The Philippines was grey-listed by FATF in June 2021. The formal findings cited several strategic deficiencies — inadequate suspicious transaction report filings, weak transaction monitoring calibration, and gaps in oversight of virtual asset service providers. These were not abstract policy failures. They reflected real examination findings inside real financial institutions.

The Philippines exited the grey list in January 2023 after demonstrating legislative reform and measurable supervisory improvement. That exit was a significant regulatory milestone. It was not the end of BSP's focus on transaction monitoring quality.

If anything, the post-exit period has intensified examination scrutiny. BSP examiners now have two years of data on which institutions improved their AML programmes during the grey-list period and which made the minimum adjustments to satisfy the timeline. Compliance teams treating January 2023 as the end of a compliance improvement cycle are misreading where BSP examination focus is heading in 2026.

The Philippines AML Framework: The Foundation for Transaction Monitoring

Transaction monitoring obligations for Philippine financial institutions rest on a layered statutory and regulatory framework.

The primary legislation is Republic Act 9160, the Anti-Money Laundering Act of 2001, as amended by RA 9194, RA 10167, RA 10365, and RA 11521 in 2021. RA 11521 was the most significant package of amendments — it expanded the list of covered persons, strengthened freeze and forfeiture powers, and addressed VASP oversight, which had been a specific FATF deficiency finding.

The Anti-Money Laundering Council (AMLC) is the Philippines' Financial Intelligence Unit. It is a collegial body comprising the BSP Governor, the SEC Chairperson, and the Insurance Commissioner. AMLC issues implementing rules and regulations under AMLA, maintains the Philippines' FIU reporting systems, and receives CTR and STR filings from covered institutions.

BSP functions as the prudential supervisor for banks, quasi-banks, e-money issuers, remittance companies, and virtual asset service providers. In the AML context, BSP issues its own circulars that operationalise AMLA requirements for supervised institutions. BSP Circular 706 is the foundational AML circular, establishing the programme requirements — customer due diligence, transaction monitoring, record-keeping, reporting — that all BSP-supervised institutions must implement. Subsequent circulars have amended and extended these requirements.

For a detailed explanation of how transaction monitoring works as a function within a broader AML programme, the compliance hub guide covers the mechanics. What this article addresses is the specific Philippine regulatory framework that governs how that function must be structured.

BSP Circular 706: What the Monitoring Requirement Actually Requires

BSP Circular 706 does not prescribe a specific system architecture or vendor. It requires covered institutions to implement a risk-based transaction monitoring system commensurate with the nature, size, and complexity of their business.

The system must be capable of detecting:

• Unusual transactions that deviate from the customer's established pattern
• Suspicious patterns across multiple transactions over time
• Transactions inconsistent with the customer's stated business purpose or risk profile
• Structuring activity — transactions split or sequenced to avoid reporting thresholds

Alert investigation is where many institutions' programmes fall short. Under Circular 706, every alert generated by the monitoring system must be assessed by the designated AML compliance officer or a delegated AML officer. The assessment must be documented. Either the alert is closed with a written rationale explaining why it does not require escalation, or it is escalated to an STR review. An alert queue with no documented dispositions is an examination finding regardless of the sophistication of the detection logic that generated those alerts.

Calibration requirements are explicit: monitoring thresholds and detection scenarios must be reviewed when the institution's customer profile changes materially, when new products are launched, and at minimum on an annual basis. Institutions that deployed a monitoring system with vendor-default thresholds and have not since documented a calibration review — with written evidence, specific dates, and sign-off from a named responsible officer — cannot demonstrate compliance with this requirement.

Record retention applies to all investigation records. BSP examiners will sample alert dispositions. They expect to see both the trigger logic that generated the alert and the investigation rationale that determined its outcome. A system that generates alerts but cannot produce the decision trail does not meet the documentation standard.

AMLC Reporting: Thresholds, Timelines, and the Tipping-Off Prohibition

Two primary reporting obligations flow from an effective transaction monitoring programme.

Covered Transaction Reports (CTRs) apply to cash transactions or cash equivalents within a single banking day amounting to PHP 500,000 or more. The filing deadline is 5 working days from the date of the transaction. CTRs are volume-driven — a compliant programme needs a workflow that captures these transactions automatically and routes them to the filing process within the deadline.

Suspicious Transaction Reports (STRs) have no minimum threshold. The reporting obligation is triggered by suspicion, not by transaction size. A PHP 5,000 transaction can require an STR if the compliance officer determines that it is suspicious. The filing deadline is 5 working days from the date of determination — meaning the date on which the compliance officer concluded that the transaction or attempted transaction is suspicious. This distinction is important. The clock does not start when the underlying transaction occurred. It starts when the determination is made. Institutions with investigation workflows that allow alerts to sit unworked for days before a determination is reached are systematically at risk of missing this deadline.

The tipping-off prohibition under AMLA is absolute. An institution is strictly prohibited from informing, or taking any action that would inform, the subject of a transaction that an STR has been or is being prepared. Violation is a criminal offence. This prohibition must be embedded in investigation procedures — particularly for institutions where front-line relationship managers are involved in the investigation process and may have direct contact with the customer.

All CDD records, transaction records, and monitoring documentation must be retained for a minimum of 5 years.

VASP-Specific Transaction Monitoring: BSP Circular 1108

BSP Circular 1108, issued in 2021, established the regulatory framework for Virtual Asset Service Providers — crypto exchanges, custodian wallet providers, and peer-to-peer virtual asset trading platforms. VASPs are classified as covered persons under AMLA and must register with both BSP and AMLC.

The transaction monitoring requirements for VASPs are structurally the same as for other BSP-supervised institutions: automated monitoring system, calibrated thresholds, documented alert investigations, CTR and STR filing. There is no lighter-touch version of these requirements because the institution is dealing in virtual assets rather than fiat currency.

VASP-specific compliance under AMLC also incorporates the FATF Travel Rule — Recommendation 16. BSP has signalled alignment with this requirement, meaning VASPs must collect and transmit originator and beneficiary information for virtual asset transfers above the USD 1,000 equivalent threshold. This is not a future aspiration — it is part of the BSP-supervised VASP compliance framework now.

The monitoring challenge for VASPs is that generic bank TM scenario libraries do not cover the typologies that matter in the virtual asset context. Peer-to-peer volume clustering, rapid stablecoin conversion, mixing and tumbling patterns, and cross-chain transfers all require scenario coverage that a standard bank monitoring ruleset does not include. A VASP that has deployed a bank-oriented monitoring system without building crypto-specific detection logic has a coverage gap that a BSP examination of its VASP activities will find.

For Philippine institutions managing sanctions screening obligations under BSP and AMLC alongside their transaction monitoring programme, the VASP context adds a further dimension — virtual asset transfers require real-time sanctions screening at the point of instruction, not batch processing.

Risk-Based Monitoring in Practice: What BSP Expects

BSP's supervision approach is explicitly risk-based. The monitoring programme must reflect the institution's own customer risk assessment. An institution with a predominantly retail customer base has different monitoring requirements than one serving high-net-worth individuals, corporate treasuries, or remittance corridors into high-risk jurisdictions.

High-risk customer categories in the Philippines context include:

• Politically exposed persons (PEPs) and their relatives and close associates — the Philippines context includes domestic PEPs at national and local government level
• Customers from FATF-listed high-risk and other monitored jurisdictions
• Customers with beneficial ownership structures involving foreign holding entities
• Remittance customers sending to AMLC-designated high-risk corridors, including specific Middle East and US remittance routes

Philippine-specific typologies that monitoring scenarios must cover include e-wallet mule account networks — GCash and Maya are both BSP-supervised e-money platforms with significant retail penetration, and BSP has specifically flagged mule account exploitation as a monitored typology. Authorised push payment scam layering through bank accounts is a growing pattern. Cross-border structuring via remittance corridors to the US and Middle East is a documented Philippines financial crime pattern.

BSP examination practice has consistently identified one category of finding above others: institutions that use vendor-default monitoring thresholds without any documented evidence that those thresholds were reviewed against the institution's specific customer risk profile. A threshold set to vendor defaults is not a risk-based threshold. It is a vendor threshold that may or may not be appropriate for a given institution's risk profile — and the institution cannot demonstrate which without a documented calibration exercise.

Common Transaction Monitoring Examination Findings

Based on BSP examination findings and regulatory guidance since the grey-list period, the following deficiency patterns appear repeatedly.

STR filing delays. The 5-working-day deadline runs from determination. Institutions with investigation backlogs — where alerts sit in a queue without active review — push the determination date later, which compresses the filing window. When the investigation eventually concludes, the STR filing is already late. This is a workflow problem, not a detection problem.

Alert backlog. BSP examiners will note alert queues older than 15 working days. This signals either inadequate compliance staffing relative to alert volume, or threshold miscalibration generating more alerts than the team can process. Examiners will record both problems. Hiring more staff to work an oversized alert queue from miscalibrated thresholds is an expensive partial fix; recalibrating thresholds to produce a manageable, risk-relevant alert population addresses the root cause.

E-money product gaps. Institutions that monitor deposit accounts but have not extended monitoring to their e-money wallet products have a coverage gap that BSP has specifically flagged. If the institution's covered products include e-wallet services, those products must be within the monitoring scope.

STR quality. Since the grey-list period, BSP and AMLC have focused on the quality of STR content, not just filing volume. An STR that is filed within the deadline but contains insufficient information for AMLC to take investigative action is still a finding. The report must contain enough context — transaction history, customer background, the specific facts that triggered suspicion — for AMLC to act on it.

Beneficial ownership monitoring gaps. Corporate accounts where the ultimate beneficial owner changes without triggering a monitoring review represent a structural gap. If a corporate customer's UBO changes, the customer risk profile may have changed materially. A monitoring programme that does not incorporate this trigger into its review logic will miss the shift.

A Practical Checklist for a BSP-Compliant Transaction Monitoring Programme

For compliance officers conducting a gap assessment of their current programme, the following items constitute the minimum floor of BSP compliance:

Automated monitoring system in place — not a manual review process. The system name and version should be documented and available for examiner reference.

Thresholds calibrated to the institution's customer risk assessment, not vendor defaults. Written evidence of calibration reviews, with dates and sign-off from a named responsible officer.

Coverage across all product lines: deposit accounts, remittance products, e-money wallets, and VASP services where applicable. A monitoring programme that covers some products but not others leaves documented gaps for examiners to find.

CTR and STR workflows with investigation trails and filing deadline tracking. The 5-working-day CTR and STR filing deadlines must be tracked systematically, not managed informally.

Annual typology review: do the scenarios in the monitoring system cover current Philippine financial crime patterns? APP scams, e-wallet fraud networks, and crypto layering typologies have become examination-relevant — they should be reflected in active detection scenarios.

When evaluating transaction monitoring software against these requirements, the buyer's guide provides a structured framework covering system functionality, calibration capability, case management, and audit trail requirements.

How FinCense Addresses the BSP and AMLC Framework

FinCense is pre-configured with BSP-aligned typologies, including e-wallet fraud patterns and Philippines remittance corridor scenarios. These are not generic rules relabelled for the Philippine market — they reflect the specific financial crime patterns that BSP and AMLC examination programmes have flagged as priorities.

The CTR and STR filing workflow is built into FinCense case management. The 5-working-day filing deadline is tracked automatically from the determination date, with escalation triggers when deadlines are at risk. Compliance officers do not manage this deadline manually.

VASP scenario coverage is included within the same platform — crypto-specific detection does not require a separate system layered alongside a bank monitoring deployment. The Travel Rule data collection workflow is integrated.

In production deployments across Southeast Asian financial institutions, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. For compliance teams managing alert backlogs that strain staffing capacity, this is not a secondary benefit — it is the operational change that makes risk-based investigation feasible.

Book a demo to see FinCense running against Philippines-specific BSP and AMLC scenarios, including e-wallet typologies, remittance corridor detection, and the CTR/STR workflow with filing deadline tracking.

It is a Thursday afternoon. Your firm is processing remittances on the Singapore–Philippines corridor — six thousand transactions before the weekend. You are licensed under MAS as a Major Payment Institution and registered as a Remittance and Transfer Company with the BSP in Manila. MAS published updated PSN02 guidance last month. This morning, the BSP examination schedule landed in your inbox. Two regulators. Two compliance programmes. One compliance team of four people. That is the daily operating reality for most APAC-licensed remittance operators, and it is the starting point for every AML programme design conversation.

This guide covers what money transfer AML compliance APAC-wide actually requires — by jurisdiction, by obligation, and by what good operational execution looks like.

Why Remittance Companies Carry Higher AML Risk

FATF has consistently identified remittance and money transfer as a high-risk sector. Not because remittance operators are bad actors, but because of the transaction patterns that characterise the business.

Remittance is cash-intensive in many corridors. Some jurisdictions allow senders to pay in cash at agent locations with limited identification requirements. High-volume, low-value transactions create conditions where structuring — the practice of breaking amounts to stay below reporting thresholds — is easier to conceal than in lower-volume banking environments. A customer sending MYR 500 twice a week looks almost identical to a customer structuring around MYR 25,000 CTR thresholds.

FATF Recommendation 16 — the Travel Rule — applies specifically to wire transfers. Remittance companies are wire transfer originators. They must collect, transmit, and retain originator and beneficiary information with every qualifying transfer. This is not the same obligation as KYC. It is a data transmission requirement that sits on top of the CDD framework.

The cross-border nature of remittance creates bilateral exposure. A transfer from Singapore to Manila passes through both MAS and BSP oversight. A compliance failure — a missed STR, an inadequate CDD record, a Travel Rule data gap — does not stay in one jurisdiction. Both regulators can examine the same transaction.

The APAC corridors under heaviest examination scrutiny are among the highest-volume remittance corridors in the world: Singapore–Philippines, Malaysia–Bangladesh, Australia–India, and Philippines–Middle East. High volume does not reduce examiner focus. It increases it.

APAC Regulatory Obligations by Jurisdiction

Singapore (MAS)

Cross-border money transfer above SGD 3 million per month requires a Major Payment Institution licence under the Payment Services Act. The MAS PSA AML obligations for payment institutions are set out in PSN02, which covers CDD, ongoing monitoring, and STR and CTR filing requirements.

The FATF Travel Rule applies at SGD 1,500. For every transfer at or above that threshold, the MPS must transmit originator name, account number, and address or national identity number — plus beneficiary name and account number — to the receiving institution with the payment. The obligation to transmit sits with the sender regardless of whether the beneficiary institution can receive the data in structured form.

STR filing must occur within five business days of the determination that the transaction is suspicious. MAS examiners in 2024 specifically cited STR quality — not volume — as an examination focus area. An STR that describes the suspicious transaction in one sentence without analysis of the pattern does not meet the standard.

Australia (AUSTRAC)

All remittance dealers must register with AUSTRAC before commencing operations. Unregistered remittance dealing is a criminal offence under the AML/CTF Act 2006. This is not a technicality — AUSTRAC has prosecuted unlicensed remittance dealing, and its enforcement record includes actions against informal value transfer networks operating in parallel to registered dealers.

Registered remittance dealers carry the same AML/CTF programme obligations as banks under Chapter 16 of the AML/CTF Rules, without the same IT infrastructure to support them. Threshold Transaction Reports apply to cash transactions above AUD 10,000. Suspicious Matter Reports must be filed for qualifying transactions without a fixed deadline, but AUSTRAC expects prompt filing — delays beyond a few days are examined.

Malaysia (BNM)

Remittance operators require a Money Services Business licence under the MSB Act 2011. The AMLATFPUAA framework applies — the same statutory framework as banks — imposing CDD, ongoing monitoring, and STR and CTR obligations.

CTR threshold is MYR 25,000 for cash transactions. STR filing is required within three business days of the determination. BNM's most recent national risk assessment specifically identifies hawala-style informal remittance networks operating alongside licensed MSBs as a risk vector. That finding has translated directly into elevated examination scrutiny for licensed operators, who face more frequent and detailed examinations as regulators attempt to map the boundary between formal and informal channels.

Philippines (BSP)

Remittance operators require a Remittance and Transfer Company licence from the BSP. The AML programme obligations are set by AMLA and BSP Circular 950 — the same framework that governs banks, applied in full to RTCs.

CTR threshold is PHP 500,000. STR filing is required within five business days. The Philippines exited the FATF grey list in January 2023, but exit has not reduced examination pressure — BSP has increased examination frequency for RTCs since 2023, consistent with post-grey-list monitoring by both the BSP and AMLC.

New Zealand (DIA)

Remittance operators are Phase 2 reporting entities under the AML/CFT Act 2009, supervised by the Department of Internal Affairs. The same CDD, ongoing monitoring, and SAR and PTR obligations that apply to banks apply in full to remittance operators. The DIA's supervisory approach includes sector-wide audits and thematic reviews — it does not reserve examination resources only for larger entities.

The FATF Travel Rule in Practice for APAC Remittance Operators

FATF Recommendation 16 requires the originating institution to transmit originator and beneficiary information with every wire transfer above the applicable threshold. Across APAC, the operative thresholds are SGD 1,500 under MAS, AUD 1,000 under AUSTRAC, and USD 1,000 equivalent as the FATF baseline for jurisdictions without a lower domestic threshold.

The data that must travel with the payment: originator name, account number, address or national identity number; beneficiary name and beneficiary account number. These fields must populate the payment message — they cannot be retained on file at the sending institution and supplied only on request.

The operational problem is well-documented. Many beneficiary institutions in the corridors where APAC remittance volumes are highest — particularly in developing-market corridors — do not have systems capable of receiving structured Travel Rule data. The sending institution's obligation does not dissolve because the receiving institution lacks the infrastructure. Compliance requires transmitting the data within whatever message structure the payment uses: MT103 field population for SWIFT transactions, or the equivalent structured fields in ISO 20022 message formats.

Travel Rule technology solutions — TRISA, VerifyVASP, and Sygna Bridge are the most widely deployed in APAC for virtual asset transfers — are increasingly being applied to fiat remittance payment flows as well. For most APAC remittance operators on real-time domestic rails, the Travel Rule data obligation sits inside the payment message design, not in a separate data transmission layer.

Transaction Monitoring Requirements Specific to Remittance

High-volume, low-value transaction environments cannot be monitored with the dollar-threshold rules designed for retail banking. A rule that fires above USD 5,000 will miss the dominant remittance pattern entirely — hundreds of transactions at USD 200 to USD 500 per customer per month — and generate alert noise on the routine flows that constitute most of the business.

For an overview of how automated transaction monitoring works, the underlying detection logic matters more than the threshold level. Remittance monitoring is a typology problem, not a threshold problem.

Velocity monitoring is the primary detection method for mule accounts in remittance networks. The pattern is not a single large transfer — it is twenty transactions in forty-eight hours across multiple corridors from the same account or beneficial owner. A system calibrated only to flag high-value single transactions will not detect this.

Corridor-specific scenario calibration is not optional. The Singapore–Philippines corridor has different fraud typologies from the Malaysia–Bangladesh corridor. Monitoring scenarios applied generically across all corridors without tuning for the specific patterns in each one will produce both false positives on legitimate traffic and false negatives on actual suspicious activity.

Round-number structuring is the simplest pattern and the one most often missed by single-threshold rules. Transactions consistently placed just below the CTR threshold — MYR 24,500, AUD 9,800, PHP 499,000 — are a textbook structuring indicator. A rule with a single threshold at the CTR level will not catch this. The detection logic must look at the cluster of transactions below the threshold, not just the individual transaction value.

Beneficiary account reuse is a mule indicator: multiple unrelated customers sending to the same unfamiliar beneficiary account. This pattern requires a system capable of cross-customer analysis, not just single-customer transaction review. Rules-based systems that process each customer's alerts in isolation cannot detect it.

For remittance operators evaluating their technology choices, the same detection architecture issues apply as those covered in TM for payment companies and e-wallets — the product and customer profiles are different, but the architectural requirements for cross-customer scenario coverage are the same.

What Good Looks Like for a Multi-Jurisdiction Remittance Operator

A compliance officer managing two or three APAC licences simultaneously with a small team is not running a bank compliance programme at reduced scale. The operational structure is different.

A single TM platform across all jurisdictions is operationally necessary, not aspirational. Compliance officers in multi-jurisdiction firms who reconcile alerts from separate system instances — one per market — spend time on logistics that should go into analysis. The same transaction, flagged differently in two systems because the rule calibrations differ, creates reconciliation work that multiplies with volume.

Pre-settlement processing on real-time rails is required where payment is irrevocable on settlement. On PayNow, DuitNow, NPP, and InstaPay, a payment that clears cannot be recalled. Batch monitoring that runs after settlement has already processed the payment before the alert fires. The monitoring must run against the payment instruction before settlement, not the settled record.

Travel Rule data workflow integrated into the payment process eliminates the manual population of originator and beneficiary data as a separate step. When Travel Rule data handling is separated from payment processing and managed by different team members, the data quality degrades and the audit trail becomes inconsistent.

STR and CTR filing workflows built per jurisdiction address the material operational differences between regulatory regimes: different templates, different filing portals, different time windows, different field requirements. A case management system that requires the analyst to manually navigate those differences for each jurisdiction adds material risk. The workflows should enforce the right template for the jurisdiction of the filing, triggered by the currency of the transaction.

Selecting the right platform requires working through a structured evaluation. The Transaction Monitoring Software Buyer's Guide covers the criteria relevant to multi-jurisdiction operators, including how to assess vendor coverage across APAC regulatory regimes.

FinCense for APAC Remittance Operators

FinCense is deployed at remittance and payment operators across APAC — not only at banks. The platform is configured for the transaction patterns, corridor structures, and regulatory filing requirements that remittance operators encounter, not adapted from a banking deployment.

The scenario library includes more than fifty financial crime typologies covering the patterns most prevalent in remittance: mule account networks identified by cross-customer beneficiary account reuse, APP scam indicators in outbound payment flows, velocity structuring across corridors, and cross-border layering patterns. These are pre-built scenarios, not configurations that require the compliance team to write detection logic from scratch.

Pre-settlement processing is available across PayNow, DuitNow, NPP, InstaPay, and FAST — covering the real-time rails in Singapore, Malaysia, Australia, and the Philippines where irrevocable payment risk requires monitoring before settlement, not after.

Multi-jurisdiction STR and CTR filing workflows are built into the case management interface. Filing to AUSTRAC, BNM, AMLC, or MAS FIU from a single case triggers the correct jurisdiction-specific template, with the applicable time window displayed for the analyst at the case level.

In production deployments, FinCense has reduced false positive rates by up to 50% compared to legacy rules-based systems. For a remittance operator managing three hundred thousand transactions per month with a compliance team of four, a 50% reduction in false positive volume is not a performance metric — it is the difference between a workable alert queue and one that structurally cannot be cleared before the next batch arrives.

Book a demo to see FinCense configured for APAC remittance compliance — with corridor-specific scenarios already calibrated and multi-jurisdiction filing workflows built in.

For the full vendor evaluation framework, see the Transaction Monitoring Software Buyer's Guide.

Bank Negara Malaysia shifted from prescriptive to risk-based supervision several years ago. For transaction monitoring, that shift has specific consequences. Institutions that run static threshold-only systems — rules set at go-live and unchanged since — are increasingly out of step with what BNM examiners expect to see.

Malaysia's FATF Mutual Evaluation, conducted in 2021 and published in 2022, rated the country as partially compliant or non-compliant across several technical recommendations, including Recommendation 10 (customer due diligence) and Recommendation 16 (wire transfers). The evaluation flagged weaknesses in ongoing monitoring and STR quality at reporting institutions. BNM's supervisory response has been direct: examinations since 2022 have placed transaction monitoring programmes under considerably more scrutiny than before the assessment.

This article covers what BNM specifically requires from a transaction monitoring programme, the reporting thresholds institutions must meet, what examiners look for in practice, and where FinCense addresses the framework.

For background on Malaysia's full AML/CFT regulatory framework, see our overview of Malaysia's AML/CFT obligations under AMLATFPUAA and the BNM Policy Document.

Malaysia's AML/CFT Regulatory Framework — the TM Foundation

Transaction monitoring in Malaysia sits on two legal instruments.

AMLATFPUAA 2001 (as amended) is the primary legislation. The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 establishes the obligations of Reporting Institutions — who they are, what they must do, and what penalties apply when they fail. The 2014 and 2020 amendments expanded the predicate offence list, brought Designated Non-Financial Businesses and Professions (DNFBPs) into scope, and raised maximum penalties to MYR 3 million per offence.

BNM's AML/CFT/CPF/TFS Policy Document (2023) is the operational standard. This is where BNM translates the Act's obligations into programme requirements — including the specific requirements for transaction monitoring systems, alert investigation processes, and calibration governance. When a BNM examiner cites a deficiency, the reference is almost always to the Policy Document, not to the Act itself.

Reporting Institutions under AMLATFPUAA cover a wide range of entities: licensed banks, Islamic banks, development financial institutions, insurance companies, capital market intermediaries, money services businesses, e-money issuers, digital banks, and — since the Phase 2 expansion in 2020 — lawyers, accountants, and real estate agents.

BNM supervises financial institutions. The Securities Commission supervises capital market intermediaries. The Companies Commission oversees designated company service providers. Each supervisor applies the AMLATFPUAA framework to its regulated population. For BNM-supervised institutions, the Policy Document is the day-to-day compliance standard.

What BNM's Policy Document Requires for Transaction Monitoring

Section 14 of the Policy Document covers ongoing monitoring and record-keeping. The requirements are specific.

Automated systems are mandatory. Institutions must implement an automated transaction monitoring system adequate for the nature, scale, and complexity of their business. Manual review of sampled transactions does not satisfy this requirement. The system must be capable of detecting patterns across the full transaction population, not a sample.

Calibration must reflect the institution's own risk profile. This is the element that static threshold systems most commonly fail on. BNM does not prescribe specific thresholds. It requires that the thresholds and scenarios in use reflect the institution's customer risk assessment — the output of the enterprise-wide risk assessment, not the vendor's default configuration. A rural cooperative bank and a digital bank processing international remittances have materially different customer risk profiles. The same rule library cannot serve both, and BNM's Policy Document makes clear that it is the institution's responsibility to demonstrate that calibration is appropriate to their specific population.

Monitoring must be continuous. BNM's ongoing monitoring language mirrors FATF Recommendation 10 — monitoring must operate across the full course of the customer relationship, not as a periodic batch process that reviews a subset of transactions once a month. For real-time payment channels, this has practical implications: batch processing that catches a transaction two days after settlement is not equivalent to monitoring at the point of transaction.

Every alert must be assessed and documented. BNM expects a documented investigation workflow. Each alert must be assessed, the assessment must be recorded, and the disposition — whether the alert is closed with rationale or escalated to STR review — must be traceable. An alert queue that shows "reviewed" with no supporting investigation record does not satisfy the Policy Document's requirements.

Calibration must be reviewed periodically. At minimum, BNM expects annual calibration reviews. Reviews are also required when the customer base or product profile changes materially — new product launch, significant customer segment growth, entry into a new geographic market. The review and any resulting threshold adjustments must be documented with dated sign-off from a senior compliance officer.

Section 11 of the Policy Document, which covers customer due diligence, is directly relevant to transaction monitoring design. The CDD risk classification assigned to each customer — standard, medium, or high risk — should determine the intensity of monitoring applied to that customer's transactions. An institution that applies identical monitoring rules to all customers regardless of CDD risk classification is not meeting the risk-based requirement.

Reporting Thresholds and STR Obligations

Cash Transaction Reports (CTRs). Transactions in cash or cash equivalents above MYR 25,000 must be reported to BNM's Financial Intelligence and Enforcement Department (FIED) within 3 business days of the transaction.

Suspicious Transaction Reports (STRs). There is no threshold for STR filings. The obligation is triggered by suspicion — when a compliance officer, having reviewed available information, determines that a transaction or pattern of transactions is suspicious. Once that determination is made, the STR must be filed with BNM/FIED within 3 business days.

The 3-business-day clock on STR filings is a common source of examination findings. Where the investigation workflow requires multiple sequential sign-offs before filing, the clock can expire before the report reaches the MLRO. Institutions whose internal escalation processes consistently result in filings on day 3 or later are at risk.

Tipping off prohibition. Institutions must not inform the customer — directly or indirectly — that an STR has been or will be filed. This prohibition extends to staff below compliance officer level and applies during the alert investigation process, not only at the point of filing.

Record retention. All transaction records and CDD documentation must be retained for 6 years from the end of the business relationship. BNM examiners reviewing a programme may request records from any point within that 6-year window. Institutions whose systems do not retain complete alert investigation records for the full retention period will be unable to demonstrate compliance for the period not covered.

Digital Banks and E-Money Issuers — Specific TM Considerations

BNM issued the Digital Bank licensing framework in 2022. Five digital banks have been licensed under that framework. They are subject to the same AMLATFPUAA obligations as conventional licensed banks — including the full Policy Document requirements for transaction monitoring systems, calibration, alert investigation, and reporting.

The assumption that digital banks operate under a lighter compliance perimeter than conventional banks is incorrect. BNM's licensing documentation is explicit: digital banks must meet equivalent standards, adapted for their operating model and customer base.

E-money issuers licensed under the Financial Services Act 2013 have tiered account structures. Tier 1 accounts carry a MYR 5,000 cumulative balance limit and are treated as lower-risk. That lower-risk designation reduces CDD intensity — it does not eliminate transaction monitoring obligations. E-money issuers must monitor for anomalies within the Tier 1 population, including patterns that would not be unusual in isolation but become suspicious in aggregate.

BNM's financial crime risk assessments have specifically identified typologies associated with digital banking and e-wallet channels:

• Mule account layering through e-wallets, where proceeds move through multiple accounts in rapid succession before withdrawal
• Rapid in-out velocity patterns — high-value inflows immediately followed by bulk transfers or withdrawals, with no plausible commercial purpose
• Account takeover followed by bulk transfers, where the transaction pattern changes sharply after a suspected credential compromise

These typologies require specific monitoring rules. Generic monitoring scenarios designed for conventional banking products will not detect them reliably.

BNM has signalled through its 2025 e-money AML/CFT exposure draft that CDD and monitoring requirements for e-money issuers will be tightened if enacted — with specific requirements for transaction monitoring aligned to each institution's customer risk assessment rather than applied at the product level. Institutions that currently apply product-level defaults should treat this as a forward indicator of examination direction.

For BNM's specific KYC and CDD requirements for digital banks and e-money issuers, see our guide to BNM's digital bank and e-money KYC requirements.

Six Criteria for an Effective TM Programme Under BNM

These criteria are derived from BNM's Policy Document requirements and recurring examination findings.

1. Risk-based calibration. Alert thresholds and scenarios must reflect the institution's specific customer risk profile — the output of the enterprise-wide risk assessment, reviewed and updated when the population changes. Vendor defaults are a starting point, not a destination. BNM's examination record shows that institutions running unmodified vendor configurations are routinely cited.

2. Coverage of Malaysian financial crime typologies. BNM's financial crime risk assessments identify specific patterns relevant to the Malaysian market: cross-border trade-based money laundering, corporate account structuring, e-wallet mule networks, and instant payment fraud. These typologies must be in the active rule library, not on a watch list for future implementation.

3. Pre-settlement screening for instant payments. Malaysia's Real-time Retail Payments Platform — RPP, operating as DuitNow — processes irrevocable instant payments. Batch monitoring that reviews DuitNow transactions after settlement cannot intercept a suspicious payment. Pre-settlement evaluation logic, equivalent to what Singapore's PayNow and Australia's NPP require, is necessary for institutions with material DuitNow volumes.

4. Alert quality over alert volume. BNM examination findings have consistently cited alert investigation backlogs — queues with unreviewed alerts older than 30 days — as evidence of inadequate programme maintenance. A system that generates high alert volumes at low accuracy does not demonstrate active monitoring. It demonstrates an overwhelmed compliance function. Reducing false positive rates is not a nice-to-have; it is a programme governance requirement.

5. Explainable alert logic. Compliance analysts must understand why an alert was raised in order to make a quality investigation decision. A model that outputs a suspicion score without an explanation of which behaviours contributed to it puts the analyst in the position of making a filing decision based on a number rather than evidence. BNM examiners reviewing investigation records will ask the analyst what they found and why they made their disposition decision. "The system flagged it" is not an answer.

6. Documented calibration. BNM expects evidence that thresholds are reviewed and adjusted over time. A rule set deployed at system go-live and unchanged for two or three years — with no documentation of reviews, no record of what was considered and rejected, and no sign-off from senior compliance — is a finding in waiting. The documentation requirement exists regardless of whether the thresholds themselves are appropriate.

For a broader overview of how transaction monitoring works and what an effective programme requires, see our introduction to transaction monitoring.

Common BNM Examination Findings in Transaction Monitoring

Based on publicly available supervisory guidance and BNM examination themes, the following findings recur across reporting institutions:

Alert investigation backlogs. Queues with alerts unreviewed for more than 30 days are treated as a red flag. BNM examiners will ask how long the backlog has existed and what steps the compliance function took to address it.

Insufficient typology coverage for digital banking products. Institutions with e-wallet or digital banking products that apply conventional banking monitoring rules without product-specific scenarios are consistently cited for typology gaps.

No evidence of calibration review. Institutions that cannot produce documentation of when thresholds were last reviewed, what data informed the review, and who approved the outcome have a governance failure regardless of whether their thresholds happen to be appropriate.

STR filing delays. Investigation workflows with multiple sequential sign-offs that consistently result in filings on day 3 or later — or that have produced late filings — generate findings. BNM treats the 3-business-day requirement as a firm deadline, not a target.

Inadequate alert disposition documentation. An examiner reviewing a closed alert needs to understand the analyst's rationale. A disposition record that shows the alert was reviewed without documenting what was found, what was considered, and why the decision was made does not meet the Policy Document standard.

How FinCense Addresses the BNM Framework

FinCense is pre-configured with BNM-aligned typologies. The rule library includes DuitNow-specific scenarios — pre-settlement screening logic for instant payments — and e-wallet fraud patterns documented in BNM's financial crime risk assessments.

Alert thresholds are calibrated to each institution's customer risk assessment during implementation. Generic vendor defaults are not applied. The calibration rationale is documented and retained for examination review.

CTR and STR workflows are built into the case management module, with filing deadline tracking. Compliance officers see the filing deadline at the point of alert escalation, not after the 3-business-day window has passed.

In production deployments, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. For a compliance team managing 300 daily alerts, that reduction represents approximately 150 fewer dead-end investigations per day — which directly addresses the backlog problem that BNM examination findings most commonly cite.

Audit trail exports are structured for BNM examination review. Every alert record includes the rule or scenario that triggered it, the investigation timeline, the analyst's documented rationale, and the disposition outcome.

Taking the Next Step

For the complete vendor evaluation framework — including the seven questions to ask any transaction monitoring vendor — see our Transaction Monitoring Software Buyer's Guide.

Book a demo to see FinCense running against BNM-specific Malaysian financial crime scenarios, including DuitNow pre-settlement screening and e-wallet mule detection.