Industry Guides | 13 min read | 26 April 2026

MAS Compliance for Singapore SMEs: What You Need to Know in 2026

Complete guide to MAS compliance requirements for Singapore SMEs. Covers licensing, AML/CFT obligations, Technology Risk Management, consumer protection rules, and PDPA intersection.

ComplyHQ Team

The Monetary Authority of Singapore (MAS) is Singapore's integrated financial regulator and central bank. For most SMEs, MAS is a distant concern — something that affects banks and large financial institutions, not small businesses.

But that perception is increasingly incorrect. As Singapore's digital economy grows and more SMEs enter fintech, payments, and financial services, MAS compliance has become a practical reality for a wider range of businesses. Even traditional SMEs that use payment service providers, handle digital assets, or serve financial institutions as vendors may have MAS-related obligations.

This guide explains what MAS compliance means for Singapore SMEs, which obligations apply to you, and how they intersect with other requirements like the PDPA.

Does MAS Compliance Apply to My Business?

Before diving into specifics, it is important to understand the threshold question: does MAS regulate your business at all?

MAS regulates entities that:

  • Conduct regulated financial activities under Singapore law
  • Hold or apply for a MAS licence
  • Operate as payment service providers under the Payment Services Act
  • Act as Designated Non-Financial Businesses or Professions (DNFBPs) under AML/CFT legislation

If your SME does not fall into any of these categories, MAS does not directly regulate your operations. You still need to comply with other laws (PDPA, Employment Act, ACRA filing) as covered in our Singapore SME compliance requirements guide, but MAS rules do not apply to you.

However, you may face indirect MAS obligations if:

  • Your bank or payment processor requires you to comply with MAS-mandated contract terms
  • You are a technology vendor to a MAS-licensed financial institution
  • You process or store financial data subject to MAS Technology Risk Management requirements
  • Your business model is evolving into payments or financial services

The Payment Services Act: Most Relevant for SMEs

The Payment Services Act (PSA), enacted in 2019 and significantly amended in 2021, is the most common point of MAS contact for Singapore SMEs. It regulates seven types of payment services:

  1. Account issuance services
  2. Domestic money transfer services
  3. Cross-border money transfer services
  4. Merchant acquisition services
  5. E-money issuance services
  6. Digital payment token (DPT) services
  7. Money-changing services

Do You Need a PSA Licence?

If your SME provides any of these services, you likely need a PSA licence. There are three licence types:

Money-Changing Licence: For businesses that only conduct money-changing services.

Standard Payment Institution (SPI) Licence: For businesses with lower transaction volumes (monthly average not exceeding S$3 million for any payment service, or S$6 million for all services combined).

Major Payment Institution (MPI) Licence: For businesses that exceed SPI thresholds.

Licence-exempt entities: Small businesses with limited, ancillary payment activities may qualify for an exemption. For example, a retail store that issues gift cards redeemable only within the store may be exempt from e-money licensing requirements.

Operating without the required PSA licence is a criminal offence under Section 5 of the Payment Services Act, carrying fines up to S$125,000 and imprisonment of up to three years.

Ongoing PSA Compliance Requirements

Once licensed, PSA holders must comply with ongoing requirements:

  • Capital requirements: Maintain minimum base capital (S$100,000 for SPI, S$250,000 for MPI)
  • Safeguarding obligations: Protect customer funds held in float
  • AML/CFT compliance: Implement Know Your Customer (KYC) and transaction monitoring procedures
  • Technology risk management: Follow MAS TRM guidelines
  • Annual reporting: Submit annual returns to MAS
  • Audit requirements: Maintain audited accounts and submit to MAS review

AML/CFT Obligations for SMEs

Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) requirements are a central part of MAS compliance for regulated entities.

Who Must Comply with AML/CFT

MAS AML/CFT requirements apply to:

Regulated Financial Institutions (RFIs): All MAS-licensed entities — banks, insurers, capital markets services licensees, and payment service providers.

Designated Non-Financial Businesses and Professions (DNFBPs): Under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), certain non-financial businesses must comply with AML/CFT obligations:

  • Real estate agents (for transactions above S$20,000 in cash)
  • Lawyers and notaries (for certain transactions)
  • Accountants (for designated transactions)
  • Dealers in precious metals and stones (DPMS) for transactions above S$20,000
  • Pawnbrokers and licensed moneylenders

If your SME operates in any of these sectors, you have specific AML/CFT obligations even if you are not a financial institution.

Core AML/CFT Requirements

For entities subject to AML/CFT rules, the key requirements are:

Customer Due Diligence (CDD): Verify the identity of customers before establishing business relationships or conducting transactions above specified thresholds. For higher-risk customers, Enhanced Due Diligence (EDD) is required.

Record Keeping: Maintain customer identification records and transaction records for a minimum of five years. This intersects with the PDPA's data retention obligations — you must keep records long enough for AML purposes, but not longer than necessary under PDPA.

Suspicious Transaction Reporting (STR): File Suspicious Transaction Reports with the Suspicious Transaction Reporting Office (STRO) when you know, suspect, or have reasonable grounds to believe that a transaction involves proceeds of criminal conduct. Failure to report is a criminal offence.

Ongoing Monitoring: Continuously monitor customer transactions and update customer information when material changes occur.

Internal Controls: Implement policies, procedures, and training programmes to prevent money laundering and terrorist financing.

MAS Technology Risk Management (TRM)

MAS's Technology Risk Management (TRM) Guidelines, last updated in 2021, set out risk management principles and best practices for financial institutions. They apply to all MAS-licensed entities.

What TRM Requires

The TRM guidelines cover:

  • Governance: Board and senior management accountability for technology risk
  • IT security: Access controls, patch management, vulnerability management
  • Cyber resilience: Incident response, business continuity, recovery time objectives
  • Third-party risk: Due diligence on technology vendors and outsourcing arrangements
  • Data management: Data classification, encryption, and access controls

Implications for SME Technology Vendors

If you are an SME that provides software, cloud services, or IT infrastructure to MAS-licensed financial institutions, your customers will contractually require you to meet TRM standards. This typically means:

  • Providing evidence of security certifications (ISO 27001, SOC 2)
  • Submitting to security assessments and audits
  • Implementing specific data handling and encryption requirements
  • Having documented incident response procedures

Failing to meet these vendor requirements can result in contract termination by your financial institution clients.

MAS Compliance and PDPA: Where They Intersect

Singapore's financial regulations and the PDPA both impose obligations relating to personal data, and they intersect in several important ways.

Conflicting Retention Requirements

The PDPA's Retention Limitation Obligation (Section 25) requires you to destroy or anonymise personal data when it is no longer needed for business or legal purposes. AML/CFT rules, however, require you to retain customer identification and transaction records for five years after the business relationship ends.

Resolution: AML/CFT legal requirements override the PDPA's retention limitation for the duration that records are legally required. You should document this in your data retention schedule — "KYC records retained for 5 years post-relationship end, as required by MAS AML/CFT regulations."

For more on PDPA data retention, see our PDPA compliance checklist for SMEs.

Data Protection in AML/CFT Processes

CDD and EDD processes require collecting sensitive personal data — NRIC numbers, financial information, source of funds documentation. These collections must comply with PDPA consent and notification requirements. However, the PDPA provides an exemption for data collected pursuant to legal obligations, so AML/CFT-mandated CDD does not require consent from customers.

See our guide on NRIC collection rules in Singapore for specifics on handling national identification documents.

Data Breach Obligations

MAS-licensed entities face dual breach notification obligations:

  1. PDPA: Notify the PDPC within 3 calendar days if a breach affects 500+ individuals or causes significant harm
  2. MAS: Report major operational and technology incidents (including cyber attacks affecting customer data) to MAS within 1 hour of discovery, with a full incident report within 14 days

The MAS reporting timeline is far more aggressive than PDPA's. Prioritise MAS notification first, then follow through with PDPC notification within the PDPA timeframe.

Financial Services and Markets Act (FSMA) 2022

The Financial Services and Markets Act (FSMA), which came into force in 2022, consolidated several previously separate pieces of MAS legislation and introduced new requirements. Key aspects relevant to SMEs:

Licensing consolidation: The FSMA consolidated licensing for payment service providers, financial advisers, and capital markets entities under a more unified framework.

Market conduct: Stricter rules on fair dealing, disclosure, and handling of client assets.

Digital token services: Expanded the regulatory perimeter to cover more digital asset activities.

If your business was previously unlicensed but is now caught under the expanded FSMA perimeter, you may need to apply for a licence or exemption.

Practical Steps for SMEs

Step 1: Determine If MAS Applies to You

Work through these questions:

  1. Does your business conduct any of the seven payment services under the PSA?
  2. Does your business provide financial advice, deal in securities, or manage funds?
  3. Is your business a DNFBP (real estate, law, accounting, precious metals)?
  4. Do you serve MAS-licensed financial institutions as a technology vendor?

If yes to any of the above, proceed to Step 2. If no, MAS does not directly regulate your business.

Step 2: Identify Your Licence Type

Use the MAS Financial Institutions Directory and the relevant legislation to determine the licence you need. When in doubt, seek legal advice from a lawyer with financial services expertise.

Step 3: Apply for Licensing Before Operating

Do not commence regulated activities before receiving your licence or exemption. MAS takes unlicensed operations seriously — enforcement action has been taken against numerous businesses operating payment services without a PSA licence.

Step 4: Implement Compliance Infrastructure

Once licensed, build your compliance framework:

  • Appoint a compliance officer or designate a compliance function
  • Implement AML/CFT policies and procedures
  • Set up CDD processes and transaction monitoring
  • Adopt the MAS TRM guidelines for your technology systems
  • Integrate MAS obligations with your PDPA compliance programme (a tool like ComplyHQ can help manage the PDPA side systematically)

Step 5: Stay Current with MAS Circulars

MAS issues regular circulars, consultation papers, and guidance notes that update compliance expectations. Subscribe to MAS notifications at mas.gov.sg or follow the MAS news feed to stay informed. Key changes in 2025-2026 include updates to the FSMA licensing framework and revised TRM guidelines.

Common MAS Compliance Mistakes

Assuming exemptions apply without checking: PSA exemptions are narrow and have specific conditions. Assuming your business is exempt without legal verification is risky.

Inadequate KYC for payment services: Collecting only a name and email is not sufficient CDD. You typically need government-issued ID, proof of address, and for higher-risk customers, source of funds documentation.

Missing the dual notification window: Many financial SMEs know about PDPA breach notification but are unaware of MAS's 1-hour incident reporting requirement. Set up internal escalation procedures to ensure both are met.

Conflating PSA and PDPA data retention: AML/CFT records must be kept for five years post-relationship. Standard customer data should be deleted when no longer needed under PDPA. Your data retention schedule must distinguish between these categories.

Ignoring vendor compliance requirements: Technology vendors to financial institutions often underestimate how seriously their FI clients take TRM compliance. A contract breach for non-compliance can lead to significant commercial losses.

Key Resources

  • MAS website: mas.gov.sg — licensing, legislation, circulars, and guidance
  • MAS Financial Institutions Directory: Check if a firm is licensed
  • Business Grants Portal: PSG and other grants for qualifying solutions
  • PDPC website: pdpc.gov.sg — PDPA guidance that complements MAS requirements

For the PDPA side of your compliance obligations, ComplyHQ's free gap assessment can identify where your data protection practices stand and generate tailored action items — without requiring a consultant.

Frequently Asked Questions

Does MAS compliance apply to every Singapore SME?

No. MAS compliance requirements apply primarily to businesses that conduct regulated financial activities — lending, payment processing, insurance, fund management, or dealing in securities. If your SME does not engage in these activities, MAS regulations generally do not apply to you directly. However, if you use a payment service provider or deal with financial institutions, you may be subject to MAS-imposed requirements passed down through your contracts.

What is the most common MAS compliance requirement for SMEs?

For SMEs that handle payments or are involved in fintech, the Payment Services Act (PSA) licensing is the most common requirement. Under the PSA, businesses that provide any type of payment service — including digital payment tokens, account issuance, or money-changing — must be licensed by MAS. Operating a payment service without a licence is a criminal offence.

What is AML/CFT and does it apply to my business?

AML stands for Anti-Money Laundering and CFT stands for Countering the Financing of Terrorism. These obligations apply if your business is a Regulated Financial Institution (RFI) under MAS supervision, or if you are a Designated Non-Financial Business or Profession (DNFBP) — which includes real estate agents, lawyers, accountants, and dealers in precious metals or stones. Non-financial SMEs outside these categories are not directly subject to MAS AML/CFT rules.

What is MAS Technology Risk Management and who does it apply to?

MAS Technology Risk Management (TRM) guidelines set out expectations for managing technology risks in financial institutions. They apply to all MAS-licensed entities — banks, insurers, capital market services licensees, and payment service providers. If you are an SME with a MAS licence, you must comply with TRM guidelines. If you are a technology vendor serving financial institutions, your customers will contractually require you to meet TRM standards.

How do I know which MAS licence my business needs?

Use MAS's Financial Institutions Directory and the FSMA (Financial Services and Markets Act) licensing guide to determine the right licence type. The key question is: what financial activity are you conducting? Accepting deposits requires a Banking Licence. Providing payment services requires a Payment Services Act licence. Dealing in securities requires a Capital Markets Services licence. If you are unsure, consult a licensed financial services lawyer or contact MAS directly via their website.

Tags: MAS compliance, financial regulation, Singapore SME, AML/CFT, fintech
