In the constantly evolving world of Anti-Money Laundering (AML) regulations, staying compliant without compromising operational efficiency is a balancing act. One term you might have come across is Simplified Due Diligence (SDD). But what exactly does it mean, and how can it be effectively employed without running afoul of regulatory mandates?
This guide aims to break down the complexities of SDD, making it understandable even if you're not a legal expert. We'll cover what qualifies for SDD, how to go about the process, and pitfalls to avoid. Whether you're a seasoned compliance officer or new to the field, this article is designed to equip you with the knowledge you need to implement SDD successfully.
What is SDD (Simplified Due Diligence)?
Imagine you're buying a second-hand bicycle. You wouldn't just hand over your money without first checking that the brakes work, right? The same principle applies to the financial world; before businesses establish a relationship with new customers, they need to know who they're dealing with. This process is called due diligence. Simplified Due Diligence (SDD), also known as Simplified Customer Due Diligence, is a lighter version of this check-up, meant for low-risk clients.
SDD allows you to verify the customer's identity quickly and efficiently, without going through extensive procedures. It is the most basic level of customer due diligence, designed for individuals or businesses with a very low risk of money laundering or terrorist financing.
The steps involved in the SDD process include customer identification, verification of beneficial ownership, understanding the purpose and nature of the relationship, and ongoing monitoring. By following these steps, businesses can ensure that they have a basic understanding of their low-risk customers while minimizing the burden of extensive due diligence procedures.
Example: Let's say you operate a small online store. For low-value transactions, you might not need to know the customer's entire life history. Here, SDD comes in handy.
Eligibility Criteria for SDD
Not every Tom, Dick, or Harry is eligible for SDD. Regulations typically reserve it for clients with lower risks of money laundering or terrorist financing. So what are the criteria? Generally, the customer's transactions should be small and infrequent, and their source of funds should be transparent.
To qualify for SDD, certain criteria must be met, which can vary depending on the jurisdiction. SDD is typically required when establishing a business relationship, when there are suspicions of money laundering or terrorist financing, when the financial institution questions the adequacy of previously obtained customer identification data, or when conducting occasional transactions above a specific threshold.
Example: A retired school teacher who occasionally makes small investments could be an ideal candidate for SDD.
SDD Process for Customer Onboarding
If a customer is eligible for SDD, the next step is onboarding them. This involves collecting some basic information like their name, address, and reason for conducting business. You don't need to go deep, like you would in a standard due diligence process. But you still have to be thorough enough to avoid pitfalls.
Example: Think of it like a quick health check-up instead of a comprehensive medical exam.
Risks and Limitations of SDD
No process is foolproof. SDD has its limitations and can be prone to misuse if not carefully managed. It's essential to regularly review SDD classifications to make sure they still apply.
AML Simplified Due Diligence (SDD) may not be suitable for customers with changing transaction patterns or increased risk. As a business, it's crucial to monitor your customers' activities to ensure they still meet the requirements for SDD. If a customer who was previously eligible for SDD starts conducting larger transactions, it could indicate a higher risk of money laundering or terrorist financing. In such cases, it's advisable to shift them to the standard due diligence process to gather more detailed information and mitigate potential risks.
Additionally, SDD has its own limitations. While it provides a lighter and quicker verification process for low-risk customers, it may not uncover all potential risks associated with them. SDD focuses primarily on customer identification, beneficial ownership verification, and understanding the nature of the relationship. However, it may not delve deep into other aspects, such as source of funds or the customer's background. Therefore, businesses must be aware of these limitations and supplement SDD with additional measures, such as ongoing monitoring and periodic reviews, to ensure comprehensive risk management.
In conclusion, while AML Simplified Due Diligence offers a streamlined process for low-risk customers, it's important to regularly review and reassess their eligibility for SDD. Monitoring customer activities and promptly identifying any changes in risk patterns can help businesses take necessary actions, such as shifting customers to a more robust due diligence process when required. Additionally, understanding the limitations of SDD and implementing supplementary risk management measures will contribute to a more effective overall due diligence strategy.
Example: Let's say a customer who initially qualified for SDD starts making larger transactions. In this case, you might need to shift them to standard due diligence.
Best Practices for Implementing SDD
Getting SDD right is crucial for both compliance and operational efficiency. Here are some best practices:
- Implementing Simplified Due Diligence (SDD) is essential for businesses to maintain compliance and improve operational efficiency. To ensure success, there are several best practices to follow. Firstly, it is crucial to be proactive and not wait for red flags to review SDD criteria. Regularly reviewing and updating the classification of customers will help identify any potential risks that may have been missed initially.
- Secondly, businesses should automate the SDD process where possible. By utilizing software and technology, the SDD process can be made faster and more reliable. For instance, integrating machine learning algorithms that can sift through customer data to identify suitable candidates for SDD can significantly reduce manual labor and streamline the process.
- Lastly, regular audits are necessary to ensure that SDD cases still meet the established criteria. As business relationships and customer profiles change over time, it is important to consistently review SDD cases to identify any updates or changes that need to be made. This helps to maintain the effectiveness of the SDD process and ensures that any potential risks are identified and addressed promptly.
By implementing these best practices, businesses can enhance their SDD process and effectively manage customer due diligence. This not only improves compliance with regulatory requirements but also helps to safeguard against potential risks and maintain a strong reputation in the financial world.
Example: Consider integrating machine learning algorithms that can sift through customer data to identify suitable candidates for SDD, thus reducing manual labor.
Difference Between Simplified, Standard, and Enhanced Due Diligence
Just like a traffic light has three colors, due diligence also comes in three varieties. Simplified Due Diligence (SDD), Standard Due Diligence (CDD), and Enhanced Due Diligence (EDD) are three different levels of due diligence used to assess the risk associated with customers. Here's a simple breakdown of their differences:
- SDD: Suitable for low-risk customers, SDD requires basic information and is like a 'green light' where things are generally good to go.
- CDD: This is the 'yellow light' of due diligence and requires a bit more caution and scrutiny. CDD involves verifying customer identity, assessing the nature of the relationship, and understanding the purpose of the transactions.
- EDD: Think of EDD as the 'red light' where high-risk clients require additional layers of scrutiny. EDD involves a more in-depth investigation, including detailed financial history, employment verification, and even social connections.
While SDD focuses primarily on customer identification and understanding the nature of the relationship, it may not delve deep into other aspects like the source of funds. Hence, it's important for businesses to be aware of the limitations of SDD and supplement it with additional risk management measures when necessary.
Final Words
In conclusion, Simplified Due Diligence (SDD) is not a way to bypass regulations but rather a streamlined approach designed for low-risk customers. By implementing SDD wisely, businesses can save time and resources while remaining compliant with Anti-Money Laundering (AML) laws. It is important to understand that SDD may not uncover all potential risks associated with customers, so it is crucial to regularly evaluate and update your due diligence processes.
By following these best practices, being proactive, automating processes where possible, and conducting regular audits, financial institutions can strengthen their due diligence efforts and mitigate the risks associated with money laundering and other financial crimes. Stay informed about the latest updates in AML regulations and adapt your processes accordingly to ensure compliance and protect your business from potential risks. Remember, thorough due diligence is essential for maintaining the integrity of your institution and safeguarding against financial crimes.
To ensure effective Customer Due Diligence measures and stay ahead in the fight against financial crimes, financial institutions can benefit from advanced AML solutions provided by Tookitaki. With their cutting-edge technology and expertise, Tookitaki offers innovative solutions that automate and enhance the due diligence process, making it easier for compliance officers to navigate the complexities of AML regulations. Don't miss out on the opportunity to improve your customer onboarding process - try Tookitaki's advanced AML solutions today!
Frequently Asked Questions (FAQs)
When can you do simplified due diligence?
You can perform SDD when a customer poses a lower risk for money laundering or terrorist financing.
What are the three types of due diligence?
The three types are Simplified Due Diligence (SDD), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD).
What is the difference between standard due diligence and simplified due diligence?
Standard due diligence is more detailed and is used for average-risk customers, while simplified due diligence is a lighter process used for low-risk customers.
Our Thought Leadership Guides
From Fake Emails to Gold Bullion: What Australia’s Latest Scam Case Reveals
Business email compromise usually starts quietly. A changed invoice. A compromised inbox. A payment instruction that looks familiar enough to pass without question.
But what happens after the money leaves the victim’s account is where the story becomes bigger than cybercrime.
Australia’s latest BEC-related case shows how quickly stolen funds can move from a fake email trail into high-value assets such as gold bullion. For banks, fintechs, payment firms, and AML teams, the lesson is clear: scam prevention cannot stop at the moment of payment. The laundering often begins immediately after.

1. Background of the scam
In May 2026, NSW Police Cybercrime Squad detectives, assisted by the AFP-led Joint Policing Cybercrime Coordination Centre, charged three people after an investigation into an alleged AUD 600,000 business email compromise scam. The investigation, known as Strike Force Downstream, focused on suspicious funds believed to be proceeds of crime obtained through BEC activity.
The case stood out because of what allegedly happened after the funds were obtained. According to the AFP, JPC3 analysts and industry partners found evidence of a 20-year-old woman allegedly purchasing AUD 100,000 worth of gold bullion on five occasions within a two-week period. Information provided by National Australia Bank helped identify suspicious funds believed to be proceeds of a BEC scam.
Police arrested the woman at a gold dealership in Sydney’s CBD on 14 May 2026. Two men, aged 36 and 29, who were accompanying her were also arrested. During a search of the group’s car, police seized AUD 34,000 in cash and three mobile phones. A later search warrant at an apartment in Zetland uncovered further mobile phones and documents.
The trio were charged with offences including dealing with proceeds of crime, dealing with identity information to commit an indictable offence, and participating in a criminal group contributing to criminal activity. The AFP also stated that about AUD 300,000 of the funds allegedly stolen in the BEC scam had been recovered.
This is what makes the case relevant beyond the immediate arrests. It allegedly shows the next stage of the financial crime lifecycle: converting scam proceeds into a high-value, portable asset.
2. Impact of the scandal on Australian finance
Australia’s financial sector is facing a growing overlap between scams, cybercrime, identity misuse, and money laundering. BEC scams are especially dangerous because they exploit trusted business processes. A fake invoice or altered payment instruction can look legitimate until the money has already moved.
The national scam picture remains serious. The ACCC reported that Australians lost more than AUD 2 billion to scams in 2025, with the Targeting Scams Report covering scam activity across Scamwatch, ReportCyber, AFCX, IDCARE and ASIC.
For financial institutions, the issue is not only whether a scam payment can be stopped before it leaves the victim. The bigger challenge is what happens after the payment lands.
Funds can be moved across accounts, withdrawn in cash, sent to third parties, converted into crypto, used to buy luxury goods, or placed into high-value assets such as gold. In this case, the alleged repeated purchase of gold bullion became a key suspicious pattern.
This matters because it shifts the control question. Banks and payment firms need to ask not only: “Was this payment authorised?” They also need to ask: “Does the receiving account behaviour make sense?”
That distinction is important. A BEC payment may arrive in an account looking like a normal business transfer. But what follows may reveal the laundering pattern: rapid movement, asset conversion, cash handling, linked parties, or activity inconsistent with the account holder’s profile.

3. Implications and repercussions
The first implication is that BEC must be treated as both a fraud risk and an AML risk. The cyber compromise may start the event, but the movement and conversion of funds create proceeds-of-crime exposure.
The second implication is that high-value asset purchases need sharper monitoring. Gold bullion, luxury goods, vehicles, property, and digital assets can all be used to convert stolen money into assets that are easier to store, transport, resell, or conceal. The red flag is not the asset itself. The red flag is the pattern around it.
The third implication is that identity misuse remains central to scam operations. In this case, some of the charges included alleged dealing with identity information to commit an indictable offence. That points to the wider ecosystem behind scams, where identity information, mule accounts, payment rails, and asset conversion may all support the same criminal workflow.
The fourth implication is that collaboration is no longer optional. The AFP highlighted the role of JPC3, NSW Police, industry partners, and National Australia Bank in identifying suspicious funds and disrupting the activity. AFP Superintendent Marie Andersson also noted that timely information from NAB was crucial in helping police act quickly.
This is the direction of travel for financial crime prevention in Australia: faster intelligence sharing, stronger public-private coordination, and more connected controls across cyber, fraud, and AML teams.
4. Key takeaways
For banks, fintechs, payment firms, and high-value asset sectors, this case offers several practical lessons.
Scam money moves fast. Once funds are obtained, criminals may try to convert them quickly into cash, gold, crypto, luxury goods, or cross-border transfers.
The receiving account matters. Fraud prevention often focuses on the sender, but laundering detection depends heavily on what the recipient does after receiving the funds.
Asset conversion is a critical red flag. Repeated high-value purchases shortly after unusual incoming funds should trigger review, especially when the behaviour does not match the customer profile.
Identity risk and transaction risk must be connected. Identity misuse, suspicious account behaviour, and unusual fund flows should not be reviewed in separate silos.
Early escalation improves recovery. In this case, the AFP said about AUD 300,000 of the allegedly stolen funds had been recovered, reinforcing the value of timely detection and reporting.
The AFP also recommends that businesses verify payment requests through trusted contacts, implement the ACSC’s Essential Eight mitigation strategies, contact their financial institution immediately if they suspect an incorrect payment, and report suspicious activity through ReportCyber.
5. The role of AML technology in preventing future scandals
Modern AML technology can help financial institutions detect the laundering phase of scam activity faster and with better context.
In cases like this, the suspicious behaviour may not sit in one transaction. It sits in the sequence.
A large incoming transfer. A short time gap. A high-value asset purchase. Cash withdrawals. Multiple devices. Linked parties. New beneficiaries. Activity that does not match the customer’s normal profile.
Individually, some of these signals may look explainable. Together, they may point to the laundering of scam proceeds.
This is where Tookitaki’s FinCense can support financial institutions. FinCense brings AML monitoring, fraud detection, customer risk scoring, alert prioritisation, case investigation, and regulatory reporting into a more unified financial crime control environment.
For BEC-related laundering, FinCense can help institutions detect patterns such as:
- Sudden high-value credits followed by rapid outbound movement
- Repeat payments to high-value asset dealers
- Mule-like account behaviour after receiving third-party funds
- Activity inconsistent with the customer’s expected profile
- Unusual cash withdrawals after suspected scam proceeds are received
- Beneficiary and counterparty patterns linked to known typologies
- Cross-account and cross-channel movement that may be missed in siloed systems
The value is not only in generating alerts. It is in helping investigators understand why the activity is risky, how the transactions connect, and what should be reviewed next.
Technology cannot replace human judgement. But it can help compliance teams identify suspicious sequences earlier, prioritise the highest-risk cases, and act before stolen funds disappear into assets, cash, or cross-border channels.
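The sequence described in this section (an out-of-profile credit, a short gap, repeated asset purchases, cash) can be expressed as a small detection rule. The following is an added example, not code from the original article or from FinCense; the category labels, thresholds and sample ledgers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    ts: datetime
    direction: str   # "credit" or "debit"
    amount: float    # AUD
    category: str    # label assigned upstream (assumed taxonomy)

# Assumed labels for channels that convert funds into portable assets.
ASSET_CATEGORIES = {"bullion_dealer", "luxury_goods", "crypto_exchange"}

def find_conversion_sequences(txns, expected_monthly_turnover,
                              window=timedelta(days=14),
                              credit_multiple=3.0,
                              min_asset_purchases=2,
                              depletion_ratio=0.5):
    """Flag credits that exceed the customer's profile and are followed,
    inside `window`, by at least two further laundering signals."""
    ordered = sorted(txns, key=lambda t: t.ts)
    findings = []
    for i, credit in enumerate(ordered):
        if credit.direction != "credit":
            continue
        # Signal 1: the credit is out of line with the expected profile.
        if credit.amount < credit_multiple * expected_monthly_turnover:
            continue
        followers = [t for t in ordered[i + 1:]
                     if t.direction == "debit" and t.ts - credit.ts <= window]
        asset = [t for t in followers if t.category in ASSET_CATEGORIES]
        cash = [t for t in followers if t.category == "cash_withdrawal"]
        converted = sum(t.amount for t in asset + cash)
        signals = ["credit_exceeds_profile"]
        if len(asset) >= min_asset_purchases:
            signals.append("repeat_asset_purchase")
        if cash:
            signals.append("cash_after_credit")
        if converted >= depletion_ratio * credit.amount:
            signals.append("rapid_conversion")
        # A single follow-on signal may be explainable; the combination is not.
        if len(signals) >= 3:
            findings.append({"credit_ts": credit.ts,
                             "credit_amount": credit.amount,
                             "converted": converted,
                             "signals": signals})
    return findings

def _day(n):
    # Constructed timeline; the dates carry no meaning.
    return datetime(2026, 1, 1) + timedelta(days=n)

# Constructed ledger: large third-party credit, then repeated bullion buys and cash.
SUSPICIOUS = [
    Txn(_day(0), "credit", 250_000, "transfer"),
    Txn(_day(2), "debit", 50_000, "bullion_dealer"),
    Txn(_day(3), "debit", 120, "groceries"),
    Txn(_day(5), "debit", 50_000, "bullion_dealer"),
    Txn(_day(9), "debit", 50_000, "bullion_dealer"),
    Txn(_day(10), "debit", 9_000, "cash_withdrawal"),
]

# Constructed ledger: large credit and one modest bullion purchase. The asset
# alone is not the red flag, so this account produces no finding.
EXPLAINABLE = [
    Txn(_day(0), "credit", 60_000, "transfer"),
    Txn(_day(6), "debit", 10_000, "bullion_dealer"),
]

if __name__ == "__main__":
    for finding in find_conversion_sequences(SUSPICIOUS, expected_monthly_turnover=4_000):
        print(finding)
    print(find_conversion_sequences(EXPLAINABLE, expected_monthly_turnover=4_000))
```
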
6. Conclusion
Australia’s alleged AUD 600,000 BEC case is more than a story about fake emails and gold bullion. It is a warning about how modern financial crime works.
Cyber compromise, payment fraud, identity misuse, mule activity, and money laundering are increasingly part of the same chain. When controls operate in silos, criminals benefit from the gaps between them.
For Australian financial institutions, the path forward is clear. Scam prevention must be connected to AML monitoring. Customer risk must be connected to transaction behaviour. Fraud teams must work with compliance teams. And public-private intelligence sharing must become faster and more actionable.
The lesson from this case is simple: follow the money after the scam. That is often where the real financial crime story begins.

AML Compliance for Private Banks and Wealth Managers in Asia
In August 2023, Singapore authorities charged ten foreign nationals following a three-year investigation into a money laundering network that had moved over SGD 3 billion through Singapore's financial system. The funds flowed through private banking accounts, luxury real estate, and investment holdings. Several of the individuals involved held accounts at multiple licensed private banks. The total amount seized — cash, properties, vehicles, luxury goods, and financial assets — exceeded SGD 2.8 billion, making it the largest money laundering seizure in Singapore's history.
The case was not unique in its method. It was notable for its scale. Private banking and wealth management channels in Asia have consistently featured in major money laundering investigations because they combine the features that make ML risk hardest to manage: high-value low-frequency transactions, complex beneficial ownership structures, high proportions of PEP-adjacent clients, and cross-border account relationships that limit visibility into source of funds.
For compliance teams at private banks, family offices, and wealth management firms operating in Asia, this guide covers the specific AML obligations, the most common examination failures, and what effective controls look like at this end of the market.

Why Private Banking Carries the Highest AML Risk
Three structural features of private banking make it the highest-risk segment in financial services from an AML perspective:
Client profile. High-net-worth and ultra-high-net-worth clients include a disproportionate share of PEPs, former PEPs, and PEP family members and close associates. They also include business owners with complex corporate structures, individuals from high-risk jurisdictions, and clients with offshore holding arrangements. The customer risk component of a private bank's AML risk assessment will almost always score higher than that of a retail bank serving comparable volumes.
Transaction patterns. Private banking transactions are typically infrequent but very high value — large investment flows, property purchases, trust transfers, and cross-border portfolio movements. Standard transaction monitoring rules calibrated for retail banking volumes do not detect suspicious patterns in low-frequency high-value activity. A private banking client who transfers USD 5 million to an offshore account once generates no alerts in a system looking for repeated sub-threshold transactions.
Ownership complexity. Private banking clients frequently hold assets through trusts, foundations, special purpose vehicles, and multi-layer corporate structures spanning multiple jurisdictions. Identifying the ultimate beneficial owner (UBO) behind a Cayman Islands holding company, a BVI trust, and a Singapore private limited company requires manual investigation that automated onboarding systems are not designed to perform.
The Regulatory Framework in Asia
MAS (Singapore)
MAS Notice 654 (private banks) and the broader Notice 626 framework set the requirements for Singapore-licensed private banks. Key requirements specific to private banking include:
- Cross-border private banking: Non-face-to-face account opening for non-residents must include additional verification steps. MAS requires private banks to assess the AML/CFT standards of the client's country of residence before proceeding.
- PEP requirements: Foreign PEPs require senior management approval before account opening. MAS is explicit that PEP approval cannot be delegated below the level of senior management. Documentation must evidence that the source of wealth and source of funds have been independently verified — not just declared by the client.
- Source of wealth verification: Declarations alone are insufficient. MAS expects private banks to obtain corroborating documentation: audited financial statements, business sale agreements, inheritance documentation, or other verifiable evidence of how the client accumulated their wealth.
- Ongoing monitoring: Private bank accounts must be subject to ongoing monitoring calibrated to the client's risk profile. For PEPs and high-risk clients, this should include adverse media screening at defined intervals — not just at onboarding.
Following the 2023 SGD 3 billion case, MAS issued additional guidance in 2024 tightening expectations on source of wealth documentation and cross-border account monitoring for private banking clients. Institutions should ensure their programmes reflect these updated expectations.
AUSTRAC (Australia)
AUSTRAC's AML/CTF framework applies to Australian private banks and wealth managers under the AML/CTF Act 2006 and the Tranche 2 reforms extending to lawyers and accountants involved in wealth management structures. Key obligations:
- Politically Exposed Persons: AUSTRAC's AML/CTF Rules require enhanced ongoing CDD for PEPs, including senior management sign-off and periodic review. The PEP definition under Australian law covers foreign government officials, domestic government officials (senior executive branch), and their immediate family members.
- High-value dealers and property-related transactions: Where private banking clients are purchasing Australian real estate or high-value assets, specific transaction reporting obligations apply. Suspicious Matter Reports (SMRs) must be filed when there are reasonable grounds for suspicion, regardless of the transaction value.
- Beneficial ownership: AUSTRAC requires identification of the beneficial owner for all non-individual customers. For trust structures, this includes identification of the settlor, trustee, and beneficiaries with material interest.
BNM (Malaysia)
Bank Negara Malaysia's AML/CFT Policy Document applies to Malaysian-licensed banks and financial institutions including those offering wealth management services. EDD requirements for high-risk customers are broadly consistent with the international framework, with specific guidance on:
- Customers from jurisdictions identified in BNM's high-risk country list
- PEP relationships, with senior management approval required before onboarding
- Complex ownership structures requiring look-through to the ultimate beneficial owner
- Source of funds verification for high-value transactions inconsistent with the client's known profile

Enhanced Due Diligence for HNW Clients
EDD for private banking clients goes beyond collecting more documents. It requires substantive assessment of the information collected. Three areas where EDD most commonly fails examination:
Source of wealth vs. source of funds — conflated or both missing.
These are distinct concepts that require separate verification:
- Source of wealth explains how the client built their overall net worth — business success, inheritance, professional career, investments. This is the background due diligence that confirms the client's wealth is legitimately derived.
- Source of funds explains the origin of the specific funds being deposited or invested in this transaction. A client whose wealth originated from a legitimate business sale twenty years ago may still be depositing funds from a higher-risk current source.
Private banks frequently collect source of wealth declarations at onboarding and treat this as satisfying both requirements. MAS and AUSTRAC both expect separate, documented verification of both.
PEP definitions applied too narrowly.
MAS, AUSTRAC and BNM all extend PEP status beyond sitting government ministers to include:
- Senior officials of state-owned enterprises
- Senior executives of international organisations
- Immediate family members (spouse, children, parents, siblings)
- Close associates who are known to jointly hold assets with a PEP
Private banking compliance teams often identify the obvious PEPs — current heads of state, finance ministers — but miss junior officials, former PEPs within a cooling-off period, and the extended family member category. Examination findings frequently involve clients who are spouses or children of government officials and were not flagged as PEP-connected during onboarding.
For PEP screening guidance, see our PEP Screening Guide.
EDD documentation without substantive review.
Files contain extensive documentation — source of wealth letters, audited accounts, legal opinions on ownership structures — but there is no evidence that anyone reviewed, questioned, or validated the documentation. A source of wealth letter stating "proceeds from sale of business" without supporting transaction records is not verified source of wealth. Supervisors look for evidence that the compliance team applied judgment to the documentation, not just collected it.
Beneficial Ownership Through Complex Structures
The UBO obligation in private banking requires looking through corporate and trust structures to the natural persons who ultimately own or control the assets. Common structures and their specific challenges:
Trusts: Settlors, trustees, protectors, and beneficiaries must all be identified. Where the beneficiaries are a class (e.g., "the descendants of [named individual]"), the institution must identify the natural persons within that class who have a material interest.
Foundations: Common in civil law jurisdictions (Liechtenstein, Panama, Cayman). The founder, council members, and beneficiaries with significant interests must be identified.
Special Purpose Vehicles (SPVs): Frequently used for single-asset holding. Look-through requires identifying the shareholders of the SPV and repeating the UBO analysis for any corporate shareholders until natural persons are reached.
Nominee arrangements: Where registered shareholders are nominees for undisclosed beneficial owners, the institution must identify and verify the underlying beneficial owner. Nominee declarations alone are insufficient — the identity of the beneficial owner must be independently verified.
The 25% ownership threshold for UBO identification is a regulatory minimum, not an endpoint. In private banking, where the purpose of complex structures is often to hold and manage a single family's wealth, the relevant question is control — not just who holds 25% of shares, but who directs how the assets are managed and who ultimately benefits.
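The look-through described above, as an added example (not from the original article): it multiplies shares down each chain, sums a person's holdings across paths, and reports nominees and circular holdings as unresolved instead of silently dropping them. All entity names and the control register are hypothetical, and treating "25% or more" as the ownership test is an assumption that varies by jurisdiction.

```python
from fractions import Fraction

def pct(n):
    """Exact percentage, so a holding at the threshold compares reliably."""
    return Fraction(n, 100)

def look_through(entity, holdings, natural_persons):
    """Walk the ownership chain from `entity` down to natural persons.

    Returns (effective, unresolved). `effective` maps each natural person to
    their summed indirect share. `unresolved` lists holders that could not be
    reduced to a person, with the share sitting behind them and the reason.
    """
    effective, unresolved = {}, []

    def walk(node, share, path):
        for holder, fraction in holdings[node]:
            held = share * fraction
            if holder in natural_persons:
                effective[holder] = effective.get(holder, Fraction(0)) + held
            elif holder in path:
                # Cross-holding: stop here instead of recursing forever.
                unresolved.append((holder, held, "circular holding"))
            elif holder in holdings:
                walk(holder, held, path | {holder})
            else:
                # e.g. a nominee whose underlying owner is not on file.
                unresolved.append((holder, held, "owner not identified"))

    walk(entity, Fraction(1), frozenset({entity}))
    return effective, unresolved

def identify_ubos(entity, holdings, natural_persons, controllers,
                  threshold=pct(25)):
    """Combine the ownership test with the control test."""
    effective, unresolved = look_through(entity, holdings, natural_persons)
    ubos = {p: ["ownership"] for p, s in effective.items() if s >= threshold}
    for person in sorted(controllers.get(entity, ())):
        ubos.setdefault(person, []).append("control")
    return ubos, effective, unresolved

# Constructed register: entity -> [(holder, share of that entity)].
HOLDINGS = {
    "Family Asset SPV": [("HoldCo One", pct(40)), ("Person A", pct(15)),
                         ("Nominee Services Ltd", pct(15)),
                         ("HoldCo Two", pct(30))],
    "HoldCo One": [("Person A", pct(50)), ("Person B", pct(50))],
    "HoldCo Two": [("Person C", pct(100))],
}
PERSONS = {"Person A", "Person B", "Person C"}
# Hypothetical control register: who directs how the assets are managed.
CONTROLLERS = {"Family Asset SPV": {"Person B"}}

if __name__ == "__main__":
    ubos, effective, unresolved = identify_ubos(
        "Family Asset SPV", HOLDINGS, PERSONS, CONTROLLERS)
    for person, share in sorted(effective.items()):
        print(f"{person}: {float(share):.0%} effective")
    print("UBOs:", ubos)
    print("Unresolved:", unresolved)
```

Person A is below 25% on either path alone and crosses the threshold only when the direct and indirect holdings are summed; Person B holds 20% but is still a UBO through control.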
Transaction Monitoring for Low-Frequency, High-Value Activity
Standard retail transaction monitoring rules — designed to detect rapid fund movement, structuring, and threshold-based patterns — are poorly suited to private banking activity profiles. A private banking client who makes three large transfers per year does not generate the pattern data that rule-based systems need.
Effective monitoring in private banking requires:
Baseline profiling. Each client's expected transaction pattern — based on stated source of funds, investment strategy, and account purpose — must be documented at onboarding. Deviations from the expected pattern are the primary alert trigger.
Event-driven monitoring. In addition to ongoing pattern monitoring, specific events should trigger enhanced review: large inflows without advance notice, outflows to new beneficiaries in high-risk jurisdictions, rapid movement of funds across multiple accounts, and requests to change beneficial owner details.
Adverse media integration. For PEPs and high-risk clients, ongoing adverse media screening should feed directly into the transaction monitoring workflow. An adverse media hit on a client should trigger review of recent transactions — not just a file note.
Cross-account and cross-entity visibility. Where a client holds multiple accounts or related entities hold accounts at the same institution, monitoring must have visibility across the full relationship. Structuring through related accounts is a documented typology in private banking investigations.
What Effective Private Banking AML Controls Look Like
For private banks and wealth managers in Asia building or reviewing their AML programmes, the controls that consistently pass examination and hold up under enforcement scrutiny share these features:
- A dedicated private banking risk assessment that distinguishes the segment's specific risk profile from the broader institutional risk assessment
- EDD procedures that require both source of wealth and source of funds verification, with documented evidence of independent corroboration — not just client declarations
- PEP screening at onboarding and ongoing, with a defined adverse media review cycle for confirmed PEPs
- UBO look-through procedures with documented analysis for every complex structure
- Transaction monitoring calibrated to expected client profiles, with event-driven review triggers
- Senior management approval gates for PEP relationships, high-risk country clients, and complex ownership structures — with evidence of genuine review rather than rubber-stamp approval
For wealth management compliance teams evaluating monitoring and case management systems that can handle the specific demands of private banking — low-frequency, high-value activity, complex ownership, PEP-heavy client bases — see our Transaction Monitoring Software Buyer's Guide.

Building an Effective AML Compliance Programme: A 2026 Guide for Banks and Fintechs in Asia
An AML compliance programme is no longer a static policy document created for regulatory examinations. For banks, fintechs, payment companies and digital financial institutions in Asia, it is now a living control framework that must reflect the institution’s actual exposure to money laundering, terrorist financing and other financial crime risks.
The foundation of this framework is the risk-based approach. FATF Recommendation 1 requires countries and financial institutions to identify, assess and understand their money laundering and terrorist financing risks, and apply controls proportionate to those risks. In practice, this means every component of an AML compliance programme must be derived from the institution’s specific ML/FT risk assessment.
A generic AML compliance programme is no longer sufficient. A Singapore digital bank serving retail payment users will not have the same risk profile as an Australian remittance provider, a Malaysian trade finance bank, or a Philippine e-money issuer. Each institution needs a programme that reflects its customer base, products, delivery channels, geographies and transaction behaviour.
Since 2020, the AML landscape across APAC has changed significantly. Singapore has published its 2024 Money Laundering National Risk Assessment. Australia has passed major AML/CTF reforms, including Tranche 2 expansion. Bank Negara Malaysia has updated its AML/CFT/CPF/TFS Policy Document. The Philippines has continued to strengthen AML supervision following its FATF grey-list exit. New Zealand has also continued to update obligations across AML/CFT reporting entities.
For institutions still relying on 2020-era guidance, this is the right time to review whether their AML compliance programme remains fit for purpose.

What Is an AML Compliance Programme?
An AML compliance programme is a structured set of policies, procedures, controls, systems and governance processes designed to help financial institutions prevent, detect, investigate and report financial crime.
In APAC, the regulatory anchors differ by jurisdiction. Singapore’s framework includes the Corruption, Drug Trafficking and Other Serious Crimes Act and MAS AML/CFT Notices. Australia and New Zealand operate under AML/CTF legislation. Malaysia’s framework includes AMLATFPUAA and Bank Negara Malaysia’s policy documents. The Philippines operates under the AMLA framework and related BSP and AMLC requirements.
While the legal terminology differs, the core regulatory expectation is consistent: institutions must understand their risks and build proportionate controls that are documented, monitored, tested and governed.
The Seven Components of an AML Compliance Programme
1. ML/FT Risk Assessment
The ML/FT risk assessment is the foundation of the AML compliance programme. It identifies the institution’s inherent exposure to money laundering and terrorist financing risks, and determines the level of control required.
A strong AML risk assessment should cover four dimensions:
- Customer risk
- Product and service risk
- Geographic risk
- Delivery channel risk
Customer risk includes factors such as customer type, beneficial ownership complexity, PEP exposure, high-risk industries and non-resident customers. Product and service risk considers whether products can be used to move, layer or conceal funds. Geographic risk covers customer location, transaction corridors and exposure to high-risk jurisdictions. Delivery channel risk looks at how customers access services, including digital onboarding, agents, third-party reliance and non-face-to-face relationships.
The risk assessment must be institution-specific. A document that lists generic money laundering risks without explaining how those risks apply to the institution’s actual business model will not satisfy regulatory expectations.
It should also be reviewed at least annually and updated whenever material changes occur. These changes may include new products, entry into new markets, changes in customer segments, mergers, acquisitions, regulatory updates or new national risk assessments.
For a full framework, see our AML Risk Assessment Guide.
2. Internal Policies and Procedures
Internal AML/CFT policies translate the risk assessment into practical controls. They define how the institution identifies customers, conducts due diligence, screens names, monitors transactions, investigates alerts, escalates suspicious activity, files reports and retains records.
A strong policy framework should cover:
- Customer onboarding procedures
- Customer risk scoring
- Beneficial ownership identification
- CDD, SDD and EDD requirements
- PEP screening and approval workflows
- Transaction monitoring rules and scenarios
- Alert investigation and escalation
- STR, SMR, SAR, CTR or TTR filing workflows
- Record keeping requirements
- Staff roles and responsibilities
- Training requirements
- Independent audit and testing
- Board and senior management reporting
The key requirement is traceability. Policies should not sit separately from the risk assessment. They should clearly show how identified risks are being managed through controls.
3. Customer Due Diligence
Customer Due Diligence, or CDD, is the process of identifying customers, verifying their identity, understanding the purpose of the relationship and assessing their financial crime risk.
Most APAC AML frameworks expect a tiered CDD model:
Simplified Due Diligence: Applied only when the customer or relationship presents demonstrably low risk.
Standard CDD: Applied to most customers during onboarding and throughout the relationship.
Enhanced Due Diligence: Applied to higher-risk customers, including PEPs, customers from high-risk jurisdictions, complex corporate structures, non-resident customers and relationships with unusual source of funds or source of wealth concerns.
CDD is not limited to onboarding. Institutions must update customer information throughout the relationship and conduct ongoing monitoring to ensure activity remains consistent with the customer’s profile.
Beneficial ownership identification is also a core requirement. For corporate customers, institutions must identify the natural persons who ultimately own or control the entity. A 25% ownership threshold is often used as a baseline, but control can exist below that threshold depending on voting rights, management influence, nominee arrangements or layered structures.
For detailed requirements, see our CDD and EDD Guide. For politically exposed person controls, see our PEP Screening Guide.
4. Transaction Monitoring
Transaction monitoring is the operational centre of an AML compliance programme. It is where the institution tests whether customer behaviour matches expected activity and whether transactions indicate potential money laundering, terrorist financing, fraud, sanctions evasion or other financial crime risks.
A common failure is relying on vendor-default rules that are not connected to the institution’s risk assessment. If an institution identifies cross-border mule activity, trade-based money laundering, shell company misuse or rapid pass-through transactions as material risks, the transaction monitoring system must include scenarios designed to detect those risks.
A compliant transaction monitoring function should include:
- Detection scenarios linked to the institution’s customer, product, geographic and channel risks
- Thresholds calibrated to customer segments and expected behaviour
- Alert investigation workflows with documented disposition
- Case management processes for escalation and review
- STR, SMR, SAR, CTR or TTR reporting workflows
- Periodic threshold tuning and scenario calibration
- Audit trails that explain why an alert was generated, reviewed and closed or escalated
Every alert must have a documented outcome. Closing alerts without clear rationale creates examination risk because supervisors need to see why the institution decided not to escalate a case.
For a deep dive on what effective transaction monitoring requires and how to evaluate systems against APAC regulatory expectations, see our guide to transaction monitoring and our Transaction Monitoring Software Buyer’s Guide.
5. Suspicious Transaction and Threshold Reporting
Suspicious activity reporting is one of the most important outputs of an AML compliance programme. When suspicious activity is identified, institutions must report it to the relevant authority within the required timeframe.
Terminology and thresholds differ across jurisdictions:
- Singapore: Suspicious Transaction Reports are filed with STRO. There is no minimum threshold for suspicious reporting. Reports must be made as soon as practicable. Cash transaction reporting applies at SGD 20,000 and above in relevant contexts.
- Australia: Suspicious Matter Reports are filed with AUSTRAC. Threshold Transaction Reports apply at AUD 10,000 and above.
- Malaysia: Suspicious Transaction Reports are filed with Bank Negara Malaysia. Cash Threshold Reports apply at MYR 25,000 and above. STRs are generally expected within three business days.
- Philippines: Suspicious Transaction Reports are filed with the AMLC. Covered Transaction Reports apply at PHP 500,000 and above. STRs are generally expected within five working days.
- New Zealand: Suspicious Activity Reports are filed with the New Zealand Police FIU. Prescribed Transaction Reports apply at NZD 10,000 for cash transactions and NZD 1,000 for international wire transfers.
Across all these jurisdictions, tipping-off prohibitions apply. Staff must not inform a customer that a suspicious report has been filed or may be filed. Breaching tipping-off rules can create serious legal and regulatory consequences.
6. Record Keeping
Record keeping is essential to regulatory defensibility. Institutions must be able to demonstrate what they knew, what they reviewed, what decisions they made and why those decisions were reasonable.
AML records should include:
- Customer identification and verification documents
- Beneficial ownership information
- CDD and EDD records
- Customer risk assessments
- Transaction records
- Alert investigation notes
- Case dispositions
- STR, SMR, SAR, CTR, TTR or PTR filings
- Training records
- Audit reports
- Governance and board reporting records
Across Singapore, Australia, Malaysia and the Philippines, AML records are generally expected to be retained for at least five years from the end of the business relationship or the date of transaction. New Zealand also requires records to be kept for five years from the end of the relationship or transaction date, depending on the record type.
Records should be retrievable and producible to regulators on request. A strong AML programme does not only retain documents. It maintains a clear evidence trail from risk identification to control design, alert investigation and reporting decision.
7. Training, Testing and Governance
Training, testing and governance determine whether the AML compliance programme works in practice.
Staff training should be role-specific. Frontline onboarding teams need to understand customer identification and red flags. Relationship managers need to recognise unusual customer behaviour. Transaction monitoring analysts need to understand typologies and investigation standards. Senior management and board members need to understand the institution’s risk profile, regulatory obligations and control gaps.
Independent testing or audit is also required to assess whether the programme is effective. In New Zealand, independent audit is mandatory every two years. In other APAC jurisdictions, the frequency is often risk-based, but regulators still expect institutions to test whether their policies, systems and controls are operating as intended.
Governance is equally important. The AML compliance officer must have sufficient authority, independence and resources. Senior management and the board must receive meaningful reporting on AML risk, not just volume-based metrics.
Board reporting should include:
- Key financial crime risk themes
- High-risk customer segments
- Monitoring effectiveness
- Alert volumes and backlogs
- STR or SAR trends
- Audit findings
- Regulatory changes
- Remediation status
- Resource constraints
An AML compliance programme without board-level oversight is incomplete.

How Transaction Monitoring Sits Within the AML Compliance Programme
Transaction monitoring is the most operationally complex component of the AML compliance programme. It is also one of the areas most frequently found deficient in regulatory examinations.
The reason is simple: transaction monitoring is where the risk-based approach becomes visible.
If the institution’s risk assessment identifies high-risk products, geographies or customer segments, the monitoring system must show how those risks are being detected. Monitoring scenarios that do not target the risks identified in the assessment create a structural compliance gap.
A compliant transaction monitoring function within the AML compliance programme requires five capabilities.
First, detection scenarios must be calibrated to the institution’s specific risk profile. This includes customer segments, product types, transaction patterns, delivery channels and geographic exposure.
Second, alert investigation workflows must be documented. Every alert should have an investigation outcome, supporting rationale and clear disposition.
Third, case management must track escalation and reporting deadlines. Suspicious reporting obligations are time-sensitive, and missed filing timelines can create enforcement risk.
Fourth, annual calibration reviews should document rule effectiveness, false positive rates, scenario updates and any changes made to thresholds.
Fifth, the evidence trail must be examination-ready. Supervisors should be able to review how a risk was identified, how a scenario was deployed, how an alert was generated, how it was investigated and why it was closed or reported.
The relationship between the AML compliance programme and the transaction monitoring system is bidirectional. The risk assessment drives monitoring design, and monitoring outputs drive suspicious reporting, governance updates and future risk assessment reviews.
Institutions whose monitoring systems cannot demonstrate traceability from assessed risk to deployed scenario, alert, disposition and report have a structural compliance weakness.
Best Practices for Maintaining AML Compliance in 2026
Build the Programme Around the Risk Assessment
A strong AML compliance programme begins with the institution’s own risk profile. Controls should not be built around generic rules or legacy templates.
Each high-risk area identified in the risk assessment should map to a policy, control, monitoring scenario, reporting workflow or governance process. If the risk assessment identifies trade-based money laundering, the institution should have TBML-specific controls. If it identifies mule accounts, the transaction monitoring system should include mule detection scenarios. If it identifies high PEP exposure, the programme should include stronger EDD, adverse media review and senior management approval.
Use Regulatory-Grade AI and Explainability
AI and machine learning can improve transaction monitoring, reduce manual effort and help investigators focus on higher-risk activity. However, regulators are increasingly examining how AI-based monitoring systems make decisions.
Institutions using AI for AML monitoring must be able to explain:
- How alerts are generated
- What data inputs are used
- What factors influence the risk score
- How the model was validated
- How performance is monitored
- How human review is applied
- How model changes are governed
Black-box machine learning models that cannot produce audit-trail documentation may create regulatory risk, even if detection performance appears strong. Explainability, validation and governance are now essential.
Review Programmes Against APAC Regulatory Updates
AML programmes should be reviewed against major regulatory and supervisory developments.
Singapore’s 2024 National Risk Assessment has sharpened focus on areas such as cross-border flows, misuse of legal persons and higher-risk sectors. Australia’s AML/CTF Amendment Act 2024 extends obligations to lawyers, accountants, real estate agents and other designated non-financial businesses from 2026. Bank Negara Malaysia’s 2023 AML/CFT/CPF/TFS Policy Document strengthens expectations around enterprise-wide risk assessment and control effectiveness. In the Philippines, post-grey-list supervisory attention continues to focus on sustainable compliance, STR quality and monitoring calibration.
Institutions operating across these markets should not rely on a single regional template. They need jurisdiction-specific obligation mapping and local control alignment.
Connect AML and Fraud Controls
Fraud and money laundering are increasingly connected. Scam proceeds often flow through mule accounts, real-time payment channels, wallets, crypto platforms, remittance providers and cash-out points.
An AML compliance programme that does not connect fraud signals with transaction monitoring may miss critical patterns. Institutions should move towards a unified financial crime view that brings together onboarding, screening, customer risk scoring, fraud detection, transaction monitoring, case management and reporting.
This is especially important for APP scams, romance scams, mule networks, synthetic identities and account takeover scenarios, where the same customer or account may show both fraud and AML indicators.
Strengthen Board and Senior Management Oversight
Regulators expect AML oversight to sit at senior levels of the institution. The board and senior management should not only approve the programme, but actively understand the institution’s financial crime risk profile.
Effective governance means AML issues are reported clearly, decisions are documented and remediation is tracked. The compliance officer should have enough authority, independence and resources to challenge business decisions where required.
Common AML Compliance Challenges in APAC
High False Positives and Alert Backlogs
Many institutions still face high false positive rates in transaction monitoring. Industry estimates often place false positives at very high levels, creating heavy workloads for compliance teams.
The practical consequence is alert backlog. When alerts remain unresolved for extended periods, institutions risk missing suspicious activity and failing to meet reporting timelines. Backlogs exceeding internal investigation timelines are a recurring examination concern.
The fix is not simply to add more rules. Better outcomes come from risk-based scenario design, customer segmentation, threshold calibration, alert prioritisation and periodic tuning.
Regulatory Complexity Across Jurisdictions
APAC financial institutions often operate across markets with different terminology, thresholds, filing deadlines and supervisory expectations.
Singapore, Australia, Malaysia, the Philippines and New Zealand all follow the risk-based approach, but their reporting frameworks and operational requirements differ. This creates complexity for regional compliance teams.
Institutions should maintain a jurisdiction-specific obligations register that maps each requirement to a process owner, system control, evidence source and review cadence.
Managing AI Explainability While Maintaining Detection Effectiveness
AI-based monitoring can improve detection, but it also creates governance challenges. Compliance teams need to ensure that models are explainable, validated, monitored and auditable.
The challenge is balancing detection performance with regulatory defensibility. A model that finds suspicious activity but cannot explain how it reached a decision may not satisfy examiners. Institutions should ensure that AI outputs can be reviewed, challenged and documented by human investigators.
Siloed Systems and Fragmented Data
Fraud, AML, sanctions, onboarding and customer risk teams often operate through separate systems. Criminals exploit these gaps.
A mule account may show onboarding anomalies, device risk, unusual transaction activity and suspicious beneficiary behaviour. If these signals remain in separate systems, investigators may not see the full risk picture.
Integrated case management and unified financial crime monitoring can help institutions connect these signals and respond faster.
How Tookitaki Helps Financial Institutions Strengthen AML Compliance
Tookitaki’s FinCense helps banks, fintechs, payment companies and other financial institutions build more adaptive AML and fraud prevention programmes.
FinCense supports key components of an AML compliance programme, including customer risk scoring, screening, transaction monitoring, alert prioritisation, case management and regulatory reporting. It helps institutions move beyond static rule-based monitoring and build controls that are more closely aligned with their specific risk profile.
Tookitaki’s AFC Ecosystem adds another layer of intelligence by bringing community-driven financial crime typologies and scenarios into the compliance workflow. This helps institutions stay closer to emerging risks and continuously improve detection coverage.
For compliance teams, the value lies in connecting risk assessment, monitoring design, investigation workflows and real-world typology intelligence into one stronger financial crime control environment.
Conclusion
An effective AML compliance programme is not a checklist. It is a living framework that must evolve with the institution’s risk profile, regulatory environment, customer behaviour and financial crime threats.
For banks and fintechs in Asia, the standard is clear. The programme must begin with a documented ML/FT risk assessment. It must translate that assessment into policies, CDD controls, transaction monitoring scenarios, reporting workflows, record keeping, training, testing and board governance.
The institutions that perform best will be those that can demonstrate traceability from risk to control to alert to investigation to report. That is what regulators expect, and it is what modern financial crime prevention requires.
As financial crime becomes faster, more digital and more networked, AML compliance programmes must become more adaptive, explainable and intelligence-led. That is how financial institutions can move from meeting minimum obligations to building real resilience against financial crime.

From Fake Emails to Gold Bullion: What Australia’s Latest Scam Case Reveals
Business email compromise usually starts quietly. A changed invoice. A compromised inbox. A payment instruction that looks familiar enough to pass without question.
But what happens after the money leaves the victim’s account is where the story becomes bigger than cybercrime.
Australia’s latest BEC-related case shows how quickly stolen funds can move from a fake email trail into high-value assets such as gold bullion. For banks, fintechs, payment firms, and AML teams, the lesson is clear: scam prevention cannot stop at the moment of payment. The laundering often begins immediately after.

1. Background of the scam
In May 2026, NSW Police Cybercrime Squad detectives, assisted by the AFP-led Joint Policing Cybercrime Coordination Centre (JPC3), charged three people after an investigation into an alleged AUD 600,000 business email compromise scam. The investigation, known as Strike Force Downstream, focused on suspicious funds believed to be proceeds of crime obtained through BEC activity.
The case stood out because of what allegedly happened after the funds were obtained. According to the AFP, JPC3 analysts and industry partners found evidence of a 20-year-old woman allegedly purchasing AUD 100,000 worth of gold bullion on five occasions within a two-week period. Information provided by National Australia Bank helped identify suspicious funds believed to be proceeds of a BEC scam.
Police arrested the woman at a gold dealership in Sydney’s CBD on 14 May 2026. Two men, aged 36 and 29, who were accompanying her were also arrested. During a search of the group’s car, police seized AUD 34,000 in cash and three mobile phones. A later search warrant at an apartment in Zetland uncovered further mobile phones and documents.
The trio were charged with offences including dealing with proceeds of crime, dealing with identity information to commit an indictable offence, and participating in a criminal group contributing to criminal activity. The AFP also stated that about AUD 300,000 of the funds allegedly stolen in the BEC scam had been recovered.
This is what makes the case relevant beyond the immediate arrests. It allegedly shows the next stage of the financial crime lifecycle: converting scam proceeds into a high-value, portable asset.
2. Impact of the scandal on Australian finance
Australia’s financial sector is facing a growing overlap between scams, cybercrime, identity misuse, and money laundering. BEC scams are especially dangerous because they exploit trusted business processes. A fake invoice or altered payment instruction can look legitimate until the money has already moved.
The national scam picture remains serious. The ACCC reported that Australians lost more than AUD 2 billion to scams in 2025, with the Targeting Scams Report covering scam activity across Scamwatch, ReportCyber, AFCX, IDCARE and ASIC.
For financial institutions, the issue is not only whether a scam payment can be stopped before it leaves the victim. The bigger challenge is what happens after the payment lands.
Funds can be moved across accounts, withdrawn in cash, sent to third parties, converted into crypto, used to buy luxury goods, or placed into high-value assets such as gold. In this case, the alleged repeated purchase of gold bullion became a key suspicious pattern.
This matters because it shifts the control question. Banks and payment firms need to ask not only: “Was this payment authorised?” They also need to ask: “Does the receiving account behaviour make sense?”
That distinction is important. A BEC payment may arrive in an account looking like a normal business transfer. But what follows may reveal the laundering pattern: rapid movement, asset conversion, cash handling, linked parties, or activity inconsistent with the account holder’s profile.

3. Implications and repercussions
The first implication is that BEC must be treated as both a fraud risk and an AML risk. The cyber compromise may start the event, but the movement and conversion of funds create proceeds-of-crime exposure.
The second implication is that high-value asset purchases need sharper monitoring. Gold bullion, luxury goods, vehicles, property, and digital assets can all be used to convert stolen money into assets that are easier to store, transport, resell, or conceal. The red flag is not the asset itself. The red flag is the pattern around it.
The third implication is that identity misuse remains central to scam operations. In this case, some of the charges included alleged dealing with identity information to commit an indictable offence. That points to the wider ecosystem behind scams, where identity information, mule accounts, payment rails, and asset conversion may all support the same criminal workflow.
The fourth implication is that collaboration is no longer optional. The AFP highlighted the role of JPC3, NSW Police, industry partners, and National Australia Bank in identifying suspicious funds and disrupting the activity. AFP Superintendent Marie Andersson also noted that timely information from NAB was crucial in helping police act quickly.
This is the direction of travel for financial crime prevention in Australia: faster intelligence sharing, stronger public-private coordination, and more connected controls across cyber, fraud, and AML teams.
4. Key takeaways
For banks, fintechs, payment firms, and high-value asset sectors, this case offers several practical lessons.
Scam money moves fast. Once funds are obtained, criminals may try to convert them quickly into cash, gold, crypto, luxury goods, or cross-border transfers.
The receiving account matters. Fraud prevention often focuses on the sender, but laundering detection depends heavily on what the recipient does after receiving the funds.
Asset conversion is a critical red flag. Repeated high-value purchases shortly after unusual incoming funds should trigger review, especially when the behaviour does not match the customer profile.
Identity risk and transaction risk must be connected. Identity misuse, suspicious account behaviour, and unusual fund flows should not be reviewed in separate silos.
Early escalation improves recovery. In this case, the AFP said about AUD 300,000 of the allegedly stolen funds had been recovered, reinforcing the value of timely detection and reporting.
The AFP also recommends that businesses verify payment requests through trusted contacts, implement the ACSC’s Essential Eight mitigation strategies, contact their financial institution immediately if they suspect an incorrect payment, and report suspicious activity through ReportCyber.
5. The role of AML technology in preventing future scandals
Modern AML technology can help financial institutions detect the laundering phase of scam activity faster and with better context.
In cases like this, the suspicious behaviour may not sit in one transaction. It sits in the sequence.
A large incoming transfer. A short time gap. A high-value asset purchase. Cash withdrawals. Multiple devices. Linked parties. New beneficiaries. Activity that does not match the customer’s normal profile.
Individually, some of these signals may look explainable. Together, they may point to the laundering of scam proceeds.
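A sequence rule of this kind evaluates the credit and what follows it together, and records why it fired. The following Python is an added example, not code from the original article or from any vendor product; the profile fields, category labels, thresholds and all transactions are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed merchant-category labels; a real system would map its own codes.
HIGH_VALUE_ASSET = {"bullion_dealer", "luxury_goods", "vehicle_dealer"}


def txn(day, direction, amount, counterparty, category):
    return {"ts": datetime.fromisoformat(day), "dir": direction, "amount": amount,
            "counterparty": counterparty, "category": category}


# Constructed sample data (AUD); account, names and amounts are hypothetical.
PROFILE = {"expected_max_credit": 5_000,
           "known_counterparties": {"EMPLOYER PTY"},
           "expected_categories": {"groceries", "rent"}}
TXNS = [
    txn("2026-01-02", "in", 3_200, "EMPLOYER PTY", "salary"),
    txn("2026-01-05", "in", 120_000, "NORTHSIDE BUILDERS", "transfer"),
    txn("2026-01-06", "out", 20_000, "CITY BULLION", "bullion_dealer"),
    txn("2026-01-08", "out", 20_000, "CITY BULLION", "bullion_dealer"),
    txn("2026-01-09", "out", 9_000, "ATM", "cash_withdrawal"),
    txn("2026-01-12", "out", 20_000, "HARBOUR GOLD", "bullion_dealer"),
    txn("2026-01-15", "out", 20_000, "CITY BULLION", "bullion_dealer"),
    txn("2026-01-18", "out", 20_000, "HARBOUR GOLD", "bullion_dealer"),
    txn("2026-02-20", "out", 20_000, "CITY BULLION", "bullion_dealer"),  # outside window
]


def find_conversion_sequences(txns, profile, window_days=14,
                              min_purchases=3, min_share=0.5):
    """Flag an out-of-profile credit followed by repeated asset purchases."""
    txns = sorted(txns, key=lambda t: t["ts"])
    window = timedelta(days=window_days)
    alerts, covered_until = [], None
    for credit in txns:
        if credit["dir"] != "in":
            continue
        if covered_until and credit["ts"] <= covered_until:
            continue  # already part of an alerted episode
        reasons = []
        if credit["amount"] > profile["expected_max_credit"]:
            reasons.append(f"credit {credit['amount']} exceeds expected maximum "
                           f"{profile['expected_max_credit']}")
        if credit["counterparty"] not in profile["known_counterparties"]:
            reasons.append(f"new counterparty {credit['counterparty']}")
        if len(reasons) < 2:
            continue  # the credit itself fits the documented baseline
        end = credit["ts"] + window
        follow = [t for t in txns if t["dir"] == "out" and credit["ts"] < t["ts"] <= end]
        purchases = [t for t in follow
                     if t["category"] in HIGH_VALUE_ASSET
                     and t["category"] not in profile["expected_categories"]]
        cash_total = sum(t["amount"] for t in follow if t["category"] == "cash_withdrawal")
        spent = sum(t["amount"] for t in purchases)
        if len(purchases) >= min_purchases and spent >= min_share * credit["amount"]:
            reasons.append(f"{len(purchases)} high-value asset purchases totalling "
                           f"{spent} within {window_days} days")
            if cash_total:
                reasons.append(f"cash withdrawals of {cash_total} in the same window")
            alerts.append({"credit": credit, "purchase_count": len(purchases),
                           "purchase_total": spent, "cash_total": cash_total,
                           "reasons": reasons})  # kept for the audit trail
            covered_until = end
    return alerts


if __name__ == "__main__":
    for alert in find_conversion_sequences(TXNS, PROFILE):
        print(alert["credit"]["ts"].date(), *alert["reasons"], sep="\n  - ")
```

The same transactions raise no alert for a customer whose documented profile includes large credits and bullion purchases, which is the point of testing against the expected profile rather than the asset type.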
This is where Tookitaki’s FinCense can support financial institutions. FinCense brings AML monitoring, fraud detection, customer risk scoring, alert prioritisation, case investigation, and regulatory reporting into a more unified financial crime control environment.
For BEC-related laundering, FinCense can help institutions detect patterns such as:
- Sudden high-value credits followed by rapid outbound movement
- Repeat payments to high-value asset dealers
- Mule-like account behaviour after receiving third-party funds
- Activity inconsistent with the customer’s expected profile
- Unusual cash withdrawals after suspected scam proceeds are received
- Beneficiary and counterparty patterns linked to known typologies
- Cross-account and cross-channel movement that may be missed in siloed systems
The value is not only in generating alerts. It is in helping investigators understand why the activity is risky, how the transactions connect, and what should be reviewed next.
Technology cannot replace human judgement. But it can help compliance teams identify suspicious sequences earlier, prioritise the highest-risk cases, and act before stolen funds disappear into assets, cash, or cross-border channels.
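The point that the risk sits in the sequence, not in any single transaction, can be shown as a small rule over one account's events. This is an added example, not code from the original article or from any vendor product; the event fields, thresholds, 72-hour window and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative assumptions, not regulatory values or any product's settings.
LARGE_CREDIT_RATIO = 5.0          # a credit is "large" at 5x expected monthly inflow
WINDOW = timedelta(hours=72)      # follow-on activity must fall inside this window
OUTFLOW_SHARE = 0.8               # share of the credit that leaves the account
MIN_SIGNALS = 3                   # distinct follow-on signals needed to alert
ASSET_DEALERS = {"bullion_dealer", "luxury_goods", "crypto_exchange"}
DEBIT_KINDS = {"purchase", "cash_withdrawal", "transfer_out"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str               # credit, purchase, cash_withdrawal, transfer_out,
                            # new_beneficiary, new_device
    amount: float = 0.0
    counterparty: str = ""  # counterparty category for credits and debits


def follow_on_signals(credit, later):
    """Return the distinct signals seen in the window after one large credit."""
    signals = set()
    outflow = 0.0
    for ev in later:
        if ev.kind in DEBIT_KINDS:
            outflow += ev.amount
        if ev.kind == "purchase" and ev.counterparty in ASSET_DEALERS:
            signals.add("asset_conversion")
        elif ev.kind == "cash_withdrawal":
            signals.add("cash_withdrawal")
        elif ev.kind == "new_beneficiary":
            signals.add("new_beneficiary")
        elif ev.kind == "new_device":
            signals.add("new_device")
    if credit.amount > 0 and outflow / credit.amount >= OUTFLOW_SHARE:
        signals.add("rapid_outflow")
    return signals


def review_account(events, expected_monthly_inflow):
    """Score every out-of-profile credit by what the account does afterwards."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "credit":
            continue
        if ev.amount < LARGE_CREDIT_RATIO * expected_monthly_inflow:
            continue  # consistent with the documented customer profile
        later = [e for e in events[i + 1:] if e.ts - ev.ts <= WINDOW]
        signals = follow_on_signals(ev, later)
        findings.append({
            "credit_ts": ev.ts,
            "credit_amount": ev.amount,
            "signals": sorted(signals),
            "alert": len(signals) >= MIN_SIGNALS,
        })
    return findings


def at(day, hour):
    """Helper for building constructed sample timestamps."""
    return datetime(2025, 3, day, hour, 0)


# Constructed sample: salary-profile account receives a large third-party credit
# and converts most of it within two days.
SAMPLE_SUSPICIOUS = [
    Event(at(1, 9), "credit", 4_000, "employer"),
    Event(at(10, 14), "credit", 180_000, "third_party"),
    Event(at(10, 16), "new_device"),
    Event(at(11, 10), "purchase", 120_000, "bullion_dealer"),
    Event(at(11, 15), "cash_withdrawal", 30_000),
    Event(at(12, 9), "new_beneficiary"),
]

# Constructed sample: the same credit with no follow-on activity in the window.
SAMPLE_BENIGN = [
    Event(at(1, 9), "credit", 4_000, "employer"),
    Event(at(10, 14), "credit", 180_000, "third_party"),
    Event(at(20, 10), "purchase", 900, "grocery"),
]

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        for finding in review_account(sample, expected_monthly_inflow=4_000):
            print(name, finding["credit_amount"], finding["signals"], finding["alert"])
```

The same large credit is scored differently depending on what follows it and on the expected inflow recorded for the customer, which is why the receiving account's baseline has to be available to the rule.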
6. Conclusion
Australia’s alleged AUD 600,000 BEC case is more than a story about fake emails and gold bullion. It is a warning about how modern financial crime works.
Cyber compromise, payment fraud, identity misuse, mule activity, and money laundering are increasingly part of the same chain. When controls operate in silos, criminals benefit from the gaps between them.
For Australian financial institutions, the path forward is clear. Scam prevention must be connected to AML monitoring. Customer risk must be connected to transaction behaviour. Fraud teams must work with compliance teams. And public-private intelligence sharing must become faster and more actionable.
The lesson from this case is simple: follow the money after the scam. That is often where the real financial crime story begins.

AML Compliance for Private Banks and Wealth Managers in Asia
In August 2023, Singapore authorities charged ten foreign nationals following a three-year investigation into a money laundering network that had moved over SGD 3 billion through Singapore's financial system. The funds flowed through private banking accounts, luxury real estate, and investment holdings. Several of the individuals involved held accounts at multiple licensed private banks. The total amount seized — cash, properties, vehicles, luxury goods, and financial assets — exceeded SGD 2.8 billion, making it the largest money laundering seizure in Singapore's history.
The case was not unique in its method. It was notable for its scale. Private banking and wealth management channels in Asia have consistently featured in major money laundering investigations because they combine the features that make ML risk hardest to manage: high-value low-frequency transactions, complex beneficial ownership structures, high proportions of PEP-adjacent clients, and cross-border account relationships that limit visibility into source of funds.
For compliance teams at private banks, family offices, and wealth management firms operating in Asia, this guide covers the specific AML obligations, the most common examination failures, and what effective controls look like at this end of the market.

Why Private Banking Carries the Highest AML Risk
Three structural features of private banking make it the highest-risk segment in financial services from an AML perspective:
Client profile. High-net-worth and ultra-high-net-worth clients include a disproportionate share of PEPs, former PEPs, and PEP family members and close associates. They also include business owners with complex corporate structures, individuals from high-risk jurisdictions, and clients with offshore holding arrangements. The customer risk component of a private bank's AML risk assessment will almost always score higher than that of a retail bank serving comparable volumes.
Transaction patterns. Private banking transactions are typically infrequent but very high value — large investment flows, property purchases, trust transfers, and cross-border portfolio movements. Standard transaction monitoring rules calibrated for retail banking volumes do not detect suspicious patterns in low-frequency high-value activity. A private banking client who transfers USD 5 million to an offshore account once generates no alerts in a system looking for repeated sub-threshold transactions.
Ownership complexity. Private banking clients frequently hold assets through trusts, foundations, special purpose vehicles, and multi-layer corporate structures spanning multiple jurisdictions. Identifying the ultimate beneficial owner (UBO) behind a Cayman Islands holding company, a BVI trust, and a Singapore private limited company requires manual investigation that automated onboarding systems are not designed to perform.
The Regulatory Framework in Asia
MAS (Singapore)
MAS Notice 654 (private banks) and the broader Notice 626 framework set the requirements for Singapore-licensed private banks. Key requirements specific to private banking include:
- Cross-border private banking: Non-face-to-face account opening for non-residents must include additional verification steps. MAS requires private banks to assess the AML/CFT standards of the client's country of residence before proceeding.
- PEP requirements: Foreign PEPs require senior management approval before account opening. MAS is explicit that PEP approval cannot be delegated below the level of senior management. Documentation must evidence that the source of wealth and source of funds have been independently verified — not just declared by the client.
- Source of wealth verification: Declarations alone are insufficient. MAS expects private banks to obtain corroborating documentation: audited financial statements, business sale agreements, inheritance documentation, or other verifiable evidence of how the client accumulated their wealth.
- Ongoing monitoring: Private bank accounts must be subject to ongoing monitoring calibrated to the client's risk profile. For PEPs and high-risk clients, this should include adverse media screening at defined intervals — not just at onboarding.
Following the 2023 SGD 3 billion case, MAS issued additional guidance in 2024 tightening expectations on source of wealth documentation and cross-border account monitoring for private banking clients. Institutions should ensure their programmes reflect these updated expectations.
AUSTRAC (Australia)
AUSTRAC's AML/CTF framework applies to Australian private banks and wealth managers under the AML/CTF Act 2006 and the Tranche 2 reforms extending to lawyers and accountants involved in wealth management structures. Key obligations:
- Politically Exposed Persons: AUSTRAC's AML/CTF Rules require enhanced ongoing CDD for PEPs, including senior management sign-off and periodic review. The PEP definition under Australian law covers foreign government officials, domestic government officials (senior executive branch), and their immediate family members.
- High-value dealers and property-related transactions: Where private banking clients are purchasing Australian real estate or high-value assets, specific transaction reporting obligations apply. Suspicious Matter Reports (SMRs) must be filed when there are reasonable grounds for suspicion, regardless of the transaction value.
- Beneficial ownership: AUSTRAC requires identification of the beneficial owner for all non-individual customers. For trust structures, this includes identification of the settlor, trustee, and beneficiaries with material interest.
BNM (Malaysia)
Bank Negara Malaysia's AML/CFT Policy Document applies to Malaysian-licensed banks and financial institutions including those offering wealth management services. EDD requirements for high-risk customers are broadly consistent with the international framework, with specific guidance on:
- Customers from jurisdictions identified in BNM's high-risk country list
- PEP relationships, with senior management approval required before onboarding
- Complex ownership structures requiring look-through to the ultimate beneficial owner
- Source of funds verification for high-value transactions inconsistent with the client's known profile

Enhanced Due Diligence for HNW Clients
EDD for private banking clients goes beyond collecting more documents. It requires substantive assessment of the information collected. Three areas where EDD most commonly fails examination:
Source of wealth vs. source of funds — conflated or both missing.
These are distinct concepts that require separate verification:
- Source of wealth explains how the client built their overall net worth — business success, inheritance, professional career, investments. This is the background due diligence that confirms the client's wealth is legitimately derived.
- Source of funds explains the origin of the specific funds being deposited or invested in this transaction. A client whose wealth originated from a legitimate business sale twenty years ago may still be depositing funds from a higher-risk current source.
Private banks frequently collect source of wealth declarations at onboarding and treat this as satisfying both requirements. MAS and AUSTRAC both expect separate, documented verification of both.
PEP definitions applied too narrowly.
MAS, AUSTRAC and BNM all extend PEP status beyond sitting government ministers to include:
- Senior officials of state-owned enterprises
- Senior executives of international organisations
- Immediate family members (spouse, children, parents, siblings)
- Close associates who are known to jointly hold assets with a PEP
Private banking compliance teams often identify the obvious PEPs — current heads of state, finance ministers — but miss junior officials, former PEPs within a cooling-off period, and the extended family member category. Examination findings frequently involve clients who are spouses or children of government officials and were not flagged as PEP-connected during onboarding.
For PEP screening guidance, see our PEP Screening Guide.
EDD documentation without substantive review.
Files contain extensive documentation — source of wealth letters, audited accounts, legal opinions on ownership structures — but there is no evidence that anyone reviewed, questioned, or validated the documentation. A source of wealth letter stating "proceeds from sale of business" without supporting transaction records is not verified source of wealth. Supervisors look for evidence that the compliance team applied judgment to the documentation, not just collected it.
Beneficial Ownership Through Complex Structures
The UBO obligation in private banking requires looking through corporate and trust structures to the natural persons who ultimately own or control the assets. Common structures and their specific challenges:
Trusts: Settlors, trustees, protectors, and beneficiaries must all be identified. Where the beneficiaries are a class (e.g., "the descendants of [named individual]"), the institution must identify the natural persons within that class who have a material interest.
Foundations: Common in civil law jurisdictions (Liechtenstein, Panama, Cayman). The founder, council members, and beneficiaries with significant interests must be identified.
Special Purpose Vehicles (SPVs): Frequently used for single-asset holding. Look-through requires identifying the shareholders of the SPV and repeating the UBO analysis for any corporate shareholders until natural persons are reached.
Nominee arrangements: Where registered shareholders are nominees for undisclosed beneficial owners, the institution must identify and verify the underlying beneficial owner. Nominee declarations alone are insufficient — the identity of the beneficial owner must be independently verified.
The 25% ownership threshold for UBO identification is a regulatory minimum, not an endpoint. In private banking, where the purpose of complex structures is often to hold and manage a single family's wealth, the relevant question is control — not just who holds 25% of shares, but who directs how the assets are managed and who ultimately benefits.
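The look-through described above (repeat the analysis for corporate shareholders until natural persons are reached, treat unverified nominee holdings as open items, and record control alongside the 25% threshold) can be sketched as a walk over the ownership graph. This is an added example, not from the original article; the function name `look_through`, the entity names and the ownership figures are constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 0.25  # the 25% regulatory minimum discussed above


def look_through(target, holdings, natural_persons, nominees=None, controllers=None):
    """Resolve a layered structure to natural persons.

    holdings:        {entity: [(holder, fraction_held), ...]}
    natural_persons: set of holders verified as natural persons
    nominees:        {nominee: verified underlying owner, or None if unverified}
    controllers:     {person: basis of control}, independent of shareholding
    """
    nominees = nominees or {}
    controllers = controllers or {}
    effective = defaultdict(float)   # person -> share summed across all paths
    unresolved = defaultdict(float)  # holder -> share that stops short of a person

    def walk(entity, share, path):
        for holder, fraction in holdings.get(entity, []):
            held = share * fraction
            if holder in nominees:
                if nominees[holder] is None:
                    unresolved[holder] += held  # declaration not yet verified
                    continue
                holder = nominees[holder]       # attribute to the verified owner
            if holder in natural_persons:
                effective[holder] += held
            elif holder in path or holder not in holdings:
                # Circular cross-holding or an entity with no recorded owners:
                # reported for manual review, not resolved here.
                unresolved[holder] += held
            else:
                walk(holder, held, path | {holder})

    walk(target, 1.0, frozenset([target]))

    ubos = {}
    for person, share in effective.items():
        if share >= THRESHOLD:
            ubos.setdefault(person, []).append(f"ownership {share:.1%}")
    for person, basis in controllers.items():
        ubos.setdefault(person, []).append(f"control: {basis}")

    return {
        "effective": {p: round(s, 6) for p, s in effective.items()},
        "unresolved": {h: round(s, 6) for h, s in unresolved.items()},
        "ubos": ubos,
        # An unresolved block at or above the threshold could hide a UBO.
        "complete": all(s < THRESHOLD for s in unresolved.values()),
    }


# Constructed structure: OpCo is held through two holding companies and a nominee.
HOLDINGS = {
    "OpCo": [("HoldCo A", 0.60), ("HoldCo B", 0.30), ("Nominee N", 0.10)],
    "HoldCo A": [("Person X", 0.50), ("Person Y", 0.30), ("HoldCo B", 0.20)],
    "HoldCo B": [("Person X", 0.40), ("Shell Z", 0.60)],  # Shell Z: owners unknown
}
PERSONS = {"Person X", "Person Y", "Person W"}

if __name__ == "__main__":
    result = look_through(
        "OpCo", HOLDINGS, PERSONS,
        nominees={"Nominee N": "Person Y"},
        controllers={"Person W": "directs the investment mandate"},
    )
    for key, value in result.items():
        print(key, value)
```

In the constructed data Person Y reaches the threshold only once the nominee holding is attributed to them, Person W appears with no shares at all, and the 25.2% that ends at Shell Z keeps the file marked incomplete.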
Transaction Monitoring for Low-Frequency, High-Value Activity
Standard retail transaction monitoring rules — designed to detect rapid fund movement, structuring, and threshold-based patterns — are poorly suited to private banking activity profiles. A private banking client who makes three large transfers per year does not generate the pattern data that rule-based systems need.
Effective monitoring in private banking requires:
Baseline profiling. Each client's expected transaction pattern — based on stated source of funds, investment strategy, and account purpose — must be documented at onboarding. Deviations from the expected pattern are the primary alert trigger.
Event-driven monitoring. In addition to ongoing pattern monitoring, specific events should trigger enhanced review: large inflows without advance notice, outflows to new beneficiaries in high-risk jurisdictions, rapid movement of funds across multiple accounts, and requests to change beneficial owner details.
Adverse media integration. For PEPs and high-risk clients, ongoing adverse media screening should feed directly into the transaction monitoring workflow. An adverse media hit on a client should trigger review of recent transactions — not just a file note.
Cross-account and cross-entity visibility. Where a client holds multiple accounts or related entities hold accounts at the same institution, monitoring must have visibility across the full relationship. Structuring through related accounts is a documented typology in private banking investigations.
What Effective Private Banking AML Controls Look Like
For private banks and wealth managers in Asia building or reviewing their AML programmes, the controls that consistently pass examination and hold up under enforcement scrutiny share these features:
- A dedicated private banking risk assessment that distinguishes the segment's specific risk profile from the broader institutional risk assessment
- EDD procedures that require both source of wealth and source of funds verification, with documented evidence of independent corroboration — not just client declarations
- PEP screening at onboarding and ongoing, with a defined adverse media review cycle for confirmed PEPs
- UBO look-through procedures with documented analysis for every complex structure
- Transaction monitoring calibrated to expected client profiles, with event-driven review triggers
- Senior management approval gates for PEP relationships, high-risk country clients, and complex ownership structures — with evidence of genuine review rather than rubber stamp approval
For wealth management compliance teams evaluating monitoring and case management systems that can handle the specific demands of private banking — low-frequency high-value activity, complex ownership, PEP-heavy client bases — see our Transaction Monitoring Software Buyer's Guide.

Building an Effective AML Compliance Programme: A 2026 Guide for Banks and Fintechs in Asia
An AML compliance programme is no longer a static policy document created for regulatory examinations. For banks, fintechs, payment companies and digital financial institutions in Asia, it is now a living control framework that must reflect the institution’s actual exposure to money laundering, terrorist financing and other financial crime risks.
The foundation of this framework is the risk-based approach. FATF Recommendation 1 requires countries and financial institutions to identify, assess and understand their money laundering and terrorist financing risks, and apply controls proportionate to those risks. In practice, this means every component of an AML compliance programme must be derived from the institution’s specific ML/FT risk assessment.
A generic AML compliance programme is no longer sufficient. A Singapore digital bank serving retail payment users will not have the same risk profile as an Australian remittance provider, a Malaysian trade finance bank, or a Philippine e-money issuer. Each institution needs a programme that reflects its customer base, products, delivery channels, geographies and transaction behaviour.
Since 2020, the AML landscape across APAC has changed significantly. Singapore has published its 2024 Money Laundering National Risk Assessment. Australia has passed major AML/CTF reforms, including Tranche 2 expansion. Bank Negara Malaysia has updated its AML/CFT/CPF/TFS Policy Document. The Philippines has continued to strengthen AML supervision following its FATF grey-list exit. New Zealand has also continued to update obligations across AML/CFT reporting entities.
For institutions still relying on 2020-era guidance, this is the right time to review whether their AML compliance programme remains fit for purpose.

What Is an AML Compliance Programme?
An AML compliance programme is a structured set of policies, procedures, controls, systems and governance processes designed to help financial institutions prevent, detect, investigate and report financial crime.
In APAC, the regulatory anchors differ by jurisdiction. Singapore’s framework includes the Corruption, Drug Trafficking and Other Serious Crimes Act and MAS AML/CFT Notices. Australia and New Zealand operate under AML/CTF legislation. Malaysia’s framework includes AMLATFPUAA and Bank Negara Malaysia’s policy documents. The Philippines operates under the AMLA framework and related BSP and AMLC requirements.
While the legal terminology differs, the core regulatory expectation is consistent: institutions must understand their risks and build proportionate controls that are documented, monitored, tested and governed.
The Seven Components of an AML Compliance Programme
1. ML/FT Risk Assessment
The ML/FT risk assessment is the foundation of the AML compliance programme. It identifies the institution’s inherent exposure to money laundering and terrorist financing risks, and determines the level of control required.
A strong AML risk assessment should cover four dimensions:
- Customer risk
- Product and service risk
- Geographic risk
- Delivery channel risk
Customer risk includes factors such as customer type, beneficial ownership complexity, PEP exposure, high-risk industries and non-resident customers. Product and service risk considers whether products can be used to move, layer or conceal funds. Geographic risk covers customer location, transaction corridors and exposure to high-risk jurisdictions. Delivery channel risk looks at how customers access services, including digital onboarding, agents, third-party reliance and non-face-to-face relationships.
The risk assessment must be institution-specific. A document that lists generic money laundering risks without explaining how those risks apply to the institution’s actual business model will not satisfy regulatory expectations.
It should also be reviewed at least annually and updated whenever material changes occur. These changes may include new products, entry into new markets, changes in customer segments, mergers, acquisitions, regulatory updates or new national risk assessments.
For a full framework, see our AML Risk Assessment Guide.
2. Internal Policies and Procedures
Internal AML/CFT policies translate the risk assessment into practical controls. They define how the institution identifies customers, conducts due diligence, screens names, monitors transactions, investigates alerts, escalates suspicious activity, files reports and retains records.
A strong policy framework should cover:
- Customer onboarding procedures
- Customer risk scoring
- Beneficial ownership identification
- CDD, SDD and EDD requirements
- PEP screening and approval workflows
- Transaction monitoring rules and scenarios
- Alert investigation and escalation
- STR, SMR, SAR, CTR or TTR filing workflows
- Record keeping requirements
- Staff roles and responsibilities
- Training requirements
- Independent audit and testing
- Board and senior management reporting
The key requirement is traceability. Policies should not sit separately from the risk assessment. They should clearly show how identified risks are being managed through controls.
3. Customer Due Diligence
Customer Due Diligence, or CDD, is the process of identifying customers, verifying their identity, understanding the purpose of the relationship and assessing their financial crime risk.
Most APAC AML frameworks expect a tiered CDD model:
Simplified Due Diligence: Applied only when the customer or relationship presents demonstrably low risk.
Standard CDD: Applied to most customers during onboarding and throughout the relationship.
Enhanced Due Diligence: Applied to higher-risk customers, including PEPs, customers from high-risk jurisdictions, complex corporate structures, non-resident customers and relationships with unusual source of funds or source of wealth concerns.
CDD is not limited to onboarding. Institutions must update customer information throughout the relationship and conduct ongoing monitoring to ensure activity remains consistent with the customer’s profile.
Beneficial ownership identification is also a core requirement. For corporate customers, institutions must identify the natural persons who ultimately own or control the entity. A 25% ownership threshold is often used as a baseline, but control can exist below that threshold depending on voting rights, management influence, nominee arrangements or layered structures.
For detailed requirements, see our CDD and EDD Guide. For politically exposed person controls, see our PEP Screening Guide.
4. Transaction Monitoring
Transaction monitoring is the operational centre of an AML compliance programme. It is where the institution tests whether customer behaviour matches expected activity and whether transactions indicate potential money laundering, terrorist financing, fraud, sanctions evasion or other financial crime risks.
A common failure is relying on vendor-default rules that are not connected to the institution’s risk assessment. If an institution identifies cross-border mule activity, trade-based money laundering, shell company misuse or rapid pass-through transactions as material risks, the transaction monitoring system must include scenarios designed to detect those risks.
A compliant transaction monitoring function should include:
- Detection scenarios linked to the institution’s customer, product, geographic and channel risks
- Thresholds calibrated to customer segments and expected behaviour
- Alert investigation workflows with documented disposition
- Case management processes for escalation and review
- STR, SMR, SAR, CTR or TTR reporting workflows
- Periodic threshold tuning and scenario calibration
- Audit trails that explain why an alert was generated, reviewed and closed or escalated
Every alert must have a documented outcome. Closing alerts without clear rationale creates examination risk because supervisors need to see why the institution decided not to escalate a case.
For a deep dive on what effective transaction monitoring requires and how to evaluate systems against APAC regulatory expectations, see our guide to transaction monitoring and our Transaction Monitoring Software Buyer’s Guide.
5. Suspicious Transaction and Threshold Reporting
Suspicious activity reporting is one of the most important outputs of an AML compliance programme. When suspicious activity is identified, institutions must report it to the relevant authority within the required timeframe.
Terminology and thresholds differ across jurisdictions:
- Singapore: Suspicious Transaction Reports are filed with STRO. There is no minimum threshold for suspicious reporting. Reports must be made as soon as practicable. Cash transaction reporting applies at SGD 20,000 and above in relevant contexts.
- Australia: Suspicious Matter Reports are filed with AUSTRAC. Threshold Transaction Reports apply at AUD 10,000 and above.
- Malaysia: Suspicious Transaction Reports are filed with Bank Negara Malaysia. Cash Threshold Reports apply at MYR 25,000 and above. STRs are generally expected within three business days.
- Philippines: Suspicious Transaction Reports are filed with the AMLC. Covered Transaction Reports apply at PHP 500,000 and above. STRs are generally expected within five working days.
- New Zealand: Suspicious Activity Reports are filed with the New Zealand Police FIU. Prescribed Transaction Reports apply at NZD 10,000 for cash transactions and NZD 1,000 for international wire transfers.
Across all these jurisdictions, tipping-off prohibitions apply. Staff must not inform a customer that a suspicious report has been filed or may be filed. Breaching tipping-off rules can create serious legal and regulatory consequences.
6. Record Keeping
Record keeping is essential to regulatory defensibility. Institutions must be able to demonstrate what they knew, what they reviewed, what decisions they made and why those decisions were reasonable.
AML records should include:
- Customer identification and verification documents
- Beneficial ownership information
- CDD and EDD records
- Customer risk assessments
- Transaction records
- Alert investigation notes
- Case dispositions
- STR, SMR, SAR, CTR, TTR or PTR filings
- Training records
- Audit reports
- Governance and board reporting records
Across Singapore, Australia, Malaysia and the Philippines, AML records are generally expected to be retained for at least five years from the end of the business relationship or the date of transaction. New Zealand also requires records to be kept for five years from the end of the relationship or transaction date, depending on the record type.
Records should be retrievable and producible to regulators on request. A strong AML programme does not only retain documents. It maintains a clear evidence trail from risk identification to control design, alert investigation and reporting decision.
7. Training, Testing and Governance
Training, testing and governance determine whether the AML compliance programme works in practice.
Staff training should be role-specific. Frontline onboarding teams need to understand customer identification and red flags. Relationship managers need to recognise unusual customer behaviour. Transaction monitoring analysts need to understand typologies and investigation standards. Senior management and board members need to understand the institution’s risk profile, regulatory obligations and control gaps.
Independent testing or audit is also required to assess whether the programme is effective. In New Zealand, independent audit is mandatory every two years. In other APAC jurisdictions, the frequency is often risk-based, but regulators still expect institutions to test whether their policies, systems and controls are operating as intended.
Governance is equally important. The AML compliance officer must have sufficient authority, independence and resources. Senior management and the board must receive meaningful reporting on AML risk, not just volume-based metrics.
Board reporting should include:
- Key financial crime risk themes
- High-risk customer segments
- Monitoring effectiveness
- Alert volumes and backlogs
- STR or SAR trends
- Audit findings
- Regulatory changes
- Remediation status
- Resource constraints
An AML compliance programme without board-level oversight is incomplete.

How Transaction Monitoring Sits Within the AML Compliance Programme
Transaction monitoring is the most operationally complex component of the AML compliance programme. It is also one of the areas most frequently found deficient in regulatory examinations.
The reason is simple: transaction monitoring is where the risk-based approach becomes visible.
If the institution’s risk assessment identifies high-risk products, geographies or customer segments, the monitoring system must show how those risks are being detected. Monitoring scenarios that do not target the risks identified in the assessment create a structural compliance gap.
A compliant transaction monitoring function within the AML compliance programme requires five capabilities.
First, detection scenarios must be calibrated to the institution’s specific risk profile. This includes customer segments, product types, transaction patterns, delivery channels and geographic exposure.
Second, alert investigation workflows must be documented. Every alert should have an investigation outcome, supporting rationale and clear disposition.
Third, case management must track escalation and reporting deadlines. Suspicious reporting obligations are time-sensitive, and missed filing timelines can create enforcement risk.
Fourth, annual calibration reviews should document rule effectiveness, false positive rates, scenario updates and any changes made to thresholds.
Fifth, the evidence trail must be examination-ready. Supervisors should be able to review how a risk was identified, how a scenario was deployed, how an alert was generated, how it was investigated and why it was closed or reported.
The relationship between the AML compliance programme and the transaction monitoring system is bidirectional. The risk assessment drives monitoring design, and monitoring outputs drive suspicious reporting, governance updates and future risk assessment reviews.
Institutions whose monitoring systems cannot demonstrate traceability from assessed risk to deployed scenario, alert, disposition and report have a structural compliance weakness.
Best Practices for Maintaining AML Compliance in 2026
Build the Programme Around the Risk Assessment
A strong AML compliance programme begins with the institution’s own risk profile. Controls should not be built around generic rules or legacy templates.
Each high-risk area identified in the risk assessment should map to a policy, control, monitoring scenario, reporting workflow or governance process. If the risk assessment identifies trade-based money laundering, the institution should have TBML-specific controls. If it identifies mule accounts, the transaction monitoring system should include mule detection scenarios. If it identifies high PEP exposure, the programme should include stronger EDD, adverse media review and senior management approval.
Use Regulatory-Grade AI and Explainability
AI and machine learning can improve transaction monitoring, reduce manual effort and help investigators focus on higher-risk activity. However, regulators are increasingly examining how AI-based monitoring systems make decisions.
Institutions using AI for AML monitoring must be able to explain:
- How alerts are generated
- What data inputs are used
- What factors influence the risk score
- How the model was validated
- How performance is monitored
- How human review is applied
- How model changes are governed
Black-box machine learning models that cannot produce audit-trail documentation may create regulatory risk, even if detection performance appears strong. Explainability, validation and governance are now essential.
Review Programmes Against APAC Regulatory Updates
AML programmes should be reviewed against major regulatory and supervisory developments.
Singapore’s 2024 National Risk Assessment has sharpened focus on areas such as cross-border flows, misuse of legal persons and higher-risk sectors. Australia’s AML/CTF Amendment Act 2024 extends obligations to lawyers, accountants, real estate agents and other designated non-financial businesses from 2026. Bank Negara Malaysia’s 2023 AML/CFT/CPF/TFS Policy Document strengthens expectations around enterprise-wide risk assessment and control effectiveness. In the Philippines, post-grey-list supervisory attention continues to focus on sustainable compliance, STR quality and monitoring calibration.
Institutions operating across these markets should not rely on a single regional template. They need jurisdiction-specific obligation mapping and local control alignment.
Connect AML and Fraud Controls
Fraud and money laundering are increasingly connected. Scam proceeds often flow through mule accounts, real-time payment channels, wallets, crypto platforms, remittance providers and cash-out points.
An AML compliance programme that does not connect fraud signals with transaction monitoring may miss critical patterns. Institutions should move towards a unified financial crime view that brings together onboarding, screening, customer risk scoring, fraud detection, transaction monitoring, case management and reporting.
This is especially important for APP scams, romance scams, mule networks, synthetic identities and account takeover scenarios, where the same customer or account may show both fraud and AML indicators.
Strengthen Board and Senior Management Oversight
Regulators expect AML oversight to sit at senior levels of the institution. The board and senior management should not only approve the programme, but actively understand the institution’s financial crime risk profile.
Effective governance means AML issues are reported clearly, decisions are documented and remediation is tracked. The compliance officer should have enough authority, independence and resources to challenge business decisions where required.
Common AML Compliance Challenges in APAC
High False Positives and Alert Backlogs
Many institutions still face high false positive rates in transaction monitoring. Industry estimates often place false positives at very high levels, creating heavy workloads for compliance teams.
The practical consequence is alert backlog. When alerts remain unresolved for extended periods, institutions risk missing suspicious activity and failing to meet reporting timelines. Backlogs exceeding internal investigation timelines are a recurring examination concern.
The fix is not simply to add more rules. Better outcomes come from risk-based scenario design, customer segmentation, threshold calibration, alert prioritisation and periodic tuning.
Regulatory Complexity Across Jurisdictions
APAC financial institutions often operate across markets with different terminology, thresholds, filing deadlines and supervisory expectations.
Singapore, Australia, Malaysia, the Philippines and New Zealand all follow the risk-based approach, but their reporting frameworks and operational requirements differ. This creates complexity for regional compliance teams.
Institutions should maintain a jurisdiction-specific obligations register that maps each requirement to a process owner, system control, evidence source and review cadence.
Managing AI Explainability While Maintaining Detection Effectiveness
AI-based monitoring can improve detection, but it also creates governance challenges. Compliance teams need to ensure that models are explainable, validated, monitored and auditable.
The challenge is balancing detection performance with regulatory defensibility. A model that finds suspicious activity but cannot explain how it reached a decision may not satisfy examiners. Institutions should ensure that AI outputs can be reviewed, challenged and documented by human investigators.
Siloed Systems and Fragmented Data
Fraud, AML, sanctions, onboarding and customer risk teams often operate through separate systems. Criminals exploit these gaps.
A mule account may show onboarding anomalies, device risk, unusual transaction activity and suspicious beneficiary behaviour. If these signals remain in separate systems, investigators may not see the full risk picture.
Integrated case management and unified financial crime monitoring can help institutions connect these signals and respond faster.
How Tookitaki Helps Financial Institutions Strengthen AML Compliance
Tookitaki’s FinCense helps banks, fintechs, payment companies and other financial institutions build more adaptive AML and fraud prevention programmes.
FinCense supports key components of an AML compliance programme, including customer risk scoring, screening, transaction monitoring, alert prioritisation, case management and regulatory reporting. It helps institutions move beyond static rule-based monitoring and build controls that are more closely aligned with their specific risk profile.
Tookitaki’s AFC Ecosystem adds another layer of intelligence by bringing community-driven financial crime typologies and scenarios into the compliance workflow. This helps institutions stay closer to emerging risks and continuously improve detection coverage.
For compliance teams, the value lies in connecting risk assessment, monitoring design, investigation workflows and real-world typology intelligence into one stronger financial crime control environment.
Conclusion
An effective AML compliance programme is not a checklist. It is a living framework that must evolve with the institution’s risk profile, regulatory environment, customer behaviour and financial crime threats.
For banks and fintechs in Asia, the standard is clear. The programme must begin with a documented ML/FT risk assessment. It must translate that assessment into policies, CDD controls, transaction monitoring scenarios, reporting workflows, record keeping, training, testing and board governance.
The institutions that perform best will be those that can demonstrate traceability from risk to control to alert to investigation to report. That is what regulators expect, and it is what modern financial crime prevention requires.
As financial crime becomes faster, more digital and more networked, AML compliance programmes must become more adaptive, explainable and intelligence-led. That is how financial institutions can move from meeting minimum obligations to building real resilience against financial crime.


