AMLA Malaysia: The Anti-Money Laundering Act and Compliance Guide for 2026
AMLA Malaysia refers to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001. Think of it as the law that governs how firms in the country detect and report money laundering. Who must comply? AMLA answers that, and it also fixes the records firms keep along with the penalties for getting any of it wrong. What follows walks through the legislation, the regulators behind it, and the changes that landed after Malaysia's 2025 mutual evaluation.
Money laundering has climbed the priority list for Malaysia's government and the institutions it supervises. Financial crime keeps rising. Pair that with the pressure to enforce a serious legal standard against laundering and terrorism financing, and the topic stops being optional. Below, we open with the legal and regulatory framework of AML in Malaysia. From there the guide moves through the core components of the Act, then the screening controls firms lean on day to day, before closing on the risks and trends now shaping the work.
Malaysia's 2025 FATF Review and What Follows
Malaysia came through its FATF and Asia/Pacific Group mutual evaluation in strong shape. Assessors made their on-site visit in February 2025. Adoption of the joint Mutual Evaluation Report followed in October 2025, with publication that December. Malaysia landed in Regular Follow-Up, which is the best outcome the process offers, and Bank Negara Malaysia credited progress on both technical compliance and real-world effectiveness.
Few reviews go this deep. Assessors held more than 70 meetings with public authorities and sat down with 45 private sector entities, a group that ran from banks to virtual asset service providers and designated non-financial businesses. Their finding was that Malaysia had strengthened its defences against illicit finance since 2015. One gap stood out, and compliance teams should note it: turning money laundering investigations into prosecutions and actual convictions is still a struggle. For firms, the upgraded rating raises the bar. Supervisors will want to see the framework working in practice, not just on paper.
What AMLA Malaysia Covers
The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 is the key piece of anti-money laundering legislation in the country. Legal requirements for reporting institutions sit in it, along with the consequences of failing to meet them. Behind its arrival was a direct trigger: rising incidents of financial crime. Amendments have followed several times since, as Malaysia worked to align with standards set by bodies such as the Financial Action Task Force (FATF).
Legal and Regulatory Framework for AML in Malaysia
Malaysia has built a broad set of AML legal provisions to fight money laundering effectively. Customer due diligence is one demand the rules make. Firms also have to report suspicious transactions and retain records. On top of that, every firm needs a compliance program sized to its own AML/CFT risk. Underpinning all of it is the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA).
Several bodies share oversight of AML compliance:
- Bank Negara Malaysia (BNM): The central bank holds the main mandate for implementing the AML regulations.
- Securities Commission Malaysia (SC): Oversees the capital market and the compliance of financial service providers in that space.
- Malaysian Anti-Corruption Commission (MACC): Primarily focused on corruption, which frequently overlaps with money laundering activity.
- Royal Malaysia Police: Investigates and prosecutes money laundering and terrorism financing offences.
Who Counts as a Reporting Institution
AMLA frames its obligations around "reporting institutions," and the category runs wider than banks alone. Licensed banks, Islamic banks, and development financial institutions carry the fullest set of duties, including enterprise-wide risk assessments and detailed transaction monitoring. Sitting alongside them are money service businesses, remittance operators, and e-money issuers. Their CDD and reporting obligations look broadly equivalent even where their risk patterns differ.
The third group is the one firms most often overlook. Designated Non-Financial Businesses and Professions, or DNFBPs, reach a long way beyond finance. Lawyers and accountants fall inside the net. So do real estate agents, company secretaries, and dealers in precious metals and stones. Their obligations are threshold-triggered. Duties apply once a transaction reaches a defined cash value or the firm starts facilitating a category of activity the Act captures. If you work in one of these sectors and assume AMLA is a banking problem, the rules say otherwise.
Customer Due Diligence Under AMLA
Customer Due Diligence sits at the heart of the Act. BNM's policy document sets three CDD tiers. Which one applies turns on the customer's risk profile and the nature of the relationship, not on what is convenient for the firm. Standard CDD covers all new customers unless conditions for simplified CDD are met. At that tier, the firm identifies and verifies the customer. Documenting the purpose and intended nature of the relationship comes next, along with a customer risk assessment at onboarding.
Enhanced Due Diligence, or EDD, kicks in for higher-risk cases. That includes politically exposed persons and customers connected to high-risk jurisdictions. EDD means gathering more information and securing senior approval before the relationship proceeds, which gives the firm a fuller view of the risk it is taking on.
Record retention ties the process together. Several categories have to be kept: documents gathered during CDD, transaction records and business correspondence, and any risk analysis or suspicious transaction report the firm produces. The retention period runs at least six years after the transaction completes or the relationship ends. Regulators can ask to see all of it, so the clock matters.
What Is AML Screening?
AML screening is the process of checking customers and transactions against watchlists and risk data to catch money laundering before it takes hold. Onboarding is where it starts. After that, it carries on for the life of the relationship through ongoing transaction monitoring. A reporting institution screens a new customer's name, then keeps checking as sanctions lists update and behaviour shifts. Skip it, and a firm has no reliable way to know whether it is doing business with a sanctioned party or a known launderer.
Three checks make up the core of most programs. Sanctions screening tests names against government and international restriction lists. PEP screening flags politically exposed persons who warrant closer review. Adverse media screening surfaces negative news that may signal risk long before it reaches an official list. Each plays a distinct role. A thin program that runs one but skips the others leaves obvious gaps.
Sanction Screening in AML
Sanction screening checks whether a customer, beneficial owner, or related party appears on a sanctions list. Governments and bodies such as the UN maintain these lists. They name individuals, companies, and whole countries subject to economic and trade restrictions, often tied to terrorism or proliferation risk. For a Malaysian reporting institution, screening against the relevant lists is not optional. Done right, it stops the firm from handling funds for a restricted party.
Most of the time the process follows a clear sequence. First, the firm verifies the customer's identity at the start of the relationship. Then that identity is screened against the applicable lists. Any match gets investigated rather than waved through, because false positives are common and a real hit carries serious consequences. Screening then continues on an ongoing basis, since a customer who was clean at onboarding can appear on a list later. Strong matching logic matters here. Tune it too loose and analysts drown in false positives. Too tight and a genuine match slips past.
Name Screening and PEP Screening
Name screening is the broader discipline that sanctions and PEP checks sit within. Comparing a customer's details against multiple data sources at once is the job, and the hard part is rarely the lookup itself. Names transliterate differently. Spelling varies, and the same name repeats across thousands of unrelated people, so the screening engine has to balance catching true matches against flooding the team with noise.
PEP screening is a specific slice of that work. A politically exposed person holds a prominent public role, which brings a higher risk of bribery or corruption, so regulators expect closer scrutiny. Screening flags whether a customer is a PEP, applies enhanced due diligence if so, and keeps monitoring the relationship over time. A minister flagged at onboarding does not stop being a PEP. Their risk can climb with a change in office, which is why one-time screening falls short. Records of each screen should be retained for regulators to review on request.
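The matching trade-off described in this section and under sanction screening, as an added example that is not from the original article or from any vendor's product. The names are constructed, the thresholds are illustrative assumptions, and normalized edit distance stands in for whatever matching logic a real engine uses.

```python
import unicodedata

# Constructed watchlist and customer names; none refer to real persons.
WATCHLIST = ["Ahmad Faizal Rahmat", "Siti Noraini Kassim"]
CUSTOMERS = [
    "RAHMAT, Ahmad Faiz\u00e1l",  # listed name: reordered, upper case, accented a
    "Ahmed Faisal Rahmat",        # transliteration variant of the listed name
    "Ahmad Fauzi Rahim",          # different person with a similar common name
    "Tan Mei Ling",               # unrelated
]

def normalize(name):
    """Strip diacritics and punctuation, fold case, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in base.lower())
    return " ".join(sorted(cleaned.split()))

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical normalized names, falling toward 0 as edits grow."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest

def screen(customer, watchlist, threshold):
    """Return (entry, score) pairs at or above threshold, best first."""
    scored = [(entry, similarity(customer, entry)) for entry in watchlist]
    hits = [(e, round(s, 2)) for e, s in scored if s >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def alerts(threshold):
    """Customers that would raise an alert for analyst review."""
    return [c for c in CUSTOMERS if screen(c, WATCHLIST, threshold)]

if __name__ == "__main__":
    for t in (0.60, 0.85, 0.95):  # illustrative thresholds, not regulatory values
        print(t, alerts(t))
```

On this constructed data the loosest threshold alerts on the similar but different name, while the tightest one misses the transliteration variant and only catches the name that is identical after normalization.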
How to Choose AML Screening Software
Picking AML screening software comes down to a few questions that cut through the feature lists. How current and how wide is the underlying data? Coverage has to span the sanctions sources your risk profile demands, plus PEP data and adverse media. Can the matching logic be tuned, so the team is not buried under false positives or, worse, missing real ones? Does ongoing monitoring run automatically, or does someone have to remember to re-screen?
Fit with your own stack matters too. A tool that screens well but cannot push alerts into your case workflow creates manual handoffs that slow everything down. Look at how the software handles sanctions screening end to end, from the initial check to alert resolution, and weigh whether it scales as your customer base grows. The right choice depends on your sector, your transaction patterns, and the regulators you answer to.
Money Laundering Risks in Malaysia
Malaysia's geography, strong financial sector, and open borders all create money laundering exposure. The main risks include:
- Corruption: Corruption feeds both terrorism financing and money laundering, and it remains a persistent channel for moving illicit funds through the system.
- Drug and human trafficking: These offences generate large volumes of cash that need to be laundered to look legitimate.
- Cybercrime: As financial services move online, cyber-enabled financial crime has become a growing source of risk.
Penalties Under AMLA Malaysia
AMLA sets out the money laundering offences and the penalties that follow a conviction. Under Section 4 of the Act, a person convicted of money laundering faces imprisonment for a term not exceeding 15 years. A fine comes with it, set at not less than five times the value of the proceeds or instrumentalities involved, or five million ringgit, whichever is higher. These rank among the steepest financial crime penalties in Malaysia.
Beyond the criminal track, the Act lets law enforcement freeze and seize property linked to money laundering, then forfeit it outright, cutting off the financial base that crime depends on. Failure to file suspicious transaction reports carries its own legal exposure. That is why timely suspicious activity reports to the BNM Financial Intelligence Unit sit at the centre of every compliance program. Taken together, these consequences reinforce Malaysia's commitment to AML compliance.
Recent Developments and Trends in AML Regulations in Malaysia
Malaysia has kept pace with new risks by updating its rules and supervising more actively. On 5 February 2024, Bank Negara Malaysia issued revised policy documents, with effect from the following day. They cover anti-money laundering and the countering of terrorism financing, along with countering proliferation financing and targeted financial sanctions. Both financial institutions and DNFBPs fall within scope, and the revisions raised the baseline for how firms run their programs.
The bigger shift came through legislation. A 2024 amendment bill, later enacted as the AMLA (Amendment) Act 2025, broadened the framework to cover proliferation financing and targeted financial sanctions. It introduced a new offence of financing restricted activity, meaning the provision of financial services or property used in the proliferation of weapons of mass destruction. The amendment also extended the reach of dealing restrictions beyond Malaysian citizens and locally incorporated bodies to any person inside or outside the country. And it gave supervisors the power to take administrative action, such as imposing monetary penalties, for breaches. As of mid-2025, the amendment awaited its in-force date by notification in the Gazette, so firms should track the commencement notice rather than assume the new offence is already live.
On the technology side, the Financial Technology Regulatory Sandbox Framework brings fintech firms into the wider AML system and tests that they meet the rules as they grow. Two goals run side by side here. Malaysia is tightening controls on illicit finance while keeping room for the digital financial sector to develop.
How KYC Hub Supports AML Compliance in Malaysia
KYC Hub's AML screening and ongoing monitoring solution gives Malaysian reporting institutions an end-to-end way to meet the obligations AMLA sets. Exhaustive AML screening comes first, so customers and counterparties are checked against the sanctions and watchlists that matter. Continuous monitoring and AML alerts then keep the relationship under review after onboarding, which is exactly where the Act expects ongoing diligence to live.
Two further pillars round out the picture. Global adverse media intelligence surfaces negative news that can flag risk before it lands on an official list. Connections between entities are the other half. Network intelligence helps teams see the links that simple name checks miss. Backed by global data coverage, the platform gives compliance teams a single place to screen, monitor, and resolve alerts rather than stitching together separate tools. For a DNFBP or a remittance operator trying to scale without scaling its false-positive workload, that consolidation is the practical win.



