New CSP Regulatory Framework – Raising the Bar on AML Compliance

New CSP Regulatory Framework – Raising the Bar on AML Compliance

The Corporate Service Providers Act 2024 (“CSP Act”) and the Corporate Service Providers Regulations 2025 came into effect in Singapore on 9 June 2025.

These new laws mark a significant step in Singapore’s ongoing efforts to enhance its AML/CFT regime, following the S$3 billion money laundering case that came to light in late 2023. These measures are aimed at tightening oversight of CSPs and curbing the abuse of corporate structures and shell entities for illicit financial activities.

The key obligations under the CSP Act are:

1. CSPs have to be registered.
2. CSPs have duties and responsibilities that they must abide by, including on the prevention of money laundering, proliferation financing and terrorism financing. 
3. Breaches of the obligations can lead to criminal penalties for the CSP and senior management. 

CSPs have to be registered with ACRA

Under the CSP Act, anyone carrying on the business of providing a corporate service must be registered with the Accounting and Corporate Regulatory Authority (ACRA). This also applies to Singapore-based entities that provide corporate services, even if they do not transact with ACRA (e.g. if they provide corporate services exclusively to overseas clients). 

Some examples of regulated corporate services are (see s 2 CSP Act for the full list):

1. Forming a corporation or other legal entity.
2. Acting as a director or secretary.
3. Arranging for another person to act as a director of a company.
4. Providing a registered office or business address for a company.
5. Acting, or arranging for another person to act, as a nominee shareholder.
6. Carrying out ACRA transactions with the ACRA Registrar using the electronic transaction system.

Failure to register with the ACRA is a criminal offence, and can attract a fine not exceeding $50,000 or imprisonment not exceeding 2 years or both. In the case of a continuing offence, a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction may be imposed. 

Duties to prevent money laundering, proliferation financing and terrorism financing

The CSP Act and its accompanying regulations set out very detailed requirements on the types and extent of customer due diligence (“CDD”) measures that CSPs are expected to implement, to prevent money laundering, proliferation financing (financing the proliferation of weapons of mass destruction) and terrorism financing (“ML/PF/TF”).

Under the CSP Act, CSPs must perform CDD measures:

1. Before providing a corporate service to a customer.
2. When the CSP has reason to suspect ML/PF/TF.
3. When the CSP has reason to doubt the veracity or adequacy of information obtained from earlier CDD measures.

The CDD obligations are ongoing obligations. CSPs must conduct ongoing monitoring of every business relationship with a customer. As client relationships develop and new facts come to light, CSPs have to assess whether there are any inconsistencies or red flags that emerge, that can cause reason to doubt any earlier information collected about the customer. 

The CDD measures that CSPs must take under the new law include:

1. Risk assessments - take appropriate steps to identify, assess and understand the risks of ML/PF/TF in relation to all of the following:
   1. Customers.
   2. The countries where its customers are from or in.
   3. The countries it has operations in. 
   4. Its products, corporate services and transactions.
2. Determine the extent of CDD measures to be performed in relation to a customer on a risk-sensitive basis (ie, based on the risk assessment done). For instance,
   1. Simplified CDD measures may be done where the risks of ML/PF/TF are low. 
   2. Enhanced CDD measures must be performed for complex or unusually large transactions, or unusual patterns of transactions that have no apparent or visible economic or lawful purpose.
3. Establish and verify the identity of customers and customers’ agents.
4. Establish and verify the identity of beneficial owners. 
5. Conduct screenings on every customer, agent, connected party and beneficial owner of a customer. In particular, CSPs must conduct sanctions checks to determine whether a designated person (under regulations made under the United Nations Act 2001), or terrorist or terrorist entity (under the Terrorism (Suppression of Financing) Act 2022) is involved.
6. For remote transactions, i.e. when a customer is not physically present for identification, a CSP must take specific and adequate measures to compensate for the higher risk, including ensuring that the customer’s identity is established by additional documents, data or information.
7. CSPs must keep the records that it obtains through the CDD measures. 

If a CSP is for any reason unable to, or chooses not to, complete performing any CDD measure, the CSP must do all of the following:

1. Decline to provide any corporate services to the customer.
2. Terminate any ongoing provision of any corporate services to the customer.
3. Determine whether to make a disclosure under section 45 of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 or section 8 or 10 of the Terrorism (Suppression of Financing) Act 2002.
4. Record the basis of the said determination.

CSPs must develop internal policies, procedures and controls to prevent money laundering, proliferation financing and terrorism financing

Under the new CSP laws, CSPs must develop and implement adequate internal policies, procedures and controls to prevent ML/PF/TF in relation to:

1. CDD measures (including simplified and enhanced CDD measures) and ongoing monitoring (including enhanced ongoing monitoring).
2. Reporting.
3. Record-keeping.
4. Risk assessment and management.
5. Audit of the internal policies, procedures and controls.
6. Monitoring and management of compliance with, and internal communication of, the internal policies, procedures and controls.
7. Hiring and training of employees.
8. Customer screening.

Where a CSP has one or more branches or subsidiaries (including those outside Singapore), it must develop and implement group-wide programmes for preventing ML/PF/TF, which includes policies and procedures for the sharing of information within the group for CDD and risk management, and adequate safeguards on the confidentiality and use of such information.

The new laws impose a duty on CSPs to regularly assess the effectiveness of their internal policies, procedures and controls to combat money laundering, proliferation financing and terrorism financing. CSPs must also ensure that its employees, whether in Singapore or elsewhere, are trained on the laws for the laws for the prevention of money laundering, proliferation financing and terrorism financing, including under the CSP Act/ Regulations, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, and the Terrorism (Suppression of Financing) Act 2002.

Criminal liability for breaches of the AML/CFT/PF requirements

Breaches of these AML/CFT/PF requirements have potential criminal consequences. 

CSPs who breach the requirements may be liable on conviction to a fine not exceeding $100,000 (per breach). 

The senior management of a CSP (e.g. CEO, director, manager) who fail to ensure that the CSP complies with the requirements may also be liable on conviction to a fine not exceeding $100,000 (per breach).

Tightening of requirements for nominee directors of companies

To address the potential misuse of nominee directorship arrangements, the new CSP laws impose new restrictions on the appointment of nominee directors of companies. 

With the new laws, a person can only act as a nominee director of a company if:

1. The person is a registered CSP, or
2. The person has been arranged to do so by a registered CSP.

A breach of this requirement can attract a fine of up to $10,000. 

CSPs must ensure that the person it arranges to act as nominee director of a company are “fit and proper”. To determine whether a person is “fit and proper”, the CSP must take all reasonable steps to satisfy themselves that the nominee director is not disqualified from acting as a director of a company under any written law. In addition, the CSP must consider whether:

1. The person has been convicted of any offence involving fraud or dishonesty, or of any relevant offence;
2. The person is an undischarged bankrupt;
3. The person’s previous conduct and compliance history of the companies of which the person was a director has been satisfactory; and
4. The person has the competency, capacity and capability to properly fulfil the obligations of a nominee director, taking into account the person’s experience and existing commitments, including the number of the person’s existing directorships.

Practical points for clients

It is critical for businesses that currently provide corporate secretarial or directorship services to assess whether they fall within the scope of the new regime, and whether their compliance frameworks comply with the ongoing obligations. These newly codified CDD measures are not mere box-ticking exercises, but require a robust risk-based approach tailored to customer profiles. CSPs can expect heightened scrutiny from regulators and can take this development as an opportunity to holistically review their internal policies, compliance culture and training programmes.