Singapore’s regulatory environment has undergone a profound transformation over the past two years. The Corporate and Accounting Laws (Amendment) Act 2025 (CALA 2025), which commenced on 6 May 2026, arrived alongside the new Corporate Service Providers Act, tightened Personal Data Protection Act (PDPA) enforcement, and reinforced Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) obligations for companies and their directors. These changes did not arrive one at a time — they landed in a cluster, and together they fundamentally raise the bar for what it means to be a compliant Singapore director in 2026.
For many SME boards, compliance has historically been treated as a back-office function: the company secretary files the annual return, the accountant files the corporate tax, and the directors sign what they are told to sign. That model is no longer adequate. The 2025–2026 reforms have made clear that compliance is a board-level obligation, not a delegable administrative task. Directors who continue to treat it as someone else’s problem will face materially higher personal exposure under Singapore law.
This article explains what Singapore directors must personally own — beyond the routine annual filing — and offers a practical framework for embedding compliance into your board’s agenda.
Why Compliance Cannot Simply Be Outsourced
It is perfectly legitimate — and sensible — for a Singapore company to engage a licensed corporate service provider (CSP) to handle filings, maintain registers, and advise on regulatory requirements. But outsourcing the function does not transfer the liability. Under the Companies Act (Cap. 50), directors owe personal duties to the company and its stakeholders that cannot be contracted away.
The distinction matters especially under CALA 2025. When ACRA imposes a fine for a late annual return or a failure to update the register of controllers, the fine falls on the company and — in cases of wilful default or negligence — on the individual director personally. A signed engagement letter with a CSP does not constitute a legal defence.
The same principle applies to AML/CFT and PDPA obligations. If your company suffers a personal data breach and the Personal Data Protection Commission (PDPC) investigates, it will look at whether the board approved a data protection policy, whether a Data Protection Officer (DPO) was appointed where required, and whether breach notification timelines were met. These are board-level governance questions, not operational ones.
AML/CFT: What the Board Must Own
Singapore’s AML/CFT framework for non-financial businesses has been significantly tightened under the Corporate Service Providers Act, which requires all businesses providing corporate secretarial and related services to register with ACRA and comply with AML/CFT obligations from 9 June 2025. For companies that engage CSPs, this means your service provider is now subject to enhanced due diligence requirements — including screening directors and beneficial owners for money laundering convictions.
But the obligation does not stop at your CSP. Companies themselves are expected to have AML/CFT policies in place where their business activities carry higher risk. If your company operates in sectors with AML exposure — property, precious metals, money services, high-value goods, or professional services — your board should:
- Approve an AML/CFT policy appropriate to your risk profile
- Ensure customer due diligence (CDD) procedures are followed before onboarding high-risk counterparties
- Review whether any Suspicious Transaction Reports (STRs) have been filed in the period
- Re-screen directors and key officers annually against sanctions lists and AML conviction databases
If your company falls under MAS regulation — as a Registered Fund Management Company, Variable Capital Company manager, or licensed financial adviser — the AML/CFT obligations are considerably more detailed and the MAS will hold the board directly accountable for compliance failures.
PDPA: Data Governance as a Board Obligation
The PDPA amendments that took effect in February 2021 introduced mandatory data breach notification, higher financial penalties (up to 10% of annual Singapore turnover for egregious breaches), and clearer DPO appointment expectations. By 2026, PDPC enforcement has moved firmly into the territory of evaluating board governance rather than just operational failures.
At minimum, every Singapore company’s board should be able to confirm:
- A written Data Protection Policy exists and has been approved by the board or a board-authorised officer
- A DPO has been appointed (or a determination has been made that none is required given the company’s scale and data profile)
- Staff handling personal data have received data protection training
- A data breach response procedure is in place, including the 3-day mandatory notification timeline for notifiable breaches
- Third-party data processors (including CSPs, payroll providers, and IT vendors) are bound by contractual data protection obligations
The PDPC has made clear that ignorance at the board level is not a mitigating factor. Where a breach occurs and the investigation reveals that the board never formally addressed data governance, penalties are likely to be higher.
CALA 2025: Higher Personal Liability for Directors
The Corporate and Accounting Laws (Amendment) Act 2025 introduced a raft of changes that directly affect director liability. The most significant for SME boards include:
Increased Penalties for Filing Defaults
Under CALA 2025, maximum fines for director-level offences for common statutory defaults (late annual returns, failure to hold AGMs, late financial statement lodgement) have been increased. Wilful default can now attract fines of up to S$20,000 per director per breach, and repeat offenders face heightened scrutiny from ACRA including possible disqualification proceedings.
Nominee Register and Controller Disclosure
CALA 2025 strengthened the requirements around registers of nominee directors and registers of controllers. Directors who are nominees must disclose their nominee status and nominator details. Companies that fail to maintain accurate, up-to-date registers face enhanced penalties, and it is the board — not just the company secretary — that is responsible for ensuring accuracy.
Named Auditor Requirement
For companies that require a statutory audit, CALA 2025 requires audit reports to name the individual Public Accountant primarily responsible for the engagement, effective from 6 May 2026. While this is primarily an audit governance requirement, it reinforces the broader theme: individual accountability replaces institutional anonymity at every layer of Singapore’s corporate governance framework. Directors approving financial statements should verify that this requirement is met before signing off. For detailed guidance on who needs an audit, see our article on the Singapore Statutory Audit 2026.
Practical Board Compliance Calendar: What to Review Quarterly vs Annually
One of the most effective ways to embed compliance into board governance is a structured compliance calendar reviewed at each board meeting. Below is a practical framework for Singapore SME boards:
| Frequency | Compliance Item | Board Action |
|---|---|---|
| Quarterly | Review outstanding ACRA filings and deadlines | Confirm with CSP; note any late items and remediation steps |
| Quarterly | GST return status (if GST-registered) | Confirm filings are current; flag any arrears to IRAS |
| Quarterly | AML/CFT review (higher-risk businesses) | Review any STRs filed; confirm CDD procedures are followed |
| Quarterly | PDPA: data incidents and near-misses | Receive DPO or operational report; confirm no unreported breaches |
| Annually | AGM / annual return | Approve financial statements; confirm AR filed within 7 months of FYE |
| Annually | Register of controllers update | Confirm register is accurate; update for any ownership changes |
| Annually | Register of nominee directors | Confirm nominees have disclosed status; review nominator details |
| Annually | Director / officer AML screening | Re-screen all directors against sanctions lists |
| Annually | Data protection policy review | Board formally approves updated policy; DPO confirms no outstanding matters |
| Annually | ECI and corporate tax filing | Confirm ECI filed within 3 months of FYE; Form C-S/C by 30 November |
For a complete overview of all ACRA and IRAS filing deadlines, our Singapore Company Compliance Calendar 2026 sets out every deadline a private company must meet.
The Company Secretary’s Role as Compliance Conscience
A good company secretary — whether in-house or outsourced — does more than file documents. In the context of 2026’s heightened regulatory environment, the right CSP should proactively flag:
- Upcoming deadlines before they become defaults
- Regulatory changes that affect the company’s compliance obligations
- Director disqualification risks arising from persistent late filings
- Changes to the register of controllers triggered by new shareholding arrangements
- CALA 2025 and other statutory updates that require board-level action
Under ACRA’s framework, a CSP registered as a filing agent bears its own AML/CFT obligations — it must conduct due diligence on the companies and directors it serves. This creates a mutual accountability structure: the CSP vets the directors, and the directors should in turn ensure the CSP is ACRA-registered, AML/CFT compliant, and providing substantive governance support rather than purely administrative filing.
For more on board resolutions in Singapore — including the types of matters that require formal board approval — see our dedicated guide.
The Cost of Non-Compliance in 2026
The financial and reputational cost of compliance failures in Singapore has never been higher. Under CALA 2025, the penalty regime for director-level defaults has been materially strengthened:
- Failure to file annual return on time: Fine up to S$5,000 per officer in default; continued default adds further daily penalties
- Failure to hold AGM within statutory deadline: Fine up to S$5,000 per officer
- Wilful default on register obligations: Fines up to S$20,000 per director breach, with risk of criminal prosecution in egregious cases
- Director disqualification: Persistent defaults can trigger ACRA disqualification proceedings under Section 155B of the Companies Act, barring the individual from acting as a director of any Singapore company for up to 5 years
For an overview of how director disqualification proceedings work in Singapore, including court procedures and consequences, see our guide.
Beyond ACRA, PDPC penalties for serious data protection breaches can reach 10% of annual Singapore turnover. And for companies regulated by MAS, AML/CFT failures can result in loss of licence and criminal prosecution of individual officers.
A Simple 3-Step Board Compliance Review Process
For Singapore SME boards that want to embed compliance without creating bureaucratic overload, a three-step review process is practical and defensible:
Step 1: Compile the Compliance Register
Once a year (typically at the beginning of the financial year), the company secretary or a board-designated officer compiles a compliance register listing every statutory obligation, its deadline, the responsible party, and the current status. This register becomes the baseline document for quarterly review.
Step 2: Quarterly Board Compliance Update
At each quarterly board meeting, a standing agenda item covers: (a) status of all items in the compliance register; (b) any new regulatory changes affecting the company since the last meeting; (c) any compliance incidents or near-misses. The board minutes should record this discussion.
Step 3: Annual Compliance Sign-Off
At the year-end board meeting, directors formally confirm — on the record — that all material compliance obligations have been met in the financial year just closed, or that identified gaps have a documented remediation plan. This confirmation, minuted properly, demonstrates good faith governance and is the best available defence in any subsequent ACRA or regulatory inquiry.
Beyond compliance, sound financial planning and investment decisions are equally important for business owners looking to grow sustainably alongside their companies.
For legal advice on your compliance obligations as a director, or if you need guidance on corporate governance matters beyond the scope of your CSP, we can point you in the right direction.
For the latest Singapore business news and regulatory updates, there are useful resources for directors and business owners.
To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.
— The Editorial Team, Raffles Corporate Services
Leave A Comment