On 6 May 2026, the Financial Action Task Force (FATF) published its mutual evaluation of Singapore’s AML compliance framework. The result was unambiguous: Regular Follow-up, the best monitoring tier in the FATF framework, and an upgrade from the Enhanced Follow-up status Singapore had carried since its last full assessment in 2016.
That is a genuinely strong outcome. Singapore is among the first countries assessed under the FATF’s tougher fifth-round methodology, adopted in 2022, which raises the bar on effectiveness in ways the previous framework did not. Earning Regular Follow-up under those standards is not a formality. It is a statement that the country’s AML/CFT system is working.
But the report tells two stories. The first is the headline: seven of eleven Immediate Outcomes rated Substantial, four Moderate, none High. The second is the evidence the FATF used to reach those ratings. And that evidence includes one of the most significant enforcement episodes in Singapore’s financial history.
To understand what the FATF report means for your institution, you need to start with what happened three weeks before the assessors arrived.
On 4 July 2025, MAS imposed S$27.45 million in composition penalties on nine financial institutions for AML/CFT breaches connected to the S$3 billion money laundering case uncovered in August 2023. The penalties were the second-largest cumulative AML/CFT enforcement action in Singapore’s history, behind only the S$29.1 million levied across eight banks in connection with 1MDB.
The FATF onsite visit ran from 1 to 18 July 2025. The assessors walked into a market where the regulator had just made the most significant AML enforcement statement in a decade. That timing was not a coincidence. MAS had been conducting supervisory examinations of the nine institutions from early 2023 through early 2025. The enforcement actions landed when the assessors could see them.
MAS was explicit about what it found. The failures were not about missing policies. Most of the nine institutions had established AML/CFT frameworks on paper. The frameworks failed in practice. And they failed in four specific categories that map directly to what the FATF measures when it assesses whether a country’s financial institutions actually do what the law requires.
The FATF assesses effectiveness against eleven Immediate Outcomes. For financial institutions, four matter most. IO.3 asks whether supervisors conduct oversight that drives compliance. IO.4 asks whether institutions apply preventive measures proportionate to their risk. IO.6 asks whether financial intelligence is generated and used. IO.7 asks whether money laundering is investigated and proceeds recovered.
Singapore scored Substantial on IO.3, IO.4, and IO.6. That is a strong result. It means the system is working at a level the FATF considers adequate, with room for improvement. It does not mean the system is working perfectly, and it does not mean every institution within the system is meeting the standard.
The distinction matters. A country’s FATF rating reflects the aggregate performance of its system. Your institution’s readiness is a different question. The four failures MAS documented in July 2025 are part of the evidence base that produced Singapore’s Substantial ratings on IO.4 and IO.6. They are also the reason those ratings did not reach High. And they describe gaps that exist, right now, in institutions that were not named in the enforcement action but share the same structural weaknesses.
These are not inferences. They are publicly stated findings, documented across multiple institutions, each connected to a specific FATF effectiveness indicator.
Five institutions failed to implement adequate processes for rating the money laundering risk of their customers. Higher-risk customers were classified as medium risk. Enterprise-wide risk assessments were absent, outdated, or built on generic templates that did not reflect the institution’s actual business.
This is the foundation everything else sits on. If the risk rating is wrong, the controls applied to that customer are wrong. Enhanced due diligence is not triggered when it should be. Transaction monitoring thresholds are set too high. The entire control framework is calibrated to the wrong level. That is what IO.4 measures, and it is what MAS found.
This gap deserves special attention, because it is the mechanism by which the largest money laundering case in Singapore’s history operated undetected.
All nine institutions, not most, all nine, failed to detect or follow up on discrepancies in source of wealth documentation for higher-risk customers. Enhanced due diligence requires independent corroboration: not recording what the customer claims, but verifying it against independent evidence. The laundered funds moved through Singapore’s financial system because institutions accepted source of wealth claims at face value.
When a gap appears universally across nine separately managed institutions, it is not an individual compliance failure. It is a structural weakness in how the industry approaches source of wealth verification.
Suspicious patterns went undetected. Systems were misconfigured, under-resourced, or generating alerts that nobody investigated properly. The institutions produced data. They did not act on it.
IO.6 measures whether financial intelligence reaches competent authorities in a form and timeframe that allows them to act. Suspicious Transaction Reports that were not filed, or filed too late, are the clearest evidence of a broken chain. In the context of the S$3 billion case, those reports either did not exist or arrived after the damage was done.
Alerts raised. Not acted upon. Escalations started. Not completed. Compliance functions identified concerns and then did not resolve them.
The failure here is not detection. It is the space between detection and action. A compliance team that identifies a problem and does not follow it to resolution has, for regulatory purposes, made things worse: they have created a record that they knew something was wrong and did nothing about it.
Every one of these failures is, at its core, an oversight problem. The institutions outsourced AML functions to service providers. The providers delivered outputs. But the institutions did not have independent visibility into whether those outputs were accurate, timely, and meeting the regulatory standard.
They did not all use bad providers. They lacked the architecture to see when good providers were underperforming. That is a critical distinction, because it means the fix is not about firing vendors. It is about building an oversight layer that gives the institution its own view of its own compliance. In the compliance orchestration space, this is the problem FrankieOne was built to solve, and it is the reason the four gaps above look familiar to us: we see them in discovery conversations with Singapore-based institutions every week.
MAS has been making this point for years. The July 2020 guidance paper on strengthening oversight of AML/CFT outsourcing arrangements sets it out plainly: outsourcing a function does not outsource the responsibility. The institution must be able to demonstrate, on demand, that its outsourced controls are operating effectively. The July 2025 enforcement actions are what happens when institutions cannot make that demonstration.
Regular Follow-up is not a conclusion. It is the start of a monitoring cycle.
The FATF adopted a roadmap of recommended actions at the February 2026 Plenary, to be completed within three years. Priority areas include strengthening beneficial ownership verification, prioritising complex money laundering investigations, and introducing more dissuasive sentencing guidelines. Singapore’s authorities have publicly committed to studying and implementing the recommendations.
MAS was already moving in this direction before the report landed. The Enforcement Report 2023/24, published on 16 April 2025, set AML/CFT enforcement as the primary priority for 2025-26 and committed to reviewing penalty frameworks for proportionality and deterrence. That phrase, “proportionality and deterrence,” is MAS telling the market that the S$27.45 million in July 2025 penalties is not the ceiling.
The practical consequence: inspection cycles accelerate after a FATF report. The institutions named in July 2025 are already on remediation plans. The institutions that were not named but share the same structural vulnerabilities are the next cohort. And the FATF report has given MAS both the mandate and the international benchmark to justify increased scrutiny.
A MAS inspector is not asking whether you outsourced to a reputable provider. They are asking whether you have independent visibility into whether that provider’s controls are working, right now, at the required standard. The four gaps all point to the same question: does the institution know what its compliance programme is actually doing?
Three things separate the institutions that will move through the next inspection cycle cleanly from those that will not:
Independent monitoring, not provider reporting. Your view of your AML controls needs to come from your own data. Not from quarterly exception reports the provider produces. MAS has documented, repeatedly, that institutions depending on providers to self-report failures found out too late.
Continuous oversight, not periodic reviews. Batch screening and periodic CDD reviews create windows where risks go unmonitored. Customers move up the risk ladder between cycles. Sanctions lists update. Transaction patterns shift. For higher-risk customers, where MAS requires enhanced due diligence and more frequent reviews, periodic processes are structurally insufficient.
A consolidated audit trail, producible on demand. When MAS asks you to show the basis for your AML decisions on a specific customer, across all functions and all providers, the answer needs to come from your own systems in hours. Not from a manual assembly exercise that takes days and still has gaps.
These are the requirements that led FrankieOne to build its orchestration platform around the concept of institution-owned oversight. Here is what that looks like in practice.
Most institutions have these gaps for a structural reason. Outsourcing AML functions across multiple providers creates multiple data streams running through multiple systems, none of which connect natively to the institution’s own risk view. The compliance function receives outputs. It does not own the picture.
Orchestration fixes that architecture. Not by replacing providers, but by connecting them through a single layer the institution owns.
FrankieOne connects financial institutions to 350+ KYC, AML, and fraud providers across 195 countries through a single API. Every screening result, every CDD output, every transaction monitoring alert flows through a unified risk engine that the institution controls. The institution owns the data. It owns the audit trail. It does not depend on any single provider to produce its view of its own compliance.
For Singapore-based institutions, that means a single integration layer across customer due diligence, ongoing monitoring, screening, and transaction monitoring, with a full audit trail covering the customer lifecycle.
In a MAS oversight context, orchestration means the institution can run independent screening queries without waiting for a provider’s batch cycle. Risk profiles update in real time. The audit trail is complete and consolidated from onboarding through ongoing monitoring. When MAS asks how the institution knows its controls are working, the answer comes from the institution’s own system, not from assembling fragments across vendor platforms.
That is the distinction the FATF report draws. An institution demonstrating real-time, independent oversight of its outsourced AML functions is what IO.4 asks for. An institution relying on its provider to flag problems is not.
The FATF report does not name individual institutions. What it does is set the effectiveness benchmark against which MAS will supervise Singapore’s financial sector for the next several years.
Singapore earned the best result in its history. But the FATF was clear that the system “must be sharper in producing demonstrable and consistent risk-based results.” That language is directed at regulators. It lands on institutions.
The ones that build the architecture to show their compliance, not just describe it, are positioning themselves for more than a clean inspection. In Singapore, correspondent banking relationships, deal flow, and institutional credibility all follow AML standing. Getting this right is not just a compliance exercise. It is a competitive one.
See what the oversight layer looks like when it works
We see the four gaps in this article in discovery conversations with banks across APAC every week.
We also see what institutions look like once they have addressed them: a single dashboard showing every provider output in real time, an audit trail that covers the full customer lifecycle and compiles in minutes, continuous screening that does not wait for a batch cycle.
Book a demo. We’ll walk you through a consolidated audit trail compiling in real time for a high-risk customer, from onboarding through ongoing monitoring, across multiple providers. That is the platform, running against the gaps that matter to MAS right now.
Frequently asked questions
Singapore was placed on Regular Follow-up, the best monitoring tier in the FATF framework and an upgrade from its 2016 Enhanced Follow-up status. Seven of eleven Immediate Outcomes received Substantial Effectiveness ratings. Four received Moderate. None received Low or High.
MAS imposed S$27.45 million in penalties on nine financial institutions for failures in customer risk assessment, source of wealth corroboration for high-risk customers, transaction monitoring, and follow-through on Suspicious Transaction Reports. The breaches related to the S$3 billion money laundering case uncovered in August 2023.
The four failure categories correspond to FATF Immediate Outcome 4 (preventive measures) and Immediate Outcome 6 (financial intelligence). Singapore scored Substantial on both. The enforcement findings are part of the evidence base FATF used to assess effectiveness, and part of the reason those ratings did not reach High.
The FATF issues a roadmap of recommended actions to be completed within a set timeframe, typically three years. For Singapore, priority areas include strengthening beneficial ownership verification, prioritising complex ML investigations, and introducing more dissuasive sentencing. MAS calibrates its supervisory intensity against the report.
The enforcement findings show institutions lacked independent visibility into whether outsourced providers were meeting regulatory standards. MAS expects institutions to demonstrate effective oversight of outsourced functions on demand. Post-FATF inspection cycles typically accelerate, and institutions with the same structural gaps as those penalised are likely to face increased scrutiny in 2026 and 2027.