Anti-Money Laundering (AML)

AML is one of the most operationally demanding compliance requirements for payments businesses. Unlike PCI-DSS, which is a technical standard, AML is a legal obligation with criminal liability exposure for individuals and entities that fail to meet it. For PSPs, payment facilitators, and fintechs, AML is not a one-time implementation but an ongoing operational program.

The Three Stages of Money Laundering

AML controls target the three stages through which illicit funds are processed:

1. Placement: Introducing criminal proceeds into the financial system (e.g., depositing cash, loading prepaid cards)
2. Layering: Obscuring the trail through multiple transactions, transfers, or conversions
3. Integration: Re-introducing funds into the legitimate economy in a form that appears clean

Payment platforms are most exposed at the placement and layering stages. High-velocity small transactions, structured deposits just below reporting thresholds (structuring or “smurfing”), and round-dollar transfers are common layering indicators in payment data.

Core AML Program Components

Customer Due Diligence (CDD): Collecting and verifying identity information for customers at onboarding and on an ongoing basis. Enhanced due diligence (EDD) applies to higher-risk customers including politically exposed persons (PEPs) and those from high-risk jurisdictions.

Transaction monitoring: Automated rules and models that flag unusual transaction patterns for human review. Effective transaction monitoring requires calibration to actual baseline behavior — overly aggressive rules generate high false-positive rates that overwhelm compliance teams.

Suspicious Activity Reports (SARs) / Suspicious Transaction Reports (STRs): Formal reports filed with the financial intelligence unit (FIU) in each jurisdiction when a firm identifies a transaction that may involve money laundering. Filing a SAR does not mean a crime has occurred; it is an obligation to report suspicion.

Record-keeping: AML regulations require retention of transaction records and customer identification documents, typically for five to seven years.

AML in the Payments Context

Payment businesses face specific AML risks:

• Merchant fraud and pass-through: A merchant processing card payments on behalf of undisclosed third parties (“factoring”) is a money laundering vector. PSPs must monitor for this.
• Refund abuse: Refunds to payment methods not used in the original transaction can be used to move funds
• Peer-to-peer platforms: Wallets and P2P transfers have high layering risk due to speed and volume

Southeast Asia Regulatory Landscape

AML regulation in Southeast Asia is enforced nationally, with varying degrees of sophistication:

• Singapore: MAS Notice PSN02 imposes comprehensive AML/CFT obligations on payment service licensees. FATF-compliant framework, among the most rigorous in the region
• Malaysia: Bank Negara Malaysia enforces AML/CFT under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)
• Indonesia: OJK and PPATK (financial intelligence unit) jointly oversee AML compliance for payment operators
• Philippines: AMLC (Anti-Money Laundering Council) supervises remittance operators and e-money issuers
• Thailand: AMLO (Anti-Money Laundering Office) is the supervisory body

Cross-border payments in SEA carry elevated AML risk due to the mix of cash-heavy economies, large informal sectors, and high-value remittance corridors. Compliance programs designed for EU or US baselines may need recalibration for SEA risk typologies.

Consequences of AML Failures

AML failures carry severe consequences: license revocation, multi-million dollar fines, reputational damage, and personal criminal liability for compliance officers and executives. Major PSP fines in recent years — several exceeding $100M — underscore that regulators treat AML as a hard requirement, not a checkbox.