
AML Compliance for Malaysian Fintechs: What BNM Expects from PSPs, eWallets and Lenders

Tookitaki
30 Jun 2026
5 min read

Bank Negara Malaysia treats fintech compliance with the same seriousness as bank compliance. The AMLATFPUAA 2001 (Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act) applies to all reporting institutions, not just licensed banks. Payment system operators, e-money issuers, remittance service providers, and licensed moneylenders are all within scope. BNM's AML/CFT and Targeted Financial Sanctions policy document for financial institutions, in force since 2020, sets out the obligations that every reporting institution must meet regardless of its licence type or business model.

For Malaysian fintechs, the compliance challenge is not a lack of regulatory clarity. BNM has published detailed guidance. The challenge is operational: building a monitoring and investigation programme capable of handling the transaction volumes, customer onboarding speeds, and cross-border payment flows that define fintech business models, while meeting the same documentation and audit standards that BNM examines in traditional financial institutions.


What BNM requires from fintech reporting institutions

A documented AML/CFT programme. Every reporting institution must maintain a written AML/CFT compliance programme covering its policies, procedures, and controls for detecting and managing ML/TF risk. The programme must be approved at board or senior management level, reviewed regularly, and updated when the institution's risk profile changes materially. BNM assesses the programme for operational embedding: a policy document that is not reflected in actual process is not compliant.

A risk assessment. The AML/CFT programme must be grounded in a documented risk assessment that identifies the institution's specific ML/TF risks by customer type, product, delivery channel, and geographic exposure. For fintechs, this means assessing risks that do not appear in traditional bank risk assessments: anonymous or pseudonymous onboarding flows, high-velocity micro-transaction patterns, digital wallet top-up and cash-out cycles, and cross-border remittance corridors to markets with weaker AML/CFT frameworks.

Customer due diligence. BNM's CDD framework applies from the point of customer onboarding. eKYC is permitted under BNM's eKYC Policy Document: fintech companies may verify customer identity through digital means, including biometric verification and document scanning, provided the process meets BNM's reliability and independence standards. For e-money issuers, tiered CDD applies: lower-tier accounts with transaction and balance limits may qualify for simplified CDD, while accounts above BNM's defined thresholds require full standard CDD. EDD is required for higher-risk customers, PEPs, customers from high-risk jurisdictions, and any customer whose transaction profile raises unexplained inconsistencies.

Transaction monitoring. Ongoing monitoring of customer transactions is required to detect patterns inconsistent with the customer's known profile, account purpose, or stated occupation. For high-volume payment platforms and e-wallets processing thousands of transactions per hour, this monitoring must be automated and calibrated to flag activity that is unusual relative to the customer's own history and peer segment, rather than simply high-volume activity: a busy merchant account and a retail wallet have different baselines, and a single static threshold applied to both produces either missed cases or unmanageable alert volumes.

Suspicious Transaction Reports. STRs must be filed with BNM's Financial Intelligence and Enforcement Department (FIED) when the institution has reason to suspect a transaction involves proceeds of a serious offence or terrorism financing. There is no minimum value threshold. BNM assesses both the volume and the quality of STR filings: investigation narratives must document the specific indicators of suspicion and the steps taken before filing.

Record keeping. All CDD documents, transaction records, and investigation files must be retained for a minimum of six years under the AMLATFPUAA. This is longer than the five-year minimum in several comparable APAC jurisdictions and applies from the date of the transaction or the end of the relationship, whichever is later.

The AML risk profile specific to Malaysian fintechs

E-wallet top-up and cash-out cycles. E-money accounts can be funded from multiple sources (bank transfers, cash agents, debit cards, and peer transfers) and cashed out through merchant payments, peer transfers, or bank withdrawals. This cycle is a standard feature of legitimate e-wallet use, but the same pattern is used to layer funds through multiple accounts. Monitoring that flags every high-velocity cycle as suspicious generates unmanageable false positive volumes. Monitoring calibrated to distinguish layering patterns from legitimate usage requires behavioural analysis, not just threshold rules.

Cross-border remittance corridors. Malaysia has significant remittance flows to Indonesia, Bangladesh, Nepal, Myanmar, and the Philippines. These corridors carry variable ML/TF risk, and FATF's evolving grey list means that risk levels on specific corridors change over time. Remittance service providers licensed by BNM must maintain monitoring that incorporates current jurisdiction risk classifications, not static settings last updated at system implementation.

Mule account exploitation. Online scam proceeds, investment fraud payouts, and business email compromise flows increasingly move through fintech accounts before exiting to offshore destinations. Mule accounts at e-wallet providers and PSPs tend to be identified later than mule accounts at traditional banks, because the transaction cycles are faster and the individual transaction values are lower, so single-account rules rarely fire before the funds have moved on. Detection requires network-level analysis across account relationships: which accounts share devices, funding sources, or beneficiaries, and how funds flow between them.

Tiered account limits and structuring. BNM's tiered CDD framework creates natural transaction limits on lower-tier accounts. Financial crime networks structure transfers to stay within those limits across multiple accounts, each one individually compliant with its tier. Standard threshold-based rules that evaluate each account in isolation miss structured patterns that only become visible when the linked accounts are aggregated and assessed as one network.
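The gap described in the two paragraphs above (a per-account threshold rule that never fires, while the same transfers aggregated across linked accounts plainly exceed the tier limit) can be shown with a small piece of detection logic. The block below is an added example written for this page; it is not FinCense code, and the tier limit, the near-limit ratio, the minimum cluster size and the sample transactions are all constructed assumptions rather than BNM's actual figures. Accounts are linked when they share a device fingerprint or a beneficiary, which is one of several linkage signals a real system would use.

```python
"""Per-account threshold rule vs network-level aggregation for structuring
across tiered e-money accounts. Added example; limits and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical lower-tier daily outflow limit (RM). BNM's real tier limits are
# deliberately not reproduced here.
TIER_DAILY_OUTFLOW_LIMIT = 5_000.0
NEAR_LIMIT_RATIO = 0.8   # a transfer at >= 80% of the limit counts as "near limit"
MIN_CLUSTER_SIZE = 3     # linked near-limit accounts needed before a cluster alerts


@dataclass(frozen=True)
class Txn:
    txn_id: str
    date: str         # YYYY-MM-DD
    wallet: str       # originating e-money account
    device: str       # device fingerprint used for the transfer
    beneficiary: str  # destination account
    amount: float


# Constructed sample: four low-tier wallets, each under the limit on its own,
# cashing out to one beneficiary from two shared devices, plus one unrelated wallet.
SAMPLE = [
    Txn("t1", "2025-03-01", "W001", "dev-A", "B-999", 4_500.0),
    Txn("t2", "2025-03-01", "W002", "dev-A", "B-999", 4_800.0),
    Txn("t3", "2025-03-01", "W003", "dev-B", "B-999", 4_700.0),
    Txn("t4", "2025-03-01", "W004", "dev-B", "B-999", 4_900.0),
    Txn("t5", "2025-03-01", "W777", "dev-Z", "B-123", 1_200.0),
]


def per_account_alerts(txns):
    """Classic rule: alert when one wallet's outflow in a day exceeds the tier limit."""
    daily = defaultdict(float)
    for t in txns:
        daily[(t.wallet, t.date)] += t.amount
    return sorted(w for (w, _d), total in daily.items() if total > TIER_DAILY_OUTFLOW_LIMIT)


def linked_clusters(txns):
    """Union wallets that share a device or a beneficiary; return the connected components."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    by_device, by_benef = defaultdict(set), defaultdict(set)
    for t in txns:
        find(t.wallet)  # register every wallet, even one with no links
        by_device[t.device].add(t.wallet)
        by_benef[t.beneficiary].add(t.wallet)
    for group in list(by_device.values()) + list(by_benef.values()):
        first = next(iter(group))
        for w in group:
            union(first, w)
    comps = defaultdict(set)
    for w in parent:
        comps[find(w)].add(w)
    return [frozenset(c) for c in comps.values()]


def network_alerts(txns):
    """Aggregate outflow per cluster and day; alert when the cluster as a whole exceeds
    the limit through several near-limit transfers that no single account breaches."""
    alerts = []
    for cluster in linked_clusters(txns):
        per_day = defaultdict(lambda: {"total": 0.0, "near_limit": set()})
        for t in txns:
            if t.wallet in cluster:
                d = per_day[t.date]
                d["total"] += t.amount
                if t.amount >= NEAR_LIMIT_RATIO * TIER_DAILY_OUTFLOW_LIMIT:
                    d["near_limit"].add(t.wallet)
        for date, d in per_day.items():
            if d["total"] > TIER_DAILY_OUTFLOW_LIMIT and len(d["near_limit"]) >= MIN_CLUSTER_SIZE:
                alerts.append({"date": date, "wallets": tuple(sorted(cluster)),
                               "total": d["total"], "near_limit_accounts": len(d["near_limit"])})
    return alerts


if __name__ == "__main__":
    print("per-account rule:", per_account_alerts(SAMPLE))  # nothing fires
    for a in network_alerts(SAMPLE):
        print("network alert:", a)
```

On the constructed sample the per-account rule returns nothing, because every wallet stays under the limit; the network rule links W001 to W004 through their shared devices and beneficiary and alerts on a combined one-day outflow of RM 18,900 from four near-limit accounts, while the unrelated wallet W777 forms its own cluster and stays quiet. The same clustering step is what a mule-network analysis starts from; the difference is which linkage attributes and flow features are layered on top of it.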


How Tookitaki's FinCense supports Malaysian fintech compliance

AFC Ecosystem: typology coverage for fintech-specific patterns. FinCense's detection is powered by Tookitaki's Anti Financial Crime (AFC) Ecosystem, a federated intelligence network of 30+ financial institutions across APAC that share financial crime typologies without exchanging customer data. The AFC Ecosystem's typology library includes patterns specifically relevant to the Malaysian fintech environment: e-wallet layering structures, remittance corridor typologies for the corridors BNM identifies as elevated risk, and mule account network patterns identified across the network's member institutions. When a new structuring technique targeting tiered e-money accounts is identified at one member institution, it is validated through the network and made available to every other member. Detection stays current without internal scenario engineering cycles.

Transaction monitoring calibrated for high-volume fintech portfolios. FinCense's transaction monitoring uses scenario-based detection rather than static threshold rules. Each scenario encodes the full behavioural pattern of a known financial crime typology, drawn from AFC Ecosystem intelligence. Automated Threshold Tuning recommends optimal monitoring thresholds for distinct customer segments within the institution's portfolio. A high-volume merchant payment account and a retail e-wallet customer have genuinely different normal transaction profiles, and monitoring calibrated to each segment generates fewer false positives while maintaining coverage across both. Institutions using FinCense reduce false positive volumes by up to 70% compared to legacy rule-based systems, freeing investigation capacity for the alerts that represent genuine suspicious activity.

Screening at onboarding and on an ongoing basis. FinCense's screening module uses natural language processing and machine learning to match customer and transaction data against BNM's sanctions lists, UN Security Council designations, PEP databases, and adverse media sources. Fuzzy matching handles name variants and transliterations that exact-string matching misses, reducing false positive screening volumes while maintaining the coverage BNM's CDD obligations require. For remittance transactions, real-time screening covers originator, beneficiary, and intermediary details before settlement, addressing the travel rule obligation for cross-border transfers under BNM's AML/CFT framework. For a detailed view of BNM's KYC and CDD requirements, see our KYC requirements Malaysia guide.
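To make concrete why exact-string matching misses name variants and transliterations, here is an added example (not FinCense's screening code, whose matching logic is not described on this page) of the normalise-then-fuzzy-match approach. The watchlist entries are constructed placeholders and not real designations; the variant table and the 0.85 threshold are assumptions for illustration, and a production system would carry a much larger, maintained variant table and tune the threshold per list.

```python
"""Exact vs normalised fuzzy name screening. Added example; the watchlist entries
are constructed placeholders, not entries from any BNM or UN list."""
import re
import unicodedata
from difflib import SequenceMatcher

# Particles that carry no identifying weight in Malay and Arabic-script names.
PARTICLES = {"bin", "binti", "b", "bt", "bte", "al", "el"}

# Common transliteration variants collapsed onto one spelling (assumption: a
# production table would be far larger and maintained alongside the lists).
VARIANTS = {
    "mohamed": "muhammad", "mohammad": "muhammad", "mohammed": "muhammad",
    "mohd": "muhammad", "muhamad": "muhammad",
    "abdulla": "abdullah", "abdallah": "abdullah",
}


def normalise(name: str) -> list[str]:
    """Casefold, strip diacritics and punctuation, drop particles, collapse variants."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).casefold()
    tokens = re.findall(r"[a-z]+", s)
    return [VARIANTS.get(t, t) for t in tokens if t not in PARTICLES]


def token_similarity(a: list[str], b: list[str]) -> float:
    """Best-match each token of the shorter name against the longer one and average
    the per-token similarity ratios (0.0 to 1.0)."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    if not short:
        return 0.0
    remaining = list(long_)
    total = 0.0
    for tok in short:
        best_i, best = None, 0.0
        for i, cand in enumerate(remaining):
            r = SequenceMatcher(None, tok, cand).ratio()
            if r > best:
                best_i, best = i, r
        total += best
        if best_i is not None:
            remaining.pop(best_i)  # each list token is consumed at most once
    return total / len(short)


# Constructed watchlist for demonstration only; these are not real designations.
WATCHLIST = ["MUHAMMAD ABDULLAH", "NGUYEN VAN THANH"]


def exact_screen(name: str, watchlist=WATCHLIST) -> list[str]:
    """Case-insensitive exact comparison: the behaviour fuzzy matching replaces."""
    return [e for e in watchlist if e.casefold() == name.casefold()]


def fuzzy_screen(name: str, watchlist=WATCHLIST, threshold: float = 0.85):
    """Return (entry, score) pairs at or above the threshold, best score first."""
    q = normalise(name)
    hits = []
    for e in watchlist:
        score = token_similarity(q, normalise(e))
        if score >= threshold:
            hits.append((e, round(score, 3)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for query in ["Mohamed bin Abdullah", "Mohd. Abdullah", "Muhamad Abdulah", "Maria Gonzalez"]:
        print(f"{query!r}: exact={exact_screen(query)} fuzzy={fuzzy_screen(query)}")
```

"Mohamed bin Abdullah" and "Mohd. Abdullah" both miss under exact comparison and score 1.0 after normalisation, "Muhamad Abdulah" (one letter off in each token) still scores above the threshold, and "Maria Gonzalez" is not matched. The threshold is the false-positive lever: lowering it catches more spelling drift at the cost of more analyst reviews, which is exactly the trade-off the paragraph above describes.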

Case management for BNM FIED reporting. FinCense's integrated case management connects monitoring alerts, screening results, investigation workflows, and STR report generation in a single environment. AI-generated investigation notes document the specific indicators of suspicion and the steps taken for each case, directly improving the narrative quality of STRs filed with BNM FIED. The investigation record creates the six-year audit trail BNM expects to find when examining a reporting institution's monitoring programme. For fintech compliance teams managing high alert volumes with lean teams, the reduction in investigation time per case has a direct operational impact.

Unified AML and fraud detection. For Malaysian fintech institutions managing both AML obligations and fraud risks, including scam-linked flows and mule account exploitation, FinCense provides unified detection across both on a single engine and shared data layer. The cross-typology view closes the gap that separate fraud and AML systems create, and the operational workflow for e-wallet scam proceeds combines fraud indicators and AML indicators in a single case. For more on how unified fraud and AML detection works, see our FRAML guide.

BNM's supervisory focus on fintech compliance has intensified as the sector has grown. Institutions that build their AML programme on a platform calibrated to the specific risk profile of high-volume digital payments, updated continuously as financial crime typologies evolve, are positioned for current examination cycles and the regulatory expectations ahead.

For a broader view of AML compliance for digital banks in Malaysia, see our digital banking Malaysia AML guide. For a complete overview of BNM's AML/CFT requirements, see our Malaysia AML compliance guide.

To see how FinCense is deployed for BNM-regulated fintech institutions, book a demo with our Malaysia compliance team.

