MAS Notice 626: What It Requires and Who It Applies To

What is MAS Notice 626?

MAS Notice 626, formally titled "Notice to Banks on Prevention of Money Laundering and Countering the Financing of Terrorism," is the Monetary Authority of Singapore's primary legally binding AML/CFT directive for banks. MAS first issued it in 2007, drawing directly on FATF Recommendations to set a mandatory compliance baseline for Singapore's banking sector. The current version took effect on 27 January 2022, incorporating revised supervisory expectations on beneficial ownership, correspondent banking controls, and wire transfer information requirements.

The notice isn't guidance. It's a directive under the Banking Act. Non-compliance is a regulatory breach, not just a risk management gap. MAS can impose composition penalties, issue binding directions restricting business activities, and revoke a banking license. That distinction matters when compliance teams are scoping their programme investments.

Why did Singapore need it? The city-state sits at the center of regional trade flows, cross-border capital movements, and correspondent banking networks across Southeast Asia. That creates real ML/TF exposure. The 1MDB scandal made it concrete. Billions in suspicious funds moved through Singapore-based banks before meaningful reports reached STRO. MAS's response was systematic: enforcement action against six banks between 2016 and 2022, license revocations for two of them, and materially tighter supervisory expectations for everyone else.

Banks must maintain a written AML/CFT programme reviewed and approved by their board or a delegated senior committee at least annually. When material changes in the bank's risk profile occur, the programme must be updated promptly.

Who does MAS Notice 626 apply to?

MAS Notice 626 applies to all banks licensed in Singapore under the Banking Act 1970. There's no minimum asset threshold or balance sheet carve-out.

Covered entities include:

• Locally incorporated full banks: DBS Bank, OCBC Bank, United Overseas Bank, and all other banks holding a full bank licence incorporated in Singapore. Notice 626 obligations apply across all Singapore operations.
• Foreign full bank branches: Citibank N.A. Singapore Branch, HSBC Singapore, Standard Chartered Bank Singapore, and other foreign banks operating under a full bank licence. Singapore operations must comply with Notice 626 even where the home country's AML/CFT requirements differ.
• Wholesale banks: Foreign bank branches operating under a wholesale bank licence, primarily serving corporate and institutional clients. The notice applies in full.
• Offshore banks: Banks holding offshore bank licences conducting foreign-currency business with non-residents. Notice 626 applies to Singapore-booked transactions.
• Digital full banks and digital wholesale banks: GXS Bank and MariBank (digital full bank licensees) and Anext Bank and Green Link Digital Bank (digital wholesale bank licensees) are subject to the notice from the date they commence banking operations.

Where a foreign bank's home jurisdiction sets a lower standard than Singapore, the Singapore standard applies without exception. Where the home country imposes stricter controls in specific areas, banks may adopt those with MAS awareness.

Banks also face indirect obligations through correspondent banking. When a Singapore bank maintains a respondent relationship with a bank in another jurisdiction, it must assess whether that respondent's AML/CFT controls meet the Singapore standard. That assessment must be documented and repeated periodically. Gaps in correspondent banking due diligence have been a recurring cited weakness in MAS inspections.

What does MAS Notice 626 require?

The notice establishes eight core obligation categories. Banks must implement all of them:

1. Customer Due Diligence: Conduct Customer Due Diligence (CDD) for all customers at onboarding and on an ongoing basis. For occasional customers, CDD is mandatory for cash transactions or wire transfers of SGD 20,000 or more, whether in a single payment or multiple linked transactions that together reach that amount. CDD covers identity verification, understanding the nature and purpose of the relationship, and obtaining source of funds information.

2. Enhanced Due Diligence: Apply EDD to higher-risk relationships including politically exposed persons (PEPs), customers from high-risk jurisdictions, complex corporate structures with multiple ownership layers, and any relationship presenting elevated ML/TF indicators. EDD requires source of wealth verification, senior management approval for PEP relationships, and more frequent periodic reviews.

3. Beneficial Ownership Identification: Identify and verify the ultimate beneficial owner of legal entities and legal arrangements. The control threshold is 25% ownership or voting rights. Banks must obtain a beneficial owner declaration and take reasonable steps to verify it using reliable, independent sources.

4. Suspicious Transaction Reporting: File an STR (Suspicious Transaction Report) with Singapore's Suspicious Transaction Reporting Office whenever the bank knows, suspects, or has reasonable grounds to suspect that any property represents proceeds of crime or is connected to terrorism financing. There's no minimum transaction amount. Suspicion triggers the obligation, not a dollar threshold.

5. Record Retention: Retain CDD documentation for at least five years from the end of the business relationship. Retain transaction records for at least five years from the transaction date. Where records are relevant to ongoing court proceedings, the retention period extends until those proceedings conclude.

6. Wire Transfer Compliance: For wire transfers of SGD 2,000 or more, ordering banks must include full originator information (name, account number, and address or date of birth) and full beneficiary information. Intermediary and beneficiary banks must detect and manage transfers with missing required fields. This implements FATF Rec 16 (FATF) in Singapore's banking sector.

7. Sanctions Screening: Screen customers and transactions against MAS's targeted financial sanctions lists, the UN Security Council Consolidated List, and other applicable sanctions regimes before processing. No minimum transaction amount applies.

8. AML/CFT Programme: Maintain a board-approved, written programme covering the enterprise-wide ML/TF risk assessment, policies and procedures, transaction monitoring system, independent audit coverage, and annual staff training.

What evidence do regulators expect?

MAS examiners want proof that controls work, not confirmation that policies exist. Banks arriving at an inspection with a polished policy document but sparse operational records get cited. Here's what examiners specifically look for:

• Board-level governance: Minutes confirming the board or a delegated senior committee reviewed and approved the AML/CFT policy within the last 12 months. Substantive discussion must be evident, not a rubber-stamp sign-off.
• ML/TF risk assessment: A current, documented enterprise risk assessment covering the bank's customer base, products, geographies, and delivery channels. It must be updated when material risk changes occur. This is typically the first document MAS examiners request. Banks that can't produce a current, board-reviewed version rarely leave an inspection without findings.
• CDD and EDD files: For a sample of accounts, complete identity verification records, source of funds documentation, source of wealth evidence (for EDD cases), PEP declarations, UBO verification records, and documentation of when periodic reviews were completed and who approved them.
• Transaction monitoring calibration: Documentation of how monitoring rules are set, when thresholds were last reviewed, alert disposition records, and false-positive rate tracking. Examiners will test whether parameters reflect the bank's actual customer risk profile or are generic vendor defaults.
• STR records: Evidence that alerts were investigated with documented rationale, and that reports were filed with STRO promptly once suspicion arose. Both the volume of STRs and the triage workflow are reviewed.
• Sanctions screening logs: System-generated records showing that screening ran before transactions were processed, that matches were reviewed, and that decisions were documented with the reviewer's identity.
• Training records: Completion records for all relevant staff, with content tailored to the bank's specific risk profile rather than generic AML awareness modules.
• Independent audit findings and management responses: Internal audit or external review reports with documented management responses and remediation tracking against each finding.

Common failure modes

MAS inspections and enforcement actions since 2016 have documented a consistent set of weaknesses. Most of them are on the public record in enforcement orders and MAS press releases, so there's no shortage of case material to learn from.

• Customer risk classification failures: Banks assigned customers to standard risk tiers when their profiles, transaction patterns, or PEP connections clearly warranted elevated classification. BSI Bank's 2016 license revocation cited a systematic failure to apply adequate risk-based analysis to its client base.
• Source of wealth accepted on declaration alone: Banks obtained customer declarations but took no steps to corroborate them against publicly available information or request documentation when fund volumes were inconsistent with stated business activity.
• Single-database PEP screening: Reliance on one commercial screening database, with no process for managing potential false negatives or documenting the rationale for match disposals. Examiners expect evidence of a methodology, not just a subscription to a data provider.
• Transaction monitoring not calibrated to actual risk: Rules copied from vendor defaults and not updated to reflect the bank's real customer mix. MAS has cited banks for monitoring thresholds that hadn't been reviewed in years despite material changes in client activity.
• STR delays: Internal escalation processes that added weeks between initial detection and filing with STRO. The obligation is triggered by suspicion, not certainty. Waiting for proof before filing is a systemic failure, not a conservative approach.
• Correspondent banking assessments undocumented: Banks couldn't produce evidence that they had assessed respondent banks' AML/CFT controls at onboarding or on a periodic basis thereafter.

The MAS Enforcement Actions page lists composition penalties and directions issued across all licensed entities and is updated regularly.

Penalties for non-compliance

MAS has used its full enforcement toolkit against banks that fell short of Notice 626 requirements. The consequences are not theoretical.

Composition penalties: Under the Banking Act, MAS can compound offences for up to SGD 1 million per breach. In the 1MDB-related enforcement cycle, MAS imposed composition sums across multiple banks. Standard Chartered Singapore paid SGD 3.8 million in 2017. Coutts & Co paid SGD 1.2 million in 2017. UBS AG Singapore Branch paid SGD 1.3 million in 2017. In 2022, Goldman Sachs International and Goldman Sachs (Singapore) Pte. Ltd. were jointly reprimanded and required to pay approximately SGD 3.9 million for 1MDB-related AML control failures.

Binding directions: MAS can issue a direction requiring a bank to remediate specific control gaps, appoint an independent reviewer, or restrict certain business activities. These directions are non-negotiable and require regular reporting back to MAS until the remediation is complete.

License revocation: The most severe sanction. MAS revoked BSI Bank's merchant banking license in May 2016, citing "most serious breaches of AML requirements and control failures." Falcon Private Bank's license was revoked in October 2016 for a "persistent pattern of non-compliance." Both cases remain the most significant license revocations in Singapore banking history and are documented in MAS's public enforcement records at mas.gov.sg/regulation/enforcement.

Criminal prosecution: The Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act provides for criminal prosecution of individuals. Maximum penalties are 10 years imprisonment, substantial fines, or both. MAS refers cases involving individual culpability to the Attorney-General's Chambers and the Commercial Affairs Department.

Related regulations and frameworks

MAS Notice 626 sits within a broader regulatory stack. Treating it as a standalone obligation misses how the pieces connect.

FATF Recommendations: The notice directly implements FATF Rec 10 (FATF) on customer due diligence. Singapore completed its most recent FATF Mutual Evaluation in 2022. The FATF Mutual Evaluation Report for Singapore rated Singapore "Compliant" or "Largely Compliant" on most FATF technical recommendations. Effectiveness findings flagged areas for improvement, particularly in the speed of STR analysis and the depth of correspondent banking due diligence at smaller institutions.

Suspicious Transaction Reporting Act and CDSA: The legal obligation to file STRs flows from the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, not Notice 626 itself. Notice 626 sets the operational framework for how banks manage and escalate suspicious activity. Criminal liability for failing to file sits under the CDSA; regulatory breach for systemic process failures sits under Notice 626. Banks need to comply with both frameworks in parallel.

MAS Guidelines on AML/CFT: MAS publishes explanatory guidelines alongside Notice 626. The guidelines are non-binding but represent MAS's interpretation of what compliance looks like in practice. Examiners use them as a reference. Banks that deviate from the guidelines without documented rationale typically face questions about whether their alternative approach is adequate.

Regional equivalents: Singapore's Notice 626 is closely aligned with Hong Kong's HK AMLO (HK-HKMA). Both are FATF-implementing frameworks with similar CDD obligations and record retention requirements. Banks operating across both jurisdictions should map their differences systematically. There are calibration differences in EDD thresholds and the treatment of non-face-to-face customer onboarding that require jurisdiction-specific policy provisions rather than a single shared document.

How FluxForce supports MAS Notice 626 compliance

FluxForce's AI agents automate the most labor-intensive parts of Notice 626 compliance. Aiden Flux runs Know Your Customer (KYC) and CDD workflows. Risk ratings update automatically when transaction patterns shift, without analyst intervention. Nova Sentinel monitors transactions in real time; false-positive alert volumes drop and detection accuracy improves. Every decision produces a full audit trail that maps directly to what MAS examiners request on inspection day. For compliance teams managing STR backlogs or correspondent banking reviews, FluxForce's Regulatory Compliance Automation platform is worth a conversation. Book a demo.