Virtual Office Service Provider (VOSP) under the CSP Act: How to stay compliant without overburdening your business

1.     The role of VOSP

Virtual Office and Serviced Office Providers (VOSPs) play a unique role in Singapore’s business ecosystem. They provide workspace solutions, mailing addresses, and basic business support services for entrepreneurs, SMEs, and foreign companies. For many clients, a VOSP is the most cost-effective way to establish presence in Singapore without heavy overheads.

But unlike traditional Corporate Service Providers (CSPs) who handle incorporations, secretarial functions, and director appointments, VOSPs often only deal with workspace rental or registered office address provision. Their model is lean, high-volume, and operates on thin margins and VOS is highly competitive in Singapore, where land is a premium.

2.     The New CSP Act and why are VOSPs being regulated

The Corporate Service Providers Act (CSP Act), which came into effect in June 2025, expanded the regulatory net to ensure all businesses offering registered office address services fall are subjected AML/CFT/CPF obligations.

Why is this necessary? Because registered office addresses are a known gateway risk. Shell companies and illicit actors often misuse registered addresses to create shell companies to give them the appearance of legitimacy. By scoping in VOSPs, ACRA aims to close this gap and ensure that even “address-only” service providers act as effective gatekeepers.

This means:

• If you provide a registered office service, you are required to register yourself as a CSP and must perform Customer Due Diligence (CDD), maintain Internal Policies, Procedures and Controls (IPPCs), and file Suspicious Transaction Reports (STRs).

• If you only provide workspace rental or hot desks with no registered office or mailing services, then you are outside the strict CSP definition. Nonetheless, regulators still expect you to manage risks proportionately.

3.     Challenges Faced by VOSPs in meeting the CSP Act

With the new regulations, many VOSPs may now find themselves in a tricky spot:

• Thin margins and heavy obligations: Compliance costs can feel disproportionate to revenues. With requirements to implement KYC procedures, monitoring and other compliance management responsibilities, it may feel cost prohibitive for VOSPs, especially when you have to start the implementation from scratch.  

• Blurred service lines: A client may rent a desk but also receive mail. And all of a sudden, you’ve found yourself providing a regulated activity which requires you to register as a CSP. This means you could be unknowingly providing a CSP service without applying CDD or AML/CFT/CPF controls and create an unintentional compliance breach that exposes your business to regulatory action.

• Staff and management readiness: Frontline staff may not be trained to recognise red flags or collect CDD documents properly given this is a new requirement for VOSPs. For management of VOSPs who are accountable for the implementation of AML/CFT/CPF obligations of their firms, the new obligations may be unfamiliar or appear to be daunting.  This means that investment into training is going to be essential

• Reputational exposure: A single bad client misusing your address can lead to regulatory scrutiny or even cancellation of your CSP registration. For VOSPs, this risk is particularly damaging because your business model is built on physical investment which include high rental commitments, premium office fit-outs, and ongoing overheads to maintain a professional environment that attracts clients.

4.     Practical Tips for VOSPs to Meet Compliance Requirements

For VOSPs, compliance does not have to mean adopting the heavy frameworks of a full-service CSP. The key is to right-size your obligations, so that they are proportionate to your actual business risks.

The starting point is your Enterprise-Wide Risk Assessment (EWRA). Instead of trying to cover every conceivable risk mentioned in the Act & Regulations, focus on the ones that are most relevant to your model. Be familiar with typologies such as the misuse of mailboxes, the creation of shell companies, or clients with offshore connections. A well-thought and documented EWRA can be just as defensible as a thick report, provided it shows that you have considered your risks and put appropriate controls in place.

Customer Due Diligence (CDD) is another area where proportionality matters. For clients who take up your registered office services (ie: use your address as their address), you must apply the full set of checks: identification documents, BizFile extracts, beneficial ownership declarations, and proper screening. But for those who only rent serviced office space without using your address service, you can consider a lighter approach. Simplified CDD processes such as collecting the ID of the signatory and some basic company information may be sufficient for such cases. The important part is to document why you chose a simplified measure so that you can defend your rationale if regulators ask.

Your Internal Policies, Procedures and Controls (IPPCs) should also reflect your operating reality. You don’t need a 50-page manual. A concise document of 10 to 15 pages that sets out your onboarding steps, periodic reviews, how mail is handled, and what staff should do if they encounter red flags is more than adequate.

Staff training is equally important, even if your team is small. An annual session of one to two hours can go a long way in making sure employees know what to look out for. For VOSPs, this should focus on very practical scenarios: sudden spikes in mail from banks, regulatory letters arriving for dormant companies, or clients who resist providing ownership information.

Finally, on-going monitoring should be simple but effective. You probably don’t need complex systems. By using a straightforward log of your clients and their mail patterns, this can help you spot anomalies early. When something looks suspicious, be ready to escalate and, if necessary, file a Suspicious Transaction Report (STR).

The bottom line is this: compliance for VOSPs should be proportionate, practical, and well-documented. Regulators understand your model is different from traditional CSPs, but they expect you to show that you have thought through the risks and applied reasonable safeguards.

5.     Final Thoughts

The CSP Act has undeniably raised the bar for VOSPs. While the obligations may feel heavy, proportionate compliance is both possible and defensible under the risk-based approach. Regulators don’t expect you to act like a Big Four firm or a full suite CSPs, but minimally, they expect you to understand your risks, apply reasonable controls, and document your rationale.

At UP Compliance, we help VOSPs design practical AML/CFT/CPF frameworks that meet commensurate with ACRA’s requirements without breaking your business model. If you’re unsure how to start, or worried about inspections, let’s have a conversation on how to get ready for registration while keeping compliance light-touch and workable.