๐Ÿ“‹ How-To Guide

Singapore Family Office Technology Guide

How to build operational infrastructure that satisfies MAS requirements, supports your 13O/13U application, and counts toward substance test spending.

Singapore's family office ecosystem has grown from 400 to over 1,500 offices in four years, and MAS has significantly tightened the requirements for both new and existing 13O and 13U structures. From January 2025, new tiered local business spending thresholds, minimum AUM requirements, and enhanced substance tests apply. Technology spending with Singapore-registered providers counts directly toward your local business spending requirement โ€” making your choice of technology provider a decision with direct tax implications. This guide covers every technology decision that matters, with specific regulatory references and practical verification items for each step.

Step-by-Step Checklist

1. Understand the Substance Test & Technology Spending

13O and 13U tax incentive schemes require genuine Singapore economic substance. Technology spending with Singapore-registered providers counts toward the tiered local business spending (LBS) requirement โ€” meaning your technology procurement decisions have direct tax implications.

The 2026 LBS tiers (combined fund + family office spending) scale with AUM. Qualifying LBS includes investment professional salaries, office rental, professional fees (legal, accounting, audit, fund administration), local infrastructure and technology subscriptions, and SGX exchange fees. LBS is verified annually as part of ongoing scheme compliance โ€” failure can trigger clawback of the tax exemption.

Technology subscriptions from Singapore-registered companies count as qualifying LBS. This means a subscription to DiligenceWorks Pte. Ltd. (UEN 202622083N), a Singapore-registered company, contributes directly to your substance requirement. The same subscription from a US or UK provider would not count. For family offices approaching their LBS threshold, this distinction can be the difference between meeting and missing the requirement.

Track your LBS spending systematically from day one. Do not wait until year-end to calculate whether you have met the threshold. Implement a tracking system that categorises expenditure as qualifying or non-qualifying LBS in real time, so you can adjust spending decisions during the year if needed.

Recommended tools
  • LBS tracking system: Accounting integration that categorises expenditure as qualifying/non-qualifying LBS in real time. Xero or QuickBooks with custom tracking categories.
  • Singapore-registered technology providers: DiligenceWorks Pte. Ltd. (UEN 202622083N) โ€” subscription counts as qualifying LBS. Prioritise Singapore-registered vendors across your technology stack.
Regulatory references
  • Income Tax Act 1947, Sections 13O and 13U: Tax exemption schemes for Singapore-managed funds, requiring genuine economic substance including tiered local business spending.
  • MAS Practice Statement on 13O/13U (updated January 2025): Updated AUM thresholds, tiered LBS requirements, and enhanced substance criteria for both new and existing approved funds.
Verification checklist
  • LBS tier requirement identified based on current and projected AUM
  • Technology vendor register annotated with Singapore-registered status (qualifying LBS) for each provider
  • LBS tracking system implemented with real-time qualifying/non-qualifying categorisation
  • Annual LBS compliance review scheduled
  • Technology subscription invoices clearly show Singapore-registered entity details
Key question

Does your technology spending count toward your 13O/13U substance requirement?

2. PDPA Compliance Infrastructure

The Personal Data Protection Act 2012 (PDPA) governs how your family office collects, uses, discloses, and stores personal data. DPO appointment has been mandatory since June 2025, and your technology infrastructure must support the full PDPA compliance lifecycle โ€” from consent collection to breach notification.

Your Data Protection Officer (DPO) must be a Singapore-based individual whose contact details are published on your website and registered with the PDPC. The DPO is responsible for ensuring PDPA compliance across all data processing activities, responding to data subject access requests, and managing breach notification procedures. For family offices, the DPO is often a senior operations or compliance professional.

Data Protection Impact Assessments (DPIAs) should be conducted for any new technology system or process that involves personal data. This includes your deal analysis platform (which may process personal data of investee company executives), CRM systems, investor onboarding workflows, and employee records. Document the assessment and maintain a register of completed DPIAs.

Breach notification under the PDPA requires you to notify the PDPC within three calendar days of assessing that a notifiable data breach has occurred, and to notify affected individuals without unreasonable delay. Your technology infrastructure must support rapid breach detection, assessment, and notification โ€” you cannot rely on manual processes when the clock is ticking.

Self-hosted infrastructure simplifies PDPA compliance by keeping all personal data within your direct physical and legal control. You remain the sole data controller with no need to manage processor relationships for your core operational data.

Recommended tools
  • Consent management: Implement consent collection and withdrawal mechanisms for all personal data processing. Integrate with investor onboarding and CRM workflows.
  • DPIA framework: Standardised DPIA template for evaluating new systems and processes. Maintain a register of completed assessments.
  • Breach detection and notification: Monitoring tools that detect unauthorised access or data exfiltration, with automated alerting to the DPO. Notification templates pre-drafted for PDPC and affected individuals.
  • Self-hosted platform: DiligenceWorks runs within your dedicated infrastructure โ€” no personal data leaves your environment for external processing.
Regulatory references
  • Personal Data Protection Act 2012 (PDPA): Singapore's primary data protection legislation governing collection, use, disclosure, and storage of personal data.
  • PDPA Part VIA (Mandatory Breach Notification): Requires notification to PDPC within 3 calendar days of assessing a notifiable breach. Affected individuals must be notified without unreasonable delay.
  • PDPA Part IX (DPO appointment): Mandatory DPO appointment with published contact details and PDPC registration.
Verification checklist
  • DPO appointed, contact details published on website, registered with PDPC
  • DPIA conducted for all systems processing personal data
  • Consent management mechanisms integrated with investor onboarding workflow
  • Breach notification procedure documented with pre-drafted templates (PDPC and individual notices)
  • Data inventory mapping all personal data locations across your technology stack
  • Cross-border data transfer mechanisms documented (if any data leaves Singapore)
Key question

Have you appointed a DPO and documented your data protection practices?

3. Deal Analysis for Investment Operations

Family offices managing direct investments need systematic deal evaluation capabilities. Whether screening VC opportunities, evaluating PE co-investments, or assessing project finance deals, the analysis must be documented and auditable for family principals, external advisors, and regulators.

The VCC (Variable Capital Company) structure, increasingly used for Singapore family office funds, requires investment decisions to be documented at the sub-fund level. If your VCC has multiple sub-funds with different mandates, each sub-fund's investment analysis must be maintained separately with clear decision trails.

For 13O/13U compliance, demonstrating a systematic investment process strengthens your substance argument. MAS evaluates whether the family office is genuinely managing investments from Singapore or merely holding assets passively. A documented deal analysis process โ€” with evidence of research, analysis, committee discussion, and decision โ€” demonstrates active management substance.

Integration with your fund administrator matters. Your deal analysis outputs should feed into the administrator's record-keeping, creating a continuous chain from opportunity identification through analysis, decision, execution, and ongoing monitoring. Gaps in this chain invite questions during audits.

Recommended tools
  • Adversarial deal analysis: DiligenceWorks provides systematic claim extraction and verification across VC, PE, project finance, and co-investment opportunities.
  • Portfolio monitoring: Ongoing tracking of portfolio companies against original investment thesis. Flags when actual performance diverges from projections.
  • IC documentation: Structured investment committee minutes and decision records linked to underlying analysis.
Regulatory references
  • Securities and Futures Act (SFA), Section 99B: Related corporation exemption from CMS licensing for single family offices โ€” requires genuine single-family management.
  • VCC Act 2018: Operational requirements for VCC structures including sub-fund segregation and reporting.
Verification checklist
  • Deal analysis workflow documented (screening, analysis, IC review, decision, execution)
  • Analysis outputs linked to IC decision records
  • Sub-fund investment records maintained separately (if using VCC structure)
  • Historical deal analyses retrievable for compliance review
  • Integration with fund administrator for continuous record chain
Key question

Can your investment team demonstrate a systematic process for evaluating every deal?

4. MAS Technology Risk Management Alignment

The MAS Technology Risk Management (TRM) Guidelines establish comprehensive requirements across governance, risk management, and operational resilience for financial institutions. While not all family offices are directly licensed, aligning with TRM standards strengthens LP and institutional co-investor relationships and prepares you for potential future regulation.

The TRM Guidelines (last revised January 2021) cover technology risk governance, technology operations, cybersecurity, IT resilience, and technology audit. Key chapters include board and senior management oversight (requiring documented technology risk appetite and governance frameworks), access management (principles of least privilege and segregation of duties), change management (structured processes for technology changes), IT audit (regular independent assessments), and incident response (documented procedures for technology incidents).

MAS has signalled that AI-specific risk management requirements are coming. The proposed Guidelines on AI Risk Management (AIRG), consulted on in late 2025, introduce formal requirements for AI risk management across the entire AI lifecycle. The consultation proposed a 12-month implementation period from issuance. Even if your family office is not directly in scope, implementing AIRG-aligned practices now positions you ahead of the curve.

For family offices that are exempt from CMS licensing, TRM compliance is not mandatory. However, institutional co-investors, banks, and fund administrators increasingly ask about technology risk management practices during onboarding and due diligence. Having TRM-aligned documentation signals operational maturity.

Recommended tools
  • GRC platform: CISO Assistant or similar governance, risk, and compliance platform for tracking TRM alignment, controls, and assessments.
  • Vulnerability scanning: Regular vulnerability assessments of your technology infrastructure (OpenVAS, Nessus, or managed service).
  • Technology audit: Annual independent technology assessment against TRM guidelines, conducted by a qualified firm.
Regulatory references
  • MAS TRM Guidelines (January 2021): Comprehensive technology risk management framework covering governance, cybersecurity, IT resilience, access management, and incident response.
  • MAS Proposed AIRG (2025): Proposed AI Risk Management Guidelines covering AI lifecycle governance, risk materiality assessment, and third-party AI management. 12-month implementation period from issuance.
Verification checklist
  • Technology risk governance framework documented (risk appetite, oversight responsibilities)
  • Access management follows least-privilege principle with regular reviews
  • Change management procedures in place for all technology modifications
  • Incident response plan documented with escalation procedures
  • Annual technology risk assessment completed
  • AI tools inventoried with risk materiality assessment (AIRG readiness)
Key question

Could you pass a MAS TRM assessment today?

5. Reporting to Family Principals

Family principals expect clear, regular reporting on investment performance, operational status, and risk exposure. Build reporting infrastructure from day one rather than retrofitting it after the first board meeting requests information you cannot produce.

A consolidated family report should cover: portfolio valuation and performance (by sub-fund if using VCC), asset allocation versus mandate, risk exposure summary, operational status (compliance, technology, personnel), cash flow and liquidity position, and tax status (particularly 13O/13U substance requirement progress). Producing this report should take hours, not weeks.

Tax reporting for IRAS requires documentation of qualifying income, designated investments, substance requirements, and LBS spending. Your reporting system should categorise transactions and expenses in a way that maps directly to 13O/13U compliance requirements, so annual submissions are a data export rather than a reconstruction exercise.

Consider a principal reporting portal โ€” a secure, access-controlled dashboard where family members can view portfolio performance, reports, and key metrics on demand. This reduces the operational burden of ad-hoc reporting requests while maintaining security and confidentiality.

Recommended tools
  • Portfolio reporting: Consolidated reporting across all sub-funds and mandates. Integration with fund administrator for automated NAV and performance data.
  • Tax compliance tracking: Real-time tracking of qualifying income, designated investments, and LBS spending against 13O/13U requirements.
  • Principal portal: Secure dashboard for family members with role-based access to portfolio data, reports, and key metrics.
Verification checklist
  • Consolidated report template designed covering all required sections
  • Report generation process documented (data sources, calculation methodology, review steps)
  • Tax compliance data categorised to map directly to IRAS 13O/13U reporting
  • Reporting frequency agreed with family principals (monthly, quarterly)
  • Report delivery mechanism secure and auditable
Key question

Can you produce a consolidated family report within 24 hours of a request?

6. VCC Operational Technology

The Variable Capital Company (VCC) structure, introduced under the VCC Act 2018, is the preferred vehicle for many Singapore family offices. VCC structures have specific operational technology requirements around sub-fund segregation, corporate actions, and regulatory reporting that generic fund administration systems may not handle natively.

Sub-fund isolation is a fundamental VCC requirement. Each sub-fund has separate assets and liabilities, and your technology must enforce this separation at the data level. Commingling sub-fund data in shared spreadsheets or databases creates both regulatory and audit risk. Your systems must produce sub-fund-level reporting, sub-fund-level NAV calculations, and sub-fund-level compliance monitoring.

VCC corporate actions (capital increases and decreases, share transfers, dividend payments) can occur at the umbrella or sub-fund level and must be recorded accurately. Your technology must track share registers per sub-fund, process capital calls and distributions at the correct level, and maintain corporate records that satisfy ACRA filing requirements.

Since the VCC framework is relatively new, some fund administration systems have limited VCC support. Verify that your administrator's system handles multi-sub-fund structures natively before committing โ€” retrofitting VCC support after launch is expensive and error-prone.

Recommended tools
  • VCC-aware fund administration: Verify your fund administrator supports VCC sub-fund segregation natively (Apex, Trident Trust, and Vistra have VCC-specific capabilities).
  • Sub-fund accounting: Accounting system with sub-fund-level chart of accounts, ensuring no commingling of sub-fund assets or liabilities.
  • Corporate records management: System for maintaining VCC-specific corporate records including per-sub-fund share registers and ACRA filing tracking.
Regulatory references
  • Variable Capital Companies Act 2018: Establishes the VCC framework including sub-fund segregation requirements, umbrella-level governance, and ACRA filing obligations.
  • VCC Regulations 2020: Detailed operational requirements for VCC structures including record-keeping, annual returns, and dissolution procedures.
Verification checklist
  • Fund administrator confirmed to support VCC sub-fund segregation natively
  • Sub-fund-level accounting, NAV, and reporting verified as operational
  • Share registers maintained per sub-fund
  • ACRA filing requirements calendared (annual returns, changes in particulars)
  • Corporate records system tracks umbrella and sub-fund actions separately
Key question

Does your technology infrastructure enforce sub-fund segregation at the data level, or are you relying on manual separation?

7. Data Sovereignty & Hosting

Decide where your family office data will reside. The PDPA imposes specific requirements on cross-border data transfers, and your hosting decision affects both compliance obligations and the practical security of your fund's information.

PDPA Part 5A governs cross-border transfers of personal data. Data may only be transferred outside Singapore if the receiving country provides a comparable standard of protection, or if the transfer is covered by binding corporate rules, contractual arrangements, or consent. Self-hosting in Singapore eliminates cross-border transfer complexity entirely.

Singapore has excellent data centre infrastructure. AWS Asia Pacific (Singapore), Google Cloud Singapore, Azure Southeast Asia, and numerous co-location facilities provide local hosting options. For maximum sovereignty, self-hosted infrastructure (dedicated servers or private cloud within Singapore) keeps all data under your direct physical control.

Consider the ASEAN data localisation landscape. If your family office invests across Southeast Asia, you may process personal data from jurisdictions with their own data localisation requirements (Indonesia, Vietnam, Thailand). Your technology architecture should accommodate these requirements without creating operational complexity.

Recommended tools
  • Singapore-hosted infrastructure: Self-hosted servers, Singapore-region cloud (AWS ap-southeast-1, Azure Southeast Asia), or co-location in Singapore data centres.
  • Self-hosted platform: DiligenceWorks runs within dedicated Singapore infrastructure โ€” all data remains in-country with no cross-border processing.
  • Cross-border transfer assessment: Framework for evaluating PDPA compliance of any data transfer outside Singapore, including to ASEAN jurisdictions.
Regulatory references
  • PDPA Part 5A (Transfer Limitation Obligation): Governs cross-border transfer of personal data, requiring comparable protection standards or appropriate safeguards.
  • PDPC Advisory Guidelines on Key Concepts: Guidance on what constitutes personal data, processing, and transfer under the PDPA.
Verification checklist
  • Data hosting location documented for all systems
  • Cross-border data transfers identified and assessed against PDPA Part 5A
  • Transfer mechanisms in place where cross-border transfers are necessary (contracts, consent, binding rules)
  • ASEAN data localisation requirements reviewed for jurisdictions where you invest
  • Hosting provider's physical security and access controls verified
Key question

Do you know exactly which jurisdictions can access your family office data, and under what legal authority?

8. AI Risk Management

MAS has proposed formal AI Risk Management Guidelines (AIRG) that will apply to all financial institutions. Even if your family office is exempt from direct MAS licensing, implementing AIRG-aligned practices demonstrates operational maturity and prepares you for potential future requirements.

The proposed AIRG establishes requirements across the entire AI lifecycle. Key areas include AI identification and inventory (maintaining a register of all AI systems in use), risk materiality assessment (evaluating each AI system across impact, complexity, and reliance dimensions), and life-cycle controls (data management, fairness, transparency, human oversight, and third-party AI management).

Board and senior management oversight is a core AIRG requirement, including the potential need for a dedicated cross-functional committee if overall AI risk exposure is material. For family offices, this translates to ensuring that family principals understand what AI tools are in use, what decisions they influence, and what governance is in place.

Third-party AI management is particularly relevant for family offices. If you use external AI tools for deal analysis, portfolio monitoring, or compliance screening, you must assess the provider's AI governance practices, data handling, and model risk management. Tools that process your fund data externally create risks that self-hosted alternatives eliminate.

Recommended tools
  • AI inventory: Register of all AI tools in use across the family office, with risk materiality assessment for each.
  • Self-hosted AI analysis: DiligenceWorks runs adversarial analysis within your dedicated infrastructure โ€” no fund data sent to external AI services.
  • AI governance documentation: Framework covering AI lifecycle controls, human oversight mechanisms, and third-party AI assessment procedures.
Regulatory references
  • MAS Proposed AIRG (Consultation 2025): Proposed Guidelines on AI Risk Management covering identification, risk assessment, lifecycle controls, and oversight. 12-month implementation period from issuance.
  • MAS TRM Guidelines, Section 5.2: Existing technology risk governance requirements that apply to AI as a subset of technology risk.
Verification checklist
  • AI tools inventory created with risk materiality assessment
  • Human oversight model documented for each AI-assisted process
  • Third-party AI providers assessed (data handling, model governance, auditability)
  • AI governance responsibilities assigned (who reviews AI outputs, who approves AI tool deployment)
  • Family principals briefed on AI tools in use and governance arrangements
Key question

If MAS asked for your AI inventory and governance framework tomorrow, could you produce them?

9. Cybersecurity & Access Controls

Implement cybersecurity controls aligned with MAS TRM Guidelines chapters on IT security and access management. Between July 2023 and December 2024, MAS initiated 163 enforcement actions including penalties for technology-related misconduct โ€” cybersecurity is not optional.

MAS TRM Chapter 9 requires encryption of confidential information stored on IT systems, servers, and databases, including backup media transported offsite. Chapter 11 requires access controls based on the principle of least privilege. These are not suggestions โ€” they are the benchmark MAS uses when assessing financial institutions.

Implement MFA across all systems, privileged access management for administrator accounts, regular access reviews (quarterly minimum), and automated de-provisioning when personnel changes occur. Penetration testing should be conducted at least annually by an independent assessor.

For family offices, the biggest cybersecurity risk is often the family principals themselves. High-net-worth individuals are prime targets for spear phishing, social engineering, and SIM-swap attacks. Implement security awareness training for all personnel including family members who access fund systems.

Recommended tools
  • Identity and access management: Keycloak (self-hosted SSO), Okta, or Azure AD with MFA enforcement and automated access reviews.
  • Penetration testing: Annual independent penetration test by a qualified assessor. Consider CREST-accredited firms for international credibility.
  • Security awareness training: Regular training for all personnel including family principals. Focus on phishing, social engineering, and secure device practices.
Regulatory references
  • MAS TRM Guidelines, Chapter 9 (IT Security): Requirements for encryption, data protection, and security of IT systems including backup media.
  • MAS TRM Guidelines, Chapter 11 (Access Control): Least-privilege access, segregation of duties, regular access reviews, and privileged access management.
Verification checklist
  • MFA enabled on all systems holding fund or personal data
  • Privileged access management implemented for administrator accounts
  • Quarterly access reviews scheduled and documented
  • Annual penetration test completed by independent assessor
  • Security awareness training delivered to all personnel including family principals
  • Full-disk encryption on all devices
  • Automated de-provisioning configured for personnel changes
Key question

Have you conducted a penetration test of your family office infrastructure in the last 12 months?

10. Vendor & Service Provider Integration

Your family office technology stack includes multiple vendors and service providers that must work together seamlessly. From fund administrators to accounting platforms, each integration point requires data processing agreements, security assessments, and ongoing monitoring โ€” all while tracking which vendor spending qualifies as LBS.

Fund administrator integration is the most critical vendor relationship. Verify that your administrator can exchange data electronically (API, SFTP, or secure portal) rather than requiring manual email-based reporting. Automated data exchange reduces errors, accelerates reporting, and creates an auditable integration trail.

Every vendor that processes personal data on your behalf requires a data processing agreement under the PDPA. This includes your fund administrator, accounting software provider, email hosting provider, and any cloud services. Maintain a register of all DPAs with expiry dates and renewal schedules.

Track vendor spending against LBS requirements in real time. Annotate each vendor in your register with their Singapore registration status (qualifying LBS) or foreign status (non-qualifying). When evaluating new technology vendors, consider the LBS impact alongside functionality and cost โ€” choosing a Singapore-registered provider may be the deciding factor when alternatives are equivalent.

Recommended tools
  • Vendor register: Comprehensive register of all technology vendors with DPA status, LBS qualification, security assessment results, and contract details.
  • Integration monitoring: Automated monitoring of data feeds between your systems and external providers (fund admin, accounting, reporting).
  • LBS spending tracker: Real-time categorisation of vendor spending as qualifying/non-qualifying LBS with running totals against threshold.
Regulatory references
  • PDPA, Part IV (Protection Obligation): Requires data controllers to protect personal data through reasonable security arrangements, including when processed by third-party vendors.
  • MAS Guidelines on Outsourcing: Requirements for oversight of outsourced functions including due diligence, contractual protections, and ongoing monitoring.
Verification checklist
  • Vendor register maintained with DPA status, LBS qualification, and security assessment for each provider
  • Fund administrator integration tested and documented (data format, frequency, reconciliation process)
  • DPAs in place with all vendors processing personal data
  • Vendor LBS status annotated and tracked against substance requirement
  • Annual vendor security assessment schedule established
Key question

Can you show an auditor every vendor that touches your fund's data, their Singapore registration status, and the DPA governing their access?

Frequently Asked Questions

Does DiligenceWorks spending count toward 13O/13U substance requirements?

Yes. DiligenceWorks Pte. Ltd. is a Singapore-registered company (UEN 202622083N). Subscription fees count as qualifying local business spending toward the tiered LBS requirement under both 13O and 13U incentive schemes.

What technology does a Singapore family office need?

Core requirements include a deal analysis platform, document management with PDPA compliance, secure communications, financial reporting integrated with your fund administrator, PDPA compliance infrastructure (DPO appointment, DPIA framework, breach notification), VCC-compatible accounting (if using VCC structure), and cybersecurity aligned with MAS TRM guidelines. For 13O/13U offices, choosing Singapore-registered providers contributes to substance test spending.

How does the new MAS AI guidance affect family offices?

MAS proposed formal AI Risk Management Guidelines (AIRG) in late 2025, with a 12-month implementation period from issuance. While exempt family offices may not be directly in scope, implementing AIRG-aligned practices (AI inventory, risk assessment, human oversight) demonstrates operational maturity to institutional co-investors and prepares for potential future requirements.

What are the PDPA breach notification requirements?

You must notify the PDPC within three calendar days of assessing that a notifiable data breach has occurred. Affected individuals must be notified without unreasonable delay. A breach is notifiable if it involves significant harm to individuals or affects 500 or more individuals. Pre-drafted notification templates and a documented assessment procedure should be ready before a breach occurs.

Ready to See DiligenceWorks in Action?

DiligenceWorks is a Singapore Pte. Ltd. (UEN 202622083N). Subscriptions count toward your 13O/13U substance requirement, and all data remains within your dedicated Singapore infrastructure. Book a discovery call.

Book a Discovery Call

Content ID: G02.I01.T06.L01 ยท Last updated: