Introduction: A Booming Industry at Risk

The global remittance landscape has seen unprecedented expansion, catalysed by financial innovation, mobile-first economies, and growing migration patterns. According to Statista, remittance transactions are forecast to reach USD 1.42 trillion by 2030, serving more than 331 million users worldwide.

Yet, this growth brings significant risks. As remittance networks become broader and faster, they also present opportunities for criminal abuse, including money laundering, terrorist financing, and fraud.

What Makes Remittance Services High-Risk?

1. Anonymity and Accessibility

Remittance platforms provide quick and convenient financial access. While this benefits legitimate customers, it also attracts criminals who exploit false identities or proxies.

2. High Transaction Volumes and Frequency

The sheer number of small-value, daily transfers creates an environment where ‘structuring’ or ‘smurfing’ can easily go undetected.

3. Cross-border Complexity

Different AML standards across jurisdictions leave gaps that criminal networks can exploit.

4. Agent-Based Models

Where remittance services rely on agents, manual onboarding, limited automation, and weak oversight heighten compliance risks.

The Three Pillars of Money Laundering in Remittance

1. Placement

Illicit funds enter the system through:

  • Over the counter (OTC) cash deposits.
  • Prepaid cards or mobile wallets.
  • Third-party transactions.

Examples:

  • A mule deposits multiple cash amounts at different remittance outlets.
  • An individual uses a front company to send large sums with fabricated invoices.

2. Layering

Funds are moved to disguise their origins through:

  • Multiple transfers between accounts or platforms.
  • Use of shell companies or cryptocurrency.
  • Use of intermediaries across jurisdictions.

Examples:

  • Sending money to multiple beneficiaries across high-risk jurisdictions.
  • Purchasing and transferring NFTs or tokens to convert and mask assets.

3. Integration

Funds re-enter the legitimate economy through:

  • Real estate purchases.
  • Luxury goods and vehicles.
  • Business investments.

Examples:

  • Purchasing property through a straw buyer.
  • Investing in cash-intensive businesses like car washes or restaurants.

Key AML Compliance Measures for Remittance Providers

1. Customer Due Diligence (CDD)

Verify the identity of customers using government-issued identification documents together with biometrics or facial recognition; screen against sanctions and PEP databases; assess transaction purpose and source of funds. Enhanced due diligence (EDD) applies to politically exposed persons (PEPs), non-governmental organisations (NGOs), complex structures, high-risk jurisdictions, and unusual transactions.

2. Ongoing Transaction Monitoring

Use real-time, rule-based systems to detect suspicious patterns, such as transfers just below thresholds or sudden behavioural changes. Patterns to monitor include:

  • High frequency of transfers just below thresholds
  • Transfers with round amounts (e.g., ($currency) 10,000)
  • Sudden change in behaviour without a clear rationale
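The three monitoring patterns listed above, written as rules over a transaction list; this is an added example and not code from the original article. The threshold, the 10% band, the seven-day window and the spike factor are assumed values, and the transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed parameters for illustration; a real programme derives them from its risk assessment.
THRESHOLD = 10_000            # hypothetical reporting threshold, in currency units
NEAR_BAND = 0.10              # "just below" = within 10% under the threshold
WINDOW = timedelta(days=7)    # look-back window for repeated near-threshold transfers
MIN_NEAR_HITS = 3             # near-threshold transfers in the window that raise an alert
ROUND_STEP = 1_000            # exact multiples of this amount count as round
SPIKE_FACTOR = 5              # multiple of the sender's own average that counts as a spike
MIN_HISTORY = 5               # prior transfers needed before the average is meaningful


def near_threshold(amount):
    return THRESHOLD * (1 - NEAR_BAND) <= amount < THRESHOLD


def monitor(transactions):
    """Return alerts as (sender, rule, detail) tuples for a list of transaction dicts."""
    by_sender = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        by_sender[tx["sender"]].append(tx)

    alerts = []
    for sender, txs in by_sender.items():
        # Rule 1: several transfers just below the threshold inside one window.
        # Counting per sender means spreading them over outlets does not hide them.
        near = [t for t in txs if near_threshold(t["amount"])]
        for i, first in enumerate(near):
            hits = [t for t in near[i:] if t["ts"] - first["ts"] <= WINDOW]
            if len(hits) >= MIN_NEAR_HITS:
                total = sum(t["amount"] for t in hits)
                outlets = len({t["outlet"] for t in hits})
                alerts.append((sender, "STRUCTURING",
                               f"{len(hits)} transfers totalling {total} at {outlets} outlets"))
                break  # one alert per sender is enough for the analyst queue

        for i, tx in enumerate(txs):
            # Rule 2: round amounts.
            if tx["amount"] >= ROUND_STEP and tx["amount"] % ROUND_STEP == 0:
                alerts.append((sender, "ROUND_AMOUNT",
                               f"{tx['amount']} on {tx['ts']:%Y-%m-%d}"))
            # Rule 3: sudden change measured against the sender's own history.
            history = [p["amount"] for p in txs[:i]]
            if len(history) >= MIN_HISTORY and tx["amount"] > SPIKE_FACTOR * mean(history):
                alerts.append((sender, "BEHAVIOUR_CHANGE",
                               f"{tx['amount']} vs. average {mean(history):.0f}"))
    return alerts


def make_tx(sender, outlet, amount, day):
    # Builds one constructed sample row; day is an offset from 1 January 2025.
    return {"sender": sender, "outlet": outlet, "amount": amount,
            "ts": datetime(2025, 1, 1) + timedelta(days=day)}


# Constructed sample data, not real transactions.
SAMPLE = [
    make_tx("CUST-A", "outlet-1", 9_500, 0), make_tx("CUST-A", "outlet-2", 9_800, 2),
    make_tx("CUST-A", "outlet-3", 9_200, 4),
    make_tx("CUST-B", "outlet-1", 200, 0), make_tx("CUST-B", "outlet-1", 250, 30),
    make_tx("CUST-B", "outlet-1", 180, 60), make_tx("CUST-B", "outlet-1", 220, 90),
    make_tx("CUST-B", "outlet-1", 210, 120), make_tx("CUST-B", "outlet-1", 10_000, 125),
    make_tx("CUST-C", "outlet-2", 300, 10), make_tx("CUST-C", "outlet-2", 450, 40),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert)
```

Rule-based alerts like these feed an analyst queue; they indicate that a pattern needs review and do not by themselves establish suspicious activity.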

3. Sanctions & Watchlist Screening

Automated screening against sanctions lists by the United Nations (UN), the Office of Foreign Assets Control (OFAC), and other national lists, including adverse media checks.

4. AML Awareness & Training

Regular programs should train staff to:

  • Spot red flags
  • Understand transaction patterns
  • Escalate and report suspicious activity
  • Comply with STR filing protocols

5. Recordkeeping & Regulatory Reporting

Retain Customer Due Diligence (CDD) records for 5 to 7 years, document risk assessments and suspicious transaction reports (STRs), and comply with the requirements of the relevant financial intelligence unit (FIU) (e.g., the Suspicious Transaction Reporting Office (STRO) in Singapore, or the Financial Intelligence Unit (FIU) in Malaysia).

Red Flags Specific to Remittance Transactions

Global AML Frameworks Impacting Remittance

International Bodies:

  • Financial Action Task Force (FATF): 40 Recommendations form global AML standards.
  • Asia/Pacific Group on Money Laundering (APG) / Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL) / EGMONT Group: Regional & intergovernmental bodies for compliance and intelligence-sharing.
  • World Bank: Collaborates on capacity building and tech integration.

Local Regulators:

  • Monetary Authority of Singapore (MAS)
  • Bank Negara Malaysia (BNM)

Strengthening Internal AML Programs

Governance & Oversight:

  • Appoint a qualified compliance officer
  • Establish an independent AML committee
  • Conduct annual audits and scenario-based risk assessments

Technology Investment:

  • Deploy transaction monitoring software
  • Use machine learning models to detect anomalous behaviour
  • Enable API integrations for real-time KYC and screening

Industry Collaboration:

  • Share typologies and red flags through industry associations
  • Participate in regulatory sandbox initiatives
  • Collaborate with FIUs on suspicious activity trends

Conclusion: A Shared Responsibility

The responsibility of safeguarding remittance services from abuse rests not only with regulators but also with licensed operators, their staff, and technology partners. AML compliance should be viewed not as a cost, but as a strategic investment in trust, reputation, and sustainability.

By embedding strong controls, prioritising staff training, leveraging technology, and maintaining vigilance, remittance providers can remain compliant, competitive, and resilient against financial crime.

How We Can Help

Ingenia Consultants Malaysia Sdn Bhd. provides regulatory support services for financial institutions, including compliance services. We assist in the review and enhancement of AML/CFT frameworks, carry out customer due diligence, and review such efforts by financial institutions to provide their senior management and board of directors with assurance through our service.

 

For more information on our compliance services and capabilities, please contact:

 

Zakrillah Abdul

Head – Payment Service Malaysia

Ingenia Consultants Malaysia Sdn Bhd

zakrillah.abdul@ingenia-consultants.com

The Monetary Authority of Singapore (“MAS”) reminded fund managers of their obligations in managing variable capital companies (“VCCs”) in a special circular on the Governance and Management of Variable Capital Companies (VCCs) (Circular no: IID 04/2025), published on 26 June 2025. Fund managers must ensure compliance with the following key requirements for VCCs:

  1. A VCC must be used as a collective investment scheme (“CIS”).
  2. A Singaporean fund manager must manage the property of the VCC.
  3. A director or representative of the fund manager must be appointed as a director of the VCC.
  4. A VCC must engage an eligible financial institution (“EFI”) to carry out the necessary anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) measures.
  5. The assets of the VCC must be segregated and maintained with an independent custodian.
  6. All individuals engaging in fund management activity for the VCC must be appointed as representatives of the fund manager.

Rapid Rise of Variable Capital Companies 

Since the launch of the VCC framework in January 2020, fund managers have rapidly adopted VCCs as an investment vehicle of choice. By 31 March 2025, approximately 1,200 VCCs were incorporated, managed by about 500 financial institutions carrying out fund management activities in Singapore. 

Based on their filings and a survey of VCC managers in 2024, the MAS carried out a thematic review. The MAS’ reminders and expectations in its circular IID 04/2025 reflect the findings of this survey and the review. For the most part, they reiterate existing regulatory requirements.

Substantive Fund Management 

“The sole object of a VCC is to be one or more collective investment schemes in the form of a body corporate.” (sec. 15(1) VCC Act)

For every CIS/fund it manages, including every VCC and sub-fund of a VCC that it manages, the fund management company (“FMC”) shall conduct substantive fund management activity (para. 4.7 SFA04-G05), such as portfolio management, investment research or trade execution (para. 3.2 SFA04-G05). In contrast, the following activities or structures do not qualify as substantive fund management and, therefore, no VCC should be established for these purposes. 

  1. A VCC should not solely hold illiquid assets previously owned by the investor(s) on behalf of a single investor or a few connected investors (para. 10 IID 04/2025). The “MAS is of the view that VCC managers who merely help transfer investors’ existing investments or assets into the VCC without providing investment inputs would not be considered as carrying out substantive fund management activity.” (para. 10 IID 04/2025)
  2. An FMC must not “merely provide[.] a conduit or channel for its customer to structure its investments or assets in the form of fund units, without providing any substantive input or influence over the merits or suitability of the investment or assets, or assuming responsibility for their investment performance. This includes cases where an FMC executes trades purely based on customers’ instructions” (para. 10 IID 04/2025, para. 3.3.1 SFA04-G05) or the VCC “merely serve[s] as a conduit for the offer of funds managed by other fund managers” (para. 10 IID 04/2025), i.e. a feeder fund for a CIS managed by a third-party fund manager.
  3. The FMC “purely engage[s] in marketing of the VCC[.]” (para. 10 IID 04/2025)

The MAS also expects VCCs to hold assets and have investors within one year after their incorporation. Accordingly, fund managers should periodically assess their VCCs and wind down VCCs that hold no assets or have no investors (para. 9 IID 04/2025).

Appointment of Representatives 

VCCs may appoint directors who are not directors or representatives of the VCC manager to strengthen oversight and corporate governance (para. 8 IID 04/2025). However, they must be mindful that every individual engaged in a regulated activity must be appointed as a representative of the fund manager (sec. 99B(1) SFA). Regulated activities for fund managers include:

  1. deal sourcing, investment research, portfolio management, investment decision making, or trade execution for the VCC’s investments; or
  2. client-facing activities such as marketing, business development, or account/client servicing (para. 8 IID 04/2025, para. (iv) of Appendix 1 to SFA04-G05).

All representatives are subject to the fund manager’s policies and procedures and supervision. 

Custody Arrangement 

VCC managers must ensure that assets under management are subject to independent custody, unless the assets are private equity or venture capital investments offered only to accredited/institutional investors. (para. 7 IID 04/2025) 

A fund management company must segregate assets under its management from its own assets (or assets of related companies and connected persons) (reg. 13B SF(LCB)R). It must deposit the money and assets of the CIS in an account designated by the CIS or in a custody account held on trust for the CIS, separate from its own money or assets (reg. 13B(1)(c), 16 and 26 SF(LCB)R, para. 4.1.1 SFA04-G05). Certain exemptions apply, namely, for private market investments by closed-end venture capital (“VC”) or private equity (“PE”) funds restricted to accredited investors or institutional investors (reg. 13B(4) SF(LCB)R).

Eligible Financial Institution for AML/CFT 

“Every VCC shall put in place adequate controls and processes to comply with [its] AML/CFT obligations, including those outlined in the MAS Notice VCC-N01 and Variable Capital Companies (Sanctions and Freezing of Assets of Persons) Regulations 2020.” (para. 11 IID 04/2025) These obligations include, in particular, the identification and verification of the identities of VCCs’ investors and their beneficial owners, maintaining an accurate and up-to-date register of beneficial owners of VCCs, performing screening, as well as conducting enhanced due diligence measures on higher-risk customers (para. 12 IID 04/2025).

For the execution of its respective required checks and measures, the VCC must engage an eligible financial institution (“EFI”), essentially a financial institution supervised by the MAS (para. 4.1 VCC-N01). Nonetheless, the VCC remains responsible for its AML/CFT obligations. Accordingly, the VCC and its directors must ensure that they sufficiently supervise the appointed EFI (para. 11 IID 04/2025).

How We Can Help 

Ingenia Consultants Pte. Ltd. provides regulatory support services for financial institutions, including compliance and internal audit. We provide compliance advice regarding the fund management company’s regulatory obligations or carry out its compliance obligations to ensure that it remains compliant with its regulatory requirements and aligned with the MAS’ expectations. In addition, we carry out internal audits to provide the fund management company’s board of directors, management, and other stakeholders with assurance regarding the company’s compliance conduct. 

Further, Auto-Comply, our group company, provides easy, inexpensive screening services. 

For more information on our compliance and internal audit services and capabilities, please contact: 

Rolf Haudenschild 

Co-founder 

Ingenia Consultants Pte. Ltd. 

rolf.haudenschild@ingenia-consultants.com 

In an era where online transactions dominate both personal and business activities, digital convenience has become a double-edged sword. While e-commerce platforms and digital banking services have simplified our lives, they’ve also opened the door to increasingly sophisticated cyber fraud. Criminals exploit every weakness, from untrained users to unsecured websites, to carry out identity theft, phishing, and financial fraud.

Personal transactions carried out on your company’s systems, or access to your company’s systems from compromised personal devices, can lead to a breach of your company’s security. This article aims to empower consumers, employees, and stakeholders with critical awareness and actionable steps to detect and avoid falling victim to fraudulent websites posing as legitimate e-commerce or banking portals.

Understanding the Risk Landscape

Cybercriminals use deceptive tactics to lure users into fake websites that mimic legitimate portals. These sites often look identical to the real ones but are designed to capture your sensitive data, such as login credentials, banking information and personal identification details.

Key threats include:

  • Phishing websites: Look-alike URLs that trick users into entering their login details.
  • Man-in-the-middle attacks: Hackers intercept unencrypted data between you and the website.
  • Spoofed certificates: Fraudulent websites may display misleading security indicators.

To combat these threats, users must develop a keen eye for detail and perform basic checks before proceeding with any online transactions.

5 Essential Steps to Verify a Website’s Authenticity

1. Always Look for the Padlock Icon in the Address Bar

A fundamental step in evaluating a website’s legitimacy is to check for the padlock icon before the URL. This padlock indicates that the website uses HTTPS (Hypertext Transfer Protocol Secure; not just HTTP), which encrypts the connection between your device and the site.

  • Legitimate e-commerce and banking portals always use HTTPS.
  • Fraudulent or unsecured websites may lack this icon or display a warning.

Tip: Never enter personal information or make payments on sites without the padlock icon.

2. Click on the Padlock to View the Security Status

Merely seeing the padlock icon is not enough; it can sometimes be spoofed. Click on the icon to reveal a message such as “Connection is secure”. This message means the website’s identity has been authenticated by a trusted certificate authority.

3. Confirm the Validity of the Website’s SSL Certificate

A valid SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate assures users that the website is not only encrypted but that its ownership has been verified.

To verify:

  • Click on “Certificate is valid”.
  • Look at the issuer’s name, such as DigiCert, Sectigo, or Let’s Encrypt.
  • Check the validity period to ensure it has not expired or been revoked.

Warning signs:

  • Self-signed certificate
  • Expired certificate
  • Unrecognised issuer

4. Inspect Certificate Details via the “Certificate Viewer”

In the Certificate Viewer panel, users can inspect:

  • The Subject: Should match the domain (e.g., bankABC.com).
  • The Issuer: Trusted bodies like GlobalSign or DigiCert.
  • Public Key: A unique digital signature that helps prevent impersonation.

Warning sign: If the subject name looks unfamiliar, inconsistent, or contains unusual characters, it may indicate a spoofed site.

5. Cross-Check the Website URL and Domain Structure

Even before clicking anything, verify the website’s URL. Official domains are short, clear, and familiar. Fraudulent sites often use tricks like:

  • Slight misspellings (e.g., www.arnazon.com instead of www.amazon.com).
  • Extra subdomains (login-secure.mybank.verify.com).
  • Use of numbers or foreign letters.

When in doubt, type the address manually or search for it using a search engine. The steps are illustrated at the very end of this article.
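The certificate and URL checks from steps 3 to 5, written out as an added Python example that is not part of the original article; the domain check is kept separate from the certificate check because a look-alike domain can hold a valid certificate for its own name. The allowlist `TRUSTED`, the two-label domain rule and the sample certificates (shaped like the output of `ssl.SSLSocket.getpeercert()`) are assumptions constructed for the example.

```python
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumed allowlist: the portals this user really deals with (constructed for the example).
TRUSTED = {"amazon.com", "mybank.com"}


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Step 5: list the warning signs in a URL; an empty list means none were found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("foreign-letters")
    # Simplification: the registrable domain is taken as the last two labels.
    # Production code should consult the Public Suffix List instead.
    domain = ".".join(labels[-2:])
    if domain in trusted:
        return findings
    findings.append("untrusted-domain")
    for good in sorted(trusted):
        if edit_distance(domain, good) <= 2:
            findings.append(f"look-alike-of:{good}")
        elif good.split(".")[0] in labels[:-2]:
            findings.append(f"brand-in-subdomain:{good}")
    return findings


def name_matches(pattern, host):
    # Exact match, or a wildcard that covers exactly one left-most label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_certificate(cert, host, now):
    """Steps 3 and 4 on a dict shaped like ssl.SSLSocket.getpeercert() output.

    With Python's default TLS context a certificate failing these checks already
    aborts the handshake; this function spells out what is being checked.
    """
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host.lower()) for n in names):
        findings.append("subject-mismatch")
    return findings


# Constructed sample certificates and a fixed "current time" so the result is repeatable.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc).timestamp()
GOOD_CERT = {
    "subject": ((("commonName", "www.mybank.com"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "mybank.com")),
}
BAD_CERT = {
    "subject": ((("commonName", "login-secure.mybank.verify.com"),),),
    "issuer": ((("commonName", "login-secure.mybank.verify.com"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "login-secure.mybank.verify.com"),),
}

if __name__ == "__main__":
    for url in ("https://www.arnazon.com/login", "https://login-secure.mybank.verify.com/"):
        print(url, check_url(url))
    print(check_certificate(BAD_CERT, "www.mybank.com", NOW))
```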

Why Awareness Matters

Even with robust IT security systems in place, the weakest link is often the user. Fraudulent portals depend on social engineering and trust. By equipping users with practical detection steps, we reduce individual exposure and create a safer digital environment.

Organisations should consider:

  • Periodic fraud awareness campaigns.
  • Regular training for staff and customers.
  • Reporting mechanisms for suspicious portals or phishing attempts.

Conclusion: Trust But Verify

Digital fraud is an ever-evolving threat, but basic awareness and vigilance go a long way. Whether shopping online, accessing a bank account, or logging in to a government portal, follow the five steps as part of your digital hygiene.

Remember: “If something feels off, it probably is”.

Only engage with verified websites, double-check certificates, and avoid entering sensitive data on suspicious platforms. When in doubt, consult your bank, IT security team, or trusted support channel.

How We Can Help

We at Ingenia Consultants Malaysia Sdn Bhd support our clients in navigating the fraud detection and prevention requirements. We specialise in helping our clients comply with these regulatory obligations by developing appropriate policies and procedures.

For any further information, please contact:

Zakrillah Abdul

Head – Payment Service Malaysia

Ingenia Consultants Malaysia Sdn Bhd

zakrillah.abdul@ingenia-consultants.com

Steps On How to Detect Fraudulent E-Commerce and Banking Portals 

The following steps enable customers to detect whether the e-commerce or banking portal is genuine or fraudulent. 

At any respective e-commerce or banking portal, look for the padlock icon  

e-commerce Portal: 

Banking Portal: 

Upon clicking the padlock icon, you will be routed to an information box regarding the website you are accessing. Click on “Connection is secure”. 

 

It will then route to another information box, which shows that the website has a valid certificate issued by a trusted authority. 

 

Information on the certificate can be viewed by clicking on the certificate icon  

The “Certificate Viewer” contains valuable information, such as the issuance of the web portal certificate and the certificate and public key number, which is an inimitable, unique number. Each genuine portal has its own certificate issuance. 

 

On 30 June 2025, the Monetary Authority of Singapore (“MAS”) published its Response to Feedback Received on Proposed Amendments to AML/CFT Notices and Guidelines (the “Response”), and the updated notices and guidelines, essentially for all types of financial institutions (“FIs”) and variable capital companies (“VCCs”). The amended notices and guidelines took effect on 1 July 2025. No transition is provided. 

In this article, we discuss the material amendments to the MAS’ notices and guidelines on anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”). We focus on Notice SFA 04-N02 to Capital Markets Intermediaries on Prevention of Money Laundering and Countering the Financing of Terrorism (“Notice SFA04-N02” or “SFA04-N02”) and the Guidelines to Notice SFA 04-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism – Capital Markets Intermediaries (“Guidelines to SFA04-N02”) that apply to holders of a capital markets services (“CMS”) licence under the Securities and Futures Act 2001 (“SFA”), such as licensed fund management companies.

Inclusion of Proliferation Financing 

The scope of the AML/CFT notices and guidelines has been amended to explicitly include counterproliferation financing (“CPF”). A description of proliferation financing has been included in paragraph 1-4-8A of the Guidelines to SFA04-N02. Footnotes in the regulations further remind financial institutions that, for the purposes of the AML/CFT notices and guidelines, money laundering includes proliferation financing. Accordingly, money laundering risks must be regarded as including proliferation financing risks, and controls must be expanded accordingly. 

Proliferation financing (“PF”) risk assessments can be carried out independently or as part of the ML/TF risk assessments that the financial institution is already conducting. If the financial institution has not yet performed a PF risk assessment, it should do so as soon as possible. 

Consideration of National Risk Assessments in the Financial Institution’s Enterprise-wide ML/TF Risk Assessment 

Previously, Notice SFA04-N02 had mentioned only Singapore’s National ML/TF Risk Assessment Report as a report to be considered in the financial institutions’ enterprise-wide ML/TF risk assessment (“EwRA”). The updated Notice SFA04-N02 requires financial institutions to include Singapore’s various risk assessment reports, such as the Money Laundering National Risk Assessment Report, the Terrorism Financing National Risk Assessment Report, and the Proliferation Financing National Risk Assessment Report, in their EwRA.

Identification of the Customer 

The provisions in Notice SFA04-N02 for the information required from customers have been segregated to distinguish between information required from customers who are individuals and customers that are legal persons or legal arrangements (para. 6.6 SFA04-N02). For the information required from customers who are individuals, no material changes were made (para. 6.6(a) SFA04-N02). For the information required of customers that are legal persons or legal arrangements (para. 6.6(b) SFA04-N02), the following notable amendments were introduced: 

  1. A requirement to obtain information on the purpose for which the legal person or legal arrangement was set up was introduced.
  2. A requirement to obtain information on the place from where the legal person or legal arrangement is administered was introduced (para. 6.6(b)(vii) SFA04-N02). In the case of a trust, the place of administration is where the trust’s administration is carried out. This includes the keeping of accounting records, acting as a custodian without also acting as a trustee, the management and administration of trust assets, dealing with trust assets, including the investment, transfer and disposal of such assets, the distribution of trust assets, the payment of expenses or remuneration out of the trust, reviewing and monitoring the activities of investment advisers, agents, and persons to whom a trustee has delegated any trust, power or discretion, exercising any trust, power or discretion on behalf of a trustee, opening bank accounts for an express trust, and transferring assets into an express trust (see paragraph 6 of the TCA Guidelines on Scope of Regulation (“TCA-G04”); para. 3.7 Response). In the case of a legal person, the place of administration is the registered or business address or principal place of operations of the legal person, or of the corporate service provider of the legal person, if any (para. 3.8(a) Response).
  3. For trusts, financial institutions are required to obtain a copy of the trust deed or its equivalent (para. 6.6(b)(vi) SFA04-N02), i.e. documents that set out relevant identification information and support the establishment of the trust, such as reliable extracts of the trust deed, a deed of appointment, etc. (para. 3.17 Response).

Trust Relevant Parties as Beneficial Owners 

The list of parties involved in trusts that financial institutions must identify has been modified (para. 6.14(b)(i) SFA04-N02). A reference to trust relevant parties as defined in paragraph 2.1 of MAS Notice TCA-N03 has been introduced. Trust relevant parties are 

  1. the settlor;
  2. the trustee;
  3. the protector;
  4. the beneficiary, class of beneficiaries or object of a power; or
  5. any other persons with the power under the legal arrangement instrument or by law to do any of the following:
    1. dispose of the property under the legal arrangement;
    2. invest the property under the legal arrangement other than as a trust manager of the legal arrangement;
    3. direct, make or approve distributions of the property under the legal arrangement;
    4. vary or terminate the legal arrangement;
    5. add or remove a person as a beneficiary or object of a power under the legal arrangement; or
    6. add a person to, or remove a person from, a class of beneficiaries under the legal arrangement.

Here, an “object of a power” means a person who is a member of a class of possible beneficiaries under the trust, and is reasonably expected to benefit from the trust, whether or not because the person is referred to as a potential beneficiary by the settlor of the trust in a document relating to the trust such as a letter of wishes, or the class of possible beneficiaries has narrowed for any reason (para. 2.1 TCA-N03). The respective persons should be identified as soon as reasonably practicable after they become identifiable, and in any case before making a distribution to that person or when that person intends to exercise his/her vested rights.

In case of higher-risk customers, the financial institution shall establish and corroborate the source of wealth of the higher-risk trust relevant party that is a contributor of assets to the legal arrangement (para. 3.2 Response). 

Information on Beneficial Owners 

The amended notices list the information that financial institutions must obtain from beneficial owners (para. 6.14A(a) SFA04-N02):

  1. The full name, including any aliases;
  2. The unique identification number (such as an identity card number, birth certificate number or passport number);
  3. The residential address;
  4. The date of birth;
  5. The nationality.

If the financial institution is unable to obtain the unique identification number or residential address of the beneficial owner after taking reasonable measures, and has assessed the ML/TF risks in relation to the customer as not being high, the financial institution may simply obtain the date of birth and nationality of the beneficial owner, in lieu of the unique identification number, and the business address of the beneficial owner, in lieu of the residential address (para. 6.14C SFA04-N02). However, the financial institution must document its assessment and the measures taken (para. 6.14D SFA04-N02). 

Information on Intermediate Owners 

In addition to the information required from beneficial owners who are natural persons, the Notice also lists information required from beneficial owners that are legal persons or legal arrangements (para. 6.14A SFA04-N02). In its Response, the MAS clarifies that beneficial owners are only natural persons. The requirement to obtain information on legal persons or legal arrangements applies to legal persons or legal arrangements in the chain of ownership or control between the customer and the beneficial owner, i.e. intermediate owners (para. 3.10 Response). 

Financial institutions must obtain at least the following information from intermediate owners: 

  1. its full name;
  2. its incorporation number, business registration number or tax identification number or its equivalent;
  3. its registered or business address, and if different, its principal place of business;
  4. its date of constitution, incorporation or registration;
  5. its place of incorporation or registration;
  6. a copy of the trust deed (or its equivalent) (if any);
  7. the purpose for which the legal person or legal arrangement was set up;
  8. the place from where the legal person or legal arrangement is administered; and
  9. the legal form, constitution and powers that regulate and bind the legal person or legal arrangement.

Detection of Fraudulent or Tampered Data, Documents or Information 

The financial institution should provide its staff with adequate guidance on how to identify indicators of fraudulent or tampered data, documents or information, such as significant discrepancies in a customer’s representations, anomalies in financial statements, or a lack of sign-off by relevant certifying parties such as an auditor. The financial institution should put processes in place to escalate instances where such indicators are detected (para. 6-65A Guidelines to SFA04-N02). 

Screening 

Financial institutions are reminded that they need to be cognisant of the limitations of their screening tools (para. 5.4 Response). They should take a risk-based approach to determine where pertinent search engines should be used on top of screening against commercial databases; for example, further information on an apparent match in the screening against the commercial database may be obtained in internet-based search engines predominantly used in countries closely associated with the nationality, residence, or source of wealth of the person screened (para. 6-15-3 Guidelines to SFA04-N02 and FN 7 to para. 6-15-3 Guidelines to SFA04-N02).

Red Flags on Customers 

Customers who exhibit characteristics of a higher-risk shell company are listed as an additional example of a category of potentially higher-risk customers (para. 8-2(a)(vii) Guidelines to SFA04-N02). Such indicators of a higher-risk shell company may be an unclear economic purpose of requiring an account relationship in Singapore, an unclear economic purpose for linking a common individual or address to multiple companies, the addition of unrelated third parties to operate the account after its opening, an unusual change in the corporate structure or the beneficial owner after account opening, suspicious transactions which are not in line with the financial institution’s understanding of the customer, or superficial corporate websites inconsistent with the customer’s purported business (para. 8-2(a)(vii) Guidelines to SFA04-N02). 

Assessment of the Source of Wealth 

Financial institutions must establish the source of wealth of their high-risk customers, i.e. the origin of the customer’s and beneficial owner’s entire body of wealth (i.e. total assets). Hereby, they need not only to clarify the source of current assets but must establish the seed money that generated subsequent wealth and gifts or other assets received by the customer or beneficial owner, as applicable (para. 8-5-5 Guidelines to SFA04-N02). Where a material source of wealth of the customer or beneficial owner is a gift or other asset received from third parties, the financial institution should obtain information to establish the legitimacy and plausibility of such a gift or other asset. Firstly, it should establish the relationship between the donor and the customer or beneficial owner. Secondly, it should verify the transactions effecting the gift or transfer of the other asset against reliable and independent sources of information, such as bank statements or public sources. Finally, the financial institution should also assess the plausibility of the donor’s source of wealth that enabled the gift or other transfer of the asset (para. 8-5-7B Guidelines to SFA04-N02, para. 5.8 Response). 

Financial institutions must corroborate the source of wealth of their high-risk customers and their beneficial owners. In doing so, the financial institution should apply a risk-based approach and focus on the corroboration of sources of wealth and sources of funds that are more material and/or present a higher ML/TF risk (para. 8-5-7 Guidelines to SFA04-N02). Namely, financial institutions are not required to obtain documents from many years ago which may no longer be easily available and are not of high relevance to the generation of the customer’s wealth (para. 5.8 Response).

To the extent practicable, the financial institution should use reliable and independent sources. Where information is not available from public sources, the financial institution should exercise prudence and perform additional checks to validate its plausibility. The financial institution should document the basis for its use of the information and periodically review this basis (para. 8-5-7 Guidelines to SFA04-N02). 

Where the financial institution is unable to corroborate a source of wealth or source of funds that is more material or presents a higher ML/TF risk, it should assess whether the residual risks associated with not corroborating such a source of wealth or source of funds are acceptable and whether additional risk mitigation measures should be applied in the absence of corroboration (para. 8-5-7A Guidelines to SFA04-N02).

However, where the customer is a high-risk customer other than a politically exposed person (“PEP”), the financial institution may assess if the sources of wealth and sources of funds need to be corroborated (para. 8-6-1 Guidelines to SFA04-N02). For example, the financial institution may conclude that no corroboration is necessary, where the customer is a listed company that has publicly available information on its wealth-generating commercial activities, or is a financial institution that is subject to and supervised for compliance with AML/CFT requirements consistent with standards set by the FATF and thus subject to corporate governance or other regulatory requirements (FN 9 to para. 8-6-1 Guidelines to SFA04-N02). 

Red Flags for Transactions 

The participation in a tax amnesty programme (“TAP”) was added as an example of an activity that indicates a higher ML/TF risk (para. B-7(ix) of Appendix B to the Guidelines to SFA04-N02). If a customer participates in a TAP, the financial institution should file a suspicious transaction report (“STR”) and determine if a review of the customer’s account is warranted (FN 23 to para. B-7(ix) of Appendix B to the Guidelines to SFA04-N02). At the same time, financial institutions should encourage their customers to use the opportunity accorded under a TAP to ensure that their tax affairs are in order or regularised (FN 23 to para. B-7(ix) of Appendix B to the Guidelines to SFA04-N02). 

Measures in Case of Increased Risks 

Where the financial institution detects indications that risks associated with an existing customer have increased, the financial institution must not only request additional information and conduct a review of the customer, but also promptly implement commensurate risk mitigation measures, including enhanced monitoring (para. 6-10-3 Guidelines to SFA04-N02).  

Sharing of Information 

Financial institutions are expected to monitor related customer accounts holistically within and across business units, so as to better understand the risks associated with such customer groups, identify potential ML/TF risks and report suspicious transactions (para. 6-10-11 Guidelines to SFA04-N02). At a minimum, customer due diligence information should be shared among the financial institution’s business units (para. 6-10-11 Guidelines to SFA04-N02).

Reduction of Third Parties to Be Relied On 

Under specified circumstances, financial institutions can rely on third parties to carry out customer due diligence measures (sec. 9 SFA04-N02). New provisions were introduced that exclude holders of a payment services licence under the Payment Services Act 2019 or of a digital payment token service provider licence under the Financial Services and Markets Act 2022, and foreign financial institutions holding similar licences, from the third-party financial institutions that a financial institution can rely upon (para. 9.1 SFA04-N02).

Suspicious Transaction Reports 

Financial institutions are encouraged to put processes in place to detect and investigate concerns of higher ML/TF risks even before suspicions are raised. This preventive control will allow the financial institution to put early mitigation measures in place. These processes should include the identification and prioritisation of the review of concerns of higher ML/TF risks, their prompt review, and escalating them to senior management or another designated body to decide on the appropriate ML/TF risk mitigation measures (para. 13-A Guidelines to SFA04-N02). 

Suspicious transaction reports (“STRs”) should be referred to the Suspicious Transaction Reporting Office (“STRO”) without delay. Generally, the filing of an STR should not exceed five business days after the suspicion was first established (para. 13-1 Guidelines to SFA04-N02), i.e. after the financial institution concludes that the filing of an STR is warranted based on available information, the circumstances and its investigation (FN 6 to para. 6-15-2 Guidelines to SFA04-N02, FN 14 to para. 13-1 Guidelines to SFA04-N02, and para. 4.3 Response). STRs regarding sanctions should even be submitted within one business day after the suspicion was first established (para. 6-15-2 Guidelines to SFA04-N02). 

Financial institutions do not need to share a copy of suspicious transaction reports (“STRs”) with the MAS by default anymore. They only need to share STRs with the MAS upon the MAS’ request (para. 13.2 SFA04-N02). 

How We Can Help 

Ingenia Consultants Pte. Ltd. provides regulatory support services for financial institutions, including compliance and internal audit. We assist in the review and enhancement of AML/CFT frameworks, carry out customer due diligence, and review such efforts by financial institutions to provide their senior management and board of directors assurance through our internal audits. 

In addition, Auto-Comply, our group company, provides easy, inexpensive screening services. 

For more information on our compliance and internal audit services and capabilities, please contact: 

Rolf Haudenschild 

Co-founder 

Ingenia Consultants Pte. Ltd. 

rolf.haudenschild@ingenia-consultants.com 

On 30 May 2025, the Monetary Authority of Singapore (“MAS”) announced and clarified the implementation of the licensing requirement for digital token service providers (“DTSPs”) under the Financial Services and Markets Act 2022. In its Response to Feedback Received Consultation Paper on Proposed Regulatory Approach, Regulations, Notices and Guidelines for Digital Token Service Providers issued under the Financial Services and Markets Act 2022 (the “Response”), it confirmed that DTSPs require a licence starting 1 July 2025, with no transitional arrangements, and elaborated further on some of the licensing requirements. Having attracted criticism for its cautious approach, the MAS followed up with a media release, MAS Clarifies Regulatory Regime for Digital Token Service Providers, on 6 June 2025 (the “Clarification”).

Requirement for Licensing 

Under the Financial Services and Markets Act 2022 (“FSM”), a person in Singapore, including a company incorporated in Singapore, requires a licence to carry on a business of providing the following services outside of Singapore, unless an exemption applies:

  1. any service of dealing in digital tokens;
  2. any service of facilitating the exchange of digital tokens;
  3. any service of accepting (whether as principal or agent) digital tokens from one digital token account, for the purposes of transmitting, or arranging for the transmission of, the digital tokens to another digital token account;
  4. any service of arranging (whether as principal or agent) for the transmission of digital tokens from one digital token account to another digital token account;
  5. any service of inducing or attempting to induce any person to enter into or to offer to enter into any agreement for or with a view to buying or selling any digital tokens in exchange for any money or any other digital tokens (whether of the same or a different type);
  6. any service of safeguarding a digital token, where the service provider has control over the digital token;
  7. any service of carrying out for a customer an instruction relating to a digital token, where the service provider has control over the digital token;
  8. any service of safeguarding a digital token instrument, where the service provider has control over one or more digital tokens associated with the digital token instrument;
  9. any service of carrying out for a customer an instruction relating to one or more digital tokens associated with a digital token instrument, where the service provider has control over the digital token instrument;
  10. any service relating to the sale or offer for sale of digital tokens which involves
      1. providing advice, either directly or through publications or writings, and whether in electronic, print or other form, relating to any digital tokens; or
      2. providing advice by issuing or promulgating research analyses or research reports, whether in electronic, print or other form, relating to any digital tokens.

The MAS clarified that an individual requires a digital token (“DT”) services licence if he/she carries out the regulated activity by himself/herself. In contrast, he/she does not require a licence if he/she carries out the work as part of his/her employment with a foreign-incorporated company. 

In its Response, the MAS announced that DTSPs which are subject to licensing under the FSM must suspend or cease carrying on a business of providing DT services outside Singapore by 30 June 2025. No transitional arrangements will be provided.

Conversely, the MAS reiterated in its Clarification that providers of services for digital payment tokens or tokens of capital market products that serve customers in Singapore are already subject to regulation and licensing under the Payment Services Act 2019 and the Securities and Futures Act 2001. There is no change to what these licensed providers can do. These providers, which serve customers in Singapore, may also provide services to customers outside of Singapore. 

Notable Exemptions from the Requirement for Licensing 

First of all, we would like to highlight that the FSM subjects services regarding digital tokens to licensing (sec. 137 FSM and Part 1 of the First Schedule to the FSM). It is our view that only activities for the benefit of third parties can be regarded as services. Therefore, activities carried out for the person’s own benefit, e.g. proprietary trading, do not qualify as a DT service. 

Moreover, only persons who carry on a business of providing any type of DT service require a licence (sec. 137 FSM). Therefore, a person generally does not require a DTSP licence if they carry out a regulated activity only occasionally and not systematically.

Finally, the following types of financial institutions are exempt from the requirement to hold a DTSP licence to the extent that the DT service activity is incidental to the activity for which they hold a licence (or are exempt from holding a licence): 

  1. financial institutions that are required to be licensed, approved or recognised under the Securities and Futures Act 2001, or exempt thereof, such as
      1. holders of a capital markets services (“CMS”) licence for fund management, dealing in capital markets products, providing custodial services, or advising on corporate finance, and
      2. recognised market operators;
  2. licensed and exempt financial advisers;
  3. major and standard payment institutions holding a licence under the Payment Services Act 2019, namely for digital payment token service.

Thus, financial institutions that are not required to obtain or hold a DTSP licence include:

  1. fund management companies that manage a collective investment scheme that invests in digital tokens;
  2. brokers (holding a CMS licence for dealing in capital markets products) that offer tokenised securities;
  3. corporate finance advisers (holding a CMS licence for advising on corporate finance) that assist companies in raising capital through tokenised securities;
  4. payment institutions (holding a licence for digital payment token services) when arranging an over-the-counter (“OTC”) transfer of digital tokens between two parties outside of Singapore.

Requirements to Obtain a Licence 

In its Response and Clarification, the MAS highlighted that it will only grant a DT services licence under extremely limited circumstances due to its concerns about their higher risk of money laundering (“ML”) and terrorism financing (“TF”). 

Nonetheless, the MAS has provided additional clarification regarding the requirements under the Financial Services and Markets Act 2022 for a DTSP to obtain and maintain a licence. 

  • The DTSP must have a permanent place of business in Singapore where at least one person is present during specified business hours. 
  • The DTSP must have a minimum of SGD 250,000 in base capital, total capital contribution or cash deposit in the case of a company, a partnership or limited liability partnership, and an individual, respectively.
  • The DTSP must have a business model that makes economic sense and must be able to demonstrate to the MAS’ satisfaction that it has valid reasons as to why it does not intend to carry on a business of providing DT services in Singapore despite operating in or being formed or incorporated in Singapore. 
  • The DTSP must not operate in a manner that is of concern to the MAS. In this regard, the MAS may take into account whether the DTSP is already regulated and supervised for its compliance with relevant internationally agreed standards, such as standards established by the Financial Stability Board, the International Organisation of Securities Commissions, and the Financial Action Task Force (“FATF”), by all the relevant supervisors in the jurisdictions in which it provides DT services outside of Singapore.
  • The directors and the CEO of a DTSP must be fit and proper and have sufficient experience in operating a DTSP business as well as a sufficient understanding of the regulatory framework for DTSPs in Singapore.
  • An executive director, or a similar person in the case of other entities, must be resident in Singapore. 
  • The DTSP must put in place an adequate business structure that does not give rise to any concerns by the MAS, e.g., regarding its capacity to adequately manage key risks associated with its business activities and its ability to comply with regulatory obligations. 
  • The DTSP must have compliance arrangements that are commensurate with the scale, nature, and complexity of its operations. These may take the form of an independent compliance function in Singapore, or compliance support from its holding company or overseas related entity. In any case, a DTSP is required to appoint a suitably qualified compliance officer at the management level who is based in Singapore. 
  • The DTSP is required to appoint an auditor to conduct an audit of the transactions in relation to the DT services and submit the audit report to the MAS annually. 
  • The DTSP must put in place a technology risk management framework and controls adequate for its activities that depend on the underlying distributed ledger technology and interaction with service providers in the network. 
  • An annual licence fee of SGD 10,000 will apply. 

How We Can Help 

Ingenia Consultants Pte. Ltd. provides regulatory support services for financial institutions, including licensing, compliance and internal audit. We support companies in their applications with the Monetary Authority of Singapore (“MAS”) across different sectors, such as capital markets, financial advice and payment services, including digital payment token services. We assist licensed financial institutions in compliance, from outsourced compliance services to advice and regulatory projects, and provide their senior management with assurance through internal audits. 

For more information on our compliance and internal audit services and capabilities, please contact: 

Rolf Haudenschild 

Co-founder 

Ingenia Consultants Pte. Ltd. 

rolf.haudenschild@ingenia-consultants.com 

On 8 April 2025, the Monetary Authority of Singapore (“MAS”) published a Consultation Paper on the Proposed Amendments to Anti-Money Laundering and Countering the Financing of Terrorism Notices for Financial Institutions and Variable Capital Companies. In this consultation, the MAS proposes streamlined amendments across all financial institutions that predominantly implement best practices that were communicated previously. Clearly, the amendments result in higher requirements for the financial institutions’ anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) measures. The consultation period ends on 8 May 2025. The MAS expects the amendments to take effect from 30 June 2025. 

In this article, we outline the proposed amendments.

Inclusion of Proliferation Financing

To better align AML/CFT regulations in Singapore with the revised FATF standards, the MAS proposes to explicitly state that money laundering (“ML”) includes proliferation financing (“PF”). Therefore, financial institutions must identify, assess, understand and mitigate their PF risks and, thus, include adequate measures to counter PF in their AML/CFT frameworks. Most financial institutions are expected to already include PF in their AML/CFT frameworks. The existing AML guidelines already include information, including red flags, regarding PF.

Expansion of Trust Relevant Parties

The MAS proposes to amend the definition of trust relevant parties in its Notice on Prevention of Money Laundering and Countering the Financing of Terrorism – Trust Companies (“TCA-N03”) and to reference this definition in its AML/CFT notices applicable to other types of financial institutions, for example, the Notice on Prevention of Money Laundering and Countering the Financing of Terrorism – Capital Markets Intermediaries (“SFA04-N02”).

[1] An “object of power” is proposed to mean “a person who

    • Is a member of a class of possible beneficiaries under the trust; and
    • Is reasonably expected to benefit from the trust, whether or not because
      • The person is referred to as a potential beneficiary by the settlor of the trust in a document relating to the trust such as the letter of wishes; or
      • The class of possible beneficiaries has narrowed for any reason.”

 

The MAS proposes that a financial institution must, in addition to the information prescribed for the existing trust relevant parties, obtain information on the identity of the protector, the identity of the class of beneficiaries and object of power, and of any other natural person(s) exercising ultimate effective control over a trust relevant party. This includes information on beneficial owners of a legal person or a legal arrangement that is a trust relevant party.

Clarification of Timelines for Filing of Suspicious Transaction Reports 

The MAS proposes to reduce the number of days to submit a suspicious transaction report (“STR”) from 15 business days of the case being referred by the relevant employee of the financial institution to 5 business days after suspicion was first established and, in the case of sanctions, to 1 business day after suspicion was first established.

In addition, in the proposed amendments to the AML Guidelines, the MAS is promoting risk-based monitoring to identify and prioritise the review of concerns of higher ML/TF risk. These concerns should be promptly reviewed and escalated for mitigating measures where required.

Amendments to the Notices and Guidelines 

In this section, we highlight pertinent proposed changes to the notices and guidelines on AML/CFT, in particular the Notice on Prevention of Money Laundering and Countering the Financing of Terrorism – Capital Markets Intermediaries (SFA04-N02) and the Guidelines to MAS Notice SFA04-N02 on Prevention of Money Laundering and the Financing of Terrorism (Guidelines to SFA04-N02). Please note that we do not list all proposed amendments to the notices and guidelines. 

Identification of Beneficial Owners 

Instead of requiring financial institutions to take reasonable measures to verify the identities of the beneficial owners, the MAS proposes that financial institutions must obtain specified information on the beneficial owners that is similar to the information required from the customers.² 

[2] You may note that the MAS is also proposing a list of information required from beneficial owners that are a legal person or legal arrangement.

Guidance to Identify Fraudulent or Tampered Data, Documents or Information 

The MAS proposes that financial institutions must provide their staff with adequate guidance on how to identify indicators of fraudulent or tampered data, documents or information. Indicators include:

  • significant discrepancies in a customer’s representations that are found when these representations are checked against independent sources of information, such as corporate data reports; 
  • accounting errors, or anomalies in financial statements that are not in line with the financial institution’s understanding of the customer’s profile; and 
  • lack of sign-off by relevant certifying parties such as an auditor or notary public. 

If any indicators are detected, the matter should be escalated and appropriate ML/TF risk mitigation measures applied. 

Sharing of Information on Customers 

To ensure the holistic monitoring of customer accounts, the MAS proposes that financial institutions have processes to share information on customers and their related accounts within and across business units. The information shared should minimally include the information to identify the customer and the source of wealth. 

Enhancements in Screening 

The MAS proposes that financial institutions screen against pertinent search engines, in addition to commercial databases. Financial institutions should conduct screening in the native language(s) of the person screened and on pertinent search engines used in countries or jurisdictions closely associated with the person screened. 

Higher-risk Shell Companies 

The MAS provides examples of characteristics displayed by higher-risk shell companies. These include: 

  • Unclear economic purpose for requiring an account relationship in Singapore; 
  • Unclear economic purpose for linking a common individual/address to multiple companies; 
  • Unrelated third parties are added to operate an account after the account opening; 
  • Unusual change of corporate structure/beneficial owner after the account opening; 
  • Suspicious transactions which are not in line with the financial institution’s understanding of the customer; or  
  • Superficial corporate websites that are inconsistent with the scale of the business. 

Examples are provided for most cases. 

Clarification on the Establishment and Corroboration of the Source of Wealth 

The MAS proposes changes to reflect its latest guidance on the establishment and corroboration of the source of wealth, including a risk-based approach. 

Reflecting a risk-based approach, the MAS indicates that financial institutions should obtain source of wealth information to the extent practicable about the entire body of wealth that the customer and beneficial owner would be expected to have, and how the customer and beneficial owner acquired the wealth. Accordingly, the MAS expects financial institutions to establish the seed money that generated subsequent wealth. Where a material source of wealth of the customer or beneficial owner is a gift or other asset received from third parties, financial institutions should obtain information to establish the legitimacy and plausibility of the gift or other asset. This should include establishing the relationship between the third party and the customer or beneficial owner, verifying the transaction(s) effecting such gift or other asset against reliable and independent sources of information, and assessing the plausibility of the third party’s source of wealth.

Financial institutions should take a risk-based approach and focus on corroboration of sources of wealth and sources of funds that are more material or present a higher risk for ML/TF. 

Financial institutions should ensure that sources of wealth and sources of funds are established through appropriate and reasonable means, to the extent practicable, using reliable and independent sources of information. Examples of appropriate and reasonable means include credible public sources. Where independent sources of information are not available, financial institutions should exercise prudence in the use of non-independent sources of information, such as customer representations, assumptions and benchmarks, to ensure adequate rigour of assessment. This should include the performance of additional checks against alternative information sources. Moreover, the financial institution’s basis for using such information should be documented and reviewed periodically.

Where a financial institution is unable to corroborate any more material source of wealth or source of funds that presents a higher risk for ML/TF, it should assess whether the residual risks associated with not corroborating this source of wealth or source of funds are acceptable and whether additional risk mitigation measures should be applied in the absence of corroboration.

Finally, the MAS proposes to classify all offerings of personalised wealth management services, financial advisory services and financial products to high-net-worth individuals as higher-risk business. As a result, financial institutions are expected to independently corroborate these customers’ sources of wealth and screen operating companies and individual benefactors contributing to the customer’s and beneficial owner’s wealth.

Participation in Tax Amnesty as Indicator of Higher Risk 

The MAS proposes adding participation in a tax amnesty programme to its list of examples of suspicious transactions (situations) in the section on tax crime-related transactions and requests financial institutions to file an STR when a customer has indicated that it has participated in a tax amnesty programme. 

 


The International Internal Audit Standards Board released the new Global Internal Audit Standards (the new “IIA Standards”) on 9 January 2024, and internal audit functions were required to adopt the new Standards by 9 January 2025.

Based on the new IIA Standards, the Institute of Internal Auditors (IIA) has introduced several key changes that can impact the selection of consulting firms a company, such as a financial institution, engages to carry out its internal audit as an outsourced service provider:

  • Stricter independence of the internal audit services (the new “Organizational Independence Standard”)
  • Greater emphasis on risk-based auditing (the new “Engagement Risk Assessment Standards”) 
  • Higher expectations for internal audit quality and objectivity 
  • More focus on environmental, social and governance (“ESG”), and cybersecurity audits 
  • Adoption of technology and data analytics 

Enhanced Internal Audit Standards 

Organisational Independence 

Under the new Organizational Independence Standard, internal audit service providers are expected to follow stricter independence requirements when providing internal audit and consulting services for the same client. The chief audit executive is required to be qualified and report directly to the board of directors (the “Board”) and the function is positioned at a level within the organization that enables the internal audit function to discharge its service and responsibilities without interference.  

Risk-based Audit 

The new Engagement Risk Assessment Standards reinforce a risk-based approach, requiring internal audits to focus on high-risk areas. Consulting firms that perform internal audits based on regulation or SOX requirements may need to adjust audit methodologies or approaches to align with these new expectations. Internal auditors need to consult with their clients to identify high-risk areas and assess the inherent risk, including alignment with the company’s risk appetite and industry best practices. 

Competency 

The new Competency Standard requires internal auditors to possess or obtain the relevant industry knowledge and auditing standards to perform their responsibilities successfully. For example, to conduct internal audits in the financial sector, the internal audit staff should have the knowledge about applicable regulations and business models, experience to understand the operations of the financial institutions and applicable industry practices, and the skills and abilities to conduct the test of design and test of execution of the financial institution in accordance with the IIA Standards and clearly communicate the findings to the financial institution’s Board and senior management. 

Focus on ESG and Cybersecurity 

The chief audit executive should seek inputs from the Board on the governance and risk management concerns related to non-financial matters such as strategic initiatives, cyber security, health and safety, sustainability, business resilience and reputation and address them as part of the proposed internal audit plan.  

Use of Technology and Data Analytics 

As part of their due professional care, internal auditors are required to consider the efficient use of techniques, tools, and technology and the extent and timeliness of work to achieve the engagement objective. For this purpose, internal auditors may use data analysis software and technologies. 

How We Can Help 

Ingenia Consultants Pte. Ltd. is well-positioned to provide an independent and objective assurance review in accordance with the new IIA Standards.

Ingenia Consultants Pte. Ltd. is a corporate member of the Institute of Internal Auditors (IIA). Our internal audit team is headed by a certified public accountant (“CPA”) and led by a certified internal auditor (“CIA”). To ensure the independence of our internal audit, in particular, from our regulatory compliance services, we maintain an independent internal audit business unit with separate staff and a separate system dedicated to internal audit. 

At the outset of our internal audit engagements, we work with our clients (their board of directors or senior management) to identify high-risk areas, assess the inherent risk and align our internal audit with the risk appetite determined by the board of directors and industry best practices. To strengthen this process, we also leverage anonymised industry data from our extensive work over several years. 

For more information on our internal audit services and capabilities, please contact: 

Kew Yip Han 

Manager 

Ingenia Consultants Pte. Ltd. 

yiphan.kew@ingenia-consultants.com 

The Monetary Authority of Singapore (“MAS”) released its 2024 Proliferation Financing (“PF”) National Risk Assessment (“NRA”) and Counter-PF Strategy on 30 October 2024. This provides an in-depth analysis of Singapore’s exposure to PF risks and outlines a comprehensive framework to mitigate them. As PF threats grow more complex, the MAS emphasises the importance of financial institutions (“FIs”) enhancing their compliance measures to align them with regulatory expectations and evolving risks. 

The assessment identifies several key threats to Singapore’s financial system. A major concern is the misuse of legal entities to obscure the origins and movement of funds, as proliferators often rely on complex corporate structures to conceal illicit financial flows. Additionally, ship-to-ship transfers present another challenge, facilitating the evasion of sanctions and export controls. The trade in dual-use goods—items with both civilian and military applications—poses a heightened risk, as these goods may be diverted for unauthorized purposes. Moreover, luxury goods exports are increasingly exploited as part of PF networks, while virtual assets pose anonymity risks that make them vulnerable to misuse by sanctioned entities. 

The report further highlights that both financial and non-financial sectors are exposed to PF risks. The financial sector, including banks, digital payment token service providers, remittance agents, and maritime insurers, faces heightened risks due to the nature of its operations, which involve international transactions and potential exposure to illicit actors. Similarly, the sector of designated non-financial professions and businesses (“DNFPBs”), including corporate service providers, dealers in precious metals and stones, and legal professionals, is identified as being at risk due to its role in facilitating business transactions, managing client funds, and establishing corporate structures that could be misused for PF purposes. 

In response to these risks, the MAS has developed a counter-PF strategy focused on strengthening Singapore’s defences. The strategy emphasizes raising awareness and building capabilities by engaging financial institutions and businesses to ensure a deeper understanding of PF risks and regulatory expectations. Enhanced compliance measures, including stricter due diligence, improved transaction monitoring, and more effective screening processes to detect and prevent PF-related activities, are essential components of this strategy. The regulatory framework will also have to undergo continuous risk assessments and adaptations to remain responsive to emerging threats in the global financial landscape. 

The implications of this assessment and strategy for financial institutions are significant. FIs must enhance their risk assessment frameworks by integrating the MAS’ findings into their internal risk models. Strengthening due diligence measures, particularly for high-risk sectors and jurisdictions, is critical to mitigating PF exposure. Institutions may also invest in advanced transaction monitoring systems capable of detecting unusual activities, such as transactions involving dual-use goods or entities with opaque ownership structures. Compliance with sanctions regimes remains a critical priority, requiring regular updates to sanctions lists to prevent dealings with designated persons or entities. Furthermore, targeted training programs should be implemented to equip financial sector employees with the knowledge necessary to identify and report suspicious activities effectively. 

The 2024 assessment introduces several key updates and enhancements to Singapore’s approach to countering PF. The scope of PF threats has expanded to include the misuse of virtual assets and the exploitation of luxury goods exports, reflecting the evolving tactics of proliferators. Additionally, emerging high-risk sectors, such as digital payment token providers and maritime insurers, have been identified as areas requiring greater compliance scrutiny. The refined counter-PF strategy places a renewed focus on awareness, control measures, and continuous monitoring to ensure Singapore’s financial system remains resilient against PF threats. 

These developments underscore the MAS’ proactive approach to addressing the dynamic challenges posed by PF. By continually refining regulatory frameworks and strengthening institutional defences, Singapore reinforces its commitment to maintaining a robust and secure financial ecosystem, ensuring it remains well-equipped to combat both existing and emerging risks associated with PF activities. 

How We Can Help 

We at Ingenia Consultants Pte. Ltd. support our clients in navigating their anti-money laundering requirements, including proliferation finance. We specialize in helping our clients comply with these regulatory obligations by developing appropriate policies and procedures. For any further information, please contact:

Phoebe Mok

Senior Manager 

Ingenia Consultants Pte. Ltd. 

phoebe.mok@ingenia-consultants.com  

Financial institutions operating in Singapore, such as holders of a capital market services (“CMS”) licence and payment service providers (“PSPs”), are required to comply with anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulations. One of the key obligations is the timely filing of suspicious transaction reports (“STRs”) with the Suspicious Transaction Reporting Office (STRO), a division of the Commercial Affairs Department (CAD) of the Singapore Police Force (SPF).

This article provides an overview of the legal requirements, indicators of suspicious transactions, and the process for filing an STR to help financial institutions remain compliant.

Legal and Regulatory Framework

The following key regulations govern the obligation to file an STR:

  • Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (“CDSA”)
  • Terrorism (Suppression of Financing) Act 2002 (“TSOFA”)
  • Notices and guidelines by the Monetary Authority of Singapore (MAS), namely
    • MAS Notice SFA04-N02 for CMS licence holders, or
    • MAS Notice PSN01 or PSN02 for payment service providers

Under these laws and regulations, financial institutions must promptly file an STR when they have reasonable grounds to suspect that a transaction is connected to criminal conduct, money laundering (“ML”), or terrorism financing (“TF”). At the latest, they are to submit the STR within 15 business days from their discovery of the suspicious transaction (para. 13-1 Guidelines to SFA04-N02 for CMS licence holders and para. 18-1 Guidelines to PSN01 or para. 16-1 Guidelines to PSN02 for PSPs).

STRs filed by Financial Institutions in Singapore

As per information published by the Singapore Police Force (“SPF”)1, the number of STRs filed increased significantly in the past years.

Year    Number of STRs Filed    % Increase
2020    33,882
2021    45,897                  35%
2022    49,846                  9%

Banks submitted by far the most STRs: 60% of all STRs in 2021 and 58% in 2022.

Indicators of Suspicious Transactions

All financial institutions should identify red flags common to their type of business and, more specifically, to their company’s specific business. They should list these red flags in their procedures and include them in the AML/CFT training of their staff.

While not exhaustive, the following are common red flags that may warrant an STR filing:

  • Transactions involving unusually large amounts with no clear economic purpose;
  • Request by a customer for investment management services where the source of funds is unclear or not consistent with the customer’s apparent standing;
  • An account operated in the name of an offshore company with structured movement of funds;
  • Cross-border transactions involving the acquisition or disposal of high-value assets that cannot be clearly identified as bona fide transactions;
  • Transactions linked to high-risk jurisdictions identified by the Financial Action Task Force (FATF);
  • Customers unwilling to provide information on the source of funds or the purpose of transactions;
  • The customer uses intermediaries that are not subject to adequate AML/CFT laws;
  • A customer relationship with a payment service provider in which a customer has a large number of accounts with the same payment service provider and frequently transfers between different accounts;
  • Concentration of payments where multiple senders transfer money to a single individual’s account;
  • Frequent changes to the customer’s address or authorized signatories;
  • Customers are in a hurry to complete the transaction, with promises to provide the supporting information later;
  • Funds or digital payment tokens (“DPT”, commonly referred to as cryptocurrencies) used by a customer to settle his obligations are from a source that appears to have no explicit or direct links to the customer;
  • Frequent changes in the customer’s identification information, such as home address, IP address, or linked bank accounts/wallet addresses.

Refer to the MAS’ AML Guidelines applicable to your type of business for further examples of red flags that are specific to your type of business (Guidelines to SFA04-N02 for holders of a CMS licence, e.g. for fund management or dealing in capital markets products, Guidelines to PSN01 for PSPs offering fiat payment services such as domestic or cross-border money transfer service, merchant acquisition service, or account issuance service, or Guidelines to PSN02 for PSPs providing digital payment token, i.e. cryptocurrency, service).

Filing an STR: Step-by-Step Process

Identify and Assess the Suspicious Transaction

  • Staff carrying out various tasks may identify suspicious transactions either at the time of onboarding or throughout a customer’s relationship life cycle. Suspicious transactions and other new information indicating an ML/TF risk can also be identified through automated monitoring systems. These systems continuously monitor/screen the customers and analyse transaction patterns, customer behaviour, and predefined rules. The systems help flag information and anomalies that could be potential red flags compared to the customer’s profile, prompting further investigation by compliance teams.
  • Staff who identify a suspicious transaction should escalate their suspicion to their compliance team or money laundering reporting officer (“MLRO”), as indicated in your AML/CFT policies and procedures.
  • Once the suspicion has been escalated, the compliance team or MLRO will conduct internal investigations and review the transaction in question.

Complete the STR Form and Submit it to STRO

  • The MLRO or a compliance officer may access the STR form via the STRO Online Notices and Reporting (“SONAR”) system and electronically submit the completed STR form.
  • In the STR form, you must provide details such as transaction amounts, counterparties, account details, and the basis of suspicion. Supporting documents (e.g., transaction records and emails) should be attached where relevant.

Maintain Confidentiality

The fact that an STR has been filed must not be disclosed to the customer. Tipping-off is an offence under the CDSA and TSOFA. Even internally, this information should only be on a need-to-know basis.

Ongoing Monitoring and Internal Reporting

  • Even after the submission, you must continue monitoring the account for further suspicious activity, possibly even conducting enhanced monitoring.
  • Moreover, you should consider additional control measures and implement them, as appropriate.
  • Don’t forget to maintain proper internal records of the STR submission and any follow-up actions.

Compliance Best Practices

The filing of STRs is part of your comprehensive AML/CFT framework. It must be properly embedded and connected within your entire framework to effectively detect suspicious transactions (and adverse information) and ensure their proper filing through STRs.

  • Establish a robust AML/CFT framework, including internal policies and training programs.
  • Ensure all employees are aware of their obligations and are trained in identifying suspicious transactions.
  • Regularly review transaction monitoring systems to enhance detection capabilities, and fine-tune them to keep them relevant.
  • Maintain a log of cases where an STR was filed and of circumstances where it was decided not to file an STR, with the rationale for the decision.
  • File the STR as soon as investigations are completed and the facts have been established. At the latest, you should file the STR within 15 business days after the discovery of the suspicious transaction.
  • Cooperate fully with regulatory authorities and provide additional information when required.

Conclusion

Filing STRs is a critical compliance requirement under Singapore’s AML/CFT regulations. Capital Market Services licence holders and Payment Service Providers must establish strong internal controls to detect and report suspicious transactions in a timely and accurate manner. Failure to comply may result in regulatory penalties and reputational damage. Staying vigilant and adhering to legal obligations will help financial institutions contribute to Singapore’s efforts in combating financial crimes.

How We Can Help

We at Ingenia Consultants Pte. Ltd. support our clients in navigating their anti-money laundering requirements, including the filing of STRs. We specialize in helping our clients comply with these regulatory obligations by developing appropriate policies and procedures. For any further information, please contact:

Vijay Bharadwaj

Director

Ingenia Consultants Pte. Ltd.

vijay.bharadwaj@ingenia-consultants.com