For most Singapore SME directors, compliance means one thing: making sure the annual return is filed on time. In recent years, however, Singapore’s regulatory architecture has changed fundamentally. The 2025–2026 wave of legislative reform — culminating in the commencement of the Corporate and Accounting Laws (Amendment) Act 2025 (CALA 2025) on 6 May 2026 — has elevated compliance from a clerical task to a personal board-level obligation.
Large advisory firms have been vocal about this shift for listed companies. But the pressure is equally real for private limited companies, whose directors can now face fines of up to S$20,000 and imprisonment of up to 12 months for breaches of their statutory duties. This guide is for Singapore SME boards who want to understand what compliance truly requires of them — and how to structure their oversight accordingly.
Why the Regulatory Landscape Has Shifted in 2025–2026
Singapore has strengthened its corporate governance framework on multiple fronts simultaneously. Understanding the cumulative effect matters because no single change is overwhelming on its own — but together they represent a material increase in board-level exposure.
CALA 2025 (effective 6 May 2026) — The most significant overhaul of the Companies Act in recent memory raised director penalty caps from S$5,000 to S$20,000 per breach, and introduced up to 12 months’ imprisonment for serious violations. It also introduced mandatory nominee director registers and tightened the rules around corporate service providers.
Corporate Service Providers Act 2024 (CSP Act) — All businesses providing corporate secretarial services are now required to register with ACRA and comply with full AML/CFT obligations. This matters for boards because their corporate service provider now has its own compliance obligations that extend to the companies and directors it serves.
PDPA Enforcement — The Personal Data Protection Commission has continued to impose significant financial penalties on companies that fail to protect customer data. The Mandatory Data Breach Notification obligation applies to the company, and board oversight of personal data practices is now expected.
MAS Regulatory Developments — A series of MAS regulatory updates affecting fund management, family offices, and capital markets signals a broader direction towards requiring explicit registration and accountability from all structured entities. Directors of companies with any MAS-regulated component cannot treat these obligations as peripheral.
What Directors Cannot Delegate
The most important principle for any Singapore director to understand is this: you can outsource the function, but you cannot outsource the liability.
You may engage a corporate service provider to maintain your statutory registers, file your annual return, and send you reminders about AGM dates. But if those obligations are not discharged, you — the director — face the penalty. Under Section 157 of the Companies Act, directors must act honestly and use reasonable diligence. Reasonable diligence includes verifying that the functions you have delegated are actually being performed.
Strategic Oversight of Compliance Risk
The board must collectively understand which regulatory regimes apply to the company and what the company’s exposure would be if those regimes are breached. This requires at least one agenda item per board meeting dedicated to regulatory risk — not simply a sign-off on the annual return filing.
AML/CFT Oversight
If your company operates in any sector with AML/CFT obligations, the board must formally approve the company’s AML/CFT policy, review it annually, and receive reporting from whoever manages compliance. Directors cannot assume that the corporate secretary handles this as a matter of course.
Data Governance Under the PDPA
Every company that collects personal data from customers, employees, or vendors is subject to the Personal Data Protection Act. The board must approve the company’s data protection policy, be notified promptly of any data breach, and take responsibility for the breach notification process to the PDPC within three calendar days of assessing a notifiable breach.
The Practical Board Compliance Calendar
One practical way to institutionalise compliance as a board-level priority is to establish a rolling compliance calendar — not just for statutory filings, but for governance reviews. Here is a workable framework for Singapore private companies:
Q1 (January to March)
- Review the company’s compliance calendar for the financial year.
- Confirm the annual return filing window (7 months from financial year end for private companies).
- Review and approve the company’s data protection policy.
- Confirm that directors’ interests in contracts have been disclosed and minuted.
Q2 (April to June)
- AGM preparation (for 31 December FYE companies, the AGM must be held by 30 June).
- Review auditor appointment or re-appointment.
- Confirm all changes to directors, secretaries, or shareholders have been notified to ACRA within 14 days.
Q3 (July to September)
- Mid-year review of any regulatory changes affecting the company’s sector.
- Update the Register of Registrable Controllers (RORC) if there have been changes in beneficial ownership.
- Review data protection measures and access controls introduced since the previous review.
Q4 (October to December)
- Year-end review of board composition: does the company have at least one ordinarily resident director in Singapore?
- Review the nominee director register if applicable (mandatory under CALA 2025 for companies with nominee directors).
- Brief incoming directors on their fiduciary duties if any board changes are planned.
The Company Secretary as Compliance Conscience
A well-engaged corporate secretary is not simply a filing agent. Their role — under Section 171 of the Companies Act — includes advising directors on compliance, ensuring that board and shareholder meetings are properly convened and minuted, and maintaining the accuracy of the company’s statutory registers.
The distinction between a reactive and proactive corporate secretary is significant. A reactive secretary files documents when instructed. A proactive secretary flags upcoming deadlines before they pass, alerts the board when a regulatory change affects the company’s structure or obligations, and ensures that the board’s decisions are properly documented. When evaluating a corporate service provider, directors should ask how it will flag regulatory changes, how it ensures the RORC is current, and what its process is for reviewing compliance obligations when the business changes.
The Cost of Non-Compliance in 2026
Under CALA 2025, the financial and personal consequences of director non-compliance have become materially more severe:
| Breach | Maximum Fine | Imprisonment |
|---|---|---|
| Failure to maintain statutory registers | S$20,000 | Up to 12 months |
| Failure to notify ACRA of officer changes | S$20,000 | — |
| Breach of duty to act honestly (Section 157) | S$20,000 | Up to 12 months |
| Failure to maintain RORC | S$20,000 | Up to 12 months |
| Non-compliance with nominee director register | S$20,000 | Up to 12 months |
| Late filing of annual return | S$600 composition fine | — |
ACRA has moved from a culture of small composition fines to genuine director accountability. For data breaches under the PDPA, penalties can reach up to 10% of annual local turnover or S$1 million, whichever is higher.
A Three-Step Board Compliance Review for Singapore SMEs
Step 1: Audit your statutory registers. Ask your corporate secretary to confirm that the following are current: register of directors; register of members; Register of Registrable Controllers; and, if applicable, the register of nominee directors. Any gap should be remedied immediately.
Step 2: Review your compliance calendar. Confirm that reminders are in place for the AGM date, annual return filing deadline, CPF submission deadlines, GST filing deadlines (if registered), and any sector-specific regulatory filing dates.
Step 3: Confirm that your board minutes are up to date. Every material decision — appointment of officers, approval of financial statements, declaration of dividends, approval of contracts with connected parties — must be properly minuted. Unminuted decisions create gaps that are difficult to remedy in any regulatory review or dispute.
Conclusion
Singapore’s regulatory framework now demands far more than annual return compliance from company directors. The combination of CALA 2025’s higher penalties, the CSP Act’s compliance demands, PDPA enforcement, and evolving regulatory expectations means that boards must treat compliance as a standing strategic agenda item. Companies that demonstrate strong governance attract better investors, stronger banking relationships, and a more favourable profile with government agencies. For the latest Singapore business news and regulatory updates, there are useful resources for directors and business owners.
For broader business investment planning decisions that go hand in hand with sound governance, directors should take a holistic view of their obligations. If you need legal advice on your compliance obligations, we can point you in the right direction.
To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.
— The Editorial Team, Raffles Corporate Services
Leave A Comment