In April 2026, a Thai court sentenced the son of a former senator to more than 130 years in prison in connection with a major online gambling and money laundering operation that authorities say moved billions of baht through an extensive criminal network.

At the centre of the case was not merely illegal gambling activity, but a sophisticated financial ecosystem allegedly built to process, distribute, and disguise illicit proceeds at scale.

Authorities said the operation involved online betting platforms, nominee accounts, layered fund transfers, and interconnected financial flows designed to move gambling proceeds through the financial system while obscuring the origin of funds.

For banks, fintechs, payment providers, and compliance teams, this is far more than a gambling enforcement story.

It is another example of how organised financial crime increasingly operates through structured digital ecosystems that combine:

• illicit platforms,
• mule-account networks,
• layered payments,
• and coordinated laundering infrastructure.

And increasingly, these operations are beginning to resemble legitimate digital businesses in both scale and operational sophistication.

Inside Thailand’s Alleged Online Gambling Network

According to Thai authorities, the investigation centred around an online gambling syndicate accused of operating illegal betting platforms and laundering significant volumes of illicit proceeds through interconnected financial channels.

Reports linked to the case suggest the network allegedly relied on:

• multiple bank accounts,
• nominee structures,
• rapid movement of funds,
• and layered transaction activity designed to complicate tracing efforts.

That structure matters.

Modern online gambling networks no longer function as isolated betting operations.

Instead, many operate as financially engineered ecosystems where:

• payment collection,
• account rotation,
• fund layering,
• customer acquisition,
• and laundering mechanisms
  are all tightly coordinated.

The gambling platform itself often becomes only the front-facing layer of a much larger financial infrastructure.

Why Online Gambling Remains a Major AML Risk

Online gambling presents a unique challenge for financial institutions because the underlying financial activity can initially appear commercially legitimate.

High transaction volumes, rapid fund movement, and frequent customer transfers are often normal within betting environments.

That creates operational complexity for AML and fraud teams attempting to distinguish:

• legitimate gaming behaviour,
• from structured laundering activity.

Criminal networks exploit this ambiguity.

Funds can be:

• deposited,
• redistributed across multiple accounts,
• cycled through betting activity,
• withdrawn,
• and transferred again across payment rails
  within relatively short periods of time.

This creates an ideal environment for:

• layering,
• transaction fragmentation,
• and obscuring beneficial ownership.

And increasingly, digital payment ecosystems allow this movement to happen at scale.

The Role of Mule Accounts and Nominee Structures

No large-scale online gambling operation can effectively move illicit proceeds without access to account infrastructure.

The Thailand case highlights the critical role of:

• mule accounts,
• nominee account holders,
• and intermediary payment channels.

Authorities allege the network used multiple accounts to receive and redistribute gambling proceeds, helping distance the organisers from the underlying transactions.

These accounts may belong to:

• recruited individuals,
• account renters,
• synthetic identities,
• or nominees acting on behalf of criminal operators.

Their role is operationally simple but strategically important:
receive funds, move them rapidly, and reduce visibility into the true controllers behind the network.

For financial institutions, this creates a major detection challenge because individual transactions may appear ordinary when viewed in isolation.

But collectively, the patterns may indicate coordinated laundering behaviour.

The Industrialisation of Gambling-Linked Financial Crime

One of the most important lessons from this case is that organised online gambling is becoming increasingly industrialised.

This is no longer simply a matter of illegal betting websites collecting wagers.

Modern gambling-linked financial crime networks increasingly resemble structured digital enterprises with:

• payment workflows,
• operational hierarchies,
• customer acquisition systems,
• layered account ecosystems,
• and dedicated laundering mechanisms.

That evolution changes the scale of risk.

Instead of isolated illicit transactions, financial institutions are now confronting criminal systems capable of processing large volumes of funds through interconnected digital channels.

And because many of these flows occur through legitimate banking infrastructure, detection becomes significantly more difficult.

Why Traditional Detection Models Struggle

One of the biggest operational problems in gambling-linked laundering is that many suspicious activities closely resemble normal transactional behaviour.

For example:

• rapid deposits and withdrawals,
• frequent transfers between accounts,
• high transaction velocity,
• and fragmented payments
  may all occur legitimately within digital gaming environments.

This creates substantial noise for compliance teams.

Traditional rules-based monitoring systems often struggle because:

• thresholds may not be breached,
• transaction values may appear routine,
• and individual accounts may initially show limited risk indicators.

The suspicious behaviour often becomes visible only when viewed collectively across:

• multiple accounts,
• devices,
• counterparties,
• transaction patterns,
• and behavioural relationships.

Increasingly, organised financial crime detection is becoming less about isolated alerts and more about understanding networks.

The Convergence of Gambling, Fraud, and Money Laundering

The Thailand case also reinforces a broader regional trend:
the convergence of multiple financial crime categories within the same ecosystem.

Online gambling networks today may overlap with:

• mule-account recruitment,
• cyber-enabled scams,
• organised fraud,
• illicit payment processing,
• and cross-border laundering activity.

This convergence matters because criminal organisations rarely specialise narrowly anymore.

The same infrastructure used to process gambling proceeds may also support:

• scam-related fund movement,
• account abuse,
• identity fraud,
• or broader organised criminal activity.

For financial institutions, separating these risks into isolated categories can create dangerous blind spots.

The financial flows are increasingly interconnected.

Detection strategies must evolve accordingly.

What Financial Institutions Should Monitor

Cases like this highlight several important behavioural and transactional indicators institutions should monitor more closely.

Rapid pass-through activity

Accounts receiving and quickly redistributing funds across multiple beneficiaries.

Clusters of interconnected accounts

Multiple accounts sharing behavioural similarities, counterparties, devices, or transaction structures.

High-volume low-value transfers

Repeated fragmented payments designed to avoid scrutiny while moving significant aggregate value.

Frequent account rotation

Beneficiary accounts changing rapidly within short timeframes.

Unusual payment velocity

Transaction behaviour inconsistent with expected customer profiles.

Links between gambling-related transactions and broader suspicious activity

Connections between betting-related flows and potential scam, fraud, or mule-account indicators.

Individually, these signals may appear weak.

Together, they can reveal coordinated laundering ecosystems.

Why Financial Institutions Need More Connected Intelligence

The Thailand gambling case highlights why static AML controls are increasingly insufficient against organised digital financial crime.

Modern criminal ecosystems evolve quickly:

• payment channels change,
• laundering routes shift,
• mule structures rotate,
• and digital platforms adapt constantly.

This creates operational pressure on institutions still relying heavily on:

• isolated transaction monitoring,
• static rules,
• manual investigations,
• and fragmented fraud-AML workflows.

What institutions increasingly need is:

• behavioural intelligence,
• network visibility,
• typology-driven monitoring,
• and the ability to connect signals across fraud and AML environments simultaneously.

That is especially important in gambling-linked laundering because the suspicious behaviour often emerges gradually through relationships and coordinated movement rather than single anomalous transactions.

How Technology Can Help Detect Organised Gambling Networks

Advanced AML and fraud platforms are becoming increasingly important in identifying complex laundering ecosystems linked to online gambling.

Modern detection approaches combine:

• behavioural analytics,
• network intelligence,
• entity resolution,
• and typology-driven detection models
  to uncover hidden relationships within financial activity.

Platforms such as Tookitaki’s FinCense help institutions move beyond isolated transaction monitoring by combining:

• AML and fraud convergence,
• behavioural monitoring,
• collaborative intelligence through the AFC Ecosystem,
• and network-based detection approaches.

In scenarios involving gambling-linked laundering, this allows institutions to identify:

• mule-account behaviour,
• suspicious account clusters,
• layered payment structures,
• and coordinated fund movement patterns
  earlier and with greater operational context.

That visibility becomes critical when criminal ecosystems are specifically designed to appear operationally normal on the surface.

How Tookitaki Helps Institutions Detect Gambling-Linked Laundering Networks

Cases like the Thailand gambling investigation demonstrate why financial institutions increasingly need a more connected and intelligence-driven approach to financial crime detection.

Traditional monitoring systems are often designed to review transactions in isolation. But organised gambling-linked laundering networks operate across:

• multiple accounts,
• payment rails,
• beneficiary relationships,
• mule structures,
• and layered transaction ecosystems simultaneously.

This makes fragmented detection increasingly ineffective.

Tookitaki’s FinCense platform helps financial institutions strengthen detection capabilities by combining:

• AML and fraud convergence,
• behavioural intelligence,
• network-based risk detection,
• and collaborative typology insights through the AFC Ecosystem.

In gambling-linked laundering scenarios, this allows institutions to identify:

• suspicious account clusters,
• rapid pass-through activity,
• mule-account behaviour,
• layered payment movement,
• and hidden relationships across customers and counterparties
  more effectively and earlier in the risk lifecycle.

The AFC Ecosystem further strengthens this approach by enabling institutions to leverage continuously evolving typologies and real-world financial crime intelligence contributed by compliance and AML experts globally.

As organised financial crime becomes more interconnected and operationally sophisticated, institutions increasingly need detection systems capable of understanding not just transactions, but the broader ecosystems operating behind them.

The Bigger Picture: Online Gambling as Financial Infrastructure Abuse

The Thailand case reflects a broader regional and global shift in how organised crime uses digital infrastructure.

Online gambling platforms are increasingly functioning not merely as illicit entertainment channels, but as financial movement ecosystems capable of:

• processing large transaction volumes,
• redistributing illicit funds,
• and integrating criminal proceeds into the legitimate economy.

That distinction matters.

Because the challenge for financial institutions is no longer simply identifying illegal gambling transactions.

It is understanding how legitimate financial systems can be systematically exploited to support broader criminal operations.

And increasingly, those operations are designed to blend into normal digital financial activity.

Final Thoughts

The massive online gambling and money laundering case uncovered in Thailand offers another clear reminder that organised financial crime is becoming more digital, more structured, and more operationally sophisticated.

What appears outwardly as illegal betting activity may actually involve:

• coordinated laundering infrastructure,
• mule-account ecosystems,
• layered financial movement,
• nominee structures,
• and highly organised criminal coordination operating behind the scenes.

For financial institutions, this creates a difficult but increasingly important challenge.

The future of financial crime prevention will depend less on identifying isolated suspicious transactions and more on understanding hidden financial relationships, behavioural coordination, and evolving laundering typologies across interconnected payment ecosystems.

Because increasingly, organised financial crime does not look chaotic.

It looks operationally efficient.

Most CDD failures that auditors find are not in the trigger decision. Compliance teams generally know when to apply enhanced due diligence. The problem is what happens next: the review gets done, the account stays open, and three years later an examiner opens the file and finds a risk assessment with no source-of-wealth narrative, a senior management approval that amounts to a single line in an email chain, and no evidence that monitoring was ever adjusted upward.

A poorly documented EDD review is treated by supervisors the same as no EDD at all. That is the uncomfortable reality driving examination findings across MAS, BNM, BSP, and AUSTRAC-regulated institutions right now.

This guide is not a glossary. It is a working reference for compliance professionals at banks, fintechs, and payment institutions across APAC who need to understand what CDD and EDD require, how the three tiers operate under each major regulator, and what examiners actually look at when they review a customer file.

What Is Customer Due Diligence (CDD)?

Under the FATF Recommendations, customer due diligence is the process of identifying and verifying a customer's identity, understanding the purpose and nature of the business relationship, and conducting ongoing monitoring of that relationship and the transactions flowing through it.

CDD is the core of the KYC process. It sits at the foundation of every AML/CFT programme and applies from the moment a customer relationship is established.

FATF Recommendations 10 through 12 set out four core CDD elements:

1. Customer identification and verification — collect identifying information and verify it against reliable, independent source documents
2. Beneficial ownership identification and verification — identify the natural persons who ultimately own or control a legal entity, and verify their identities
3. Understanding the purpose and intended nature of the business relationship — establish why the customer wants an account, what they intend to do with it, and what transaction volumes to expect
4. Ongoing monitoring — continuously review the customer relationship, monitor transactions against the customer's profile, and keep CDD records current

The fourth element is where most programmes are weakest. Institutions invest heavily in onboarding controls and then treat the relationship as static. Customers' risk profiles change. Beneficial ownership structures change. Transaction behaviour changes. A customer who was low-risk at onboarding may not remain low-risk at year three — and the programme has to be capable of detecting and responding to that shift.

Three Tiers of CDD: Simplified, Standard, and Enhanced

Simplified Due Diligence (SDD)

Simplified CDD applies where the risk of money laundering or terrorism financing is demonstrably low. FATF allows reduced identification requirements and less frequent monitoring — but it does not eliminate CDD obligations entirely.

Across APAC, SDD is generally permissible for:

• Government entities and state-owned enterprises
• Companies listed on recognised stock exchanges in low-risk jurisdictions
• Certain low-value financial products, such as basic deposit accounts below a specified threshold

The key word is demonstrably. SDD is a documented, risk-based decision. Using it as a default to reduce onboarding friction — without a written risk rationale — is a compliance failure, not an efficiency gain. Examiners will ask for the rationale and they will expect to find it in the file.

Standard CDD

Standard CDD is the default tier. It applies to all customers who do not qualify for SDD and do not trigger EDD.

For individual customers, standard CDD requires:

• Government-issued photo identification
• Proof of address — or an equivalent verification method where physical documents are not available (see the guide to eKYC as a CDD method under BNM's guidelines
• A record of the purpose and expected nature of the account

For legal entity customers, standard CDD requires:

• Certificate of incorporation
• Memorandum and articles of association
• Register of directors
• Beneficial ownership identification — who owns 25% or more of the entity, or who exercises effective control
• Business description and expected transaction patterns

The purpose-of-account requirement is often under-documented. "General business transactions" is not sufficient. The record should capture the customer's stated business activity, the expected transaction types, the anticipated value range, and the source of the initial deposit for corporate accounts.

Enhanced Due Diligence (EDD)

EDD is not optional when it is triggered. It applies to customers with higher-risk characteristics and requires:

• Source of funds verification — where did the money come from for this specific transaction or deposit?
• Source of wealth verification — how did the customer accumulate their overall wealth?
• Senior management or board approval before establishing or continuing the relationship
• Enhanced ongoing monitoring — higher alert sensitivity and more frequent periodic reviews

FATF Recommendation 12 specifies EDD for politically exposed persons. Individual APAC regulators have extended these requirements to cover additional high-risk categories (see the comparative table below).

EDD is a process of investigation, not a checklist. Collecting a salary slip and noting "source of funds: employment income" does not constitute adequate source-of-wealth documentation for a PEP with an account balance of SGD 4 million. The quality of the investigation is what an examiner assesses.

EDD Triggers — When Standard CDD Is Not Enough

The following characteristics trigger EDD requirements across APAC jurisdictions:

PEP status. Any customer identified as a politically exposed person — or a known close relative or close associate of a PEP — triggers mandatory EDD. See our PEP screening guide for the full classification framework, including how "close associate" is defined across different regimes.

High-risk jurisdiction. Customers resident in, or transacting with, jurisdictions on the FATF grey or black lists trigger EDD. The FATF list currently includes Iran, North Korea, and Myanmar. APAC regulators may apply additional country designations based on their own risk assessments.

Complex ownership structure. Beneficial ownership held through multiple layers of legal entities, trusts, or nominee arrangements — particularly in offshore jurisdictions — triggers EDD. The structural complexity itself is a risk indicator, not just the underlying beneficial owner's profile.

High-value transaction inconsistent with profile. A transaction materially inconsistent with the customer's stated purpose, income level, or established transaction history triggers a review. Whether that review rises to EDD depends on what the initial investigation reveals.

Monitoring alerts that cannot be resolved at standard investigation. An alert that the transaction monitoring team cannot close through normal investigation escalates to EDD review. The two processes are connected: transaction monitoring is the mechanism by which ongoing CDD obligations are operationalised. When a customer's transaction behaviour diverges from their risk profile, the CDD record must be updated.

Correspondent banking. Under FATF Recommendation 13, correspondent banking relationships always require EDD. Before establishing a correspondent relationship, the respondent institution's AML/CFT programme must be assessed, the nature of the relationship must be documented, and senior management approval must be obtained.

APAC Regulatory Requirements — Comparative Overview

The following table summarises how the major APAC regulators implement the FATF CDD framework. The instruments and specific requirements differ, but the underlying obligations are consistent.

MAS Notice 626 is the most prescriptive of these instruments on the question of PEP approval — it requires that a senior officer approves the establishment or continuation of a PEP relationship, not just that the relationship is flagged. BSP's Circular 706 requires approval at board or senior management level for all high-risk customers, which is broader than the PEP-specific requirement in some other jurisdictions.

Beneficial Ownership — The Hardest Part of CDD in Practice

FATF Recommendation 10 requires identifying the ultimate beneficial owner (UBO) — the natural person or persons who ultimately own or control a legal entity. The standard FATF threshold is 25% ownership or effective control.

APAC regulators apply variations: BNM and MAS both use 25%. BSP applies 20% for certain entity types. Effective control — the ability to direct the decisions of a legal entity regardless of ownership percentage — applies across all jurisdictions regardless of the threshold.

UBO verification is the most common CDD gap in APAC examination findings. The reasons are practical: complex layered ownership structures, nominee shareholding arrangements, and trusts without publicly accessible beneficiary registers make verification genuinely difficult.

The practical approach is to collect the full ownership chain — every layer, every entity, until you reach the natural person at the top. If a structure is genuinely opaque after reasonable investigation, that opacity is itself a risk indicator requiring EDD, not a reason to proceed with the account on the basis of what the customer has disclosed. An examiner will ask whether the institution made reasonable efforts to verify, and what happened when verification was incomplete.

Ongoing CDD — What "Continuous" Means in Practice

FATF's requirement for ongoing monitoring is not satisfied by periodic review alone. It has two components: scheduled reviews and event-based triggers.

Periodic reviews vary by risk tier. Most APAC regulators expect high-risk customers to be reviewed at least annually. Standard-risk customers are typically reviewed every two to three years, though the specific interval should be documented in the institution's risk appetite and CDD policy.

Event-based triggers require a review regardless of the scheduled cycle. These include:

• A transaction monitoring alert linked to the customer
• Adverse media coverage naming the customer
• A change in the customer's beneficial ownership
• A material change in transaction patterns
• A change in the customer's business activity or geographic footprint

Re-KYC is required when a periodic review or event trigger shows that existing CDD documentation is insufficient, outdated, or no longer accurate. The institution must re-verify the customer's identity and update the CDD record.

Every review must be documented. An examiner looking at a three-year-old account should be able to open the file, find the review dates, see what was assessed at each review, and understand what was found. A review that happened but was not recorded is indistinguishable from a review that did not happen.

What Examiners Actually Check

Documentation requirements differ by customer type, but the principle is the same across all of them: the file must tell a coherent story about who the customer is, what they do, and why the institution assessed them at the risk tier they sit in.

Individual customer files should contain:

• The original ID document reference or eKYC session record, including the verification method and date
• Address verification
• A purpose-of-account statement, not a generic field entry
• Any review dates and what the review assessed

Corporate customer files should contain:

• A complete corporate structure chart reaching the UBO
• UBO identification with the verification source documented
• Business purpose documentation that goes beyond the registered company description
• Expected transaction volume and product usage at account opening

EDD customer files should contain:

• Source of funds evidence — bank statement, salary slip, property sale contract, or equivalent
• Source of wealth narrative — not just an assertion that wealth came from "business activities," but a documented account of how
• The senior management or board approval record, with the date and the approver named
• Confirmation that enhanced monitoring has been configured and is active

The audit trail requirement covers every step: each CDD review, each document update, each approval decision. Everything should be timestamped and linked to the customer record. When examiners trace an alert back to the customer file, they expect to find a complete picture of the relationship, not a collection of disconnected documents.

How Technology Supports CDD

A modern CDD and KYC platform automates document collection, verification — including remote eKYC — UBO mapping, risk scoring, and the ongoing monitoring review cycle. The automation does not reduce the compliance obligation; it reduces the operational cost of meeting it and produces the audit trail that manual processes frequently fail to generate.

The critical integration point is between CDD and transaction monitoring. When a customer's monitoring profile changes — new alert patterns, unusual activity, a shift in counterparty geography — that signal should trigger a CDD review. In institutions where these systems operate independently, the connection rarely happens in a timely or documented way. For a full framework covering how to evaluate software that handles both CDD and transaction monitoring together, see our Transaction Monitoring Software Buyer's Guide.

Book a demo to see how FinCense manages CDD, customer risk scoring, and ongoing monitoring in a single integrated platform — with a full audit trail that meets examiner expectations across MAS, BNM, BSP, and AUSTRAC-regulated environments.

The Philippines was grey-listed by FATF in June 2021. The formal findings cited several strategic deficiencies — inadequate suspicious transaction report filings, weak transaction monitoring calibration, and gaps in oversight of virtual asset service providers. These were not abstract policy failures. They reflected real examination findings inside real financial institutions.

The Philippines exited the grey list in January 2023 after demonstrating legislative reform and measurable supervisory improvement. That exit was a significant regulatory milestone. It was not the end of BSP's focus on transaction monitoring quality.

If anything, the post-exit period has intensified examination scrutiny. BSP examiners now have two years of data on which institutions improved their AML programmes during the grey-list period and which made the minimum adjustments to satisfy the timeline. Compliance teams treating January 2023 as the end of a compliance improvement cycle are misreading where BSP examination focus is heading in 2026.

The Philippines AML Framework: The Foundation for Transaction Monitoring

Transaction monitoring obligations for Philippine financial institutions rest on a layered statutory and regulatory framework.

The primary legislation is Republic Act 9160, the Anti-Money Laundering Act of 2001, as amended by RA 9194, RA 10167, RA 10365, and RA 11521 in 2021. RA 11521 was the most significant package of amendments — it expanded the list of covered persons, strengthened freeze and forfeiture powers, and addressed VASP oversight, which had been a specific FATF deficiency finding.

The Anti-Money Laundering Council (AMLC) is the Philippines' Financial Intelligence Unit. It is a collegial body comprising the BSP Governor, the SEC Chairperson, and the Insurance Commissioner. AMLC issues implementing rules and regulations under AMLA, maintains the Philippines' FIU reporting systems, and receives CTR and STR filings from covered institutions.

BSP functions as the prudential supervisor for banks, quasi-banks, e-money issuers, remittance companies, and virtual asset service providers. In the AML context, BSP issues its own circulars that operationalise AMLA requirements for supervised institutions. BSP Circular 706 is the foundational AML circular, establishing the programme requirements — customer due diligence, transaction monitoring, record-keeping, reporting — that all BSP-supervised institutions must implement. Subsequent circulars have amended and extended these requirements.

For a detailed explanation of how transaction monitoring works as a function within a broader AML programme, the compliance hub guide covers the mechanics. What this article addresses is the specific Philippine regulatory framework that governs how that function must be structured.

BSP Circular 706: What the Monitoring Requirement Actually Requires

BSP Circular 706 does not prescribe a specific system architecture or vendor. It requires covered institutions to implement a risk-based transaction monitoring system commensurate with the nature, size, and complexity of their business.

The system must be capable of detecting:

• Unusual transactions that deviate from the customer's established pattern
• Suspicious patterns across multiple transactions over time
• Transactions inconsistent with the customer's stated business purpose or risk profile
• Structuring activity — transactions split or sequenced to avoid reporting thresholds

Alert investigation is where many institutions' programmes fall short. Under Circular 706, every alert generated by the monitoring system must be assessed by the designated AML compliance officer or a delegated AML officer. The assessment must be documented. Either the alert is closed with a written rationale explaining why it does not require escalation, or it is escalated to an STR review. An alert queue with no documented dispositions is an examination finding regardless of the sophistication of the detection logic that generated those alerts.

Calibration requirements are explicit: monitoring thresholds and detection scenarios must be reviewed when the institution's customer profile changes materially, when new products are launched, and at minimum on an annual basis. Institutions that deployed a monitoring system with vendor-default thresholds and have not since documented a calibration review — with written evidence, specific dates, and sign-off from a named responsible officer — cannot demonstrate compliance with this requirement.

Record retention applies to all investigation records. BSP examiners will sample alert dispositions. They expect to see both the trigger logic that generated the alert and the investigation rationale that determined its outcome. A system that generates alerts but cannot produce the decision trail does not meet the documentation standard.

AMLC Reporting: Thresholds, Timelines, and the Tipping-Off Prohibition

Two primary reporting obligations flow from an effective transaction monitoring programme.

Covered Transaction Reports (CTRs) apply to cash transactions or cash equivalents within a single banking day amounting to PHP 500,000 or more. The filing deadline is 5 working days from the date of the transaction. CTRs are volume-driven — a compliant programme needs a workflow that captures these transactions automatically and routes them to the filing process within the deadline.

Suspicious Transaction Reports (STRs) have no minimum threshold. The reporting obligation is triggered by suspicion, not by transaction size. A PHP 5,000 transaction can require an STR if the compliance officer determines that it is suspicious. The filing deadline is 5 working days from the date of determination — meaning the date on which the compliance officer concluded that the transaction or attempted transaction is suspicious. This distinction is important. The clock does not start when the underlying transaction occurred. It starts when the determination is made. Institutions with investigation workflows that allow alerts to sit unworked for days before a determination is reached are systematically at risk of missing this deadline.

The tipping-off prohibition under AMLA is absolute. An institution is strictly prohibited from informing, or taking any action that would inform, the subject of a transaction that an STR has been or is being prepared. Violation is a criminal offence. This prohibition must be embedded in investigation procedures — particularly for institutions where front-line relationship managers are involved in the investigation process and may have direct contact with the customer.

All CDD records, transaction records, and monitoring documentation must be retained for a minimum of 5 years.

VASP-Specific Transaction Monitoring: BSP Circular 1108

BSP Circular 1108, issued in 2021, established the regulatory framework for Virtual Asset Service Providers — crypto exchanges, custodian wallet providers, and peer-to-peer virtual asset trading platforms. VASPs are classified as covered persons under AMLA and must register with both BSP and AMLC.

The transaction monitoring requirements for VASPs are structurally the same as for other BSP-supervised institutions: automated monitoring system, calibrated thresholds, documented alert investigations, CTR and STR filing. There is no lighter-touch version of these requirements because the institution is dealing in virtual assets rather than fiat currency.

VASP-specific compliance under AMLC also incorporates the FATF Travel Rule — Recommendation 16. BSP has signalled alignment with this requirement, meaning VASPs must collect and transmit originator and beneficiary information for virtual asset transfers above the USD 1,000 equivalent threshold. This is not a future aspiration — it is part of the BSP-supervised VASP compliance framework now.

The monitoring challenge for VASPs is that generic bank TM scenario libraries do not cover the typologies that matter in the virtual asset context. Peer-to-peer volume clustering, rapid stablecoin conversion, mixing and tumbling patterns, and cross-chain transfers all require scenario coverage that a standard bank monitoring ruleset does not include. A VASP that has deployed a bank-oriented monitoring system without building crypto-specific detection logic has a coverage gap that a BSP examination of its VASP activities will find.

For Philippine institutions managing sanctions screening obligations under BSP and AMLC alongside their transaction monitoring programme, the VASP context adds a further dimension — virtual asset transfers require real-time sanctions screening at the point of instruction, not batch processing.

Risk-Based Monitoring in Practice: What BSP Expects

BSP's supervision approach is explicitly risk-based. The monitoring programme must reflect the institution's own customer risk assessment. An institution with a predominantly retail customer base has different monitoring requirements than one serving high-net-worth individuals, corporate treasuries, or remittance corridors into high-risk jurisdictions.

High-risk customer categories in the Philippines context include:

• Politically exposed persons (PEPs) and their relatives and close associates — the Philippines context includes domestic PEPs at national and local government level
• Customers from FATF-listed high-risk and other monitored jurisdictions
• Customers with beneficial ownership structures involving foreign holding entities
• Remittance customers sending to AMLC-designated high-risk corridors, including specific Middle East and US remittance routes

Philippine-specific typologies that monitoring scenarios must cover include e-wallet mule account networks — GCash and Maya are both BSP-supervised e-money platforms with significant retail penetration, and BSP has specifically flagged mule account exploitation as a monitored typology. Authorised push payment scam layering through bank accounts is a growing pattern. Cross-border structuring via remittance corridors to the US and Middle East is a documented Philippines financial crime pattern.

BSP examination practice has consistently identified one category of finding above others: institutions that use vendor-default monitoring thresholds without any documented evidence that those thresholds were reviewed against the institution's specific customer risk profile. A threshold set to vendor defaults is not a risk-based threshold. It is a vendor threshold that may or may not be appropriate for a given institution's risk profile — and the institution cannot demonstrate which without a documented calibration exercise.

Common Transaction Monitoring Examination Findings

Based on BSP examination findings and regulatory guidance since the grey-list period, the following deficiency patterns appear repeatedly.

STR filing delays. The 5-working-day deadline runs from determination. Institutions with investigation backlogs — where alerts sit in a queue without active review — push the determination date later, which compresses the filing window. When the investigation eventually concludes, the STR filing is already late. This is a workflow problem, not a detection problem.

Alert backlog. BSP examiners will note alert queues older than 15 working days. This signals either inadequate compliance staffing relative to alert volume, or threshold miscalibration generating more alerts than the team can process. Examiners will record both problems. Hiring more staff to work an oversized alert queue from miscalibrated thresholds is an expensive partial fix; recalibrating thresholds to produce a manageable, risk-relevant alert population addresses the root cause.

E-money product gaps. Institutions that monitor deposit accounts but have not extended monitoring to their e-money wallet products have a coverage gap that BSP has specifically flagged. If the institution's covered products include e-wallet services, those products must be within the monitoring scope.

STR quality. Since the grey-list period, BSP and AMLC have focused on the quality of STR content, not just filing volume. An STR that is filed within the deadline but contains insufficient information for AMLC to take investigative action is still a finding. The report must contain enough context — transaction history, customer background, the specific facts that triggered suspicion — for AMLC to act on it.

Beneficial ownership monitoring gaps. Corporate accounts where the ultimate beneficial owner changes without triggering a monitoring review represent a structural gap. If a corporate customer's UBO changes, the customer risk profile may have changed materially. A monitoring programme that does not incorporate this trigger into its review logic will miss the shift.

A Practical Checklist for a BSP-Compliant Transaction Monitoring Programme

For compliance officers conducting a gap assessment of their current programme, the following items constitute the minimum floor of BSP compliance:

Automated monitoring system in place — not a manual review process. The system name and version should be documented and available for examiner reference.

Thresholds calibrated to the institution's customer risk assessment, not vendor defaults. Written evidence of calibration reviews, with dates and sign-off from a named responsible officer.

Coverage across all product lines: deposit accounts, remittance products, e-money wallets, and VASP services where applicable. A monitoring programme that covers some products but not others leaves documented gaps for examiners to find.

CTR and STR workflows with investigation trails and filing deadline tracking. The 5-working-day CTR and STR filing deadlines must be tracked systematically, not managed informally.

Annual typology review: do the scenarios in the monitoring system cover current Philippine financial crime patterns? APP scams, e-wallet fraud networks, and crypto layering typologies have become examination-relevant — they should be reflected in active detection scenarios.

When evaluating transaction monitoring software against these requirements, the buyer's guide provides a structured framework covering system functionality, calibration capability, case management, and audit trail requirements.

How FinCense Addresses the BSP and AMLC Framework

FinCense is pre-configured with BSP-aligned typologies, including e-wallet fraud patterns and Philippines remittance corridor scenarios. These are not generic rules relabelled for the Philippine market — they reflect the specific financial crime patterns that BSP and AMLC examination programmes have flagged as priorities.

The CTR and STR filing workflow is built into FinCense case management. The 5-working-day filing deadline is tracked automatically from the determination date, with escalation triggers when deadlines are at risk. Compliance officers do not manage this deadline manually.

VASP scenario coverage is included within the same platform — crypto-specific detection does not require a separate system layered alongside a bank monitoring deployment. The Travel Rule data collection workflow is integrated.

In production deployments across Southeast Asian financial institutions, FinCense has reduced false positive rates by up to 50% compared to legacy rule-based systems. For compliance teams managing alert backlogs that strain staffing capacity, this is not a secondary benefit — it is the operational change that makes risk-based investigation feasible.

Book a demo to see FinCense running against Philippines-specific BSP and AMLC scenarios, including e-wallet typologies, remittance corridor detection, and the CTR/STR workflow with filing deadline tracking.