The Philippines has always lived with the threat of floods. Each typhoon season brings destruction, and the government has poured billions into flood control projects meant to shield vulnerable communities. But while citizens braced for rising waters, another kind of flood was quietly at work: a flood of fraud.

Investigations now reveal that massive chunks of the flood control budget never translated into levees, drainage systems, or protection for communities. Instead, they flowed into the hands of a handful of contractors, politicians, and middlemen.

Since 2012, just 15 contractors cornered nearly ₱100 billion in projects, roughly 20 percent of the total budget. Many projects were “ghosts,” existing only on paper. Meanwhile, luxury cars filled garages, mansions rose in gated villages, and political war chests swelled ahead of elections.

This is not simply corruption. It is a textbook case of money laundering, with ghost projects and inflated contracts acting as conduits for illicit enrichment. For banks, fintechs, and regulators, it is a flashing red signal that the financial system remains a key artery for laundering public funds.

The Anatomy of the Scandal

The Department of Public Works and Highways (DPWH) is tasked with executing infrastructure that keeps cities safe from rising waters. Yet over the past decade, its flood control program has morphed into a honey pot for collusion and fraud.

• Ghost projects: Entire budgets released for dams, dikes, and drainage systems that were never completed or never built at all.
• Overpriced contracts: Inflated project costs created buffers for skimming and fund diversion.
• Kickbacks for campaigns: Portions of project budgets allegedly redirected to finance electoral campaigns, locking in loyalty between politicians and contractors.
• Cartel behaviour: Fifteen contractors cornering nearly a fifth of the flood control budget, year after year, with suspiciously repeat awards.
• Lavish lifestyles: Contractors flaunting their wealth through luxury cars, sprawling mansions, and overseas spending.

The human cost is chilling. While typhoon-prone communities remain flooded each year, taxpayer money meant for their protection bankrolls supercars instead of sandbags.

The Laundering Playbook Behind Ghost Projects

This scandal mirrors the familiar placement-layering-integration framework of money laundering, but applied to public funds.

1. Placement: Ghost Projects as Entry Points
   Funds are injected into the system under the guise of legitimate project disbursements. With government contracts as a cover, illicit enrichment begins with official-looking payments.
2. Layering: Overpricing, Subcontracting, and Round-Tripping
   Excess funds are disguised through inflated invoices, subcontractor arrangements, and consultancy contracts. Round-tripping, where money cycles through multiple accounts before returning to the same network, further conceals the origin.
3. Integration: From Sandbags to Supercars
   Once disguised, the funds re-emerge in legitimate markets such as luxury cars, prime real estate, overseas tuition, or campaign expenses. At this stage, dirty money is fully cleaned and woven into political and economic life.

Globally, procurement-related laundering has been flagged repeatedly by the Financial Action Task Force (FATF). In fact, FATF’s 2023 mutual evaluation warned that the Philippines faces serious challenges in addressing public sector corruption risks. The flood control scandal is not just a local embarrassment; it risks pulling the country deeper into scrutiny by international watchdogs.

What Banks Must Watch

Banks sit at the centre of these laundering flows. Every contractor, subcontractor, or political beneficiary needs accounts to receive, move, and disguise illicit funds. This makes banks the first line of defence, and often the last checkpoint before illicit proceeds are fully integrated.

Transaction-Level Red Flags

• Large and repeated deposits from government agencies into the same small group of contractors.
• Transfers to shell subcontractors or consultancy firms with little to no delivery capacity.
• Sudden spikes in cash withdrawals after receiving government disbursements.
• Circular transactions between contractors and related parties, indicating round-tripping.
• Luxury purchases such as cars, property, and overseas spending directly following government project inflows.
• Campaign-linked transfers, with bursts of outgoing payments to political accounts during election seasons.

KYC/CDD Red Flags

• Contractors with weak financial standing but billion-peso contracts.
• Hidden ownership ties to politically exposed persons (PEPs).
• Corporate overlap among multiple contractors, suggesting collusion.
• Lack of verifiable track records in infrastructure delivery, yet repeated contract awards.

Cross-Border Concerns

Funds may also be siphoned abroad. Banks must scrutinise:

• Remittances to offshore accounts labelled as “consultancy” or “procurement.”
• Purchases of high-value overseas assets.
• Trade-based laundering through manipulated import or export invoices for construction materials.

Banks must not only flag individual transactions but also connect the narrative across accounts, owners, and transaction patterns.

What BSP-Licensed E-Money Issuers Must Watch

The scandal also casts a spotlight on fintech players. BSP-licensed e-money issuers (EMIs) are increasingly part of laundering networks, especially when illicit funds need to be fragmented, hidden, or redirected.

Key risks include:

• Wallet misuse for political finance, with illicit funds loaded into multiple wallets to bankroll campaigns.
• Structuring, where large government disbursements are broken into smaller transfers to dodge reporting thresholds.
• Proxy accounts, with employees or relatives of contractors opening multiple wallets to spread funds.
• Layering via wallets, with e-money balances converted into bank transfers, prepaid cards, or even crypto exchanges.
• Unusual bursts of wallet activity around elections or after government fund releases.

For EMIs, the challenge is to monitor not just high-value transactions but also suspicious transaction clusters, where multiple accounts show parallel spikes or transfers that defy normal spending behaviour.

How Tookitaki Strengthens Defences

Schemes like ghost projects thrive because they exploit systemic blind spots. Static rules cannot keep pace with evolving laundering tactics. This is where Tookitaki brings a sharper edge.

AFC Ecosystem: Collective Intelligence

With over 1,500 expert-contributed typologies, the AFC Ecosystem already covers procurement fraud, campaign finance laundering, and luxury asset misuse. These scenarios can be directly applied by Philippine institutions to detect anomalies tied to public fund diversion.

FinCense: Adaptive Detection

FinCense translates these scenarios into live detection rules. It can flag government-to-contractor payments followed by unusual subcontractor layering or sudden spikes in high-value asset spending. Its federated learning model ensures that detection improves continuously across the network.

AI Agents: Cutting Investigation Time

Smart Disposition reduces false positives with automated, contextual alert summaries, while FinMate acts as an AI copilot for investigators. Together, they help compliance teams trace suspicious flows faster, from government disbursements to the eventual luxury car purchase.

The Trust Layer for BSP Institutions

By embedding collective intelligence into everyday monitoring, Tookitaki becomes the trust layer between financial institutions and regulators. This helps BSP and the Anti-Money Laundering Council (AMLC) strengthen national defences against procurement-linked laundering.

Conclusion: Beyond the Scandal

The flood control scandal is more than an exposé of wasted budgets. It is a stark reminder that public money, once stolen, does not vanish into thin air. It flows through the financial system, often right under the noses of compliance teams.

The typologies on display—ghost projects, contractor cartels, political kickbacks, and luxury laundering—are not unique to the Philippines. They are part of a global playbook of corruption-driven laundering. But in a country already under FATF scrutiny, the stakes are even higher.

For banks and EMIs, the call to action is urgent: strengthen detection, move beyond static rules, and collaborate across institutions. For regulators, it means demanding transparency, closing loopholes, and leveraging technology that learns and adapts in real time.

At Tookitaki, our role is to ensure institutions are not just reacting after scandals break but detecting patterns before they escalate. By unmasking money trails, enabling collaborative intelligence, and embedding AI-driven defences, we can prevent the next flood of fraud from drowning public trust.

Floods may be natural, but fraud floods are man-made. And unlike typhoons, this one is preventable.

Introduction: Why Governance-First AI is Rewriting the Financial Crime Playbook

This article is the second instalment in our series, Governance-First AI Strategy: The Future of Financial Crime Detection. The series examines how financial institutions can move beyond box-ticking compliance and embrace AI systems that are transparent, trustworthy, and genuinely effective against crime.

If you missed Part 1 — The AI Governance Crisis: How Compliance-First Thinking Undermines Both Innovation and Compliance — we recommend it as a pre-read. There, we explored how today’s compliance-heavy frameworks have created a paradox: soaring costs, mounting false positives, and declining effectiveness in tackling sophisticated financial crime.

In this second part, we shift from diagnosing the crisis to highlighting solutions. We look at how governance-first AI is being operationalised through initiatives like Singapore’s AI Verify program, which is setting global benchmarks for validation, accountability, and continuous trust in financial crime detection.

The Governance Gap: Moving Beyond Checkbox Compliance

Traditionally, many financial institutions have seen governance as a final-layer exercise: a set of boxes to tick just before launching a new AML system or onboarding a new AI solution. But today’s complex, AI-driven systems have outpaced this outdated approach. Here’s why this gap is so dangerous:

The Risks of Outdated Governance

• Operational Failure: Financial institutions are reporting false positive alert rates reaching 90% or higher. Analysts spend valuable time on non-issues, while genuine risks can slip through unseen, creating an operational black hole.
• Regulatory Exposure: Regulators are increasingly sceptical of black-box AI systems that cannot be explained or audited. This raises the risk of costly penalties, strict remediation orders, and reputational damage.
• Stalled Innovation: The fear of non-compliance can make organisations hesitant to adopt even the most promising AI innovations, worried they will face issues during audits.

Towards Living Governance

True governance means embedding transparency, validation, and accountability across the entire AI lifecycle. This is not a static report, but a dynamic, ongoing protocol that evolves as threats and opportunities do.

AI Verify: Singapore’s Blueprint for Independent AI Validation

Enter AI Verify: Singapore’s response to the governance challenge, and a model now being emulated worldwide. Developed by the IMDA and AI Verify Foundation, this pioneering program aims to transform governance and validation from afterthoughts into core design principles for any AI system, especially those managing financial crime risk.

Key Features of AI Verify

• Rigorous, Scenario-Based Testing: Every AI model is evaluated against 400+ real-world financial crime detection scenarios, ensuring that outputs perform accurately across the range of complexities institutions actually face.
• Multi-language and Cross-Border Application: With testing in both English and Mandarin, AI Verify anticipates the needs of global financial institutions with diverse customer bases and regulatory environments.
• Zero Tolerance for Hallucinations: The program enforces strict protocols to ensure every AI-generated output is grounded in verifiable, auditable facts. This sharply reduces the risk of hallucinations, a key regulatory concern.
• Continuous Compliance Assurance: Validation is not a single event. Ongoing monitoring, reporting, and built-in alerts ensure the AI adapts to new criminal typologies and evolving regulatory expectations.

Validation in Action: The Tookitaki Case Study

Tookitaki became the first RegTech company to achieve independent validation under Singapore’s AI Verify program, setting a new industry benchmark for governance-first AI solutions.

• Accuracy Across Complexity: Our AI systems were validated against an extensive suite of real-world AML scenarios, consistently delivering precise, actionable outcomes in both English and Mandarin.
• No Hallucinations: With guardrails in place, every AI-generated narrative was rigorously checked for factual soundness and traceability. Investigators and regulators were able to audit the reasoning behind each alert, turning AI from a “black box” into a transparent partner.
• Compliance, Built-In: Stringent regulatory, privacy, and security requirements were checked throughout the process, ensuring our systems could not only pass today’s audits but also stay ahead of tomorrow’s standards.
• Strategic Trust: As recognised by media coverage in The Straits Times, Tookitaki’s independent validation became a source of trust for clients, regulators, and business partners, transforming governance into a strategic advantage.

Continuous Validation: Governance as Daily Operational Advantage

What sets AI Verify, and governance-first models more broadly, apart is the principle of continuous validation:

• Pre-deployment: Before launch, every model is stress-tested for robustness, fairness, and regulatory fit in a controlled, simulated real-world setting.
• Post-deployment: Continuous monitoring ensures that as new fraud threats and compliance rules arise, the AI adapts immediately, preventing operational surprises and keeping regulator confidence high.

This approach lets financial institutions move from a reactive, firefighting mentality to a proactive, resilient operating style.

The Strategic Payoff: Governance as a Differentiator

What is the true value of independent, embedded validation?

• Faster, Safer Innovation: Launches of new AI models become quicker and less risky, since validation is built in, not tacked on at the end.
• Operational Efficiency: With fewer false positives and more explainable decisions, investigative teams can focus energy where it matters most: rooting out real financial crime.
• Market Leadership: Governance-first adopters signal to clients, partners, and regulators that they take trust, transparency, and responsibility seriously, building long-term advantages in reputation and readiness.

Conclusion: Tomorrow’s AI, Built on Governance

As we highlighted in Part 1, compliance-first frameworks have proven costly and ineffective, leaving financial institutions trapped in a cycle of escalating spend and diminishing returns. AI Verify demonstrates what a governance-first approach looks like in practice: validation, accountability, and transparency built directly into the design of AI systems.

For Tookitaki, achieving independent validation under AI Verify was not simply a compliance milestone. It was evidence that governance-first AI can deliver measurable trust, precision, and operational advantage. By embedding continuous validation, institutions can move from reactive firefighting to proactive resilience, strengthening both regulatory confidence and market reputation.

Key Takeaways from Part 2:

1. Governance-first AI shifts the conversation from “being compliant” to “being trustworthy by design.”
2. Continuous validation ensures models evolve with emerging financial crime typologies and regulatory expectations.
3. Independent validation transforms governance from a cost centre into a strategic differentiator.

What’s Next in the Series

In Part 3 of our series, Governance-First AI Strategy: The Future of Financial Crime Detection, we will explore one of the most pressing risks in deploying AI for compliance: AI hallucinations. When models generate misleading or fabricated outputs, trust breaks down, both with regulators and within institutions.

We will examine why hallucinations are such a critical challenge in financial crime detection and how governance-first safeguards, including Tookitaki’s own controls, are designed to eliminate these risks and make every AI-driven decision auditable, transparent, and actionable.

Stay tuned.

In August 2025, Malaysian police stormed a five-storey office in Bangsar South, Kuala Lumpur, arresting more than 400 people linked to what is now called the country’s largest scam call centre operation.

The raid made headlines worldwide, not only for its scale but also because of its alleged link to Doo Group, a Singapore-based fintech that sponsors English football giant Manchester United. The case has cast a harsh spotlight on the industrial scale of financial crime in Southeast Asia and the reputational risks it poses for both financial institutions and global brands.

Background of the Scam

The dramatic raid took place on 26 August 2025, when Malaysian authorities swept into a commercial tower in Bangsar South, a thriving business district in Kuala Lumpur. Inside, they discovered a massive call centre allegedly set up to defraud victims across multiple countries.

Over 400 individuals were arrested. Videos of employees being escorted into police vans quickly went viral, symbolising the scale and industrial nature of the operation.

Initial reports linked the call centre to Doo Group, a global financial services provider with operations across Singapore, Hong Kong, London, Sydney, and Dubai. While the company has insisted that its operations remain unaffected and that it is cooperating fully with investigators, the reputational damage was already significant.

The Bangsar South raid is part of Malaysia’s wider anti-scam campaign. By mid-2025, authorities had arrested over 11,800 suspects in similar cases, with financial losses amounting to RM 1.5 billion (USD 355 million). The Bangsar South case, however, stands out because of its size, its international profile, and its link to a company with a global brand presence.

What the Case Revealed

The raid revealed troubling insights into how financial crime networks operate in the region:

1. Industrialised Fraud

A workforce of over 400 suggests this was not a small, fly-by-night scam but a structured enterprise. Staff were reportedly trained to follow scripts, handle objections, and target victims methodically, mirroring the efficiency of legitimate customer service operations.

2. Global Targeting

Reports indicate the call centre targeted victims not just in Malaysia but also overseas, raising questions about how funds were laundered across borders. The multilingual capabilities of employees further suggest international reach.

3. Reputation at Risk

The alleged connection to Doo Group highlights how reputable financial companies can be pulled into fraud narratives. Even if not directly complicit, the association underscores how thin the line can be between legitimate fintech operations and the shadow economy.

4. Oversight Gaps

The case also points to challenges regulators face in monitoring sprawling call centre operations and cross-border financial flows. By the time raids occur, thousands of victims may already have been defrauded.

Impact on Financial Institutions and Corporates

The Bangsar South raid is not just a law enforcement victory. It is a warning signal for the financial industry.

1. Reputational Fallout

When a Manchester United sponsor is linked to scams, it is not just the company that suffers. Brand trust in fintech, sports, and banking becomes collateral damage. This raises the stakes for due diligence in sponsorships and partnerships.

2. Investor and Customer Confidence

Digital finance thrives on trust. When fintechs are tied to scandals, investors hesitate and customers second-guess their safety. The Bangsar South case risks dampening enthusiasm for fintech adoption in Malaysia and the wider region.

3. Operational Risks for Banks

For financial institutions, call centre scams translate into suspicious transaction flows, mule account proliferation, and higher compliance costs. Traditional transaction monitoring often struggles to flag layered, cross-border flows connected to scams of this scale.

4. Regional Implications

Malaysia’s crackdown shows commendable resolve, but it also exposes the country as a hub for organised scam activity. This dual image, both a problem centre and an enforcement leader, will shape how regional regulators approach financial crime.

Lessons Learned from the Scam

1. Scale ≠ Legitimacy
   A large workforce and polished infrastructure do not guarantee a legitimate business. Regulators and partners must look beyond appearances.
2. Due Diligence is Non-Negotiable
   Global brands and institutions need deeper checks before partnerships. A sponsorship or corporate tie-up can quickly become a reputational liability.
3. Regulatory Vigilance Matters
   The Bangsar South raid shows what decisive enforcement looks like, but it also reveals how long such scams can operate before being stopped.
4. Cross-Border Cooperation is Critical
   Victims were likely spread across multiple jurisdictions. Without international collaboration, enforcement remains reactive.
5. Public Awareness is Essential
   Scam call centres thrive because victims are unaware. Public education campaigns must go hand-in-hand with enforcement.

The Role of Technology in Prevention

Conventional compliance methods, such as simple blacklist checks or static rules, are no match for scam call centres operating at an industrial scale. To counter them, financial institutions need adaptive, intelligence-driven defences.

This is where Tookitaki’s FinCense and the AFC Ecosystem come in:

• Typology-Driven Detection
  FinCense continuously updates detection logic based on real scam scenarios contributed by 200+ global financial crime experts in the AFC Ecosystem. This means emerging call centre scam patterns can be identified faster.
• Agentic AI
  At the heart of FinCense is an Agentic AI framework, a network of intelligent agents that not only detect suspicious activity but also explain every decision in plain language. This reduces investigation time and builds regulator confidence.
• Federated Learning
  Through federated learning, FinCense enables banks to share insights on scam flows and mule account behaviours without compromising sensitive data. It is collective intelligence at scale.
• Smart Case Disposition
  When alerts are triggered, FinCense’s Agentic AI generates natural-language summaries, helping investigators prioritise critical cases quickly and accurately.

Moving Forward: The Future of Scam Call Centres

The Bangsar South raid may have shut down one operation, but the fight against scam call centres is far from over. As enforcement improves, fraudsters will adopt AI-driven tools, deepfake impersonations, and more sophisticated laundering methods.

For financial institutions, the path forward is clear:

• Strengthen collaboration with regulators and peers to track cross-border scam flows.
• Invest in adaptive technology like FinCense to stay ahead of criminal innovation.
• Educate customers relentlessly about new fraud tactics.

The raid was a victory, but it was also a warning.

If one call centre with 400 employees can operate in plain sight, imagine how many others remain hidden. The only safe strategy for financial institutions is to stay one step ahead with collaboration, intelligence, and next-generation technology.