Skip to main content
ANLIAN GROUP

Article

CDD and AML Under the CSPA 2024: What Singapore Corporate Service Providers Actually Do for Clients

In one sentence

The Corporate Service Providers Act 2024 (CSPA 2024) requires every business carrying on corporate service activities in Singapore to register with ACRA and comply with customer due diligence (CDD), ongoing monitoring, suspicious transaction reporting (STR), and record-keeping obligations on a risk-based basis; the Act commenced 9 June 2025 and the ACRA Guidelines for Registered CSPs (issued 9 May 2025) and the Corporate Service Providers Regulations 2025 set the operational standard. Fines of up to S$100,000 per breach apply to the CSP and its senior management; the underlying criminal AML framework is the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the Terrorism (Suppression of Financing) Act (TSOFA).

Quick answer

  1. Every business providing corporate services in or from Singapore must be registered with ACRA under the CSPA 2024 (in force 9 June 2025), and each registered CSP must designate one or more Registered Qualified Individuals (RQIs) who are personally responsible for the CSP's AML/CFT/PF compliance.
  2. Registered CSPs must conduct customer due diligence (CDD) on every designated transaction, on transactions where there is reason to suspect money laundering, terrorism financing, or proliferation financing, and where the CSP doubts the veracity or adequacy of previously obtained information; the depth of CDD is risk-based per the ACRA Guidelines for Registered CSPs issued 9 May 2025.
  3. The CDD touchpoints in a typical Singapore client engagement are: incorporation or registration of the entity, appointment of a nominee director under the CSPA-CSP-arranged route, account opening introduction (banking and fund-vehicle), fund vehicle setup for 13O / 13U applicants, and ongoing monitoring throughout the engagement.
  4. Suspicious transactions must be reported to the Suspicious Transaction Reporting Office (STRO) under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the Terrorism (Suppression of Financing) Act (TSOFA); the registered CSP is the reporting party and the client is not informed of the report (the "no tipping-off" rule).
  5. Breach of the CSPA 2024 AML/CFT/PF obligations attracts a maximum fine of S$100,000 per offence applicable both to the CSP and to its senior management; ACRA has already imposed penalties on six CSPs (S$4,000 to S$14,000 per case) for AML/CFT breaches under the prior Registered Filing Agent framework, and the enforcement posture has tightened under the CSPA 2024.

Why this matters in 2026

Three regulatory and supervisory shifts since 2024 reshape what a Singapore corporate service provider is and what it owes to its clients. First, the Corporate Service Providers Act 2024 came into force on 9 June 2025, replacing the prior Registered Filing Agent (RFA) framework with a unified Corporate Service Provider regime administered by ACRA. The Act consolidates the registration obligation, the CDD and ongoing-monitoring perimeter, the fit-and-proper assessment of CSPs and RQIs, the STR obligation, and the record-keeping regime. The Corporate Service Providers Regulations 2025 and the ACRA Guidelines for Registered CSPs (issued 9 May 2025) operationalise the Act. The maximum fine for breach moved up to S$100,000 per offence, applicable to both the CSP and its senior management. Second, the Singapore Money Laundering National Risk Assessment 2024 and the Singapore Proliferation Financing National Risk Assessment 2024 identified corporate service providers as a higher-risk DNFBP sector. FATF and APG's 2025 mutual evaluation of Singapore (on-site visit July 2025) reinforced the supervisory expectation: CSPs are at the frontline of beneficial-ownership transparency, sanctions screening, and shell-company prevention. The class exemption framework for Section 13O / 13U applications (covered in the [Family Trust and 13O complementarity article](/insights/singapore-family-trust-13o-fund-complement)) shifted some of the upfront fund-side CDD onto the CSP layer rather than the case-by-case MAS application path. Third, the CDD perimeter now sits at the front of every client interaction rather than at the end. Engagement-letter signature, incorporation filing, nominee director appointment (covered in the [nominee director article](/insights/singapore-nominee-director-acra-csp)), and bank-account introduction all trigger documented CDD checkpoints under the CSPA 2024. The "we'll get to the paperwork later" model is structurally non-viable, because ACRA's inspection focus is the documentary file the CSP produces, not the substantive client relationship. For clients, the operational consequence is that onboarding takes longer and requires more documents than under the prior RFA regime, and the CSP cannot lawfully proceed if the CDD file is incomplete.

The fundamentals

The CSPA 2024 framework: registration, RQI, and the CDD perimeter under the Act and 2025 Regulations

The Corporate Service Providers Act 2024, administered by ACRA and in force from 9 June 2025, requires every business providing corporate services in or from Singapore to register as a Corporate Service Provider, to designate at least one Registered Qualified Individual (RQI) who is personally responsible for AML/CFT/PF compliance, and to apply customer due diligence on designated transactions and on transactions where there is reason to suspect money laundering, terrorism financing, or proliferation financing; the Corporate Service Providers Regulations 2025 and the ACRA Guidelines for Registered CSPs (9 May 2025) operationalise the Act. Registration scope. The CSPA 2024 applies to anyone carrying on a business in or from Singapore of providing corporate services, where corporate services include incorporation and registration of entities, secretarial and filing functions, nominee director arrangements by way of business, and related corporate administration. Existing Registered Filing Agents transitioned to CSP registration on commencement; new entrants must apply and demonstrate fit-and-proper standing. The Registered Qualified Individual. Each CSP must designate one or more RQIs. The RQI is the individual with personal responsibility for the CSP's CDD and AML/CFT/PF compliance, holds the relevant qualifications, and is registered with ACRA in that capacity. The RQI's standing is the linchpin: a CSP that loses its RQI without a replacement loses operational capacity, and the RQI's prior compliance history follows the individual into any new CSP they join. The CDD perimeter. The CDD obligation applies to every "designated transaction" specified in the Act and Regulations (the high-touch corporate transactions: incorporation, change of ownership, registered office change, nominee director arrangement, AR filings where ownership has changed) and to every transaction where the CSP has reason to suspect ML/TF/PF or doubts the veracity of previously obtained information. The CDD identifies and verifies the customer, identifies and verifies the beneficial owner, and establishes the purpose and intended nature of the business relationship. Where CDD is performed by a third party (an introducer or affiliated firm), the registered CSP remains responsible for the compliance outcome and must hold the underlying records.

The five CDD triggers in a typical Singapore client engagement

A Singapore client engagement triggers CDD at five operational touchpoints: at engagement-letter / company-incorporation stage, at nominee director appointment under the CSPA-arranged route, at the introduction to a bank or fund administrator, at the establishment of a Section 13O / 13U fund vehicle where applicable, and on an ongoing basis throughout the engagement; each touchpoint has its own document set, risk-rating, and trigger conditions for enhanced due diligence (EDD). Touchpoint 1, incorporation or engagement-letter. At the entry point of the engagement, the CSP collects identification and verification documents for each individual director, shareholder, and beneficial owner. The risk-rating considers jurisdiction of residence, source of funds, source of wealth, the nature of the proposed business, the use of nominee or trust structures, and any politically exposed person (PEP) status. The output of touchpoint 1 is a documented CDD file that supports the incorporation filing on Bizfile and the subsequent operational engagements. Touchpoint 2, nominee director appointment. When the company requires a nominee resident director under the CSPA arrangement, the CSP arranging the appointment must independently assess the proposed nominee as fit and proper (covered in the [nominee director article](/insights/singapore-nominee-director-acra-csp)). The fit-and-proper file sits in the CSP's records and is open to ACRA inspection. The CDD on the underlying client (the nominator) continues to apply at this touchpoint with reference to the controlling-party transparency expectations. Touchpoint 3, banking or fund-administrator introduction. When the CSP introduces the client to a Singapore bank or to a fund administrator for the fund vehicle, the receiving institution conducts its own CDD under the MAS Notices applicable to that institution category. The CSP's CDD does not substitute for the bank's CDD; the two are parallel and both are required. The CSP's role at this touchpoint is to verify that its own file matches the documentation the client presents to the bank, so the engagement does not unravel on a documentary inconsistency at the bank's onboarding stage. Touchpoint 4, Section 13O / 13U fund vehicle setup. For families pursuing the 13O / 13U fund tax incentive scheme through a Single Family Office, the CSP's CDD layer feeds into the MAS application path. The post-2024 class exemption framework requires the SFO application to be supported by a legal opinion referencing the class exemption, and the CSP's CDD file is part of the documentary trail behind that opinion. The companion piece on [the 13O family office cost picture in 2026](/insights/singapore-13o-family-office-cost-2026) covers the cost-side mechanics that flow from this touchpoint. Touchpoint 5, ongoing monitoring. The CDD is not a one-off event. The CSPA 2024 requires the CSP to monitor the business relationship on a risk-based basis, refresh CDD information at intervals appropriate to the risk-rating, screen the client (and beneficial owners) against sanctions lists, and trigger enhanced due diligence (EDD) where new information surfaces, the risk-rating changes, or the transaction profile diverges from the established baseline. An EDD trigger may also flow from a sanctions-list match, a media exposure, or a change in beneficial ownership that the CSP detects during routine corporate actions.

STR reporting, the no-tipping-off rule, and the enforcement schedule under CDSA, TSOFA, and CSPA 2024

Where a registered CSP has reason to suspect that a transaction is connected to a serious offence or to terrorism financing, the CSP must file a suspicious transaction report (STR) with the Suspicious Transaction Reporting Office under Section 39 of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the equivalent provisions of the Terrorism (Suppression of Financing) Act (TSOFA); the CSP must not disclose the report or the suspicion to the client (the "no tipping-off" rule), and breach of the CDD, monitoring, STR, or no-tipping-off obligations under the CSPA 2024 attracts a maximum fine of S$100,000 per offence applicable to the CSP and to its senior management. The STR mechanism. STRs are filed electronically with STRO, the agency within the Commercial Affairs Department of the Singapore Police Force. The CDSA, the TSOFA, and the Corporate Service Providers Regulations 2025 together fix the reporting obligation and the timing. The CSP's role is to lodge the STR; it is not to investigate the underlying conduct or to decide whether the activity is criminal as a matter of fact-finding. The standard is "reasonable suspicion", not proof. The no-tipping-off rule. Under Section 48 of the CDSA and the parallel CSPA 2024 obligations, the CSP must not disclose the fact of the STR (or the underlying suspicion) to the client or to any third party who might alert the client. The rule exists because tipping-off defeats the law-enforcement purpose of the STR. The operational consequence for clients is that a CSP that has filed an STR may continue to provide routine services without comment; the client may not be aware of the report. The Anlian Group corporate services team's compliance discipline includes RQI-only handling of STR matters and a documentary firewall between operational client-facing staff and the STR record. The penalty schedule. The maximum fine under the CSPA 2024 for AML/CFT/PF breaches is S$100,000 per offence, applicable to both the registered CSP and the individual senior managers responsible for the breach. ACRA has already imposed financial penalties on six CSPs under the prior RFA framework, ranging from S$4,000 to S$14,000, for AML/CFT breaches. The 2025 enforcement posture under the CSPA 2024 is tighter, with the higher maximum fine and the explicit senior-management personal exposure. The ACRA Guidelines for Registered CSPs (9 May 2025) set out the inspection expectations and the documentary standards against which a CSP's compliance file is reviewed.
CDD touchpointTriggerCSP collectsCSP verifiesEDD trigger conditions
1. Incorporation / engagement-letterNew client onboardingIdentification of directors, shareholders, beneficial owners; source of funds; nature of businessID documents; address; corporate registry of source jurisdictionPEP status; high-risk jurisdiction; cash-intensive business; nominee structures
2. Nominee director appointmentCSP arranges nominee under CSPA 2024Nominator particulars; nominee fit-and-proper assessmentNominee's standing; nominator's beneficial-ownership chainSanctions match on nominator or beneficial chain; opaque ownership
3. Banking or fund-administrator introductionAccount opening for client entityDocuments matching prior file; account purposeConsistency with CSP's existing fileInconsistency between CSP file and bank presentation; new beneficial owners
4. Section 13O / 13U fund vehicle setupSFO application preparationFund structure documentation; legal opinion fileClass-exemption legal-opinion alignmentSource-of-wealth gaps; cross-border tax residency questions
5. Ongoing monitoringThroughout the engagementPeriodic refresh of CDD info; sanctions screeningContinuing alignment of business profile with fileSanctions-list match; media adverse-news; unusual transaction pattern
STR triggerReasonable suspicion at any touchpointDocumentary record of suspicionn/a (STR is filed, not verified by CSP)All EDD triggers above + reportable activity threshold

Common pitfalls

  • Treating CDD as "documents at onboarding" rather than continuous obligation

    The CSPA 2024 imposes ongoing monitoring, risk-rating refresh, and sanctions-screening throughout the engagement, not just at onboarding. A CSP file that captures the day-one documents and never updates them does not meet the standard. The fix is a scheduled refresh cadence calibrated to the risk-rating: annual for low-risk, semi-annual or quarterly for medium-risk, event-driven for high-risk.

  • Engaging an unregistered "informal" CSP after 9 June 2025

    Anyone carrying on corporate services in or from Singapore by way of business must be registered with ACRA under the CSPA 2024. Engaging an unregistered provider after commencement exposes the client to the consequences of an unsupervised CDD file, exposes the unregistered provider to enforcement, and means the corporate filings may be reviewable as compromised. Verify the CSP's registration on the public ACRA register before engagement.

  • Relying on a third party's CDD without holding the records

    The CSPA 2024 permits the use of third parties for CDD measures, but the registered CSP remains responsible for the compliance outcome and must hold the underlying records. A CSP that points to an introducing firm's CDD file rather than maintaining its own copy is exposed at ACRA inspection. The Anlian Group corporate services team's standard is to obtain certified copies of third-party CDD files at onboarding and to record the source.

  • Skipping enhanced due diligence (EDD) on triggers that should escalate

    PEP status, high-risk jurisdictions, sanctions-list matches, cash-intensive businesses, and complex layered ownership are EDD triggers under the risk-based approach. A CSP that applies only standard CDD on a clearly EDD case is not meeting the ACRA Guidelines standard. The fix is a documented risk-rating decision at each touchpoint, with the EDD pathway invoked when triggers apply.

  • Missing the STR filing window when reasonable suspicion arises

    The CDSA and TSOFA require an STR when the CSP has reason to suspect a transaction is connected to a serious offence or to terrorism financing. The standard is reasonable suspicion, not proof. A CSP that defers filing while waiting for "more information" risks both a CSPA 2024 breach for the delay and a CDSA / TSOFA breach for the substantive non-report.

Frequently asked questions

What is a "designated transaction" under the CSPA 2024?
Designated transactions are the specific corporate-services transactions identified in the Corporate Service Providers Regulations 2025 that trigger mandatory CDD. The category includes incorporation, change of registered office, change of directors or shareholders involving beneficial ownership shifts, nominee director appointments under the CSPA-arranged route, and AR filings where ownership has changed. The CSP must apply CDD on each designated transaction regardless of whether the client is new or existing.
Does every client face the same CDD or is the depth risk-based?
The depth of CDD is risk-based. Low-risk clients (Singapore-resident individuals, established local SMEs with transparent ownership) receive standard CDD; medium-risk and high-risk clients (cross-border ownership chains, PEPs, high-risk-jurisdiction connections, cash-intensive businesses) receive enhanced due diligence (EDD). The ACRA Guidelines for Registered CSPs (9 May 2025) set out the risk factors and the EDD documentary expectations.
Who is a Registered Qualified Individual (RQI) and why does it matter to me as a client?
The RQI is the individual within the registered CSP who is personally responsible for AML/CFT/PF compliance. Each CSP must have at least one. For the client, the RQI's standing matters because the RQI signs off the CDD file and is the named individual ACRA holds responsible for the CSP's compliance posture. Asking the CSP who its RQI is, and verifying the RQI's registration, is a reasonable due-diligence step on the client's side before engagement.
What is the difference between my CSP's CDD and the AML compliance my bank does?
The CSP's CDD is under ACRA's framework (CSPA 2024 + Regulations 2025 + ACRA Guidelines). The bank's AML is under MAS's framework (the applicable MAS Notice for the bank's licence category). The two operate in parallel: the CSP focuses on corporate-services CDD; the bank focuses on account-opening and transaction monitoring. Both apply to the same client at the same time, and both rely on internally consistent documentary records.
What documents will a registered CSP ask for at incorporation in 2026?
At minimum: identification (passport / NRIC) and proof of address for each director, shareholder, and beneficial owner; corporate documents (certificate of incorporation, register of members) for any corporate shareholder; declaration of source of funds and source of wealth at engagement; declaration of intended business activity; declaration of PEP status. Higher-risk profiles attract additional documents under the EDD pathway (audited financial statements, bank reference letters, certified copies of constitutional documents from non-cooperating jurisdictions).
What happens if my CSP files a suspicious transaction report on me?
The CSP files the STR with STRO and must not inform the client (the "no tipping-off" rule under the CDSA). The client therefore has no notice that an STR has been filed. The CSP may continue to provide routine services while the matter is pending. An STR is not by itself an allegation or a finding of wrongdoing; it is a reporting threshold based on reasonable suspicion, and STRO's downstream action depends on its assessment.
How does Anlian Group's licensed corporate services team apply the CSPA 2024 framework?
Anlian Group's licensed corporate services team is registered with ACRA as a Corporate Service Provider under FA20200346 and operates under the CSPA 2024 framework with an RQI registered with ACRA. The team's compliance discipline includes documented CDD files at each of the five touchpoints, a scheduled risk-based monitoring cadence, RQI-only handling of STR matters, and the firewall between client-facing operational staff and the STR record described above. Engagement scope is confirmed during the [strategy call](/contact/strategy-call), and the related [nominee director cluster article](/insights/singapore-nominee-director-acra-csp) covers the CSP-arranged nominee director route.

How Anlian Group helps

If your situation maps onto this article, we'd start with a no-pitch strategy call: 30 minutes, single-use invite, scheduled within 24 hours of your inquiry.

Request a Strategy Call →