It’s a hefty figure, but the real cost might be what it reveals about how banks are still struggling to keep up with the speed and sophistication of financial crime.
The penalties followed MAS reviews linked to a sprawling SGD $3 billion money laundering case involving fake documents, multiple passports, and a complex web of shell companies. The funds were funnelled through at least 16 financial institutions, raising serious questions about how the system failed to stop them.
MAS didn’t find a lack of policies.
What it found was something arguably worse. Policies that existed, but weren’t properly followed. Risk assessments were flawed. Source of Wealth (SOW) checks were inconsistent. Suspicious transactions weren’t investigated in time, even after internal systems flagged them.
The Rules Exist, but Why Does It Still Fail?
Baran sees this not just as a process problem, but a structural one.
He mentioned that most of the institutions caught in this round of enforcement operate within extremely complex environments, with decades-old systems stitched together over time.
Baran Ozkan
“Their core systems still sit on-prem, with limited connectivity between operational data sources. Risk signals end up siloed across products, teams, and geographies.”
It’s not that banks aren’t serious about financial crime. According to Baran, the intention is there, but execution is being held back by technology and design.
“Most institutions and leadership teams I work with take financial crime risk seriously. The gap lies between strategy and execution.”
A Known Weakness That Hasn’t Improved
One of the most striking failures MAS flagged was around Source of Wealth (SOW) verification. All nine institutions penalised came up short, even when dealing with high-risk clients.
“SOW is tricky,” Baran said.
Roughly 80% of it lives in land registries, private equity waterfall documents, and multilingual court filings, according to the CEO of Flagright, often scanned as PDFs.
“Rule engines built to ingest neat CSV files can’t read it,” he continued.
In mature financial hubs like Singapore, the problem is also cultural. Banks tend to treat SOW checks as a one-time onboarding step. Once the account is open, they don’t revisit the wealth narrative, even when the client’s behaviour changes drastically.
Ideally, SOW data would feed into the same systems that track transactions and risk indicators. If a client claiming generational wealth suddenly starts moving money to a luxury goods broker in a high-risk jurisdiction, that should trigger a reassessment.
But in most institutions, those connections don’t exist. The data sits in silos. Risk teams end up reacting to individual alerts instead of spotting the larger story.
Credit Suisse’s Penalty Shows a Pattern
Part of Credit Suisse’s fine was tied to older compliance breaches involving U.S. accounts. While not directly related to the current scandal, MAS factored them in.
That decision points to something deeper. From what I can see, more of a historical risk patterns that go unnoticed because different parts of the organisation operate in isolation.
Baran Ozkan highlighted that most large global banks still run region-specific systems, policies, and data warehouses.
“That siloed architecture may satisfy local regulations, but it buries risk signals in separate contexts,” he pointed out.
MAS also flagged that some institutions failed to act even after filing Suspicious Transaction Reports (STRs). From Baran’s perspective, that’s a serious issue, and a common one.
An STR, quoting Baran, is “meant to be the fire-alarm that sets a full response in motion, not the final tick on a checklist.”
In many banks, STRs are filed by one team, while investigation and follow-up sit somewhere else entirely. Without a clear, connected workflow, nothing happens after the report is submitted.
Baran explained that it’s not mostly about people cutting corners. From what he saw, is that it’s the infrastructure that is currently limiting these banks’ ability to act.
We Are Overdue for a Rethink
According to Baran, we (as a group) are overdue for a rethink. This is because he believes that, quoting him,
“The rulebook itself isn’t the problem. The toolings that run beneath it are.”
While regulations have evolved and criminals have become more sophisticated, many institutions are still relying on outdated infrastructure. In Singapore, particularly, batch jobs, on-prem hardware, and disconnected dashboards aren’t built for the kind of dynamic, real-time oversight AML now demands.
What’s needed, he says, is a modern compliance backbone.
Something cloud-native, integrated, and fast enough to bring all parts of the risk picture together (from customer profiles to alerts, and all the way to historical context) so teams can respond before the damage is done.
“Get those right and today’s rulebook finally works as intended,” he said.
MAS has said remediation efforts are underway.
Institutions are reviewing their processes, upgrading systems, and reassigning personnel. But if there’s one thing this latest enforcement round makes clear, it’s that policy alone isn’t enough.
And as Baran reminded, “Ignore them and the industry will keep paying multimillion-dollar tuition for the same lesson.”
