Singapore KYC & AML Compliance Guide 2026
Singapore did not write new rules after 2023. It started checking, with evidence, whether institutions actually run the rules they already have.
This guide shows compliance, fraud, and operations teams how to rebuild onboarding and AML controls around MAS enforcement expectations, the NRIC authentication migration, MyInfo and FIN-holder verification, source-of-wealth evidence standards, and the AI fraud now hitting the onboarding stage.
The Shift
Why are Singapore institutions rebuilding KYC workflows after 2023?
On 15 August 2023, Singapore police arrested ten foreign nationals tied to a S$3 billion money laundering network. Proceeds from overseas fraud, illegal gambling, and other serious crime had moved through respected local institutions using falsified documents, opaque corporate structures, and unverified source-of-wealth claims. It remains the largest laundering case in the country's history.
The case did not dent Singapore's standing as a financial centre. It reset the enforcement bar for everyone operating inside it. MAS reviewed the failures and found five patterns that repeat across institutions, and then it built the machinery to catch them.
Five failure patterns MAS identified
Risk Assessment
Customer risk assessment that was thin or never refreshed at onboarding.
Source of Wealth
Source of wealth collected but never independently corroborated for high-value customers.
Transaction Monitoring
Transaction-monitoring alerts that fired but were not properly reviewed.
Due Diligence
Enhanced due diligence that existed on paper but was applied inconsistently.
Governance
Governance that let compliance frameworks lag behind business growth.
Singapore's AML response, on a timeline

Two milestones matter most for how you onboard. The National AML Strategy, published 30 October 2024 by MAS and the Ministry of Finance, set a three-part approach: stronger pre-onboarding prevention, active detection through analytics and inter-agency sharing, and firm enforcement proportionate to the failure at any size of institution.
COSMIC, launched 1 April 2024, changes the maths. It lets financial institutions share customer information where money laundering, terrorism financing, or proliferation financing is suspected, with MAS running the hub and DBS, HSBC, OCBC, Standard Chartered, UOB, and Citibank Singapore as founding participants. Suspicious activity one bank cannot see alone becomes visible once shared, so weak controls that used to stay private now surface.
The Enforcement Reality
What did MAS actually penalise in July 2025?
On 4 July 2025, MAS fined nine financial institutions a total of S$27.45 million. Every one had written compliance policies. The penalties were not for missing policy; they were for execution: procedures applied unevenly, evidence not generated, and governance that tolerated the gap between what the policy said and what staff did.
Scale and reputation did not decide who got fined. The quality of control execution did, and the penalty summaries name four failure categories that map straight to fixes you can make before the next supervisory cycle.

| Breach category | What MAS found | Evidence MAS expects | Control response |
|---|---|---|---|
| Customer risk assessment | High-value customers accepted without real risk profiling; ratings never updated as profiles changed | Documented risk rationale per customer; approval records for tier upgrades; review trail for higher-risk categories | Risk engine with configurable scoring and documented escalation for rating changes |
| Source of wealth | Documentation collected but not independently verified; beneficial owners not identified; conflicts left unresolved | Independent corroboration; discrepancy notes with resolution; ownership chain with verified identities | SoW workflow with an evidence checklist and an MLRO review gate for unresolved discrepancies |
| Transaction monitoring | Systems flagged suspicious activity; alerts were not adequately reviewed or escalated | Case notes per alert, escalation records, SLA evidence, and SAR decisions with rationale | Case management with SLA enforcement and an audit trail on every reviewed alert |
| Enhanced due diligence | EDD lived in policy documents but was applied inconsistently; escalation paths not followed | EDD checklist completion per higher-risk customer; MLRO or committee approval; periodic review schedule | Tiered onboarding with mandatory EDD gates for higher-risk segments |
Read the matrix as a self-diagnostic: the right-hand column is what a MAS supervisor expects to find in the file, not what your policy promises.
Before the next supervisory cycle, four questions are worth asking. Can you prove why a customer sits in their current risk tier, who decided, and when? Can you show who reviewed the source-of-wealth evidence for each higher-risk customer, and what they concluded? For every alert closed in the past 12 months, can you produce the case note, the reviewer, and the rationale? And for each higher-risk customer, can you show when EDD was triggered, who approved it, and the review schedule?
Regulatory Architecture
Which MAS framework applies to your institution?
MAS Notice 626 gets most of the coverage in compliance writing, but it applies to banks. Singapore's wider financial sector runs on a network of separate AML/CFT notices, and non-bank institutions routinely under-scope their obligations by treating Notice 626 as the universal reference.
Find your institution type first. The notice that governs you sets the depth of verification, the data-residency question, and the workflow you have to design around.
| Institution type | Primary AML/CFT notice | What it changes for your IDV workflow |
|---|---|---|
| Banks | MAS Notice 626 | Heavier scrutiny on SoW, EDD, and alert review; on-premise deployment may be needed for data residency |
| Merchant banks | MAS Notice 1014 | Same verification depth as banks; smaller volumes can allow more manual EDD |
| Payment service providers | MAS Notice PSN01 | High-volume, low-value onboarding; low tolerance for manual delay, so automated routing is essential |
| Capital markets intermediaries | SFA AML/CFT notices | Client base skews to PEPs and high-net-worth non-residents; SoW and EDD depth are the design priority |
| Trust companies | TCA-N03 | Deep UBO tracing and legal-arrangement verification; complex structures need KYB at depth |
| Variable capital companies | VCC-N01 | Beneficial ownership traced through fund and sub-fund structures, sometimes verified separately |
| DPT service providers | Payment Services Act 2019 | Wallet screening, Travel Rule for crypto transfers, and on-chain monitoring; blockchain-native risk signals required |
If your controls were built around Notice 626 and you are not a bank, pull your specific notice and confirm your platform supports its distinct obligations, whether that is PSN01 payment thresholds, DPT Travel Rule workflows, or TCA-N03 beneficial-ownership depth.
Customer Segments
Which Singapore customers need which verification path?
The popular shorthand, "citizens onboard instantly and everyone else waits", is commercially neat and operationally wrong. FIN holders with valid Employment Passes, S Passes, Dependant Passes, and Long-Term Visit Passes can register for Singpass and may hold MyInfo profiles, provided they are 15 or older and hold a valid ICA pass.
MyInfo completeness varies. A recent arrival may have very little government-held data populated, so a path that assumes a full MyInfo profile will break. The design has to route by segment and fall back to documents wherever data has gaps.
Singapore citizen or PR
Holds a valid FIN (EP / S Pass / DP / LTVP)
New arrival with an IPA letter
Non-resident investor or director
Corporate entity or UBO
Note: Singpass eligibility does not guarantee complete MyInfo data. FIN holders who registered recently, or whose employer has not updated ICA records, may have partial profiles. Your platform has to support document-based fallback for those gaps, or you will either over-verify a clean profile and lose the customer, or under-verify a high-risk one and fail a review.
The full six-segment model in the guide adds MyInfo eligibility and the exact controls for each path, from citizens and PRs through FIN holders, new arrivals with IPA letters, non-resident investors, foreign corporate UBOs, and DPT or PSP wallet users.
The Fraud Threat
What fraud is hitting Singapore onboarding in 2026?
Singapore's identity-fraud picture has changed in two years. Three typologies now drive onboarding-stage losses and each exploits a different blind spot in traditional KYC. A fourth, the digital injection attack, bypasses the camera entirely.
The thread running through all four is simple. A control tuned for a 2020 threat model passes the attacker through. The mule case is the sharpest example, because the document, the face, and the person are all real.
- Stage 1: Capture
- Stage 2: Liveness check
- Stage 3: Face match
- Stage 4: AML & decision

- Digital injection (hits Stage 1): Bypasses the camera, injecting synthetic media at the API layer.
- Deepfake video (hits Stage 2): Defeats motion-based liveness with AI-generated video.
- Synthetic identity (hits Stage 3): Fabricated identity plus real biometrics, with no database match.
- Mule account (hits Stage 4): Real person, real document, real biometric, passes every stage.
On mules specifically, the Singapore Police Force placed 550 individuals under banking restrictions and 801 under telecommunications restrictions for mule-related activity as of February 2026. The risk signal is not the identity, it is the behaviour. Watch the gap between onboarding and first transaction, the velocity of activity, and the distance between stated occupation and actual account use.
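The three behavioural signals named above can be computed from onboarding and transaction records. The following is an added example, not code from this guide or from any vendor: the record layout, the signal names, and all three thresholds are assumptions chosen for illustration, and the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed flag thresholds; calibrate against your own portfolio and risk appetite.
DORMANCY_FLAG = timedelta(days=60)   # onboarding-to-first-transaction gap
VELOCITY_FLAG = 10                   # transactions inside any rolling 24 hours
INFLOW_RATIO_FLAG = 5.0              # 30-day inflow vs stated monthly income


@dataclass
class Account:
    account_id: str
    onboarded_at: datetime
    stated_monthly_income: float  # SGD, from the onboarding declaration
    txns: list                    # (timestamp, amount in SGD); positive = inbound


def peak_24h_count(times):
    """Largest number of transactions in any rolling 24-hour window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(hours=24):
            start += 1
        best = max(best, end - start + 1)
    return best


def mule_signals(acct):
    """Return the behavioural flags raised by one account's history."""
    if not acct.txns:
        return []  # nothing to assess until the account is used
    times = sorted(t for t, _ in acct.txns)
    first = times[0]
    signals = []
    if first - acct.onboarded_at >= DORMANCY_FLAG:
        signals.append("dormancy_gap")
    if peak_24h_count(times) >= VELOCITY_FLAG:
        signals.append("velocity")
    window_end = first + timedelta(days=30)
    inflow = sum(a for t, a in acct.txns if a > 0 and t <= window_end)
    if inflow >= INFLOW_RATIO_FLAG * acct.stated_monthly_income:
        signals.append("profile_mismatch")
    return signals


# Constructed sample accounts (not real customer data).
_burst = datetime(2025, 11, 20, 9, 0)
DORMANT_BURST = Account(
    "A-001", datetime(2025, 9, 1), 3000.0,
    [tx for i in range(6) for tx in (
        (_burst + timedelta(minutes=30 * i), 4000.0),        # inbound
        (_burst + timedelta(minutes=30 * i + 10), -3900.0),  # passed straight out
    )],
)
SALARIED = Account(
    "A-002", datetime(2025, 9, 1), 6000.0,
    [(datetime(2025, 9, 5, 10, 0), 6000.0), (datetime(2025, 9, 6, 12, 0), -120.0),
     (datetime(2025, 9, 10, 18, 0), -800.0), (datetime(2025, 9, 15, 8, 0), -60.0)],
)
UNUSED = Account("A-003", datetime(2025, 9, 1), 4000.0, [])

if __name__ == "__main__":
    for acct in (DORMANT_BURST, SALARIED, UNUSED):
        print(acct.account_id, mule_signals(acct))
```

Each flag should open a case with its own note and reviewer, so the alert leaves the review trail described in the breach matrix.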
One certification note worth carrying into vendor calls. iBeta PAD Level 1, Level 2 and Level 3 confirm a liveness solution can defeat static images, pre-recorded video, and 3D masks. It does not, on its own, prove defence against modern injection attacks or AI-generated video. Ask for test evidence on deepfake, replay, screen-presentation, and digital-injection attack types specifically.
One connected verification stack for MAS-regulated onboarding
See how MyInfo routing, document fallback for FIN holders, deepfake-resistant biometric authentication and AML screening against 3500+ watchlist sources come together for Singapore onboarding, mapped to MAS expectations on a single page.
The 31 December 2026 Deadline
Who must stop using NRIC for authentication, and by when?
On 2 June 2025, MDDI, the Personal Data Protection Commission, and the Cyber Security Agency of Singapore issued a joint advisory: private organisations must stop using NRIC numbers as authentication credentials by 31 December 2026, with PDPC enforcement stepping up from 1 January 2027.
The trap is a single word. Identification is still required. Authentication is what gets banned. Miss the distinction and you either keep an illegal credential live or rip out a number you are still obliged to collect.
Countdown to the NRIC authentication deadline
31 December 2026
Roughly eight months from April 2026 · PDPC enforcement begins 1 January 2027
Identification
Permitted
- ✓ Collecting an NRIC number during KYC onboarding for AML/CFT
- ✓ Using NRIC as an internal unique customer identifier
- ✓ Requesting NRIC to identify a customer during a service interaction
Authentication
Prohibited from 31 Dec 2026
- ✕ Using NRIC numbers as passwords or PINs
- ✕ Setting NRIC as a default or reset credential
- ✕ Combining NRIC with easily obtained data (DOB, address) to form an authentication factor
- ✕ Using NRIC as a security credential that controls account access
The work runs in three phases. Discovery maps every customer-facing flow, backend default, call-centre script, and password-reset path that uses NRIC as a credential. Architecture picks the replacement, biometric with anti-deepfake detection, MFA, or device-bound credentials, and designs accessible fallbacks. Implementation notifies customers, retrains agents, runs parallel systems, and assesses fraud risk, since migration windows see elevated account-takeover attempts. With under eight months left from April 2026, institutions on complex legacy systems that have not started vendor procurement face a real risk of missing the deadline.
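One discovery-phase check is to test your own credential store for accounts whose current password is still an NRIC-derived default or reset value. The following is an added example, not code from this guide or from the advisory: the record layout, the PBKDF2 parameters, and the candidate patterns are assumptions, and the NRIC values are constructed placeholders.

```python
import hashlib
import hmac
from datetime import date

ITERATIONS = 10_000  # assumed work factor, kept low so the demo runs quickly


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for whatever KDF the store really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def nric_derived_candidates(nric: str, dob: date) -> dict:
    """Values an NRIC-based default or reset scheme would have produced."""
    n = nric.strip().upper()
    ddmmyyyy = dob.strftime("%d%m%Y")
    return {
        "full NRIC (upper)": n,
        "full NRIC (lower)": n.lower(),
        "NRIC digits only": n[1:8],
        "last 4 characters": n[-4:],
        "NRIC + DOB": n + ddmmyyyy,
        "last 4 + DOB": n[-4:] + ddmmyyyy,
    }


def audit_credentials(records: list) -> list:
    """Flag accounts whose stored hash matches an NRIC-derived candidate.

    Findings carry only the customer id and the pattern name, so the audit
    output never contains an NRIC or a working credential.
    """
    findings = []
    for rec in records:
        candidates = nric_derived_candidates(rec["nric"], rec["dob"])
        for label, candidate in candidates.items():
            derived = hash_password(candidate, rec["salt"], rec["iterations"])
            if hmac.compare_digest(derived, rec["pw_hash"]):
                findings.append({"customer_id": rec["customer_id"], "pattern": label})
                break  # one finding per account is enough to force a reset
    return findings


def _make(cid: str, nric: str, dob: date, password: str) -> dict:
    """Build one constructed record; the deterministic salt is for the demo only."""
    salt = hashlib.sha256(cid.encode()).digest()[:16]
    return {"customer_id": cid, "nric": nric, "dob": dob, "salt": salt,
            "iterations": ITERATIONS, "pw_hash": hash_password(password, salt)}


# Constructed sample store; the NRIC strings are placeholders, not real numbers.
SAMPLE_STORE = [
    _make("C-1001", "S0000001A", date(1990, 5, 17), "S0000001A"),     # NRIC left as default
    _make("C-1002", "T0000002B", date(2001, 11, 3), "002B03112001"),  # reset to last 4 + DOB
    _make("C-1003", "F0000003C", date(1985, 1, 9), "correct horse battery staple"),
]

if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_STORE):
        print(finding)
```

Accounts it flags belong in the migration backlog for forced reset; the same candidate list can be reused to reject NRIC-derived values at password-change time.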
Source of Wealth
What source-of-wealth evidence does MAS expect you to verify?
Source of wealth became the defining test of compliance quality after July 2025. Several penalised institutions collected SoW documentation, then failed to show the stated origins were independently corroborated, specific enough to the claimed wealth level, and consistent with the customer's profile and conduct. The gap between collecting a document and assessing it is exactly what MAS acted on.
Two terms get conflated. Source of funds verifies the money behind one transaction. Source of wealth covers the customer's total accumulated wealth, and it is an ongoing obligation that has to be refreshed when circumstances change materially.

| Wealth source | Acceptable primary evidence | Independent corroboration | Red flags |
|---|---|---|---|
| Employment income | 3–6 months of payslips; contract; bank statements showing salary deposits | Employer letter, tax assessment, company registry check | Salary inconsistent with employer size; unexplained large deposits |
| Business ownership | Financial statements, registration documents, tax returns | Auditor's report; ACRA verification; corporate tax assessment | Offshore structures with no clear purpose; undocumented related-party transfers |
| Investment returns | Brokerage statements, portfolio valuations, custodian confirmations | Independent custodian or manager confirmation; exchange verification | Returns out of step with stated experience; unexplained offshore accounts |
| Digital asset wealth | Wallet statements, exchange statements, transaction history | Exchange-level KYC confirmation; on-chain analysis | Activity linked to mixers, high-risk exchanges, or dark-web indicators |
MAS does not expect certainty. It expects professional scepticism on the record. Document the discrepancy, the questions you asked, and the resolution. If it cannot be resolved, escalate to the MLRO with a recommendation to continue or exit. The full matrix in the guide runs nine wealth categories, including inheritance, property sales, gifts, offshore corporate proceeds, and trust or family-office distributions.
The Operating Model
What does a compliant Singapore KYC operating model look like?
A compliant model is not one set of steps applied to everyone. It is a tiered, segment-aware system that puts the right depth of verification on each customer type while generating the audit evidence a MAS reviewer expects to find. Ten steps, each owned by a function, each producing a record.
The point of the flow is the last step. If you cannot reconstruct the decision trail later, the work in steps one through nine does not protect you in a review.
Each step has to leave a record: the segment rationale, the pathway chosen, the evidence collected and assessed, the risk tier and who approved it, the SoW outcome, the screening results, EDD completion or escalation, and any suspicious-transaction referral. That consolidated case file is what turns a defensible process into a provable one.
Platform Selection
How should you evaluate an IDV platform for Singapore?
Three forces make platform selection a near-term decision, not a 2027 project. The NRIC authentication deadline is fixed at 31 December 2026. MAS has shown that penalties follow execution gaps, not policy gaps. And the fraud environment needs controls that were not standard in platforms built for a 2020 threat model.
The criteria below are written in the language of a compliance evaluator, not a technology buyer. The full sixteen-point scorecard sits in the guide. These are the must-haves that decide a Singapore deployment.
Institutions starting procurement in April 2026 have roughly eight months. Vendor selection and sandbox integration usually take four to six weeks, integration and testing eight to twelve, and parallel running plus training another four to six. Teams that have not started face a material risk of incomplete migration by the deadline.
Self-Serve
Scope and price a Singapore deployment yourself
You do not need a sales call to start. Map the must-haves above to a live configuration, see plans, and price a deployment directly on the self-serve portal.
Where Shufti Fits
How does Shufti map to Singapore's KYC requirements?
Singapore institutions need a platform that routes by customer segment, integrates with Singpass and MyInfo for eligible users, falls back to documents when government-held data is thin, meets MAS TRM data-residency requirements, and produces the audit evidence a supervisor looks for. Shufti is built around those requirements rather than retrofitted to them.
Shufti is a technology platform, not a compliance consultancy. It provides the verification, screening, case management, and audit-trail tooling that lets your team execute its obligations; the regulatory interpretation stays yours.
| Singapore KYC requirement | Shufti capability |
|---|---|
| MyInfo-eligible onboarding (citizens & PRs) | Singpass / MyInfo integration supporting MyInfo-based CDD workflows |
| FIN-holder fallback verification | Document verification and pass-based routing for FIN holders with incomplete MyInfo profiles |
| Non-resident & foreign documents | 10,000+ actively processed document types across 240+ countries and territories; zero-shot AI recognises new variants without manual templates |
| NRIC authentication replacement | Face verification with anti-deepfake detection, certified to iBeta PAD Level 1, Level 2 and Level 3 |
| AML, PEP & sanctions screening | Screening against 3500+ watchlist sources, updated every 15 minutes |
| Corporate onboarding & UBO | KYB with ACRA integration for local entities and global beneficial-ownership tracing |
| Source-of-wealth evidence | Configurable evidence-collection workflows with a documented case trail and MLRO escalation |
| MAS audit-trail requirements | Exportable case records with decision logs, screening results, and verification timestamps |
| Data-residency requirements | On-premise and private-cloud deployment for MAS TRM localisation |
Inside the Full Guide
What does the downloadable guide add?
This page gives you the argument and the frameworks. The 22-page PDF gives you the working tools your team can pick up and run: every checklist, matrix, and scorecard in full.
Regulatory map
Across all seven institution types with the notice that governs each.
Remediation matrix
Full breach-to-control matrix drawn from the July 2025 findings.
Customer model
Six-segment model with the full decision tree and controls per segment.
Evidence matrix
Complete nine-category source-of-wealth evidence matrix with red flags.
Migration checklist
Phased NRIC authentication migration, discovery through go-live.
Vendor scorecard
Sixteen-criterion IDV vendor scorecard calibrated to Singapore.
Frequently Asked Questions
Expectations tightened after the S$3 billion money laundering case exposed onboarding, source-of-wealth, and transaction-monitoring failures across major institutions. MAS responded with firmer enforcement, the COSMIC information-sharing platform, a National AML Strategy, and S$27.45 million in penalties across nine institutions in July 2025. The obligations are not new. They are now checked with evidence.
Private organisations must stop using NRIC numbers as authentication credentials by 31 December 2026, with PDPC enforcement from 1 January 2027. Institutions can still collect NRIC numbers for KYC and AML, but cannot use them as passwords, login credentials, or verification factors.
Yes. Employment Pass, S Pass, Dependant Pass, and Long-Term Visit Pass holders may be eligible for Singpass and MyInfo, provided they are 15 or older and hold a valid ICA pass. Profile completeness varies, so institutions still need document-fallback workflows for FIN holders with partial data.
MAS expects independent corroboration of wealth claims, not just collected documents. Depending on the wealth source, that means tax assessments, company and registry records, probate documents, investment and custodian statements, or blockchain transaction history, plus a documented assessment of whether the evidence was sufficient and how discrepancies were resolved.
The main threats are deepfake video fraud, synthetic identities, mule-account recruitment, and digital injection attacks. Traditional liveness checks alone no longer hold against AI-generated video or injection attempts, and mule accounts pass standard KYC because the document, face, and person are all genuine. The signal there is behavioural, not documentary.
No. Notice 626 governs banks. Merchant banks follow Notice 1014, payment and DPT providers follow the Payment Services Act 2019 and Notice PSN01, capital markets intermediaries follow SFA notices, trust companies follow TCA-N03, and variable capital companies follow VCC-N01. Non-bank institutions that scope only to Notice 626 routinely under-cover their actual obligations.
Identification means collecting an NRIC number to establish who a customer is, which is still required for CDD under MAS Notice 626. Authentication means using the NRIC number to prove a person is who they claim to be, as a password, PIN, or access code. The 31 December 2026 ban applies to authentication only.
From an April 2026 start, vendor selection and sandbox integration usually take four to six weeks, technical integration and testing eight to twelve weeks (longer for core banking systems), and parallel running plus staff training another four to six weeks. That leaves little slack against the 31 December 2026 deadline for institutions that have not started.
Verify Singapore customers before December 2026
With about eight months to the NRIC authentication deadline and MAS enforcement at its firmest since 2023, see Shufti configured for Singapore, with MyInfo routing, FIN-holder fallback, deepfake-resistant biometric authentication, AML screening, and MAS-calibrated audit records.