EST · MMXXVI
Home/Jurisdictions/Singapore/AML/cft policy drafting in Singapore: Legal Requirements for Businesses
Compliance, AML & Travel Rule

AML/cft policy drafting in Singapore: Legal Requirements for Businesses

Aml/cft policy drafting in Singapore. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBOLUS.

Singapore's Payment Services Act (PSA) requires every licensed digital payment token (DPT) service provider to maintain a written, board-approved AML/CFT policy that maps directly to the Monetary Authority of Singapore's (MAS) Notice PSN02 on prevention of money laundering and countering the financing of terrorism. Failure to produce that documentation on demand is itself a breach – separate from any underlying compliance gap. For a crypto business entering Singapore, the policy document is not an administrative formality; it is the primary artefact regulators examine at the point of licence application, at annual attestation, and during any supervisory inspection.

This page sets out the legal basis, the required content structure, the cross-border complications that catch inbound operators off guard, and the practical process for getting a defensible policy in place.

MAS Notice PSN02, issued under the Payment Services Act, is the operative instrument for DPT service providers. Every DPT licensee – whether holding a standard payment institution (SPI) or major payment institution (MPI) licence – must have a written AML/CFT programme that satisfies the notice in full. The MAS framework draws directly from the Financial Action Task Force (FATF) Recommendations, including Recommendation 15, which treats virtual asset service providers as obligated entities subject to the same standards as banks and money-service businesses.

The notice is not aspirational. MAS expects a policy that names a designated compliance officer, describes the risk-based methodology for customer due diligence (CDD), sets out enhanced due diligence (EDD) triggers, documents the transaction-monitoring logic and thresholds, and contains explicit provisions for the Travel Rule – the obligation to transmit originator and beneficiary data alongside every qualifying transfer. MAS has been explicit in supervisory guidance that generic, template-derived policies attract scrutiny; the document must reflect the specific business model, user base, and transaction flows of the applicant.

In our practice, we see the policy gap most acutely in two scenarios: an offshore-registered entity that has built a product for Singapore users without obtaining a DPT licence, and an MPI applicant that copies a policy from another jurisdiction without adapting it to MAS's risk-categorisation expectations. Both paths carry enforcement risk that compounds the longer the position is left uncorrected.

To assess whether your current documentation meets the MAS standard, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base geography, the banking relationships – change the analysis materially.

What Must a Compliant AML/CFT Policy Actually Contain?

A MAS-compliant AML/CFT policy for a DPT service provider is a structured set of interconnected documents, not a single file. The core components are well-established under the PSA and Notice PSN02.

The risk assessment framework sits at the centre. MAS expects a documented methodology that categorises customers, products, channels and geographies by inherent risk, then describes the controls that bring residual risk to an acceptable level. For a crypto exchange with retail and institutional tiers, that means separate risk matrices for each customer class. The methodology must be updated when the business model changes – not only at annual review.

Customer due diligence procedures must cover the full spectrum: simplified CDD for lower-risk relationships, standard CDD for the general population, and EDD for politically exposed persons (PEPs), high-risk jurisdictions, and customers whose transaction behaviour raises anomalies. For a DPT business, the policy also needs to address wallet attribution – distinguishing self-hosted wallets from custodial accounts and documenting the evidentiary standard applied before a withdrawal is processed.

Transaction monitoring is a distinct chapter. MAS expects documented alert scenarios, calibrated thresholds, an escalation matrix from alert to suspicious transaction report (STR), and records of how the monitoring system has been tested. A policy that describes a monitoring system without specifying how alerts are dispositioned will not satisfy an inspection.

The Travel Rule section deserves particular attention for any operator that transfers DPTs between VASPs. Under the MAS Travel Rule requirements, originator and beneficiary information must accompany transfers above the applicable threshold, and the policy must describe the technical solution (IVMS 101 data standard is the industry baseline), the pre-transaction screening workflow, and the procedure when a counterpart VASP cannot receive the data. Operators sourcing banking from overseas correspondents face an additional layer: some correspondent banks apply stricter thresholds than MAS requires locally, and the policy must reflect the more stringent standard in practice.

Who Is the MLRO, and What Does the Role Require in Singapore?

The Money Laundering Reporting Officer (MLRO) – the senior individual designated to own the AML/CFT function – is a named, approved individual whom MAS expects to be genuinely senior, resident in Singapore, and capable of direct board reporting. Under the PSA framework, the MLRO's responsibilities are not delegable below a certain threshold: the officer must sign off on STR filings, own the annual compliance review, and attest to the board that the programme is operating effectively.

Several inbound operators we advise assume that a group compliance officer based in a European head office can serve as Singapore MLRO via remote designation. MAS's supervisory expectations effectively preclude that model for an MPI licensee; an SPI may have more flexibility in the early stages, but regulators increasingly expect local substance to match the licence tier. The practical consequence is a staffing cost that must be built into the Singapore operating budget before the application is filed – not discovered after licensing.

The MLRO designation also creates a personal accountability dimension. If an STR is filed late, or if the transaction-monitoring system produces systematic false negatives because alert thresholds were set too high, the MLRO faces direct regulatory exposure, not only the entity. Experienced operators structure the role with a defined escalation path to legal counsel for complex cases. We regularly advise on how to document that escalation path so it functions both as an operational control and as a record of good-faith compliance effort.

How the Travel Rule Changes the Policy Architecture for Cross-Border Operators

The FATF Travel Rule – applied in Singapore through the MAS PSA framework – requires VASPs to obtain, hold, and transmit originator and beneficiary data for qualifying DPT transfers. The obligation runs in both directions: a Singapore-licensed VASP sending funds to an overseas VASP must transmit the data, and one receiving funds from abroad must verify it.

The cross-border dimension creates asymmetric compliance risk. A Singapore VASP transacting with a counterpart in a jurisdiction that has not yet implemented the Travel Rule faces a gap: the outbound data is transmitted, but nothing confirmable comes back on inbound transfers. MAS expects the policy to address this gap explicitly – typically through a tiered approach that applies EDD to transfers originating from non-compliant jurisdictions and documents the rationale for each risk decision.

For operators that also hold licences in the EU – where MiCA and the EU Transfer of Funds Regulation apply – the policy architecture must accommodate two regimes simultaneously. The data fields required, the de-minimis thresholds, and the treatment of self-hosted wallets differ between the MAS framework and the MiCA / EU regime. A policy drafted for Singapore alone will not satisfy ESMA's expectations, and a MiCA-compliant policy transplanted to Singapore will not satisfy MAS. Operators sitting across both jurisdictions need a modular policy architecture: a common framework with jurisdiction-specific annexes.

In a recent compliance mandate, a payments company operating across Singapore and multiple EU markets had structured its Travel Rule compliance around a single policy designed for a European jurisdiction. When it sought MPI licensing in Singapore, MAS's review identified gaps in the wallet-attribution methodology and the escalation matrix for non-compliant counterpart VASPs. We restructured the policy into a core document and two jurisdiction-specific annexes, addressed the wallet-attribution gap, and the entity proceeded to licence approval. The timeline from engagement to a submission-ready policy was a matter of weeks.

The Application Process: When the Policy Is Submitted and How It Is Reviewed

MAS reviews the AML/CFT policy at multiple points in the DPT licensing process, not only on initial application. At the application stage, the policy is part of the substantive submission alongside the business model description, risk management framework, and shareholder structure. MAS may issue detailed queries on the policy document during the vetting process; response timelines are typically measured in weeks per round, and multiple rounds are common for complex applicants.

Post-licensing, the policy is a living document. MAS expects an annual review certified by the board, and the MAS supervisory inspection process – which MAS can initiate at its discretion for any licensed entity – treats the policy as the baseline against which actual practice is measured. Divergence between the documented procedure and what staff actually do is a common inspection finding and carries consequences disproportionate to the underlying gap.

For inbound operators, the timing of policy preparation matters. A business that begins drafting the policy only after deciding to apply for a Singapore DPT licence typically discovers structural issues – the MLRO appointment, the transaction-monitoring vendor, the data-sharing agreements with group entities – that take longer to resolve than the documentation itself. We advise clients to begin the policy-drafting process in parallel with the entity-structure decision, not after it.

If a prior application stalled or a supervised review identified gaps, a second read often surfaces the structural reason and the route forward. Contact OBOLUS at info@oboluslaw.com to discuss.

How AML Posture Interacts with Banking and Tax Structuring

A DPT licensee's AML/CFT policy does not exist in isolation. Singapore banks – already among the most cautious in Asia-Pacific when onboarding crypto clients – conduct their own AML review of prospective corporate clients that hold or apply for DPT licences. The quality of the AML/CFT policy materially affects whether a Singapore-incorporated entity can open and maintain an SGD operating account.

We have seen operators with technically valid MPI licences lose their primary banking relationship because the policy they showed the bank was the regulator-facing version, which contained risk language the bank's compliance team read as a liability signal. The solution is not a softer policy; it is a policy that is accurate, defensible, and framed to a sophisticated institutional reader. The language used to describe high-risk customer categories, for example, should reflect the actual risk controls in place rather than cataloguing every conceivable risk in terms that suggest the business expects to encounter them routinely.

From a tax-structuring angle, the Singapore AML/CFT policy interacts with the substance analysis that underpins the entity's claim to tax residency and to treaty access. If the MLRO and key decision-makers are offshore, the substance argument weakens simultaneously with the regulatory argument. A structure in which the Singaporean entity is genuinely managed and controlled from Singapore – with an MLRO, a compliance function, and a board that meets in Singapore – is both more defensible to MAS and more coherent for IRAS and for treaty purposes.

Common Mistakes That Cost Operators Time and Licensing Momentum

A common assumption among inbound operators is that a single offshore licence – typically in a lighter-touch jurisdiction – is sufficient to serve Singaporean customers from abroad. That assumption is incorrect. MAS takes an effects-based view of its jurisdiction: if a service is marketed to, or actively used by, Singapore residents, MAS may regard the operator as requiring a DPT licence regardless of where the entity is incorporated. Operating without the right licence in that environment exposes the business to enforcement action, frozen banking rails and reputational damage that is difficult to reverse quickly.

Beyond the jurisdictional question, the most common documentation mistakes in our experience are: a policy that names risk controls without describing who is responsible for executing them; a transaction-monitoring section that lists alert scenarios without stating how exceptions are resolved; and a sanctions-screening section that refers to OFAC and UN lists without addressing MAS's own sanctions requirements under the Singapore financial sanctions regime. Each gap is individually addressable, but finding them on the eve of an inspection rather than before submission is expensive in both time and regulatory capital.

We also regularly see policies that have not been updated to reflect the FATF guidance on virtual assets issued since 2019. MAS supervisors are familiar with that guidance and will ask whether the policy reflects it. A policy that predates the most recent FATF updates, or that was drafted to an earlier version of Notice PSN02, needs to be refreshed before any regulatory interaction.

Self-Assessment: Is Your AML/CFT Policy Submission-Ready?

The following questions reflect the threshold an MAS-compliant policy must clear. A "no" or "not sure" answer to any of them signals a gap that should be addressed before application or inspection.

  • Does the policy reflect the current version of MAS Notice PSN02 and any subsequent supervisory guidance?
  • Is the MLRO named, senior, and Singapore-resident, with a documented reporting line to the board?
  • Does the risk methodology distinguish between customer categories, product types, and geographic risk in terms specific to the business?
  • Does the transaction-monitoring section name the system, the alert logic, the escalation matrix, and the STR filing timeline?
  • Does the Travel Rule section describe the technical solution, the threshold applied, the wallet-attribution methodology, and the procedure for non-compliant counterpart VASPs?
  • Has the sanctions-screening section been mapped to both MAS's local requirements and the international lists the business is contractually or operationally required to screen against?
  • Has the policy been reviewed by a qualified practitioner in the current calendar year, or since any material change to the business model?
  • Does the entity's actual practice match the documented procedures – and is there evidence of that alignment (training records, alert logs, STR register)?

If your structure, entity, or banking is changing, the policy must change with it. We map the licence, AML, and banking stack across operating, custody and payment layers before you commit to a structure. To pressure-test your policy before the next regulatory interaction, message us via t.me/oboluslaw.

Related at OBOLUS

FAQ

What does the Travel Rule require from a VASP?

Under the FATF Recommendation 15 framework – implemented in Singapore through MAS Notice PSN02 – a VASP must obtain originator and beneficiary information and transmit that data to the receiving VASP alongside every qualifying DPT transfer. The data standard most commonly used is IVMS 101. The obligation applies in both directions: outbound and inbound transfers. Where a counterpart VASP cannot receive or supply the required data, the sending VASP's policy must describe the risk decision and the escalation path.

Who must act as MLRO for a crypto firm?

MAS expects the Money Laundering Reporting Officer to be a senior individual who is Singapore-resident, has genuine authority to file suspicious transaction reports and to escalate compliance issues to the board, and is not so operationally burdened that the compliance function is effectively unsupervised. For an MPI licensee, a remote or part-time designation – such as a group compliance officer based abroad – is unlikely to satisfy MAS's supervisory expectations. The appointment must be documented and the individual must be identified in the AML/CFT policy.

How do regulators audit crypto AML programs?

MAS supervisory inspections for DPT licensees typically assess whether actual practice matches the documented policy, whether alert dispositions and STR filings are timely and well-reasoned, whether CDD and EDD records are complete, and whether the Travel Rule solution is operational rather than theoretical. MAS may also request evidence of board oversight: minutes, attestation letters, and training records. A policy that accurately reflects operations is far easier to defend than one that overstates controls that are not yet implemented.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the AML/CFT, Travel Rule and sanctions compliance that sit at the centre of every digital-asset operation. Digital assets are the whole of our practice. We map the licence stack across operating, custody and payment layers before clients commit – and when enforcement or banking issues arise, our disputes team coordinates freezing relief and on-chain tracing across leading common-law forums. To discuss your Singapore AML/CFT posture, contact info@oboluslaw.com.

By Victor Olsen, Regulatory & Compliance Analyst – specialising in MAS payment services licensing and AML/CFT programme design for digital-asset businesses entering Singapore and the broader APAC region.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours