When the Monetary Authority of Singapore (MAS) issues fines of up to S$960,000 for insufficient AML compliance, it is no longer a local incident but a signal to the whole industry: old approaches to anti-money laundering for fintech no longer work. Singapore is building a global Fintech Singapore hub, and at the same time is increasing pressure on high-risk segments, payment processors, digital payment token services, cross-border digital payments.
A fintech company that copies an «average» AML/CFT framework based on FATF recommendations and only slightly adapts it to local MAS regulations is laying a time bomb today: from MAS monetary penalties to real license revocation risks for Major Payment Institutions.
In this article I will analyze exactly how fintech AML requirements in Singapore differ from the «FATF average», and show how to build an operational, tech-driven, and cost-effective AML system. If you are planning or already running a business in Singapore, I recommend reading the material in full: you will gain a strategic understanding of MAS’s logic and a step-by-step checklist that my team at COREDO regularly uses in licensing and real-time AML implementation projects.
Who is responsible for what: MAS, PSA, CDSA, PDPA
Role of MAS: PSA, Notices, enforcement
At the core of Singapore’s AML/CFT frameworks stands the Monetary Authority of Singapore (MAS) – the regulator that combines the functions of a central bank and financial sector supervisor. MAS sets the rules of the game through:
- Payment Services Act (PSA), the primary law for payment services, Major Payment Institutions (MPI), digital payment token services, e-money issuance services, merchant acquisition services.
- Sectoral rules: MAS Notice PSN01 (AML/CFT for payment services) and MAS AML Notice 626 (for banks), which set detailed requirements for KYC, Customer Due Diligence, transaction monitoring for fintech and Suspicious Transaction Reporting.
- Strict regulatory enforcement actions: public rulings, fines and, where necessary, suspension or revocation of licenses.
Connection with the CDSA, the PDPA and the Cybersecurity Act 2018
AML compliance in Singapore is always tied to related regulations:
- Corruption, Drug Trafficking and Other Serious Crimes Act (CDSA): defines predicate offences and the obligations for STR reporting to the Commercial Affairs Department, strengthening the anti-money laundering framework.
- Personal Data Protection Act (PDPA) – sets the framework for handling customer data, including PDPA-compliant CDD data, storage, access and cross-border transfer.
- Cybersecurity Act 2018 is critical for fintech platforms that fall into the category of critical information infrastructure or operate high-risk scenarios, including cyber-enabled scams.
AML for fintech in Singapore vs global standards
Когда речь заходит о ключевых отличиях AML для финтех в Сингапуре (в сравнении с глобальными стандартами), именно платёжные решения оказываются в центре внимания регулятора. В отличие от многих юрисдикций, в Сингапуре MAS выстраивает отдельный, более детализированный режим контроля для payment processors и Major Payment Institutions (MPI), что напрямую влияет на архитектуру бизнес‑моделей и процессов комплаенса.
Payment processors and Major Payment Institutions (MPI)
- Payment processors compliance;
- Major Payment Institutions that handle large volumes;
- Segments of cross-border digital payments, merchant acquisition services, e-money issuance services.
Requirements for real-time transaction monitoring
Ключевой отличительный элемент: ожидание Real-time AML. Для transaction monitoring fintech MAS Notice PSN01 прямо и косвенно задаёт планку:
- Focus on ongoing behavioral monitoring, not just static scoring at onboarding.
- Expectation of near real-time alerting for anomalous patterns, especially in the context of anti-scam measures 12-hour cooling and countering fast fraud schemes.
- Readiness to promptly generate a Suspicious Transaction Report and send it to the Commercial Affairs Department.
Ownership control and screening of beneficial owners
Второй сильный акцент MAS – прозрачность владения:
- Strict Customer Due Diligence with a focus on beneficial owners screening.
- Expanded Enhanced Due Diligence (EDD) for complex structures and EDD for high-risk jurisdictions.
- Oversight of complex ownership structures with checks on nominee arrangements, trusts and SPVs.
Proliferation financing: new risks in 2025
Текущие версии MAS AML Notice 626 и связанные апдейты для payment services более явно включают:
- Proliferation financing risk as a separate mandatory element of the Business Risk Assessment for ML/TF;
- Linkage with sanctions lists and the international FATF approach to proliferation financing and sanctions compliance;
- A focus on digital assets and new vectors of abuse, including single‑currency stablecoin regulations.
MAS requirements for fintech AML programs
MAS’s practical requirements for fintech AML programs (what is mandatory and why) start with a basic question: how deeply the company understands its own risk profile and can manage it at the group level. That’s why enterprise-wide risk assessments and a structured risk management become not a mere tick-box for a MAS report but the core of the AML program, on which all other required elements depend.
Enterprise-wide risk assessments and risk management
MAS requires enterprise-wide risk assessments not as a formal document but as a living risk management system:
- Assessment of ML/TF and proliferation financing by products, channels, geographies, and customer types.
- Built-in senior management oversight: the board or senior management should not just “sign off” but participate in approving the risk appetite and in overseeing remediation plans.
- Readiness for regulatory enforcement actions if the assessment does not reflect the business’s actual risks.
KYC, CDD, Enhanced Due Diligence: the regulator’s minimum
For Know Your Customer (KYC) and Customer Due Diligence, MAS AML guidelines set a threshold, but businesses often benefit from going further:
- Obvious elements: customer identification, identity verification, and source-of-funds checks.
- Enhanced Due Diligence for high-risk customers: additional documentation on the origin of funds, enhanced monitoring of high-risk customers, and deeper analysis of PEPs and their connections.
- Scoring models that take into account the industry, country of registration, and type of services used.
Transaction monitoring, STR and CAD
Transaction monitoring in fintech, under MAS logic, is not only about detecting suspicious transactions, but also:
- Systematic ongoing behavioral monitoring: pattern analysis, detecting unusual behavior relative to the customer’s profile.
- A clear process for preparing Suspicious Transaction Reports, documenting the rationale, and STR reporting to the Commercial Affairs Department via GoAML or similar channels.
- Flexible configurations: the ability to quickly add new scenarios if MAS or correspondent banks point to emerging risks.
Personnel management and internal control
One of MAS’s first focal points: the appointment of a compliance officer and the three lines of defense structure:
- A dedicated AML/CTF officer with real authority and direct access to senior management oversight.
- Regular AML staff training for all front- and back-office employees according to their roles.
- Formalized regular account reviews, procedures to remediate internal AML procedure weaknesses, and internal audit.
Integration of the PDPA and Cybersecurity Act into AML
The technological part of the AML process must take into account:
- The PDPA and personal data handling rules, especially when building PDPA-compliant CDD data repositories and analytical dashboards.
- The Cybersecurity Act 2018 and related technology risk management practices, including vulnerability management, access control, and protection against cyber-enabled scams.
- The use of AI-driven AML with algorithmic transparency and bias management: a topic that is embedded into general AI governance standards for fintech.
Real-time AML in fintech: architecture and integrations
Solution components: ingestion, enrichment, scoring, alerting, case-management
A working real-time AML architecture for fintech in Singapore typically consists of the following layers:
- Data ingestion
Collection of data in near real-time from payment gateways, the core platform, KYC providers, and blockchain analytics (for DPT). MAS pays attention to completeness and latency: delays in data arrival directly increase risk. - Data enrichment
Enrichment of transactions with context:- customer profile (KYC/EDD);
- geography, IP, device;
- sanctions and watchlists;
- historical behavior.
In COREDO projects we see that without enrichment scoring becomes either too coarse or too noisy.
- Risk scoring and typologies
A combination of rule-based logic and ML models:- scenarios of smurfing, velocity, layering;
- anti-scam typologies relevant to Singapore;
- separate rules for proliferation financing and sanctions evasion.
Important: MAS expects explainability. Any model must be able to answer the question “why did the alert trigger”.
- Alerting and SLA
Near real-time alerts prioritized by risk. For high-risk scenarios — immediate escalation.
In some cases MAS effectively checks how much time elapses from the transaction to the response. - Case-management and audit trail
Full lifecycle of the case: decision, rationale, documents, history of changes.
This is critical for STRs and subsequent supervisory reviews. The absence of an audit trail is a direct red flag.
Common mistakes by fintechs when implementing AML in Singapore
In practice COREDO regularly encounters recurring mistakes:
- Copying European AML policies without adapting them to the PSA and MAS Notices.
- A formal risk assessment that does not reflect the actual product and channels.
- Batch monitoring where MAS expects near real-time.
- Underestimating ownership and control in international structures.
- No linkage between AML ↔ PDPA ↔ Cybersecurity, which leads to conflicts between functions.
- A compliance officer without authority, resources, and access to senior management.
Almost always these mistakes don’t cause problems “immediately”, but become the reason for fines, conditions, or licence suspension at the first thorough review.
Practical checklist: Is your fintech ready for MAS AML scrutiny?
COREDO’s working minimum before licensing or scale-up:
- Governance
- Enterprise-wide ML/TF + proliferation risk assessment
- Approved risk appetite at the board level
- A real AML/CTF Officer with access to the C-level
- KYC / EDD
- Differentiated CDD / EDD workflows
- Full beneficial ownership mapping
- Source-of-funds, not a formal source-of-wealth
- Transaction monitoring
- Near real-time monitoring
- Anti-scam and cross-border typologies
- Ability to explain every non-STR case
- STR & reporting
- Formalized STR process
- Case-management + audit trail
- SLA for escalation
- Technology & data
- PDPA-compliant data handling
- Cybersecurity controls
- Explainable AML models
Conclusion: AML in Singapore is not compliance, it’s infrastructure
Key takeaway:
If you operate or plan to operate in Singapore, the question is no longer whether you need to strengthen AML. The question is when and how costly it will be if you fail to do it in time.