What Should Fintechs Do to Ensure AML Compliance in the Philippines

The Philippines is one of the largest and fastest-growing economies in Southeast Asia. Its relatively young population and broad mobile network penetration have boosted the country's internet-based businesses, especially the fintech sector. It is a global hotspot for fintech and financial services today.

The Philippines has a rising number of fintech startups, while its traditional banks are launching more online services to address the needs of its internet-savvy customers. While the Philippine government has favourable policies for fintech companies, COVID-19 marked the sector's growth. The pandemic led to a surge in demand for online payment solutions. Digital payments are projected to reach $29.6 million in value this year.

However, the country's Anti-Money Laundering and Combating of Financing of Terrorism (AML/CFT) system is yet to catch up with the growth, and criminals have been exploiting the country's weaknesses to launder money. Consequently, the Philippines has been placed among the Financial Action Task Force (FATF) grey list countries.

Therefore, it is critical for fintech companies seeking a license to have a formal anti-money laundering system of internal controls. Meanwhile, existing financial institutions should work towards enhancing the effectiveness and efficiency of their AML compliance programmes.

In this article, we have picked out a few essential action items relevant to fintech companies, including payment service providers, wallet operators and crypto businesses, to ensure risk-based AML compliance. We also explain how fintech companies can fulfil AML regulatory requirements with cutting-edge solutions.


What Does the Regulator Say?

As part of the country's efforts to move out of the FATF grey list, the Philippine central bank, Bangko Sentral ng Pilipinas (BSP), has issued fresh guidance to all supervised financial institutions in the country on conducting institutional risk assessments (IRAs).

The BSP looks to provide financial institutions with "practicable insights" to achieve optimal results in the IRA process. It also wants the institutions to adopt a risk-based approach while designing and implementing countermeasures against money laundering, terrorist financing and proliferation financing (ML/TF/PF).

The recommendations in the guidance paper are in line with the country's anti-money laundering (AML) regulations and international standards, including the Anti-Money Laundering Act of 2001 (AMLA) and the Financial Action Task Force (FATF) standards.

This guidance is intended for all financial institutions and presents a generic, flexible approach to IRA. The BSP notes that the guidance can be tailored to the nature and complexity of a financial institution's activities and operations, including those with simple business models.

Why is IRA Important for Fintechs?



  • According to the BSP, IRA is the "cornerstone of risk-based approach" to detecting and preventing ML/TF/PF and mitigating sanctions risk. The results from IRA would help develop or enrich anti-financial crime policies, systems, controls and procedures and ensure efficient and risk-focused allocation of resources.
  • The AMLA and the FATF standards require financial institutions to have a risk-based approach to preventing financial crimes. The procedures resulting from IRA would help financial institutions comply with AMLA and FATF requirements, according to the BSP. The IRA would help a fintech company in the following ways:
    • Provide a clear picture to the senior management on the ML/TF/PF and sanctions risks landscape as well as AML/CTPF control gaps and present improvement opportunities.
    • Inform remediation strategies and development or enhancements of AML/CTPF policies, systems, controls, processes and procedures.
    • Help focus on issues and concerns that present higher risks that warrant enhanced mitigation measures.
    • Apply reduced preventive measures to identified low-risk areas so that unnecessary requirements are not imposed on lower-risk clients, products, and services.


How Can a Fintech Create an Effective IRA Process?

Here is a detailed guide on how a fintech company can create an efficient, effective and sustainable IRA process.


Step 1: Plan and Define the Scope of IRA

The BSP says that the prime goal of the assessment should be to identify the sources of ML/TF/PF risks and vulnerabilities. Furthermore, fintech companies must set the ambit, coverage and the covered period of the IRA and clarify if they are conducting combined or individual assessments for ML/TF/PF and sanctions risks. The other action items in this stage include:

  • Preparing a project plan with details on the involved personnel and setting milestones and timelines
  • Devising a feasible mechanism for the collection of relevant quantitative and qualitative data or information, data analysis and updating


Step 2: Select the Appropriate Methodology

While there is no "one-size-fits-all" approach to IRA, fintech companies should select a risk assessment methodology proportionate to the nature and complexity of their activities and operations. Accordingly, companies with complex procedures and structures may have a more detailed assessment process, while less complex companies may use a simple methodology. However, the selected method should be able to reasonably capture and analyse the company's risk and achieve the defined objectives.


Step 3: Identify Various ML/TF/PF Threats and Vulnerabilities

Fintech companies should try to understand the threat environment by listing known threats, such as relevant predicate offences and their proceeds. For this purpose, they need to gather information related to known or suspected threats and sectors, products or services that have been or may be exploited by criminals.

Fintechs should also identify the intrinsic or inherent risks before introducing preventive measures. Customers should be risk-scored based on the company's business relationships with them, including the products, services, and delivery channels they avail or utilise, geographic location of the customer and their transactions, new developments or technologies available to them and historical patterns of customers' transactions.


Step 4: Analyse ML/TF/PF or Sanctions Risks

Fintechs should conduct a thorough and informed assessment of the identified risks' nature, sources, likelihood, and consequences. The level and seriousness of each risk type should be determined in terms of their degree and relative importance or using a likelihood and impact matrix. After the analysis, the compliance team should assign a relative value or risk level for each identified risk.


Step 5: Evaluate Risk

Following the risk analysis, fintech companies should determine the priorities and develop strategies commensurate with the level of assessed residual risks. Depending on the level of risk appetite, the companies must employ methods such as acceptance, prevention (prohibiting certain products, services, or activities), or mitigation (or reduction).


Step 6: Prepare a Report for Senior Management

The risk assessment results and corresponding recommendations shall be reported to the board of directors for approval. If the fintech makes any amendments to its existing AML/CTPF policies and procedures based on the recommendations, the board should disseminate them to the concerned personnel for effective implementation.


Step 7: Monitor and Re-assess the IRA

Once the action plans from the IRA are implemented with proper systems and processes, fintech companies should assign the responsibility for monitoring the action plan to key personnel. The accountable staff should periodically report on the functioning of the action plan to the board. The BSP recommends conducting IRAs at least every two years, depending on internal and external developments such as newly identified financial crime, changes in business operations and a spike in the volume and value of transactions and STRs.

While updating the IRA, fintech companies should also review the methods and assumptions used along with the adequacy of data, information and reports. This will ensure reasonable and meaningful results from IRA.


Step 8: Conduct Additional Risk Assessment for New Products/Services

When they develop new products/services and business practices, such as new delivery mechanisms and modern technologies, fintech companies should conduct additional risk assessments. They should consider the functionalities/features of the products and services and target market/customers, among others. They should be aware of risky features that allow customer anonymity, disguised ownership, concealed source of funds, large cash transactions and cross-border transactions. In case of high residual risk, they should institute additional controls, such as limits to transactions and further due diligence on transactions crossing thresholds.


How Can Tookitaki Help with Your AML Compliance?

With modern technologies such as artificial intelligence and machine learning at the forefront, compliance departments can address many of these issues effectively. With proper implementation, these technologies can bring in a paradigm shift in the way financial institutions approach financial crimes and compliance risk at large.

This is an area where machine learning-powered platforms like Tookitaki can add value. Our end-to-end AML/CFT analytics solution, the Anti-Money Laundering Suite (AMLS), can create next-generation compliance programmes, encompassing key processes such as transaction monitoring, AML screening and customer AML risk scoring on a single platform.

The suite comprises our Transaction Monitoring, Dynamic Risk Review, Smart Screening and Case Management solutions under one roof for all your AML needs. AMLS achieves new levels of accuracy and speed by providing the industry's only shared typology platform, allowing our clients to break through silos and benefit from the industry's collective AML insights. Our coordinated, collaborative and innovative approach enables everyone to join forces in the fight against financial crime.

Both modern and traditional financial institutions across the globe are building agile and scalable compliance programmes using AMLS, making us a partner of choice.

Talk to our expert to learn more about our AML solution and how Tookitaki can be your partner of choice for enhancing risk-based AML compliance programmes.