For many Singapore SME directors, compliance is a back-office function: file the annual return, hold the AGM, keep the company secretary happy. That mental model was always incomplete. In 2026, it is genuinely dangerous.

Singapore’s regulatory landscape tightened sharply between 2025 and 2026. The Corporate Amendments and Limited Liability Partnerships Act 2025 (CALA 2025) raised financial penalties and widened director liability. The Corporate Service Providers Act strengthened oversight of nominees and compliance agents. MAS tightened the single family office notification framework. The Personal Data Protection Act continues to be actively enforced. Taken together, these reforms mean that compliance is no longer something you can fully delegate — it is a personal, non-transferable board obligation.

This article explains what Singapore directors must personally own on the compliance agenda in 2026, and how to build a simple board-level system to stay on top of it without adding unnecessary bureaucracy.

Why Non-Delegable Director Obligations Matter

Singapore’s Companies Act 1967 imposes personal duties on every director. Under Section 157 of the Companies Act, directors must act honestly and use reasonable diligence in the discharge of their duties. These obligations follow the individual director, not the corporate structure. Outsourcing your accounting, your company secretarial work, and your payroll does not outsource your personal liability if those functions go wrong.

CALA 2025 made this harder to ignore. Breaches of certain ACRA filing obligations now carry fines of up to S$20,000 per director breach, with potential imprisonment of up to 12 months for wilful defaults. The days of assuming that a technical ACRA violation was a company-level fine are over — the regulator’s direction of travel is clear: individual directors bear personal accountability.

This does not mean directors must become compliance experts. It means they must understand which obligations are theirs to own, build the right structures to monitor them, and ensure they receive the right information from the right people at the right times.

The Four Board-Level Compliance Pillars in 2026

1. ACRA Statutory Filings and Corporate Governance

The foundational layer of compliance — filing annual returns, maintaining the Register of Registrable Controllers (RORC), passing board resolutions for material corporate events, maintaining the statutory registers — is managed by your corporate secretary. But the board must actively review and approve, not simply rubber-stamp.

Specifically, directors should confirm at each board meeting that: (a) annual returns have been filed within the statutory deadline; (b) any changes in directors, shareholders, or auditors have been lodged with ACRA; (c) the RORC is current and reflects all beneficial owners above the 25% threshold; and (d) there are no outstanding ACRA notices or queries. Your company secretary’s role is to prepare this information — but a director who simply waits to be told everything is taking on unnecessary personal risk.

2. Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT)

AML/CFT obligations apply to all Singapore companies, not just financial institutions. Every company has a duty to know its customers, understand the source of funds flowing through the business, and file Suspicious Transaction Reports (STRs) where warranted under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act.

For most SMEs, the AML/CFT obligations materialise in three concrete board responsibilities:

  • Approving an AML/CFT policy — even a one-page document that identifies your key customer due diligence processes and red flags
  • Knowing who your beneficial owners are — the RORC exists precisely because ACRA and law enforcement need to trace ultimate beneficial ownership; a board that cannot explain who ultimately controls the company and where its funds come from is not compliant
  • Ensuring staff know when to escalate — the STR obligation falls on directors and employees who know or suspect money laundering; there must be a clear internal escalation path

Companies operating in higher-risk sectors — property, professional services, precious metals, cash-intensive businesses — face heightened scrutiny. If you are unsure whether your business is captured by sector-specific AML rules, you should seek [legal advice on your compliance obligations](https://www.justfollowlaw.com).

3. Personal Data Protection Act (PDPA) and Data Governance

The PDPA applies to every Singapore company that collects, uses, or discloses personal data. Enforcement by the Personal Data Protection Commission (PDPC) has been active and visible: significant fines have been imposed on companies that suffered data breaches due to inadequate security measures or that collected data without proper consent.

Board-level data governance obligations include:

  • Data Protection Officer (DPO) designation — every organisation must designate a DPO; the DPO does not need to be an external professional but must have the requisite knowledge and be given sufficient authority
  • Data breach notification — a breach that likely affects 500 or more individuals, or is likely to cause significant harm, must be notified to the PDPC within 3 calendar days; the board needs to know this clock exists
  • Data protection policy — a written policy that sets out how personal data is handled, by whom, and what controls exist is a regulatory expectation, not merely best practice

Directors should receive at least an annual DPO report covering: types of personal data held, third-party data processors engaged, any near-misses or complaints in the year, and the status of data protection policies.

4. The Company Secretary as the Board’s Compliance Conscience

A proactive company secretary does more than file documents. They flag regulatory changes, prepare the compliance calendar for the year ahead, remind the board of approaching deadlines, and identify when a resolution or approval is required before an action can be taken.

The Singapore company compliance calendar is dense: AGMs, annual returns, IRAS filings, RORC updates, CPF contributions, and sector-specific obligations all carry their own deadlines. A good corporate secretary ensures the board is never surprised.

The right question for any Singapore director to ask their company secretary is: “What is outstanding this quarter, and what do you need from the board to close it?” If the answer is vague or slow, the compliance infrastructure needs attention.

A Practical Board Compliance Review Framework for Singapore SMEs

You do not need a large compliance team to stay on top of these obligations. Most Singapore SMEs can build an effective system around three simple practices:

Step 1: Annual Compliance Review (Board Agenda Item, Q1 Every Year)

At the first board meeting of each financial year, the company secretary presents a compliance snapshot: ACRA filings outstanding, RORC status, AML policy last reviewed date, DPO report summary, and any regulatory changes affecting the company. The board minutes this review and any actions arising.

Step 2: Quarterly Compliance Check-In (5 Minutes at Each Board Meeting)

At every board meeting, the company secretary confirms: no ACRA notices outstanding, no IRAS queries, CPF contributions current, no STR triggers identified, and no data breaches. If anything is outstanding, it is minuted and assigned.

Step 3: Trigger-Based Review (When Something Changes)

Specific corporate events — taking on a new investor, entering a related-party transaction, dismissing a director, opening a new business line — each carry specific compliance obligations. Directors must ensure their company secretary is informed of such changes before they happen, so the right filings and approvals are in place.

The Cost of Non-Compliance in 2026

The financial stakes have risen. Under CALA 2025, directors face fines of up to S$20,000 per breach of applicable ACRA obligations, with up to 12 months’ imprisonment for wilful defaults. PDPC fines for data protection breaches can reach up to S$1 million. MAS regulatory penalties for failing to maintain required records or notifications can affect the company’s ability to access regulated financial services.

Beyond the direct financial cost, enforcement action affects director reputation, creates difficulties for future business banking, and may trigger cross-default provisions in financing arrangements. For directors of companies applying for government grants, a poor compliance record can affect eligibility. For Singapore business owners thinking about their long-term enterprise value, a clean compliance record is a genuine asset at the point of any sale, fundraise, or restructuring.

The Role of Your Corporate Service Provider

An engaged corporate service provider does not just file documents — they proactively flag what is coming, remind the board of its obligations, and help structure the internal reviews described above. The right provider acts as the compliance conscience of the company, not a passive filing agent.

When selecting or reviewing your corporate service provider, ask: Are they an ACRA-registered filing agent? Do they proactively monitor for regulatory changes affecting your sector? Do they notify you of approaching deadlines before — not after — they pass? Do they understand your business model well enough to flag when a new activity may trigger a new compliance obligation?

Beyond corporate compliance, [sound financial planning and investment decisions](https://www.daryllum.com) are equally important for business owners building long-term enterprise value alongside their compliance framework.

Conclusion

Singapore directors in 2026 operate in a tighter regulatory environment than at any point in the past decade. CALA 2025, MAS framework updates, and active PDPC enforcement have all raised the stakes for personal director liability. The response is not to add bureaucracy — it is to build a simple, board-driven compliance system that gives directors visibility over what matters, who is responsible, and what is outstanding at any given time.

At Raffles Corporate Services, we work with Singapore company directors as a proactive compliance partner — not just a filing agent. We flag regulatory changes, prepare compliance calendars, and ensure directors have what they need to discharge their obligations with confidence.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services