123/A, Miranda City Likaoli Prikano, Dope
+0989 7876 9865 9
+(090) 8765 86543 85
info@example.com
example.mail@hum.com
The Singapore AML/CFT compliance checklist is among the most comprehensive, as it is based on legislation, regulatory notices, and international standards. The main pieces of legislation that regulate anti-money laundering and countering the financing of terrorism are the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), the Terrorism (Suppression of Financing) Act (TAFA) and the Mutual Assistance in Criminal Matters Act (MACMA), together with the Monetary Authority of Singapore Act, which allows MAS to issue binding notices and guidelines to all financial institutions that it regulates, including fund managers.
MAS Notice SFA04-N02 outlines the requirements for fund managers under their Capital Markets Services (CMS) licence for customer due diligence, record-keeping, suspicious transaction reporting, and transaction monitoring. Singapore’s framework is consistent with the Financial Action Task Force (FATF) recommendations, and continues to be evaluated via mutual evaluation reviews. The MAS AML CFT for fund managers is expected to be implemented, documented, and tested regularly by fund managers operating in or from Singapore.
In the context of an AML compliance guide for Singapore fund managers, compliance is not just about the legal “tick”; it is also about maintaining business integrity and investors’ confidence. The role of the fund manager is pivotal in the financial system, as they bring together investors’ funds, invest them across asset classes and geographies, and deal with different counterparties whose beneficial owners can be complex or hidden. This renders them an easy lure for people wishing to wash their dirty money or funnel cash to terrorism. A strong AML/CFT system will help the fund manager avoid the risk of unwittingly becoming a “conduit” for financial crime, safeguarding the firm’s image and investor protection.
The protection of reputation is not the only reason for compliance with AML/CFT; it is also necessary to ensure that the fund manager remains eligible to hold its operating licence and to maintain its relationships with other institutions. MAS conducts periodic supervisory assessments and thematic and targeted inspections of fund managers’ compliance functions. The errors and omissions found during these reviews may lead to formal regulatory responses, such as issuing licence conditions, revoking licences, levying civil penalties, or prosecuting responsible persons. Institutional investors and global custodians also conduct their own due diligence on counterparties’ fund management compliance procedures in Singapore, and a robust, well-documented AML/CFT programme is essential for institutional investors to access funding and prime brokerage offerings.
MAS Notice SFA02-N02 is a vital compliance document that fund managers should refer to first. The notice is legally binding and, in the event of a conflict with internal guidelines, takes precedence. The regulatory compliance checklist prepared by the MAS from this notice covers all phases of the client lifecycle, from client onboarding through CDD and subsequent monitoring up to exit, and calls on fund managers to adopt a risk-based approach tailored to the client’s risk profile.
Table 1: Key MAS AML/CFT Regulations for Fund Managers
Fund managers play a vital role as gatekeepers in the wider Singapore AML/CFT landscape. They are the ones who bring together and control third-party capital and, as such, can spot suspicious investment patterns, abnormal investment flows, and clients whose sources of wealth do not align with the investments they make. MAS wants fund managers to be proactive in the fight against financial crimes, and internal controls must be comprehensive enough to identify not only the obvious red flags but also subtler ones that may signal potential financial crimes.
In reality, this requires the fund manager’s compliance function to collaborate closely with the front office, so that AML/CFT is not seen as an administrative back-office issue but rather becomes part of everyday activity. It is everyone’s responsibility, from portfolio managers to investor relations and operations staff, to detect and flag unusual activity. A fund manager who has only a compliance officer to perform these duties will certainly miss the mark on certain aspects of the requirements, which MAS and well-informed institutional investors will pick up during their supervisory visits and due diligence checks.
The CDSA and TAFA prescribe criminal penalties against the fund manager or its key personnel that apply when a suspicious money transaction is not reported, or when a money transaction is reported but is not determined to be suspicious. Fines of up to S$500,000 and up to 10 years in jail are possible for convictions.
A fund manager holding a CMS licence may have their licence revoked or suspended if MAS thinks that the AML/CFT controls are materially inadequate. Should the licence be lost, the fund manager will no longer be able to conduct business in Singapore, which may trigger redemption obligations for investors.
For any infringements of MAS notices and guidelines, civil penalties, including disgorgement of profits from non-compliant conduct, may apply. Financial penalties are made public, adding to the damage to the reputation.
Key individuals who have been determined to be responsible for compliance failures may be subject to formal reprimands and/or prohibition orders, which will be published on the MAS website and will remain in effect permanently.
It is expected that many firms will have operations that involve more than one regulatory function. Both the SFA and the FAA could license a company that handles investments and offers financial guidance. As the interaction among these frameworks comes into play early in the planning process, expensive structural changes are avoided once operations have begun.
The basis of effective AML compliance services for fund managers is an enterprise-wide risk assessment (EWRA). It requires the fund manager to identify and assess, systematically and comprehensively, the money laundering and terrorist financing risks associated with its business, covering its customers, products and services, distribution channels, and geographic presence. The EWRA should be reviewed and updated as necessary whenever there is a significant change in the business, the environment, or both, and as a good practice every year.
The EWRA’s output is a critical factor in developing the fund manager’s AML/CFT controls. If an entity has a high percentage of politically exposed persons (PEPs) on its client list, it should apply more stringent due diligence measures in line with the risk. The EWRA must be documented, approved by senior management, and made available for inspection during supervisory reviews, in accordance with MAS expectations. Companies that fail to perform a comprehensive evaluation (identifying and stating risk factors without truly analysing their probability and consequences) will end up with controls that are out of sync with actual risks, resulting in structural weaknesses in regulatory and operational requirements.
Clients with, or former, high-profile public positions, and clients’ close associates and family members, are automatically considered high risk. Be more rigorous when undertaking due diligence and approvals at the senior management level before hiring, and more frequent and rigorous monitoring after hire.
When there are FATF warnings or countermeasures, UN sanctions, or MAS advisories, they need to be treated with greater care. The fund manager should document its understanding of the risks in the jurisdiction where it operates and take these risks into account in its onboarding and monitoring processes.
A combination of opacity in beneficial ownership, such as trusts, foundations, multi-layered corporate structures, and nominee arrangements, means that clients with opaque beneficial ownership carry a higher risk, because it is difficult to determine who the ultimate natural persons in control of the funds are.
Any transaction that lacks the consistency of the client’s investment objectives, has unusually high cash movements in and out of the account, or is typical of layering (frequent movement of large amounts of cash in and out of the account) should be escalated for review, regardless of whether the client has been a patient for a long time. Regardless of the length of the client’s tenure, transactions that are inconsistent with the client’s stated investment objectives, have unusually high cash movements in and out of the account, or are typical of layering (frequent movement of large amounts of cash in and out of the account) should be escalated for review.
FATF grey-listing, corruption and weak AML/CFT systems in jurisdictions where fund managers invest or receive funds should trigger further due diligence on funds and transactions involving the jurisdictions.
Some fund structures, such as funds that accept bearer instruments, funds with no lock-up periods, or high-velocity trading strategies, have greater potential for layering or structuring. There must be a specific reference to product-level risk in the risk assessment.
The non-face-to-face nature of onboarding, digital investor portals, and intermediaries (including sub-distributors or placement agents) increases the risk to the final investor’s identity and source of funds, necessitating compensating controls.
Risk assessments need to be seen as living documents rather than snapshots. MAS considers that fund managers should recalibrate their assessment when there are material business changes (e.g. new products, new markets or significant changes to the fund client base), external developments (e.g. new FATF guidance, MAS circulars or changes to sanctions lists), or internal incident(s) / audit finding(s) that indicate gaps in existing controls. The updates should be done at a frequency commensurate with changes in the business environment, but at least once a year is considered good industry practice.
Standard CDD is the minimum due diligence the fund manager should conduct when a new investor comes on board, before entering into a business relationship with them or performing a transaction on their behalf. Standard CDD involves the fund manager determining the customer’s identity, verifying it with reliable, independent source documents, understanding the nature and purpose of the anticipated business relationship, and evaluating the customer’s risk profile based on the information obtained. For individual investors, this usually means providing a government-issued identification document and confirming the customer’s name, date of birth, and home address. Corporate investors need to recognise the legal entity, confirm the entity is registered, understand its shareholding, and identify the directors and the legal documents.
In addition, the anti-money laundering checklist Singapore funds for standard CDD will request information regarding the source of wealth and source of funds of the customer, where the investment funds have come from and how the customer has earned his/her wealth. This information is used as the starting point to measure future transactions for consistency and reasonableness. MAS expects this process to be documented as it occurs, with copies of all verification documents retained for at least 5 years after the closure of the business relationship.
Enhanced due diligence (EDD) should be carried out on all clients identified as high risk under the firm’s due diligence procedures, including PEPs, clients from high-risk jurisdictions, and clients with complex or opaque ownership structures. Beyond the traditional requirements of CDD, EDD entails greater depth of knowledge about the nature and pattern of the business relationship, the need to seek approval from senior management before commencing the relationship, and more frequent and more intensive ongoing monitoring throughout the relationship’s lifecycle.
PEPs, in particular, are required to determine whether any customer or that customer’s beneficial owner is a PEP, obtain approval from the security and finance team to enter into or maintain a business relationship with them, and implement appropriate measures to establish the source of wealth and source of funds. EDD is not an extra step; it is a higher level of awareness to be sustained throughout the period of high-risk classification. All reasons for the EDD and any further steps taken should be recorded in the client’s file.
Fund managers should seek to identify members of the firm who are the ultimate owners or controllers of a corporate customer, whether by owning or controlling more than 25% of such customers or by otherwise exercising effective control. If more than one layer is involved in the structure, this analysis should work through each layer to determine which natural persons are at the top of the ownership hierarchy.
The fund manager should ascertain the names of the settlor, trustees, protectors (if any), beneficiaries or classes of beneficiaries and any other natural person who has ultimate control over the trust (for trusts). Every role will need to be independently verified to the appropriate standard for the role based on the individual’s risk profile.
In cases where a customer has appointed a nominee shareholder or director, the fund manager will be required to identify the beneficial owner behind the nominated shareholder/director and obtain confirmation of the nominee arrangement. It is not compliant with MAS requirements if only the nominee’s identity is provided, without the ultimate principal’s identity.
Beneficial ownership information should be reviewed and updated when the fund manager has reason to believe it may have changed, and at least once a year for high-risk clients. Any changes to beneficial ownership should be documented, and the associated risks should be assessed promptly.
For both LFMC tracks, the CEO must be a Singapore resident, the directors must have the required seniority and residency while the track must have a physical office in Singapore. They are both required to comply with both the AML/CFT requirements and regulatory reporting obligations of MAS and fit and proper criteria of all key personnel of MAS. So it’s not just a question of compliance costs, but of the firm’s desired clientele and future business plan.
Ongoing monitoring is a duty throughout the client relationship and is tailored to each client’s risk level. It includes regular re-compliance of the client’s KYC data to keep it up to date and accurate, monitoring of transactions to ensure they are consistent with the client’s profile, and periodic re-risking to capture any changes in the client’s circumstances or the external environment that might affect their risk profile. High-risk clients should be reviewed more often – MAS guidance is that an annual review is the minimum for high-risk relationships, with more frequent reviews if circumstances dictate. All monitoring actions should be documented, and any anomalies should be reported up the firm’s internal reporting chain.
Government-issued ID documents must be collected and verified by fund managers for all individual customers and authorised signatories. Documents must be current at the time they are collected, and where original documents are not submitted, copies must be certified as true copies by authorised person(s) and kept in the client file.
Required documents for corporate investors are the certificate of incorporation, memorandum and articles of association, a register of directors and shareholders, and resolutions authorising investment. Where possible, each document must be cross-referenced with an independent, reliable source.
Where appropriate, detailed information on the source of wealth and/or funds should be sought and corroborated with supporting documents, such as bank statements or tax returns.
Knowing the customer’s investment goals and the expected type of investment-to-customer relationship provides a reference point for transaction monitoring. A significant deviation from the stated objectives is an important driver of review and escalation.
All customers, beneficial owners, directors and authorised signatories are to be screened against sanctions lists before customer onboarding and periodically throughout the customer relationship, including: the United Nations Security Council Consolidated List; Singapore’s domestic Terrorism (Suppression of Financing) Act designations; and lists issued by MAS. The screening shall be conducted whenever there is a material change in the client’s profile or whenever the fund manager is aware of any new designations that may be of concern to current clients.
Screening tools should be able to detect name changes, transliterations, and aliases, and should be kept current with the issuance of new designations in near real time. If there is a potential match, the fund manager should have a clear escalation procedure in place which establishes whether the match is a true match or a false match, records the results of the match and — if the match is confirmed — promptly takes measures to freeze assets and makes the appropriate reports to the Suspicious Transaction Reporting Office (STRO) and MAS.
PEP screening is required at onboarding for all customers and beneficial owners, and ongoing to identify PEPs who become PEPs after the business relationship is formed. A PEP is defined under MAS Notice SFA04-N02 as an individual who is or has been in a prominent position or function, such as heads of state and government, senior politicians, senior government officials, senior judicial officials, senior military officials, senior executives of state-owned enterprises, and senior officials of international organisations. The fund manager is also responsible for determining who are close associates and immediate family members of PEPs, as they may be used as intermediaries in transactions involving PEP-connected funds. The basis for the classification should be clearly recorded in all PEP determinations.
The KYC should be kept up to date and accurately describe the client’s profile at all times. Any information found to be incorrect or out of date will be updated as soon as possible, and the significance to the client’s risk rating will be considered and recorded.
All KYC documentation should be retained for 5 years from the termination date of the business relationship, or from the transaction date in the case of transactions that do not constitute an ongoing business relationship. In certain situations, longer retention periods may be required for MAS.
Records shall be maintained in a manner that facilitates easy retrieval in the event of a regulatory inspection, internal audit, or law enforcement request. In MAS supervisory reviews, incomplete or disorganised KYC is a frequent occurrence, indicating systemic shortcomings in the compliance programme.
All KYC documents, both electronic and paper, are subject to protection against access, deletion or alteration without permission. Accountability and regulatory review require electronic systems to have audit trails that track access to and changes to a record and by whom.
Transaction monitoring is the process or mechanism used to determine whether transactions occur that are inconsistent with the client’s profile, investment goals, and historical activity. Fund managers must be particularly mindful of any complex, unusually large, or unusual patterns of transactions that serve no economic or obvious lawful purpose, in accordance with MAS Notice SFA04-N02. This doesn’t just apply to large one-off transactions but also to a series of smaller, more frequent abnormal transactions. Under the Singapore financial firms’ framework for CFT compliance, all monitoring cases, whether opened or closed, should be recorded, with the rationale for closure.
To effectively monitor transactions, baseline transaction profiles need to be set for each client, which can be benchmarked against current transactions. These profiles should be based on the client’s investor profile, investment goals, stated source of wealth and frequency and size of transactions. Any deviation from this baseline, especially when accompanied by other red flags such as third-party funds, requests for unusual payment methods, or changes to bank account information, should automatically trigger a review and escalation to the compliance officer for consideration of an STR.
Money invested and withdrawn within a short period of time without an apparent investment purpose, or that is straightaway redirected to third parties, is a classic sign of layering – the second phase of the money laundering cycle – and is subject to review.
Significant red flags are subscriptions from accounts other than the client’s and/or redemption proceeds to third-party accounts. Fund managers need to have a policy that proceeds from a redemption are paid to the account upon which the subscription was originally made.
Any transactions that do not align with the client’s stated goals, risk profile, or financial means — for instance, a large purchase by an individual who states that he does not have the funds — must be investigated immediately and may be subject to greater due diligence.
If there are multiple transactions just below a reporting or review threshold, or if subscription and redemption patterns appear designed to circumvent automated monitoring triggers, then it should be considered structuring, even if a single transaction is not in and of itself suspicious.
All fund managers should have a well-documented escalation procedure that outlines the person to whom staff are to report concerns, what will happen as a result, and how this will be done. The escalation chain should result in the case being submitted to the designated compliance officer or money laundering reporting officer (MLRO) for review to determine whether to file an STR. Staff should be shielded from any adverse effects on their employment status if they make a good-faith report in accordance with the firm’s reporting procedures – this is also a legal requirement under the CDSA in Singapore. The escalation process should be documented in the firm’s AML/CFT policies and procedures handbook, and all staff should be trained in it.
An automated system would identify transactions that meet predefined threshold criteria, including those of a certain size, fund transfers to a specific high-risk jurisdiction, or unusual frequency within a certain time frame.
More complex systems use scenario models to determine whether a pattern of behaviours, as a whole, indicates suspicious activity, even if none of the data points individually pass a threshold. These models need to be calibrated periodically to remain effective.
The automated systems produce alerts that trained analysts review and disposition. The review of alerts, as well as the rationale for closing an alert without escalation, should be fully documented, and MAS expects firms to demonstrate the quality and consistency of their alert review process.
As the business grows, automated monitoring systems need to be validated periodically to ensure they remain fit for purpose. Validation should measure the quality of alerts produced, the false-positive rate, and whether the scenario and threshold are still correctly aligned with the firm’s risk profile.
The fund manager has a legal duty under Section 39 of the CDSA and Section 4 of the TAFA to report an STR if they know, suspect or have reasonable grounds to suspect that a transaction or activity is linked with a criminal offence. The filing requirement is intentionally low – suspicion, not certainty, is enough to fulfil the obligation. Again, this means that when there is reasonable suspicion based on preliminary facts, fund managers should not delay filing to investigate further. The obligation to file shall arise as soon as practicable, and even if the transaction is not finally completed. In a supervisory review, it is common for this threshold to be underreported, so the process for preparing a fund manager’s AML audit should ensure that staff members are well aware of it.
Obviously, the fact that the client has a longstanding relationship, the size of the transaction is small, or the suspicious indicators may have a legitimate cause, are not enough to determine not to file. If in doubt, the compliance officer should file it. The disclosure of a report, or the fact that a report is being considered, is in itself a criminal offence under CDS, A, and fund managers should have procedures in place to ensure that client-facing staff do not inadvertently disclose that a report is being considered.
STRs should be submitted to the Suspicious Transaction Reporting Office (STRO) of the Singapore Police Force via the Suspicious Transaction Reporting Office’s online reporting platform (SONAR). Fund managers need to make sure that the necessary staff are on this platform and know how to operate it in time.
An STR should provide enough detail to allow law enforcement to know the reasons for suspicion. This comprises the name of the subject, the type of suspicious activity, and the transactions (dates, amounts, and by whom). Failure to provide a complete report may result in it being returned or not being processed during the investigation.
The compliance officer should document the facts surrounding the STR and review them before filing to ensure that the STR is well-founded and includes all relevant facts. This review should be completed promptly to prevent undue delay in filing after a decision to file is made.
The fund manager shall make every effort not to advise (indirectly or directly) the subject of the report that an STR has been filed or is under consideration. There is a need to inform staff who will come into contact with the subject client, on a need-to-know basis.
Recordkeeping is required for all STRs, including a copy of the entire report, the date that it was filed, confirmation from STRO of receipt of the report and all underlying documentation and analysis that led to the report. These records shall be kept for a minimum of five years and shall be produced upon request to MAS or law enforcement officials. Any case that has been investigated but not resulted in an STR, along with the documented reasons for that, should also be kept, as it will give a good idea of how well and consistently the firm is monitoring and escalating cases.
It is important to note that fund managers should be ready to assist MAS, the police, STRO, and other competent authorities in all AML/CFT inquiries, investigations, and asset-freezing orders. Promptly responding to production requests for customer information and transaction data, responding to instructions to freeze/block transactions while under investigation, and responding to regulatory requests with accurate and complete information. The fund manager’s policies should clearly delegate specific staff members to deal with regulatory authorities, establish procedures for internal escalation, and document interactions with the authorities.
The new MAS Notice, SFA04-N02, sets out a 5-year retention period for most AML/CFT records, starting from the date the business relationship ceases and/or the date the transaction is completed. The retention period might be extended if records are relevant to any current investigation or regulatory action, and will remain in place even after the fund is wound up or the fund manager ceases to operate the fund in accordance with MAS’s directives (records should be handed over to an appropriate custodian in such cases).
Table 2: MAS AML/CFT Record Retention Requirements
Comprehensive audit trails are particularly crucial for regulatory compliance and for the fund manager’s internal audit and investigative efforts. An audit trail should not just capture who did what, when they did it, and what they did, but also why they did it and why they didn’t. All supporting documents obtained during the CDD and monitoring process should be kept in the same format in which they are collected (paper or electronic) and not modified once collected. If electronic records are kept, there should be the capability to obtain a full, unaltered copy of all activities relevant to the record as it stands at any given time, on demand.
Access controls that limit the retrieval of AML/CFT records to authorised persons must be provided in systems or physical locations that keep records. A record of all accesses, modifications, or retrievals shall be kept in access logs to aid accountability and/or a forensic investigation, if required.
Electronic records are to be regularly backed up and safeguarded against system loss, cyberattacks, or physical disasters. BCP should cover access to compliance records within a timeframe that corresponds to regulatory requirements.
Paper records, such as original identity documents, certified copies and wet-ink agreements must be kept in secure, fire-resistant buildings with controlled entry. They should be organised and catalogued so they can be easily retrieved during regulatory reviews.
Fund managers should be able to proactively and in an orderly manner provide requested records in response to supervisory inspections under the MAS. Inspections may require access to KYC data, transaction data, monitoring logs, STR histories, training records, and governance documents — and these requests can come in at lightning speed. Firms should have a document management system that enables them to retrieve documents by name, date, or type when a document is needed, rather than performing a manual search in unstructured storage. Responding efficiently to requests from regulators is already a key indicator of the quality of the fund manager’s compliance infrastructure and is part of MAS’s overall assessment.
The AML/CFT policies and procedures manual is the bedrock of the fund manager’s AML/CFT compliance programme. This document shall incorporate the requirements of MAS Notice SFA04-N02 and all other relevant regulations into practical and concrete procedures that will be followed consistently by staff members in their daily work. Should encompass all phases of the AML/CFT lifecycle – client onboarding, CDD, monitoring, escalation, STR filing, record keeping, training and audit. The manual shall be reviewed and approved by senior management at least once a year and whenever there are material changes to the regulatory framework or the business. If a policy has not been updated since licensing and is not aligned with MAS guidance and/or the firm’s actual operating model, it has no meaningful compliance significance. It will be considered a deficiency during supervisory review.
Effective procedures are specific, actionable, and carried out by a named role rather than an unspecified part of the organisation. They need to define exactly who does what, who has to do what, what paperwork needs to be completed, who should be escalated to, and what should be done if there is a change of mind at each stage of the process. Managers who are creating their first fund management compliance framework in Singapore should take the time to develop procedures that suit their business model – those founded on a generic template without the consideration of their own investor base, strategies and organisational structure are unlikely to be effective on the ground.
MAS believes that the tone of commitment to AML/CFT compliance should be set clearly by the board and senior management throughout the organisation. This involves demonstrating by example a decision-making process based on compliance rather than commercial pressures, and never putting compliance second to commercial pressures.
The firm’s AML/CFT policies and procedures, the enterprise-wide risk assessment and any material changes to the compliance programme must be formally approved by senior management. This approval needs to be recorded on dates and with signatures as a record of governance oversight.
Senior management approval before onboarding and a continued relationship are specific requirements for the MAS for PEP clients and any other high-risk clients identified as requiring EDD. They must be implemented and documented in procedures and the client file.
Senior management is responsible for ensuring that the compliance function has adequate human, technological and financial resources to meet its responsibilities. When compliance failures are found, MAS will not accept Resource Constraints as a mitigating factor.
The designated compliance officer (often the same person as the MLRO) will be the person to manage the day-to-day implementation of the firm’s AML/CFT programme, which means ensuring that policies are complied with, monitoring is effective, escalation is dealt with in a timely manner, and training is provided.
The compliance officer is usually the person who determines the situation of filing an STR. The job demands clear judgement, a sound knowledge of the requirements of the MAS, independence and authority to make decisions without being overly influenced by commerce.
The compliance officer is the key liaison with MAS and other regulatory authorities, is responsible for regulatory correspondence and is responsible for coordinating the firm’s response to supervisory inquiries, inspections and production orders.
The compliance officer should also review the firm’s programme as part of their duties and consider what new risks or regulatory changes might necessitate changes to the programme, and report improvements to senior management for approval.
The compliance function must be independent of those activities that it is responsible for overseeing if it is to be effective. The compliance officer should report directly to the board or a board committee and not be underreported to any revenue-generating function that might create an opportunity for bias in decision-making. Many fund managers, especially smaller managers, hire outside
compliance providers such as Singapore AML compliance consultants to fill in the gaps or to fulfil the role of compliance officer. This is acceptable under MAS guidelines, as long as the firm maintains ultimate responsibility for compliance, the arrangement is reported to MAS if necessary, and the external provider has adequate access to the firm’s business to be able to do meaningful oversight. The internal audit function is also assisting with independent compliance oversight, where it offers a separate layer of review assurance on the effectiveness of the AML/CFT programme.
MAS Notice SFA04-N02 stipulates that fund managers must establish training programmes which ensure all relevant personnel have an understanding of the relevant AML/CFT laws and regulations, of the firm’s policies and procedures, of what constitutes suspicious activity and how it must be reported and of the penalties that may be imposed upon the firm and individual for non-compliance. Training must be available from the day of licensing; it is not optional, nor can it be put off until later in the firm’s development. Training records are routinely checked by MAS officers in the course of supervisory inspections to determine that the firm’s human defences against financial crime are proportionate to their documented controls.
The nature and content of the training programme should be varied so as to meet the needs of various roles in an organisation. The front office needs to have hands-on experience with the identification of red flags, the escalation process and the responsibilities associated with the CDD of the particular front office personnel. The compliance officer and senior management need to gain a better understanding of the regulatory framework, governance responsibilities and expectations of MAS. All staff need to be made aware of general AML/CFT duties for the firm and the legal responsibilities of non-compliance, tipping off or deliberate facilitation of money laundering.
Training should be tailored to the job of each role. Compliance training that can be conducted in a generic manner without taking into account the actual day-to-day activities of a fund manager, such as investor onboarding, processing of subscriptions and redemption, and portfolio management, will probably not be effective and will not meet MAS’s expectations.
The staff are better equipped to recognise suspicious activity through the use of anonymised real-world cases and typologies from FATF, MAS and STRO publications. Abstract training, which focuses on regulatory requirements but lacks concrete examples, is likely to lead to poorer retention and to less effective vigilance.
Staff should be able to recognise common AML/CFT red flags relevant to their work, such as unusual investor behaviour, inconsistencies in KYC information, unusual payment patterns, and client requests that deviate from the norm. An effective programme includes regular updates and reminders on red flag awareness.
Training should ensure that reporting concerns is a legal and professional duty and that staff are not faced with a risk of retaliation for making good faith reports. Establishing an environment where escalation is regarded as a positive and professional behaviour and not as a breach of loyalty to the client relationship is an important objective of good AML/CFT awareness training.
Any new staff members who have AML/CFT roles will need to be trained before taking on their role. It is a minimum expectation in the MAS and can’t be postponed until after the person has already started interacting with clients or transactions.
Refresher training should be offered at least once a year and include updates as necessary to address changes in MAS regulations, new FATF typologies or audit or monitoring results that highlight areas in need of reinforcement. Annual training is the minimum; more frequent training is required in a fast-changing regulatory environment.
All training provided should be recorded, and details of the date, content, training format (face-to-face, e-learning, etc.), and attendees’ names should be recorded. The records should be kept for five years and made available for MAS inspection.
Training without understanding assessment will give a partial view of the human capacity for compliance within the firm. Formal testing – such as quizzes, scenario-based or structured tests – should be a part of the training programme for fund managers to ensure that employees have understood and remembered the information. The results of testing should be recorded, and any member of staff who exhibits significant knowledge gaps should be given follow-up training before returning to duties that put the firm at risk of AML/CFT. Documented testing programmes are a positive sign of a developed and committed compliance culture in MAS’s eyes.
Independent AML/CFT audits offer the board and senior management an independent view of the effectiveness of the firm’s compliance programme in practice, not just theory. MAS expects the fund managers to have their AML/CFT controls independently tested periodically, and at frequencies and with the scope commensurate with the firm’s risk profile. An audit that simply verifies that policies exist but does not assess their effectiveness is inadequate and will not meet MAS’s expectations. To prepare for AML audits, fund managers need to ensure that the scope of the audit includes all the key elements of the AML/CFT programme, including CDD, EDD procedures, transaction monitoring and alert management, STR procedures, recordkeeping, training and governance.
The independence requirement implies that the audit should be performed by a person who is not involved in the day-to-day running of the AML/CFT programme. This would normally be achieved by smaller fund managers by hiring an external firm, either from an AML advisory firm or by engaging an independent AML compliance specialist, to perform the review. In larger companies, an independent internal audit function can do this if it is sufficiently independent from the compliance function that it is being assessed. An independent internal audit function may be able to do this in larger businesses, as long as the lines of responsibility make it clear that it is independent of the compliance function it is assessing. All audit results should be shared with either the board or a committee on the board that has responsibility for the audit, and results should be followed up on until remediation is implemented.
Representation of sample files to be reviewed to determine if CDD and EDD have been completed in accordance with policies and MAS requirements, and if documentation is complete and current, and if risk ratings are in line with the actual risk of the client.
The audit should include a determination of whether the firm’s transaction monitoring system is providing alerts of appropriate quality; whether the alerts are reviewed and dispositioned in a timely and consistent manner; and whether the rationale for alert disposition is well documented.
The audit should confirm that the “STR escalation process” is working effectively, that all STRs that should have been reported were reported and that the documentation pertaining to both reporting and not reporting STRs is adequate and well-reasoned.
The audit should verify that all necessary employees are trained promptly, that records are kept, and that the training is up to date and relevant to the firm’s risk profile and employees.
The findings are not restricted to small or recently-licensed fund managers and are always identified in firms of all sizes in their supervisory reviews conducted by MAS and in independent audits. What is common to all of these is the disconnect between what is written in the policy and what is being done on an operational basis, which can grow over time as the pressure of business builds and compliance procedures fall behind the firm’s development and changes.
Table 3: Common AML/CFT Audit Findings and Remediation Actions
If the audit results indicate findings, the fund manager shall design a formal remediation plan to include the corrective action to be taken, who is responsible for taking the action and the expected completion date. The Senior Management team must approve the remediation plan, and the compliance officer must monitor its completion. MAS takes the prompt resolution of material findings as a given, and if the finding is outstanding for several audit cycles without resolution, it is a clear governance issue that could be brought up in supervisory discussions. If a finding is made identifying a systemic weakness in the system, the remediation plan should remedy the systemic weakness and not simply the instance identified to prevent recurrence.
AML/CFT compliance is an all-encompassing, never-ending requirement for fund managers in or from Singapore that covers all aspects of the business. This AML compliance checklist Singapore has outlined the essential elements of an effective programme, including a risk-based enterprise-wide risk assessment, appropriate CDD and KYC processes, disciplined transaction monitoring, prompt and well-documented filing of STR, extensive records, an effective internal governance framework, staff training and a robust independent audit. All of these components support each other — if one is lacking, the programme as a whole could be undermined.
MAS’s supervisory review is more data-driven and risk-focused, with specific thematic inspections of fund managers added to regular on-site reviews. Fund managers with investment strategies that are based on the creation of a meaningful compliance program — not a program that meets the letter of the regulatory requirements — will be more likely to withstand regulatory supervision, attract institutional investors and sustainably manage their businesses as the regulatory landscape in Singapore evolves. When hiring Singapore AML compliance consultants, it is important that they have first-hand experience with MAS supervisory expectations as well as the fund management industry, rather than just generic compliance skills.
Finally, sustainable AML/CFT compliance is a cultural thing, and not a documentation exercise. The most advanced policies and monitoring will be ineffective if the people executing them do not truly grasp why AML/CFT controls are important and how their actions (or inactions) affect the firm’s AML/CFT compliance profile. The culture has to be demonstrated at a senior level, backed by appropriate training and awareness initiatives, a transparent and secure escalation pathway, and a readiness for rapid action on concerns raised — regardless of the business impact.
A solid understanding of the MAS AML CFT requirements for fund managers, which are covered in this guide, is fundamental for any compliance professional to build a successful career in this sector at the junior and mid levels. Being able to interpret the regulatory requirements into day-to-day practice and to differentiate between what is real risk and what looks like an indicator of risk, and clearly articulate compliance expectations to colleagues and senior management, is a highly sought-after skill in the industry. Building a compliance function that is appreciated, well-resourced, and truly embedded in the business can be a regulatory asset and a competitive differentiator — and one of the most significant things a compliance professional can do for their organisation.
