New Zealand sits under less external scrutiny than Singapore or Australia, but its domestic enforcement record tells a different story. Three supervisors — the Reserve Bank of New Zealand, the Financial Markets Authority, and the Department of Internal Affairs — run active examination programmes. A mandatory Section 59 audit every two years creates a hard compliance deadline. And the AML/CFT Act's risk-based approach means institutions cannot rely on vendor defaults or generic rule sets to satisfy supervisors.

For banks, payment service providers, and fintechs operating in New Zealand, transaction monitoring is the operational centre of AML/CFT compliance. This guide covers what the Act requires, how the supervisory structure affects monitoring obligations, and where institutions most commonly fail examination.

The AML/CFT Act 2009: New Zealand's Core Framework

New Zealand's AML/CFT framework is governed by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. Phase 1 entities — banks, non-bank deposit takers, and most financial institutions — came into scope in June 2013. Phase 2 extended obligations to lawyers, accountants, real estate agents, and other designated businesses in stages from 2018 to 2019.

The Act operates on a risk-based model. There is no prescriptive list of transaction monitoring rules an institution must run. Instead, institutions must:

• Conduct a written risk assessment that identifies their specific ML/FT risks based on customer type, product set, and delivery channels
• Implement a compliance programme derived from that assessment, including monitoring and detection controls designed to address identified risks
• Review and update the risk assessment whenever material changes occur — new products, new customer segments, new channels

This principle-based approach gives institutions flexibility but removes the ability to claim compliance by pointing to a vendor's default configuration. If your monitoring is not designed around your assessed risks, supervisors will find the gap.

Three Supervisors: FMA, RBNZ and DIA

New Zealand's supervisory structure is unusual among APAC jurisdictions. While Australia has AUSTRAC and Singapore has MAS, New Zealand has three supervisors, each with jurisdiction over distinct entity types:

Each supervisor publishes its own guidance and runs its own examination priorities. The practical implication: guidance from AUSTRAC or MAS does not map directly onto New Zealand's framework. Institutions need to engage with their specific supervisor's published materials and annual risk focus areas.

For most banks and payment companies, RBNZ is the relevant supervisor. For digital asset businesses and VASPs, DIA is the supervisor following the 2021 amendments.

Who Must Comply

The Act applies to "reporting entities" — a defined category covering most financial businesses operating in New Zealand:

• Banks (including branches of foreign banks)
• Non-bank deposit takers: credit unions, building societies, finance companies
• Money remittance operators and foreign exchange dealers
• Life insurance companies
• Securities dealers, brokers, and investment managers
• Trustee companies
• Virtual asset service providers (VASPs) — brought in scope June 2021

The VASP inclusion is significant. The AML/CFT (Amendment) Act 2021 extended reporting entity obligations to crypto exchanges, digital asset custodians, and related businesses. DIA supervises most VASPs, with specific guidance on digital asset typologies.

Transaction Monitoring Obligations

The AML/CFT Act does not use "transaction monitoring" as a defined technical term the way MAS Notice 626 does. What it requires is that institutions implement systems and controls within their compliance programme to detect unusual and suspicious activity.

In practice, a compliant transaction monitoring function requires:

Documented risk-based detection scenarios. Monitoring rules or behavioural detection scenarios must be designed to detect the specific ML/FT risks identified in your risk assessment. A retail bank serving Pacific Island remittance customers needs different scenarios than a corporate securities dealer. Supervisors check the alignment between the risk assessment and the monitoring controls — generic vendor defaults that have not been configured to your institution's risk profile will not satisfy this requirement.

Alert investigation records. Every alert generated must be investigated, and the investigation and disposition decision must be documented. An alert closed as a false positive requires documentation of why. An alert that escalates to a SAR requires the full investigation trail. Alert backlogs — alerts generated but not reviewed — are among the most common examination findings.

Annual programme review with board sign-off. The Act requires the compliance programme, including monitoring controls, to be reviewed annually. The compliance officer must report to senior management and the board. Evidence of this reporting chain is a standard examination request.

Calibration and effectiveness review. Supervisors look for evidence that monitoring scenarios are reviewed for effectiveness — whether they are generating useful alerts or producing excessive false positives without adjustment. A monitoring programme that has not been reviewed or calibrated since deployment will attract scrutiny.

Reporting Requirements: PTRs and SARs

Transaction monitoring outputs feed two mandatory reporting obligations:

Prescribed Transaction Reports (PTRs) are threshold-based and mandatory — they do not require suspicion. PTRs must be filed with the New Zealand Police Financial Intelligence Unit (FIU) via the goAML platform for:

• Cash transactions of NZD 10,000 or more
• International wire transfers of NZD 1,000 or more (in or out)

The filing deadline is within 10 working days of the transaction. PTR monitoring requires specific detection for transactions at and around these thresholds, including structuring patterns where customers conduct multiple sub-threshold transactions to avoid PTR obligations.

Suspicious Activity Reports (SARs) — New Zealand uses "SAR" rather than "STR" (Suspicious Transaction Report). SARs must be filed as soon as practicable, and no later than three working days after forming a suspicion. The threshold for suspicion is lower than many teams assume: reasonable grounds to suspect money laundering or financing of terrorism are sufficient — certainty is not required.

SARs are filed with the NZ Police FIU via goAML. The tipping-off prohibition under the Act makes it a criminal offence to disclose to a customer that a SAR has been filed or is under consideration.

The Section 59 Audit Requirement

The most operationally distinctive element of New Zealand's framework is the Section 59 audit. Every reporting entity must arrange for an independent audit of its AML/CFT programme at intervals of no more than two years.

The auditor must assess whether:

• The risk assessment accurately reflects the entity's current ML/FT risk profile
• The compliance programme is adequate to manage those risks
• Transaction monitoring controls are functioning as designed and generating appropriate outputs
• PTR and SAR reporting is accurate, complete, and timely
• Staff training is adequate

The two-year cycle creates a hard deadline. Institutions with monitoring gaps, stale risk assessments, or unresolved findings from the previous audit cycle will face those issues again. The audit is also a forcing function for calibration: institutions that have not reviewed their detection scenarios or addressed alert backlogs before the audit will have those gaps documented in the audit report — which supervisors can and do request.

How NZ Compares to Australia and Singapore

For compliance teams managing obligations across multiple APAC jurisdictions, the structural differences matter:

The wire transfer threshold is the most operationally significant difference. New Zealand's NZD 1,000 threshold for international wires generates substantially more PTR volume than Australian or Singapore equivalents. Institutions managing cross-border payment flows into or out of New Zealand need PTR-specific monitoring that can handle this volume.

Common Transaction Monitoring Gaps in NZ Examinations

Supervisors across all three agencies have documented recurring compliance failures. The most common transaction monitoring gaps are:

Risk assessment not driving monitoring design. The risk assessment identifies high-risk customer segments or products, but the monitoring system runs generic rules that do not target those specific risks. Supervisors treat this as a material failure — the Act requires the programme to be derived from the risk assessment, not run alongside it.

PTR monitoring gaps. Institutions with strong SAR-based monitoring often have inadequate controls for PTR-triggering transactions. Structuring below the NZD 10,000 cash threshold requires specific detection scenarios that standard bank rule sets do not include.

Alert backlogs. Alerts generated but not reviewed within a reasonable timeframe are a consistent finding. Unlike some jurisdictions with prescribed investigation timelines, the Act does not specify deadlines — but supervisors expect evidence of timely review, and large backlogs indicate the monitoring system is generating more output than the team can process.

Stale risk assessments. The Act requires risk assessments to be updated when material changes occur. Institutions that have launched new products, added new customer segments, or changed delivery channels without updating their risk assessment are out of compliance with this requirement.

VASP-specific coverage gaps. For DIA-supervised VASPs, standard bank-oriented monitoring rule sets do not address digital asset typologies: wallet clustering, rapid conversion between asset types, cross-chain transfers, and structuring patterns in low-value token transactions. VASPs need detection scenarios specific to their product and customer risk profile.

What a Compliant NZ Transaction Monitoring Programme Requires

For institutions operating under the AML/CFT Act, a compliant monitoring programme requires:

• A current, documented risk assessment aligned to your actual customer base and product set
• Monitoring scenarios designed to detect the specific risks in that assessment, not vendor defaults
• Alert investigation workflows with documented disposition for every alert
• PTR-specific detection for cash and wire transactions at and around the NZD 10,000 and NZD 1,000 thresholds
• SAR workflow with a three-working-day filing deadline built into case management
• Annual programme review with board sign-off documentation
• Section 59 audit preparation: calibration review, rule effectiveness documentation, and remediation of any open findings before the audit cycle closes

For institutions evaluating whether their current monitoring system can support these requirements across New Zealand and other APAC markets, see our Transaction Monitoring Software Buyer's Guide.

In April 2026, a Thai court sentenced the son of a former senator to more than 130 years in prison in connection with a major online gambling and money laundering operation that authorities say moved billions of baht through an extensive criminal network.

At the centre of the case was not merely illegal gambling activity, but a sophisticated financial ecosystem allegedly built to process, distribute, and disguise illicit proceeds at scale.

Authorities said the operation involved online betting platforms, nominee accounts, layered fund transfers, and interconnected financial flows designed to move gambling proceeds through the financial system while obscuring the origin of funds.

For banks, fintechs, payment providers, and compliance teams, this is far more than a gambling enforcement story.

It is another example of how organised financial crime increasingly operates through structured digital ecosystems that combine:

• illicit platforms,
• mule-account networks,
• layered payments,
• and coordinated laundering infrastructure.

And increasingly, these operations are beginning to resemble legitimate digital businesses in both scale and operational sophistication.

Inside Thailand’s Alleged Online Gambling Network

According to Thai authorities, the investigation centred around an online gambling syndicate accused of operating illegal betting platforms and laundering significant volumes of illicit proceeds through interconnected financial channels.

Reports linked to the case suggest the network allegedly relied on:

• multiple bank accounts,
• nominee structures,
• rapid movement of funds,
• and layered transaction activity designed to complicate tracing efforts.

That structure matters.

Modern online gambling networks no longer function as isolated betting operations.

Instead, many operate as financially engineered ecosystems where:

• payment collection,
• account rotation,
• fund layering,
• customer acquisition,
• and laundering mechanisms
  are all tightly coordinated.

The gambling platform itself often becomes only the front-facing layer of a much larger financial infrastructure.

Why Online Gambling Remains a Major AML Risk

Online gambling presents a unique challenge for financial institutions because the underlying financial activity can initially appear commercially legitimate.

High transaction volumes, rapid fund movement, and frequent customer transfers are often normal within betting environments.

That creates operational complexity for AML and fraud teams attempting to distinguish:

• legitimate gaming behaviour,
• from structured laundering activity.

Criminal networks exploit this ambiguity.

Funds can be:

• deposited,
• redistributed across multiple accounts,
• cycled through betting activity,
• withdrawn,
• and transferred again across payment rails
  within relatively short periods of time.

This creates an ideal environment for:

• layering,
• transaction fragmentation,
• and obscuring beneficial ownership.

And increasingly, digital payment ecosystems allow this movement to happen at scale.

The Role of Mule Accounts and Nominee Structures

No large-scale online gambling operation can effectively move illicit proceeds without access to account infrastructure.

The Thailand case highlights the critical role of:

• mule accounts,
• nominee account holders,
• and intermediary payment channels.

Authorities allege the network used multiple accounts to receive and redistribute gambling proceeds, helping distance the organisers from the underlying transactions.

These accounts may belong to:

• recruited individuals,
• account renters,
• synthetic identities,
• or nominees acting on behalf of criminal operators.

Their role is operationally simple but strategically important:
receive funds, move them rapidly, and reduce visibility into the true controllers behind the network.

For financial institutions, this creates a major detection challenge because individual transactions may appear ordinary when viewed in isolation.

But collectively, the patterns may indicate coordinated laundering behaviour.

The Industrialisation of Gambling-Linked Financial Crime

One of the most important lessons from this case is that organised online gambling is becoming increasingly industrialised.

This is no longer simply a matter of illegal betting websites collecting wagers.

Modern gambling-linked financial crime networks increasingly resemble structured digital enterprises with:

• payment workflows,
• operational hierarchies,
• customer acquisition systems,
• layered account ecosystems,
• and dedicated laundering mechanisms.

That evolution changes the scale of risk.

Instead of isolated illicit transactions, financial institutions are now confronting criminal systems capable of processing large volumes of funds through interconnected digital channels.

And because many of these flows occur through legitimate banking infrastructure, detection becomes significantly more difficult.

Why Traditional Detection Models Struggle

One of the biggest operational problems in gambling-linked laundering is that many suspicious activities closely resemble normal transactional behaviour.

For example:

• rapid deposits and withdrawals,
• frequent transfers between accounts,
• high transaction velocity,
• and fragmented payments
  may all occur legitimately within digital gaming environments.

This creates substantial noise for compliance teams.

Traditional rules-based monitoring systems often struggle because:

• thresholds may not be breached,
• transaction values may appear routine,
• and individual accounts may initially show limited risk indicators.

The suspicious behaviour often becomes visible only when viewed collectively across:

• multiple accounts,
• devices,
• counterparties,
• transaction patterns,
• and behavioural relationships.

Increasingly, organised financial crime detection is becoming less about isolated alerts and more about understanding networks.

The Convergence of Gambling, Fraud, and Money Laundering

The Thailand case also reinforces a broader regional trend:
the convergence of multiple financial crime categories within the same ecosystem.

Online gambling networks today may overlap with:

• mule-account recruitment,
• cyber-enabled scams,
• organised fraud,
• illicit payment processing,
• and cross-border laundering activity.

This convergence matters because criminal organisations rarely specialise narrowly anymore.

The same infrastructure used to process gambling proceeds may also support:

• scam-related fund movement,
• account abuse,
• identity fraud,
• or broader organised criminal activity.

For financial institutions, separating these risks into isolated categories can create dangerous blind spots.

The financial flows are increasingly interconnected.

Detection strategies must evolve accordingly.

What Financial Institutions Should Monitor

Cases like this highlight several important behavioural and transactional indicators institutions should monitor more closely.

Rapid pass-through activity

Accounts receiving and quickly redistributing funds across multiple beneficiaries.

Clusters of interconnected accounts

Multiple accounts sharing behavioural similarities, counterparties, devices, or transaction structures.

High-volume low-value transfers

Repeated fragmented payments designed to avoid scrutiny while moving significant aggregate value.

Frequent account rotation

Beneficiary accounts changing rapidly within short timeframes.

Unusual payment velocity

Transaction behaviour inconsistent with expected customer profiles.

Links between gambling-related transactions and broader suspicious activity

Connections between betting-related flows and potential scam, fraud, or mule-account indicators.

Individually, these signals may appear weak.

Together, they can reveal coordinated laundering ecosystems.

Why Financial Institutions Need More Connected Intelligence

The Thailand gambling case highlights why static AML controls are increasingly insufficient against organised digital financial crime.

Modern criminal ecosystems evolve quickly:

• payment channels change,
• laundering routes shift,
• mule structures rotate,
• and digital platforms adapt constantly.

This creates operational pressure on institutions still relying heavily on:

• isolated transaction monitoring,
• static rules,
• manual investigations,
• and fragmented fraud-AML workflows.

What institutions increasingly need is:

• behavioural intelligence,
• network visibility,
• typology-driven monitoring,
• and the ability to connect signals across fraud and AML environments simultaneously.

That is especially important in gambling-linked laundering because the suspicious behaviour often emerges gradually through relationships and coordinated movement rather than single anomalous transactions.

How Technology Can Help Detect Organised Gambling Networks

Advanced AML and fraud platforms are becoming increasingly important in identifying complex laundering ecosystems linked to online gambling.

Modern detection approaches combine:

• behavioural analytics,
• network intelligence,
• entity resolution,
• and typology-driven detection models
  to uncover hidden relationships within financial activity.

Platforms such as Tookitaki’s FinCense help institutions move beyond isolated transaction monitoring by combining:

• AML and fraud convergence,
• behavioural monitoring,
• collaborative intelligence through the AFC Ecosystem,
• and network-based detection approaches.

In scenarios involving gambling-linked laundering, this allows institutions to identify:

• mule-account behaviour,
• suspicious account clusters,
• layered payment structures,
• and coordinated fund movement patterns
  earlier and with greater operational context.

That visibility becomes critical when criminal ecosystems are specifically designed to appear operationally normal on the surface.

How Tookitaki Helps Institutions Detect Gambling-Linked Laundering Networks

Cases like the Thailand gambling investigation demonstrate why financial institutions increasingly need a more connected and intelligence-driven approach to financial crime detection.

Traditional monitoring systems are often designed to review transactions in isolation. But organised gambling-linked laundering networks operate across:

• multiple accounts,
• payment rails,
• beneficiary relationships,
• mule structures,
• and layered transaction ecosystems simultaneously.

This makes fragmented detection increasingly ineffective.

Tookitaki’s FinCense platform helps financial institutions strengthen detection capabilities by combining:

• AML and fraud convergence,
• behavioural intelligence,
• network-based risk detection,
• and collaborative typology insights through the AFC Ecosystem.

In gambling-linked laundering scenarios, this allows institutions to identify:

• suspicious account clusters,
• rapid pass-through activity,
• mule-account behaviour,
• layered payment movement,
• and hidden relationships across customers and counterparties
  more effectively and earlier in the risk lifecycle.

The AFC Ecosystem further strengthens this approach by enabling institutions to leverage continuously evolving typologies and real-world financial crime intelligence contributed by compliance and AML experts globally.

As organised financial crime becomes more interconnected and operationally sophisticated, institutions increasingly need detection systems capable of understanding not just transactions, but the broader ecosystems operating behind them.

The Bigger Picture: Online Gambling as Financial Infrastructure Abuse

The Thailand case reflects a broader regional and global shift in how organised crime uses digital infrastructure.

Online gambling platforms are increasingly functioning not merely as illicit entertainment channels, but as financial movement ecosystems capable of:

• processing large transaction volumes,
• redistributing illicit funds,
• and integrating criminal proceeds into the legitimate economy.

That distinction matters.

Because the challenge for financial institutions is no longer simply identifying illegal gambling transactions.

It is understanding how legitimate financial systems can be systematically exploited to support broader criminal operations.

And increasingly, those operations are designed to blend into normal digital financial activity.

Final Thoughts

The massive online gambling and money laundering case uncovered in Thailand offers another clear reminder that organised financial crime is becoming more digital, more structured, and more operationally sophisticated.

What appears outwardly as illegal betting activity may actually involve:

• coordinated laundering infrastructure,
• mule-account ecosystems,
• layered financial movement,
• nominee structures,
• and highly organised criminal coordination operating behind the scenes.

For financial institutions, this creates a difficult but increasingly important challenge.

The future of financial crime prevention will depend less on identifying isolated suspicious transactions and more on understanding hidden financial relationships, behavioural coordination, and evolving laundering typologies across interconnected payment ecosystems.

Because increasingly, organised financial crime does not look chaotic.

It looks operationally efficient.

Most CDD failures that auditors find are not in the trigger decision. Compliance teams generally know when to apply enhanced due diligence. The problem is what happens next: the review gets done, the account stays open, and three years later an examiner opens the file and finds a risk assessment with no source-of-wealth narrative, a senior management approval that amounts to a single line in an email chain, and no evidence that monitoring was ever adjusted upward.

A poorly documented EDD review is treated by supervisors the same as no EDD at all. That is the uncomfortable reality driving examination findings across MAS, BNM, BSP, and AUSTRAC-regulated institutions right now.

This guide is not a glossary. It is a working reference for compliance professionals at banks, fintechs, and payment institutions across APAC who need to understand what CDD and EDD require, how the three tiers operate under each major regulator, and what examiners actually look at when they review a customer file.

What Is Customer Due Diligence (CDD)?

Under the FATF Recommendations, customer due diligence is the process of identifying and verifying a customer's identity, understanding the purpose and nature of the business relationship, and conducting ongoing monitoring of that relationship and the transactions flowing through it.

CDD is the core of the KYC process. It sits at the foundation of every AML/CFT programme and applies from the moment a customer relationship is established.

FATF Recommendations 10 through 12 set out four core CDD elements:

1. Customer identification and verification — collect identifying information and verify it against reliable, independent source documents
2. Beneficial ownership identification and verification — identify the natural persons who ultimately own or control a legal entity, and verify their identities
3. Understanding the purpose and intended nature of the business relationship — establish why the customer wants an account, what they intend to do with it, and what transaction volumes to expect
4. Ongoing monitoring — continuously review the customer relationship, monitor transactions against the customer's profile, and keep CDD records current

The fourth element is where most programmes are weakest. Institutions invest heavily in onboarding controls and then treat the relationship as static. Customers' risk profiles change. Beneficial ownership structures change. Transaction behaviour changes. A customer who was low-risk at onboarding may not remain low-risk at year three — and the programme has to be capable of detecting and responding to that shift.

Three Tiers of CDD: Simplified, Standard, and Enhanced

Simplified Due Diligence (SDD)

Simplified CDD applies where the risk of money laundering or terrorism financing is demonstrably low. FATF allows reduced identification requirements and less frequent monitoring — but it does not eliminate CDD obligations entirely.

Across APAC, SDD is generally permissible for:

• Government entities and state-owned enterprises
• Companies listed on recognised stock exchanges in low-risk jurisdictions
• Certain low-value financial products, such as basic deposit accounts below a specified threshold

The key word is demonstrably. SDD is a documented, risk-based decision. Using it as a default to reduce onboarding friction — without a written risk rationale — is a compliance failure, not an efficiency gain. Examiners will ask for the rationale and they will expect to find it in the file.

Standard CDD

Standard CDD is the default tier. It applies to all customers who do not qualify for SDD and do not trigger EDD.

For individual customers, standard CDD requires:

• Government-issued photo identification
• Proof of address — or an equivalent verification method where physical documents are not available (see the guide to eKYC as a CDD method under BNM's guidelines
• A record of the purpose and expected nature of the account

For legal entity customers, standard CDD requires:

• Certificate of incorporation
• Memorandum and articles of association
• Register of directors
• Beneficial ownership identification — who owns 25% or more of the entity, or who exercises effective control
• Business description and expected transaction patterns

The purpose-of-account requirement is often under-documented. "General business transactions" is not sufficient. The record should capture the customer's stated business activity, the expected transaction types, the anticipated value range, and the source of the initial deposit for corporate accounts.

Enhanced Due Diligence (EDD)

EDD is not optional when it is triggered. It applies to customers with higher-risk characteristics and requires:

• Source of funds verification — where did the money come from for this specific transaction or deposit?
• Source of wealth verification — how did the customer accumulate their overall wealth?
• Senior management or board approval before establishing or continuing the relationship
• Enhanced ongoing monitoring — higher alert sensitivity and more frequent periodic reviews

FATF Recommendation 12 specifies EDD for politically exposed persons. Individual APAC regulators have extended these requirements to cover additional high-risk categories (see the comparative table below).

EDD is a process of investigation, not a checklist. Collecting a salary slip and noting "source of funds: employment income" does not constitute adequate source-of-wealth documentation for a PEP with an account balance of SGD 4 million. The quality of the investigation is what an examiner assesses.

EDD Triggers — When Standard CDD Is Not Enough

The following characteristics trigger EDD requirements across APAC jurisdictions:

PEP status. Any customer identified as a politically exposed person — or a known close relative or close associate of a PEP — triggers mandatory EDD. See our PEP screening guide for the full classification framework, including how "close associate" is defined across different regimes.

High-risk jurisdiction. Customers resident in, or transacting with, jurisdictions on the FATF grey or black lists trigger EDD. The FATF list currently includes Iran, North Korea, and Myanmar. APAC regulators may apply additional country designations based on their own risk assessments.

Complex ownership structure. Beneficial ownership held through multiple layers of legal entities, trusts, or nominee arrangements — particularly in offshore jurisdictions — triggers EDD. The structural complexity itself is a risk indicator, not just the underlying beneficial owner's profile.

High-value transaction inconsistent with profile. A transaction materially inconsistent with the customer's stated purpose, income level, or established transaction history triggers a review. Whether that review rises to EDD depends on what the initial investigation reveals.

Monitoring alerts that cannot be resolved at standard investigation. An alert that the transaction monitoring team cannot close through normal investigation escalates to EDD review. The two processes are connected: transaction monitoring is the mechanism by which ongoing CDD obligations are operationalised. When a customer's transaction behaviour diverges from their risk profile, the CDD record must be updated.

Correspondent banking. Under FATF Recommendation 13, correspondent banking relationships always require EDD. Before establishing a correspondent relationship, the respondent institution's AML/CFT programme must be assessed, the nature of the relationship must be documented, and senior management approval must be obtained.

APAC Regulatory Requirements — Comparative Overview

The following table summarises how the major APAC regulators implement the FATF CDD framework. The instruments and specific requirements differ, but the underlying obligations are consistent.

MAS Notice 626 is the most prescriptive of these instruments on the question of PEP approval — it requires that a senior officer approves the establishment or continuation of a PEP relationship, not just that the relationship is flagged. BSP's Circular 706 requires approval at board or senior management level for all high-risk customers, which is broader than the PEP-specific requirement in some other jurisdictions.

Beneficial Ownership — The Hardest Part of CDD in Practice

FATF Recommendation 10 requires identifying the ultimate beneficial owner (UBO) — the natural person or persons who ultimately own or control a legal entity. The standard FATF threshold is 25% ownership or effective control.

APAC regulators apply variations: BNM and MAS both use 25%. BSP applies 20% for certain entity types. Effective control — the ability to direct the decisions of a legal entity regardless of ownership percentage — applies across all jurisdictions regardless of the threshold.

UBO verification is the most common CDD gap in APAC examination findings. The reasons are practical: complex layered ownership structures, nominee shareholding arrangements, and trusts without publicly accessible beneficiary registers make verification genuinely difficult.

The practical approach is to collect the full ownership chain — every layer, every entity, until you reach the natural person at the top. If a structure is genuinely opaque after reasonable investigation, that opacity is itself a risk indicator requiring EDD, not a reason to proceed with the account on the basis of what the customer has disclosed. An examiner will ask whether the institution made reasonable efforts to verify, and what happened when verification was incomplete.

Ongoing CDD — What "Continuous" Means in Practice

FATF's requirement for ongoing monitoring is not satisfied by periodic review alone. It has two components: scheduled reviews and event-based triggers.

Periodic reviews vary by risk tier. Most APAC regulators expect high-risk customers to be reviewed at least annually. Standard-risk customers are typically reviewed every two to three years, though the specific interval should be documented in the institution's risk appetite and CDD policy.

Event-based triggers require a review regardless of the scheduled cycle. These include:

• A transaction monitoring alert linked to the customer
• Adverse media coverage naming the customer
• A change in the customer's beneficial ownership
• A material change in transaction patterns
• A change in the customer's business activity or geographic footprint

Re-KYC is required when a periodic review or event trigger shows that existing CDD documentation is insufficient, outdated, or no longer accurate. The institution must re-verify the customer's identity and update the CDD record.

Every review must be documented. An examiner looking at a three-year-old account should be able to open the file, find the review dates, see what was assessed at each review, and understand what was found. A review that happened but was not recorded is indistinguishable from a review that did not happen.

What Examiners Actually Check

Documentation requirements differ by customer type, but the principle is the same across all of them: the file must tell a coherent story about who the customer is, what they do, and why the institution assessed them at the risk tier they sit in.

Individual customer files should contain:

• The original ID document reference or eKYC session record, including the verification method and date
• Address verification
• A purpose-of-account statement, not a generic field entry
• Any review dates and what the review assessed

Corporate customer files should contain:

• A complete corporate structure chart reaching the UBO
• UBO identification with the verification source documented
• Business purpose documentation that goes beyond the registered company description
• Expected transaction volume and product usage at account opening

EDD customer files should contain:

• Source of funds evidence — bank statement, salary slip, property sale contract, or equivalent
• Source of wealth narrative — not just an assertion that wealth came from "business activities," but a documented account of how
• The senior management or board approval record, with the date and the approver named
• Confirmation that enhanced monitoring has been configured and is active

The audit trail requirement covers every step: each CDD review, each document update, each approval decision. Everything should be timestamped and linked to the customer record. When examiners trace an alert back to the customer file, they expect to find a complete picture of the relationship, not a collection of disconnected documents.

How Technology Supports CDD

A modern CDD and KYC platform automates document collection, verification — including remote eKYC — UBO mapping, risk scoring, and the ongoing monitoring review cycle. The automation does not reduce the compliance obligation; it reduces the operational cost of meeting it and produces the audit trail that manual processes frequently fail to generate.

The critical integration point is between CDD and transaction monitoring. When a customer's monitoring profile changes — new alert patterns, unusual activity, a shift in counterparty geography — that signal should trigger a CDD review. In institutions where these systems operate independently, the connection rarely happens in a timely or documented way. For a full framework covering how to evaluate software that handles both CDD and transaction monitoring together, see our Transaction Monitoring Software Buyer's Guide.

Book a demo to see how FinCense manages CDD, customer risk scoring, and ongoing monitoring in a single integrated platform — with a full audit trail that meets examiner expectations across MAS, BNM, BSP, and AUSTRAC-regulated environments.