AML Compliance for Digital Banks in Malaysia: Meeting BNM's Requirements with FinCense

Tookitaki
19 June 2026

Malaysia's digital banking sector entered a new phase with the awarding of five digital bank licences by Bank Negara Malaysia (BNM) in 2022 — granted to GXS Bank, Boost Bank, AEON Digital Bank, KAF Digital Bank, and TNG Digital. These institutions launched into a compliance environment that expects bank-grade AML standards from day one, without the legacy infrastructure that established banks use to meet them.

The expectations are not abstract. BNM's 2023 AML/CFT/CPF/TFS Policy Document updated and consolidated the compliance obligations applicable to all reporting institutions in Malaysia, and FATF's mutual evaluation process means Malaysia's AML framework is assessed against international benchmarks with direct consequences for the country's financial sector standing. For Malaysian digital banks, meeting these obligations is not a future consideration — it is an operational requirement from the moment they begin transacting.

What BNM Requires from Digital Banks on AML/CFT

The 2023 AML/CFT/CPF/TFS Policy Document is the primary BNM instrument governing AML compliance for all reporting institutions including digital banks. Its key requirements include:

Risk-based customer due diligence. Digital banks must apply a three-tier CDD approach — simplified due diligence for lower-risk customers, standard CDD at onboarding, and enhanced due diligence for high-risk customers including politically exposed persons, customers from high-risk jurisdictions, and those with complex ownership structures. The risk classification must be documented and reviewable.

eKYC standards. BNM has approved electronic know-your-customer processes for digital onboarding, with specific technical requirements: MyKad chip reading for identity verification, liveness detection to counter deepfake presentation attacks, and facial comparison against the chip photograph. Digital banks that rely on softer eKYC controls without meeting these standards face compliance exposure at onboarding.

Ongoing transaction monitoring. The Policy Document requires continuous monitoring of customer transactions against the risk profile established at onboarding. Monitoring must be capable of identifying suspicious patterns — structuring, rapid fund movement, mule account behaviour — and generating Suspicious Transaction Reports (STRs) where reasonable grounds for suspicion exist. For a detailed breakdown of transaction monitoring requirements in Malaysia, see our Malaysia transaction monitoring guide.

Record keeping for six years. All transaction records, customer identification documents, and investigation files must be retained for a minimum of six years from the date of the transaction or the end of the business relationship. This applies regardless of whether an STR was filed.

International Transfer of Funds Advisory. Digital banks involved in cross-border remittance or payments must comply with BNM's requirements on international fund transfer reporting, including appropriate source-of-funds verification on outbound transfers.

Statutory reporting under AMLATFPUAA. The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA) remains the primary legislation. STRs must be filed with the Financial Intelligence and Enforcement Department (FIED) of BNM when there are grounds for suspicion, with no minimum value threshold.

FATF Requirements Applicable to Malaysian Financial Institutions

Malaysia's AML/CFT framework is assessed against FATF's 40 Recommendations and 11 Immediate Outcomes. Several of these are particularly relevant for digital banks in 2026.

Recommendation 1 — Risk-based approach. FATF expects institutions to identify, assess, and understand their ML/TF risks, and to apply measures commensurate with those risks. For digital banks, this means the monitoring programme must be derived from a documented risk assessment — not from generic vendor defaults.

Recommendation 10 — Customer due diligence. FATF's requirements on CDD align with BNM's three-tier approach, with particular emphasis on beneficial ownership identification for legal persons. Digital banks onboarding business customers must identify and verify ultimate beneficial owners, not just the entity's authorised representatives.

Recommendation 16 — Wire transfer requirements. For any cross-border fund transfer, originator and beneficiary information must accompany the transaction. Digital banks and eWallet providers that process international transfers must implement systems to capture, transmit, and receive this information — the FATF Travel Rule obligation.

Recommendation 19 — Higher-risk countries. Digital banks must apply enhanced due diligence to customers and transactions linked to jurisdictions identified as high-risk by FATF. With FATF's grey list and black list updated at each plenary session, institutions need monitoring systems that can incorporate updated jurisdiction risk classifications without manual reconfiguration.

Recommendation 35 — Sanctions. Malaysia's obligations under United Nations Security Council resolutions require real-time screening against designated lists. For digital banks processing high transaction volumes, this means automated name and transaction screening capable of matching against continuously updated sanctions lists.

Key AML Challenges Facing Malaysian Digital Banks

Mule account abuse at onboarding scale. Digital banks that onboard thousands of customers monthly are primary targets for mule recruitment. Syndicates open coordinated batches of accounts, use them briefly for layering scam proceeds, and abandon them. Detection requires graph-based network analysis — not per-account rules — and onboarding risk scoring that flags suspicious applicants before accounts are opened.

eKYC integrity under deepfake pressure. Synthetic identity fraud and deepfake presentation attacks are increasing across Malaysia's digital banking sector. Meeting BNM's eKYC standards requires liveness detection capable of identifying AI-generated faces and video injection attacks — not just passive document comparison.

High alert volumes on lean compliance teams. Digital banks are built to operate with lean teams. Legacy rule-based monitoring generates false positive rates of 90–95%, which is unmanageable for a compliance function that cannot scale headcount at the speed of customer growth.

Dual compliance across AML and fraud. BNM and FATF address AML and CFT obligations; the same scam and fraud flows that compliance teams intercept also create AML reporting obligations when proceeds move through accounts. Institutions running separate fraud and AML systems leave a gap between those systems, and financial crime networks exploit it. For more on how unified fraud and AML detection works in practice, see our FRAML guide.

How FinCense Supports Malaysian Digital Banks

AEON Digital Bank — one of Malaysia's five licensed digital banks — runs Tookitaki's FinCense platform for AML compliance. FinCense addresses the Malaysian digital bank compliance challenge across three areas.

Detection aligned to BNM's risk-based requirements. FinCense is configured from the institution's documented risk assessment, not from generic defaults. Monitoring scenarios map directly to the risk outputs from BNM-compliant ML/TF risk assessments — producing the traceability between risk assessment and deployed scenarios that BNM examiners expect. Typology coverage is updated through Tookitaki's Anti Financial Crime (AFC) Ecosystem, a federated intelligence network of 30+ APAC financial institutions that identifies and validates new financial crime patterns as they emerge across the network.

Onboarding Risk Suite for eKYC integrity. FinCense's Onboarding Risk Suite provides applicant risk scoring at the point of account opening — combining eKYC signal assessment, consortium-level risk indicators from the AFC Ecosystem, and behavioural risk factors to identify mule recruitment and synthetic identity attempts before accounts enter the monitored customer base.

Operational efficiency for lean teams. FinCense reduces false positives by up to 70% compared to legacy rule-based systems through risk-based scenario design and AI-driven alert prioritisation. Integrated case management connects alert, investigation, and reporting workflows in a single environment — investigators access the full transaction history, customer risk profile, and connected entity context in one view, reducing investigation time and improving the quality of STR narratives filed under AMLATFPUAA.

Unified AML and fraud detection. FinCense addresses both AML monitoring and fraud detection on a single engine, shared data layer, and unified case management environment. The cross-typology view — fraud signals and AML indicators on the same account and entity — closes the gap between separate systems and supports the integrated STR reporting that BNM expects when fraud proceeds move through a monitored account.

Malaysia's digital banking sector will continue to grow, and BNM's compliance expectations will evolve with it. Institutions that build their AML programme on a platform aligned to BNM's specific requirements — risk-based by design, explainable by default, and updated continuously through community intelligence — are better positioned for both current examination cycles and the regulatory trajectory ahead.

For a full overview of BNM's AML/CFT requirements and how to structure a compliant programme, see our Malaysia AML compliance guide and Malaysia KYC requirements guide.

To see how FinCense is deployed in Malaysian digital banks and how it supports BNM AML/CFT compliance, book a demo with our Malaysia compliance team.
