What are the AML/CFT obligations for CSPs? (CSP Act 2024)
The anti-money-laundering and counter-terrorism-financing duties every registered Singapore CSP must meet — CDD, EDD, screening, risk assessment, records and STRs.
What AML/CFT obligations do CSPs have under the CSP Act 2024?
A registered CSP must operate a full anti-money-laundering, counter-terrorism-financing and counter-proliferation-financing (AML/CFT/PF) programme. In plain terms, the CSP must know who its clients are, check them against sanctions and watchlists, judge their risk, keep the evidence, and report suspicion.
These duties took effect on 9 June 2025 and apply to every registered CSP and its senior management. The core building blocks are customer due diligence, enhanced due diligence, screening, risk assessment, record-keeping and suspicious transaction reporting.
What is customer due diligence (CDD) for a CSP?
Customer due diligence means identifying and verifying every customer and the beneficial owners behind them — the natural persons who ultimately own or control the client — before and during the business relationship.
In practice a CSP collects identity documents, establishes the ownership and control structure, understands the purpose of the relationship, and keeps that information current. CDD is not a one-off box-tick; it is refreshed on a risk-sensitive basis throughout the engagement.
When must a CSP apply enhanced due diligence (EDD)?
Enhanced due diligence applies to higher-risk clients. A CSP must go beyond standard CDD when the client presents elevated money-laundering or terrorism-financing risk, including:
- Politically exposed persons (PEPs), their family members and close associates.
- Clients connected to higher-risk or sanctioned jurisdictions.
- Complex or opaque ownership structures designed to obscure beneficial ownership.
- Unusual transactions with no clear lawful or economic purpose.
Do CSPs have to screen clients against sanctions lists?
Yes. A CSP must screen customers and beneficial owners against sanctions lists and watchlists — including United Nations and Singapore-designated lists — at onboarding and on an ongoing basis. A positive or potential match must be investigated and, where warranted, escalated and reported.
Screening is inseparable from CDD: you cannot judge risk without checking names against the lists that define prohibited or high-risk parties.
How long must a CSP keep records?
A CSP must keep customer due diligence and transaction records for at least five years. Records must be sufficient to reconstruct individual transactions and to demonstrate compliance to ACRA on request.
| Obligation | Requirement |
|---|---|
| CDD records | Identity, verification and beneficial-ownership evidence for every client. |
| Transaction records | Details sufficient to reconstruct each transaction. |
| Retention period | At least 5 years. |
| Risk assessment | Documented and kept up to date. |
When must a CSP file a suspicious transaction report (STR)?
When a CSP knows or has reasonable grounds to suspect that funds or a transaction are linked to money laundering, terrorism financing or other criminal conduct, it must file a suspicious transaction report (STR) with the authorities without delay.
The obligation is triggered by suspicion, not proof. Failing to report — or “tipping off” the client that a report has been made — is itself an offence.
What are the penalties for breaching AML/CFT obligations?
Breaching AML/CFT/PF obligations under the CSP Act can attract a fine of up to S$100,000 per breach. Critically, senior management can be held personally liable — compliance is not something a CSP can delegate away and forget.
Because penalties apply per breach, weak controls across many clients can compound quickly. This is why CSPs operationalise CDD, screening and STR workflows rather than relying on ad-hoc checks.
Frequently asked questions
What are the main AML/CFT obligations for a CSP?
Customer due diligence, enhanced due diligence for high-risk clients, sanctions and watchlist screening, a documented risk assessment, record-keeping for at least five years, and filing suspicious transaction reports.
How long must a CSP keep AML records?
At least five years — covering customer due diligence and transaction records sufficient to demonstrate compliance and reconstruct transactions.
What is the penalty for breaching AML/CFT rules under the CSP Act 2024?
A fine of up to S$100,000 per breach, and senior management may be held personally liable.
When does a CSP need enhanced due diligence?
For higher-risk clients — such as politically exposed persons, clients from higher-risk jurisdictions, and complex or opaque ownership structures.
Sources
This article is general information for Singapore corporate service providers, not legal or professional advice. Verify against the primary sources above and your own professional judgement.