Singapore’s regulatory environment has tightened considerably over the past two years. The Corporate and Accounting Laws Amendment Act 2025 (CALA 2025), which commenced on 6 May 2026, introduced higher director penalties and stricter nominee register requirements. The Monetary Authority of Singapore’s revised anti-money laundering frameworks have placed new expectations on boards. Meanwhile, the Personal Data Protection Act continues to evolve, with enforcement notices issued to companies that failed to implement basic data governance measures.
For many Singapore SME directors, compliance is still seen as an administrative task — something the company secretary handles, or that only becomes urgent when an ACRA notice arrives. That framing is dangerously outdated. In 2026, compliance is a board-level obligation, with personal liability consequences for directors who treat it as someone else’s problem.
This guide explains what Singapore directors must personally own beyond the annual return — and why treating compliance as a strategic priority protects both the company and the director personally.
What Has Changed in Singapore’s Regulatory Landscape (2025–2026)
Singapore’s regulatory environment has undergone simultaneous tightening across multiple domains. Directors who were compliant in 2023 may find themselves exposed in 2026 if they have not updated their governance practices.
CALA 2025 — Higher director penalties: Since 6 May 2026, directors who fail to comply with statutory obligations face fines of up to S$20,000 per breach and up to 12 months’ imprisonment for certain offences. This is a substantial increase from previous penalty levels. Breaches that were once handled with a warning letter from ACRA are now prosecutable. For more detail on what CALA 2025 changed, see our guide on CALA 2025: What Directors Must Know.
Corporate Service Providers Act — CSP oversight: All corporate service providers (CSPs) arranging nominee directors, share registration, or corporate secretarial services must now be ACRA-registered. Directors must satisfy themselves that their CSP is properly registered before engaging them — engaging an unregistered CSP can constitute a breach of the Companies Act.
MAS SFO framework changes: For companies with family office structures, MAS revised its Single Family Office (SFO) class exemption framework effective 15 June 2026. Existing SFOs have until 15 June 2027 to file their Notification with MAS or risk losing their licensing exemption.
PDPA enforcement acceleration: The Personal Data Protection Commission has increased its enforcement activity, issuing mandatory breach notifications and financial penalties to companies that did not appoint a Data Protection Officer (DPO) or implement documented data protection policies. Companies with more than 250 employees now face heightened scrutiny.
Non-Delegable Board Obligations: What Directors Cannot Outsource
One of the most important — and most misunderstood — principles of Singapore company law is that directors cannot outsource their personal obligations. A director who says “I left it to the company secretary” or “the corporate services provider handled that” has not discharged their duty.
Under Sections 157 and 157A of the Companies Act (Cap. 50), every director owes duties of loyalty, good faith, and due care and diligence to the company. These duties run to the company, not to any particular function holder. Delegating a task does not transfer the underlying obligation.
Board-level obligations that cannot be delegated away include:
- Approving the company’s financial statements — directors must satisfy themselves that statements present a true and fair view, not simply sign whatever is placed before them.
- Approving and overseeing AML/CFT policies — boards must formally adopt anti-money laundering policies and review them at least annually.
- Ensuring the company maintains proper accounting records — under Section 199 of the Companies Act, directors are personally responsible for ensuring records are kept for at least five years.
- Filing obligations with ACRA — while the company secretary typically files, directors remain liable if filings are not made on time.
- Data protection governance — boards are responsible for ensuring their organisation has a data protection policy and appointed DPO where required.
AML/CFT Board Duties: More Than a Paper Policy
Singapore is one of the world’s leading financial centres, and its government takes anti-money laundering and counter-financing of terrorism (AML/CFT) obligations seriously. Singapore’s MAS AML/CFT framework applies directly to financial institutions, but the underlying principles apply to all Singapore companies through the Companies Act and the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act.
What directors must personally own at the board level includes:
Approving AML/CFT Policies
The board must formally adopt an AML/CFT policy that covers customer due diligence (CDD), beneficial ownership verification, and the handling of suspicious transactions. This policy should be minuted at a board meeting and reviewed annually.
Overseeing Suspicious Transaction Reporting
Singapore companies have a legal obligation to report suspicious transactions to the Suspicious Transaction Reporting Office (STRO). The board should ensure there is an internal escalation path so that unusual transactions reach a responsible person and are reported if required. Directors who knowingly permit money laundering through the company face criminal liability.
Register of Registrable Controllers (RORC)
Since CALA 2025, the RORC requirements have been tightened. Every Singapore company must maintain an accurate RORC identifying the persons who ultimately own or control the company. This register must be maintained at the company’s registered address and kept up to date whenever ownership or control changes. See our CALA 2025 Directors’ Guide for the updated RORC requirements.
Data Governance Under PDPA: What the Board Must Ensure
Singapore’s Personal Data Protection Act 2012 (PDPA) places obligations on organisations that collect, use, or disclose personal data. In 2026, the Personal Data Protection Commission (PDPC) has made clear that boards — not just IT teams — are responsible for data governance failures.
Key board-level data governance obligations include:
- Data breach notification: Mandatory data breach notifications must be filed with the PDPC within three calendar days of discovering a notifiable data breach. The board must ensure there is an incident response procedure so that breaches are identified and reported within this window.
- Data Protection Officer (DPO) appointment: Every organisation subject to the PDPA must designate a DPO responsible for ensuring compliance. For smaller companies, this can be the company secretary or an outsourced DPO. For more information on DPO obligations, visit the PDPC website.
- Data protection policy: The board must approve a documented data protection policy and ensure it is communicated to all staff who handle personal data.
- Vendor due diligence: Where personal data is shared with third-party processors (e.g. payroll providers, cloud storage), the board must ensure that data processing agreements are in place.
A Practical Compliance Calendar: What the Board Must Review
Many Singapore SME boards have no formal compliance review calendar. The result is that compliance is only addressed reactively — when a deadline is missed or an ACRA notice arrives. A proactive approach requires the board to schedule compliance reviews into its governance calendar.
For a full list of ACRA, IRAS, and MOM filing deadlines, refer to our Singapore Company Compliance Calendar. At the board level, a minimum governance calendar should include:
| Frequency | Board Compliance Review Item |
|---|---|
| Quarterly | Review of statutory filing status (Annual Return, XBRL, GST) |
| Quarterly | Review of RORC — any changes in beneficial ownership? |
| Quarterly | Data protection review — any incidents, near-misses, or vendor changes? |
| Annually | Board approval of AML/CFT policy and review of Suspicious Transaction Reporting |
| Annually | Financial statements review and director sign-off |
| Annually | Director’s statement and solvency declaration for annual return |
| Annually | AGM (or AGM exemption) — within 6 months of financial year-end |
| On event | Any change in directors, shareholders, or registered address — notify ACRA within 14 days |
| On event | Material data breach — notify PDPC within 3 days |
The Company Secretary as Compliance Conscience
Under Section 171 of the Companies Act, every Singapore company must appoint a company secretary within six months of incorporation, and that secretary must be ordinarily resident in Singapore. The company secretary is not merely an administrator — a good company secretary acts as the board’s compliance conscience, proactively flagging deadlines, regulatory changes, and governance risks.
What a good corporate service provider proactively does for the board:
- Monitors ACRA filing deadlines and sends advance reminders to directors
- Flags changes in company law and regulations that affect the company
- Reviews director appointment and cessation forms before submission to ensure accuracy
- Advises on RORC changes whenever share transfers or new investors are involved
- Identifies when a company is approaching the statutory audit threshold
- Coordinates with auditors, tax advisers, and payroll providers to ensure integrated compliance
For our guide on what a company secretary is legally required to do, see our article on Company Secretary Statutory Duties Under the Companies Act.
The Cost of Non-Compliance in 2026
Directors who dismiss compliance as a low-risk administrative matter are taking a significant personal gamble. The cost of non-compliance in Singapore in 2026 is higher than ever before:
- CALA 2025 penalties: Fines of up to S$20,000 per director per breach, with imprisonment for certain offences.
- ACRA late filing fees: Late annual return lodgement attracts fees of S$300 to S$600 per instance. Persistent late lodgement can result in ACRA striking off the company, exposing directors to personal liability for acts taken in the company’s name after striking off.
- PDPC fines: Financial penalties of up to 10% of Singapore annual turnover (or S$1 million, whichever is lower) for data protection failures.
- Tax penalties: IRAS imposes penalties of up to 200% of the tax amount evaded for serious non-compliance, and up to 5% surcharge per annum on late estimated chargeable income (ECI) not filed.
- Director disqualification: Under Section 155 of the Companies Act, directors of companies that are wound up or struck off for non-compliance may be disqualified from acting as directors for up to five years.
A Simple 3-Step Board Compliance Review Process for Singapore SMEs
You do not need a large compliance team to run a well-governed Singapore company. The following three-step process gives boards a practical framework they can implement immediately:
Step 1: Conduct a Compliance Audit
Start with a baseline audit of the company’s current compliance status. This means checking that all ACRA filings are up to date, that the RORC is accurate, that financial statements have been prepared for the most recent financial year, and that the company has a registered company secretary who is ordinarily resident in Singapore.
Step 2: Establish a Compliance Calendar
Map out all statutory deadlines for the next 12 months — ACRA filings, GST returns, ECI submission, AGM, financial statement preparation, and payroll tax filings. Add these to the board’s governance calendar so they are reviewed at quarterly board meetings. For a ready-made reference, use our Singapore Compliance Calendar.
Step 3: Assign Ownership and Confirm Escalation Paths
Every compliance obligation should have a named owner — whether that is the company secretary, a director, an internal employee, or an outsourced provider. For obligations that require board sign-off (e.g. financial statements, AML policy approval), set a standing agenda item in the board calendar. Ensure there is a clear escalation path for urgent compliance issues — for example, a data breach that requires PDPC notification within three days.
For the latest Singapore business regulatory updates, directors and business owners can stay informed on any changes that affect their governance obligations.
If you have concerns about whether your company’s compliance governance is robust enough, or if you need legal advice on your regulatory obligations, early engagement with the right professionals can prevent far more costly remediation down the line.
How Raffles Corporate Services Can Help
Treating compliance as a board-level strategic priority does not mean directors must become compliance experts. It means engaging a company secretary and corporate services provider that takes compliance seriously on your behalf — and ensures that nothing falls through the cracks.
At Raffles Corporate Services, we provide corporate secretarial, accounting, payroll, and compliance services to Singapore private companies of all sizes. Our team monitors ACRA filing deadlines, flags regulatory changes, and advises directors on their personal obligations — so that the board can focus on running the business rather than worrying about what they may have missed.
To speak with the team at Raffles Corporate Services, you can email [email protected] or call, SMS, or WhatsApp +65 8501 7133. We are happy to assist with any queries.
— The Editorial Team, Raffles Corporate Services
Leave A Comment