How a MAS Compliance Audit Works: What to Expect

01 Introduction

Overview of MAS Compliance Audits

In essence, a MAS compliance audit, also known as a supervisory review, a thematic inspection, or an on-site examination, is a structured review by MAS to assess whether a regulated financial institution is meeting its regulatory obligations, based on its actual practices rather than just its stated policies. A compliance audit is different from the periodic regulatory returns and annual filings that are part of MAS’s off-site monitoring programme because it requires MAS to visit the institution and engage with its management, staff, systems, and records. This guide outlines the entire compliance audit process conducted by MAS, which includes targeted document requests, telephone interviews, and in-depth multi-day visits to examine the firm’s operations and compliance framework.

MAS conducts compliance audits for all categories of regulated financial institutions: capital markets services licensees, fund managers, financial advisers, payment institution licensees, banks, insurers, and operators of VCC fund vehicles. These audits vary in frequency, scope, and intensity across institutions based on the type of licence, the scale and risk profile of the institution’s operations, the quality of its past regulatory filings, and the extent of concerns raised in MAS’s off-site monitoring activities. Understanding what MAS compliance audits entail and how to be well prepared for them are the key aspects of any MAS regulatory compliance assessment guide.

Why Compliance Audits Matter for Financial Institutions

One of the more significant events in a financial institution’s life cycle is a MAS compliance audit. If the audit does not uncover material weaknesses – or if material weaknesses are identified, but are swiftly and effectively addressed – then a well-conducted audit will help reinforce MAS’s confidence in the governance culture and the institution’s regulatory position; this may lead to quicker decisions on licence variations, less on-the-shoulder monitoring, and a more positive supervisory relationship. On the other hand, a failure to achieve material compliance with any requirements (including, in particular, AML/CFT controls, risk management, or regulatory reporting) may lead to formal supervisory measures including directed remediation, improved reporting, financial penalties, conditions and restrictions on a licence, and in severe cases, licence suspension or revocation.

Compliance audits play an important internal role for regulated institutions that extends beyond the direct regulatory impact. In the course of preparation, weaknesses in the institution’s internal practices are often identified that the institution may have been unaware of. Institutions that treat the MAS compliance audit process as a learning exercise rather than a compliance hurdle invariably emerge with better compliance arrangements and a clearer understanding of what MAS expects of the institutions it supervises. This is a proactive approach and forms the basis of an audit-readiness culture that the highest-regulated institutions in Singapore adopt as a key operating principle.

02 Understanding the MAS Audit Framework

Role of MAS in Regulatory Oversight

MAS’s supervisory powers are exercised through both off-site and on-site practices, including analysis of regulatory returns, financial information, and event-driven notifications, as well as on-site compliance audits and thematic inspections. The first principle of the Singapore compliance audit guide is that MAS’s supervisory approach is risk-based and proportionate: institutions with a higher risk profile, greater regulatory complexity, and/or compliance weaknesses, as reflected in their off-site data, are likely to receive more intensive and more frequent supervisory engagement. In contrast, others with consistently clean regulatory records and lower-risk business models may be supervised in a lighter-touch and less frequent manner.

MAS’ supervisory resources are allocated based on its risk profile assessment of each regulated institution, which considers the nature and scale of the institution’s operations, its financial crime risk exposure, the complexity of its governance and its past performance on regulatory compliance. Institutions at greater risk are subject to more intensive supervision, including more frequent compliance audits.

In addition to institution-specific compliance audits, MAS periodically reviews compliance by conducting thematic reviews of specific regulatory requirements across a broad segment of the regulated population simultaneously. Thematic reviews usually include a questionnaire, which is sent to every institution in the licensed group in a particular category, followed by a subsequent visit to a selected sample of institutions to verify the data provided in the questionnaire.

AML/CFT, technology risk, market conduct and financial soundness are all aspects of financial regulation, and MAS’ supervisory teams are integrated to encompass all these areas. In the audit process, each team member will focus on a specific aspect of the institution’s compliance framework to ensure the audit is comprehensive.

MAS may carry out supervisory activities through bilateral arrangements and MOUs with overseas regulators for institutions with cross-border activities or that are subject to multiple regulatory authorities. This coordination enables the dissemination of supervision findings and the uniform implementation of compliance requirements across the institution’s worldwide activities.

Types of Institutions Subject to Audits

Compliance audits are conducted on all MAS-regulated financial institutions and do not depend on an institution’s minimum size, minimum AUM, or licensing duration. The institutions most frequently subject to MAS compliance audits are the following:

MAS compliance audits of licensed Fund Management Companies (LFMCs), on both the A/I track and the retail track, and of Venture Capital Fund Managers (VCFMs) assess compliance with AML/CFT controls, investment mandates, governance standards, and the accuracy of reporting against regulatory requirements. The size of the fund’s assets, the complexity of the fund’s structure, and a history of late regulatory returns are factors that draw more supervisory attention to fund managers.

Both Standard Payment Institution (SPI) and Major Payment Institution (MPI) licensees are subject to MAS compliance audits. Because of the scale of their holdings, the compliance failures of MPI holders are more systemically significant than those of SPIs. MPI holders are therefore subject to more frequent and comprehensive supervision and, in addition to MAS’s supervisory programme, to annual requirements for independent auditing.

MAS compliance audits are conducted for licensed financial advisers, broker-dealers, custodians, and other institutions licensed by MAS, and the scope of the audit includes conduct-of-business obligations, AML/CFT programmes, capital adequacy management, and regulatory filing compliance. Priority concerns in financial adviser audits are market conduct issues, such as suitability assessment failures and mis-selling.

In addition, banks, merchant banks, finance companies, and other institutions licensed by MAS are subject to comprehensive supervisory examinations. These entities are not the main focus of this guide; however, the principles of audit preparation, response management, and remediation discussed herein apply to all categories of MAS-regulated institutions.

Objectives of a MAS Compliance Audit

Knowing the intent of a compliance audit by MAS will enable institutions to better prepare and participate in the audit process. MAS audits are not adversarial exercises to uncover non-compliant firms, but rather structured assessments that enable MAS to gain a true understanding of the firm’s compliance culture and capabilities.

Compliance audits enable MAS to evaluate the institution’s overall compliance culture, which encompasses the tone set by senior management, the board’s involvement in compliance responsibilities, and the extent to which compliance is integrated into its day-to-day activities rather than being an isolated function. Cultural indicators are evaluated by interviewing management and staff and reviewing compliance documentation and compliance filings with the regulators.

In addition to checking policy documentation, MAS auditors will check whether the controls are being implemented in practice, including by sampling customer files to verify the quality of CDD, reviewing transaction monitoring alert dispositions, verifying that technology systems are being operated in accordance with MAS’s cybersecurity policies, and verifying that training records are kept in compliance with the firm’s stated training programme. This type of testing shifts the focus from documentation adherence to operational effectiveness.

From individual institution audits, MAS learns about systemic weaknesses that may be occurring within a segment of the regulated population. Results which are common to several institutions in the same licence category are likely to lead to supervisory guidance across the industry, revisions to notices or new thematic review programmes addressing the identified weakness.

Compliance audits allow MAS to directly engage with the institution and ensure that it is aligned with the current application of the standards, since MAS may have developed its supervisory expectations since the last time it had the opportunity to engage with the institution, or since the last time the relevant notice was issued.

03 Common Triggers for a MAS Compliance Audit

Routine Regulatory Supervision

The most common reason for a MAS compliance audit is simply that it forms part of the regular supervisory cycle that MAS applies to all regulated institutions. MAS has a risk-based supervisory approach that allows more on-site supervisory presence for higher-risk or more complex institutions than for lower-risk, simpler ones. A typical supervisory visit is expected within the first few years of licensure, and the frequency would depend on the institution’s compliance history and risk profile.

Usually, compliance audits are routine and scheduled in advance through MAS’s internal supervisory calendar, as part of a ‘programme’, rather than as a reactive response to any concern. In practice, the institution will often receive a request for information or a preliminary notification of an inspection. However, the institution is not always notified in advance of a routine audit: in exceptional circumstances, MAS retains the right to make unannounced visits. Institutions with high regulatory compliance scores, accurate and timely returns, and a constructive supervisory relationship with MAS are likely to have routine audits that are relatively straightforward, aimed at ensuring that the compliance programme documented by the institution is operational and effective.

Rapid Business Growth or Operational Changes

MAS compliance audits are often triggered by significant changes in a regulated institution’s business, such as a material expansion in the number of customers, the launch of new products and services, rapid growth in transaction volume or in assets under management (AUM), or a change in the ownership and management of the firm. These changes are of particular concern to supervisory officials because they can outpace the growth of an institution’s compliance system, leading to “oversized” regulatory exposure and a lag between the size and complexity of the business and the strength of the compliance system to manage regulatory risks.

For SPI holders, the growth of transaction volumes, often close to or exceeding the applicable SPI thresholds, frequently leads to contact from MAS to verify that the institution is properly monitoring its rolling 12-month volumes and to alert the institution to the need for licence variation planning before the thresholds are breached.

The launch of a new payment service, investment product or financial advisory offering, especially where new types of customers, new transaction patterns or new technology channels are involved, could result in a MAS compliance review to determine if the institution’s AML/CFT controls, conduct procedures, and technology risk management have been sufficiently adapted to the risks of the new offering.

If the institution is moving into new geographic markets or new customer groups, especially jurisdictions and/or customer types where the institution has not previously had any activity, then MAS would be interested in whether the institution’s ML/TF Risk Assessment and enhanced due diligence procedures have been updated to account for the changes in its risk exposure, and whether the compliance function has the skills and the capacity to handle the increased scope of the business.

A change of control (e.g., acquisition of significant equity, change in the institution’s management, etc.) often requires a MAS supervisory engagement to ensure that the new management and/or ownership is aware of the institution’s regulatory responsibilities and will continue to meet the institution’s compliance requirements.

Complaints, Incidents, or Compliance Breaches

Some of the most direct triggers of MAS compliance audits are specific events, such as a customer complaint about compliance, an operational issue, a cybersecurity breach, or the institution’s own compliance issues. If MAS receives information (from a customer complaint, a self-report from the institution or information provided by another regulatory authority) that suggests a regulated institution has not complied with its regulatory obligations, then MAS will typically undertake a targeted supervisory review to examine the nature and extent of the failure, and to assess the need for remedial action.

Self-reporting of compliance failures is a regulatory duty – institutions are required to report to MAS on material failures within specified time limits – and is also a mitigating factor MAS considers when determining the seriousness of the failure. Those institutions that can identify compliance failures and proactively report them to MAS, with a credible remediation plan, consistently receive more constructive supervisory responses than those where MAS has identified such failures during a review. Regarding financial compliance audits, the MAS Singapore context clearly signals that transparency and self-correction are essential hallmarks of a genuine compliance culture and, in themselves, positive indicators of the organisation’s financial compliance.

Weaknesses Identified in Previous Reviews

One major factor that affects subsequent MAS compliance audits is the accuracy of previous audits. Institutions that have previously received observations, recommendations, or deficiency findings from MAS (through on-site inspection, thematic review, or off-site supervisory review) would be subject to a follow-up assessment to ensure that the identified weaknesses have been addressed.

In cases where MAS has formally directed an institution to address particular compliance issues, follow-up inspections are usual to ensure that the remediation actions are taken. The follow-up will generally be specific to the areas addressed in the original direction. It will require the institution to provide documentation, system changes, and operational evidence demonstrating that each remediation action identified in the original direction has been completed.

Where a thematic review identifies an institution as having compliance standards lower than MAS’s benchmark in a particular area (a thematic area of concern), a follow-up audit of the institution’s compliance in that area may result. The level of follow-up varies based on the magnitude of the identified gap.

Institutions that do not have a history of late, incomplete, or inaccurate regulatory filings, but have had one or two such instances in the past, still raise some supervisory concern and are likely to be the subject of a targeted compliance audit to determine whether the filing problems are indicative of a systemic compliance weakness or simply operational missteps.

If an external audit report includes a qualified opinion, a material weakness finding, or significant observations regarding the institution’s compliance controls, particularly those relating to AML/CFT, safeguarding, or capital adequacy, then MAS follows up on the audit report. MAS reviews all audit reports filed by a regulated institution and initiates supervisory contact if audit findings indicate a compliance gap requiring further evaluation.

04 Scope of a MAS Compliance Audit

AML/CFT Compliance Controls

AML/CFT aspects are invariably among the top priorities in MAS compliance audits. This is because the regulator continues to take the lead in ensuring that Singapore’s financial services sector remains FATF-compliant and is concerned with the specific money-laundering and terrorist-financing risks that financial services firms under its supervision face. During an audit of AML/CFT controls, the MAS auditor will evaluate the design of the institution’s AML/CFT programme (whether the policies and procedures documented are adequate to address the risks identified in the institution’s ML/TF Risk Assessment) and the operational effectiveness of AML/CFT controls (whether the controls are consistently and correctly implemented in practice).

The AML/CFT scope of a MAS compliance audit usually includes: the completeness and quality of the customer due diligence on a sample of the institution’s customers, including PEPs, higher-risk customers, and customers from higher-risk jurisdictions; the effectiveness and calibration of the transaction monitoring system; the quality of STR decision making and the completeness of STR filing records; the quality of AML/CFT training and staff awareness; and the engagement of the board and senior management with AML/CFT risk oversight. These areas, especially CDD quality and the effectiveness of transaction monitoring, are the most frequent sources of observations across all aspects of MAS compliance examinations.

Governance and Internal Policies

The governance framework and the internal policy infrastructure of the institution are evaluated as factors in the institution’s overall compliance culture and the board’s commitment to complying with MAS requirements.

MAS reviews the minutes of board and compliance committee meetings, as well as reports from the board, to determine whether the board has sufficient, timely, and accurate information on the institution’s compliance posture, regulatory obligations, and any material compliance issues that occurred during the review period. Boards that demonstrate engagement in compliance activities, such as asking well-informed questions, approving material policies and following up on the progress of remediation efforts, are good indicators of good governance.

MAS examines whether senior management has well-defined and documented responsibilities for the institution’s compliance, including clear ownership of key compliance functions such as AML/CFT oversight, technology risk management, and regulatory reporting. One governance finding often observed is a lack of a clearly defined accountability structure, or evidence that accountability for compliance is split or unclear.

The internal policies, which address matters relating to AML/CFT, conduct, technology risk, conflicts of interest, and all other areas covered by the MAS-applicable notices and guidelines, must be comprehensive and up to date. Policies that have not been reviewed or updated since the institution was first licensed, or that do not account for changes in the regulatory environment or the institution’s business model, are a regular source of audit observations.

MAS requires regulated institutions to have a well-defined three-lines-of-defence structure: the first line of defence relates to business units, the second line of defence is compliance, and the third line of defence is internal audit. Auditors evaluate whether each line is properly resourced, whether it is truly independent, and whether it is actively fulfilling its oversight role, or whether the three lines exist only on an organisational chart.

Risk Management Frameworks

A MAS compliance audit examines the adequacy and effectiveness of the institution’s risk management framework, including financial, operational, compliance, and technology risks. MAS evaluates whether the institution has identified the material risks of its regulated activities, whether it has in place controls commensurate with those risks, and whether it has processes to monitor the effectiveness of those controls and to respond promptly if they are not effective.

Typical risk management gaps observed during MAS compliance audits are: ML/TF Risk Assessments that are dated, generic or inadequate to cover the risks associated with outsourced functions or third-party service providers; operational risk frameworks that are not sufficiently comprehensive to address the risks arising from outsourced functions and service providers; technology risk management frameworks which do not comply with the standards provided by MAS’s TRM Guidelines; and capital risk management processes that do not adequately provide forward-looking visibility to the board on the trajectory of the institution’s capital position. Any of these deficiencies, even where the institution’s compliance is otherwise adequate, could result in a formal audit deficiency observation for remediation.

Regulatory Reporting and Recordkeeping

The accuracy of the regulatory reporting and the completeness of regulatory recordkeeping are examined in all MAS compliance examinations, as components of the institution’s compliance practices. The quality of these areas directly influences MAS’s ability to monitor institutions remotely.

MAS auditors cross-check a sample of the institution’s historical regulatory returns against underlying records and systems to ascertain their accuracy and completeness. Any differences between reported and actual figures, even if not considered deliberate, raise questions about the quality management and data sign-off within the institution.

The timeliness of past regulatory filings is assessed as an indicator of compliance discipline. A pattern of late submissions, even if each submission was eventually completed, indicates general nonconformance in the institution’s compliance calendar management and internal preparation.

MAS auditors evaluate whether the institution maintains complete, organised, and retrievable compliance records that capture all aspects of its regulated activities, including CDD records, transaction logs, STR filing records, training records, and minutes of its governance meetings. The lack of organisation, completeness or retrievability of records within a reasonable time of the audit is directly indicative of recordkeeping deficiency.

A review of the institution’s records of compliance incidents and/or breaches is conducted to evaluate the quality of the institution’s compliance monitoring and breach management processes, including how incidents were identified, evaluated, escalated, and remedied. Incidents reported in full detail and remediated systematically are evidence of a culture of compliance – a positive one, as seen by MAS – even if the incident relates to compliance weaknesses.

05 Preparing for the Audit Process

Gathering Required Documentation

The first step in preparing for a MAS compliance audit is to conduct a thorough review and organisation of the documents to be audited. For unannounced audits, where the institution does not receive prior notification, institutions that have their compliance documentation in an “always ready” state can respond promptly and with confidence to requests for compliance documentation and exhibit a culture of documentation that MAS takes as a marker of a mature compliance culture. The audit checklist for financial firms in this guide highlights the key areas of documentation that are currently requested in MAS compliance audits and can serve as a basis for a regular internal documentation readiness assessment.

The documentation items requested in ML/TF compliance audits are as follows: the institution’s current ML/TF Risk Assessment, and the evidence underpinning each risk rating; a sample of customer due diligence files from the review period (usually a representative sample that includes standard, enhanced and simplified CDD types); transaction monitoring system configuration documentation; a sample of alert dispositions from the review period; a sample of the institution’s ML/TF STR filing records for the review period; a sample of the institution’s suspicious activity analysis for the review period; a sample of board and compliance committee meeting minutes for the review period; staff AML/CFT and regulatory training records; a sample of internal audit reports for the review period; and the institution’s current versions of all material internal policies and procedures. When an institution is requested to submit an audit report, one of the most effective preparations it can make to help the auditor is to have these documents organised, indexed, and available at the time of the request.

Conducting Internal Compliance Reviews

The best way to uncover and resolve compliance issues before MAS auditors find them is through a structured internal compliance review – either conducted in preparation for an anticipated MAS audit, or as an annual practice. The internal review should closely reflect the MAS audit process, covering compliance with all regulatory requirements relevant to the institution’s various licence types and business activities, and evaluating the effectiveness of operating controls, not just policy documents.

Internal compliance reviews are effective when they are independent, specific and actionable: the review team or individual is independent from the function being reviewed, the review is based on the institution’s specific regulatory requirements and not on a generic checklist, and the findings of the review lead to specific, time-bound remediation actions, not general observations. Those institutions that conduct a proper internal compliance review and close all identified gaps before a MAS audit are always better off than those that identify gaps during the audit itself. If an institution does not have the in-house resources to perform a complete pre-audit review, a good alternative is to hire MAS audit consultants in Singapore to carry out an independent mock audit.

Identifying and Addressing Compliance Gaps

The identification of compliance gaps is just the first step; it is then necessary to prioritise and meaningfully remedy them, not merely through superficial document updates.

Not every compliance gap has the same regulatory impact. Given the focus of MAS on AML/CFT compliance, gaps in AML/CFT controls, including CDD quality and transaction monitoring effectiveness, are consistently identified as the top remediation priority. The same applies to technology risk gaps in system resilience and cybersecurity controls. Gaps in governance and reporting can also carry significant regulatory consequences, but are usually less pressing once they have been detected and remediation is underway before the audit.

The first step in conducting effective gap remediation is to identify the cause of the gap, whether it is a policy issue, a training gap, a system limitation, a resourcing issue, or a governance failure. If remediation only treats the symptom, but not the cause, MAS auditors, who are trained to determine whether the remediation is genuine and permanent, will not be satisfied.

Every remediation action should yield visible and documented results demonstrating that the gap has been bridged, such as new policies, improved system settings, updated training logs, redone CDD for high-risk customers, or new customer risk ratings. MAS auditors will assess evidence that remediation has been implemented rather than an institution’s claim of gap closure.

The material non-conformities (MNCs) noted during a pre-audit review, along with their remediation plans, should be presented at the board meeting or to a senior management committee for information and approval. This is an example of a board engagement that illustrates the governance culture that MAS expects, and provides a paper trail of the institution’s compliance self-evaluation and remediation efforts.

Coordinating with Internal Stakeholders

Coordinating various functions across the institution is crucial for the MAS audit: compliance, operations, technology, finance, legal, and human resources each play a role in preparing the documentation and operational evidence that MAS auditors will review.

The compliance officer should be responsible for drafting the audit, setting the audit preparation timetable, delegating documentation duties to the appropriate departments, arranging internal review work, and maintaining a single audit preparation action-tracking sheet that reflects completed activities and their status. The compliance officer is also, in general, the chief liaison for MAS for the audit process.

Operations and technology teams need to be ready to share and grant access to relevant technology and platforms, such as transaction monitoring, CDD, and regulatory reporting systems, and to demonstrate system configurations and control settings to MAS auditors. Technical staff should be briefed on the audit process, their role in supporting system demonstrations and providing technical responses.

All regulatory return information from past periods needs to be reconciled and available, and the finance and reporting teams need to be able to account for any differences between the reported information and the underlying financial information. Capital Adequacy calculations, safeguarding reconciliation records and financial statements should be kept in the final approved version.

Senior management – including the CFO, CEO, and heads of regulated business lines – should be updated on the audit scope, areas of focus, the institution’s current compliance status, and any identified gaps or observations. Senior management interviews are an integral part of MAS compliance audits, and if the answers are inconsistent or not well prepared, they are a major contributor to negative audit impressions.

06 The Audit Process Step by Step

Initial MAS Notification and Requests

Most scheduled compliance audits are preceded by a letter of information request, which may be for a set of documents and data or for an off-site supervisory review, and may or may not be followed by an on-site inspection. The information request letter will usually include the following: the purpose of the review; the types of documents and data needed; how to submit the information; and the submission deadline. The quality, completeness, and timeliness of the institution’s initial response to the information request are important; they provide a first impression of how well the institution is complying with the audit and reflect its compliance maturity.

The initial information request typically covers a prescribed period (usually the last 12 to 24 months). It seeks all documents related to material compliance from that period, such as regulatory submissions, AML/CFT programme documents, audit reports, governance meeting minutes, and incident records. The institution should approach the initial request as a true scoping exercise and respond fully and accurately: providing no partial substitutes, stating where requested items do not exist, and flagging any gaps in documentation with an explanation and a remediation timeline. MAS auditors consider the quality and completeness of the document response as a gauge of the discipline of documenting and the culture of compliance within the institution.

Document Submission and Review

After the initial document submission, MAS reviews the documents systematically over several weeks (usually three or four) for a full audit. In this off-site review phase, the MAS auditors will identify areas of potential concern, formulate specific questions and testing protocols for the information reviewed, and, if applicable, prepare for the on-site phase of the audit. Follow-up requests for additional documents or clarifications may be made during the off-site review phase, and the institution’s responses to them should be rapid and complete.

MAS auditors review the quality of the documents submitted against the applicable regulatory requirements: whether policies are sufficiently detailed and operational; whether the risk assessment is appropriately tailored to the institution’s risk profile; whether CDD records include all required information and evidence; and whether governance records show that the board has actively engaged in compliance matters.

When quantitative data is submitted (such as reports on transaction volume, AUM, and capital adequacy calculations), MAS auditors will analyse it and look for any anomalies, trends, or inconsistencies that may require further investigation. Typical triggers for follow-up questions include unusual patterns in transaction data, significant unexplained movements in AUM or capital ratios, and figures that appear inconsistent with the institution’s reported risk profile.

MAS auditors will also check for any shifts in the institution’s reported position compared with historical regulatory returns and ensure that the information submitted in the audit documentation aligns with that submitted to MAS in previous regulatory returns. Any major differences between the audit documentation and the previously filed regulatory returns, whether or not they reflect genuine corrections of prior errors, will raise concerns about the reliability of the institution’s reporting procedures.

During the document review process, the MAS auditor will develop a structured agenda for the on-site phase of the audit, which will include all compliance areas to be tested, the system demonstrations to be requested, the customer files to be reviewed, and the interviews with management and staff. In general, this agenda is not communicated to the institution before the audit. However, institutions that have carefully studied the pre-audit agenda will be able to predict what areas will be focused on.

Interviews with Management and Staff

A key, established and significant element of a MAS compliance audit is the on-site interview with management and staff. The interviews fulfil several functions: they help ensure that the institutional compliance framework set out in the documents is understood and effectively implemented by those charged with its implementation; they offer MAS an opportunity for qualitative insight into the compliance culture of the institution, which cannot be gained from the documents alone; and they allow the management of the institution to explain the context of certain compliance decisions or apparent gaps in documentation.

The typical areas of discussion for management interviews include: the institution’s understanding of its regulatory requirements; the engagement of the board and senior management with AML/CFT issues; the AML/CFT risk assessment process and customer due diligence work; the institution’s incident response and breach management processes; and the institution’s plans for remediation of any compliance gaps identified during the pre-audit review. Staff interviews, usually conducted with compliance analysts, relationship managers, and operations staff, assess whether the institution’s policies and procedures are adhered to in the day-to-day running of the institution and whether the training programme has been successful in raising staff awareness of AML/CFT. Inconsistent responses across management and staff interviews are a major audit finding, suggesting that the firm’s compliance regime is not embedded in the organisation’s practices.

Testing of Internal Controls and Procedures

The most operation-intensive part of a MAS compliance audit is control testing, and it is also the part most likely to identify any discrepancy between the documented compliance framework and what is actually happening in operations.

A sample of customer files is selected by MAS auditors, covering the entire range of customer risk levels, including standard, enhanced, and simplified CDD categories, and is evaluated against the institution’s documented CDD procedures and applicable regulatory requirements. Common tests include whether an identity document has been completed, whether a legal-entity customer has been appropriately identified, whether a customer’s risk rating is appropriate, and whether periodic CDD reviews have been conducted promptly.

MAS auditors verify the setup, tuning and handling procedures for the institution’s transaction monitoring system (TMS). Normally, the testing should cover: whether the detection scenarios and thresholds are suitable for the institution’s risk profile; whether alerts are being reviewed and disposed of within the institution’s stated timelines; whether the quality of the alert analysis is adequate to make a well-informed STR or no-STR decision; and whether the system’s performance is monitored and tuned on an ongoing basis.

For institutions subject to MAS’s TRM Guidelines, auditors assess the institution’s technology risk controls by reviewing documentation and conducting technical tests (penetration tests, vulnerability assessments, disaster recovery tests, and access management configurations). Auditors may also ask for a demonstration of important technology controls and incident response systems.

Auditors check the accuracy of the institution’s regulatory reporting by reconciling reported numbers with source data, for example, by taking a sample of reported AUM against individual fund records, reconciling reported transaction volume against payment system logs, and comparing reported capital ratios to the institution’s capital ratio calculations. This reconciliation testing is designed to test the accuracy of the data and the strength of the institution’s regulatory reporting procedures.

07 Key Areas Reviewed During Audits

Customer Due Diligence and KYC Procedures

One of the most regularly audited aspects of MAS compliance is customer due diligence (CDD) and know-your-customer (KYC). The impact of the institution’s AML/CFT programme depends on its CDD — if CDD is weak, the institution lacks a proper understanding of its customers, the legitimacy of their activities and the risks they pose. Over time, the MAS auditors have become more sophisticated in their approach to assessing the quality of the CDD, and no longer just rely on a checklist of documents, but also make a substantive assessment of whether the institution truly grasps each customer’s identity, business, source of funds, and purpose of the financial relationship.

Typical issues found during MAS compliance audits are: record-keeping issues, where customer files contain identity verification documents without any documentation of the identity verification process (the steps taken); beneficial ownership issues, where the name of the customer’s beneficial owners is identified in the corporate customer files but not the name of the natural persons who are the ultimate beneficial owners of the customer; risk ratings that seem to be assigned mechanically (based on the type of customer and not a substantive assessment of that customer’s risk profile); and customer profile issues, where customer files are not updated to reflect material changes in the customer’s situation, such as a change in the legal nature of the customer’s business, its geographic exposure, or its ownership structure. These deficiencies represent gaps between documented CDD procedures and their implementation at the institution.

Transaction Monitoring and Suspicious Reporting

Transaction monitoring is considered the primary operational control that an institution can use to identify and act on suspicious transactions across all its customers.

MAS auditors determine whether the detection scenarios and alert thresholds of the transaction monitoring system are suitable for the institution’s business, product mix and geographic risks. A system that is not tailored to the institution’s risk environment will produce either more false-positive alerts (thus lowering alert review quality) or fewer alerts (thus reducing the monitoring coverage).

The quality of the institution’s alert review process, such as the analytical rigour applied to each alert, the documentation of alert disposition, and the timeliness of escalation for alerts that require further investigation, is evaluated by reviewing a sample of alert records from the audit review period. One of the consistent findings in MAS transaction monitoring reviews is that alerts are disposed of without proper documentation of the analytical basis for the disposal decision.

MAS auditors evaluate the quality of the institution’s STR decision-making process, which comprises determining when an alert is converted to an STR, the escalation process from alert to STR decision, and the completeness and timeliness of STR filings to STRO. Institutions that lack any STRs or have few in a high-risk payment or fund management environment are likely to face heavy regulatory scrutiny of their transaction monitoring and STR decision-making.

MAS will routinely ask institutions about the performance of their transaction monitoring systems, such as the number and quality of alerts generated, false-positive rates, and the effectiveness of transaction scenarios in detecting typologies, and whether the system has been adjusted as a result. A system that has not been reviewed or retested since it was first implemented is a technology risk finding.

Compliance Training and Staff Awareness

In MAS compliance audits, staff training and awareness are considered indicators of whether the compliance programme is embedded within the institution or limited to the compliance function. MAS auditors check training through staff interviews, asking how far staff have progressed in training and how many of them have completed it, and putting the following questions to relationship managers, operations staff, and customer service staff: What is your understanding of the AML/CFT red flags? What is your understanding of STR reporting obligations? How do you know if a customer or transaction is suspicious, and what escalation process should you follow?

The institution’s AML/CFT regulatory training programme should be comprehensive. It should be designed for all employees who have contact with customers, process transactions, or are responsible for the institution’s compliance with AML/CFT regulations, and should be specific to the institution’s business model, risks, and regulatory requirements. In MAS audit findings, generic online compliance training that is not tailored to the institution’s products, customer segments, or risk environment is regularly cited as a concern.

Training should be provided on recruitment and refreshed regularly (usually once a year) for all staff. The training content should be kept up to date to address changes in the regulatory environment, new AML/CFT typologies published by MAS or FATF, or lessons learned from compliance incidents faced by the institution. Training programmes that are not updated from year to year are a regular audit finding.

MAS expects institutions to have conducted their own assessment of the effectiveness of their training programmes, using either post-training tests, compliance monitoring metrics, or periodic knowledge assessments, as appropriate, and take follow-up action based on such assessments where staff members’ understanding of their compliance obligations is found to be inadequate. Completion records without any evidence of an effectiveness assessment are insufficient to establish the existence of a real training programme.

The board and senior management should receive training on the regulatory requirements that apply to the institution, including AML/CFT requirements, technology risk management, and key regulatory filing requirements, and MAS auditors assess this training. MAS treats the absence of board-level compliance training as a serious finding, as it affects the board’s credibility in overseeing the institution’s regulatory compliance posture.

Technology Risk and Cybersecurity Controls

MAS compliance audits increasingly focus on technology risk and cybersecurity, because financial institutions rely heavily on technology infrastructure and are more vulnerable to the operational disruptions and data breaches that accompany such dependence. MAS’s TRM Guidelines set out in detail MAS’s expectations on matters such as system resilience, cyber security controls, management of third-party vendors, and the response to incidents. MAS compliance audits now include a technology risk element that assesses the institution’s compliance with the TRM Guidelines in practice.

During MAS compliance audits, the key areas of technology risk examined encompass: the institution’s cybersecurity control framework (network security, access management, encryption, vulnerability management and security monitoring); the resilience and availability of its critical payment and compliance systems against its stated recovery time and recovery point objectives; the strength of its third-party and cloud vendor management programme, including due diligence conducted on key technology vendors and the oversight arrangements for managing key technology vendors’ performance and compliance; and the timeliness and quality of the institution’s response to technology incidents during the review period, both operationally and in relation to the regulatory notification process. Among the situations that most often lead to a negative technology risk assessment are technology incidents that were handled poorly or late, or that were not reported to MAS.

08 Common Findings in MAS Compliance Audits

Inadequate AML/CFT Documentation

Inadequate AML/CFT documentation is the most common issue across all licence categories in AML/CFT compliance audits. Specific deficiencies include, for instance, the failure to tailor the ML/TF risk assessment to the institution’s particular risk profile, the absence of identity documents with proof of verification in CDD files, the failure to document the specific enhanced due diligence measures applied in enhanced due diligence files, and the absence of analytical depth to support decisions on the nature of transactions and the STR/no-STR decision. Knowing the key types of AML/CFT documentation gaps is crucial for institutions preparing to meet MAS requirements in this area.

Risk assessment documents that reflect a generic customer base, product offering, or set of geographic exposures rather than the institution’s actual ones, or that have not been updated since the institution was originally licensed, are among the most frequently reported AML/CFT documentation weaknesses. MAS is not looking for a “one-off” exercise for licensing purposes but for a risk assessment that guides the design of the controls; it should be a living document.

Missing identity verification documents in CDD files, missing beneficial owner information in corporate customers’ CDD files, and missing enhanced due diligence analysis in higher-risk customers’ CDD files are common audit issues. Where the institution has strong CDD procedures in policy but gaps in execution in individual customer files, this is one of the most direct indicators of control weakness.

Decisions to file and decisions not to file an STR must be based on a structured assessment process and must be documented with sufficient analytical detail. Inadequate documentation, or no documentation, of STR decisions is a major AML/CFT finding indicating that the institution’s suspicious activity management is not robust.

Insufficient AML/CFT training records (which do not include records covering all staff, do not show that content is relevant to their institution’s risk environment, or lack evidence that training was effective in achieving the required outcomes) are a recurring documentation finding that indicates that training is not being managed with the rigour that MAS expects.

Weak Governance and Oversight Controls

The second most frequently recurring type of finding in MAS compliance audits is governance weaknesses, such as poor supervision by the board, unclear accountability structures, and low involvement of senior management in governance issues.

Boards that do not show signs of engagement, such as asking well-informed questions, challenging management assessments, and monitoring remediation progress, are consistently flagged as a governance weakness. Minutes of board meetings that do not record substantive discussion but document compliance matters as ‘noted’ or ‘received’ without supporting information are a ‘red flag’ for MAS auditors when assessing governance quality.

MAS considers the lack of clear, documented accountability for key compliance functions, such as AML/CFT oversight, regulatory filing management and technology risk management, to be a structural weakness. There should be a named owner for each material compliance duty who can undertake it effectively and has the necessary resources.

Compliance functions that are demonstrated to be inadequate in scale and scope to meet the regulatory needs of the institution, whether because of workforce, qualifications, or a lack of management interest or investment, are considered a governance finding and addressed by MAS through directed remediation, with a focus on strengthening compliance functions.

Where the compliance function is not sufficiently separated from the function or functions it oversees, for example if the internal audit function is under the same executive as the compliance function, or if the compliance function has revenue-generating roles, MAS considers structural change necessary to remedy the governance issue.

Deficiencies in Risk Assessments

Findings relating to risk assessment deficiencies are a catch-all category that includes the AML/CFT-specific risk assessment findings listed above and covers the institution’s approach to managing financial, operational, technological, and strategic risks associated with its regulated activities. MAS auditors examine the risk assessments on a variety of aspects, including: whether all material risks were identified; whether each risk was assessed appropriately in terms of its level of detail and factual analysis; whether controls put in place to manage each risk are sufficient and proportionate; and whether the residual risk position is acceptable given the institution’s risk appetite.

The lack of adequate operational risk assessment of risks related to key service provider outsourcing, third-party service providers, and/or technology-dependent processes is a recurring issue. MAS is not solely concerned with risks faced by the institution’s own operations, but also with risks associated with the use of vendors and technology infrastructure.

For institutions with capital adequacy requirements, such as CMS licensees, regulatory findings include risk assessments that do not give the board enough forward-looking information on the institution’s capital position, including stress scenario analysis and how potential business loss events or growth affect capital adequacy. Such findings may require enhanced capital reporting.

MAS considers the failure to identify and control concentration risks, such as customer, geographic, counterparty, and service provider concentrations, to be a strategic risk governance deficiency, especially with fund managers whose investment portfolios are concentrated and/or payment institutions that rely on a single banking relationship.

Institutions that have documented their risk appetite but cannot evidence monitoring, reporting to the board, and operational use of the limits or thresholds to inform business decisions receive findings on the gap between the documented risk appetite and how it is applied in practice.

Delayed or Inaccurate Regulatory Filings

Late filings and inaccurate filings are direct compliance violations and recurrent issues in MAS compliance audits. MAS considers the quality and timely submission of regulatory filings a good indicator of the institution’s overall compliance culture; that is, deficiencies in filing regulatory reports extend beyond the filings at issue and affect the institution’s entire compliance standing with MAS.

Where individual returns have been completed but there is a pattern of late submission, this reflects systemic issues in the calendar management of regulatory returns, the internal preparation of regulatory returns, and senior management’s prioritisation of regulatory obligations. MAS auditors will investigate ongoing late submissions and mandate remediation to address the root cause of the process failure.

Regulatory returns with material data errors (such as incorrect AUM figures, erroneous transaction volume data, or incorrect capital ratio disclosures) are serious findings, whether the errors are deliberate or not. They are considered an integrity matter by MAS. Institutions should have data quality controls and senior-level sign-off processes to ensure the material submitted is error-free.

Among the most obvious filing compliance findings are failures to make required event-driven notifications, such as notifications of changes in key personnel, cybersecurity incidents, or material breaches of licence conditions, within the required times. Each notification that is not made is an individual regulatory breach and may be addressed by MAS through formal supervisory action.

Data integrity findings relate to discrepancies in key metrics across regulatory submissions, such as AUM reported to MAS versus ACRA and transaction volumes reported in monthly returns versus the annual return, and indicate a lack of governance over regulatory reporting and weaknesses in the reliability of reporting systems at the institution.

09 Responding to Audit Findings

Understanding MAS Observations and Recommendations

The result of a compliance audit conducted by MAS is a written report or letter of findings that assesses the institution’s compliance posture and identifies any non-compliances. This report or letter is sent to the institution at the end of the audit. MAS findings are generally expressed in three categories: formal requirements or directions, which must be addressed and corrected within a specified period; significant observations, which represent material compliance weaknesses that must be addressed and corrected substantively; and minor recommendations, which represent items for improvement. An institution must grasp the difference between these levels and match its response to the level of each finding.

The institution should read the MAS findings report carefully, not only with a focus on the individual areas of compliance identified, but also in the context of the findings as a whole, to see what they collectively suggest about the areas of the compliance programme that are underperforming most. Often, the individual findings point to a common root cause: for example, an overstretched compliance role, an outdated risk assessment, or a structure in which the board does not sufficiently oversee compliance issues. Each finding should be remediated, but not without considering the root cause of the problem, because a remediation plan based on root cause correction is more likely to satisfy MAS than a narrow plan that ignores it.

Preparing Remediation Plans

An effective remediation plan is the institution’s main communication tool for showing that it is taking the compliance issues identified during the audit seriously and addressing the gaps comprehensively.

The remediation plan should repeat each finding of the MAS and indicate: the cause of the finding; specific corrective action(s) to be taken; evidence that will help show that the corrective action is being completed; the owner of the action being taken; and the targeted date for the action to be completed. Plans that are at the same level of detail as the finding are more believable to MAS and more executable internally.

The timelines for remediation should be realistic in light of the operational requirements for effective and timely change to compliance systems, processes, and governance, while still meeting MAS’s expectation of moving quickly. MAS will challenge timelines that seem too short (shallow remediation) or too long (poor prioritisation of compliance improvements). For findings in the highest-severity areas (AML/CFT, safeguarding), timelines should be as short as operationally possible.

The remediation plan should be approved by the board or by a designated senior management committee, and progress should be reported regularly until all items are closed. Approval of the plan by the board of directors is a positive sign of the governance structure’s involvement in the remediation process and in any subsequent supervisory engagement with MAS.

Where the institution’s existing controls are materially deficient, such as a transaction monitoring system that is not generating enough alerts for the institution’s risk profile, interim risk mitigation measures should be implemented immediately, while the longer-term remediation plan is being executed. These interim measures confirm that the institution is not taking the risk lightly and is not waiting for the formal remediation process to take place.

Implementing Corrective Measures

The toughest part of the audit response management process is taking the steps that actually improve the institution’s compliance framework, rather than simply adding documentation to it. MAS auditors are well versed in distinguishing genuine remediation from compliance theatre, and institutions that try to address findings by way of a policy change without evidence of related changes in practice stand a very high risk of receiving a follow-up finding in future supervisory engagements.

Effective implementation of corrective measures requires: changes to the processes, systems and governance that led to the finding, which must be made in practice and not simply recorded in the policy documents that describe them; evidence that the change is “working as intended”, including evidence that staff have been briefed on the new procedures, that systems are configured as required, that controls are operating as intended, and that CDD procedures are being correctly applied to customer files; and a verification phase to ensure that the change is effective before the remediation action is formally closed. This validation process can be performed by the internal audit function, an external reviewer, or a compliance officer, and gives the institution and MAS confidence that the remediation is authentic and permanent.

Ongoing Monitoring After Remediation

A MAS compliance audit is not the last step in an institution’s remediation efforts, but rather the first step in a continuous monitoring process to make sure that the improvements implemented are not lost over time.

For every significant finding that has been remediated, the compliance function should implement periodic effectiveness testing to ensure that the corrective measures are in place and effective. CDD file reviews, transaction monitoring system performance assessments and governance reporting quality assessments should be incorporated into the continuous compliance monitoring programme as standing activities, not just “when it’s time to do it” activities.

The status of all open remediation items should be reported to the board regularly until all items are closed and verified effective. During the remediation period, the compliance remediation status report, which sets out each finding, the corrective actions taken, evidence of implementation, the verification status, and the closing date, should be a regular agenda item at board or compliance committee meetings.

When MAS conducts a follow-up supervisory review to confirm remediation (either following a significant finding that warrants a routine follow-up review or in response to the institution’s submission of its remediation plan), the institution is required to provide evidence that each finding has been substantively addressed and that the corrective measures taken are operationally effective. The effectiveness of the institution’s remediation and the thoroughness of the evidence package supporting that effectiveness are the keys to MAS’s evaluation of the follow-up review.

Any remediation finding should be documented in the compliance calendar, internal policies, and training programme so that the compliance improvement becomes part of the institution’s routine and does not rely on the efforts of any individual. Institutionalisation of remediation is the difference between a ‘one-off’ remedy and a lasting enhancement of the institution’s compliance landscape.

10 Best Practices for Audit Readiness

Maintaining Strong Compliance Documentation

Robust, structured, and timely compliance documentation is the foundation of audit readiness. Are institutions in a continuous audit-ready posture, or scrambling to prepare documentation when an audit notification is received? The MAS audit checklist for financial institutions on documentation readiness covers several important areas that need to be addressed and prioritised in the day-to-day operations of a financial institution.

Best practices for compliance documentation include: having all customer due diligence files in a standardised format with all of the necessary elements clearly documented and available for customer reference; maintaining a transaction monitoring alert log with complete documentation of the analytical basis for each disposition; maintaining a comprehensive document management system, including version control, document retention policies, and access logging; having all minutes of board and committee meetings finalised, approved, and stored within a pre-established timeframe after the meeting; and completing a quarterly documentation readiness review that evaluates the completeness and arrangement of the compliance record archive for the categories most frequently asked about in MAS compliance audits.

Conducting Regular Internal Audits

Between MAS supervisory reviews, regular internal audits, which are organised outside the compliance function under audit, provide the board and senior management with objective assurance of the institution’s compliance posture.

The internal audit programme should be risk-based and allocate audit resources to the areas of highest compliance risk, such as AML/CFT controls, technology risk management, and regulatory reporting accuracy. The programme should be reviewed and revised at least once a year to incorporate any changes in the institution’s profile and MAS’s current supervisory priorities.

Regular mock MAS audit exercises, which mimic responding to an MAS information request and an on-site audit, are an excellent way for the compliance team, the operations team, and senior management to prepare for the audit process. The mock audits reveal any missing documentation, verify staff knowledge and evaluate the institution’s ability to explain its controls during a supervisory engagement.

An annual independent review of the AML/CFT programme (conducted by the internal audit function or an independent reviewer) supplements the internal audit function’s self-assessment by providing an objective assessment of the programme’s adequacy and effectiveness. These reviews will mimic the MAS audit assessment of AML/CFT controls, and help uncover gaps in control before a regulatory review.

Any internal audit issues that are not resolved within the agreed deadlines are considered a major governance risk and could reflect poor resource allocation or a lack of management commitment to addressing compliance issues. All internal audit items should be monitored, reported to the board, and acted upon within agreed time parameters. Any item that is not completed should be escalated to the board and/or the senior management team as a priority issue.

Strengthening Governance and Accountability

Governance and accountability are reviewed in every compliance audit, and in most MAS audits they tend to be found lacking. Investing in strengthening governance structures and frameworks proactively, before an audit finding is made, builds the institutional foundation for sustainable compliance excellence and a constructive supervisory relationship with MAS.

Each material regulatory requirement (any filing requirement, any AML/CFT control, any governance process, etc.) should have a named owner who has both the authority and the resources to fulfil the obligation and account for it effectively. Clear, documented responsibility matrices, agreed to by the board, help demonstrate clear accountability to MAS and prevent blurred accountability lines from allowing non-compliance to escalate.

Board oversight of compliance matters should be substantive and substantiated, including through informed questioning of management, approval of material compliance policies and risk assessments, regular review of compliance performance metrics, and active follow-up on the progress of remediation. The informed oversight capability that MAS expects can be developed by investing in board compliance education, including board-level compliance dashboards, external adviser briefings, and compliance-focused training sessions.

The compliance officer should be given access to all relevant information, people, and systems within the institution, the independence to report concerns to the board without management influence, and the seniority to hold business functions accountable for their compliance duties. Compliance structures that compromise the independence of the function should be changed, including cases where the compliance officer reports to the head of business rather than to the CEO or the board.

Organisations whose internal whistleblowing and escalation systems both create an environment where employees feel empowered to report compliance concerns without fear of retaliation and provide a mechanism through which concerns are investigated and resolved promptly are best equipped to identify and address compliance issues before they become regulatory violations. MAS believes a true escalation culture is a good sign of a healthy compliance culture.

Keeping Policies and Procedures Updated

It is inevitable that compliance policies and procedures, drafted to accurately reflect the regulatory environment at the time of their enactment, will become outdated due to ongoing regulatory changes, shifts in the institution’s business, and emerging risks. An important part of the audit readiness cycle is a systematic review and update of policies.

All internal compliance policies should be subject to a formal annual review to determine whether the policy continues to meet the current requirements of MAS, whether it accurately reflects the current business model and risk profile of the institution, and whether operational experience has identified any gaps or ambiguities in the policy that should be clarified. All policies need to be reviewed and re-approved by the appropriate person and communicated to relevant staff.

The annual cycle should be complemented by reviews triggered by specific events that warrant an immediate review of the policy, such as the receipt of any MAS notice or the issuance of a new guideline, major changes in the institution’s products and services, significant changes in the external risk environment, including new typologies of money laundering activities or changes in the MAS guidance, as well as the findings of an audit by MAS.

Policies should be version-controlled, with each version recording the revision date, the contents of the revision, and the approving authority. Recording effective dates on all policies allows the institution to know which version of a policy was in effect at any given time; MAS auditors frequently test for this when investigating specific historical transactions and/or compliance decisions.

Policy changes need to be shared with all staff as soon as possible, and material changes in policy implementation should be accompanied by training to ensure that staff are aware of the new requirements and how to implement them correctly. Records of policy communication and training delivery should be kept as part of the institution’s compliance records, including email correspondence, training system records, and attendance records.

11 Working with Compliance Advisors and Auditors

Benefits of Independent Compliance Reviews

Independent compliance reviews, meaning those conducted by parties external to the institution’s compliance function, provide a degree of objectivity and expert benchmarking that internal reviews simply don’t. An experienced external reviewer brings knowledge of MAS’s current supervisory expectations, knowledge of the findings commonly identified in recent MAS compliance audits of this type of institution, and the ability to assess the institution’s compliance posture against a correct interpretation of MAS’s expectations, rather than against the expectations the institution assumes it faces. The independent view is especially beneficial in the lead-up to an expected MAS audit, as it offers the most proactive opportunity to identify and address gaps before they become regulatory findings.

Independent compliance reviews do more than just prepare the institution for audits. By regularly engaging compliance review services in Singapore, the board and senior management can maintain a continuous flow of objective and independent assurance that the compliance programme is meeting regulatory requirements, thereby complementing the internal audit function by adding external expertise and market awareness. Independent experts with relevant experience in MAS’s supervisory stance can identify early signs of developing regulatory expectations (items where MAS’s supervisory focus is growing even before any regulatory changes are formalised), and the institution can work on these in advance rather than in response.

Role of External Compliance Consultants

External MAS audit consultants in Singapore offer a range of services that complement the institution’s internal compliance capabilities.

External compliance consultants may be able to perform a wide-ranging pre-audit readiness review, including reviewing documentation, testing controls, conducting staff interviews, and benchmarking the institution’s compliance position against MAS’s supervisory expectations. The results of a readiness assessment are a prioritised gap list and a remediation plan, which allow the institution to correct its biggest vulnerabilities before MAS’s arrival.

A specialist AML/CFT compliance consultant can provide a detailed review of the institution’s AML/CFT programme, which includes a review of the institution’s ML/TF Risk Assessment, CDD procedures, transaction monitoring system configuration, STR decision-making process, and the training programme against the MAS Notice PSN01, CMG-N02 or the applicable AML/CFT notice for the institution’s licence type. These reviews are specific, contextually aware, and pinpoint gaps in a way that can guide effective remediation.

Expert review of regulatory submission drafts, such as annual returns, AML/CFT programme certifications, and MAS licence variation applications, can be provided by compliance experts, who can help with data quality checks and advise on how MAS is likely to interpret certain data or disclosures. This is especially important for new licensees who are making a first-time filing.

After a MAS compliance audit, external consultants can help with preparing the remediation plan, implementing specific corrective measures, conducting effectiveness testing, and preparing MAS follow-up responses. They are familiar with MAS’s expectations regarding the quality of remediation and the evidence the institution needs to present to show that its compliance programme has been restored to MAS’s standards.

Coordinating with Legal and Risk Teams

The compliance function must work in close coordination with the legal, risk, and technology departments within the institution, each of which contributes uniquely to ensuring proper assessment and management of the institution’s regulatory exposure.

The institution’s legal team should review the findings letter issued by MAS to ensure the institution is aware of the legal nature of each finding and the regulatory framework under which it was made. One of the key elements of the legal team’s review is whether the findings might have enforcement implications, to ensure that the institution’s public statements about the findings and communications with MAS regarding remediation are appropriately calibrated.

The risk management function should be tasked with assessing the audit findings to identify any that represent a risk exposure that should be immediately mitigated (other than through the compliance remediation action identified in the remediation plan). For instance, a technology risk finding might suggest an unmanaged cybersecurity exposure that might necessitate immediate risk-mitigating actions, as well as longer-term control improvement actions.

The institution’s technology team should play a central role in the remediation planning and implementation process for technology risk and cybersecurity findings. System configuration changes, access management enhancements, and improved monitoring implementations, among other technology remediations, require technical expertise not available within the compliance function.

The finance team must also be included in the remediation planning process if the findings relate to capital adequacy, financial reporting accuracy, or safeguarding arrangements, to ensure that the corrective action taken is consistent with the institution’s financial reporting framework and does not result in additional risks in capital management and financial control.

Building Long-Term Regulatory Readiness

The best way to manage the compliance audit is not to manage each audit in isolation but to create a programme that keeps the institution constantly audit-ready. Institutions that invest in long-term regulatory readiness, with up-to-date documentation, regular internal review, compliance systems kept up to date with ever-changing regulations, and active dialogue with MAS, always experience the MAS compliance audit as a confirmation of their compliance culture, and not as a clash over identified regulatory gaps.

Building long-term regulatory readiness demands an ongoing institutional commitment to compliance excellence, evidenced by the provision of resources to support the compliance function, the board’s and senior management’s engagement with compliance issues, and compliance as a fundamental part of the institution’s practices and norms, not an endpoint of administrative work. For institutions that attain this standard, preparing for a MAS compliance audit is not a separate exercise but a periodic recalibration of an already robust compliance programme against the latest MAS supervisory expectations, with continued dialogue with MAS audit consultants in Singapore and external legal counsel providing regulatory intelligence, so as to stay ahead of MAS’s supervisory focus.

12 Conclusion

Key Takeaways About MAS Compliance Audits

We hope this guide has given you a detailed understanding of the MAS compliance audit process, from the triggers and scope of MAS compliance audits to preparing for the audit and conducting it on-site to addressing findings and fostering ongoing audit readiness. The key principles for any institution under the auspices of MAS are as follows:

MAS compliance audits can be conducted at any time without warning. The best audit preparation is not a sprint that begins when the audit is announced, but keeping the compliance programme in a state of readiness on an ongoing basis. Institutions that treat audit readiness as a long-standing outlook, not a project to be completed at periodic intervals, always achieve more positive audit results.

The quality, completeness and organisation of compliance documentation is the most significant determinant of the outcome of an MAS audit. Institutions that have complete, well-organised and up-to-date documentation are more effective in demonstrating their posture of compliance than those with substantially similar compliance programmes that are poorly documented. Documentation investment is one of the highest-ROI compliance investments.

MAS auditors have the expertise to distinguish between institutions where compliance systems are in place and part of their day-to-day operations, and institutions where compliance systems are documented but not part of operational practice. Any follow-up supervision engagement will determine that remediation is superficial if it is only done for the record and not designed to change the process and/or control.

Institutions that are proactive in their relationship with MAS — ones that anticipate any non-compliant conduct and self-report it; notify MAS of material changes promptly; and respond to audit requests transparently, constructively, and promptly — over time gain the trust of the supervisor, which in turn means a more proactive relationship. Each regulatory engagement represents an opportunity to reinforce and/or diminish MAS’s confidence in the institution’s compliance culture.

Collaboration with qualified compliance review services in Singapore and compliance advisers specialising in this field offers institutions an independent view, regulatory insights, and expert advice that supplement their internal compliance skills. The most effectively regulated institutions have robust internal teams of compliance staff and have identified and established targeted external relationships to ensure the programme remains aligned with MAS’s current supervisory expectations.

Building a Proactive Compliance Culture

This guide is based on the premise that the best approach to MAS compliance audits isn’t reactive management of each audit event; it’s proactively establishing a culture of compliance in which a positive audit outcome is a natural by-product of the institution’s daily activities. A proactive culture of compliance is defined by the true commitment of the board and senior management to achieving regulatory excellence; compliance and risk functions that are well resourced and empowered; a learning-oriented approach, with compliance gaps and audit findings regarded as opportunities to improve; and a clear relationship with MAS, characterised by accurate reporting, timely notification, and constructive engagement.

Creating that culture is an ongoing investment. For compliance officers, senior management and the boards of MAS-regulated institutions, it is an investment in people, technology, training, governance frameworks and external advisory relationships that will enable compliance to evolve into a strategic competitive advantage, not a cost of regulation. By securing this positioning, institutions can enable MAS, investors, and counterparties to be confident that their compliance programme is truly “best in class” rather than “good enough” for Singapore’s increasingly rigorous financial regulatory landscape, paving the way for sustainable, long-term success. The guidance in this guide is a practical first step in that journey, and for institutions that are ready to go further, hiring an experienced MAS audit consultant in Singapore who is aware of the letter and spirit of MAS’s supervisory expectations is the best next step.