Specially Designated Nationals and Blocked Persons List (SDN)
The Office of Foreign Assets Control (OFAC) creates the Specially Designated Nationals and Blocked Persons list – also known as the OFAC SDN list – in order to carry out its responsibilities.
The OFAC SDN list is a critical tool in the fight against money laundering and terrorist financing in the US and around the world. It is part of the US Treasury's Selective Sanctions policy, which penalises specific individuals and organisations involved in criminal activities rather than the more comprehensive approach of sanctioning entire nations.
The names of individuals, entities, and organisations suspected of involvement in a variety of criminal activities are added to the Specially Designated Nationals and Blocked Persons List on a regular basis.
US Persons (including US citizens and permanent resident aliens regardless of location, US incorporated entities and their foreign branches, and in some cases their subsidiaries) are prohibited from doing business with anyone on the OFAC SDN list – and should check the list to ensure they are not in violation of the law if there is any doubt.
Businesses should conduct background checks before establishing a relationship with a person or entity or conducting transactions with them, as well as on a regular basis throughout the relationship.
What You Need to Know
To use the Specially Designated Nationals and Blocked Persons List, you must first understand how it works and how to apply it when dealing with foreign business interests.
Who Must Comply with Specially Designated Nationals and Blocked Persons List?
All US individuals must comply with OFAC sanctions, with the term "US individuals" defined as follows:
- All US citizens and permanent resident aliens, regardless of where they are located
- All persons and entities in the US, regardless of their nationality
- All US-incorporated groups or any other organisation, as well as their foreign branches
Along with US persons, there may be certain instances where the OFAC regulations may also apply to foreign subsidiaries that are owned/controlled by US entities or to foreign persons in possession of US-originated goods.
For these purposes, an entity is considered owned or controlled by a US person if they:
- Hold 50% or more equity interest by vote or value in the entity
- Have a majority of seats on the board of directors of the entity
- Have control of the actions, policies, or personnel decisions of the entity
Who Is On The SDN List?
The SDN List contains the names of individuals, corporations, and vessels with whom US citizens are prohibited from doing business or transacting. SDNs are designated for a variety of reasons, including:
- Being designated pursuant to a country-specific sanctions programme (e.g., a senior government official of a country against which the US has imposed sanctions)
- Engaging in activities that are specifically prohibited (e.g., terrorism, drug trafficking, or cyber-related activities)
- On the basis of their ownership or control structure (e.g., a group owned/controlled by an SDN)
- On the basis of activities for, or on behalf of, a targeted country, group, entity, or individual (e.g., a party deemed to have supported a prohibited government’s commission of human rights violations)
How frequently is the list of Blocked Persons and Specially Designated Nationals updated?
The OFAC SDN list is updated on a regular basis, although there is no fixed timeline. The list is updated to reflect the status of ongoing and upcoming OFAC investigations, and users may search through changes dating back to 1994.
Because the SDN list changes frequently and unpredictably, organisations should seek a screening provider that maintains up-to-date, relevant, and reliable data.
OFAC may remove people from the SDN list based on the findings of investigations or continuous compliance with the law. Individuals and organisations on the list may also petition OFAC for removal. In these cases, OFAC will undertake a thorough examination and post any modifications to its recent actions website. All previous revisions can be seen in archived versions of the list.
How to Search the Sanctions List?
OFAC provides an SDN list search engine. Users can narrow their results by entering specific parameters, such as searching by country or specific sanction.
Names returned by a search are accompanied by codes that indicate why a person or organisation has been added to the list: "BPI-PA" indicates that an entry has been "blocked pending investigation" under the Patriot Act, for example.
Users are strongly advised to pay attention to the programme codes associated with each returned record. These programme codes determine how a true hit on a returned value needs to be treated.
The Sanctions List Search tool uses approximate string matching to find possible matches between word or character strings as entered into the search and any name or name component as it appears on the SDN List and/or the various other sanctions lists. The Sanctions List Search has a slider bar that can be used to set a threshold (a confidence rating) for how close a potential match must be before it is returned as a result of a user's search.
It can detect certain misspellings or other incorrectly entered text and will return near or proximate matches, based on the confidence rating set by the user via the slider bar. The Office of Foreign Assets Control does not provide recommendations with regard to the appropriateness of any specific confidence rating. The Sanctions List Search tool is offered to assist users in utilising the SDN List and/or the various other sanctions lists; however, use of the Sanctions List Search is not a substitute for undertaking appropriate due diligence.
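The effect of the confidence threshold described above, shown as an added example that is not OFAC's algorithm and not code from the original page. The list entries, the placeholder programme codes and the `difflib`-based score are all assumptions made for illustration.

```python
import difflib
import unicodedata

# Constructed sample entries, NOT real SDN records: (listed name, programme code).
# The programme codes are placeholders, not real OFAC codes.
SAMPLE_LIST = [
    ("Ivan Petrovich Sokolov", "PROGRAM-A"),
    ("Meridian Trading Company Limited", "PROGRAM-B"),
    ("Al Noor Shipping LLC", "PROGRAM-C"),
]


def normalise(name):
    """Lower-case, strip accents and punctuation, and sort the name tokens.

    Sorting tokens makes "SOKOLOV, Ivan" and "Ivan Sokolov" compare equal,
    so word order alone never hides a match.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_accents.lower())
    return " ".join(sorted(cleaned.split()))


def score(query, listed):
    """Return a 0-100 similarity score between two names (assumed metric)."""
    matcher = difflib.SequenceMatcher(
        None, normalise(query), normalise(listed), autojunk=False
    )
    return round(matcher.ratio() * 100)


def screen(query, threshold, entries=SAMPLE_LIST):
    """Return (score, listed name, programme code) for every entry whose
    score is at or above the threshold, best match first."""
    hits = []
    for listed_name, programme in entries:
        s = score(query, listed_name)
        if s >= threshold:
            hits.append((s, listed_name, programme))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    query = "Ivan Petrovic Sokolof"  # constructed misspelling of the first entry
    for threshold in (100, 85, 50):
        print(threshold, screen(query, threshold))
```

At a threshold of 100 the misspelled query returns nothing; lowering the threshold surfaces the near match together with its programme code, and lowering it further brings in more candidates that need manual review.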
What Are Best Practices for Complying with US Sanctions?
While all US citizens are expected to comply with their sanctions responsibilities, OFAC does not force financial institutions to create any specific compliance programme. Institutions are expected to approach sanctions compliance in a risk-based manner. This implies that an acceptable compliance programme will be determined by the size, kind, and frequency of a company's overseas transactions.
Institutions and individuals can view the compliance policy on the official OFAC website.
A good compliance programme will have:
- Tailoring – The sanctions compliance programme needs to be based on self-assessment and appropriately tailored to address an institution’s specific sanctions risk areas
- Influence from management – Senior management should tell employees about the financial institution's commitment to complying with all applicable regulations. They should also be robust in their opposition to any unlawful acts carried out by any employee, even those in upper management.
- Policies and Procedures – All financial institutions must put in place documented policies and procedures to ensure that their staff are aware of the applicable regulations, as well as the financial institution's approach to complying with them.
- Training – All financial institutions must put in place documented policies and procedures to ensure that their staff are aware of the applicable regulations, as well as the financial institution's approach to complying with them.
- Screening – Financial institutions should screen their overseas business partners, which include clients, agents, brokers, and other third-party persons, against the appropriate US restricted parties lists. The lists that should be screened may vary depending on the breadth and nature of the institution's overseas activity, although they should include the SDN List at a minimum.
- Transaction Due Diligence – Before entering into any international business relationship, a financial institution should conduct the appropriate due diligence on the parties involved. This includes diligence on the parties’ ownership and control. The financial institution’s compliance and legal departments should be involved to the extent necessary to review the proposed transactions and ensure compliance with US sanctions legislation.
- Compliance Function – OFAC expects financial institutions to provide enough resources to their compliance functions. This mostly consists of hiring an experienced compliance officer and providing him or her with the appropriate compensation and promotion opportunities. Furthermore, the function itself should be independent and should employ an appropriate reporting structure. In various cases, this could mean that the compliance function will report directly to the legal department.
- Auditing/Monitoring of Compliance Programmes – As a financial institution's worldwide presence expands over time, it should examine its compliance programme on a regular basis to ensure that it is appropriate and responds to the institution's real sanctions risk profile.
- Record-keeping – All of the records regarding a financial institution’s compliance programme, policies and procedures, training, screening of prohibited parties, transaction history and partner due diligence, responses to reported violations, and so forth should be maintained for a minimum of 5 years in a format that can be provided to OFAC at the time of its request.
What Should You Do If Your Search Produces a Match?
If you find a name match on the SDN list that causes concern, you should first investigate the outcome. Check to see if the score suggests an exact or merely probable match — you may need to utilise other information, such as location, to rule out a false positive. A screening provider that adds context to your search results can help you resolve possible matches faster, increasing workflow efficiency.
AML Compliance for Tier 2 Banks: What Smaller Institutions Need to Get Right
AUSTRAC publishes its examination priorities for the year. The CCO at a regional Australian bank reads the list. Calibrated alert thresholds. Documentation of alert dispositions. EDD for high-risk customers. Periodic re-screening for PEPs.
The list looks the same as last year. And the year before.
The difference is that her team is 8 people — not 80. The obligation does not scale down with the headcount.
This is the operating reality for AML compliance at Tier 2 banks across Australia, Singapore, and Malaysia. Regional banks, digital banks, foreign bank branches, credit unions with banking licences — institutions that are fully regulated, fully examined, and fully liable, but are not Commonwealth Bank, DBS, or Maybank. The same rules apply. The resources do not.
This article covers where Tier 2 AML programmes most commonly fail examination, what "proportionate" compliance actually requires in practice, and how mid-size institutions build programmes that hold up without the 50-person compliance team.

The Regulatory Reality: Same Obligations, Different Resources
AUSTRAC, MAS, and BNM do not operate two-tier AML standards. The AML/CTF Act 2006 applies to every reporting entity in Australia regardless of asset size. MAS Notice 626 applies to every bank licensed in Singapore. BNM's AML/CFT Policy Document applies to every licensed institution in Malaysia.
The only concession regulators make is proportionality. A risk-based approach means the scale of an AML programme should reflect the scale of the risk — the volume and nature of transactions, the customer risk profile, the jurisdictions involved. But the programme must exist, be effective, and produce documentation that survives examination.
Proportionality is not a waiver.
Westpac's AUD 1.3 billion penalty in 2020 was for a major bank. But AUSTRAC has also pursued civil penalty orders against smaller ADIs and credit unions for the same category of failures: uncalibrated monitoring thresholds, inadequate EDD, insufficient transaction reporting. The regulator's methodology does not change based on the institution's size. The fine may differ; the finding does not.
For Tier 2 banks in Singapore, MAS has been direct: digital banks licensed under the 2020 digital banking framework should reach AML maturity equivalent to established banks within 2–3 years of licensing. "We are new" has a shelf life. For Tier 2 institutions in Malaysia, BNM's Policy Document draws no distinction between Maybank and a smaller licensed Islamic bank on the core obligations for CDD, transaction monitoring, and suspicious transaction reporting.
Five Gaps Where Tier 2 Banks Fail Examination
Gap 1: Default Threshold Settings on Transaction Monitoring
The most common finding across AUSTRAC and MAS examinations of smaller institutions is transaction monitoring software running on vendor-default alert thresholds.
Default thresholds are calibrated for a generic customer population. A regional Australian bank with 80% SME customers needs different alert logic than a consumer retail bank. A digital bank in Singapore whose customers are predominantly salaried individuals transferring payroll needs different parameters than a trade finance operation. When the thresholds do not reflect the institution's actual customer base, two things happen: analysts receive alerts that are irrelevant to real risk, and the transactions that represent genuine risk pass without triggering review.
AUSTRAC's published guidance on transaction monitoring is explicit on this point. MAS expects institutions to document their threshold calibration rationale and demonstrate that calibration is reviewed periodically against the institution's current risk profile. An undated configuration file from the vendor implementation three years ago does not meet that standard.
See our transaction monitoring software buyer's guide for the evaluation criteria that matter when institutions are selecting a platform — threshold configurability is one of five criteria that directly affect examination outcomes.
Gap 2: Alert Backlogs from High False Positive Rates
A Tier 2 bank running a legacy rules-only transaction monitoring system at a 97% false positive rate and processing 200 alerts per day needs 2–3 full-time analysts to do nothing except clear the alert queue. For a compliance team of 8, that is 25–37% of total capacity consumed by alert triage before a single investigation has started.
The consequence is not just inefficiency. It is a programme that cannot function as designed. Analysts clearing high-volume, low-quality alert queues develop pattern fatigue. Genuine risk signals get the same 30-second review as the 97% of alerts that will be closed as false positives. EDD interviews do not happen because there is no analyst capacity to conduct them. Examination preparation is squeezed into the two weeks before the examiner arrives.
False positive rates are not a fixed cost of running a transaction monitoring programme. Legacy rules-only systems produce high false positive rates because they apply static thresholds to dynamic customer behaviour. Typology-driven, behaviour-based detection — which incorporates how a customer's transaction patterns change over time, not just whether a single transaction crosses a threshold — consistently produces lower false positive rates. The technology gap between rule-based and behaviour-based monitoring is the single largest source of operational inefficiency for Tier 2 compliance teams.
For background on how transaction monitoring works and why the architecture matters, see what is transaction monitoring.
Gap 3: Inconsistent EDD Application
Large banks have EDD workflows automated into their CRM and compliance systems. When a customer's risk rating changes, the system triggers an EDD task, assigns it to an analyst, and tracks completion. The process is not dependent on an individual's memory.
Tier 2 banks frequently run manual EDD processes. PEP screening happens at onboarding. Periodic re-screening often does not — or it happens for some customers and not others, depending on which analyst handles the review. Corporate customers with complex beneficial ownership structures receive initial CDD at onboarding; the review when the ultimate beneficial owner changes is missed because there is no system trigger.
BNM's Policy Document, MAS Notice 626, and AUSTRAC's rules all require EDD to be applied to high-risk customers on an ongoing basis, not just at the point of relationship establishment. "Ongoing" is not annual if the customer's risk profile changes quarterly. An examination finding in this area typically cites specific customer accounts where EDD was not conducted after a risk rating change — not a policy gap, but an execution gap.
Gap 4: Inadequate Documentation of Alert Dispositions
Alert closed. No SAR filed. No written rationale recorded.
In a team under sustained volume pressure, documentation shortcuts are predictable. An analyst who closes 40 alerts in a day and writes a full rationale for 15 of them is not cutting corners deliberately — the queue does not allow otherwise.
AUSTRAC and MAS treat undocumented alert closures as programme failures. Not because the disposition decision was necessarily wrong, but because there is no evidence that a human reviewed the alert and made a considered decision. From an examination standpoint, an alert with no documented rationale is indistinguishable from an alert that was never reviewed. The regulator cannot distinguish between "reviewed and correctly closed" and "bypassed."
This is a systems problem, not a people problem. Alert documentation should be generated as part of the disposition workflow, not as a separate manual step. Every alert closure should require a rationale field — even if the rationale is a structured selection from a drop-down of standard reasons. The documentation burden should be close to zero per alert for straightforward dispositions.
Gap 5: No Model Validation for ML-Based Detection
Tier 2 banks that have moved to AI-augmented transaction monitoring frequently lack the model governance infrastructure to validate that detection models are performing correctly over time.
A model trained on transaction data from 2022 that has never been retrained is not performing at specification in 2026. Customer behaviour shifts. Payment methods change. New typologies emerge. Without periodic model validation — testing whether the model's detection performance against current transaction patterns matches its baseline specification — the institution cannot make the assertion that its monitoring programme is effective.
MAS has flagged model governance as an emerging examination area. For Tier 2 banks, the challenge is that model validation at large banks is done by internal quant teams with the expertise to run performance tests, backtesting, and drift analysis. A 10-person compliance team at a regional bank does not have that capability in-house.
The answer is not to avoid AI-augmented monitoring. It is to select platforms where model validation documentation is generated automatically, and where retraining and recalibration is a vendor-supported function, not a requirement to build internal data science capability.

What "Proportionate" AML Compliance Actually Means
Proportionality is frequently misread as a licence to do less. It is not. It is permission to concentrate compliance resources where the actual risk is — rather than spreading equal effort across all customers regardless of their risk profile.
For a Tier 2 bank, proportionate compliance means three things in practice.
Automate the process work. Alert generation, threshold calibration triggers, EDD workflow initiation, documentation of alert dispositions — none of these should require analyst decision-making at each step. Every manual step is a point where volume pressure leads to shortcuts, and shortcuts are what examination findings are made of.
Free analyst capacity for work that requires judgement. Complex alert investigations, EDD interviews, SAR filing decisions, examination preparation — these require an experienced analyst's attention and cannot be automated. A team of 8 can do this work well, but only if they are not consuming 3–4 hours per day clearing a backlog of 200 low-quality alerts.
The arithmetic is specific: at a 97% false positive rate on 200 daily alerts, an analyst spends approximately 2.5 minutes on each alert just to clear the queue — that is 500 analyst-minutes, or roughly 8.3 hours, across a team. At a 50% false positive rate on the same 200 alerts, 100 alerts require substantive review. The remaining 100 are flagged for quick closure. Total review time drops to approximately 4–5 hours — returning 3–4 hours of analyst capacity daily for investigation and EDD work. At a 10-person team, that is 30–40% of daily compliance capacity returned to meaningful work.
Build documentation in, not on. Every compliance workflow should generate examination-ready records as a byproduct of normal operation, not as a separate documentation task.
Technology Requirements Specific to Tier 2
The enterprise transaction monitoring systems built for Tier 1 banks assume implementation resources that Tier 2 banks do not have. Multi-month professional services engagements, dedicated data engineering teams, internal model governance functions — these are not realistic for a regional bank with a 5-person technology team and a compliance budget that was set before the current regulatory environment.
Four technology requirements are specific to Tier 2:
Integration simplicity. Many Tier 2 banks run legacy core banking platforms. Cloud-native transaction monitoring platforms with standard API connectivity can connect to core banking data in weeks, not months, without requiring a custom integration project.
Compliance-configurable thresholds. Compliance staff should be able to adjust alert thresholds and add detection scenarios without vendor involvement. Calibration is a compliance function. If it requires a professional services engagement every time a threshold needs updating, calibration will not happen at the frequency regulators expect.
Predictable pricing. Per-transaction pricing models become unpredictable as transaction volumes grow. Tier 2 banks should look for flat-fee or tiered pricing that is budget-predictable against their transaction volume — one less variable in a constrained budget environment.
Exam-ready documentation, automatically. Alert audit trails, calibration records, and model validation documentation should be outputs of the platform's standard operation, not custom report builds. If producing the documentation package for an examination requires a week of manual compilation, the documentation package will always be incomplete.
For a structured framework on evaluating transaction monitoring vendors against these criteria, see the TM Software Buyer's Guide.
APAC-Specific Regulatory Context for Tier 2
Australia. AUSTRAC's risk-based approach explicitly accommodates proportionality — but AUSTRAC has examined and found against credit unions and smaller ADIs for the same monitoring failures as major banks. The AUSTRAC transaction monitoring requirements cover the specific obligations that apply to all reporting entities, regardless of size.
Singapore. MAS Notice 626 applies to all banks licensed in Singapore. For digital banks — which are structurally Tier 2 in Singapore's context — MAS has set explicit expectations that AML maturity should reach equivalence with established banks within 2–3 years of licensing. The MAS transaction monitoring requirements article covers the specific MAS standards in detail.
Malaysia. BNM's AML/CFT Policy Document applies to all licensed institutions. Smaller licensed banks, Islamic banks, and regionally focused institutions have the same CDD, monitoring, and reporting obligations as the major domestic banks. BNM's examination methodology does not grade on institution size.
What an Examination-Ready Tier 2 AML Programme Looks Like
Six elements characterise programmes that hold up to examination at Tier 2 institutions:
- A written AML/CTF programme, Board-approved and reviewed annually
- Transaction monitoring thresholds documented and calibrated against the institution's own customer risk assessment — with a dated record of when calibration was last reviewed and by whom
- An alert investigation workflow that generates a written rationale for every closed alert, including a structured reason code for dispositions that do not result in SAR filing
- EDD workflows triggered automatically by risk rating changes, not by analyst memory
- Annual model validation or rule-set review with documented outcomes, even where the outcome is "no changes required"
- Staff training records, including dates, completion rates, and assessment outcomes by employee
None of these six elements require a large compliance team. They require systems configured to produce the right outputs and workflows designed to generate documentation as a byproduct of normal operation.
How Tookitaki FinCense Fits the Tier 2 Context
Tookitaki's FinCense AML suite is deployed across institution sizes, including Tier 2 banks, digital banks, and licensed challengers in Australia, Singapore, and Malaysia.
FinCense is cloud-native with standard API connectivity, which reduces integration time for institutions that do not have dedicated implementation teams. Compliance staff can configure alert thresholds and detection scenarios without vendor support — calibration happens on the institution's schedule, not when a professional services engagement can be arranged.
APAC-specific typologies and pre-built documentation for AUSTRAC, MAS Notice 626, and BNM's Policy Document are included in the platform. These are not professional services add-ons; they are part of the standard deployment.
In production deployments, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. At a 10-person compliance team processing 200 daily alerts, that returns approximately 3–4 hours of analyst capacity per day — enough to run substantive investigations, keep EDD current, and arrive at examination with documentation that was built during normal operations, not assembled in a panic the week before.
See FinCense in a Tier 2 Bank Context
If your institution is carrying the same AML obligations as the major banks with a fraction of the compliance resources, the question is not whether you need a programme that works — it is whether your current programme will hold up when the examiner arrives.
Book a demo to see FinCense configured for a Tier 2 bank: realistic transaction volumes, a compliance team of fewer than 20, and the documentation outputs that AUSTRAC, MAS, and BNM expect.
If you are still evaluating options, the TM Software Buyer's Guide provides a structured framework for comparing platforms on the criteria that matter most for smaller compliance teams.

Tranche 2 AML Reforms in Australia: What Businesses Need to Do Now
The email from your legal operations director lands on a Tuesday morning. It references something called the AML/CTF Amendment Act 2024. It asks whether your law firm is now a "reporting entity." It asks whether you need to enrol with AUSTRAC.
You are a managing partner. You run a mid-size conveyancing and commercial law practice. You have never thought of your firm as being in the same regulatory category as a bank. You do not have a compliance team. You do not have an AML programme. And somewhere in the back of your mind, you remember hearing about "Tranche 2" a few years ago — and then hearing it had been delayed again.
It has not been delayed again.
The AML/CTF Amendment Act 2024 received Royal Assent on 29 November 2024. If your firm provides designated legal services — real estate transactions, managing client funds, forming companies or trusts, managing assets on behalf of clients — you are captured. The clock is running.

What Tranche 2 Is, and Why It Took 17 Years
Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 — the AML/CTF Act — came into force as Tranche 1. It regulated financial institutions: banks, credit unions, remittance dealers, casinos. Lawyers, accountants, and real estate agents were left out, with an explicit commitment that a second tranche of reforms would extend the regime to designated non-financial businesses and professions (DNFBPs).
That commitment sat largely dormant for 17 years.
The Financial Action Task Force (FATF) conducted a Mutual Evaluation of Australia in 2015 and named the absence of Tranche 2 as a major gap in Australia's AML/CTF framework. Australia's national risk assessment consistently identified real estate, legal services, and corporate structuring as channels for money laundering — yet the lawyers, accountants, and property agents facilitating those transactions had no formal AML obligations. Australia was one of the last FATF member jurisdictions to operate without DNFBP coverage.
The AML/CTF Amendment Act 2024 ends that. It amends the AML/CTF Act 2006 to extend obligations to Tranche 2 entities for the first time. Royal Assent was 29 November 2024.
Who Is Captured Under Tranche 2
Not every professional in a captured sector becomes a reporting entity. The test is whether you provide a "designated service" as defined under the amended Act. The scope matters.
Lawyers and Law Firms
Law firms are captured when providing specific services:
- Acting in the purchase or sale of real property on behalf of a client
- Managing client money, securities, or other assets
- Forming companies, trusts, or other legal entities on behalf of a client
- Acting as a director, secretary, or nominee shareholder for a client
- Providing business sale or purchase advice involving fund transfers
Litigation is not captured. General legal advice is not captured. The obligations attach to the transaction-facing, fund-handling, and corporate-structuring work — the services most associated with money laundering risk.
Accountants
Accountants providing the following services are captured:
- Managing client funds or financial assets
- Forming companies, trusts, or other legal entities
- Providing advice on business acquisition or disposal that involves fund transfers
Tax return preparation alone is not captured. The risk-based logic is the same as for lawyers: the obligations follow the money and the structural work.
Real Estate Agents
Real estate agents acting in the purchase or sale of real property are captured. Property management services are not captured. This distinction matters for agencies that carry both a sales division and a property management business — the compliance obligations attach to the former, not the latter.
Dealers in Precious Metals and Stones
Dealers conducting cash transactions at or above AUD 5,000 are captured. This threshold reflects the cash-intensity risk in this sector. Card or bank transfer transactions below that threshold are not in scope.
Trust and Company Service Providers (TCSPs)
TCSPs are captured for the full range of their entity formation, directorship, and registered office services.
What Tranche 2 Entities Must Do: The Core Obligations
Once captured, the obligations are substantive. They mirror the framework already imposed on financial institutions under the AML/CTF Act 2006, adapted to a professional services context.
Enrol with AUSTRAC. Reporting entities must register with AUSTRAC before providing designated services after the relevant commencement date. AUSTRAC maintains a public register of reporting entities.
Develop an AML/CTF programme. The programme has two parts. Part A is a board-approved risk assessment — a documented analysis of the ML/TF risks your firm faces based on the designated services you provide, the client types you serve, the jurisdictions involved, and the delivery channels used. Part B is the set of controls: customer identification procedures, ongoing monitoring, staff training, and reporting processes.
Customer identification and verification. Before providing a designated service, the entity must identify and verify the customer. For individuals, this typically means collecting and verifying name, date of birth, and address using reliable documentation. For companies and trusts, the obligations extend to beneficial ownership — understanding who ultimately controls or benefits from the entity.
Ongoing customer due diligence. The initial CDD is not a one-time exercise. Entities must monitor existing client relationships for changes in risk profile and update their CDD records accordingly.
Transaction monitoring. Entities must monitor for unusual or suspicious activity. The definition of "unusual" depends on the firm's own risk assessment — a conveyancing practice will have different baseline transaction patterns from an accounting firm that manages investment assets.
File Suspicious Matter Reports (SMRs). Where an entity has reasonable grounds to suspect that a customer or transaction is connected to money laundering or terrorism financing, an SMR must be filed with AUSTRAC within 3 business days of forming that suspicion. The 3-day clock is statutory — it is not extendable because the matter is complex.
File Threshold Transaction Reports (TTRs). Cash transactions of AUD 10,000 or more must be reported to AUSTRAC. This is the same threshold that applies to financial institutions.
Record keeping. Customer due diligence documents and transaction records must be retained for 7 years from the date of the relevant transaction or the end of the business relationship, whichever is later.
AUSTRAC annual compliance report. Reporting entities must submit an annual compliance report to AUSTRAC covering the adequacy of their AML/CTF programme and their compliance during the reporting period.
Phased Implementation: What Is Happening When
The AML/CTF Amendment Act 2024 received Royal Assent on 29 November 2024, but that date did not trigger immediate obligations for Tranche 2 entities. Commencement of specific provisions is subject to Ministerial instruments, and AUSTRAC has signalled a phased approach to give newly captured entities time to build their programmes.
AUSTRAC's published guidance indicates that enrolment obligations and AML/CTF programme development requirements are expected to commence in 2026, with the full suite of reporting and ongoing obligations to follow. However, specific commencement dates for each obligation type remain subject to confirmation through formal commencement instruments.
This is a meaningful distinction. The legislation exists. The obligation to eventually comply is not in doubt. But the date from which AUSTRAC can take enforcement action for non-compliance with a given obligation depends on the commencement date of that obligation — and those dates are being phased, not simultaneous.
What this means in practice: Firms should monitor AUSTRAC's website (austrac.gov.au) for confirmed commencement dates and guidance specific to their sector. AUSTRAC has already published Tranche 2 guidance for lawyers, accountants, real estate agents, and TCSPs. Waiting for a final date before starting programme development is not a sound approach — the lead time required to build a compliant AML/CTF programme is measured in months, not weeks.
What This Means for Banks and Existing Reporting Entities
Tranche 2 does not only affect the newly captured entities. For banks and other financial institutions already operating under the AML/CTF Act 2006, it changes the risk environment in two ways.
The counterparty risk picture changes. Law firms, accounting practices, real estate agencies, and precious metals dealers that were previously unregulated are now reporting entities with their own AML obligations. Banks that hold accounts for these businesses can factor their regulated status into CDD assessments. A law firm that has enrolled with AUSTRAC, implemented an AML/CTF programme, and is actively monitoring for suspicious activity is a materially different risk profile from one that had no such obligations.
Expectations around correspondent and professional services accounts will rise. AUSTRAC is likely to assess whether banks are reflecting the updated regulatory status of Tranche 2 sectors in their own monitoring and CDD frameworks. A bank that continues to treat a law firm client account as low-risk without considering whether that firm has enrolled and implemented its programme is exposed to questions about the adequacy of its own risk assessment.
Property-linked layering — moving proceeds of crime through sequential real estate transactions — is documented in Australia's national money laundering risk assessments as a method that has operated with relative ease due to the absence of AML controls on real estate agents and conveyancers. That gap is now being closed. Banks whose transaction monitoring is tuned to detect this pattern should review whether the new regulated status of real estate agents affects their detection logic.
For more detail on AUSTRAC's expectations for transaction monitoring at financial institutions, see our guide to AUSTRAC transaction monitoring requirements.

Building an AML Programme from Scratch: Seven Steps
For Tranche 2 entities starting from zero, the AML/CTF programme requirement is the most substantive obligation. Here is the structure.
Step 1: Identify your designated services. Not all services a law firm or accounting practice provides are captured. Document which of your services meet the definition of a designated service under the amended Act. This is the scope boundary for everything that follows.
Step 2: Conduct a risk assessment (Part A). For each designated service, assess the money laundering and terrorism financing risks based on: client types (individuals, companies, trusts, politically exposed persons, foreign clients), delivery channels (in-person, remote, intermediary-introduced), transaction types and sizes, and the jurisdictions involved. The risk assessment must be documented and approved at board or senior management level.
Step 3: Design your customer identification procedures. Document exactly what identity information you collect from each customer type, at what point in the engagement, and how you verify it. Verification sources must be reliable and independent. Document what you do when you cannot complete verification.
Step 4: Define your ongoing monitoring approach. For your client base, define what an unusual transaction or instruction looks like. A real estate agent processing a cash contract at AUD 4,800 — just below the AUD 5,000 cash threshold — warrants scrutiny. A law firm receiving funds from an unexpected third party for a property settlement is a red flag regardless of amount. Document your red flag indicators and the escalation process.
Step 5: Establish your SMR and TTR filing process. Designate who is responsible for filing Suspicious Matter Reports. Build the 3-business-day clock into your workflow. For TTRs, create a process that captures cash transactions at or above AUD 10,000 at point of receipt — do not rely on end-of-period reconciliations.
Step 6: Train your staff. Everyone who interacts with clients or handles client funds needs AML/CTF awareness training. Training should cover: what money laundering looks like in your practice context, how to identify red flags, what to do when something feels wrong, and how to report internally without tipping off the client.
Step 7: Establish your record-keeping system. You need to retain CDD documents and transaction records for 7 years. If your firm's document management system was designed for legal file retention rather than AML compliance, you may need a separate system or process for AML records.
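Steps 4, 5 and 7 can be expressed as checks that run when funds are received. The sketch below is an added example, not AUSTRAC's or any vendor's code. The thresholds, the 3-business-day clock and the 7-year retention period come from the text above. The 10% "just below" band, the service labels, the business-day counting convention (weekends and supplied holidays skipped, counting from the day after suspicion is formed) and the sample receipts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Figures taken from the page.
TTR_CASH_THRESHOLD = Decimal("10000")    # AUD, cash: Threshold Transaction Report
DEALER_CASH_THRESHOLD = Decimal("5000")  # AUD, cash: threshold used in Step 4's example
SMR_BUSINESS_DAYS = 3
RETENTION_YEARS = 7
# Assumption (not from the page): "just below" means within 10% under a threshold.
NEAR_BAND = Decimal("0.10")


@dataclass(frozen=True)
class Receipt:
    ref: str
    received: date
    amount: Decimal
    is_cash: bool
    client: str    # the customer the firm identified and verified
    payer: str     # who actually supplied the funds
    service: str   # hypothetical service label


def just_below(amount: Decimal, threshold: Decimal) -> bool:
    """True when the amount sits in the band immediately under a threshold."""
    return threshold * (1 - NEAR_BAND) <= amount < threshold


def screen_receipt(r: Receipt) -> list:
    """Run at point of receipt, not at end-of-period reconciliation."""
    actions = []
    if r.is_cash and r.amount >= TTR_CASH_THRESHOLD:
        actions.append("FILE_TTR")
    if r.is_cash and any(just_below(r.amount, t)
                         for t in (DEALER_CASH_THRESHOLD, TTR_CASH_THRESHOLD)):
        actions.append("REVIEW_NEAR_THRESHOLD")
    if r.service == "property_settlement" and r.payer != r.client:
        actions.append("REVIEW_THIRD_PARTY_FUNDS")  # red flag regardless of amount
    return actions


def smr_due(suspicion_formed: date, holidays=frozenset()) -> date:
    """Last day to file an SMR: 3 business days after the suspicion is formed.

    Assumption: the day the suspicion is formed is day zero, and Saturdays,
    Sundays and any dates in `holidays` do not count.
    """
    current, remaining = suspicion_formed, SMR_BUSINESS_DAYS
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def retain_until(transaction_date: date, relationship_end: Optional[date]) -> date:
    """7 years from the transaction or the end of the relationship, whichever is later."""
    anchor = max(transaction_date, relationship_end or transaction_date)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # anchor is 29 Feb and the target year is not a leap year
        return date(anchor.year + RETENTION_YEARS, 3, 1)  # round up, never under-retain


# Constructed sample receipts (not real data).
SAMPLE = [
    Receipt("R1", date(2026, 3, 2), Decimal("4800"), True, "Client A", "Client A", "property_sale"),
    Receipt("R2", date(2026, 3, 3), Decimal("10000"), True, "Client B", "Client B", "property_sale"),
    Receipt("R3", date(2026, 3, 4), Decimal("250000"), False, "Client C", "Unrelated Pty Ltd",
            "property_settlement"),
    Receipt("R4", date(2026, 3, 5), Decimal("4800"), False, "Client D", "Client D", "property_sale"),
]


def triage(receipts) -> dict:
    """Map each receipt reference to the actions it triggers."""
    return {r.ref: screen_receipt(r) for r in receipts}


if __name__ == "__main__":
    for ref, actions in triage(SAMPLE).items():
        print(ref, actions or ["NO_ACTION"])
    print("SMR due:", smr_due(date(2026, 3, 6)))
    print("Retain until:", retain_until(date(2025, 5, 1), date(2027, 6, 30)))
```

A suspicion formed on a Friday is due the following Wednesday under this counting convention, which is why the clock belongs in the workflow rather than in an analyst's memory.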
AUSTRAC's Enforcement Posture
AUSTRAC has a documented history of supporting newly regulated sectors through education before moving to enforcement. The regulator published Tranche 2-specific guidance and engaged with professional associations in the legal and accounting sectors during the consultation process.
That said, the context for Tranche 2 is different from previous regulatory expansions. Australia has operated without DNFBP AML coverage for 17 years, under sustained FATF scrutiny. The reputational and diplomatic pressure behind Tranche 2 is significant. AUSTRAC is unlikely to treat good-faith ignorance the same way it might have in an earlier era.
AUSTRAC's civil penalty powers apply from commencement. For bodies corporate, civil penalties can reach AUD 17.9 million per contravention. For individuals, penalties are lower but substantial. AUSTRAC also has the power to accept enforceable undertakings, issue infringement notices, and seek injunctions.
The enforcement risk is not theoretical. AUSTRAC has pursued major civil penalty actions against Westpac (AUD 1.3 billion), Commonwealth Bank (AUD 700 million), and SportsSuper. A newly captured entity that makes no effort to enrol or build a programme faces a different enforcement calculus from one that has enrolled, built a programme, and is working through implementation challenges.
Getting the Programme Right
For Tranche 2 entities building their first AML/CTF programme, technology makes a material difference in whether the programme works in practice. A documented policy that exists only on paper will not detect a suspicious transaction or generate a timely SMR.
For institutions already operating under the AML/CTF Act 2006 that need to review their transaction monitoring in light of Tranche 2, our transaction monitoring software buyer's guide covers what to look for in a compliant monitoring system. If you are newer to transaction monitoring concepts, our introduction to transaction monitoring sets out the fundamentals.
Tookitaki's AFC Ecosystem is built for the compliance requirements that AUSTRAC and other regulators enforce. If you are building or upgrading an AML programme for the Australian market — whether as a newly captured Tranche 2 entity or an existing reporting entity adjusting to the new environment — book a demo to see how the platform handles the specific detection and reporting requirements that apply under the AML/CTF Act.
AUSTRAC has confirmed that Tranche 2 obligations are coming. The question now is not whether to build a programme — it is whether to build one before commencement or after the first enforcement action arrives.

Real-Time Transaction Monitoring: How It Works and What APAC Banks Need
When fraud moves in milliseconds, detection must move faster.
Real time transaction monitoring has shifted from a “nice to have” to a “non-negotiable” for banks and fintechs navigating today’s high-speed financial environment. As criminals exploit digital rails and consumers demand instant payments, financial institutions must upgrade their surveillance systems to catch suspicious activity the moment it happens.

What is Real Time Transaction Monitoring?
Real time transaction monitoring is the process of analysing financial transactions as they happen to detect potentially fraudulent or suspicious activity. Instead of scanning data in batches or after the fact, these systems monitor each transaction in the moment — before it's fully executed or settled.
It empowers financial institutions to:
- Flag high-risk transactions instantly
- Halt or hold suspicious transfers in-flight
- Prevent losses before they occur
- Comply with tightening regulatory expectations
Why Real Time Monitoring Matters More Than Ever
The global payment landscape has transformed. In markets like Singapore, where PayNow and FAST are the norm, the speed of money has increased — and so has the risk.
Here’s why real time monitoring is critical:
1. Instant Payments, Instant Threats
With digital transfers happening in seconds, fraudsters exploit the lag between detection and action. Delayed monitoring means criminals can cash out before anyone notices.
2. Regulatory Pressure
Authorities like the Monetary Authority of Singapore (MAS) expect real time vigilance, especially with rising cases of mule accounts and cross-border scams.
3. Consumer Expectations
Customers expect seamless yet secure digital experiences. Real time monitoring helps strike this balance by allowing friction only where needed.
Key Components of a Real Time Monitoring System
A high-functioning real time monitoring platform combines multiple components:
1. Transaction Monitoring Engine
- Scans data streams in milliseconds
- Applies risk rules, scenarios, and models
- Flags anomalies for intervention
2. Risk Scoring Module
- Assigns risk scores to each transaction dynamically
- Takes into account sender/receiver profiles, frequency, amount, geography, and more
3. Alert Management System
- Routes alerts to analysts in real time
- Enables case creation and review
- Facilitates in-line or post-event decisioning
4. Integration Layer
- Hooks into core banking, payment gateways, and customer systems
- Ensures monitoring doesn’t disrupt processing
5. Analytics Dashboard
- Offers real time visibility into flagged transactions
- Allows compliance teams to monitor performance, tune thresholds, and audit responses
For the full evaluation framework — including the 7 questions to ask any vendor about their real-time processing architecture — see our Transaction Monitoring Software Buyer's Guide.
Real World Applications: Common Scenarios Caught by Real Time Monitoring
Real time systems help detect several typologies, such as:
- Account Takeover (ATO): Sudden login from a new device followed by high-value transfers
- Mule Account Activity: Multiple incoming credits followed by quick outward transfers
- Social Engineering Scams: High-risk transaction patterns in elderly or first-time users
- Cross-Border Fraud: Rapid layering of funds via wallets, crypto, or overseas transfers
- Corporate Payment Fraud: Unusual fund movement outside normal payroll or vendor cycles
Real Time vs. Batch Monitoring: What’s the Difference?
Real time transaction monitoring and batch monitoring serve different purposes in financial crime prevention.
Real time monitoring enables banks and fintechs to analyse transactions within milliseconds, allowing immediate action to stop suspicious transfers before they are completed. It is especially suitable for high-risk, high-speed payment environments.
Batch monitoring, on the other hand, processes transactions in groups over hours or days, so detection happens after the event and its effectiveness in preventing fraud is limited. Real time monitoring allows a seamless customer experience with instant decisioning, while batch monitoring may be better suited for retrospective analysis or low-risk transaction patterns. As digital payments accelerate, the limitations of batch monitoring become more evident, making real time capabilities essential for high-risk, high-speed payment channels.
Real-Time Monitoring in Australia's NPP Environment
Australia's New Payments Platform presents a specific challenge that Singapore's PayNow and Malaysia's DuitNow share: once a payment is confirmed, it cannot be recalled. Irrevocability is a feature of instant payment infrastructure, not a defect — but it compresses the compliance team's window for intervention to zero post-settlement.
For Australian banks, the NPP has made batch-processing monitoring architecturally insufficient. A monitoring system that evaluates transactions in end-of-day sweeps will detect fraud and structuring patterns — but only after the funds have moved irrevocably. AUSTRAC's Chapter 16 monitoring obligations expect continuous transaction monitoring as a live function, not a periodic review. "Continuous" and "batch" are incompatible.
What pre-settlement processing means in practice
A pre-settlement monitoring system evaluates each transaction at the point of initiation — before the NPP payment is confirmed — rather than after settlement. The evaluation runs against the customer's risk profile, transaction history, and the institution's typology library. If the transaction is flagged, it can be held for review before it becomes irrevocable.
Pre-settlement processing is not unique to NPP — it is the same requirement that PayNow and FAST instant transfers created for Singapore institutions, and that FPX and DuitNow created for Malaysian ones. In each case, the monitoring logic must run faster than the payment rails.
When evaluating real-time monitoring systems for any APAC jurisdiction with instant payment infrastructure, ask specifically: at what point in the payment lifecycle does your system evaluate the transaction? "Real-time" and "near-real-time" are not the same thing when the payment settles in two seconds.
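The difference between pre-settlement evaluation and an end-of-day sweep can be shown by replaying the same payments through one rule in both modes. This is an added example, not FinCense's or any vendor's logic. The rule encodes the mule-account pattern listed earlier (multiple incoming credits followed by a quick outward transfer). The window, counts, pass-through ratio, account names and sample payments are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str
    ts: int        # seconds since the start of the constructed sample
    debtor: str    # paying account
    creditor: str  # receiving account
    amount: int    # whole currency units


class MuleRule:
    """Multiple incoming credits followed by a quick outward transfer.

    All parameters are assumed values; a real deployment calibrates them
    against the institution's own customer risk assessment.
    """

    def __init__(self, window_s=3600, min_credits=3, min_senders=3, pass_through=0.8):
        self.window_s = window_s
        self.min_credits = min_credits
        self.min_senders = min_senders
        self.pass_through = pass_through
        # account -> settled credits as (ts, sender, amount), oldest first
        self.credits = defaultdict(deque)

    def flags(self, p: Payment) -> bool:
        """Evaluate an outgoing payment against the debtor's recent inflows."""
        recent = self.credits[p.debtor]
        while recent and p.ts - recent[0][0] > self.window_s:
            recent.popleft()  # expire credits older than the window
        inflow = sum(amount for _, _, amount in recent)
        senders = {sender for _, sender, _ in recent}
        return (len(recent) >= self.min_credits
                and len(senders) >= self.min_senders
                and p.amount >= self.pass_through * inflow)

    def record_settlement(self, p: Payment) -> None:
        """Called once a payment has settled and is irrevocable."""
        self.credits[p.creditor].append((p.ts, p.debtor, p.amount))


def replay(payments, pre_settlement: bool) -> dict:
    """Replay payments in time order.

    pre_settlement=True : a flagged payment is held and never reaches the rail.
    pre_settlement=False: models a batch sweep, where the flag is only raised
                          after the payment has already settled.
    """
    rule = MuleRule()
    settled, flagged = [], []
    for p in sorted(payments, key=lambda x: x.ts):
        hit = rule.flags(p)
        if hit:
            flagged.append(p.ref)
        if hit and pre_settlement:
            continue  # held for review before it becomes irrevocable
        rule.record_settlement(p)
        settled.append(p.ref)
    return {"settled": settled, "flagged": flagged}


def irrevocable_loss(result: dict, payments) -> int:
    """Sum of flagged payments that settled anyway."""
    by_ref = {p.ref: p for p in payments}
    return sum(by_ref[ref].amount for ref in result["flagged"] if ref in result["settled"])


# Constructed sample: M1 receives three credits, then forwards almost all of it.
SAMPLE = [
    Payment("T1", 0, "V1", "M1", 900),
    Payment("T2", 120, "V2", "M1", 1100),
    Payment("T3", 300, "EMPLOYER", "A1", 5000),
    Payment("T4", 420, "V3", "M1", 1000),
    Payment("T5", 600, "A1", "LANDLORD", 1500),
    Payment("T6", 700, "M1", "X9", 2900),
]

if __name__ == "__main__":
    for mode in (True, False):
        result = replay(SAMPLE, pre_settlement=mode)
        label = "pre-settlement" if mode else "batch sweep"
        print(label, result, "loss:", irrevocable_loss(result, SAMPLE))
```

Both modes flag the same payment; only the pre-settlement run keeps the funds from leaving the account.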

Challenges in Implementing Real Time Monitoring
Despite its value, many institutions face hurdles in deployment:
1. Latency
Latency is not just a technical performance issue: AUSTRAC Rule 16 expects continuous monitoring. A system with processing latency above NPP settlement time cannot satisfy the continuous monitoring requirement for instant payments.
2. False positive volume
A 95%+ false positive rate is not a minor inconvenience. At 400 alerts per day, that is 380+ dead-end investigations consuming analyst capacity that should be directed at genuine risk. AUSTRAC examination findings consistently cite "alert fatigue" and backlogged queues as evidence of inadequate programme maintenance.
3. Calibration drift
A system calibrated at go-live and never adjusted will diverge from the institution's actual risk profile within 12–18 months. AUSTRAC expects thresholds to reflect the current customer risk assessment — not the one that existed at implementation.
Tookitaki’s FinCense: Real Time Monitoring with Intelligence
Tookitaki’s compliance platform, FinCense, is designed to handle real time transaction risks with precision and scale. It offers:
- Streaming-first architecture for real time ingestion and decisioning
- AI-powered scenario engine to detect new and evolving typologies
- Auto-narration and AI investigation copilot to speed up case reviews
- Federated learning from a global AML/Fraud community
- Graph analytics to uncover hidden networks of mules, scammers, or shell firms
Deployed across major banks and fintechs in Singapore and the region, FinCense is redefining what real time compliance means.
Singapore’s Real Time Risk Landscape: Local Insights
1. Rise in Social Engineering and ATO Scams
MAS has issued multiple alerts this year highlighting the rise in impersonation and wallet-draining scams. Real time risk signals such as sudden logins or high-value transfers are critical indicators.
2. Real Time Cross-Border Transactions
Fintech players facilitating remittances must monitor intra-second fund movements across geographies. Real time sanction checks and typology simulation are essential.
3. Scam Interception Strategies
Local banks are deploying real time risk-based prompts — e.g., asking for re-confirmation or delaying high-risk transactions for manual review.
Best Practices for Effective Real Time Monitoring
Here’s how institutions can maximise their real time monitoring impact:
- Invest in modular platforms that support both AML and fraud use cases
- Use dynamic thresholds tuned by AI and behavioural analysis
- Integrate external intelligence — blacklists, scam reports, network data
- Avoid over-engineering. Start with high-risk channels (e.g., instant payments)
- Ensure full audit trails and explainability for regulatory reviews
For background on how transaction monitoring works and why the architecture matters, see what is transaction monitoring.
What's Changing in Real-Time Transaction Monitoring in 2026
Three developments are already reshaping monitoring requirements for APAC institutions — not future trends, but changes that are in effect now:
Australia's Tranche 2 expansion: The AML/CTF Amendment Act 2024 extends AML obligations to lawyers, accountants, real estate agents, and dealers in precious metals from 2026. For existing reporting entities — banks and payment institutions — the immediate effect is a more complex counterparty risk environment. More newly-regulated entities will be transacting through bank accounts. Monitoring systems need to handle a higher baseline of risk without generating proportionally more false positives.
MAS's updated supervisory focus post-2023: Following the S$3 billion enforcement action, MAS's 2024 supervisory expectations document specifically named inadequate alert calibration and weak investigation documentation as recurring examination failures. Institutions relying on out-of-the-box detection scenarios without evidence of threshold calibration will face findings in 2026 MAS examinations.
The hybrid detection standard: AUSTRAC and MAS have both signalled that rules-only monitoring systems are insufficient for modern financial crime patterns, particularly authorised push payment (APP) scams, synthetic identity fraud, and coordinated mule account networks. The current standard is hybrid: rules for known typologies, ML-based anomaly detection for emerging patterns. A monitoring system built on static rules and updated quarterly cannot keep pace with fraud that evolves in days.
For APAC compliance teams building or upgrading a real-time monitoring programme, the two most common implementation failures are selecting a system that cannot process pre-settlement transactions on instant payment rails, and deploying without a calibration process tied to the institution's customer risk assessment.
Tookitaki's FinCense evaluates transactions pre-settlement across NPP, PayNow, FAST, FPX, and InstaPay — the instant payment systems used across its APAC deployment base. Alert thresholds are calibrated to each institution's customer profile rather than applied from generic defaults, which directly addresses the calibration deficiencies that featured in both the AUSTRAC and MAS enforcement actions.
Book a demo to see FinCense running against real-time payment scenarios specific to your institution and regulatory environment. Or start with the Transaction Monitoring Software Buyer's Guide to build the evaluation framework first.

AML Compliance for Tier 2 Banks: What Smaller Institutions Need to Get Right
AUSTRAC publishes its examination priorities for the year. The CCO at a regional Australian bank reads the list. Calibrated alert thresholds. Documentation of alert dispositions. EDD for high-risk customers. Periodic re-screening for PEPs.
The list looks the same as last year. And the year before.
The difference is that her team is 8 people — not 80. The obligation does not scale down with the headcount.
This is the operating reality for AML compliance at Tier 2 banks across Australia, Singapore, and Malaysia. Regional banks, digital banks, foreign bank branches, credit unions with banking licences — institutions that are fully regulated, fully examined, and fully liable, but are not Commonwealth Bank, DBS, or Maybank. The same rules apply. The resources do not.
This article covers where Tier 2 AML programmes most commonly fail examination, what "proportionate" compliance actually requires in practice, and how mid-size institutions build programmes that hold up without the 50-person compliance team.

The Regulatory Reality: Same Obligations, Different Resources
AUSTRAC, MAS, and BNM do not operate two-tier AML standards. The AML/CTF Act 2006 applies to every reporting entity in Australia regardless of asset size. MAS Notice 626 applies to every bank licensed in Singapore. BNM's AML/CFT Policy Document applies to every licensed institution in Malaysia.
The only concession regulators make is proportionality. A risk-based approach means the scale of an AML programme should reflect the scale of the risk — the volume and nature of transactions, the customer risk profile, the jurisdictions involved. But the programme must exist, be effective, and produce documentation that survives examination.
Proportionality is not a waiver.
Westpac's AUD 1.3 billion penalty in 2020 was for a major bank. But AUSTRAC has also pursued civil penalty orders against smaller ADIs and credit unions for the same category of failures: uncalibrated monitoring thresholds, inadequate EDD, insufficient transaction reporting. The regulator's methodology does not change based on the institution's size. The fine may differ; the finding does not.
For Tier 2 banks in Singapore, MAS has been direct: digital banks licensed under the 2020 digital banking framework should reach AML maturity equivalent to established banks within 2–3 years of licensing. "We are new" has a shelf life. For Tier 2 institutions in Malaysia, BNM's Policy Document draws no distinction between Maybank and a smaller licensed Islamic bank on the core obligations for CDD, transaction monitoring, and suspicious transaction reporting.
Five Gaps Where Tier 2 Banks Fail Examination
Gap 1: Default Threshold Settings on Transaction Monitoring
The most common finding across AUSTRAC and MAS examinations of smaller institutions is transaction monitoring software running on vendor-default alert thresholds.
Default thresholds are calibrated for a generic customer population. A regional Australian bank with 80% SME customers needs different alert logic than a consumer retail bank. A digital bank in Singapore whose customers are predominantly salaried individuals transferring payroll needs different parameters than a trade finance operation. When the thresholds do not reflect the institution's actual customer base, two things happen: analysts receive alerts that are irrelevant to real risk, and the transactions that represent genuine risk pass without triggering review.
AUSTRAC's published guidance on transaction monitoring is explicit on this point. MAS expects institutions to document their threshold calibration rationale and demonstrate that calibration is reviewed periodically against the institution's current risk profile. An undated configuration file from the vendor implementation three years ago does not meet that standard.
See our transaction monitoring software buyer's guide for the evaluation criteria that matter when institutions are selecting a platform — threshold configurability is one of five criteria that directly affect examination outcomes.
Gap 2: Alert Backlogs from High False Positive Rates
A Tier 2 bank running a legacy rules-only transaction monitoring system at a 97% false positive rate and processing 200 alerts per day needs 2–3 full-time analysts to do nothing except clear the alert queue. For a compliance team of 8, that is 25–37% of total capacity consumed by alert triage before a single investigation has started.
The consequence is not just inefficiency. It is a programme that cannot function as designed. Analysts clearing high-volume, low-quality alert queues develop pattern fatigue. Genuine risk signals get the same 30-second review as the 97% of alerts that will be closed as false positives. EDD interviews do not happen because there is no analyst capacity to conduct them. Examination preparation is squeezed into the two weeks before the examiner arrives.
False positive rates are not a fixed cost of running a transaction monitoring programme. Legacy rules-only systems produce high false positive rates because they apply static thresholds to dynamic customer behaviour. Typology-driven, behaviour-based detection — which incorporates how a customer's transaction patterns change over time, not just whether a single transaction crosses a threshold — consistently produces lower false positive rates. The technology gap between rule-based and behaviour-based monitoring is the single largest source of operational inefficiency for Tier 2 compliance teams.
Gap 3: Inconsistent EDD Application
Large banks have EDD workflows automated into their CRM and compliance systems. When a customer's risk rating changes, the system triggers an EDD task, assigns it to an analyst, and tracks completion. The process is not dependent on an individual's memory.
Tier 2 banks frequently run manual EDD processes. PEP screening happens at onboarding. Periodic re-screening often does not — or it happens for some customers and not others, depending on which analyst handles the review. Corporate customers with complex beneficial ownership structures receive initial CDD at onboarding; the review when the ultimate beneficial owner changes is missed because there is no system trigger.
BNM's Policy Document, MAS Notice 626, and AUSTRAC's rules all require EDD to be applied to high-risk customers on an ongoing basis, not just at the point of relationship establishment. "Ongoing" is not annual if the customer's risk profile changes quarterly. An examination finding in this area typically cites specific customer accounts where EDD was not conducted after a risk rating change — not a policy gap, but an execution gap.
Gap 4: Inadequate Documentation of Alert Dispositions
Alert closed. No SAR filed. No written rationale recorded.
In a team under sustained volume pressure, documentation shortcuts are predictable. An analyst who closes 40 alerts in a day and writes a full rationale for 15 of them is not cutting corners deliberately — the queue does not allow otherwise.
AUSTRAC and MAS treat undocumented alert closures as programme failures. Not because the disposition decision was necessarily wrong, but because there is no evidence that a human reviewed the alert and made a considered decision. From an examination standpoint, an alert with no documented rationale is indistinguishable from an alert that was never reviewed. The regulator cannot distinguish between "reviewed and correctly closed" and "bypassed."
This is a systems problem, not a people problem. Alert documentation should be generated as part of the disposition workflow, not as a separate manual step. Every alert closure should require a rationale field — even if the rationale is a structured selection from a drop-down of standard reasons. The documentation burden should be close to zero per alert for straightforward dispositions.
Gap 5: No Model Validation for ML-Based Detection
Tier 2 banks that have moved to AI-augmented transaction monitoring frequently lack the model governance infrastructure to validate that detection models are performing correctly over time.
A model trained on transaction data from 2022 that has never been retrained is not performing at specification in 2026. Customer behaviour shifts. Payment methods change. New typologies emerge. Without periodic model validation — testing whether the model's detection performance against current transaction patterns matches its baseline specification — the institution cannot make the assertion that its monitoring programme is effective.
MAS has flagged model governance as an emerging examination area. For Tier 2 banks, the challenge is that model validation at large banks is done by internal quant teams with the expertise to run performance tests, backtesting, and drift analysis. A 10-person compliance team at a regional bank does not have that capability in-house.
The answer is not to avoid AI-augmented monitoring. It is to select platforms where model validation documentation is generated automatically, and where retraining and recalibration is a vendor-supported function, not a requirement to build internal data science capability.

What "Proportionate" AML Compliance Actually Means
Proportionality is frequently misread as a licence to do less. It is not. It is permission to concentrate compliance resources where the actual risk is — rather than spreading equal effort across all customers regardless of their risk profile.
For a Tier 2 bank, proportionate compliance means three things in practice.
Automate the process work. Alert generation, threshold calibration triggers, EDD workflow initiation, documentation of alert dispositions — none of these should require analyst decision-making at each step. Every manual step is a point where volume pressure leads to shortcuts, and shortcuts are what examination findings are made of.
Free analyst capacity for work that requires judgement. Complex alert investigations, EDD interviews, SAR filing decisions, examination preparation — these require an experienced analyst's attention and cannot be automated. A team of 8 can do this work well, but only if they are not consuming 3–4 hours per day clearing a backlog of 200 low-quality alerts.
The arithmetic is specific: at a 97% false positive rate on 200 daily alerts, an analyst spends approximately 2.5 minutes on each alert just to clear the queue — that is 500 analyst-minutes, or roughly 8.3 hours, across a team. At a 50% false positive rate on the same 200 alerts, 100 alerts require substantive review. The remaining 100 are flagged for quick closure. Total review time drops to approximately 4–5 hours — returning 3–4 hours of analyst capacity daily for investigation and EDD work. At a 10-person team, that is 30–40% of daily compliance capacity returned to meaningful work.
Build documentation in, not on. Every compliance workflow should generate examination-ready records as a byproduct of normal operation, not as a separate documentation task.
Technology Requirements Specific to Tier 2
The enterprise transaction monitoring systems built for Tier 1 banks assume implementation resources that Tier 2 banks do not have. Multi-month professional services engagements, dedicated data engineering teams, internal model governance functions — these are not realistic for a regional bank with a 5-person technology team and a compliance budget that was set before the current regulatory environment.
Four technology requirements are specific to Tier 2:
Integration simplicity. Many Tier 2 banks run legacy core banking platforms. Cloud-native transaction monitoring platforms with standard API connectivity can connect to core banking data in weeks, not months, without requiring a custom integration project.
Compliance-configurable thresholds. Compliance staff should be able to adjust alert thresholds and add detection scenarios without vendor involvement. Calibration is a compliance function. If it requires a professional services engagement every time a threshold needs updating, calibration will not happen at the frequency regulators expect.
Predictable pricing. Per-transaction pricing models become unpredictable as transaction volumes grow. Tier 2 banks should look for flat-fee or tiered pricing that is budget-predictable against their transaction volume — one less variable in a constrained budget environment.
Exam-ready documentation, automatically. Alert audit trails, calibration records, and model validation documentation should be outputs of the platform's standard operation, not custom report builds. If producing the documentation package for an examination requires a week of manual compilation, the documentation package will always be incomplete.
For a structured framework on evaluating transaction monitoring vendors against these criteria, see the TM Software Buyer's Guide.
APAC-Specific Regulatory Context for Tier 2
Australia. AUSTRAC's risk-based approach explicitly accommodates proportionality — but AUSTRAC has examined and found against credit unions and smaller ADIs for the same monitoring failures as major banks. The AUSTRAC transaction monitoring requirements cover the specific obligations that apply to all reporting entities, regardless of size.
Singapore. MAS Notice 626 applies to all banks licensed in Singapore. For digital banks — which are structurally Tier 2 in Singapore's context — MAS has set explicit expectations that AML maturity should reach equivalence with established banks within 2–3 years of licensing. The MAS transaction monitoring requirements article covers the specific MAS standards in detail.
Malaysia. BNM's AML/CFT Policy Document applies to all licensed institutions. Smaller licensed banks, Islamic banks, and regionally focused institutions have the same CDD, monitoring, and reporting obligations as the major domestic banks. BNM's examination methodology does not grade on institution size.
What an Examination-Ready Tier 2 AML Programme Looks Like
Six elements characterise programmes that hold up to examination at Tier 2 institutions:
- A written AML/CTF programme, Board-approved and reviewed annually
- Transaction monitoring thresholds documented and calibrated against the institution's own customer risk assessment — with a dated record of when calibration was last reviewed and by whom
- An alert investigation workflow that generates a written rationale for every closed alert, including a structured reason code for dispositions that do not result in SAR filing
- EDD workflows triggered automatically by risk rating changes, not by analyst memory
- Annual model validation or rule-set review with documented outcomes, even where the outcome is "no changes required"
- Staff training records, including dates, completion rates, and assessment outcomes by employee
None of these six elements require a large compliance team. They require systems configured to produce the right outputs and workflows designed to generate documentation as a byproduct of normal operation.
How Tookitaki FinCense Fits the Tier 2 Context
Tookitaki's FinCense AML suite is deployed across institution sizes, including Tier 2 banks, digital banks, and licensed challengers in Australia, Singapore, and Malaysia.
FinCense is cloud-native with standard API connectivity, which reduces integration time for institutions that do not have dedicated implementation teams. Compliance staff can configure alert thresholds and detection scenarios without vendor support — calibration happens on the institution's schedule, not when a professional services engagement can be arranged.
APAC-specific typologies and pre-built documentation for AUSTRAC, MAS Notice 626, and BNM's Policy Document are included in the platform. These are not professional services add-ons; they are part of the standard deployment.
In production deployments, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. At a 10-person compliance team processing 200 daily alerts, that returns approximately 3–4 hours of analyst capacity per day — enough to run substantive investigations, keep EDD current, and arrive at examination with documentation that was built during normal operations, not assembled in a panic the week before.
See FinCense in a Tier 2 Bank Context
If your institution is carrying the same AML obligations as the major banks with a fraction of the compliance resources, the question is not whether you need a programme that works — it is whether your current programme will hold up when the examiner arrives.
Book a demo to see FinCense configured for a Tier 2 bank: realistic transaction volumes, a compliance team of fewer than 20, and the documentation outputs that AUSTRAC, MAS, and BNM expect.
If you are still evaluating options, the TM Software Buyer's Guide provides a structured framework for comparing platforms on the criteria that matter most for smaller compliance teams.

Tranche 2 AML Reforms in Australia: What Businesses Need to Do Now
The email from your legal operations director lands on a Tuesday morning. It references something called the AML/CTF Amendment Act 2024. It asks whether your law firm is now a "reporting entity." It asks whether you need to enrol with AUSTRAC.
You are a managing partner. You run a mid-size conveyancing and commercial law practice. You have never thought of your firm as being in the same regulatory category as a bank. You do not have a compliance team. You do not have an AML programme. And somewhere in the back of your mind, you remember hearing about "Tranche 2" a few years ago — and then hearing it had been delayed again.
It has not been delayed again.
The AML/CTF Amendment Act 2024 received Royal Assent on 29 November 2024. If your firm provides designated legal services — real estate transactions, managing client funds, forming companies or trusts, managing assets on behalf of clients — you are captured. The clock is running.

What Tranche 2 Is, and Why It Took 17 Years
Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 — the AML/CTF Act — came into force as Tranche 1. It regulated financial institutions: banks, credit unions, remittance dealers, casinos. Lawyers, accountants, and real estate agents were left out, with an explicit commitment that a second tranche of reforms would extend the regime to designated non-financial businesses and professions (DNFBPs).
That commitment sat largely dormant for 17 years.
The Financial Action Task Force (FATF) conducted a Mutual Evaluation of Australia in 2015 and named the absence of Tranche 2 as a major gap in Australia's AML/CTF framework. Australia's national risk assessment consistently identified real estate, legal services, and corporate structuring as channels for money laundering — yet the lawyers, accountants, and property agents facilitating those transactions had no formal AML obligations. Australia was one of the last FATF member jurisdictions to operate without DNFBP coverage.
The AML/CTF Amendment Act 2024 ends that. It amends the AML/CTF Act 2006 to extend obligations to Tranche 2 entities for the first time. Royal Assent was 29 November 2024.
Who Is Captured Under Tranche 2
Not every professional in a captured sector becomes a reporting entity. The test is whether you provide a "designated service" as defined under the amended Act. The scope matters.
Lawyers and Law Firms
Law firms are captured when providing specific services:
- Acting in the purchase or sale of real property on behalf of a client
- Managing client money, securities, or other assets
- Forming companies, trusts, or other legal entities on behalf of a client
- Acting as a director, secretary, or nominee shareholder for a client
- Providing business sale or purchase advice involving fund transfers
Litigation is not captured. General legal advice is not captured. The obligations attach to the transaction-facing, fund-handling, and corporate-structuring work — the services most associated with money laundering risk.
Accountants
Accountants providing the following services are captured:
- Managing client funds or financial assets
- Forming companies, trusts, or other legal entities
- Providing advice on business acquisition or disposal that involves fund transfers
Tax return preparation alone is not captured. The risk-based logic is the same as for lawyers: the obligations follow the money and the structural work.
Real Estate Agents
Real estate agents acting in the purchase or sale of real property are captured. Property management services are not captured. This distinction matters for agencies that carry both a sales division and a property management business — the compliance obligations attach to the former, not the latter.
Dealers in Precious Metals and Stones
Dealers conducting cash transactions at or above AUD 5,000 are captured. This threshold reflects the cash-intensity risk in this sector. Card or bank transfer transactions below that threshold are not in scope.
Trust and Company Service Providers (TCSPs)
TCSPs are captured for the full range of their entity formation, directorship, and registered office services.
What Tranche 2 Entities Must Do: The Core Obligations
Once captured, the obligations are substantive. They mirror the framework already imposed on financial institutions under the AML/CTF Act 2006, adapted to a professional services context.
Enrol with AUSTRAC. Reporting entities must register with AUSTRAC before providing designated services after the relevant commencement date. AUSTRAC maintains a public register of reporting entities.
Develop an AML/CTF programme. The programme has two parts. Part A is a board-approved risk assessment — a documented analysis of the ML/TF risks your firm faces based on the designated services you provide, the client types you serve, the jurisdictions involved, and the delivery channels used. Part B is the set of controls: customer identification procedures, ongoing monitoring, staff training, and reporting processes.
Customer identification and verification. Before providing a designated service, the entity must identify and verify the customer. For individuals, this typically means collecting and verifying name, date of birth, and address using reliable documentation. For companies and trusts, the obligations extend to beneficial ownership — understanding who ultimately controls or benefits from the entity.
Ongoing customer due diligence. The initial CDD is not a one-time exercise. Entities must monitor existing client relationships for changes in risk profile and update their CDD records accordingly.
Transaction monitoring. Entities must monitor for unusual or suspicious activity. The definition of "unusual" depends on the firm's own risk assessment — a conveyancing practice will have different baseline transaction patterns from an accounting firm that manages investment assets.
File Suspicious Matter Reports (SMRs). Where an entity has reasonable grounds to suspect that a customer or transaction is connected to money laundering or terrorism financing, an SMR must be filed with AUSTRAC within 3 business days of forming that suspicion. The 3-day clock is statutory — it is not extendable because the matter is complex.
File Threshold Transaction Reports (TTRs). Cash transactions of AUD 10,000 or more must be reported to AUSTRAC. This is the same threshold that applies to financial institutions.
Record keeping. Customer due diligence documents and transaction records must be retained for 7 years from the date of the relevant transaction or the end of the business relationship, whichever is later.
AUSTRAC annual compliance report. Reporting entities must submit an annual compliance report to AUSTRAC covering the adequacy of their AML/CTF programme and their compliance during the reporting period.
Phased Implementation: What Is Happening When
The AML/CTF Amendment Act 2024 received Royal Assent on 29 November 2024, but that date did not trigger immediate obligations for Tranche 2 entities. Commencement of specific provisions is subject to Ministerial instruments, and AUSTRAC has signalled a phased approach to give newly captured entities time to build their programmes.
AUSTRAC's published guidance indicates that enrolment obligations and AML/CTF programme development requirements are expected to commence in 2026, with the full suite of reporting and ongoing obligations to follow. However, specific commencement dates for each obligation type remain subject to confirmation through formal commencement instruments.
This is a meaningful distinction. The legislation exists. The obligation to eventually comply is not in doubt. But the date from which AUSTRAC can take enforcement action for non-compliance with a given obligation depends on the commencement date of that obligation — and those dates are being phased, not simultaneous.
What this means in practice: Firms should monitor AUSTRAC's website (austrac.gov.au) for confirmed commencement dates and guidance specific to their sector. AUSTRAC has already published Tranche 2 guidance for lawyers, accountants, real estate agents, and TCSPs. Waiting for a final date before starting programme development is not a sound approach — the lead time required to build a compliant AML/CTF programme is measured in months, not weeks.
What This Means for Banks and Existing Reporting Entities
Tranche 2 does not only affect the newly captured entities. For banks and other financial institutions already operating under the AML/CTF Act 2006, it changes the risk environment in two ways.
The counterparty risk picture changes. Law firms, accounting practices, real estate agencies, and precious metals dealers that were previously unregulated are now reporting entities with their own AML obligations. Banks that hold accounts for these businesses can factor their regulated status into CDD assessments. A law firm that has enrolled with AUSTRAC, implemented an AML/CTF programme, and is actively monitoring for suspicious activity is a materially different risk profile from one that had no such obligations.
Expectations around correspondent and professional services accounts will rise. AUSTRAC is likely to assess whether banks are reflecting the updated regulatory status of Tranche 2 sectors in their own monitoring and CDD frameworks. A bank that continues to treat a law firm client account as low-risk without considering whether that firm has enrolled and implemented its programme is exposed to questions about the adequacy of its own risk assessment.
Property-linked layering — moving proceeds of crime through sequential real estate transactions — is documented in Australia's national money laundering risk assessments as a method that has operated with relative ease due to the absence of AML controls on real estate agents and conveyancers. That gap is now being closed. Banks whose transaction monitoring is tuned to detect this pattern should review whether the new regulated status of real estate agents affects their detection logic.
For more detail on AUSTRAC's expectations for transaction monitoring at financial institutions, see our guide to AUSTRAC transaction monitoring requirements.

Building an AML Programme from Scratch: Seven Steps
For Tranche 2 entities starting from zero, the AML/CTF programme requirement is the most substantive obligation. Here is the structure.
Step 1: Identify your designated services. Not all services a law firm or accounting practice provides are captured. Document which of your services meet the definition of a designated service under the amended Act. This is the scope boundary for everything that follows.
Step 2: Conduct a risk assessment (Part A). For each designated service, assess the money laundering and terrorism financing risks based on: client types (individuals, companies, trusts, politically exposed persons, foreign clients), delivery channels (in-person, remote, intermediary-introduced), transaction types and sizes, and the jurisdictions involved. The risk assessment must be documented and approved at board or senior management level.
Step 3: Design your customer identification procedures. Document exactly what identity information you collect from each customer type, at what point in the engagement, and how you verify it. Verification sources must be reliable and independent. Document what you do when you cannot complete verification.
Step 4: Define your ongoing monitoring approach. For your client base, define what an unusual transaction or instruction looks like. A real estate agent processing a cash contract at AUD 4,800 — just below the AUD 5,000 cash threshold — warrants scrutiny. A law firm receiving funds from an unexpected third party for a property settlement is a red flag regardless of amount. Document your red flag indicators and the escalation process.
Step 5: Establish your SMR and TTR filing process. Designate who is responsible for filing Suspicious Matter Reports. Build the 3-business-day clock into your workflow. For TTRs, create a process that captures cash transactions at or above AUD 10,000 at point of receipt — do not rely on end-of-period reconciliations.
Step 6: Train your staff. Everyone who interacts with clients or handles client funds needs AML/CTF awareness training. Training should cover: what money laundering looks like in your practice context, how to identify red flags, what to do when something feels wrong, and how to report internally without tipping off the client.
Step 7: Establish your record-keeping system. You need to retain CDD documents and transaction records for 7 years. If your firm's document management system was designed for legal file retention rather than AML compliance, you may need a separate system or process for AML records.
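Steps 4 and 5 as an intake check, added here as an example and not code from AUSTRAC or from this page's author: it flags a cash receipt for a TTR at the point of receipt, marks amounts just under a threshold for review, and computes the SMR deadline from the date suspicion was formed. Treating a business day as Monday to Friday minus a caller-supplied holiday list, counting from the day after suspicion, the 5% near-threshold margin, and all names and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TTR_THRESHOLD_AUD = 10_000     # from the page: cash of AUD 10,000 or more
SMR_BUSINESS_DAYS = 3          # from the page: 3 business days
NEAR_THRESHOLD_MARGIN = 0.05   # assumption: within 5% below a threshold


def add_business_days(start, days, holidays=frozenset()):
    """Counts forward from the day after `start`, skipping weekends and
    any dates in `holidays` (assumed definition of a business day)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def smr_due_date(suspicion_formed, holidays=frozenset()):
    """Last day on which the SMR can still be filed on time."""
    return add_business_days(suspicion_formed, SMR_BUSINESS_DAYS, holidays)


def smr_status(suspicion_formed, today, filed_on=None, holidays=frozenset()):
    """Returns (status, due_date) so the workflow can escalate open items."""
    due = smr_due_date(suspicion_formed, holidays)
    if filed_on is not None:
        return ("FILED_ON_TIME" if filed_on <= due else "FILED_LATE", due)
    return ("OVERDUE" if today > due else "OPEN", due)


@dataclass(frozen=True)
class CashReceipt:
    received_on: date
    amount_aud: float
    client: str   # hypothetical client reference


def assess_receipt(receipt, threshold=TTR_THRESHOLD_AUD):
    """Runs when cash is received, not at end-of-period reconciliation."""
    ttr = receipt.amount_aud >= threshold
    floor = threshold * (1 - NEAR_THRESHOLD_MARGIN)
    near = (not ttr) and receipt.amount_aud >= floor
    return {"ttr_required": ttr, "near_threshold_review": near}


def run_sample():
    """Constructed sample values, not real cases."""
    easter = frozenset({date(2026, 4, 3), date(2026, 4, 6)})  # sample holidays
    return {
        "cash_10000": assess_receipt(
            CashReceipt(date(2026, 3, 2), 10_000, "CLIENT-001")),
        "cash_4800_vs_5000": assess_receipt(
            CashReceipt(date(2026, 3, 2), 4_800, "CLIENT-002"), threshold=5_000),
        "smr_due_plain": smr_due_date(date(2026, 4, 2)),
        "smr_due_with_holidays": smr_due_date(date(2026, 4, 2), easter),
        "smr_open_item": smr_status(date(2026, 3, 6), today=date(2026, 3, 12)),
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, value)
```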
AUSTRAC's Enforcement Posture
AUSTRAC has a documented history of supporting newly regulated sectors through education before moving to enforcement. The regulator published Tranche 2-specific guidance and engaged with professional associations in the legal and accounting sectors during the consultation process.
That said, the context for Tranche 2 is different from previous regulatory expansions. Australia has operated without DNFBP AML coverage for 17 years, under sustained FATF scrutiny. The reputational and diplomatic pressure behind Tranche 2 is significant. AUSTRAC is unlikely to treat good-faith ignorance the same way it might have in an earlier era.
AUSTRAC's civil penalty powers apply from commencement. For bodies corporate, civil penalties can reach AUD 17.9 million per contravention. For individuals, penalties are lower but substantial. AUSTRAC also has the power to accept enforceable undertakings, issue infringement notices, and seek injunctions.
The enforcement risk is not theoretical. AUSTRAC has pursued major civil penalty actions against Westpac (AUD 1.3 billion), Commonwealth Bank (AUD 700 million), and SportsSuper. A newly captured entity that makes no effort to enrol or build a programme faces a different enforcement calculus from one that has enrolled, built a programme, and is working through implementation challenges.
Getting the Programme Right
For Tranche 2 entities building their first AML/CTF programme, technology makes a material difference in whether the programme works in practice. A documented policy that exists only on paper will not detect a suspicious transaction or generate a timely SMR.
For institutions already operating under the AML/CTF Act 2006 that need to review their transaction monitoring in light of Tranche 2, our transaction monitoring software buyer's guide covers what to look for in a compliant monitoring system. If you are newer to transaction monitoring concepts, our introduction to transaction monitoring sets out the fundamentals.
Tookitaki's AFC Ecosystem is built for the compliance requirements that AUSTRAC and other regulators enforce. If you are building or upgrading an AML programme for the Australian market — whether as a newly captured Tranche 2 entity or an existing reporting entity adjusting to the new environment — book a demo to see how the platform handles the specific detection and reporting requirements that apply under the AML/CTF Act.
AUSTRAC has confirmed that Tranche 2 obligations are coming. The question now is not whether to build a programme — it is whether to build one before commencement or after the first enforcement action arrives.

Real-Time Transaction Monitoring: How It Works and What APAC Banks Need
When fraud moves in milliseconds, detection must move faster.
Real time transaction monitoring has shifted from a “nice to have” to a “non-negotiable” for banks and fintechs navigating today’s high-speed financial environment. As criminals exploit digital rails and consumers demand instant payments, financial institutions must upgrade their surveillance systems to catch suspicious activity the moment it happens.

What is Real Time Transaction Monitoring?
Real time transaction monitoring is the process of analysing financial transactions as they happen to detect potentially fraudulent or suspicious activity. Instead of scanning data in batches or after the fact, these systems monitor each transaction in the moment — before it's fully executed or settled.
It empowers financial institutions to:
- Flag high-risk transactions instantly
- Halt or hold suspicious transfers in-flight
- Prevent losses before they occur
- Comply with tightening regulatory expectations
Why Real Time Monitoring Matters More Than Ever
The global payment landscape has transformed. In markets like Singapore, where PayNow and FAST are the norm, the speed of money has increased — and so has the risk.
Here’s why real time monitoring is critical:
1. Instant Payments, Instant Threats
With digital transfers happening in seconds, fraudsters exploit the lag between detection and action. Delayed monitoring means criminals can cash out before anyone notices.
2. Regulatory Pressure
Authorities like the Monetary Authority of Singapore (MAS) expect real time vigilance, especially with rising cases of mule accounts and cross-border scams.
3. Consumer Expectations
Customers expect seamless yet secure digital experiences. Real time monitoring helps strike this balance by allowing friction only where needed.
Key Components of a Real Time Monitoring System
A high-functioning real time monitoring platform combines multiple components:
1. Transaction Monitoring Engine
- Scans data streams in milliseconds
- Applies risk rules, scenarios, and models
- Flags anomalies for intervention
2. Risk Scoring Module
- Assigns risk scores to each transaction dynamically
- Takes into account sender/receiver profiles, frequency, amount, geography, and more
3. Alert Management System
- Routes alerts to analysts in real time
- Enables case creation and review
- Facilitates in-line or post-event decisioning
4. Integration Layer
- Hooks into core banking, payment gateways, and customer systems
- Ensures monitoring doesn’t disrupt processing
5. Analytics Dashboard
- Offers real time visibility into flagged transactions
- Allows compliance teams to monitor performance, tune thresholds, and audit responses
For the full evaluation framework — including the 7 questions to ask any vendor about their real-time processing architecture — see our Transaction Monitoring Software Buyer's Guide.
Real World Applications: Common Scenarios Caught by Real Time Monitoring
Real time systems help detect several typologies, such as:
- Account Takeover (ATO): Sudden login from a new device followed by high-value transfers
- Mule Account Activity: Multiple incoming credits followed by quick outward transfers
- Social Engineering Scams: High-risk transaction patterns in elderly or first-time users
- Cross-Border Fraud: Rapid layering of funds via wallets, crypto, or overseas transfers
- Corporate Payment Fraud: Unusual fund movement outside normal payroll or vendor cycles
Real Time vs. Batch Monitoring: What’s the Difference?
Real time transaction monitoring and batch monitoring serve different purposes in financial crime prevention.
Real time monitoring enables banks and fintechs to analyse transactions within milliseconds, allowing immediate action to stop suspicious transfers before they are completed. It is especially suitable for high-risk, high-speed payment environments.
Batch monitoring, on the other hand, processes transactions in groups over hours or days, which limits its effectiveness in preventing fraud because detection happens after the event. While real time monitoring allows a seamless customer experience with instant decisioning, batch monitoring may be better suited for retrospective analysis or low-risk transaction patterns. As digital payments accelerate, the limitations of batch monitoring become more evident, making real time capabilities essential for modern financial institutions.
While batch monitoring still plays a role in retrospective analysis, real time systems are essential for high-risk, high-speed payment channels.
Real-Time Monitoring in Australia's NPP Environment
Australia's New Payments Platform presents a specific challenge that Singapore's PayNow and Malaysia's DuitNow share: once a payment is confirmed, it cannot be recalled. Irrevocability is a feature of instant payment infrastructure, not a defect — but it compresses the compliance team's window for intervention to zero post-settlement.
For Australian banks, the NPP has made batch-processing monitoring architecturally insufficient. A monitoring system that evaluates transactions in end-of-day sweeps will detect fraud and structuring patterns — but only after the funds have moved irrevocably. AUSTRAC's Chapter 16 monitoring obligations expect continuous transaction monitoring as a live function, not a periodic review. "Continuous" and "batch" are incompatible.
For more detail on AUSTRAC's expectations for transaction monitoring at financial institutions, see our guide to AUSTRAC transaction monitoring requirements.
What pre-settlement processing means in practice
A pre-settlement monitoring system evaluates each transaction at the point of initiation — before the NPP payment is confirmed — rather than after settlement. The evaluation runs against the customer's risk profile, transaction history, and the institution's typology library. If the transaction is flagged, it can be held for review before it becomes irrevocable.
Pre-settlement processing is not unique to NPP — it is the same requirement that PayNow and FAST instant transfers created for Singapore institutions, and that FPX and DuitNow created for Malaysian ones. In each case, the monitoring logic must run faster than the payment rails.
When evaluating real-time monitoring systems for any APAC jurisdiction with instant payment infrastructure, ask specifically: at what point in the payment lifecycle does your system evaluate the transaction? "Real-time" and "near-real-time" are not the same thing when the payment settles in two seconds.
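The pre-settlement evaluation described above, applied to the mule-account pattern listed earlier (multiple incoming credits followed by quick outward transfers), as an added example that is not from the original page or from any vendor's product. The window, sender-count and pass-through thresholds, the class and account names, and the sample payments are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values for illustration only; a real programme calibrates
# these against its own customer risk assessment.
WINDOW = timedelta(minutes=30)   # look-back window for settled activity
MIN_SENDERS = 3                  # distinct senders that count as fan-in
PASS_THROUGH_RATIO = 0.8         # share of recent credits leaving again


@dataclass(frozen=True)
class Payment:
    ts: datetime
    src: str
    dst: str
    amount: float


class PreSettlementMonitor:
    """Evaluates each payment at initiation and returns HOLD or RELEASE.

    Only released payments are recorded as settled, so a held payment
    stays out of the history until an analyst decides on it.
    """

    def __init__(self):
        self.credits = defaultdict(deque)  # account -> (ts, sender, amount)
        self.debits = defaultdict(deque)   # account -> (ts, amount)

    def _expire(self, account, now):
        # Drop settled activity that has aged out of the look-back window.
        for queue in (self.credits[account], self.debits[account]):
            while queue and now - queue[0][0] > WINDOW:
                queue.popleft()

    def evaluate(self, p):
        """Runs before settlement; returns (decision, reason)."""
        self._expire(p.src, p.ts)
        credits = self.credits[p.src]
        senders = {sender for _, sender, _ in credits}
        received = sum(amount for _, _, amount in credits)
        # Cumulative outflow in the window, including this payment.
        outflow = sum(amount for _, amount in self.debits[p.src]) + p.amount
        fan_in = len(senders) >= MIN_SENDERS
        if fan_in and outflow >= PASS_THROUGH_RATIO * received:
            reason = (f"{len(senders)} senders credited {received:.2f} within "
                      f"{WINDOW}; outflow would reach {outflow:.2f}")
            return "HOLD", reason
        self.debits[p.src].append((p.ts, p.amount))
        self.credits[p.dst].append((p.ts, p.src, p.amount))
        return "RELEASE", "no fan-in/pass-through pattern in window"


def run_sample():
    """Runs constructed sample payments (not real data) in time order."""
    def at(hhmm):
        return datetime.strptime("2026-03-02 " + hhmm, "%Y-%m-%d %H:%M")

    sample = [
        Payment(at("09:00"), "EMPLOYER", "ACC-N", 3000.0),
        Payment(at("10:00"), "ACC-A", "ACC-M", 900.0),
        Payment(at("10:04"), "ACC-B", "ACC-M", 950.0),
        Payment(at("10:07"), "ACC-C", "ACC-M", 1000.0),
        Payment(at("10:09"), "ACC-M", "ACC-X", 2700.0),  # fan-in, then drain
        Payment(at("10:10"), "ACC-M", "ACC-X", 1400.0),  # below the ratio
        Payment(at("10:11"), "ACC-M", "ACC-Z", 1400.0),  # cumulative crosses it
        Payment(at("10:15"), "ACC-N", "SHOP", 120.0),    # ordinary spend
    ]
    monitor = PreSettlementMonitor()
    return [(p.src, p.dst, p.amount, *monitor.evaluate(p)) for p in sample]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Because the outflow is summed over the window, the third transfer from ACC-M is held even though it is no larger than the one released a minute earlier.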

Challenges in Implementing Real Time Monitoring
Despite its value, many institutions face hurdles in deployment:
1. Latency
Not just a technical performance issue — AUSTRAC Rule 16 expects continuous monitoring. A system with processing latency above NPP settlement time cannot satisfy the continuous monitoring requirement for instant payments.
2. False positive volume
A 95%+ false positive rate is not a minor inconvenience. At 400 alerts per day, that is 380+ dead-end investigations consuming analyst capacity that should be directed at genuine risk. AUSTRAC examination findings consistently cite "alert fatigue" and backlogged queues as evidence of inadequate programme maintenance.
3. Calibration drift
A system calibrated at go-live and never adjusted will diverge from the institution's actual risk profile within 12–18 months. AUSTRAC expects thresholds to reflect the current customer risk assessment — not the one that existed at implementation.
Tookitaki’s FinCense: Real Time Monitoring with Intelligence
Tookitaki’s compliance platform, FinCense, is designed to handle real time transaction risks with precision and scale. It offers:
- Streaming-first architecture for real time ingestion and decisioning
- AI-powered scenario engine to detect new and evolving typologies
- Auto-narration and AI investigation copilot to speed up case reviews
- Federated learning from a global AML/Fraud community
- Graph analytics to uncover hidden networks of mules, scammers, or shell firms
Deployed across major banks and fintechs in Singapore and the region, FinCense is redefining what real time compliance means.
Singapore’s Real Time Risk Landscape: Local Insights
1. Rise in Social Engineering and ATO Scams
MAS has issued multiple alerts this year highlighting the rise in impersonation and wallet-draining scams. Real time risk signals such as sudden logins or high-value transfers are critical indicators.
2. Real Time Cross-Border Transactions
Fintech players facilitating remittances must monitor intra-second fund movements across geographies. Real time sanction checks and typology simulation are essential.
3. Scam Interception Strategies
Local banks are deploying real time risk-based prompts — e.g., asking for re-confirmation or delaying high-risk transactions for manual review.
Best Practices for Effective Real Time Monitoring
Here’s how institutions can maximise their real time monitoring impact:
- Invest in modular platforms that support both AML and fraud use cases
- Use dynamic thresholds tuned by AI and behavioural analysis
- Integrate external intelligence — blacklists, scam reports, network data
- Avoid over-engineering. Start with high-risk channels (e.g., instant payments)
- Ensure full audit trails and explainability for regulatory reviews
For background on how transaction monitoring works and why the architecture matters, see "What is transaction monitoring".
What's Changing in Real-Time Transaction Monitoring in 2026
Three developments are already reshaping monitoring requirements for APAC institutions — not future trends, but changes that are in effect now:
Australia's Tranche 2 expansion: The AML/CTF Amendment Act 2024 extends AML obligations to lawyers, accountants, real estate agents, and dealers in precious metals from 2026. For existing reporting entities — banks and payment institutions — the immediate effect is a more complex counterparty risk environment. More newly-regulated entities will be transacting through bank accounts. Monitoring systems need to handle a higher baseline of risk without generating proportionally more false positives.
MAS's updated supervisory focus post-2023: Following the S$3 billion enforcement action, MAS's 2024 supervisory expectations document specifically named inadequate alert calibration and weak investigation documentation as recurring examination failures. Institutions relying on out-of-the-box detection scenarios without evidence of threshold calibration will face findings in 2026 MAS examinations.
The hybrid detection standard: AUSTRAC and MAS have both signalled that rules-only monitoring systems are insufficient for modern financial crime patterns, particularly authorised push payment (APP) scams, synthetic identity fraud, and coordinated mule account networks. The current standard is hybrid: rules for known typologies, ML-based anomaly detection for emerging patterns. A monitoring system built on static rules and updated quarterly cannot keep pace with fraud that evolves in days.
For APAC compliance teams building or upgrading a real-time monitoring programme, the two most common implementation failures are selecting a system that cannot process pre-settlement transactions on instant payment rails, and deploying without a calibration process tied to the institution's customer risk assessment.
Tookitaki's FinCense evaluates transactions pre-settlement across NPP, PayNow, FAST, FPX, and InstaPay — the instant payment systems used across its APAC deployment base. Alert thresholds are calibrated to each institution's customer profile rather than applied from generic defaults, which directly addresses the calibration deficiencies that featured in both the AUSTRAC and MAS enforcement actions.


