For many Singapore SME directors, “corporate compliance” conjures a short mental checklist: file the annual return with ACRA, hold the AGM, pay the corporate tax by the deadline. In 2026, that checklist is dangerously out of date.

Singapore’s regulatory environment has undergone a structural shift over the past two years. The Corporate and Accounting Laws Amendment Act 2025 (CALA 2025), the Corporate Service Providers Act, updated ACRA enforcement priorities, and the Personal Data Protection Commission’s stepped-up PDPA enforcement have converged to create an environment where directors cannot treat regulatory risk as something they hand entirely to their company secretary and forget.

These obligations attach to the individual director. They cannot be delegated away. If your company engages a professional corporate services provider (CSP) to handle ACRA filings, maintain the share register, and manage the company secretary function, that is sensible and cost-effective — but it does not transfer your personal legal exposure.

This article outlines what Singapore boards must personally own in 2026, why the traditional “tick-box” approach is now both legally and financially dangerous, and how to build a practical compliance rhythm without consuming every board meeting.

The 2025–2026 Regulatory Reset: Four Changes Every Board Must Understand

1. CALA 2025: Director Penalties Have Sharply Increased

CALA 2025 commenced on 6 May 2026 and amended the Companies Act 1967, the Accountants Act 2004, and the Singapore Accountancy Commission Act 2013. For directors, the most consequential changes are the increased criminal and civil penalties for regulatory breaches.

Under the revised regime, breaches that previously carried token fines now attract penalties of up to S$20,000 per breach in civil penalty proceedings, and up to S$200,000 and/or 12 months’ imprisonment for more serious criminal contraventions. Where directors are found to have authorised or permitted a breach — even passively — they can be held personally liable alongside the company.

CALA 2025 also introduced mandatory director screening requirements, including checks against ACRA’s register of disqualified directors and the MAS Financial Institutions Directory before any new director is appointed.

2. Corporate Service Providers Act: Your CSP Must Be Registered

From 2025 onwards, any business providing corporate secretarial or registered office services in Singapore must be registered with ACRA under the Corporate Service Providers Act and must comply with AML/CFT obligations. This changes the landscape significantly.

It means your CSP is now a regulated entity with its own compliance obligations. It also means that if your CSP is not ACRA-registered, using their services exposes your company to regulatory risk. Before renewing any CSP engagement, directors should confirm ACRA registration status.

Importantly, the new regime has also tightened obligations for nominee directors, who are no longer permitted to act as passive placeholders. Nominee directors must exercise genuine oversight — including receiving management accounts, reviewing compliance reports, and flagging suspicious activity — or risk personal liability for facilitating corporate misconduct.

3. AML/CFT: Board-Level Approval Is Now Required

Under Singapore’s AML/CFT framework, the board of directors is explicitly responsible for approving the company’s AML/CFT policies and procedures, reviewing Suspicious Transaction Reports (STRs), overseeing customer due diligence for high-risk counterparties, and maintaining the Register of Registrable Controllers (RORC).

A written AML policy must exist, be reviewed at least annually, and be approved by the board (or a sub-committee with board-delegated authority). AML/CFT obligations apply to all Singapore companies — not just financial institutions. The FATF Mutual Evaluation of Singapore in 2024 highlighted the risk of corporate vehicles being used for money laundering, and ACRA has intensified its enforcement response accordingly.

4. PDPA: Data Governance Is Now a Director-Level Issue

The Personal Data Protection Commission has significantly stepped up enforcement since 2024. Key obligations that the board must own include: formal appointment of a Data Protection Officer (DPO), a data breach response plan enabling PDPC notification within 3 calendar days where required, and a project to remove NRIC numbers as authentication credentials before the 1 January 2027 deadline.

Where a breach affecting 500 or more individuals occurs — or any breach likely to result in significant harm — the company must notify PDPC within three calendar days of becoming aware. If the board has not established a response plan in advance, meeting this deadline is practically impossible.

What Boards Must Formally Review: A Quarterly and Annual Compliance Calendar

Quarterly Reviews (at Every Board Meeting)

At each quarterly board meeting, directors should review ACRA filing status and upcoming deadlines, any changes to directors or shareholders requiring ACRA notification, AML/CFT flag reports from the company secretary, and the company’s financial position relative to its creditor obligations. If the financial position is deteriorating, the board must turn attention to insolvent trading risks immediately.

Annual Reviews (at or Before the AGM)

Annually, the board should formally review and approve the AML/CFT policy, confirm the DPO appointment and review any data protection incidents, and use board resolutions in Singapore to authorise the company secretary to update the register of members, register of directors, and RORC. Director screening checks against ACRA’s disqualified director register should also be run annually.

Refer to the Singapore Company Compliance Calendar 2026 for a full breakdown of all ACRA, IRAS, and MOM filing deadlines by month.

The Company Secretary as Compliance Conscience

A professional company secretary is not merely an administrative function. Under Section 171 of the Companies Act 1967, the company secretary is a statutory officer of the company. A good CSP proactively alerts the board to upcoming filing deadlines, regulatory changes, compliance red flags, and governance gaps — before they become problems.

When evaluating your current CSP, ask: in the past 12 months, how many times has the CSP proactively contacted your board about a compliance issue (as opposed to simply processing a request you made)? A reactive CSP is an administrative vendor. A proactive CSP is a compliance partner.

For more detail on company secretary statutory duties under the Companies Act, refer to our comprehensive guide.

The Cost of Getting It Wrong in 2026

The financial and reputational cost of compliance failures in 2026 is considerably higher than in prior years. Post-CALA 2025, ACRA has stated publicly that enforcement will be more active. The “we didn’t know” defence is increasingly difficult to sustain when statutory obligations are clear and publicly available.

Breach Penalty (2026)
Failure to hold AGM within prescribed period Fine up to S$5,000 per director
Annual return filed late ACRA late-lodgement fee + penalty up to S$5,000
Failure to maintain accurate RORC Fine up to S$5,000 (company) + director personal liability
AML/CFT policy breach (CSP Act) Up to S$100,000 per breach
Data breach not reported within 3 days (PDPA) Up to 10% of annual Singapore turnover or S$1 million, whichever is lower
Insolvent trading (Companies Act s 339) Personal liability for company debts + possible disqualification

For sound financial planning and investment decisions, business owners should factor compliance costs into their annual budget from the outset — they are not optional and they are not going away.

A Simple 3-Step Board Compliance Review Process for Singapore SMEs

If your board currently has no structured approach to compliance governance, here is a practical starting point.

Step 1: Conduct a compliance health check. Ask your company secretary to produce a compliance status report covering: all ACRA filings due in the next six months; RORC accuracy; whether an AML/CFT policy exists and when it was last reviewed; and whether a DPO has been formally appointed.

Step 2: Allocate board-level ownership. Designate one director as the compliance champion. This does not create additional liability — it ensures that one person has the responsibility and authority to escalate compliance issues before they become breaches.

Step 3: Build compliance into the board calendar. Add a standing compliance item to every board meeting agenda. A 10-minute review of the CSP’s filing status report and upcoming deadlines is sufficient for most SMEs — the key is that it is on the record.

If you need legal advice on your compliance obligations, we can point you in the right direction. For the latest Singapore business news and regulatory updates, there are useful resources for directors and business owners.

Conclusion

Corporate compliance in Singapore in 2026 is not an administrative back-office function. It is a board-level obligation with real financial and personal consequences for directors who treat it otherwise. CALA 2025, the Corporate Service Providers Act, AML/CFT obligations, and PDPA enforcement have all tightened simultaneously. The directors who navigate this well are those who take ownership of the framework, appoint the right professional partners, and build compliance into the rhythm of how their company is governed.

To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.

— The Editorial Team, Raffles Corporate Services