When Australian regulators translate AML failures into capital penalties, it signals more than enforcement. It signals a fundamental shift in how financial crime risk is priced, governed, and punished.

The recent action against Bendigo and Adelaide Bank marks a decisive turning point in Australia’s regulatory posture. Weak anti-money laundering controls are no longer viewed as back-office compliance shortcomings. They are now being treated as prudential risks with direct balance-sheet consequences.

This is not just another enforcement headline. It is a clear warning to the entire financial sector.

What happened at Bendigo Bank

Following an independent review, regulators identified significant and persistent deficiencies in Bendigo Bank’s financial crime control framework. What stood out was not only the severity of the gaps, but their duration.

Key weaknesses remained unresolved for more than six years, spanning from 2019 to 2025. These were not confined to a single branch, product, or customer segment. They were assessed as systemic, affecting governance, oversight, and the effectiveness of AML controls across the institution.

In response, regulators acted in coordination:

• Australian Prudential Regulation Authority (APRA) imposed a AUD 50 million operational risk capital add-on, effective January 2026.
• AUSTRAC commenced a formal enforcement investigation into potential breaches of Australia’s AML/CTF legislation.

The framing matters. This was not positioned as punishment for an isolated incident. Regulators explicitly pointed to long-standing control failures and prolonged exposure to financial crime risk.

Why this is not just another AML penalty

This case stands apart from past enforcement actions for one critical reason.

Capital was used as the lever.

A capital add-on is fundamentally different from a fine or enforceable undertaking. By requiring additional capital to be held, APRA is signalling that deficiencies in financial crime controls materially increase an institution’s operational risk profile.

Until those risks are demonstrably addressed, they must be absorbed on the balance sheet.

The consequences are tangible:

• Reduced capital flexibility
• Pressure on return on equity
• Constraints on growth and strategic initiatives
• Prolonged supervisory scrutiny

The underlying message is unambiguous.
AML weaknesses now come with a measurable capital cost.

AML failures are now viewed as prudential risk

This case also signals a shift in how regulators define the problem.

The findings were not limited to missed alerts or procedural non-compliance. Regulators highlighted broader, structural weaknesses, including:

• Ineffective transaction monitoring
• Inadequate customer risk assessment and limited beneficial ownership visibility
• Weak escalation from branch-level operations
• Fragmented oversight between frontline teams and central compliance
• Governance gaps that allowed weaknesses to persist undetected

These are not execution errors.
They are risk management failures.

This explains the joint involvement of APRA and AUSTRAC. Financial crime controls are now firmly embedded within expectations around enterprise risk management, institutional resilience, and safety and soundness.

Six years of exposure is a governance failure

Perhaps the most troubling aspect of the Bendigo case is duration.

When material AML weaknesses persist across multiple years, audit cycles, and regulatory engagements, the issue is no longer technology alone. It becomes a question of:

• Risk culture
• Accountability
• Board oversight
• Management prioritisation

Australian regulators have made it increasingly clear that financial crime risk cannot be fully delegated to second-line functions. Boards and senior executives are expected to understand AML risk in operational and strategic terms, not just policy language.

This reflects a broader global trend. Prolonged AML failures are now widely treated as indicators of governance weakness, not just compliance gaps.

Why joint APRA–AUSTRAC action matters

The coordinated response itself is a signal.

APRA’s mandate centres on institutional stability and resilience. AUSTRAC’s mandate focuses on financial intelligence and the disruption of serious and organised crime. When both regulators act together, it reflects a shared conclusion: financial crime control failures have crossed into systemic risk territory.

This convergence is becoming increasingly common internationally. Regulators are no longer willing to separate AML compliance from prudential supervision when weaknesses are persistent, enterprise-wide, and inadequately addressed.

For Australian institutions, this means AML maturity is now inseparable from broader risk and capital considerations.

The hidden cost of delayed remediation

The Bendigo case also exposes an uncomfortable truth.

Delayed remediation is expensive.

When control weaknesses are allowed to persist, institutions often face:

• Large-scale, multi-year transformation programs
• Significant technology modernisation costs
• Extensive retraining and cultural change initiatives
• Capital locked up until regulators are satisfied
• Sustained supervisory and reputational pressure

What could have been incremental improvements years earlier can escalate into a full institutional overhaul when left unresolved.

In this context, capital add-ons act not just as penalties, but as forcing mechanisms to ensure sustained executive and board-level focus.

What this means for Australian banks and fintechs

This case should prompt serious reflection across the sector.

Several lessons are already clear:

• Static, rules-based monitoring struggles to keep pace with evolving typologies
• Siloed fraud and AML functions miss cross-channel risk patterns
• Documented controls are insufficient if they are not effective in practice
• Regulators are increasingly focused on outcomes, not frameworks

Importantly, this applies beyond major banks. Regional institutions, mutuals, and digitally expanding fintechs are firmly within scope. Scale is no longer a mitigating factor.

Where technology must step in before capital is at risk

Cases like Bendigo expose a widening gap between regulatory expectations and how financial crime controls are still implemented in many institutions. Legacy systems, fragmented monitoring, and periodic reviews are increasingly misaligned with the realities of modern financial crime.

At Tookitaki, financial crime prevention is approached as a continuous intelligence challenge, rather than a static compliance obligation. The emphasis is on adaptability, explainability, and real-time risk visibility, enabling institutions to surface emerging threats before they escalate into supervisory or capital issues.

By combining real-time transaction monitoring with collaborative, scenario-driven intelligence, institutions can reduce blind spots and demonstrate sustained control effectiveness. In an environment where regulators are increasingly focused on whether controls actually work, this ability is becoming central to maintaining regulatory confidence.

Many of the weaknesses highlighted in this case mirror patterns seen across recent regulatory reviews. Institutions that address them early are far better positioned to avoid capital shocks later.

From compliance posture to risk ownership

The clearest takeaway from the Bendigo case is the need for a mindset shift.

Financial crime risk can no longer be treated as a downstream compliance concern. It must be owned as a core institutional risk, alongside credit, liquidity, and operational resilience.

Institutions that proactively modernise their AML capabilities and strengthen governance will be better placed to avoid prolonged remediation, capital constraints, and reputational damage.

A turning point for trust and resilience

The action against Bendigo Bank is not about one institution. It reflects a broader regulatory recalibration.

AML failures are now capital risks.

In Australia’s evolving regulatory landscape, AML is no longer a cost of doing business.
It is a measure of institutional resilience, governance strength, and trustworthiness.

Those that adapt early will navigate this shift with confidence. Those that do not may find that the cost of getting AML wrong is far higher than expected.

When the Financial Action Task Force publishes a Mutual Evaluation Report, it is not simply assessing the existence of laws and controls. It is examining whether those measures are producing real, demonstrable outcomes across the financial system.

The FATF Mutual Evaluation Report on Malaysia, published in December 2025, sends a clear signal in this regard. Beyond the headline ratings, the evaluation focuses on how effectively money laundering and terrorist financing risks are understood, prioritised, and mitigated in practice.

For banks, fintechs, and compliance teams operating in Malaysia, the real value of the report lies in these signals. They indicate where supervisory scrutiny is likely to intensify and where institutions are expected to demonstrate stronger alignment between risk understanding and operational controls.

What a FATF Mutual Evaluation Is Really Testing

A FATF Mutual Evaluation assesses two interconnected dimensions.

The first is technical compliance, which looks at whether the legal and institutional framework aligns with FATF Recommendations.

The second, and increasingly decisive, dimension is effectiveness. This examines whether authorities and reporting entities are achieving intended outcomes, including timely detection, meaningful disruption of illicit financial activity, and effective use of financial intelligence.

In recent evaluation cycles, FATF has made it clear that strong frameworks alone are insufficient. Supervisors are looking for evidence that risks are properly understood and that controls are proportionate, targeted, and working as intended. Malaysia’s December 2025 evaluation reflects this emphasis throughout.

Why Malaysia’s Evaluation Carries Regional Significance

Malaysia plays a central role in Southeast Asia’s financial system. It supports significant volumes of cross-border trade, remittance flows, and correspondent banking activity, alongside a rapidly growing digital payments and fintech ecosystem.

This positioning increases exposure to complex and evolving money laundering risks. FATF’s evaluation recognises Malaysia’s progress in strengthening its framework, while also highlighting the need for continued focus on risk-based implementation as financial crime becomes more cross-border, more technology-driven, and more fragmented.

For financial institutions, this reinforces the expectation that controls must evolve alongside the risk landscape, not lag behind it.

Key Signals Emerging from the December 2025 Evaluation

Effectiveness Takes Precedence Over Formal Compliance

One of the strongest signals from the evaluation is the emphasis on demonstrable effectiveness.

Institutions are expected to show that:

• Higher-risk activities are identified and prioritised
• Detection mechanisms are capable of identifying complex and layered activity
• Alerts, investigations, and reporting are aligned with real risk exposure
• Financial intelligence leads to meaningful outcomes

Controls that exist but do not clearly contribute to these outcomes are unlikely to meet supervisory expectations.

Risk Understanding Must Drive Control Design

The evaluation reinforces that a risk-based approach must extend beyond documentation and enterprise risk assessments.

Financial institutions are expected to:

• Clearly articulate their understanding of inherent and residual risks
• Translate that understanding into targeted monitoring scenarios
• Adjust controls as new products, delivery channels, and typologies emerge

Generic or static monitoring frameworks risk being viewed as insufficiently aligned with actual exposure.

Ongoing Focus on Cross-Border and Predicate Offence Risks

Consistent with Malaysia’s role as a regional financial hub, the evaluation places continued emphasis on cross-border risks.

These include exposure to:

• Trade-based money laundering
• Proceeds linked to organised crime and corruption
• Cross-border remittances and correspondent banking relationships

FATF’s focus here signals that institutions must demonstrate not just transaction monitoring coverage, but the ability to interpret cross-border activity in context and identify suspicious patterns that span multiple channels.

Expanding Attention on Non-Bank and Digital Channels

While banks remain central to Malaysia’s AML framework, the evaluation highlights increasing supervisory attention on:

• Payment institutions
• Digital platforms
• Designated non-financial businesses and professions

As risks shift across the financial ecosystem, regulators expect banks and fintechs to understand how their exposures interact with activity outside traditional banking channels.

Practical Implications for Malaysian Financial Institutions

For compliance teams, the December 2025 evaluation translates into several operational realities.

Supervisory Engagement Will Be More Outcome-Focused

Regulators are likely to probe:

• Whether monitoring scenarios reflect current risk assessments
• How detection logic has evolved over time
• What evidence demonstrates that controls are effective

Institutions that cannot clearly explain how their controls address specific risks may face increased scrutiny.

Alert Volumes Will Be Scrutinised for Quality

High alert volumes are no longer viewed as evidence of strong controls.

Supervisors are increasingly focused on:

• The relevance of alerts generated
• The quality of investigations
• The timeliness and usefulness of suspicious transaction reporting

This places pressure on institutions to improve signal quality while managing operational efficiency.

Static Monitoring Frameworks Will Be Challenged

The pace at which money laundering typologies evolve continues to accelerate.

Institutions that rely on:

• Infrequent scenario reviews
• Manual rule tuning
• Disconnected monitoring systems

may struggle to demonstrate timely adaptation to emerging risks highlighted through national risk assessments or supervisory feedback.

Common Execution Gaps Highlighted Through FATF Evaluations

Across jurisdictions, FATF evaluations frequently expose similar challenges.

Fragmented Monitoring Approaches

Siloed AML and fraud systems limit the ability to see end-to-end money flows and behavioural patterns.

Slow Adaptation to Emerging Typologies

Scenario libraries can lag behind real-world risk evolution, particularly without access to shared intelligence.

Operational Strain from False Positives

Excessive alert volumes reduce investigator effectiveness and dilute regulatory reporting quality.

Explainability and Governance Limitations

Institutions must be able to explain why controls behave as they do. Opaque or poorly governed models raise supervisory concerns.

What FATF Is Signalling About the Next Phase

While not always stated explicitly, the evaluation reflects expectations that institutions will continue to mature their AML capabilities.

Supervisors are looking for evidence of:

• Continuous improvement
• Learning over time
• Strong governance over model changes
• Clear auditability and explainability

This represents a shift from compliance as a static obligation to compliance as an evolving capability.

Translating Supervisory Expectations into Practice

To meet these expectations, many institutions are adopting modern AML approaches built around scenario-led detection, continuous refinement, and strong governance.

Such approaches enable compliance teams to:

• Respond more quickly to emerging risks
• Improve detection quality while managing noise
• Maintain transparency and regulatory confidence

Platforms that combine shared intelligence, explainable analytics, and unified monitoring across AML and fraud domains align closely with the direction signalled by recent FATF evaluations. Solutions such as Tookitaki’s FinCense illustrate how technology can support these outcomes while maintaining auditability and supervisory trust.

From Compliance to Confidence

The FATF Mutual Evaluation of Malaysia should be viewed as more than a formal assessment. It is a forward-looking signal.

Institutions that treat it purely as a compliance exercise may meet minimum standards. Those that use it as a reference point for strengthening risk understanding and control effectiveness are better positioned for sustained supervisory confidence.

Final Reflection

FATF evaluations increasingly focus on whether systems work in practice, not just whether they exist.

For Malaysian banks and fintechs, the December 2025 review reinforces a clear message. The institutions best prepared for the next supervisory cycle will be those that can demonstrate strong risk understanding, effective controls, and the ability to adapt as threats evolve.

In December 2025, the Reserve Bank of New Zealand sent one of its clearest signals yet to the financial sector. By filing civil proceedings against ASB Bank for breaches of the AML/CFT Act, the regulator made it clear that compliance in name alone is no longer sufficient. What matters now is whether anti-money laundering controls actually work in practice.

This was not a case about proven money laundering or terrorism financing. It was about operational effectiveness, timeliness, and accountability. For banks and financial institutions across New Zealand, that distinction is significant.

The action marks a turning point in how AML compliance will be assessed going forward. It reflects a shift from reviewing policies and frameworks to testing whether institutions can demonstrate real-world outcomes under scrutiny.

What Happened and Why It Matters

The Reserve Bank’s filing outlines multiple failures by ASB to meet core obligations under the AML/CFT Act. These included shortcomings in maintaining an effective AML programme, carrying out ongoing customer due diligence, applying enhanced due diligence when required, and reporting suspicious activity within mandated timeframes.

ASB admitted liability across all causes of action and cooperated with the regulator. The Reserve Bank also clarified that it was not alleging ASB knowingly facilitated money laundering or terrorism financing.

This clarification is important. The case is not about intent or criminal involvement. It is about whether an institution’s AML framework operated effectively and consistently over time.

For the wider market, this is a regulatory signal rather than an isolated enforcement action.

What the Reserve Bank Is Really Signalling

Read carefully, the Reserve Bank’s message goes beyond one bank. It reflects a broader recalibration of supervisory expectations.

First, AML effectiveness is now central. Regulators are no longer satisfied with documented programmes alone. Institutions must show that controls detect risk, escalate appropriately, and lead to timely action.

Second, speed matters. Delays in suspicious transaction reporting, extended remediation timelines, and slow responses to emerging risks are viewed as material failures, not operational inconveniences.

Third, governance and accountability are under the spotlight. AML effectiveness is not just a technology issue. It reflects resourcing decisions, prioritisation, escalation pathways, and senior oversight.

This mirrors developments in other comparable jurisdictions, including Australia, Singapore, and the United Kingdom, where regulators are increasingly outcome-focused.

Why This Is a Critical Moment for New Zealand’s Financial System

New Zealand’s AML regime has matured significantly over the past decade. Financial institutions have invested heavily in frameworks, teams, and tools. Yet the RBNZ action highlights a persistent gap between programme design and day-to-day execution.

This matters for several reasons.

Public confidence in the financial system depends not only on preventing crime, but on the belief that institutions can detect and respond to risk quickly and effectively.

From an international perspective, New Zealand’s reputation as a well-regulated financial centre supports correspondent banking relationships and cross-border trust. Supervisory actions like this are closely observed beyond domestic borders.

For compliance teams, the message is clear. Supervisory reviews will increasingly test how AML frameworks perform under real-world conditions, not how well they are documented.

Common AML Gaps Brought to Light

While the specifics of each institution differ, the issues raised by the Reserve Bank are widely recognised across the industry.

One common challenge is fragmented visibility. Customer risk data, transaction monitoring outputs, and historical alerts often sit in separate systems. This makes it difficult to build a unified view of risk or spot patterns over time.

Another challenge is static monitoring logic. Rule-based thresholds that are rarely reviewed struggle to keep pace with evolving typologies, particularly in an environment shaped by real-time payments and digital channels.

Ongoing customer due diligence also remains difficult to operationalise at scale. While onboarding checks are often robust, keeping customer risk profiles current requires continuous recalibration based on behaviour, exposure, and external intelligence.

Finally, reporting delays are frequently driven by workflow inefficiencies. Manual reviews, alert backlogs, and inconsistent escalation criteria can all slow the path from detection to reporting.

Individually, these issues may appear manageable. Together, they undermine AML effectiveness.

Why Traditional AML Models Are Under Strain

Many of these gaps stem from legacy AML operating models.

Traditional architectures rely heavily on static rules, manual investigations, and institution-specific intelligence. This approach struggles in an environment where financial crime is increasingly fast-moving, cross-border, and digitally enabled.

Compliance teams face persistent pressure. Alert volumes remain high, false positives consume investigator capacity, and regulatory expectations continue to rise. When resources are stretched, timeliness becomes harder to maintain.

Explainability is another challenge. Regulators expect institutions to articulate why decisions were made, not just that actions occurred. Systems that operate as black boxes make this difficult.

The result is a growing disconnect between regulatory expectations and operational reality.

The Shift Toward Effectiveness-Led AML

The RBNZ action reflects a broader move toward effectiveness-led AML supervision.

Under this approach, success is measured by outcomes rather than intent. Regulators are asking:

• Are risks identified early or only after escalation?
• Are enhanced due diligence triggers applied consistently?
• Are suspicious activities reported promptly and with sufficient context?
• Can institutions clearly explain and evidence their decisions?

Answering these questions requires more than incremental improvements. It requires a rethinking of how AML intelligence is sourced, applied, and validated.

Rethinking AML for the New Zealand Context

Modernising AML does not mean abandoning regulatory principles. It means strengthening how those principles are executed.

One important shift is toward scenario-driven detection. Instead of relying solely on generic thresholds, institutions increasingly use typologies grounded in real-world crime patterns. This aligns monitoring logic more closely with how financial crime actually occurs.

Another shift is toward continuous risk recalibration. Customer risk is not static. Systems that update risk profiles dynamically support more effective ongoing due diligence and reduce downstream escalation issues.

Collaboration also plays a growing role. Financial crime does not respect institutional boundaries. Access to shared intelligence helps institutions stay ahead of emerging threats rather than reacting in isolation.

Finally, transparency matters. Regulators expect clear, auditable logic that explains how risks are assessed and decisions are made.

Where Technology Can Support Better Outcomes

Technology alone does not solve AML challenges, but the right architecture can materially improve effectiveness.

Modern AML platforms increasingly support end-to-end workflows, covering onboarding, screening, transaction monitoring, risk scoring, investigation, and reporting within a connected environment.

Advanced analytics and machine learning can help reduce false positives while improving detection quality, when applied carefully and transparently.

Equally important is the ability to incorporate new intelligence quickly. Systems that can ingest updated typologies without lengthy redevelopment cycles are better suited to evolving risk landscapes.

How Tookitaki Supports This Evolution

Within this shifting environment, Tookitaki supports institutions as they move toward more effective AML outcomes.

FinCense, Tookitaki’s end-to-end compliance platform, is designed to support the full AML lifecycle, from real-time onboarding and screening to transaction monitoring, dynamic risk scoring, investigation, and reporting.

A distinguishing element is its connection to the AFC Ecosystem. This is a collaborative intelligence network where compliance professionals contribute, validate, and refine real-world scenarios based on emerging risks. These scenarios are continuously updated, allowing institutions to benefit from collective insights rather than relying solely on internal discovery.

For New Zealand institutions, this approach supports regulatory priorities around effectiveness, timeliness, and explainability. It strengthens detection quality while maintaining transparency and governance.

Importantly, technology is positioned as an enabler of better outcomes, not a substitute for oversight or accountability.

What Compliance Leaders in New Zealand Should Be Asking Now

In light of the RBNZ action, there are several questions worth asking internally.

• Can we evidence the effectiveness of our AML controls, not just their existence?
• How quickly do alerts move from detection to suspicious transaction reporting?
• Are enhanced due diligence triggers dynamic or static?
• Do we regularly test monitoring logic against emerging typologies?
• Could we confidently explain our AML decisions to the regulator tomorrow?

These questions are not about fault-finding. They are about readiness.

Looking Ahead

The Reserve Bank’s action against ASB marks a clear shift in New Zealand’s AML supervisory landscape. Effectiveness, timeliness, and accountability are now firmly in focus.

For financial institutions, this is both a challenge and an opportunity. Those that proactively strengthen their AML operating models will be better positioned to meet regulatory expectations and build long-term trust.

Ultimately, the lesson extends beyond one case. AML compliance in New Zealand is entering a new phase, one where outcomes matter as much as intent. Institutions that adapt early will define the next standard for financial crime prevention in the market.