AUSTRAC publishes its examination priorities for the year. The CCO at a regional Australian bank reads the list. Calibrated alert thresholds. Documentation of alert dispositions. EDD for high-risk customers. Periodic re-screening for PEPs.

The list looks the same as last year. And the year before.

The difference is that her team is 8 people — not 80. The obligation does not scale down with the headcount.

This is the operating reality for AML compliance at Tier 2 banks across Australia, Singapore, and Malaysia. Regional banks, digital banks, foreign bank branches, credit unions with banking licences — institutions that are fully regulated, fully examined, and fully liable, but are not Commonwealth Bank, DBS, or Maybank. The same rules apply. The resources do not.

This article covers where Tier 2 AML programmes most commonly fail examination, what "proportionate" compliance actually requires in practice, and how mid-size institutions build programmes that hold up without the 50-person compliance team.

The Regulatory Reality: Same Obligations, Different Resources

AUSTRAC, MAS, and BNM do not operate two-tier AML standards. The AML/CTF Act 2006 applies to every reporting entity in Australia regardless of asset size. MAS Notice 626 applies to every bank licensed in Singapore. BNM's AML/CFT Policy Document applies to every licensed institution in Malaysia.

The only concession regulators make is proportionality. A risk-based approach means the scale of an AML programme should reflect the scale of the risk — the volume and nature of transactions, the customer risk profile, the jurisdictions involved. But the programme must exist, be effective, and produce documentation that survives examination.

Proportionality is not a waiver.

Westpac's AUD 1.3 billion penalty in 2020 was for a major bank. But AUSTRAC has also pursued civil penalty orders against smaller ADIs and credit unions for the same category of failures: uncalibrated monitoring thresholds, inadequate EDD, insufficient transaction reporting. The regulator's methodology does not change based on the institution's size. The fine may differ; the finding does not.

For Tier 2 banks in Singapore, MAS has been direct: digital banks licensed under the 2020 digital banking framework should reach AML maturity equivalent to established banks within 2–3 years of licensing. "We are new" has a shelf life. For Tier 2 institutions in Malaysia, BNM's Policy Document draws no distinction between Maybank and a smaller licensed Islamic bank on the core obligations for CDD, transaction monitoring, and suspicious transaction reporting.

Five Gaps Where Tier 2 Banks Fail Examination

Gap 1: Default Threshold Settings on Transaction Monitoring

The most common finding across AUSTRAC and MAS examinations of smaller institutions is transaction monitoring software running on vendor-default alert thresholds.

Default thresholds are calibrated for a generic customer population. A regional Australian bank with 80% SME customers needs different alert logic than a consumer retail bank. A digital bank in Singapore whose customers are predominantly salaried individuals transferring payroll needs different parameters than a trade finance operation. When the thresholds do not reflect the institution's actual customer base, two things happen: analysts receive alerts that are irrelevant to real risk, and the transactions that represent genuine risk pass without triggering review.

AUSTRAC's published guidance on transaction monitoring is explicit on this point. MAS expects institutions to document their threshold calibration rationale and demonstrate that calibration is reviewed periodically against the institution's current risk profile. An undated configuration file from the vendor implementation three years ago does not meet that standard.

See our transaction monitoring software buyer's guide for the evaluation criteria that matter when institutions are selecting a platform — threshold configurability is one of five criteria that directly affect examination outcomes.

Gap 2: Alert Backlogs from High False Positive Rates

A Tier 2 bank running a legacy rules-only transaction monitoring system at a 97% false positive rate and processing 200 alerts per day needs 2–3 full-time analysts to do nothing except clear the alert queue. For a compliance team of 8, that is 25–37% of total capacity consumed by alert triage before a single investigation has started.

The consequence is not just inefficiency. It is a programme that cannot function as designed. Analysts clearing high-volume, low-quality alert queues develop pattern fatigue. Genuine risk signals get the same 30-second review as the 97% of alerts that will be closed as false positives. EDD interviews do not happen because there is no analyst capacity to conduct them. Examination preparation is squeezed into the two weeks before the examiner arrives.

False positive rates are not a fixed cost of running a transaction monitoring programme. Legacy rules-only systems produce high false positive rates because they apply static thresholds to dynamic customer behaviour. Typology-driven, behaviour-based detection — which incorporates how a customer's transaction patterns change over time, not just whether a single transaction crosses a threshold — consistently produces lower false positive rates. The technology gap between rule-based and behaviour-based monitoring is the single largest source of operational inefficiency for Tier 2 compliance teams.

For background on how transaction monitoring works and why the architecture matters, see what is transaction monitoring.

Gap 3: Inconsistent EDD Application

Large banks have EDD workflows automated into their CRM and compliance systems. When a customer's risk rating changes, the system triggers an EDD task, assigns it to an analyst, and tracks completion. The process is not dependent on an individual's memory.

Tier 2 banks frequently run manual EDD processes. PEP screening happens at onboarding. Periodic re-screening often does not — or it happens for some customers and not others, depending on which analyst handles the review. Corporate customers with complex beneficial ownership structures receive initial CDD at onboarding; the review when the ultimate beneficial owner changes is missed because there is no system trigger.

BNM's Policy Document, MAS Notice 626, and AUSTRAC's rules all require EDD to be applied to high-risk customers on an ongoing basis, not just at the point of relationship establishment. "Ongoing" is not annual if the customer's risk profile changes quarterly. An examination finding in this area typically cites specific customer accounts where EDD was not conducted after a risk rating change — not a policy gap, but an execution gap.

Gap 4: Inadequate Documentation of Alert Dispositions

Alert closed. No SAR filed. No written rationale recorded.

In a team under sustained volume pressure, documentation shortcuts are predictable. An analyst who closes 40 alerts in a day and writes a full rationale for 15 of them is not cutting corners deliberately — the queue does not allow otherwise.

AUSTRAC and MAS treat undocumented alert closures as programme failures. Not because the disposition decision was necessarily wrong, but because there is no evidence that a human reviewed the alert and made a considered decision. From an examination standpoint, an alert with no documented rationale is indistinguishable from an alert that was never reviewed. The regulator cannot distinguish between "reviewed and correctly closed" and "bypassed."

This is a systems problem, not a people problem. Alert documentation should be generated as part of the disposition workflow, not as a separate manual step. Every alert closure should require a rationale field — even if the rationale is a structured selection from a drop-down of standard reasons. The documentation burden should be close to zero per alert for straightforward dispositions.

Gap 5: No Model Validation for ML-Based Detection

Tier 2 banks that have moved to AI-augmented transaction monitoring frequently lack the model governance infrastructure to validate that detection models are performing correctly over time.

A model trained on transaction data from 2022 that has never been retrained is not performing at specification in 2026. Customer behaviour shifts. Payment methods change. New typologies emerge. Without periodic model validation — testing whether the model's detection performance against current transaction patterns matches its baseline specification — the institution cannot make the assertion that its monitoring programme is effective.

MAS has flagged model governance as an emerging examination area. For Tier 2 banks, the challenge is that model validation at large banks is done by internal quant teams with the expertise to run performance tests, backtesting, and drift analysis. A 10-person compliance team at a regional bank does not have that capability in-house.

The answer is not to avoid AI-augmented monitoring. It is to select platforms where model validation documentation is generated automatically, and where retraining and recalibration is a vendor-supported function, not a requirement to build internal data science capability.

What "Proportionate" AML Compliance Actually Means

Proportionality is frequently misread as a licence to do less. It is not. It is permission to concentrate compliance resources where the actual risk is — rather than spreading equal effort across all customers regardless of their risk profile.

For a Tier 2 bank, proportionate compliance means three things in practice.

Automate the process work. Alert generation, threshold calibration triggers, EDD workflow initiation, documentation of alert dispositions — none of these should require analyst decision-making at each step. Every manual step is a point where volume pressure leads to shortcuts, and shortcuts are what examination findings are made of.

Free analyst capacity for work that requires judgement. Complex alert investigations, EDD interviews, SAR filing decisions, examination preparation — these require an experienced analyst's attention and cannot be automated. A team of 8 can do this work well, but only if they are not consuming 3–4 hours per day clearing a backlog of 200 low-quality alerts.

The arithmetic is specific: at a 97% false positive rate on 200 daily alerts, an analyst spends approximately 2.5 minutes on each alert just to clear the queue — that is 500 analyst-minutes, or roughly 8.3 hours, across a team. At a 50% false positive rate on the same 200 alerts, 100 alerts require substantive review. The remaining 100 are flagged for quick closure. Total review time drops to approximately 4–5 hours — returning 3–4 hours of analyst capacity daily for investigation and EDD work. At a 10-person team, that is 30–40% of daily compliance capacity returned to meaningful work.

Build documentation in, not on. Every compliance workflow should generate examination-ready records as a byproduct of normal operation, not as a separate documentation task.

Technology Requirements Specific to Tier 2

The enterprise transaction monitoring systems built for Tier 1 banks assume implementation resources that Tier 2 banks do not have. Multi-month professional services engagements, dedicated data engineering teams, internal model governance functions — these are not realistic for a regional bank with a 5-person technology team and a compliance budget that was set before the current regulatory environment.

Four technology requirements are specific to Tier 2:

Integration simplicity. Many Tier 2 banks run legacy core banking platforms. Cloud-native transaction monitoring platforms with standard API connectivity can connect to core banking data in weeks, not months, without requiring a custom integration project.

Compliance-configurable thresholds. Compliance staff should be able to adjust alert thresholds and add detection scenarios without vendor involvement. Calibration is a compliance function. If it requires a professional services engagement every time a threshold needs updating, calibration will not happen at the frequency regulators expect.

Predictable pricing. Per-transaction pricing models become unpredictable as transaction volumes grow. Tier 2 banks should look for flat-fee or tiered pricing that is budget-predictable against their transaction volume — one less variable in a constrained budget environment.

Exam-ready documentation, automatically. Alert audit trails, calibration records, and model validation documentation should be outputs of the platform's standard operation, not custom report builds. If producing the documentation package for an examination requires a week of manual compilation, the documentation package will always be incomplete.

For a structured framework on evaluating transaction monitoring vendors against these criteria, see the TM Software Buyer's Guide.

APAC-Specific Regulatory Context for Tier 2

Australia. AUSTRAC's risk-based approach explicitly accommodates proportionality — but AUSTRAC has examined and found against credit unions and smaller ADIs for the same monitoring failures as major banks. The AUSTRAC transaction monitoring requirements cover the specific obligations that apply to all reporting entities, regardless of size.

Singapore. MAS Notice 626 applies to all banks licensed in Singapore. For digital banks — which are structurally Tier 2 in Singapore's context — MAS has set explicit expectations that AML maturity should reach equivalence with established banks within 2–3 years of licensing. The MAS transaction monitoring requirements article covers the specific MAS standards in detail.

Malaysia. BNM's AML/CFT Policy Document applies to all licensed institutions. Smaller licensed banks, Islamic banks, and regionally focused institutions have the same CDD, monitoring, and reporting obligations as the major domestic banks. BNM's examination methodology does not grade on institution size.

What an Examination-Ready Tier 2 AML Programme Looks Like

Six elements characterise programmes that hold up to examination at Tier 2 institutions:

1. A written AML/CTF programme, Board-approved and reviewed annually
2. Transaction monitoring thresholds documented and calibrated against the institution's own customer risk assessment — with a dated record of when calibration was last reviewed and by whom
3. An alert investigation workflow that generates a written rationale for every closed alert, including a structured reason code for dispositions that do not result in SAR filing
4. EDD workflows triggered automatically by risk rating changes, not by analyst memory
5. Annual model validation or rule-set review with documented outcomes, even where the outcome is "no changes required"
6. Staff training records, including dates, completion rates, and assessment outcomes by employee

None of these six elements require a large compliance team. They require systems configured to produce the right outputs and workflows designed to generate documentation as a byproduct of normal operation.

How Tookitaki FinCense Fits the Tier 2 Context

Tookitaki's FinCense AML suite is deployed across institution sizes, including Tier 2 banks, digital banks, and licensed challengers in Australia, Singapore, and Malaysia.

FinCense is cloud-native with standard API connectivity, which reduces integration time for institutions that do not have dedicated implementation teams. Compliance staff can configure alert thresholds and detection scenarios without vendor support — calibration happens on the institution's schedule, not when a professional services engagement can be arranged.

APAC-specific typologies and pre-built documentation for AUSTRAC, MAS Notice 626, and BNM's Policy Document are included in the platform. These are not professional services add-ons; they are part of the standard deployment.

In production deployments, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. At a 10-person compliance team processing 200 daily alerts, that returns approximately 3–4 hours of analyst capacity per day — enough to run substantive investigations, keep EDD current, and arrive at examination with documentation that was built during normal operations, not assembled in a panic the week before.

See FinCense in a Tier 2 Bank Context

If your institution is carrying the same AML obligations as the major banks with a fraction of the compliance resources, the question is not whether you need a programme that works — it is whether your current programme will hold up when the examiner arrives.

Book a demo to see FinCense configured for a Tier 2 bank: realistic transaction volumes, a compliance team of fewer than 20, and the documentation outputs that AUSTRAC, MAS, and BNM expect.

If you are still evaluating options, the TM Software Buyer's Guide provides a structured framework for comparing platforms on the criteria that matter most for smaller compliance teams.

On 20 April 2026, Philippine media reported that the National Bureau of Investigation had arrested 48 individuals after raiding an alleged online scamming hub in Parañaque City. The timing matters. This is not an old case being revisited. It is a fresh reminder that scam operations across Southeast Asia are still active, organised, and scaling fast.

When authorities entered the site, they did not just uncover another isolated scam. They walked into something far more structured — an operation that looked less like opportunistic fraud and more like a production line.

Dozens of individuals. Multiple devices. Coordinated activity. A setup that resembled a call centre more than a loose group of fraudsters.

For compliance teams, this is not just another headline. It is a signal. Modern scam networks are becoming more industrialised, and the financial trails they leave behind are becoming harder to detect with static, siloed controls.

What Actually Happened in Parañaque

The raid exposed an online scamming hub operating at scale. Investigators found individuals actively engaged in defrauding victims, likely through a mix of social engineering tactics — investment scams, impersonation schemes, and possibly romance or job scams.

What stood out was not just the activity itself, but the structure:

• Multiple operators working simultaneously
• Dedicated systems and devices
• Coordinated workflows
• A controlled environment, almost like a call centre

This was not a loose group of fraudsters. It was organised, repeatable, and designed for volume.

That distinction matters.

Because once fraud becomes structured like this, it stops being unpredictable and starts becoming scalable.

The Shift from Scams to Scam Infrastructure

For years, fraud has often been viewed as a series of isolated incidents. A phishing email here. A social engineering case there.

That lens no longer holds.

What the Parañaque case reveals is something deeper: the rise of scam infrastructure.

These are not individuals improvising. These are networks designed with:

• Recruitment pipelines
• Scripted engagement models
• Operational roles and hierarchies
• Performance-driven execution

In many ways, these setups mirror legitimate businesses — except the product being “sold” is deception.

And like any efficient system, they optimise over time.

They test what works. They refine messaging. They reuse successful playbooks. They scale quickly.

For financial institutions, this changes the challenge entirely.

You are no longer detecting one-off fraud. You are up against systems that are constantly learning and adapting.

Why This Matters for Financial Institutions

At first glance, a physical raid in the Philippines may feel distant to a bank in Singapore or a fintech in Australia.

But the financial footprint of such operations is rarely local.

Scam proceeds move quickly — often across borders, across institutions, and across channels.

A typical flow might look like this:

• Victim transfers funds via online banking or wallet
• Funds are routed through mule accounts
• Split into smaller transactions
• Moved across jurisdictions
• Layered further to obscure origin

By the time the money surfaces in a financial institution’s system, it often appears routine.

That is the real risk.

Not at the point of the scam, but at the point where illicit funds blend into legitimate financial flows.

The Hidden Complexity Behind “Simple” Scams

It is easy to dismiss scams as basic manipulation.

But cases like this show how layered they have become.

Behind a single victim interaction, there may be:

• A recruitment network sourcing operators
• A technical setup managing communication channels
• A financial layer handling fund movement
• A supervisory layer coordinating activity

Each layer introduces its own signals.

But those signals are rarely obvious in isolation.

A transaction might look normal.
A customer profile might appear clean.
A payment pattern may not trigger any threshold.

Yet, when viewed together, they form a pattern.

This is the daily reality for compliance teams — connecting weak, fragmented signals into something meaningful.

Where Traditional Detection Starts to Break Down

Most financial institutions still rely, at least in part, on rule-based monitoring.

And rules do have their place.

But against structured scam operations, they begin to show limitations:

• Static thresholds struggle against evolving behaviour
• Isolated alerts fail to capture network patterns
• Manual tuning cannot keep pace with changing typologies

In the Parañaque case, individual transactions may not have appeared suspicious.

What made them risky was the context — the coordination, the repetition, the connections.

This is where traditional systems fall short.

They are built to detect anomalies, not ecosystems.

The Role of Mule Networks in Scaling Fraud

No large-scale scam operation works without one critical component: money mules.

These accounts absorb, move, and disguise illicit funds.

And they are becoming increasingly sophisticated.

Some are unwitting — recruited through job offers or incentives.
Others are complicit — knowingly participating in exchange for a share.

Either way, they create a buffer between fraudsters and the financial system.

In operations like the Parañaque hub, mule networks likely operate in parallel:

• Receiving funds from multiple victims
• Redistributing across accounts
• Moving funds rapidly across borders

From a compliance perspective, mule activity often appears as:

• High-velocity transactions
• Rapid inflows and outflows
• Accounts with little genuine economic activity

But again, these signals are rarely conclusive on their own.

The Cross-Border Reality

Modern fraud rarely stays within one jurisdiction.

A scam initiated in one country can impact victims in another, with funds routed through multiple regions.

This creates three persistent challenges:

1. Fragmented visibility
   No single institution sees the full transaction chain
2. Jurisdictional differences
   Regulatory expectations and data access vary
3. Delayed intervention
   By the time alerts are triggered, funds have already moved

The Parañaque case reinforces a simple truth: financial crime is global, even when it appears local.

What Compliance Teams Should Be Looking For

Rather than focusing on isolated red flags, institutions need to identify patterns of behaviour.

Indicators aligned with operations like this include:

• Clusters of accounts exhibiting similar transaction flows
• Repeated low-to-mid value transfers across multiple beneficiaries
• Rapid movement of funds with minimal retention
• Shared identifiers such as devices, IPs, or contact details
• Activity inconsistent with stated customer profiles

Individually, these may not trigger concern.

Collectively, they signal coordination.

Moving from Detection to Understanding

There is a broader shift underway in financial crime prevention.

From generating alerts…
To understanding behaviour.

It is no longer enough to flag transactions.

Teams need to ask:

• Why is this activity happening?
• How is it connected to other behaviour?
• What broader typology does it resemble?

This shift is not easy.

Because understanding requires context — and context requires intelligence beyond internal data.

The Role of Collaborative Intelligence

Cases like the Parañaque scam hub highlight a structural gap.

No single institution has full visibility.

Fraud patterns are distributed across:

• Banks
• Fintech platforms
• Payment processors
• Geographies

Which means detection cannot rely on isolated systems.

Collaborative intelligence becomes critical.

By sharing typologies, behavioural patterns, and risk signals without exposing sensitive data institutions can:

• Detect emerging threats earlier
• Improve accuracy
• Reduce false positives

This is where community-driven intelligence models are gaining traction.

Where Technology Needs to Evolve

To keep pace with structured fraud operations, detection systems need to evolve in three ways:

1. From rules to adaptive intelligence
Systems must continuously learn from emerging patterns

2. From transactions to networks
Detection must capture relationships, not just events

3. From alerts to actionable insights
Outputs must support faster, clearer investigation decisions

This is not about replacing existing systems overnight.

It is about enhancing them to reflect how fraud actually operates today.

The Cost of Getting This Wrong

The impact of missing these signals goes beyond financial loss.

There are broader consequences:

• Increased regulatory scrutiny
• Reputational damage
• Erosion of customer trust

In fast-growing digital markets, trust is not easily rebuilt once lost.

And fraud, left unchecked, directly undermines it.

A More Grounded Way Forward

The Parañaque case is not an anomaly. It is part of a pattern.

Fraud is becoming:

• More organised
• More scalable
• More adaptive

And increasingly embedded within legitimate financial systems.

Responding to this requires a shift:

From reactive to proactive
From siloed to collaborative
From static to adaptive

For compliance teams, this is not about chasing every new scam.

It is about building the capability to recognise patterns — even as they evolve.

Conclusion: Beyond the Raid

The arrest of 48 individuals is a meaningful enforcement action.

But it is not the end of the story.

Operations like these rarely disappear. They adapt, relocate, and re-emerge.

For financial institutions, the real question is not whether such scams exist.

It is whether their systems can detect the financial signals these operations inevitably leave behind.

Because while enforcement can shut down a physical hub, the financial trails continue to move.

And that is where the real battle is being fought.

Picture a compliance officer at a Malaysian licensed bank three weeks out from a BNM AML/CFT examination. She has read AMLATFPUAA. She knows the Act was amended in 2014 and again in 2020. What she needs now is not another legislative summary. She needs to know what BNM's examiners will actually open on their laptops when they arrive — which files, which logs, which policy documents — and where programmes at institutions like hers most commonly fall short.

That is what this guide covers.

The legislative history of AMLATFPUAA and its impact on Malaysia's financial sector is covered in our [overview of AMLA and its impact on the Malaysian financial landscape](/compliance-hub/understanding-amla-impact-on-malaysia-financial-landscape). This article focuses on the operational layer: the ongoing compliance obligations that BNM-supervised institutions must meet, the specific thresholds and timelines that govern reporting, and the recurring examination gaps that BNM has identified in practice.

The Regulatory Framework in Brief

Two instruments govern AML/CFT compliance for BNM-supervised institutions in Malaysia.

AMLATFPUAA 2001 is the primary legislation. The 2014 amendment expanded the list of predicate offences and brought Designated Non-Financial Businesses and Professions (DNFBPs) into the compliance perimeter. The 2020 amendment strengthened beneficial ownership requirements and raised maximum penalties to MYR 3 million per offence, or 5 years imprisonment, or both. For financial institutions, the penalties can run per transaction or per day of non-compliance — which changes the risk calculus considerably.

BNM's AML/CFT and TF Policy Document (2023) is where the day-to-day compliance standards sit. The Policy Document translates AMLATFPUAA's obligations into specific programme requirements: who must be screened, how, at what intervals, and with what documentation. BNM's Financial Intelligence and Enforcement Department (FIED) is the enforcement arm that reviews STR filings and leads enforcement action.

When a BNM examiner cites a deficiency, the reference is almost always to the Policy Document, not to the Act itself. Knowing the Act is necessary; knowing the Policy Document is what keeps a programme compliant.

Who Must Comply: Reporting Institutions Under AMLATFPUAA

AMLATFPUAA defines "Reporting Institutions" across three categories, each carrying distinct obligations.

Category 1 covers licensed banks, Islamic banks, and development financial institutions. These institutions carry the fullest set of AML/CFT obligations under the Policy Document, including mandatory enterprise-wide risk assessments and comprehensive transaction monitoring programmes.

Category 2 covers money service businesses (MSBs), remittance operators, and e-money issuers. The obligations are materially equivalent to Category 1 for CDD and reporting, but the Policy Document recognises that the risk typologies differ — particularly for remittance operators processing high-frequency, lower-value cross-border transfers.

Category 3 covers DNFBPs: lawyers, accountants, and real estate agents, brought in under the 2014 amendment. DNFBP obligations are threshold-triggered — they apply when a transaction reaches a defined cash value or when the DNFBP is facilitating a category of activity specified in the Act.

The DNFBP category matters for banks because banks deal with these professionals as customers. When a law firm holds a client account at your institution, BNM expects you to recognise that relationship as carrying elevated risk — and to apply the CDD standards appropriate to it.

Customer Due Diligence: Three Tiers, Different Standards

BNM's AML/CFT Policy Document sets three CDD tiers. Which tier applies depends on the risk profile of the customer and the nature of the business relationship — not on an institution's convenience.

Standard CDD

Standard CDD applies to all new customers unless simplified CDD conditions are met. It requires identification and verification of the customer, documentation of the purpose and intended nature of the business relationship, and a customer risk assessment at onboarding. Verification must be based on independent and reliable sources — a customer self-certifying their identity is not sufficient.

For individual customers, verification typically involves government-issued identification. For corporate customers, it extends to directors, authorised signatories, and ultimate beneficial owners (UBOs).

Simplified CDD

Simplified CDD is available for customers assessed as low-risk: listed companies on a regulated exchange, government entities, and FIs supervised by BNM or an equivalent foreign regulator. Under simplified CDD, identification is still required but the depth of verification can be reduced, and ongoing monitoring can operate at lower intensity.

The Policy Document is explicit that simplified CDD is a risk-based determination — not a category exemption. An institution cannot apply simplified CDD to a listed company without first concluding that the specific company and the specific transaction type present low money laundering risk.

Enhanced Due Diligence

Enhanced Due Diligence (EDD) is mandatory for four customer categories:

• Politically Exposed Persons (PEPs) — domestic and foreign
• Customers from FATF-identified jurisdictions with strategic AML/CFT deficiencies
• Corporate customers with complex or non-transparent ownership structures
• Customers engaged in cash-intensive businesses

EDD requirements under the Policy Document are specific. For PEPs, the institution must verify source of funds and source of wealth — not just identify the customer's occupation. Senior management approval is required before establishing or continuing a relationship with a PEP. The approval must be documented, with a named approver. Periodic review of PEP relationships is mandatory at least every 2 years.

For all EDD customers, monitoring intensity must be increased. What "increased" means in practice is calibrated monitoring rules, not a generic note in the file that the customer is high-risk.

Beneficial ownership threshold: BNM sets the threshold for identifying UBOs at 25% ownership or control — consistent with the FATF standard. Institutions must trace ownership to natural persons. Nominee structures, trusts, and multi-layer corporate arrangements are not a legitimate stopping point. If your CDD file shows a holding company as the UBO rather than the individuals who own it, the file is incomplete.

For institutions operating digital onboarding channels, the BNM eKYC Policy Document sets out the technical requirements that must be met for remote CDD to carry the same assurance as face-to-face verification. The specifics for digital banks and e-money issuers are covered in our eKYC Malaysia guide.

Ongoing Monitoring Requirements

Onboarding CDD is not a one-time event. BNM's Policy Document requires institutions to monitor the business relationship throughout its duration — which means monitoring transactions for consistency with the customer's risk profile, stated purpose, and expected transaction patterns.

When Re-KYC Is Required

The Policy Document specifies triggers that require re-assessment of a customer's KYC data:

• A material change in the customer's circumstances (change in business activity, change in ownership structure, change in country of domicile)
• A change in the customer's risk rating — either triggered by a system alert or a periodic review
• Reactivation of a dormant account (inactive for 12 months or more)
• Scheduled periodic review for high-risk customers — at minimum every 2 years

The 12-month dormancy trigger and the 2-year PEP review cycle are not recommendations. They are requirements. BNM examiners check whether these cycles are documented and whether the reviews are substantive — not whether a checkbox was ticked.

Transaction Monitoring Calibration

BNM's examination findings have repeatedly cited one gap above others: institutions running transaction monitoring with default threshold settings that have not been calibrated to the institution's own customer risk profile.

Default thresholds — those that come with a monitoring system out of the box — are designed to be functional across a broad range of institutions. They are not designed to reflect the specific risk profile of your customer book. A licensed bank whose retail clients are primarily salaried employees in Klang Valley has a different expected transaction pattern than an MSB processing remittances to Southeast Asian labour markets. Their monitoring should look different.

BNM expects institutions to document why their thresholds are set where they are, when they were last reviewed, and who approved the current calibration. If the answer is "these are the system defaults," that is a finding waiting to be written.

To understand what an effective transaction monitoring programme should look like — and what to evaluate when selecting or upgrading a system — see our Transaction Monitoring Software Buyer's Guide and What Is Transaction Monitoring.

Reporting Obligations: Timelines and Thresholds

BNM-supervised institutions have two primary reporting obligations to FIED. Both have defined timelines that examination teams check.

Cash Threshold Reports (CTRs)

Any cash transaction — or series of related cash transactions — of MYR 25,000 or above must be reported to FIED via the goAML system (Malaysia adopted the UNODC goAML platform in 2020). The filing deadline is 3 business days from the date of the transaction.

CTR filing is largely mechanical for institutions with core banking systems capable of automated flagging. Where BNM has found gaps is in the manual detection of structured transactions — multiple sub-MYR 25,000 cash deposits by the same customer within a short period, designed to stay below the CTR threshold. Structuring is a predicate offence under AMLATFPUAA. Failing to detect it is a monitoring failure, not just a reporting failure.

Suspicious Transaction Reports (STRs)

An STR must be filed when a staff member or system alert produces grounds to suspect that a transaction involves the proceeds of a scheduled offence or is connected to terrorist financing. The deadline is 3 working days from the point at which suspicion is formed — not from when the transaction occurred.

That distinction matters. If a transaction alerts in your monitoring system on Monday and a compliance analyst forms a reasonable suspicion on Wednesday, the STR clock started on Wednesday, not Monday.

BNM examination findings have identified a specific quality gap in STR filings: reports submitted without an adequate documented basis for suspicion. An STR that records "transaction appeared unusual" without specifying what pattern triggered the suspicion, what investigation was conducted, and why the analyst concluded suspicion was warranted, does not meet the standard. The goAML system requires structured data fields to be completed — but the narrative quality of what goes into those fields is what BNM examiners assess.

The internal pathway matters too. Institutions must have a documented process for staff to escalate concerns to the MLRO via an Internal Suspicious Transaction Report (ISTR). Frontline staff who identify red flags and have no clear escalation route — or who fear that escalating will reflect poorly on them — are a systemic gap. BNM expects staff training to address this directly.

AML/CFT Programme Governance

A compliant AML/CFT programme is not a set of policies in a folder. BNM's Policy Document specifies the governance structure that must be in place.

Board-approved compliance programme. The institution's AML/CFT programme must be documented, formally approved by the Board of Directors, and reviewed at minimum annually. A programme that exists only in the compliance officer's head — or that was last updated before the 2020 AMLATFPUAA amendments — is non-compliant.

Designated Compliance Officer (DCO). The DCO must sit at senior management level and must have direct access to the Board or Board Audit Committee when escalation is required. BNM examiners specifically check whether the DCO has the seniority and independence to escalate concerns without internal obstruction. An institution where the MLRO reports upward through the business line whose clients they are monitoring has a structural governance problem.

Independent AML/CFT audit. The audit function — whether internal or conducted by a qualified external party — must assess the AML/CFT programme at least once per year. The scope must cover policy adequacy, operational effectiveness, and staff training outcomes. An audit that confirms the policies exist but does not test whether they work is not what BNM requires.

Staff training. Training must be documented, with records of attendance and assessment results. BNM examiners have cited institutions where training records were incomplete or where training had not been updated to reflect regulatory changes — including the goAML transition and the 2020 AMLATFPUAA amendments.

Common BNM Examination Gaps

Based on publicly available BNM guidance and supervisory feedback, five gaps recur across examinations of Malaysian institutions.

Outdated customer risk assessments. Customers onboarded years ago under different risk criteria and never re-assessed — even when their transaction patterns have materially changed.

Incomplete beneficial ownership documentation for corporate customers. Files that identify a corporate structure but stop at the holding company level, without tracing to the natural persons who ultimately control it.

STRs filed without documented analytical basis. The filing exists, but the rationale is absent. This satisfies neither the spirit nor the operational requirement of the obligation.

Default monitoring thresholds. System thresholds not calibrated to the institution's specific customer risk profile — and no documentation that the calibration question was ever asked.

Inadequate scrutiny of DNFBPs as customers. Banks treating law firm client accounts or real estate agent trust accounts the same as ordinary business accounts, without recognising the elevated risk profile those relationships carry under AMLATFPUAA.

Malaysia's FATF Context: Why Examination Intensity Has Increased

Malaysia's FATF Mutual Evaluation in 2023 assessed both technical compliance and effectiveness — two different standards. Technical compliance measures whether the laws and regulations are in place. Effectiveness measures whether they work.

Malaysia's technical compliance ratings were largely Compliant or Largely Compliant. Its effectiveness ratings were lower — particularly for the transparency of corporate beneficial ownership, where the evaluation found that beneficial ownership information was not always available to competent authorities in a timely way.

For BNM-supervised institutions, the practical effect is this: BNM is under pressure to demonstrate that AML controls are operationally effective, not just formally present. Examination intensity has increased since 2023. The scrutiny on beneficial ownership documentation, on monitoring calibration, and on STR quality is not coincidental. These are the areas the FATF evaluation identified as weakest, and they are the areas BNM examiners are examining most carefully.

Preparing for What Examiners Actually Review

The compliance officer three weeks out from her BNM examination should be checking seven things:

1. Are customer risk assessments current — specifically for dormant accounts and for customers whose transaction patterns have changed?
2. Do all corporate customer files trace beneficial ownership to natural persons at the 25% threshold?
3. Are monitoring thresholds documented with a calibration rationale — and reviewed within the last 12 months?
4. Do STR files contain a structured basis for suspicion, not just a transaction reference?
5. Is the DCO's seniority and Board access documented?
6. Was the AML/CFT audit conducted in the past year, and did its scope include operational testing?
7. Are staff training records complete and current for all frontline and compliance staff?

These are not abstract compliance questions. They are the specific items that BNM examinations have produced findings on. Getting them right before the examination is considerably easier than explaining gaps during it.

If you want to see how Tookitaki's platform supports CDD, transaction monitoring calibration, and STR quality management for BNM-supervised institutions, book a demo. Or download our Malaysia AML compliance checklist for a full pre-examination review framework tailored to AMLATFPUAA and the BNM AML/CFT Policy Document. For institutions evaluating or upgrading their monitoring systems, the Transaction Monitoring Software Buyer's Guide covers what to look for and what to ask vendors about calibration and alert management. If you're new to the foundations of KYC and CDD, our What Is KYC guide provides the conceptual grounding the Policy Document assumes you have.