As Singapore’s primary financial services regulator, the Monetary Authority of Singapore (MAS) wants to see the country’s financial technology (FinTech) sector grow safely and securely. To make this happen, firms have to take on the responsibility of implementing resilient anti-money laundering and combatting the financing of terrorism (AML/CFT) frameworks that can make for safe and sustainable businesses.
To help firms address key issues around AML/CFT, the Guide to AML/CFT for Singaporean Fintechs provides firms with a range of useful guideposts and pointers on approaching common risks.
Financial Crime Risks for FinTechs in Singapore
The primary official document on money laundering (ML) and terrorist financing (TF) risks in Singapore is the National Money Laundering and Terrorist Financing Risk Assessment Report, commonly known as the National Risk Assessment (NRA). Although the NRA claims Singapore does not have a high rate of homegrown financial crime, criminal activities in neighboring jurisdictions and the country’s status as a major transport, logistical, and financial hub harm the country’s economy.
Among the major financial crime risks highlighted by Singapore’s NRA include:
- Misuse of shell companies: Opaque shell company structures expose FinTechs to the risk of unwitting involvement in money laundering schemes. Criminals exploit complex ownership structures to conceal the true origin of funds, utilizing FinTech platforms for illicit financial activities.
- Cryptocurrency-related risks: The increased use of cryptocurrencies introduces a risk of FinTech platforms being utilized for money laundering in Singapore. Cryptocurrencies' pseudonymous transactions challenge traditional AML measures, complicating the tracing and verification of funds in crypto transactions.
- Fraud and scams in online transactions: Vulnerabilities in online transactions expose Singaporean FinTechs to various fraudulent activities. The rapid nature of online transactions in FinTech platforms has become a target for cybercriminals engaged in payment fraud, identity theft, and other financial scams.
- Use of money mules: The use of individuals as money mules risks Singaporean FinTech platforms being unwittingly used for the movement of illicit funds. Criminals leverage these people to transfer funds, exploiting FinTech infrastructure to disguise the true nature of transactions.
- Exploitation of social networking for fraud: Phishing and fraudulent activities on social networking platforms pose a risk to individuals and businesses connected to Singaporean FinTech platforms. Social engineering tactics on these platforms can trick users into revealing sensitive information, leading to unauthorized access and other fraudulent activities.
But what do these kinds of risks mean for FinTechs in Singapore? Firstly, firms involved in all forms of cross-border financial activity need to ensure they appropriately calibrate their customer due diligence (CDD) and ongoing monitoring procedures. Secondly, they should keep in mind the increasing importance of the use of the internet by criminals to both generate and move illicit funds. It is incumbent on digitally native firms to ensure they look seriously at the protections they have in place to prevent criminal abuse. Payment service providers (PSPs), in particular, need to ensure they have adequate warnings implemented to inform clients about potential scams and real-time monitoring to deter and, if possible, prevent illicit payments.
AML Regulations in Singapore
In parallel, FinTechs need to pay close attention to the developing attitude of MAS and other official bodies on how obligated firms implement their AML/CFT obligations.
Singapore’s AML/CFT regime closely follows the recommendations set out by the Financial Action Task Force (FATF). The Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act of 1992 (CDSA) and the Terrorism (Suppression of Financing) Act of 2022 (TSOFA) are two significant pieces of legislation that form the basis for the criminalization of financial crime offenses in Singapore.
- The CDSA criminalizes any form of dealing in assets that represent the proceeds of crime called ‘Criminal Benefits’ either directly or indirectly or for one's own benefit or the benefit of others.
- The TSOFA criminalizes the collection or provision of funds or other assets that support terrorist attacks or wider terrorist purposes. Those convicted of core money laundering offenses face individual fines of up to $500,000 and prison sentences of up to ten years.
Singapore also has a well-developed institutional structure for implementing AML/CFT policy. The AML/CFT Steering Committee, which includes senior representation from the Ministry of Home Affairs, Ministry of Finance, and key agencies, provides national strategic direction on AML/CFT. They ensure consistency and deconfliction of policy priorities, balancing economic growth with effective management of financial crime risks. On a day-to-day level, the implementation of overall policy primarily falls on MAS and the Suspicious Transaction Reporting Office (STRO).
Other agencies with AML/CFT responsibilities include the Council for Estate Agents (CEA), the Accounting and Corporate Regulatory Authority (ACRA), and the Gambling Regulatory Authority (GRA). These agencies regulate non-financial sectors covered by FATF recommendations, often described as designated non-financial businesses and professions (DNFBPs).
AML Compliance Requirements for Singaporean FinTechs
Under relevant legislation and MAS guidance, AML/CFT-obligated firms are required to meet a set of core compliance responsibilities. There are numerous specific MAS notices and guidance for each sector, including banks, merchant banks, finance companies, etc. However, there are large similarities in the AML/CFT requirements, broadly following the pattern in the overview below.
- Licensing and Authorization
FinTechs must have the relevant license from MAS to provide regulated financial services and products. - Underlying Principles and a Risk-Based Approach
Firms must ensure their AML/CFT procedures are managed in accordance with ethical principles and professional standards. They must also ensure they are founded upon robust and up-to-date assessments of customer and enterprise-wide risks, as well as appropriate risk-mitigating policies, procedures, and controls. Financial institutions (FIs) must ensure that they take particular measures to assess and mitigate risks around new technologies and other developments. - Customer Due Diligence (CDD)
FIs must undertake a range of CDD measures, including:- Identifying and verifying customer identities (ID&V).
- Collecting risk-calibrated customer information through standard, simplified, or enhanced CDD measures.
- Identifying and verifying beneficial ownership (BO) details.
- Screening for political exposure and potential sanctions designations.
- Ongoing monitoring of client behaviors.
- Regular refreshes of due diligence material.
- External Relationships
FinTechs must ensure arrangements for outsourced services, reliance on third parties to execute AML/CFT, and correspondent banking relationships are properly documented and subject to risk-based due diligence. - Wires and Value Transfer Information
Depending on transaction values and other criteria, firms must ensure different elements of originator and beneficiary information are included in both domestic and international wire and value transfers (including digital token transfers). - Record Keeping
To help the work of MAS and law enforcement, FIs are expected to maintain records on AML/CFT activities for a minimum period of five years, providing them to official bodies on request. They are also required to follow the personal data requirements of the Personal Data Protection Act (PDPA) 2012 - Reporting
As part of CDD requirements related to ongoing monitoring, FIs will occasionally identify unusual customer behaviors or concerning activities. When this occurs, FIs are required to investigate and assess such occurrences, reporting any that they find suspicious or potentially indicative of ML/TF to the STRO in a suspicious transaction report (STR). - Governance and Compliance
Finally, FinTechs are required to ensure they have appropriate AML/CFT governance in place, including:- A clear structure of risk management, known as the ‘Three Lines of Defense.’
- The appointment of a senior AML/CFT compliance officer and board-level and senior management oversight.
- Appropriate recruitment, training, and oversight of staff, especially those in high-risk positions.
Compliance Challenges for FinTechs in Singapore
While MAS clearly defines the AML/CFT obligations of FinTechs, implementing these requirements can present certain practical challenges and choices. These challenges can be categorized into three areas – ‘paper’ (documented policies, procedures, and controls), ‘people’ (individuals responsible for managing the AML/CFT framework), and ‘platforms’ (tools and technologies used).
- Paper: When starting a new business, it’s important to have clear and accessible documentation that covers key obligations, including policies, processes/procedures, and controls. This documentation is required by law in Singapore and provides visible evidence to auditors, MAS, and law enforcement that the firm understands its responsibilities. Without it, external parties have no way to assess the firm’s conduct or understand how it responds to changes in the risk environment.
- People: Initially, the AML/CFT Compliance Officer is the sole point person on compliance, but as the firm grows, an AML/CFT compliance team develops. While creating multiple teams can lead to issues, FinTechs should try to retain the benefits of closely coordinated compliance operations.
- Platforms: Simply having compliance tools in place is often treated as ‘good enough,’ especially when that tool has a reputation for being widely used across legacy financial services. There can be an assumption that such platforms have a talismanic quality that will ward off regulatory concerns, but in reality, it is not enough. These platforms need to be appropriate to the firm’s needs and carefully chosen based on pivotal questions. Two approaches exist for incorporating advanced technology: starting with legacy models and upgrading over time or adopting the latest available technology. The former can encumber firms with an inflexible system with a high false positive rate, while the latter can deliver improved performance and efficiency. Singapore, in particular, has a welcoming environment for FinTechs and encourages the use of new technologies, such as cloud computing, APIs, and AI/machine learning, to improve screening and monitoring and drive down false positives.
Penalties for Non-Compliance with AML Regulations in Singapore
During the early stages of a FinTech, there can be a temptation to look at AML/CFT compliance and risk management as secondary issues behind growth and customer experience. In fact, some firms see compliance and risk management as an impediment to the firm’s success, creating additional costs and slowing delivery times. However, this is a short-sighted approach, as any FI that has received an enforcement fine for an AML/CFT breach can state.
In addition to fines, penalties for noncompliance with AML regulations in Singapore can include imprisonment. The specific penalties may vary based on the severity of the violation and are outlined in legislation, such as the CDSA and the (TSOFA). Some penalties for noncompliance include:
- Failing to file an STR: A fine of up to $500,000.
- Failing to produce documents to an authorized officer: A fine of up to $10,000 and/or imprisonment for up to 2 years.
- Failing to document and retain a copy of every transaction for at least five years: A fine of up to $10,000.
- Tipping off: A fine of up to $250,000 and/or to imprisonment for up to 3 years.
Tips for FinTechs to Achieve AML Compliance in Singapore
Because of the many aspects of AML/CFT regulation and the complexity and variety of modern financial services, each firm will need to work out its own plan for how to tackle AML/CFT. However, there are five important principles of approach to keep in mind as they do so:
- Start early: Some firms believe that AML/CFT is something to address once the firm has been established and growth is being achieved. This is false and likely to create problems down the line. It should be fully integrated into a firm’s approach to managing costs and client experience.
- Focus on the goal: An AML/CFT program and other obligatory functions are there to help tackle financial crime, first and foremost. Fintechs should keep that in mind when making decisions, tempering a desire to think about costs and profits with the firm’s wider responsibilities.
- Take a holistic view: Some firms believe they can fulfill AML/CFT obligations without worrying too much about the risk-based approach. This is not correct. A tick-box program will have no effect, as it will probably be focused on the wrong targets, with the wrong tools applied in the wrong way.
- Balance sustainability and flexibility: Firms should ensure they build AML/CFT frameworks that are not set-in-stone and have the resilience and scope to ‘flex’ in the face of changing circumstances, especially if you are looking to grow quickly or face an uncertain risk landscape. That will almost certainly require the intelligent use of technology.
- Find the right partners: AML/CFT is a complex area, and at different stages of implementation, firms will invariably need to look to outside partners to deliver. Firms need to look for partners who are keen to deliver solutions that meet real risks and have the capability and capacity to respond with agility.
Advanced AML Compliance Solutions for FinTechs
AML and anti-fraud solutions are critical for FinTechs to maintain compliance and effectively manage risk. The following list highlights the key features and capabilities to consider when evaluating potential vendors:
- Machine learning integration: When looking for advanced AML solutions, FinTechs should prioritize those that incorporate machine learning algorithms that enable real-time analyses of extensive datasets, facilitating the swift detection of suspicious activities.
- Automated risk assessment: By leveraging automation, robust AML compliance solutions can assess risk factors efficiently, streamlining processes and ensuring thorough evaluations of customer transactions.
- Enhanced transaction monitoring: With sophisticated algorithms, advanced AML solutions can enable FinTechs to monitor transactions more effectively, identifying patterns indicative of money laundering activities.
- User behavior analysis: Behavioral analytics are employed to understand and detect anomalies in user behavior, providing an additional layer of security against fraudulent or suspicious activities.
- Audit trail capabilities: Advanced AML compliance solutions maintain comprehensive audit trails, allowing FinTechs to trace and verify the integrity of their process, which is crucial for regulatory reporting and audits.
The key theme throughout the Guide to AML/CFT for Singaporean Fintechs is that there is no single ‘right answer’ to compliance. Fintechs need to understand their obligations, but they have to shape their response around the risks they face, which will vary from firm to firm. For MAS, as much as for any regulator, the vital point is that FIs can demonstrate they have sought to apply the rules in ways that really help fight the criminals and protect customers rather than simply seeking to do enough to ward off enforcement action.