Singapore is one of the world’s busiest and most innovative commercial hubs and a destination for banks and financial services businesses around the world. Given that status, Singapore places a strong focus on financial regulation and plays a significant role in the global fight against money laundering and the financing of terrorism.
Stay on top of your compliance obligations, and protect your firm’s reputation, with our list of the top seven things you should know about AML regulations in Singapore.
The Monetary Authority of Singapore (MAS) is Singapore’s central bank and financial regulator. MAS is responsible not only for regulating and supervising the financial sector but also for promoting Singapore’s economic growth. MAS sets out CFT and AML policy in Singapore, issuing regular guidelines for banks and financial institutions, in addition to acts of law and subsidiary legislation.
Beyond oversight of Singapore’s AML/CFT regulations, MAS is also responsible for managing the city-state’s monetary policy and foreign reserves and, like other central banks, also serves as a financial agent and banker to the government.
The Personal Data Privacy Act (PDPA) is Singapore’s principal data protection regulation and is implemented by the Personal Data Protection Commission (PDPC). Introduced in 2012, the PDPA sets out a number of data protection compliance obligations for organizations operating within the city. These obligations are built around three concepts:
- Consent: Organizations must obtain permission to collect, use, or disclose personal data.
- Purpose: Personal data must be used for the stated purposes of its collection.
- Reasonableness: Organizations may only use personal data in a manner that would be considered appropriate to a reasonable person.
The data protection obligations set out in the PDPA are transparent and flexible, and aligned with international best practice, including APEC’s Cross-Border Privacy Rules (CBPR). Where regulations had previously been restrictive towards localisation, storage and transfer, Singapore’s government has embraced cloud technology as a way to enhance data protection without stifling business innovation and economic growth.
Under MAS managing director, Ravi Menon, Singapore has become a global fintech leader, introducing regulations for a variety of technological innovations including blockchain and cryptocurrency, and other digital financial services. One of the most significant steps towards the integration of fintech into Singapore’s economic profile is the Payment Services Act (PSA), which will come into effect in 2020.
The PSA is intended to be a forward-looking legislative framework which regulates payments systems and payment service providers in Singapore by applying anti-money laundering and counter-financing of terrorism rules to them. Under the PSA, fintech firms will be required to hold an operating licence (or qualify for an exemption).
Singapore’s AML/CFT regulations establish a clear requirement that fintechs have a transaction monitoring program in place. More specifically, fintechs must conduct ongoing monitoring to ensure that transactions are consistent with customers’ risk profiles, and to verify the source of their funds.
Fintechs in Singapore are required to pay special attention to transactions that are complex, unusually large, or which do not fit a customer’s normal pattern of behavior. Similarly, certain suspicious transaction patterns, such as multiple small deposits over a short time period, also merit special attention. The transaction monitoring process should examine specific characteristics, including:
- The nature of the transaction relating to the customer’s risk profile
- Whether transactions were made with the intent to avoid reporting thresholds
- The destination of payments (e.g. to or from high risk countries)
- The parties involved (e.g. inclusion on sanctions lists or watch lists)
The counter-financing of terrorism is an important component of anti-money laundering in Singapore, so fintechs are also required to conduct ongoing payment sanctions screening to ensure their customers are not connected to terrorist activities or organizations.
Like transaction monitoring, payment sanctions screening should be ongoing and take place whenever customers engage in unusual or complex transactions. The screening process itself involves checking transaction details against a list of designated individuals and entities, as defined by Singapore’s First Schedule of the Terrorism (Suppression of Financing) Act. Where fintechs find a positive hit, they are required to freeze the payment without delay – along with the funds and assets of the designated persons or entities (if possible).
Singapore’s AML/CFT regulations require that fintechs perform a variety of Customer Due Diligence (CDD) checks when onboarding customers and monitoring them throughout the business relationship. That process involves verifying customer identities to ensure they are who they say they are, and that they are being truthful about the nature of their business.
Onboarding and monitoring requirements in Singapore must include checks for Politically Exposed Persons (PEP) and Adverse Media, both of which can reveal customers’ potential involvement in money laundering. Screening should be conducted at the beginning of the customer relationship and then continue periodically. Enhanced due diligence measures may be necessary for customers that present higher levels of risk.
Fintech: Singapore’s focus on fintech is steering upcoming regulatory changes. The Payment Services Act (mentioned above) is chief amongst Singapore’s upcoming regulations and will introduce new licensing requirements for fintech firms in January 2020.
Cryptocurrency: Similarly, the Association of Cryptocurrency Enterprises and Start-Ups Singapore (ACCESS) is developing a voluntary Code of Practice in order to expand Singapore’s AML/CFT regulations to crypto-firms. The Code will include the standard screening, monitoring, and CDD measures that are applied to conventional banks and financial services firms, but will be adapted for the effective regulation of cryptocurrency, covering activities like:
- Exchange between different forms of cryptocurrency, or between crypto and fiat currencies
- Cryptocurrency transfers
- Safekeeping and administration of cryptocurrency controls
- Provision of financial services relating to the sale of cryptocurrency
In September 2019, ACCESS ran a consultation on the forthcoming Code of Practice, and released a draft version.