The MAS approval letter arrives. The Major Payment Institution licence is granted. The founders celebrate. The press release goes out.

Then the compliance team sits down.

The PSA licence covers seven categories of payment service activity, and the AML/CFT obligations attached to each are substantive. Unlike MAS Notice 626 for banks, which has years of published guidance, examination findings, and industry interpretation built around it, the PSA AML framework is less documented. The notices exist. The obligations are real. But the compliance team at a newly licensed MPI often has to build from scratch, without the institutional knowledge that banks have accumulated since 2002.

This guide covers what the Payment Services Act requires from licensed payment institutions in Singapore, specifically on AML/CFT. It is written for compliance officers, MLROs, and legal teams at standard payment institutions (SPIs) and major payment institutions (MPIs) who know what the PSA is but need to understand their specific obligations in detail.

The PSA Framework: Scope and Licence Tiers

The Payment Services Act 2019 (PSA) came into force on 28 January 2020 and was substantially amended by the Payment Services (Amendment) Act 2021 (PS(A)A 2021), which extended regulatory coverage to previously unregulated services and introduced stricter obligations for digital payment token providers.

The PSA regulates seven categories of payment service:

1. Account issuance services
2. Domestic money transfer services
3. Cross-border money transfer services
4. Merchant acquisition services
5. E-money issuance services
6. Digital payment token (DPT) services
7. Money-changing services

A firm does not need to offer all seven to be licensed. Many MPIs hold licences for two or three categories — a cross-border remittance operator with an e-money issuance component is common. Each service category the firm is licensed for carries AML/CFT obligations independently.

Two Licence Tiers, Different AML Exposure

The PSA creates two licence tiers that determine the depth of AML obligations.

Standard Payment Institutions (SPIs) are subject to monthly transaction thresholds: SGD 3 million per month across all regulated services, or SGD 1.5 million per month for any single regulated service. At these volumes, SPIs can apply simplified CDD in some circumstances and face lighter ongoing monitoring requirements.

Major Payment Institutions (MPIs) exceed those thresholds. MPIs face the full suite of AML/CFT obligations under MAS Notice PSN01 (or PSN02 for DPT services). MAS expects MPI-level controls to be equivalent in standard to those at licensed banks — the fact that a firm is a payment institution rather than a bank does not reduce the expectation.

One important clarification on scope: the PSA exempts certain intra-group transfers and specific corporate treasury services from its regulated activities. Whether a firm's particular activity falls within an exemption requires analysis of the specific transaction flows — MAS has not published a comprehensive list, and several firms have sought clarification through the licensing process itself.

MAS Notice PSN01: The Core AML Obligations

MAS Notice PSN01 — "Prevention of Money Laundering and Countering the Financing of Terrorism — Holders of a Standard Payment Institution Licence or a Major Payment Institution Licence (Non-DPT Services)" — was issued under section 103 of the PSA and took effect when the Act commenced in January 2020.

PSN01 applies to payment institutions providing any of the seven regulated services except DPT services (which fall under PSN02, covered below). Its structure mirrors MAS Notice 626 for banks, adapted for the payment context.

The four core obligation areas under PSN01 are:

1. Customer Due Diligence (CDD)

Payment institutions must identify and verify customers, understand the nature and purpose of the business relationship, and conduct ongoing monitoring. The CDD threshold for occasional transactions is SGD 1,500 — lower than the SGD 5,000 threshold that applies to banks under Notice 626. This difference reflects the higher anonymity risk in payment services, where customer relationships are typically shorter and account history shallower than in traditional banking.

Enhanced due diligence (EDD) is required for:

• Any transaction above SGD 5,000
• Cross-border transfers to or from jurisdictions on the FATF grey or black list
• Customers who present higher-risk indicators under the institution's risk assessment

Simplified CDD is available only for SPI-tier products with capped e-money balances — the maximum cap for simplified CDD to apply is SGD 5,000 in stored value.

2. Ongoing Monitoring

PSN01 requires payment institutions to monitor transactions for unusual or suspicious patterns. The monitoring standard is explicitly equivalent to that imposed on banks under Notice 626. There is no licence-tier carve-out for MPIs: a major payment institution must run monitoring that meets bank-grade expectations.

In practice, this is where many payment institutions fall short. [Transaction monitoring in the MAS context](/compliance-hub/transaction-monitoring-singapore-mas-requirements) requires calibrated alert logic, documented investigation workflows, and audit trails that MAS can review. Payment institutions often have none of these at the point of licence grant — they have the licence, but not the infrastructure.

3. Suspicious Transaction Reporting (STR)

STR obligations do not come from the PSA itself — they come from the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). Section 39 of the CDSA requires any person who knows or has reasonable grounds to suspect that property represents proceeds of drug trafficking or other serious crimes to file a report with the Suspicious Transaction Reporting Office (STRO).

The practical timeline is one business day from the point at which suspicion forms. That formation date matters: MAS examination findings have treated cases where the suspicion formation date was left blank or set to the date of filing (rather than the date of the underlying discovery) as incomplete reports — even where the filing itself was technically made within the window.

4. Record-Keeping

CDD documents and transaction records must be retained for five years from the date the transaction was conducted or the business relationship ended. MAS can request records going back up to five years in the course of an examination.

One PSN01 Obligation Per Service

PSN01 contains a provision that compliance teams at multi-service payment institutions sometimes miss: a firm licensed to provide both cross-border money transfer services and e-money issuance services must comply with PSN01 separately for each service. CDD performed for a customer under the cross-border transfer service does not automatically satisfy CDD requirements for the same customer's e-money transactions. The records, processes, and monitoring must address each licensed service independently.

MAS Notice PSN02: DPT Service Providers

MAS Notice PSN02 — "Prevention of Money Laundering and Countering the Financing of Terrorism — Holders of a Standard Payment Institution Licence or Major Payment Institution Licence Carrying on Digital Payment Token Service" — applies to firms licensed to offer DPT services: crypto exchanges, digital asset custodians, and related providers.

PSN02 carries higher-risk obligations than PSN01, reflecting MAS's view that DPT services present specific money laundering and terrorism financing risks not present in traditional payment services.

The additional obligations under PSN02 include:

Travel Rule compliance: PSN02 implements FATF Recommendation 16 for virtual assets. Licensed DPT service providers must collect, verify, and transmit originator and beneficiary information for DPT transfers above SGD 1,500. For transfers to or from unhosted wallets (wallets not held at a licensed provider), enhanced procedures apply. MAS has not mandated a specific technical standard for travel rule compliance, but expects firms to use an approved solution with documented coverage for the counterparty jurisdictions they transact with.

Blockchain-specific monitoring: Alert logic for DPT transactions must address blockchain-native risk indicators — rapid multi-hop transfers across wallets, use of mixing or tumbling services, high-velocity micro-transactions consistent with layering, and activity consistent with known illicit addresses. Standard bank transaction monitoring typologies do not map cleanly to on-chain behaviour, and PSN02 examiners expect DPT-specific rule sets.

Heightened examination intensity post-2022: Following the collapse of FTX in November 2022 and MAS's subsequent review of licensed DPT providers, MAS substantially increased the frequency and depth of PSN02 examinations. Several DPT licence holders received remediation requirements in 2023 and 2024. STR filing quality and travel rule implementation were the two most commonly cited deficiencies.

CDD Under the PSA: What the Thresholds Mean in Practice

The SGD 1,500 occasional transaction threshold in PSN01 is one of the more misunderstood elements of the PSA framework.

Under Notice 626, banks do not need to apply full CDD to occasional transactions below SGD 5,000. Payment institutions under PSN01 must apply CDD at SGD 1,500. That is not a minor administrative difference. In a remittance business processing hundreds of transactions daily, a significant proportion of transactions will fall between SGD 1,500 and SGD 5,000. Each of those requires customer identification and verification under PSN01 — which requires a technology and process infrastructure that can handle that volume.

In examination, MAS specifically checks whether SGD 1,500 thresholds are being applied in practice — not just whether the institution's CDD policy says they should be. The gap between policy and operational execution is a recurring finding.

For KYC processes at licensed payment institutions, the relevant question is not just whether the institution can identify a customer, but whether the identification is being triggered at the correct transaction threshold, documented correctly, and linked to the transaction monitoring record.

Transaction Monitoring: Where Payment Institutions Fall Short

MAS's 2024 supervisory expectations document specifically noted that transaction monitoring at payment institutions is "less mature" than at banks. This is both a diagnostic and a warning — MAS has signalled that payment institution TM controls are now an examination priority.

Three factors make transaction monitoring operationally harder for payment institutions than for banks:

Shorter customer history: Banks accumulate years of transaction history per customer before alerts are calibrated. Many payment institution customers have been active for months. Baseline behaviour is harder to establish, which means both that unusual patterns are harder to identify and that alert false positive rates tend to be higher.

Faster transaction cycles: Payment transactions settle in minutes or seconds. A structuring pattern that would take weeks to manifest in a bank account can appear and disappear in a payment institution in 48 hours. Monitoring rules must be configured to detect compressed timescales.

Higher cross-border exposure: Cross-border money transfer services, by definition, move funds across jurisdictions — often to markets with weaker AML frameworks. Alert rules for cross-border transfers need jurisdiction-specific calibration, not a single global threshold.

The full MAS transaction monitoring framework covers how these factors should be addressed in a Singapore-compliant monitoring programme.

What MAS Examines at PSA-Licensed Firms

Based on published MAS supervisory findings and the 2024 expectations document, PSA examinations focus on five areas:

CDD threshold application: Are SGD 1,500 triggers actually running in production? Examiners test this by pulling a sample of transactions in the SGD 1,500–5,000 range and checking whether CDD was conducted and documented.

Travel rule compliance for cross-border transfers: For MPI-licensed firms providing cross-border money transfer services, examiners check whether FATF Recommendation 16 originator/beneficiary information is being collected, verified, and transmitted — and whether the institution has procedures for counterparties who cannot receive travel rule data.

STR filing quality: MAS does not measure STR performance primarily by volume. Examiners look at the narrative content of individual STR filings — specifically whether the filing documents the basis for suspicion, the investigation steps taken, and the transaction evidence reviewed. Filings that state "suspicious activity detected" without specifying what made the activity suspicious are treated as incomplete, regardless of whether they were filed on time.

Alert calibration for payment-specific typologies: Generic bank-derived alert rules applied without adaptation are a common finding. Examiners look for rules that address mule account patterns in remittance flows (rapid inbound/outbound cycling with no retention), sub-threshold structuring designed to avoid PSN01 CDD triggers, and rapid account turnover in payment accounts.

PS(A)A 2021 compliance: The 2021 amendment extended PSA coverage to previously unregulated services and increased MAS supervisory powers, including the ability to impose restrictions on MPI licence holders mid-licence. Firms that were operating before the amendment took effect and were brought within scope had a transition period — but that period has elapsed. Any firm that believes its legacy service structure still falls outside the PSA framework should obtain current legal advice.

The 2021 Amendment: What Changed

The Payment Services (Amendment) Act 2021 made three changes relevant to AML compliance:

First, it extended the PSA's regulated activity definitions to capture services previously argued to be outside scope — in particular, certain token-based payment services and digital representation of fiat currency.

Second, it introduced new obligations for DPT service providers, bringing Singapore into alignment with FATF's revised Recommendation 15 on virtual assets. This is the legislative foundation for PSN02 and its enhanced requirements.

Third, it expanded MAS's supervisory toolkit. Under the amended Act, MAS can impose conditions on MPI licences that restrict specific product lines or transaction types while an investigation or remediation is ongoing. This is a more targeted instrument than suspension, and MAS has used it in at least two disclosed cases since 2022.

Building Compliance Infrastructure That Meets PSA Expectations

A PSA licence is not a compliance programme. The licence grants permission to operate; the AML/CFT framework is built after that.

For newly licensed MPIs and SPIs, the gap between what MAS requires and what most firms have at licence grant is significant. PSN01 requires calibrated transaction monitoring, documented CDD at SGD 1,500 thresholds, investigation workflows that leave auditable records, and STR filings with substantive narrative content. These are not features that come pre-configured — they require technology, process design, and trained personnel.

If you are building or evaluating a transaction monitoring programme for a Singapore-licensed payment institution, the Transaction Monitoring Software Buyer's Guide covers what to look for in a system designed for payment services risk — including alert calibration for remittance typologies, travel rule integration, and MAS-examination-ready documentation.

For compliance teams at payment institutions assessing whether their current controls meet MAS's 2024 supervisory expectations, Tookitaki works with licensed payment institutions in Singapore to implement AML/CFT programmes built for PSN01 and PSN02 requirements. Book a demo to see how FinCense addresses payment-specific transaction monitoring and STR documentation.

In today's financial landscape, understanding the source of funds (SOF) is crucial for ensuring compliance and preventing financial crimes. Financial institutions must verify the origin of funds to comply with regulations and mitigate risks. This blog post delves into the meaning, importance, best practices, and challenges of verifying the source of funds.

Source of Funds in AML: What It Is and How Banks Verify It

Source of Funds Meaning

The term "source of funds" refers to the origin of the money used in a transaction. This can include earnings from employment, business revenue, investments, or other legitimate income sources.

{{cta-first}}

Source of Funds Example

For instance, if someone deposits a large sum of money into their bank account, the bank needs to verify whether this money came from a legitimate source, such as a property sale, inheritance, or salary.

Here are some common sources of funds:

• Salary: Imagine you've been saving up from your job to buy a new gaming console. When you finally get it, your salary is the Source of Funds for that purchase. In the grown-up world, this could mean someone buying a house with the money they've saved from their job.
• Inheritance: Now, let's say your grandma left you some money when she passed away (may she rest in peace), and you use it to start a college fund. The inheritance is your Source of Funds for that college account.
• Business Profits: If you have a lemonade stand and make some serious cash, and then you use that money to buy a new bike, the profits from your business are your Source of Funds for the bike.
• Selling Assets: Let's say your family decides to sell your old car to buy a new one. The money you get from selling the old car becomes the Source of Funds for the new car purchase.
• Investments and Dividends: Suppose you've invested in some stocks, and you make a nice profit. If you use that money to, say, go on vacation, then the money you made from your investments is the Source of Funds for your trip.

Difference Between Source of Funds and Source of Wealth

Source of Funds (SOF) refers to the origin of the specific money involved in a transaction, such as income from employment, sales, or loans. It is focused on the immediate funds used in a particular financial activity.

Source of Wealth (SOW), on the other hand, pertains to the overall origin of an individual’s total assets, including accumulated wealth over time from various sources like investments, inheritances, or business ownership. It provides a broader view of the person's financial background.

Importance of Source of Funds Verification

Regulatory Requirements and Compliance

Verifying the source of funds is essential for financial institutions to comply with regulations such as anti-money laundering (AML) laws. Regulatory bodies like the Financial Action Task Force (FATF) mandate stringent checks to ensure that funds do not originate from illegal activities.

Financial and Reputational Risks

Failure to verify the source of funds can result in significant financial penalties and damage to an institution's reputation. Banks and other financial entities must implement robust verification processes to avoid involvement in financial crimes and maintain public trust.

Best Practices for Source of Funds Verification

Risk-Based Approach

Implementing a risk-based approach means assessing the risk level of each transaction and customer. Higher-risk transactions require more rigorous verification, ensuring that resources are allocated efficiently and effectively.

Advanced Technology Utilization

Utilizing advanced technologies such as artificial intelligence and machine learning can enhance the efficiency and accuracy of source of funds verification. These technologies can analyze large datasets quickly, identifying potential red flags.

Regular Updates and Audits

Maintaining updated records and conducting regular audits are crucial for an effective source of funds verification. This ensures that the verification processes remain robust and compliant with the latest regulations.

Source of Funds Requirements Across APAC

FATF Recommendation 13 requires financial institutions to apply enhanced due diligence, including source of funds verification for high-risk customers and transactions. In practice, each APAC regulator has translated this into specific obligations.

Australia (AUSTRAC)

Under the AML/CTF Rules Part 7, AUSTRAC requires ongoing customer due diligence that includes verifying source of funds when a transaction or customer profile is inconsistent with prior behaviour or stated purpose. Enhanced customer due diligence — triggered by high-risk customer classification, PEP status, or unusual transaction patterns — requires documented source of funds evidence before the transaction proceeds or the relationship continues.

Acceptable documentation under AUSTRAC guidance includes: recent pay slips (last 3 months), business financial statements, tax returns, property sale contracts, or investment account statements. For inheritance-sourced funds, a grant of probate or solicitor letter is required.

Singapore (MAS)

MAS Notice 626 requires Singapore-licensed FIs to verify source of funds as part of enhanced due diligence for high-risk customers and any customer whose funds originate from high-risk jurisdictions. MAS examination findings have consistently cited inadequate SOF documentation as a gap — specifically, accepting verbal declarations without supporting evidence.

Malaysia (BNM)

BNM's AML/CFT Policy Document requires source of funds verification for EDD-triggered customers, high-value transactions above MYR 50,000 in cash-equivalent form, and corporate accounts where beneficial ownership is complex. BNM specifically requires that SOF evidence be independently verifiable — a customer's own declaration is not sufficient for high-risk accounts.

Philippines (BSP)

BSP Circular 706 and its amendments require source of funds verification for customers classified as high-risk under the institution's risk assessment, and for any transaction that appears inconsistent with the customer's known financial profile. AMLC's guidance notes that source of funds documentation must be retained for a minimum of 5 years.

Common Sources of Funds

Legitimate Sources

Legitimate sources of funds include earnings from employment, business income, investment returns, loans, and inheritances. These sources are generally verifiable through official documentation such as pay slips, tax returns, and bank statements.

Illegitimate Sources

Illegitimate sources of funds might include money from illegal activities such as drug trafficking, fraud, corruption, or money laundering. These sources often lack proper documentation and can pose significant risks to financial institutions if not properly identified and reported.

Challenges in Verifying Source of Funds

Complex Transactions

Complex transactions, involving multiple parties and jurisdictions, pose significant challenges in verifying the source of funds. Tracing the origin of such funds requires comprehensive analysis and robust systems to track and verify all related transactions.

Privacy and Data Protection Concerns

Verifying the source of funds often involves handling sensitive personal data. Financial institutions must balance the need for thorough verification with strict adherence to privacy and data protection regulations, ensuring that customer information is secure.

{{cta-guide}}

What Good Source of Funds Verification Looks Like in Practice

The institutions that handle SOF verification most effectively treat it as a tiered process, not a one-size-all checklist.

For standard-risk customers, verification at onboarding is enough — pay slips, a bank statement, or a tax return. For high-risk customers, EDD-triggered accounts, or transactions that don't fit the pattern, that standard is higher: independently verifiable documentation, a paper trail that shows the funds' journey from origin to arrival, and a compliance officer's written sign-off.

The documentation requirement is not the hard part. The hard part is knowing when to apply it — and that is a transaction monitoring question as much as a KYC question. A source of funds issue that doesn't get flagged at monitoring never reaches the verification stage.

For more on building the monitoring programme that surfaces these cases, see our Transaction Monitoring Software Buyer's Guide and our complete guide to KYC and customer due diligence.

Talk to Tookitaki's team about how FinCense handles source of funds flags as part of an integrated AML and transaction monitoring programme.

Frequently Asked Questions

1. What is source of funds in AML?
Source of funds refers to where the money used in a specific transaction or business relationship comes from. In AML compliance, financial institutions review source of funds to understand whether the money is legitimate and whether it matches the customer’s profile and declared activity.

2. Why is source of funds important in AML compliance?
Source of funds is important because it helps financial institutions assess whether the money involved in a transaction is consistent with what they know about the customer. It supports due diligence, helps identify unusual activity, and reduces the risk of money laundering or other financial crime.

3. What is the difference between source of funds and source of wealth?
Source of funds refers to the origin of the money used in a particular transaction or account activity. Source of wealth refers to how a customer built their overall wealth over time. In simple terms, source of funds looks at where this money came from, while source of wealth looks at how the person became wealthy in general.

4. How do financial institutions verify source of funds?
Financial institutions may verify source of funds using documents such as bank statements, salary slips, business income records, property sale agreements, inheritance papers, dividend records, or other documents that explain where the money originated. The exact documents required depend on the customer, the transaction, and the level of risk involved.

5. When is source of funds verification required?
Source of funds verification is commonly required during customer onboarding, enhanced due diligence, high-risk transactions, or periodic reviews. It may also be requested when a transaction appears unusual or does not match the customer’s known financial behaviour.

6. Is source of funds verification required for every customer?
Not always. The depth of source of funds verification usually depends on the customer’s risk level, the nature of the transaction, and applicable AML regulations. Higher-risk customers and more complex transactions generally require closer scrutiny.

7. What source of funds documentation does AUSTRAC accept?
AUSTRAC's AML/CTF guidance accepts: recent pay slips (last 3 months), business financial statements or tax returns, property sale contracts with settlement documentation, investment account statements, and for inherited funds, a grant of probate or solicitor's letter. Verbal declarations are not sufficient for high-risk customers or transactions triggering enhanced due diligence.

8. Is source of funds verification required for every transaction?No. Source of funds verification is triggered by risk level, not transaction volume. Standard-risk retail customers verified at onboarding do not require SOF documentation for routine transactions. The trigger points are: EDD classification, PEP status, transactions inconsistent with the customer's stated financial profile, high-value cash transactions above reporting thresholds, and periodic review of high-risk accounts. See your regulator's specific guidance — AUSTRAC's Part 7, MAS Notice 626, or BNM's AML/CFT Policy Document — for the applicable triggers in your jurisdiction.

In 2022, Bank Negara Malaysia awarded digital bank licences to five applicants: GXBank, Boost Bank, AEON Bank (backed by RHB), KAF Digital, and Zicht. None of these institutions have a branch network. None of them can sit a customer across a desk and photocopy a MyKad. For them, remote identity verification is not a product feature — it is the only way they can onboard a customer at all.

That is why BNM's eKYC framework matters. The question for compliance officers and product teams at these institutions — and at the e-money issuers, remittance operators, and licensed payment service providers that operate under the same rules is not whether to implement eKYC. It is whether the implementation will satisfy BNM when examiners review session logs during an AML/CFT examination.

This guide covers what BNM's eKYC framework requires, where institutions most commonly fall short, and what the rules mean in practice for tiered account access.

The Regulatory Scope of BNM's eKYC Framework

BNM's eKYC Policy Document was first issued in June 2020 and updated in February 2023. It applies to a wide range of supervised institutions:

• Licensed banks and Islamic banks
• Development financial institutions
• E-money issuers operating under the Financial Services Act 2013 — including large operators such as Touch 'n Go eWallet, GrabPay, and Boost
• Money service businesses
• Payment Services Operators (PSOs) licensed under the Payment Systems Act 2003

The policy document sets one overriding standard: eKYC must achieve the same level of identity assurance as face-to-face verification. That standard is not aspirational. It is the benchmark against which BNM examiners assess whether a remote onboarding programme is compliant.

For a deeper grounding in what KYC requires before getting into the eKYC-specific rules, the KYC compliance framework guide covers the foundational requirements.

The Four BNM-Accepted eKYC Methods

BNM's eKYC Policy Document specifies four accepted verification methods. Institutions must implement at least one; many implement two or more to accommodate different customer segments and device capabilities.

Method 1 — Biometric Facial Matching with Document Verification

The customer submits a selfie and an image of their MyKad or passport. The institution's system runs facial recognition to match the selfie against the document photo. Liveness detection is mandatory — passive or active — to prevent spoofing via static photographs, recorded video, or 3D masks.

This is the most widely deployed method among Malaysian digital banks and e-money issuers. It works on any smartphone with a front-facing camera and does not require the customer to be on a live call or to own a device with NFC capability.

Method 2 — Live Video Call Verification

A trained officer conducts a live video interaction with the customer and verifies the customer's face against their identity document in real time. The officer must be trained to BNM's specified standards, and the session must be recorded and retained.

This method provides strong identity assurance but introduces operational cost and throughput constraints. Some institutions use it as a fallback for customers whose biometric verification does not clear automated thresholds.

Method 3 — MyKad NFC Chip Reading

The customer uses their smartphone's NFC reader to read the chip embedded in their MyKad directly. The chip contains the holder's biometric data and personal information, and the read is cryptographically authenticated. BNM considers this the highest assurance eKYC method available under Malaysian national infrastructure.

The constraint is device compatibility: not all smartphones have NFC readers, and the feature must be enabled. Adoption among mass-market customers remains lower than biometric methods as a result.

Method 4 — Government Database Verification

The institution cross-checks customer-provided information against government databases — specifically, JPJ (Jabatan Pengangkutan Jalan, road transport) and JPN (Jabatan Pendaftaran Negara, national registration). If the data matches, the identity is considered verified.

BNM treats this as the lowest-assurance method. Critically, it does not involve any biometric confirmation that the person submitting the data is the same person as the registered identity. BNM restricts Method 4 to lower-risk product tiers, and institutions that apply it to accounts exceeding those tier limits will face examination findings.

Liveness Detection: What BNM Expects

BNM's requirement for liveness detection in biometric methods is explicit in the February 2023 update to the eKYC Policy Document. The requirement exists because static facial matching alone — matching a selfie against a document photo — can be defeated by holding a photograph in front of the camera.

BNM expects institutions to document the accuracy performance of their liveness detection system. The specific thresholds the policy document references are:

• False Acceptance Rate (FAR): below 0.1% — meaning the system incorrectly accepts a spoof attempt in fewer than 1 in 1,000 cases
• False Rejection Rate (FRR): below 10% — meaning genuine customers are incorrectly rejected in fewer than 10 in 100 cases

These are not defaults — they are floors. Institutions must document their actual FAR and FRR in their eKYC programme documentation and must periodically validate those figures, particularly after model updates or changes to the verification vendor.

Third-party eKYC vendors must be on BNM's approved list. An institution using a vendor not on that list — even a globally recognised biometric vendor — does not have a compliant eKYC programme regardless of the vendor's technical capabilities.

Account Tiers and Transaction Limits

BNM applies a risk-based framework that links account access limits to the assurance level of the eKYC method used to open the account. This is not optional configuration — these are regulatory caps.

Tier 1 — Method 4 (Database Verification Only)

• Maximum account balance: MYR 5,000
• Maximum daily transfer limit: MYR 1,000

Tier 2 — Methods 1, 2, or 3 (Biometric Verification)

• E-money accounts: maximum balance of MYR 50,000
• Licensed bank accounts: no regulatory cap on balance (subject to the institution's own risk limits)

If a customer whose account was opened via Method 4 wants to move into Tier 2, they must complete an additional verification step using a biometric method. That upgrade process must be documented and the records retained — the same as any primary onboarding session.

This tiering structure means product decisions about account limits are also compliance decisions. A digital bank that launches a savings product with a MYR 10,000 minimum deposit and relies on Method 4 for onboarding has a compliance problem, not just a product design problem.

Record-Keeping: What Must Be Retained and for How Long

BNM requires that all eKYC sessions be recorded and retained for a minimum of 6 years. The records must include:

• Raw images or video from the verification session
• Facial match confidence scores
• Liveness detection scores
• Verification timestamps
• The outcome of the verification (approved, rejected, referred for manual review)

During AML/CFT examinations, BNM examiners review eKYC session logs. An institution that can demonstrate a successful biometric match but cannot produce the underlying scores and timestamps for that session does not have compliant records. This is a documentation failure, not a technical one and it is one of the more common findings in Malaysian eKYC examinations.

eKYC Within the Broader AML/CFT Programme

A compliant eKYC onboarding process does not discharge an institution's AML/CFT obligations for the full customer lifecycle. BNM's AML/CFT Policy Document — separate from the eKYC Policy Document — requires institutions to apply risk-based customer due diligence (CDD) continuously.

Two areas where this creates friction in eKYC-based operations:

High-risk customers require Enhanced Due Diligence (EDD) that eKYC cannot complete. A customer who is a Politically Exposed Person (PEP), operates in a high-risk jurisdiction, or presents unusual transaction patterns requires EDD. Source of funds verification for these customers cannot be completed through biometric verification alone. Institutions must have documented rules specifying when an eKYC-onboarded customer triggers the EDD workflow — and those rules must be reviewed and enforced in practice, not just documented.

Dormant account reactivation is a re-verification trigger. BNM expects institutions to treat the reactivation of an account dormant for 12 months or more as an event requiring re-verification. This is a common gap: many institutions have onboarding eKYC workflows but no corresponding re-verification process for dormant accounts coming back to active status.

For institutions that have deployed transaction monitoring alongside their eKYC programme, integrating eKYC assurance levels into monitoring rule calibration is good practice — a Tier 1 account that begins transacting at Tier 2 volumes is exactly the kind of pattern that should generate an alert. The transaction monitoring software buyer's guide covers what to look for in a system capable of handling this kind of integrated logic.

Common Implementation Gaps

Based on BNM examination findings and the February 2023 policy document guidance, four gaps appear most frequently in Malaysian eKYC programmes:

1. Using Method 4 for accounts that exceed Tier 1 limits. This is the most consequential gap. If an account opened via database verification reaches a balance above MYR 5,000 or a daily transfer above MYR 1,000, the institution is operating outside the regulatory framework. The fix requires either enforcing hard caps at the product level or requiring biometric re-verification before account limits expand.

2. No liveness detection documentation. An institution that has deployed biometric eKYC but cannot demonstrate to BNM that it tested for spoofing — with documented FAR/FRR figures — does not have a defensible eKYC programme. The technology alone is not enough; the validation and documentation must exist.

3. Third-party eKYC vendor not on BNM's approved list. BNM maintains an approved vendor list for a reason. An institution that integrated a non-listed vendor, even one with strong global credentials, needs to remediate — either by migrating to an approved vendor or by engaging BNM directly on the approval process before continuing to use that vendor for compliant onboarding.

4. No re-verification trigger for dormant account reactivation. Institutions that built their eKYC programme around the onboarding workflow and never implemented re-verification logic for dormant accounts have a gap that BNM examiners will find. This requires both a policy update and a system-level trigger.

What Good eKYC Compliance Looks Like

A compliant eKYC programme in Malaysia has five elements that work together:

1. At least one BNM-accepted verification method, implemented with a BNM-approved vendor and validated to the required FAR/FRR thresholds
2. Hard account tier limits enforced at the product level, with a documented upgrade path that triggers biometric re-verification for Tier 1 accounts requesting higher access
3. Complete session records — images, scores, timestamps, and outcomes — retained for the full 6-year period
4. EDD triggers documented and enforced for high-risk customer categories, including PEPs and high-risk jurisdiction connections
5. Re-verification workflows for dormant accounts reactivating after 12 months of inactivity

Meeting all five is not a one-time project. BNM expects periodic validation of vendor performance, regular review of threshold calibration, and documented sign-off from a named senior officer on the state of the eKYC programme.

For Malaysian institutions building or reviewing their eKYC programme, Tookitaki's AML compliance platform combines eKYC verification with transaction monitoring and ongoing risk assessment in a single integrated environment — designed for the requirements BNM examiners actually check. Book a demo to see how it works in a Malaysian digital bank or e-money context, or read our KYC framework overview for a broader view of where eKYC sits within the full compliance programme.