Jurisdiction - Singapore
Reports and Analysis
Singapore – MAS Finalises Policy Posture On The PDPA And Its Impact On AML/CFT Obligations Of Financial Institutions.

28 July, 2014




In anticipation of the coming into force of the Personal Data Protection Act (“PDPA”) on 2 July 2014, the Monetary Authority of Singapore (“MAS”) had on 2 June 2014 issued a Consultation Paper proposing certain amendments to be made to the MAS Notices on Prevention of Money Laundering and Countering the Financing of Terrorism (collectively “the AML/CFT Notices”). 

The AML/CFT Notices were issued by MAS to the different classes of financial institutions which the MAS regulates. With certain variations that take into account the different operating models of each class of financial institutions, each of the AML/CFT Notices have largely the same effect – to impose on the financial institutions the general obligation to conduct due diligence before starting a business relationship with the customer, to monitor the business relationship and to refer any unusual or suspicious activity to the authorities for follow-up.

The PDPA is of course a statute that establishes a new legal regime in Singapore for the collection, use and disclosure of personal data, which is defined under the PDPA as any data (whether true or not) about an individual which can be identified from the data or from the data and other information which an organisation has or is likely to have access. Financial institutions subject to the AML/CFT Notices are required to gather a substantial amount of information on their customers as part of the customer due diligence process, some of which might be obtained directly from the customers and some of which might be obtained by the financial institutions through their own efforts. 

This has led to the question of how financial institutions are to deal with the large amount of information obtained through the customer due diligence process, in light of the new privacy requirements laid down by the PDPA. 

MAS Proposals 

It is clear from the terms of the PDPA itself that the new legal regime for personal data protection was never intended to replace or override any existing sector-specific laws concerning personal data. On the contrary, the PDPA was designed to be complementary to such sector-specific laws. Until the PDPA was enacted, there were generally no rules under Singapore law that dealt with the manner in which organisations are to manage and handle the large amount of personal data of individuals which organisations obtain by various means. The PDPA compels organisations to exercise some degree of discipline in the way it collects, uses or discloses personal data. 

The PDPA establishes the general principle that organisations must obtain the consent of the relevant individual before collecting, using or disclosing personal data. The PDPA goes on to specify how such consent might be obtained or might be deemed to have been given, as well as when such consent is not required. 

In the Consultation Paper published on 2 June 2014, the MAS accordingly proposed to clarify the extent to which the new PDPA rules would apply to personal data obtained by financial institutions in the course of conducting customer due diligence pursuant to the AML/CFT Notices. 

The original proposal of the MAS was that in respect of any personal data obtained pursuant to the AML/CFT Notices, a financial institution would not be required to provide the customer with any other right to access or correct such personal data. Nor would the financial institution be required to inform the customer of the ways in which such personal data would be used or disclosed by the financial institution. The one exception would be that a financial institution must give the customer the right to access and/or correct certain basic items of personal identification data (such as the name, unique identification number, contact details, date of birth, nationality) as well as any other personal data which the individual had provided to the financial institution. This would be because policy considerations behind combating money laundering and terrorist financing outweigh policy considerations providing for personal data privacy. 

MAS Response To Feedback 

Following the receipt of feedback, the MAS has refined the amendments to the AML/CFT Notices as follows:


  • The proposed amendments have been re-ordered to make clear that the PDPA rules concerning the right of access, the right of correction, and the disclosure of purpose of use would generally not apply to personal data derived from the customer due diligence process.
  • The one exception would be with respect to certain basic identification data as well as other personal data which the customer has provided to the financial institution (as distinguished from personal data on the customer which the financial institution has derived or obtained from its own efforts). For such data, the financial institution must still give the customer the right to access or correct. 
  • For the purposes of the AML/CFT Notices, the financial institution may continue to act on its own or through a third party in respect of the collection, use or disclosure of personal data. 
  • The above position will hold in respect of an individual customer as well as to an individual acting on behalf of a customer, an individual who is a connected party of a customer or an individual who is a beneficial owner of the customer.

Each of the AML/CFT Notices has now been duly amended, and the amendments take effect on 1 July 2014.


Shook Lin Bok LLP


For further information, please contact:


Eric Chan, Partner, Shook Lin & Bok

Comments are closed.