What Every SME Needs to Know (2026 Guide)

When Singapore authorities seized over S$3 billion in assets in August 2023 — luxury condos, sports cars, gold bars, bank accounts — it was not just a headline. It was a wake-up call for every business owner in the country. Ten foreign nationals arrested. The largest money laundering case in Singapore's history. And the enforcement crackdown that followed reached far beyond the banking sector.

TL;DR: Complete guide to anti-money laundering (AML) and counter-terrorism financing (CFT) compliance for Singapore SMEs. Key laws, obligations, penalties, and practical steps.

If you run an SME and think AML compliance is something only banks worry about, I would encourage you to reconsider. The fallout from that 2023 case hit corporate service providers, real estate agencies, precious goods dealers, luxury retailers, and accounting firms. New regulations landed. Enforcement resources expanded. And regulators started looking much more carefully at businesses that had previously flown under the radar.

In 2026, AML/CFT compliance is not a nice-to-have for Singapore businesses. This guide walks through what the law actually requires, which businesses face the strictest obligations, and the concrete steps every SME should take.

What Are AML and CFT?

Anti-Money Laundering (AML) covers the laws and procedures designed to stop criminals from passing off dirty money as legitimate income. The classic pattern involves three stages: placement (getting cash into the financial system), layering (moving it through complex transactions to obscure the trail), and integration (using the "cleaned" money for legitimate purposes).

Countering the Financing of Terrorism (CFT) targets the use of any funds — legal or illegal in origin — to finance terrorist activities.

Singapore takes both with absolute seriousness. As a global financial hub with a reputation built on rule of law, the government has zero tolerance for either, and the penalties reflect that.

Key AML/CFT Laws in Singapore

Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA)

This is Singapore's primary AML statute. The provisions that matter most:

  • Section 43: Criminalises helping someone retain the benefits of criminal conduct
  • Section 44: Criminalises dealing with property you know or believe represents criminal proceeds
  • Section 46: Criminalises acquiring, possessing, concealing, or transferring benefits of crime
  • Section 47: The mandatory reporting obligation — you must file Suspicious Transaction Reports when you have reasonable grounds to suspect something is off

Penalties: Fines up to S$500,000 and/or imprisonment up to 10 years per offence.

Who it applies to: Everyone. Not just regulated entities. If your business processes a payment that smells wrong, you have a legal duty to file a report. Full stop.

Terrorism (Suppression of Financing) Act (TSOFA)

Makes it a criminal offence to collect or provide funds intended for terrorism. Penalties mirror the CDSA — fines up to S$500,000 and/or up to 10 years in prison.

MAS Notices and Guidelines

For regulated financial institutions, MAS issues binding Notices that prescribe detailed requirements for customer due diligence, ongoing monitoring, record-keeping, and suspicious transaction reporting. Key notices include MAS Notice 626 (Banks), SFA04-N02 (Capital Markets), and PSN02 (Payment Services).

Precious Stones and Precious Metals Act

Since 2019, PSPM dealers handling cash transactions of S$20,000 or more must perform Customer Due Diligence and file STRs. This caught a number of jewellers and watch dealers off-guard when it first came in.

Which Businesses Have Enhanced AML Obligations?

Tier 1: Full AML/CFT Programme Required

These businesses need comprehensive frameworks — CDD, ongoing monitoring, record-keeping, staff training, and STR filing:

  • Banks and financial institutions (MAS-regulated)
  • Payment service providers (licensed under Payment Services Act)
  • Capital markets intermediaries
  • Insurance companies and intermediaries
  • Money changers and remittance agents

Tier 2: Sector-Specific Obligations

These businesses have targeted AML/CFT requirements under their own regulatory frameworks:

  • Corporate Service Providers (CSPs): CDD on clients, record maintenance, STR filing
  • Real estate agents: Enhanced CDD for property transactions, particularly high-value deals and foreign buyers
  • Precious goods dealers: CDD for cash transactions of S$20,000 or more
  • Lawyers: CDD when handling client money or certain transactional work
  • Accountants: AML/CFT obligations when performing specified services

I have worked with several CSPs that were surprised by how detailed their AML obligations were. Some had been operating for years without proper CDD procedures. After the 2023 crackdown, regulators started conducting spot checks, and companies without documentation scrambled to catch up.

Tier 3: General Obligations (All Businesses)

Even if your business sits outside the regulated sectors, you still have obligations:

  • CDSA reporting: File an STR if you have reasonable grounds to suspect a transaction involves criminal proceeds
  • Do not handle suspicious funds: You must not deal with property you know or suspect represents proceeds of crime
  • TSOFA compliance: You must not provide funds or support to designated terrorist entities

Core AML/CFT Compliance Elements

For Tier 1 and Tier 2 businesses, a proper AML/CFT framework includes these building blocks:

1. Risk Assessment

Assess your exposure based on:

  • Customer risk: Who are your clients? Politically exposed persons? From high-risk jurisdictions?
  • Product/service risk: Which offerings are most vulnerable to misuse?
  • Geographic risk: Do you deal with FATF-flagged countries?
  • Channel risk: In-person versus online — each carries different risks

2. Customer Due Diligence (CDD)

CDD is identity verification plus understanding the business relationship. Three tiers:

Simplified CDD: For lower-risk customers. Reduced verification.

Standard CDD: The baseline. Verify identity using independent documents (NRIC, passport, ACRA BizFile profile), identify beneficial owners, understand the business purpose, and monitor the relationship on an ongoing basis.

Enhanced Due Diligence: For higher-risk situations. Deeper verification of source of funds and wealth, senior management sign-off, more frequent monitoring, and additional documentation.

3. Ongoing Monitoring

AML is not a check-the-box exercise at onboarding. You need to:

  • Watch for unusual transaction patterns
  • Screen customers against sanctions lists (MAS, UN Security Council, OFAC)
  • Update customer information periodically
  • Reassess risk profiles when circumstances change

4. Record-Keeping

Maintain records for at least 5 years:

  • CDD information and documents (from end of business relationship)
  • Transaction records (from date of transaction)
  • STR filings
  • Internal reports and investigation files

5. Suspicious Transaction Reporting

File with STRO when you have reasonable grounds to suspect:

  • A transaction involves proceeds of crime
  • A transaction relates to terrorism financing
  • Property represents proceeds of a specified offence

The rules here are straightforward but critical: file promptly, use the SONAR online system, and never tip off the customer that you have filed a report. Filing in good faith gives you legal protection — you cannot be sued for breach of confidentiality.

6. Staff Training

Everyone who touches customer transactions needs training on:

  • Recognising money laundering and terrorism financing indicators
  • Red flags specific to your industry
  • Internal escalation procedures
  • When and how to file STRs
  • What happens if they do not comply

Run training at onboarding and refresh it annually. Keep attendance records.

Red Flags Every SME Should Recognise

Regardless of your industry, watch for:

  • Cash for high-value purchases when electronic payment would be normal
  • Structuring: Multiple transactions deliberately kept just below reporting thresholds
  • Inconsistent story: Customer details that do not match publicly available information
  • Reluctance to verify: Customers who push back on standard identification procedures
  • Overly complex structures: Corporate arrangements with no obvious business rationale
  • High-risk geography: Transactions involving countries flagged by the FATF
  • Unusual urgency: Pressure to skip normal procedures and "just process it"
  • Third-party payments: Funds coming from or going to unrelated parties with no clear explanation

A real estate agent I advise spotted the third-party payment red flag last year — a buyer wanted to pay the deposit from three different overseas accounts, none in the buyer's name. They filed an STR. It turned out to be a legitimate family arrangement, but the agent did the right thing. Filing protects you. Not filing exposes you.

Practical Steps for Non-Regulated SMEs

If your business is not in a regulated sector, you do not need a full AML/CFT programme. But you should:

  1. Train your key staff on what money laundering warning signs look like
  2. Know how to file an STR — register for SONAR access before you actually need it
  3. Document your due diligence on significant customers and large transactions
  4. Screen against sanctions lists for any international business relationships
  5. Keep records of any suspicious activity assessments, even if you decide not to file
  6. Set up a clear escalation path — when something looks wrong, who does your team tell?

How ComplyHQ Helps

AML/CFT compliance can feel like drinking from a fire hose, especially for SMEs without dedicated compliance staff. ComplyHQ helps by providing:

  • Risk assessment frameworks: Structured tools to evaluate your AML/CFT exposure
  • Compliance calendar: Track training deadlines, policy review dates, and regulatory updates
  • Document management: Store CDD records, training logs, and policies securely
  • Regulatory alerts: Automatic notifications when AML/CFT rules change
  • Integrated compliance: Manage AML record-keeping alongside your PDPA obligations in one platform

The goal is not to make AML compliance feel like a burden. It is about understanding your risks and taking proportionate, sensible steps to address them.

Related guides: Singapore SME Compliance Requirements, Cost of Non-Compliance for Singapore SMEs, and MAS Compliance Guide for Singapore SMEs.

Sources

  1. MAS — Anti-Money Laundering
  2. STRO — Suspicious Transaction Reporting Office
  3. MOM — Ministry of Manpower

Looking for more? Check out Adaptels.

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Try Free Assessment

Frequently Asked Questions

Does my SME need to comply with AML regulations in Singapore?
Yes, to some extent. All businesses in Singapore are subject to the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), which criminalises dealing with proceeds of crime. If your business operates in a regulated sector (financial services, real estate, precious dealers, corporate service providers, lawyers, accountants), you have additional AML/CFT obligations under sector-specific regulations. Even if you are not in a regulated sector, you must not handle funds you suspect are linked to criminal activity.
What are the penalties for AML non-compliance in Singapore?
Penalties are severe. Under the CDSA, individuals face fines up to S$500,000 and/or imprisonment up to 10 years for money laundering offences. Under the Terrorism (Suppression of Financing) Act, penalties include fines up to S$500,000 and/or imprisonment up to 10 years. Businesses can face unlimited fines, licence revocations, and reputational damage. MAS can also impose composition penalties and public reprimands on regulated financial institutions.
What is KYC and does my business need to do it?
KYC stands for Know Your Customer (or Know Your Client). It is the process of verifying the identity of your customers and understanding the nature of their business activities. Regulated businesses (financial institutions, CSPs, precious dealers, real estate agents) are legally required to perform KYC. Non-regulated businesses are not legally required to perform formal KYC, but doing so is strongly recommended as a risk management practice, especially for high-value transactions.
What is a Suspicious Transaction Report (STR) and when must I file one?
A Suspicious Transaction Report (STR) must be filed with the Suspicious Transaction Reporting Office (STRO) when you have reasonable grounds to suspect that a transaction is linked to money laundering, terrorism financing, or other criminal activity. All persons in Singapore -- not just regulated businesses -- are required to file STRs under the CDSA. Filing can be done online through the STRO's e-filing portal. You must not tip off the customer that an STR has been filed.
How is AML compliance different from PDPA compliance?
AML and PDPA are separate regulatory frameworks with different objectives. AML aims to prevent money laundering and terrorism financing; PDPA protects personal data. However, they intersect in practice: AML requires collecting and retaining customer identification data, while PDPA requires that data to be protected and retained only as long as necessary. Your AML records must be securely stored and protected under PDPA, but PDPA cannot be used as a reason to refuse providing data to law enforcement during an AML investigation.
Tags:AMLCFTanti-money launderingcomplianceCDSAMASSME

Ready to get PDPA compliant?

Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.

Start Free AssessmentView Pricing
Gap AssessmentPolicy GeneratorAI Compliance Chat

Related Articles

1 May 202612 min read

Business Licence Singapore: Complete Guide to Licences and Permits Every SME Needs (2026)

Comprehensive guide to business licences in Singapore. Which licences your SME needs, how to apply, costs, renewal timelines, and penalties for operating without one.

Read more
2 May 202610 min min read

PDPA Compliance for AI Chatbots in Singapore: What SMEs Need to Know (2026)

Using AI chatbots for your Singapore business? This PDPA compliance guide covers consent, data collection, third-party processing, and what the PDPC expects from businesses using AI and chatbots.

Read more
30 April 202611 min read

Data Retention Policy Singapore: PDPA Compliance Guide for SMEs (2026)

How to create a PDPA-compliant data retention policy for your Singapore business. Retention periods, disposal requirements, and a step-by-step template for SMEs.

Read more