MAS Notice 626 and Singapore AML Compliance: A Practical Guide

Singapore's standing as a financial centre rests on a supervisory regime that has steadily raised the bar on financial-crime compliance over the past fifteen years. MAS Notice 626 is the operational embodiment of that regime for banks. It is short relative to the obligations it creates, because it sits on top of a layer of MAS Guidelines, information papers and thematic reviews that fill in the supervisory expectation.

The honest framing for any compliance lead is that the Notice is the floor, not the ceiling. A bank can satisfy every literal clause and still fail an inspection if its monitoring does not surface activity the data clearly contained, or if its analysts close alerts without genuine investigation. This guide is structured around that distinction — what the Notice requires, and what it takes to satisfy it in practice.

The Notice's substantive requirements fall into six areas. Each is straightforward to state and demanding to operate.

Banks must identify and verify every customer and, where relevant, the beneficial owners behind them, before or during the establishment of the relationship. CDD is not a one-time onboarding event — the Notice requires that customer information be kept current through periodic and trigger-based reviews. For a practitioner's walk-through of the underlying process, see our complete guide to customer due diligence.

Higher-risk relationships attract additional measures: more detailed verification, senior-management approval to onboard or continue the relationship, and closer ongoing scrutiny. The Notice singles out politically exposed persons, customers connected to higher-risk jurisdictions, and relationships with complex or opaque ownership structures. The risk assessment that drives EDD is itself an inspectable artefact — MAS expects to see how a bank decided a given customer was higher risk.

This is the most operationally demanding area. Banks must monitor activity on a continuing basis and apply a risk-based approach: higher-risk customers warrant more intensive monitoring, and the typologies monitored for should reflect Singapore's actual exposure. A uniform, one-size-fits-all rule set is unlikely to satisfy modern expectations. Effective programmes pair rule-based detection with behavioural baselining — a distinction we cover in transaction monitoring.

Once suspicion is formed, a bank must file a suspicious transaction report with the Suspicious Transaction Reporting Office (STRO) within a reasonable timeframe. The reporting obligation flows from the Corruption, Drug Trafficking and Other Serious Crimes Act (CDSA) and sits alongside the Notice. The supervisory focus here is timeliness and quality — a backlog of unreviewed alerts, or reports filed long after suspicion should reasonably have formed, is a recurring inspection finding.

Banks must retain CDD records, transaction records, and STR-related documentation for at least five years from the end of the relationship or the date of the transaction, whichever is later. Records must be retrievable in a form usable by regulators and law enforcement. Retention that exists in principle but cannot be produced quickly during an inspection does not meet the requirement.

The Notice requires documented AML/CFT policies and procedures approved by senior management, an independent compliance function, an internal audit function with AML/CFT in scope, and ongoing training for all relevant staff. The board or a delegated senior committee is expected to review and approve the programme at least annually, and to update it promptly when the bank's risk profile changes materially.

MAS has been explicit that AML controls must be more than procedural. Inspection findings, and the enforcement actions that have followed serious failures, consistently turn on whether controls operated effectively — not on whether a policy existed. Four areas attract the most scrutiny:

• Does monitoring surface what the data contained? The most damaging finding is that suspicious activity was identifiable from the bank's own records but the monitoring did not flag it. This points to rule libraries, calibration, or coverage rather than to data access.
• Are alerts genuinely investigated? High alert volumes closed quickly with thin rationale suggest a triage process under pressure rather than a functioning control. MAS looks at disposition quality, not just throughput.
• Is the risk-based approach evidenced? A bank must be able to show how it assessed customer and product risk and how that assessment shaped its monitoring. A risk rating that exists as a label, without the reasoning behind it, is weak.
• Is STR filing timely and complete? Delays between suspicion forming and a report reaching STRO, or reports missing key context, are recurring themes.

The same weaknesses recur across programmes that struggle under inspection:

• Policy without practice. A comprehensive manual that the day-to-day operation does not actually follow. MAS tests the operation, not the manual.
• Uniform monitoring. One rule set applied across the whole customer base, producing noise on high-volume customers and silence on the ones whose behaviour has genuinely shifted.
• Alert backlogs. Volume outrunning capacity, leading to rushed closures and delayed STRs.
• Stale CDD. Customer information that was accurate at onboarding and never refreshed, so the risk rating no longer reflects reality.
• Weak audit trail. Decisions — risk ratings, alert closures, EDD approvals — recorded as outcomes without the reasoning, leaving nothing for an inspector to assess.

Each of these is a practice failure rather than a documentation gap, which is precisely why they survive in programmes that look complete on paper. For the structural treatment of t