Successfully registering as a Corporate Service Provider (CSP) in Singapore does not mean that compliance work is complete. CSP registration is only the beginning. What ACRA and enforcement authorities focus on is whether the CSP has established and implemented effective compliance procedures in its daily operations.

Key Things Newly Registered CSPs Must Know

For newly registered CSPs, the following matters should be addressed as soon as possible.

1. Prepare Your IPPC

IPPC stands for Internal Policies, Procedures and Controls. It refers to the internal compliance policies, procedures and control measures that a CSP must establish and maintain.

For a registered CSP, an IPPC is not an optional internal document. It is a core compliance requirement. If a CSP does not have an IPPC, or if the IPPC is merely a generic document that does not reflect its actual business operations, the CSP may be regarded as failing to meet its compliance obligations.

The purpose of an IPPC is to clearly explain how the CSP identifies customer risks, conducts customer due diligence, performs AML/CFT screening, keeps records, trains staff, and handles high-risk or suspicious customers.

An IPPC does not need to be unnecessarily complicated, but it should cover the key compliance areas of a CSP’s daily operations, including:

  • Customer acceptance criteria;
  • Customer due diligence procedures;
  • Identification and verification of customers, authorised representatives and beneficial owners;
  • AML/CFT screening and customer risk assessment;
  • Enhanced due diligence for high-risk customers;
  • Ongoing monitoring and periodic review;
  • Identification, internal escalation and handling of suspicious matters, including STR procedures;
  • Record-keeping requirements;
  • Staff hiring, training and internal supervision;
  • Controls over higher-risk services such as nominee director and nominee shareholder arrangements.

An IPPC should be tailored to the CSP’s own business. It should not simply be copied from a generic template. Different CSPs may have different customer types, service scopes, team structures and risk profiles, and their IPPC should reflect these differences.

For newly registered CSPs that have not yet established a complete IPPC, AlgoCandy provides a Singapore IPPC Template service. The template is designed for Singapore CSPs and takes into account the CSP Act 2024, CSP Regulations 2025, ACRA guidance and common compliance inspection focus areas. It helps CSPs establish and maintain their internal compliance framework more efficiently.

2. Having an IPPC Is Not Enough — It Must Be Followed in Daily Work

Many newly registered CSPs make the mistake of assuming that having an IPPC means they are already compliant.

In reality, the IPPC is only the internal framework. What matters most is whether the CSP follows it in its daily operations.

Even if a CSP has an IPPC, it may still be considered non-compliant if, in practice, it:

  • Provides services before completing CDD;
  • Fails to identify or verify beneficial owners;
  • Fails to conduct AML/CFT screening;
  • Does not perform enhanced due diligence for high-risk customers;
  • Fails to keep screening, risk assessment and approval records;
  • Has staff who do not understand the IPPC requirements;
  • Skips required procedures for the sake of closing a deal or improving customer convenience.

Therefore, CSPs should translate their IPPC into practical workflows, such as customer acceptance forms, CDD questionnaires, AML screening, risk assessments, approval records, ongoing monitoring, review reminders and staff training records.

Compliance is not just about having documents. It is about having compliant processes and evidence to prove that those processes were followed.

3. Understand the Two Main Risk Triggers for CSPs

Many CSPs mistakenly believe that their biggest compliance risk comes from routine ACRA inspections. In practice, CSPs face two main types of risk triggers, and the second is often much more serious.

1. ACRA Compliance Inspections or Reviews

The first type of risk is a compliance review conducted by ACRA.

Such reviews may be carried out directly by ACRA or by third-party compliance reviewers appointed by ACRA. The review usually focuses on areas such as:

  • Whether the IPPC is complete;
  • Whether internal procedures meet regulatory requirements;
  • Whether staff understand and follow the IPPC;
  • Whether CDD has been properly completed;
  • Whether AML/CFT screening has been performed;
  • Whether customer risk assessments are reasonable;
  • Whether enhanced due diligence has been conducted for high-risk customers;
  • Whether STR procedures are in place;
  • Whether staff training records are maintained;
  • Whether selected customer files contain complete compliance records.

It is commonly understood in the industry that ACRA reviews hundreds of CSPs each year. Regardless of the exact number, CSPs should not rely on luck. Once selected for review, the CSP must be able to provide genuine, complete and traceable compliance records.

ACRA compliance reviews usually focus on whether the CSP has established proper policies and whether those policies are actually followed in daily operations.

2. Investigations Triggered by Customer Involvement in Money Laundering, Fraud or Other Criminal Risks

The second type of risk arises when a customer becomes involved in suspected money laundering, fraud, illegal fund flows or other criminal activities, and the Singapore Police Force or other enforcement authorities become involved.

This type of risk is often more serious than a routine ACRA review. The focus is no longer limited to whether the CSP has compliance documents. Instead, the authorities may review what the CSP actually did when servicing that customer, including whether there were any lapses or negligence.

They may examine whether the CSP:

  • Properly identified the customer’s true identity;
  • Identified the beneficial owners;
  • Understood the customer’s real business activities;
  • Conducted AML/CFT screening;
  • Detected any risk indicators;
  • Conducted further checks when red flags appeared;
  • Continued to provide services despite knowing the risks;
  • Kept complete CDD and communication records;
  • Reported suspicious matters where required;
  • Assisted the customer in avoiding regulatory scrutiny.

If a customer is ultimately involved in money laundering, fraud or other criminal activity, and the CSP is found to have been negligent in the course of providing services, the consequences may go beyond ACRA compliance penalties. The CSP may face more serious legal risks, including potential criminal liability.

Therefore, CSPs should understand that ACRA inspections are only one part of the compliance risk. The greater risk often arises when a customer gets into trouble and the CSP must prove that it has fulfilled its AML/CFT obligations properly.

4. Pay Attention to Staff Hiring and Training

A CSP’s compliance risk does not only come from customers. It can also come from internal staff. Newly registered CSPs should establish proper staff hiring and training procedures to ensure that employees understand and follow the company’s compliance requirements.

When hiring staff, CSPs should consider whether the person is suitable to handle customer information, company filings, CDD work, AML screening and customer communication.

In terms of training, relevant staff should at least understand:

  • Basic AML/CFT requirements;
  • The key content of the company’s IPPC;
  • Customer due diligence procedures;
  • AML screening and risk assessment methods;
  • How to identify suspicious customers or suspicious circumstances;
  • How to escalate matters internally;
  • How to keep proper compliance records.

Training should not be a one-time exercise. CSPs should conduct training regularly and maintain training records. New employees should also complete necessary training before handling customer matters.

5. Consider Purchasing AML/CFT Compliance Software

For CSPs that care about compliance, efficiency and customer experience, it is advisable to purchase AML/CFT compliance software as early as possible. As regulatory expectations for Singapore CSPs continue to increase, relying entirely on manual CDD and AML screening can create many practical challenges.

First, without professional software, it is difficult to perform AML screening in a complete and timely manner. Customers, directors, shareholders, authorised representatives and beneficial owners may all need to be screened against sanctions lists, PEP databases, adverse media, high-risk jurisdictions and other risk sources. Manual searches are inefficient and can easily miss important risk indicators.

Second, if CDD is handled entirely manually, it consumes a significant amount of time. CSPs may need to repeatedly explain technical terms to customers, request documents, verify information, follow up on missing details and organise records. This increases staff workload and may also make customers feel that the process is complicated and frustrating.

Third, manual processes can negatively affect customer experience. Many customers do not understand terms such as CDD, UBO, PEP, Source of Funds and Source of Wealth. If the CSP has to repeatedly explain these concepts and request additional information, customers may question the CSP’s professionalism, or even decide to leave.

Fourth, manual processes make it difficult to maintain a complete compliance evidence trail. If the CSP is later reviewed by ACRA, or if a customer triggers an investigation involving money laundering or fraud, the CSP must be able to show how it identified the customer, performed screening, assessed risk, approved the customer and conducted ongoing monitoring. Without systemised records, it can be difficult to reconstruct the full compliance process afterwards.

When choosing AML/CFT compliance software, CSPs should not only look at whether the system can perform AML screening. They should also consider:

  • Whether it covers the complete CDD workflow;
  • Whether it covers the main compliance requirements for CSPs;
  • Whether customers can complete and submit information online;
  • Whether it supports identity verification, AML screening, risk assessment and ongoing monitoring;
  • Whether it reduces manual communication and repeated data entry;
  • Whether it can generate complete CDD records and reports;
  • Whether it improves customer experience;
  • Whether it is truly suitable for Singapore CSP business scenarios.

AlgoCandy is one-stop AML compliance software designed for Singapore CSPs. It covers customer onboarding, KYC/CDD, identity verification, AML screening, customer risk assessment, ongoing monitoring and CDD report export, helping CSPs improve compliance capability, operational efficiency and customer experience.

For CSPs that want to grow sustainably, compliance software should not be viewed simply as a cost. It is an important tool for reducing compliance risk, saving staff time and improving service professionalism.

6. Be Especially Careful with Nominee Director Arrangements

Nominee director services are among the higher-risk services in the CSP industry. Newly registered CSPs that provide or arrange nominee director services must be especially careful.

A nominee director is not a “paper director” without responsibility. Even if a person acts as a nominee director, they are still a company director and still bear directors’ duties. Before arranging for a person to act as a nominee director, the CSP should assess whether the person is fit and proper, and whether they have the ability, experience, time and judgment to perform the role.

CSPs should pay particular attention to the following:

  • Do not conceal customer risks from the nominee director;
  • Do not encourage the nominee director to avoid supervising the company;
  • Do not tell the nominee director that they are “only a nominee” and do not need to be involved;
  • Do not arrange clearly unsuitable persons to act as nominee directors;
  • Keep fit and proper assessment records for nominee directors;
  • If the customer presents high-risk factors, ensure that the nominee director understands the relevant risks.

If a CSP knows that a customer presents risks but still arranges a nominee director who does not understand, supervise or participate in risk judgment, the CSP may face significant risk.

7. Conclusion

Newly registered CSPs must understand that registration is only the first step. What truly matters is establishing and implementing an effective compliance framework.

After registration, CSPs should promptly:

  • Prepare an IPPC tailored to their business;
  • Implement the IPPC in daily operations;
  • Understand the different consequences of ACRA inspections and customer-triggered risk investigations;
  • Establish customer due diligence, AML screening, risk assessment and ongoing monitoring procedures;
  • Conduct proper staff screening and regular training;
  • Exercise strong caution when providing nominee director services;
  • Purchase AML/CFT compliance software that fits CSP business needs and improves compliance, efficiency and customer experience.

Compliance is not just about passing inspections. It is about protecting the CSP itself. If a customer becomes involved in illegal activity, whether the CSP can prove that it conducted reasonable due diligence, identified risks, obtained internal approvals and performed ongoing monitoring may directly affect the CSP’s regulatory and legal risk.
