One Constellation
Book a Demo
Regulations

MAS Notice 626 Explained: AML/CFT Requirements for Singapore Banks

MAS Notice 626 is the principal AML/CFT obligation for banks licensed under the Banking Act in Singapore, supplemented by Notice 626A for branches of foreign banks. The Notice has been amended substantially since its 2007 introduction — most recently in 2023 — and remains the operational baseline MAS inspects against. This guide walks through the structure, the substantive obligations, and what MAS actually examines during compliance reviews.

Published: May 2026 Category: Regulations Read time: ~13 minutes
Quick Answer
MAS Notice 626 (AML/CFT — Banks) is issued under the Monetary Authority of Singapore Act and the Banking Act and sets out the AML/CFT obligations for all banks licensed in Singapore. The Notice covers customer due diligence at onboarding and on an ongoing basis, enhanced due diligence for higher-risk relationships and PEPs, transaction monitoring calibrated to the bank's risk profile, suspicious transaction reporting to the Suspicious Transaction Reporting Office (STRO), record-keeping for at least five years, and internal controls including independent audit and board-approved policies. Notice 626A applies equivalent requirements to branches of foreign banks. MAS inspects against the Notice using a risk-based supervisory framework and has imposed significant enforcement penalties — including the 2017 actions following the 1MDB scandal — where it identifies systemic deficiencies. Compliance with Notice 626 is not a documentation exercise; it is an operational expectation that the bank's controls actually work in practice.

Singapore's reputation as a major financial centre is anchored on a supervisory regime that has actively raised expectations on financial-crime compliance over the past fifteen years. MAS Notice 626 is the operational embodiment of those expectations for banks. The Notice is not the only AML/CFT instrument in the Singapore framework — the Corruption, Drug Trafficking and Other Serious Crimes Act (CDSA), the Terrorism (Suppression of Financing) Act, and parallel Notices for other sectors (PSN02 for payment service providers, FAA-N06 for financial advisers, SFA04-N02 for capital markets services) form the wider structure — but it is the document banks are inspected against most directly.

The Notice has evolved in step with international expectations. Major amendments in 2014, 2015, 2018, 2020 and 2023 expanded the obligations around beneficial ownership transparency, source of wealth verification, sanctions compliance, and digital-asset-related activity. The current text reflects a regime that operates well above FATF minimums in several areas — particularly on STR filing standards, on the depth of EDD expected for higher-risk relationships, and on the operational evidence MAS expects to see during inspection.

Structure of the Notice

Notice 626 is organised into sections covering specific obligation areas. The principal sections, in order:

  • Application and definitions — establishes which banks the Notice applies to, defines key terms (customer, beneficial owner, PEP, higher-risk customer), and references underlying legislation.
  • Risk assessment and risk management — requires banks to conduct enterprise-wide AML/CFT risk assessment, document the methodology, and update the assessment periodically (in practice annually).
  • Customer due diligence — sets out CDD requirements at onboarding, including identification, verification, beneficial ownership disclosure, and purpose-of-relationship documentation. CDD is required on all new customers and on existing customers undergoing certain events.
  • Enhanced customer due diligence — specifies the additional measures required for higher-risk customers, PEPs, customers from higher-risk jurisdictions, and correspondent banking relationships.
  • Reliance on third parties — when and how banks may rely on CDD performed by other regulated entities, with the bank retaining ultimate responsibility.
  • Simplified customer due diligence — narrow circumstances where reduced measures are acceptable, primarily for lower-risk product types and customers in equivalent regulatory regimes.
  • Targeted financial sanctions and other prohibitions — sanctions screening obligations against UN, MAS-listed, and other applicable lists.
  • Ongoing monitoring — transaction monitoring requirements, frequency of CDD review, trigger events for re-review.
  • Suspicious transaction reporting — STR filing obligations to the STRO, internal reporting processes, tipping-off prohibitions.
  • Record-keeping — minimum retention periods (five years from the end of the relationship or transaction date), record format requirements.
  • Internal policies, procedures and controls — board approval, MLRO appointment, training, independent audit.

The Notice is supplemented by guidelines (notably the MAS Guidelines to Notice 626) that provide operational interpretation. The guidelines do not have the force of the Notice itself but represent MAS's stated supervisory expectations and are referenced in inspection findings.

Customer Due Diligence Requirements

CDD under Notice 626 is more prescriptive than the FATF baseline, with explicit requirements MAS inspects directly.

  • Identification. Full legal name, residential address, date of birth, nationality, identity document with reference number. For corporates: legal name, registered address, registration number, type of legal entity.
  • Verification. Identity verified by reference to reliable, independent source documents. For natural persons: original or certified-true-copy identity documents. For corporates: certificate of incorporation, business profile from ACRA (for Singapore-incorporated entities) or equivalent for foreign entities.
  • Beneficial ownership. For corporate customers, ownership and control structure documented up to the natural persons who ultimately own or control 25% or more of the entity. For complex structures, beneficial ownership must be traced through intermediate entities.
  • Purpose and intended nature of business relationship. Documented at onboarding — what the customer will use the relationship for, expected transaction volumes and types, expected counterparties and jurisdictions.
  • Source of funds (for higher-risk customers) and source of wealth (for PEPs and EDD cases). Documented and verified against independent evidence.

MAS expects CDD to be a substantive exercise, not a documentation tick-box. Inspections frequently identify gaps where the bank has collected documents without examining their consistency — beneficial ownership declarations that do not reconcile with publicly available registry data; declared business activity that does not align with the actual transaction patterns; identity documents from jurisdictions where the bank has no operational presence and no relationship with the issuing authority. The bank's KYC platform should support not just data collection but data validation.

Enhanced Due Diligence Triggers

EDD is mandatory for several customer categories under Notice 626. The triggers are explicit:

  • Politically Exposed Persons (PEPs) and their family members and close associates. Foreign PEPs always require EDD; domestic PEPs and PEPs of international organisations require EDD where a risk-based assessment identifies higher risk.
  • Customers from higher-risk jurisdictions, including FATF-identified jurisdictions under increased monitoring (the FATF Grey List) and jurisdictions on MAS's own higher-risk countries assessment.
  • Customers with complex or unusual ownership structures, particularly cross-jurisdictional ownership without coherent commercial rationale.
  • Customers in higher-risk sectors — gaming, virtual asset service providers, dealers in precious metals and stones, money services businesses, charities and NPOs where risk assessment indicates elevated risk.
  • Customers introduced through unusual or higher-risk channels, including non-face-to-face onboarding where additional measures are required to compensate for the channel risk.

The EDD measures expected for these customers include senior management approval before account opening, deeper source of funds and source of wealth verification, enhanced transaction monitoring with lower thresholds, more frequent CDD review (typically annual rather than the standard three-year cycle), and structured customer-engagement protocols where unusual activity is detected. The depth of EDD is calibrated to the risk profile, but the floor MAS expects is substantively above standard CDD.

PEP Treatment in Practice
MAS Guidelines clarify that the PEP classification persists for as long as the individual is in public function, plus a transitional period typically of 12–18 months following departure (depending on risk). Family members and close associates remain in scope for the same period. Banks should not declassify PEPs purely on departure date; the residual influence and access to state resources is the rationale for the transitional treatment.

Transaction Monitoring and STR Filing

Notice 626 requires banks to operate transaction monitoring calibrated to the bank's risk profile, the customer base, and the products offered. The Notice does not prescribe specific rule logic, but inspections examine the rule coverage, the calibration evidence, and the disposition workflow.

STR filing obligations under Section 39 of the CDSA require banks to file with the STRO where there is reasonable grounds to suspect that property is the proceeds of crime or related to a serious offence. The "reasonable grounds to suspect" standard is a low bar — substantially lower than "evidence of crime" — and Singapore courts have interpreted it as requiring filing even where the bank has not investigated to certainty. Under-filing relative to detected suspicious patterns is a recurring finding in MAS enforcement actions.

Operational expectations:

  • STR filing within reasonable time of suspicion arising — typically interpreted as days to a small number of weeks, not months.
  • Internal SAR escalation procedure documented and approved by the MLRO, with the MLRO having ultimate sign-off on filing decisions.
  • Tipping-off prohibition strictly enforced. Staff cannot disclose to a customer (or to anyone) that an STR has been or may be filed. Branch and relationship staff training on tipping-off is inspection-relevant.
  • Continued transaction monitoring after an STR is filed. The filing does not pause the relationship; the bank continues to monitor and may file follow-up STRs as additional information emerges.

For broader transaction monitoring context, see our guides on rule tuning and alert triage workflows.

What MAS Actually Inspects

MAS supervisory examinations have evolved into a structured framework that compliance teams should understand operationally:

  • Risk assessment quality. Does the bank's enterprise-wide risk assessment reflect its actual customer base and product mix? Does it identify the right inherent risks and document the residual risk after controls? Generic risk assessments lifted from templates are a frequent inspection finding.
  • CDD file quality on sampling. MAS samples customer files across risk tiers. For higher-risk customers, the inspection focuses on whether the documented EDD is substantively supported by evidence in the file — declared source of wealth supported by tax returns or asset documentation; beneficial ownership reconciled with registry data; purpose of relationship aligning with transaction patterns.
  • Transaction monitoring effectiveness. Are the rules calibrated against the actual customer base? Are alerts being dispositioned substantively rather than rubber-stamped? Are the SLAs being met? Are the dispositions defensible on case-file evidence?
  • STR filing rate and quality. Is the filing rate proportionate to the bank's risk profile and customer base? Are the filings substantive (not just check-box submissions)? Are the underlying internal escalations documented and supported by analyst reasoning?
  • Sanctions screening operations. Is screening occurring on the right frequency? Are alerts being dispositioned by trained staff? Is sanctions list update lag within acceptable bounds?
  • Governance and oversight. Is the MLRO appropriately senior and independent? Are board reports substantive? Is independent audit producing findings that drive remediation?
From the 1MDB Cases
MAS enforcement actions following 1MDB (against BSI Bank, Falcon Bank, Standard Chartered, UBS, DBS, Coutts and others) identified common deficiencies that remain illustrative: EDD documentation collected without substantive review; source of wealth declarations accepted without verification; transaction patterns inconsistent with customer profile not escalated; STR filing delayed despite clear suspicion indicators. The deficiencies were operational rather than structural — the policies existed; they were not being executed.

Practical Compliance for Production Programmes

Five operational priorities for banks operating under Notice 626:

  • Maintain a current and substantive risk assessment. The enterprise-wide risk assessment is the foundation MAS uses to assess proportionality. A generic or stale risk assessment makes every downstream control hard to defend.
  • Invest in CDD file substance, not just file completeness. The verification evidence behind each documented field matters more than the existence of the field. Banks operating mature programmes invest in independent verification — registry checks, sanctions and PEP screening, beneficial ownership traversal — at onboarding and on each refresh cycle.
  • Calibrate transaction monitoring to the actual customer base. Vendor-default thresholds do not survive MAS inspection. The bank should have documented its own calibration methodology, applied it, and validated the outputs.
  • File STRs substantively and on time. Under-filing is a recurring finding. So is delayed filing. Build the escalation workflow that produces high-quality STRs at the right cadence.
  • Treat the MLRO function as senior. MAS expects the MLRO to have authority, independence and resources proportionate to the bank's risk profile. Junior or under-resourced MLRO functions are inspection-relevant in themselves.

One Constellation's AML/CFT platform supports the operational evidence MAS inspects against — CDD with structured EDD workflow, beneficial ownership traversal across 130+ jurisdictions, transaction monitoring with documented calibration, and STR-ready case management aligned to STRO submission requirements.

AML/CFT Platform Built for MAS Inspection

One Constellation supports Notice 626 compliance with risk-based CDD, structured EDD workflow, calibrated transaction monitoring, and STR-ready case management — designed for the operational evidence MAS expects to see.

Book a Demo Explore AML/CFT
6AMLD Explained → All Articles
Scroll to Top