# MAS, AML/CFT & the CSP Act 2024

> The anti-money-laundering framework a Singapore corporate service provider works under — who supervises it, the Corporate Service Providers Act 2024, the RQI requirement, customer due diligence, record-keeping and suspicious-transaction reporting.

_Updated 2026-07-11_

Source: /help/regulatory/mas-aml

**In short:** The Corporate Service Providers Act 2024 (in force 9 June 2025) makes a registered CSP complete customer due diligence before providing services, keep records for at least 5 years, and have at least one Registered Qualified Individual (RQI). Suspicious transactions are reported under the CDSA. In-product screening runs on demo data until a provider is connected — always labelled.

> **Note:** Statutory statements here come from CorpSec AI’s verified citation table. The exact RQI firm cap and the detailed STR reporting mechanics are labelled “to be confirmed by counsel”. Screening inside the product runs on demo data until a real provider is connected — the record flags it. This is general information, not legal advice.

## Who supervises AML/CFT for CSPs

MAS — the Monetary Authority of Singapore — is Singapore’s central bank and integrated financial regulator, and the driving force behind the country’s anti-money-laundering and counter-financing-of-terrorism (AML/CFT) regime. MAS sets AML/CFT expectations across the financial sector and coordinates national AML/CFT policy.

For corporate service providers specifically, ACRA is the registering and supervising authority under the Corporate Service Providers Act 2024. In practice a CSP operates inside the national AML/CFT framework MAS anchors, while being licensed and inspected by ACRA. IRAS sits alongside for tax matters (e.g. stamp duty on share transfers, corporate tax filings).

- MAS: national AML/CFT framework and financial-sector supervision.
- ACRA: registers and inspects CSPs; enforces CSP-specific obligations.
- IRAS: tax authority — corporate tax, ECI, and stamp duty (e-Stamping).

## The Corporate Service Providers Act 2024

This is the statute that turned CSP AML/CFT expectations into hard, registrable obligations.

- In force from 9 June 2025 (the Corporate Service Providers Regulations 2025, S 292/2025).
- A registered CSP must complete customer due diligence before providing services.
- A CSP must keep records for at least 5 years.
- A CSP must have at least one Registered Qualified Individual (RQI).

> **Note:** Verified against the CSP Act 2024 and CSP Regulations 2025 (S 292/2025) and ACRA guidance. Reference: the Corporate Service Providers Act 2024. See also the Resources explainer The CSP Act 2024 and Who must register as a CSP.

## The Registered Qualified Individual (RQI)

Every CSP must have a person answerable for its regulated conduct — the RQI. There are limits on how thinly one RQI can be spread, and a separate threshold for acting as a nominee director.

- An RQI may act for a limited number of CSP firms — the cap is expressed by number of firms (approximately two, subject to case-by-case application), not by number of companies.
- A separate rule applies to acting as a nominee director for more than 50 companies, which triggers a capacity assessment under a distinct rule set.

> **Heads up:** To be confirmed by counsel: the exact RQI firm cap and the nominee-director capacity threshold should be confirmed against the Regulations with qualified counsel before you rely on a specific number. The common error is to state the cap in terms of “number of companies” — the cap is by number of CSP firms. Not legal advice. See the RQI explainer and nominee-director requirements.

## The AML/CFT obligation framework

A CSP’s AML/CFT duties are not a single task but a programme. Under the Corporate Service Providers Act 2024 and the wider AML/CFT framework, a registered CSP is expected to run the whole cycle below — and to be able to show it did. Exact clause references sit in the CSP Act 2024 and its Regulations and are to be confirmed by counsel; we describe the obligations, not sub-clause numbers we have not verified.

| Obligation | In one line | In CorpSec AI |
| --- | --- | --- |
| Firm-wide risk assessment | Understand the ML/TF risks your practice is exposed to. | Informs the risk model; the firm policy is your own |
| Customer due diligence (CDD) | Identify and verify the client and its beneficial owners before you act. | KYC dossier + hard gate (live); screening on demo data |
| Enhanced due diligence (EDD) | Do more for higher-risk clients (PEPs, complex ownership). | EDD prompts on higher risk (demo where screening-driven) |
| Ongoing monitoring | Keep the picture current; re-check on a risk-driven cycle. | Periodic KYC radar (live) |
| Screening | Check parties against sanctions / PEP / adverse-media lists. | Runs on demo data until a provider is connected |
| Record-keeping | Retain CDD and transaction records (≥ 5 years). | Dossier + append-only audit log (live) |
| Suspicious-transaction reporting | Report suspicion to the STRO under the CDSA. | Not filed by the product — your MLRO does this |
| Policies, training, compliance officer | Have written policies, train staff, appoint a responsible officer. | Supported by roles and audit trail; policy is your own |

> **Note:** The badges above are honest: “live” features run on your real data; screening and screening-driven EDD run on demo data until you connect a provider; the firm-wide policy and STR filing stay with your firm. Detail on each row follows.

## Firm-wide risk assessment

Before client-level work, a CSP is expected to understand the money-laundering and terrorism-financing risks its own practice faces — the client types, jurisdictions, services and delivery channels it deals in — and to set its risk appetite and controls accordingly.

- Assess and document the ML/TF risks across your client base and services.
- Let that assessment drive your client risk-rating model and where you apply enhanced measures.
- Review it periodically and whenever your practice changes materially.

> **Note:** The firm-wide risk assessment and written AML/CFT policy are your firm’s own documents. CorpSec AI’s per-client risk rating and periodic radar operationalise your policy; they do not replace it. Basis: the Corporate Service Providers Act 2024 and its Regulations — exact clauses to be confirmed by counsel. Not legal advice.

## Customer due diligence (CDD)

CDD is the practical heart of a CSP’s AML/CFT duties: know who your client really is before you act for them, and keep that knowledge current.

- Identify and verify the client and its beneficial owners (the controllers behind the company).
- Assess and record a risk rating; apply enhanced due diligence to higher-risk clients.
- Screen the parties against sanctions, PEP and adverse-media lists.
- Keep CDD current through periodic review, on a cadence driven by risk.

> **Heads up:** Screening inside CorpSec AI runs on demo data until a screening provider is connected, and is badged “Demo data” when it does. Connect a provider before relying on it as a genuine watchlist check. How the product enforces the CDD gate is covered in KYC & compliance.

## Enhanced due diligence (EDD)

Higher-risk relationships call for more than standard CDD. Where a client is higher risk — for example a politically exposed person (PEP), a complex or opaque ownership structure, or a higher-risk jurisdiction — a CSP applies additional measures before and during the engagement.

- Obtain and verify more information on the client, its beneficial owners and its source of wealth/funds.
- Apply senior-management sign-off for higher-risk onboarding where your policy requires it.
- Monitor the relationship more closely and review it more often.

> **Heads up:** EDD triggers that depend on screening (PEP / adverse-media hits) run on demo data in CorpSec AI until a provider is connected, and are badged accordingly. The obligation and its triggers derive from the CSP Act 2024 and its Regulations — exact clauses to be confirmed by counsel. Not legal advice.

## Ongoing monitoring

CDD is not a one-off at onboarding. A CSP keeps its knowledge of the client current — refreshing due diligence on a cadence set by the client’s risk, and revisiting it when something changes (a new controller, a change of activity, an adverse-media hit).

- Refresh CDD periodically — sooner for higher-risk clients.
- Re-screen and re-rate on review, and record the outcome.
- Trigger an off-cycle review on a material change.

> **Note:** CorpSec AI’s periodic KYC radar surfaces reviews that are due or overdue as real tasks — see the periodic KYC playbook. The review outcome is written to the append-only audit log.

## Record-keeping

The CSP Act sets a floor for how long your due-diligence and transaction records must be retained.

- Keep records for at least 5 years.
- In CorpSec AI, the CDD dossier, the append-only audit log and generated-document fingerprints together give a reconstructable record — see Prepare for an ACRA inspection.

## Suspicious-transaction reporting (STR)

Where a CSP forms a suspicion of money laundering or related offences, it has a reporting obligation. Reports are made under Singapore’s primary confiscation-of-benefits statute.

- Suspicious transactions are reported under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (the CDSA), to the Suspicious Transaction Reporting Office.

> **Heads up:** To be confirmed by counsel: the precise triggers, timing and mechanics of an STR are a legal-compliance matter and should be confirmed with qualified counsel and your MLRO — CorpSec AI does not file STRs for you. This is general context, not legal advice.

## Internal policies, training & the compliance officer

The obligations above have to live inside a programme. A CSP is expected to put its AML/CFT approach in writing, keep staff trained, and give someone clear responsibility for compliance and for reporting suspicion.

- Maintain written AML/CFT policies and procedures proportionate to your risk.
- Provide ongoing staff training so the people doing CDD know what to look for.
- Appoint a person responsible for AML/CFT compliance and suspicious-transaction reporting — commonly a money-laundering reporting officer (MLRO).
- Keep the programme under independent review proportionate to the size of the firm.

> **Note:** These are firm-level responsibilities CorpSec AI supports (roles and four-eyes approval, the append-only audit trail, the CDD gate) but does not discharge for you. The RQI and MLRO are people in your firm. Basis: the Corporate Service Providers Act 2024 and its Regulations, read with the AML/CFT framework — exact clauses to be confirmed by counsel. Not legal advice.

## What non-compliance can cost

AML/CFT breaches are treated seriously. A registered CSP that fails its obligations can face regulatory and, in serious cases, criminal consequences.

- ACRA can take regulatory action against a registered CSP — from directions and financial penalties to suspension or cancellation of registration (measures and amounts under the CSP Act 2024 / Regulations — to be confirmed by counsel, not asserted here).
- Failing to report a suspicion, or tipping off, can carry criminal liability under the CDSA (exact offences and penalties to be confirmed by counsel).
- Individuals — including the RQI — can be held personally accountable for the firm’s failings.

> **Heads up:** To be confirmed by counsel: the specific penalties, thresholds and offences under the CSP Act 2024, its Regulations and the CDSA are legal-compliance matters — we do not state amounts we have not verified. Confirm with qualified counsel and your MLRO. Not legal advice.

## Frequently asked questions

### Is CorpSec AI itself the RQI or my AML compliance officer?

No. CorpSec AI is a tool that helps your firm run CDD, keep records and stay inspection-ready. The RQI and your money-laundering reporting officer are people in your firm with legal responsibilities the software supports but does not replace.

### Does the product screen against real sanctions and PEP lists?

Screening runs on demo data until you connect a screening provider, and every screening result is labelled “Demo data” until then. Connect a provider before relying on screening for a real watchlist check.

### Where do I see the underlying obligations in plain English?

The Resources hub carries explainers on the CSP Act 2024, who must register, the RQI, and AML/CFT obligations for CSPs. This help page focuses on the framework and how CorpSec AI supports it.

## Related

- [ACRA & the Companies Act 1967](/help/regulatory/acra)
- [CSP practice & the RFA / QI regime](/help/csp-practice)
- [Singapore CSP glossary](/help/glossary)
- [KYC & compliance (module guide)](/help/kyc-compliance)
- [AML/CFT obligations for CSPs (Resources)](/resources/csp-aml-cft-obligations)
