CPF Employer Obligations in Singapore: Complete SME Compliance Guide
Understand your CPF employer obligations in Singapore — contribution rates, deadlines, penalties, and how SMEs can stay compliant with CPFB and PDPA requirements.
CPF Employer Obligations in Singapore: Complete SME Compliance Guide
A few months ago, I sat down with the owner of a growing events company. Twenty employees, revenue climbing nicely. When I asked about his CPF process, he said his office manager "handles it." I asked him to show me the last three months of submissions. Turns out two months were late, one was calculated on basic salary only (missing commissions and allowances), and the NRIC numbers were sitting in an unencrypted shared Google Sheet accessible to the entire team.
Three compliance problems in one conversation. And this is not unusual.
TL;DR: Understand your CPF employer obligations in Singapore — contribution rates, deadlines, penalties, and how SMEs can stay compliant with CPFB and PDPA requirements.
Every Singapore employer — from a two-person startup in a co-working space to a 200-person company in Jurong — has a non-negotiable legal obligation to make CPF contributions for its employees. Getting CPF wrong carries real consequences: compound interest at 18% per annum, composition fines up to S$5,000, and in severe cases, criminal prosecution with penalties including imprisonment.
And because CPF administration involves NRIC numbers, salary data, and bank account details, it sits firmly within the PDPA's scope. Most compliance guides stop at the CPF Act. This one covers the data protection dimension too.
Who Must Pay CPF: The Legal Framework
The CPF Act requires every employer to contribute for employees who are Singapore citizens or Singapore permanent residents. No exceptions for company size. No probationary exemption. No minimum hours threshold. Contributions are due from day one of employment.
This covers:
- Full-time employees on monthly salaries
- Part-time employees, including those on hourly or daily wages
- Casual and temporary workers under a contract of service
- Company directors who receive remuneration (unless sole proprietors or partners)
- Foreign employees who obtain SPR status — CPF starts from the SPR effective date
The critical distinction is between a contract of service (employment, CPF mandatory) and a contract for services (independent contractor, CPF does not apply). CPFB applies a substance-over-form test: if the relationship looks like employment — with control over how, when, and where work happens — it will be treated as employment regardless of what the contract says.
Misclassifying employees as contractors to dodge CPF is one of the most common and most harshly penalised compliance failures I see among SMEs.
CPF Contribution Rates: 2026
For Singapore citizens aged 55 and below, the total rate is 37% of wages: 17% from the employer, 20% from the employee (deducted from salary). The employer's 17% is your cost — trying to recover it from the employee is an offence.
Graduated Rates by Age
- Above 55 to 60: Employer 15%, Employee 16% (Total 31%)
- Above 60 to 65: Employer 11.5%, Employee 10.5% (Total 22%)
- Above 65 to 70: Employer 9%, Employee 7.5% (Total 16.5%)
- Above 70: Employer 7.5%, Employee 5% (Total 12.5%)
SPR Graduated Rates
New SPRs follow a graduated schedule over two years, starting at 4% total and increasing to full rates by year 3. Getting these wrong — which happens frequently when processed manually — triggers the same interest and penalty regime as late payment.
Wage Ceilings
- Ordinary Wage Ceiling: S$7,400/month (2026, following the phased increase from Budget 2023)
- Additional Wage Ceiling: S$111,800 minus total OW subject to CPF for the year
Payment Deadlines and Process
CPF contributions are due by the 14th of the following month. January salaries must have CPF paid by 14 February. If the 14th falls on a weekend or public holiday, the due date extends to the next business day.
How to Pay
Submit through CPF EZPay: upload a contribution file listing each employee's wages and calculated contributions, then pay via GIRO, PayNow, eNETS, or cheque. GIRO is strongly recommended for automatic recurring payments — it eliminates the most common cause of late payments, which is simply forgetting.
Common Deadline Mistakes
Forgetting bonus months: CPF applies to Additional Wages including bonuses, commissions, and AWS. That 13th-month bonus paid in December needs CPF submitted by 14 January.
Mid-month joiners: Employees who start mid-month still need CPF contributions for that month, calculated on actual wages earned.
GIRO failures: If the deduction bounces due to insufficient funds, the contribution is not considered paid. Interest starts from the original due date, not from when you discover the failure.
Penalties for Getting It Wrong
Interest on Late Contributions
1.5% per month (18% annualised), compounding from day one after the due date. For an SME with 20 employees and a monthly CPF liability of S$25,000, a three-month delay generates roughly S$1,143 in interest — money paid to CPFB, not benefiting employees.
Administrative and Criminal Penalties
- Composition amounts up to S$5,000 per offence
- Court prosecution with fines up to S$10,000 per offence
- Imprisonment of up to seven years for wilful non-payment or false declarations
- CPFB can garnish employer bank accounts to recover unpaid contributions
- Directors can be personally liable
Enforcement Reality
CPFB processes over 200,000 employer files monthly with automated detection. Small size does not make you invisible. In practice, enforcement starts with a demand letter, then a composition offer, then court prosecution. CPFB publishes outcomes regularly — including cases involving SMEs.
CPF and the PDPA: The Data Protection Angle
This is where most guides stop. But CPF administration involves handling some of the most sensitive personal data in your business.
What CPF Data Is Protected
Everything you touch during CPF processing is personal data under the PDPA:
- NRIC numbers
- Salary and wage details
- Employment dates
- Bank account numbers
- Date of birth and age
The PDPC classifies NRIC numbers and financial data among the most sensitive categories, requiring heightened protection.
Your PDPA Obligations
Notification: Tell employees their data will be used for CPF purposes — include this in employment contracts or a data protection notice at onboarding.
Purpose limitation: CPF data may only be used for CPF-related purposes. Using salary data for lending decisions or sharing it with business partners without separate consent is a breach.
Protection: Restrict access to authorised HR personnel only. Do not store NRIC numbers in unencrypted spreadsheets or send them via email. Protect CPF EZPay credentials with strong passwords and MFA where possible. Lock physical payroll records.
Retention limitation: Keep CPF records for a defensible period — typically 7 years for audit coverage — then securely destroy them.
NRIC Guidelines
The PDPC's advisory guidelines restrict NRIC collection to situations where it is required by law (CPF qualifies) or necessary for high-fidelity identity verification. You cannot use NRIC numbers as general-purpose identifiers in systems where less sensitive IDs would work.
Practical Compliance Steps
1. Audit Your Current Process
Map your CPF workflow: Who calculates? What system or spreadsheet? Who submits and pays? Where are NRIC numbers and salary data stored? Who has access?
If the answers involve manual processes, shared spreadsheets, and broad access, you have both operational risk and PDPA exposure.
2. Automate
Manual CPF calculation is error-prone. Payroll software designed for Singapore SMEs handles contribution calculations automatically based on employee age, citizenship, and current rates, generates CPF-compliant files, and integrates with EZPay. The cost — typically S$5-15 per employee per month — is negligible compared to penalties from manual errors.
3. Lock Down Data
Restrict HR system access to those who genuinely need it. Encrypt files containing NRIC and salary data. Implement secure disposal when records pass retention. Document your data protection practices — the PDPC expects written policies, not informal habits.
4. Build a Compliance Calendar
- Monthly: CPF submission and payment by the 14th
- Annually: Review contribution rates (they change, and employee age transitions trigger rate shifts)
- On hire: Verify citizenship, collect NRIC, set up CPF
- On SPR conversion: Switch to graduated SPR rates from the effective date
- On termination: Final contribution and record archival
5. Use Compliance Software
Managing CPF alongside PDPA, Employment Act, GST, and ACRA obligations is a genuine burden for SMEs with limited admin resources. Platforms like ComplyHQ provide a single dashboard tracking all your obligations, sending deadline reminders, and ensuring nothing falls through.
Common Mistakes
No CPF during probation: There is no probation exemption. Contributions are due from day one. Period.
Wrong rates after birthday: When an employee crosses 55, 60, 65, or 70, the rate changes from the month following their birthday. Payroll systems that do not track birthdays frequently apply the wrong rate for months.
Excluding allowances: CPF applies to total wages — basic salary, overtime, commissions, allowances (with limited exceptions), and bonuses. Calculating on basic salary alone means underpayment.
Missed SPR conversions: When a foreign employee becomes an SPR, CPF obligations start immediately with graduated rates. Missing the notification or failing to update payroll creates underpayment exposure.
Insecure data handling: Emailing unencrypted NRIC-salary spreadsheets, using shared drives with company-wide access, or keeping CPF EZPay credentials in a shared document — these are not just poor IT practice, they are PDPA breaches. The PDPC has enforced against exactly these patterns.
Key Takeaways
CPF compliance is not something you can delegate without oversight. As the employer, you are personally responsible for correct calculations, timely payment, and data protection that meets PDPA standards.
- Know your rates: Verify for each employee based on age and citizenship
- Pay on time: By the 14th, every month, no exceptions
- Protect the data: NRIC numbers and salary figures are sensitive personal data — treat them accordingly
- Document everything: Written policies, retention schedules, and access controls are your evidence of compliance
- Automate: A payroll system costs far less than a single late-payment penalty
Build compliant systems now rather than reacting to enforcement notices later. It is the only approach that makes financial and operational sense.
ComplyHQ helps Singapore SMEs manage PDPA compliance and regulatory obligations through an AI-powered platform that turns weeks of manual compliance work into minutes. Get started at complyhq.app.
Sources
Looking for more? Check out Adaptels.
Simplify Your Compliance
ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.
Try Free AssessmentFrequently Asked Questions
What happens if my SME pays CPF contributions late?
Do I need to pay CPF for part-time or contract workers?
How does PDPA apply to CPF-related employee data?
Ready to get PDPA compliant?
Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.