Pushing Back on Compliance – Moving KYC from Compliance Theatre to Effective Risk Management

Introduction

The “Pushing Back on Compliance” series is an in-depth guide for C-suite executives and board members seeking to push back when compliance rules hurt business without improving risk management. This instalment dissects the operational and commercial costs of over-inclusive know your customer (“KYC”) questionnaires and provides a framework for calibrating client onboarding processes. The objective is to demonstrate how a more precise, risk-based approach can reduce compliance drag, lower operational costs, and enhance genuine risk detection, turning a source of friction into a commercial advantage.

The Inciting Incident

Recently, a global IT and communications service provider with more than a decade of operating history created a new subsidiary in Singapore (the “Company”). The Company does not maintain offices, subsidiaries, or material operations in jurisdictions commonly classified as high-risk. In trying to open a bank account, the Company received the following question (the “Dragnet Question”), directed to all directors, shareholders, and persons with account access:

“Are you or any of your family members (e.g., spouse/parents/in-laws/siblings/children/uncle/aunt/cousin) currently working for, or previously worked for a government (including state-owned companies) or political group? If yes, please indicate the country and name of political group/government and your position/your family member’s position in the table below.”

One of the Company’s directors, a non-executive director with no operational role in the Company (the “NED”), faced particular difficulty with the Dragnet Question. The NED had multiple extended family members (including uncles, aunts and cousins) who had held government roles or served in the armed forces, but the NED did not maintain close relationships with them. The NED did not want to provide inaccurate or incomplete information, yet obtaining the requested details would have required disproportionate time and outreach.

This scenario is not uncommon. For the bank, it created a tangible risk of commercial abandonment by a desirable, standard-risk client, resulting in lost revenue and a poor client experience. For the compliance function, it risked triggering a manual review cycle for a low-value data point, diverting resources that could be more effectively deployed elsewhere.

The Applicable Standard for KYC

Under Singapore’s MAS Notice 626 on the Prevention of Money Laundering and Countering the Financing of Terrorism (the “Notice”), the relevant concepts are more constrained than many onboarding forms imply.

The “Prominent Public Function” Test

The foundational definition of a politically exposed person (“PEP”) in Singapore is not based on mere employment by a state entity, but on the level of authority held. Under the Notice, a PEP is defined as a natural person who is or has been entrusted with “prominent public functions”.

A non-exhaustive list of what constitutes a “prominent” function includes:

  • Heads of state or government;
  • Senior politicians and government ministers;
  • Senior judicial or military officials;
  • Senior executives of state-owned corporations; and
  • Senior management of international organisations.

Crucially, the Guidelines to the Notice explicitly limit the scope of this definition. The Guidelines to the Notice clarify that the definition of a PEP “is not intended to cover middle-ranking or more junior individuals in the categories listed”.

The Finite List of Family Members

The Dragnet Question’s inclusion of “uncles, aunts, and cousins” also diverges from the regulatory text. The Notice provides a prescriptive list of who qualifies as a “family member” of a PEP. This list is limited to:

  • Parents and step-parents;
  • Spouses;
  • Children, step-children, and adopted children;
  • Siblings, step-siblings, and adopted siblings.

The Notice does not expressly require institutions to map a customer’s extended family tree. The regulatory focus is on the immediate family, where influence and asset movement are most probable.

The Influence Test for Close Associates

The concept of a “close associate” adds a further layer, but it too is bounded. The Notice defines a close associate as someone connected to a PEP “socially or professionally.” The critical distinction lies between a relationship label (e.g., “cousin”) and the reality of the relationship, namely whether the PEP has demonstrable influence over that person. The Guidelines confirm that this determination depends on the “level of influence the PEP has on such a person.” A questionnaire that presumes association solely from a family link, without examining the actual relationship dynamics, does not fully align with the logic behind the regulatory framework.

A Critical Distinction: Political Influence vs. Source of Funds

It is critical to distinguish between screening for political influence and verifying the source of funds. This distinction is fundamental to the risk-based approach (“RBA”) mandated by the Notice, which requires that due diligence measures be proportionate to the actual risks identified. The Dragnet Question violates the RBA by conflating two distinct regulatory inquiries.

The first inquiry, screening for political influence, serves to identify PEPs, and the regulatory architecture for it is highly specific. As established above, the definition excludes middle-ranking or junior officials, focusing scrutiny on those with genuine authority. The Notice’s finite list of family members (parents, spouse, children, siblings) excludes more distant relatives by implication: under the maxim expressio unius est exclusio alterius,[1] the explicit enumeration of these categories excludes relatives such as cousins from automatic scrutiny.

While a cousin could theoretically be a “close associate,” that status requires a demonstrable social or professional relationship involving actual influence, not merely a familial label. Financial institutions may reasonably rely on customer declarations as an input to this assessment. The institution nonetheless remains responsible for the design and calibration of its screening framework, including what constitutes reasonable inquiry and what escalation is warranted, so that its questions do not demand exhaustive and speculative investigations of the extended family.

The second inquiry, verifying the source of wealth (“SoW”) and source of funds (“SoF”), is a distinct, forensic exercise triggered only by elevated risk. Paragraph 8.3(b) of the Notice mandates these enhanced due diligence (“EDD”) measures after a high-risk designation—such as a positive PEP identification—has already been made. Where a relative provides capital or holds beneficial ownership, SoW and SoF inquiries are of course justified. However, absent such a direct financial nexus, a distant relative’s employment history is legally and operationally irrelevant to the origin of the Company’s funds.

The Dragnet Question erroneously conflates these two steps. It uses a flawed screening tool to fish for data that is only relevant under EDD, a subsequent stage that the baseline facts do not warrant. This approach generates a high volume of ‘noise’ but yields little to no actionable intelligence, degrading the institution’s ability to detect genuine threats and violating the principle of proportionality central to the RBA.

The Rationale Behind Cautious Onboarding Practices

Why then do global banks still ask such over-inclusive questions? The answer lies in the nature of the risks being prioritized.

Compliance professionals defend expansive questionnaires on several grounds. The first, and most consequential, is the reality of the global regulatory environment. For any bank with significant U.S. dollar clearing operations, the risk of enforcement action from U.S. authorities (e.g., the Department of Justice, OFAC, FinCEN) is existential. Losing correspondent banking relationships can cripple a global institution. Faced with this pressure, many banks adopt a single, globally consistent “high-water mark” for KYC, often calibrated to the most conservative interpretation of U.S. regulatory expectations. This approach reflects not merely heightened risk aversion but a rational response to a genuine systemic regulatory dependency. It is not, however, a legal justification. A bank’s global policy does not override its obligation to implement that policy in a manner consistent with Singapore’s risk-based framework — and Singapore’s regulatory architecture is deliberately calibrated to permit precisely the kind of targeted, proportionate approach advocated here.

A second justification is the desire for contractual protection. Banks view expansive questions as a form of contractual warranty: an inaccurate answer provides clean grounds for account termination and a potential legal defense if misconduct subsequently comes to light. The practical value of a warranty based on a question that the customer cannot realistically answer is, however, doubtful, because such a warranty may itself be held unenforceable.

More fundamentally, such expansive questions intended as contractual warranties risk being legally void. Under established common law doctrines, courts can invalidate contract terms on grounds of unconscionability, where a term is so one-sided and oppressive as to be unenforceable. Forcing a customer to warrant facts they cannot possibly know creates this exact risk. Rather than providing legal protection, these terms expose the bank to legal challenges and reputational harm, undermining the intended contractual safeguards.

A third, more operational explanation concerns system design constraints. Global banks rely on automated onboarding platforms with standardized data fields. A front-line analyst often has no authority or technical ability to accept a nuanced answer or an addendum. A proposed clarification may be rejected not on substantive legal grounds, but because the internal system literally cannot process it without triggering a manual override. From the bank’s perspective, any deviation from the standard workflow introduces cost, delay, and the potential for human error, making uniform, albeit over-inclusive, questions the path of least resistance.

The Operational Harms of Over-Collection

Beyond the flawed legal logic, the defensive onboarding approach creates tangible, negative outcomes:

  • Dilution of Compliance Resources: False positives flood internal workflows, diverting skilled compliance resources from investigating material threats to clearing low-risk, administrative non-issues generated by cooperative clients.
  • Commercial Abandonment: Intrusive and seemingly irrelevant inquiries erode customer trust and can lead directly to account abandonment by desirable clients, causing avoidable loss of revenue and reputational damage.
  • Degradation of Signal Intelligence: A system overwhelmed with low-value alerts becomes less effective at isolating genuine threats; in the pursuit of appearing compliant, it loses the ability to actually detect risk. This phenomenon, commonly known as “alert fatigue,” is a critical and well-documented failure mode in compliance operations. When systems generate thousands of low-value false positives, skilled analysts become desensitized, and their cognitive capacity to identify genuine threats is diminished. The indiscriminate data collection driven by dragnet questions is a primary cause of this condition, ironically making the institution less secure by burying high-risk signals in an avalanche of low-value noise.

The bank and the customer are therefore solving different problems. The bank is primarily mitigating systemic risk (U.S. enforcement), while the customer is trying to solve a procedural one (an illogical question on a form). This asymmetry explains why a client’s well-reasoned, legally sound arguments often fail to persuade. Institutional optimisation often favours global standardisation and catastrophic-risk avoidance rather than localised regulatory precision.

Addressing Concerns of Under-Collection

Concerns regarding under-collection frequently arise in response to calibration proposals. This fear is understandable but mistakes data volume for risk intelligence. No screening system is perfect, but we can aim to build the most effective one. A calibrated system, focused on precise, high-signal questions, generates fewer, more meaningful alerts. This allows compliance resources to conduct deeper analysis where it matters, ultimately leading to better risk outcomes than a system that indiscriminately collects data it cannot effectively process.

When Broad Questions Are Defensible

We are not arguing that all extended inquiries are unjustified. Elevated risks, such as operating in high-corruption jurisdictions, receiving funding from opaque sources, or demonstrating unusual ownership structures, may warrant expanded questioning. The objection is not directed at enhanced diligence itself, but at routine overreach for standard, low-risk customers, where broad questions substitute for risk judgment rather than complement it.

Restoring Calibration: A Preview of the Solution

The strategic goal is to move from a vague, open-ended question to a precise, attestable one. The contrast between a poorly calibrated control and a well-calibrated one is stark:

| Control Type | Question Asked | Analysis |
| --- | --- | --- |
| Low-Signal (Dragnet) | “Are any family members (e.g., cousins) in government?” | High cost: generates false positives, requires manual review, and creates client friction. Low risk value. |
| High-Signal (Calibrated) | “Is any relevant person a PEP, their immediate family member, or close associate, as defined by MAS Notice 626?” | Low cost: produces clean, attestable data for automated screening. High risk value. |

Blueprint for a Calibrated, Risk-Tiered Onboarding Framework

An optimized onboarding process deploys a risk-tiered approach that aligns the level of diligence with the client’s risk profile, rather than using a single, uniform questionnaire.

Tier 1: Streamlined Onboarding for Standard-Risk Clients

This is the default path for the majority of corporate clients.

  • Questionnaire Design: Forms use precise, closed-ended questions that map directly to regulatory definitions (e.g., the Notice). Questions are attestable (“To the best of your knowledge, is any relevant person a PEP…?”) rather than open-ended investigations.
  • Objective: Maximize straight-through processing, minimize manual reviews, and provide a fast, frictionless client experience.

Tier 2: Enhanced Due Diligence for Elevated-Risk Clients

This path is triggered by specific, predefined risk factors (e.g., high-risk jurisdictions, complex ownership structures).

  • Questionnaire Design: The EDD module includes more granular questions justified by the specific risk trigger.
  • Objective: Focus skilled analyst resources on a smaller cohort of higher-risk clients, conducting genuine diligence rather than clearing low-value alerts.

Tier 3: Exception Handling Protocol for Sophisticated Clients

This is a defined workflow for managing nuanced attestations from sophisticated clients who may propose calibrated language.

  • Process Design: Establishes a clear escalation path from the front line to a specialized senior team (e.g., a joint Legal and Compliance committee). This team is empowered to review and approve non-standard but substantively compliant responses, such as a client’s formal attestation that, “to the best of their knowledge after reasonable inquiry, no relevant individual meets the definition of a PEP, family member, or close associate under the Notice.”
  • Objective: Provide flexibility to manage complex cases without disrupting standard workflows. Accepting a precise attestation from a client (e.g., framed to the Notice) provides a stronger, more defensible contractual position than relying on a vague answer to an overly broad question.

Conclusion

A calibrated, risk-based KYC regime strengthens compliance outcomes by reducing noise, conserving investigative capacity, and aligning data collection with genuine risk constructs. These in turn deliver commercial benefits such as lower onboarding friction, reduced abandonment, and improved operational efficiency. In this model, compliance ceases to function as a drag mechanism and instead becomes an instrument of institutional resilience and competitive differentiation.

At HM, we assist financial institutions to refine the execution of global compliance frameworks at the regional and local levels. We help financial institutions reduce unnecessary friction without compromising their core risk posture.

Our work provides tangible improvements by helping clients:

  • Calibrate Questionnaires and Workflows: We review KYC questionnaires to align with regulations like the Notice, distinguishing essential risk-mitigating questions from low-value data collection. We then design risk-tiered onboarding paths—streamlined processing for standard-risk clients, enhanced diligence for elevated-risk cases.
  • Develop Exception Protocols: We assist in creating practical and defensible “Tier 3” escalation protocols. This allows your senior teams to approve substantively compliant attestations from sophisticated clients, preserving key relationships without compromising your global risk posture.
  • Train Front-Line and RM Teams: We develop training modules to help relationship managers and onboarding staff explain the “why” behind KYC requests and manage client pushback constructively, turning a point of friction into an opportunity to demonstrate the bank’s sophistication.

For a discussion on how we can refine your firm’s approach, please contact:

Chris Holland: Partner | [email protected]

Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.

1. This Latin phrase is not an AI hallucination. Working at HM, you learn something new every day. https://lawgazette.com.sg/practice/practice-matters/dont-skip-the-boilerplate-a-guide-to-review-part-3/
