
In early May, the Financial Action Task Force (FATF) published its full evaluation of Singapore’s anti-money laundering and counter-terrorism financing (AML/CFT) regime. Its findings will be scrutinised by banks, regulators and correspondent institutions worldwide.
Singapore enters this assessment in the aftermath of its largest money laundering case – a S$3-billion syndicate operation uncovered in August 2023 that drew international attention and prompted significant reforms to the country’s AML/CFT framework.
In July 2025, the Monetary Authority of Singapore (MAS) concluded its enforcement sweep of the case, fining nine financial institutions a combined S$27.45 million. MAS found that these firms did not properly implement their own AML/CFT policies, despite having them on paper. In other words, while the controls existed, they were not upheld.
The incident showed that while companies understand the need for structured safeguards to deter, detect and mitigate fraudulent activities, having strong internal controls is not enough to prevent fraud.
Control failures rarely begin with a decision to act dishonestly. They begin with small process deviations that individually may seem harmless but collectively create the conditions for serious misconduct.
For instance, a payment is processed but the supporting invoice cannot be located. Rather than escalating the gap, a staff member reconstructs the document from memory and submits it as the original. The audit trail no longer shows what happened; it shows what someone decided it should say.
A superior suggests “making the file complete”. The instruction is soft; it is framed as administrative tidying and not falsification. The staff member complies because refusing feels disproportionate and clarifying feels like an accusation. This is how tone is set from the top – not through explicit directives, but through the casual normalisation of behaviour that compromises documentation integrity.
An approval is needed quickly. Instead of logging it through the system, someone sends a WhatsApp message or gives a verbal nod. The transaction proceeds. Everything looks normal. But the approval system exists precisely because trust is not a control. When approvals go offline, the independent record disappears.
Each action is easy to justify in isolation. Together, they erode the conditions that allow controls to function and create the environment in which more serious misconduct takes root.
In most forensic investigations we have conducted, the warning signs predated the problem by months, sometimes years. They were present in the documents, in staff behaviour, and in the language used within the organisation, but were not addressed.
The early indicators are consistent across cases:
The question is not whether these signals can be recognised. The question is whether anyone in the organisation is positioned to act on them without fear of what happens next.
A common assumption is that the external auditor will catch what management misses. It is worth being precise about what that means in practice.
External audit is designed to provide independent assurance on financial statements. A diligent auditor who pursues inconsistencies, presses on gaps, and declines to accept explanations at face value can surface early indicators of control failure. That has value. But audit operates on a sample, on a cycle, and on information that management controls. An organisation that has normalised document reconstruction, offline approvals and shifting explanations is also capable of presenting a clean face to an external reviewer.
Treating external audit as a fraud detection safety net is a misunderstanding of its purpose and a dangerous outsourcing of accountability. The responsibility for control integrity sits with the organisation. Audit can provide a check – it cannot substitute for ownership.

A robust fraud detection system is not built by adding more forms, more checklists, or more policy documents. Fraud detection requires a holistic, multi-faceted approach that integrates culture and systems.
Psychological safety is the foundation. People must feel safe to question unusual instructions and escalate concerns without fearing professional consequences. This is not achieved through a policy that says, “We encourage speaking up.” It is achieved through what visibly happens to the person who does.
In addition, systems should be designed to make doing the right thing the easiest, most automatic option. If records can be modified after the fact, approvals can bypass the system, and transactions can be backdated, the environment accommodates misconduct whether or not anyone intends it. The path of least resistance should lead to compliance, not around it.
Furthermore, leadership must track behaviour, not just outcomes. Files that pass review, numbers that hit targets, and transactions that look clean can all coexist with a control environment that is quietly deteriorating. The signs are in how people behave, such as defensiveness when questioned, shifting explanations, or reluctance to follow process under pressure. Leaders who notice and address these behavioural red flags early can fix the culture before problems compound.
Thicker compliance manuals and more intricate processes are rarely the answer to enhanced fraud prevention. The best fraud prevention strategy is creating an environment that becomes inhospitable to fraud.
Lynn Yin Tan, CFE, CPA (US), is Partner and Head of Forensic Advisory, Grant Thornton Singapore.