Anti-money laundering compliance in the Philippines is no longer only a concern for banks. Real estate developers, brokers, casinos, remittance businesses, virtual asset service providers, jewelry dealers, corporate service providers, and certain professionals may all have direct obligations under the Anti-Money Laundering Act. Even businesses that are not formally classified as “covered persons” increasingly face customer-verification and source-of-funds questions from banks, investors, payment processors, auditors, and commercial partners.
The practical starting point is to determine whether the business is legally covered, identify its supervising authority, and build procedures that can detect and report unusual transactions without unnecessarily blocking legitimate customers. This guide explains the applicable Philippine laws, reporting thresholds, registration process, customer due diligence requirements, common red flags, penalties, and practical steps for building a workable compliance program.
What Is Anti-Money Laundering Compliance?
Money laundering is the process of handling property or funds derived from crime so that they appear legitimate. It can involve transferring, converting, spending, possessing, concealing, or disguising criminal proceeds.
Under Section 4 of the Anti-Money Laundering Act, money laundering may be committed by a person who knowingly:
- Transacts property connected with an unlawful activity;
- Converts, transfers, moves, acquires, possesses, or uses it;
- Conceals its true source, ownership, location, or movement;
- Attempts or conspires to commit money laundering;
- Assists, advises, or facilitates the offense; or
- As a covered person, knowingly fails to file a required transaction report.
The underlying crime is called an unlawful activity or predicate offense. Philippine predicate offenses include drug trafficking, kidnapping for ransom, graft, plunder, estafa under Articles 315 and 316 of the Revised Penal Code, qualified theft, smuggling, trafficking in persons, securities fraud, bribery, malversation, tax fraud meeting the statutory threshold, and comparable foreign offenses. (Supreme Court E-Library)
A business does not need to prove that a customer committed a crime before treating a transaction as suspicious. The compliance question is whether the available facts create a reasonable concern that the transaction lacks a legitimate purpose, is inconsistent with the customer’s profile, or may involve unlawful proceeds.
Main Philippine Anti-Money Laundering Laws
The central law is Republic Act No. 9160, or the Anti-Money Laundering Act of 2001. It has been substantially amended by:
- RA 9194 (2003), which expanded reporting and suspicious-transaction rules;
- RA 10167 (2012), which strengthened bank-inquiry and freezing powers;
- RA 10365 (2013), which expanded covered persons and predicate offenses;
- RA 10927 (2017), which brought casinos within AMLA coverage; and
- RA 11521 (2021), which added real estate developers, real estate brokers, tax crimes meeting specified conditions, proliferation financing, and additional enforcement powers. (Supreme Court E-Library)
Other important rules include:
- RA 10168, the Terrorism Financing Prevention and Suppression Act of 2012;
- The 2018 Implementing Rules and Regulations of the AMLA, as amended;
- Sector-specific BSP, SEC, Insurance Commission, PAGCOR, and AMLC regulations;
- The AMLC Guidelines on Compliance Optimization and Registration System, or CORS;
- The Guidelines on Transaction Reporting and Compliance Submissions, or GoTRACS; and
- RA 10173, the Data Privacy Act of 2012, which applies to the collection, storage, disclosure, and security of customer information.
The AMLC has been implementing GoTRACS requirements in phases since 2025, with additional reporting requirements and formats taking effect according to official implementation notices. Businesses should check the latest AMLC news and announcements before relying on an old reporting manual or file format. (ACCRALAW)
Which Philippine Businesses Are Covered Persons?
A covered person is a person or entity directly required to follow AMLA preventive, registration, record-keeping, and reporting rules.
| Covered-person category | Common examples |
|---|---|
| BSP-supervised persons | Banks, non-bank financial institutions, quasi-banks, trust entities, foreign exchange dealers, pawnshops, money changers, remittance companies, electronic money issuers, and regulated virtual asset service providers |
| Insurance Commission-supervised persons | Insurance companies, pre-need companies, insurance brokers, mutual benefit associations, and other regulated entities |
| SEC-supervised financial entities | Securities brokers and dealers, investment houses, investment companies, fund managers, financing and lending entities where covered by applicable regulations, and similar intermediaries |
| Jewelry and precious-material businesses | Dealers in precious metals or precious stones handling transactions above the statutory threshold |
| Company service providers | Businesses that form companies, provide nominee shareholders, arrange directors or corporate secretaries, or provide registered-office and administrative-address services |
| Certain professional service providers | Persons managing client funds, securities or accounts, arranging company capital, creating or managing legal entities, or buying and selling business entities |
| Casinos | Land-based, internet-based, and ship-based casinos with respect to covered gaming transactions |
| Real estate businesses | Real estate developers and licensed real estate brokers |
| Offshore gaming operators and service providers | Listed in RA 11521, although licensed Philippine offshore gaming operations were required to cease by December 31, 2024 under Executive Order No. 74 |
The statutory categories are found principally in RA 10365, RA 10927, and RA 11521. (Supreme Court E-Library)
Although offshore gaming operators remain mentioned in the AMLA text, Executive Order No. 74 banned Philippine offshore gaming, internet gaming licensees, and related services and required licensed operations to wind up by December 31, 2024. An entity claiming to hold a current PAGCOR offshore gaming licence should therefore be treated as a major legal and compliance red flag. (Lawphil)
Are Lawyers and Accountants Covered?
Lawyers and accountants are not automatically exempt simply because of their profession.
They may fall within AMLA coverage when they perform activities such as:
- Managing client money or securities;
- Managing bank or investment accounts;
- Organizing contributions for a company;
- Creating or managing corporations, partnerships, trusts, or similar arrangements; or
- Buying or selling business entities.
However, information obtained under legal professional privilege or professional secrecy may be protected. The exemption is tied to the nature of the information and engagement; it is not a blanket exemption covering every financial or corporate service performed by a lawyer or accountant. (Supreme Court E-Library)
Covered Transactions and Suspicious Transactions
Covered transaction thresholds
A covered transaction is reportable because it exceeds a specific monetary threshold, even when there is no apparent criminal activity.
| Business or transaction | Reporting threshold |
|---|---|
| Most covered persons | More than ₱500,000 within one banking day |
| Jewelry dealers and dealers in precious metals or stones | More than ₱1,000,000 |
| Casinos | More than ₱5,000,000 in a single casino cash transaction |
| Real estate developers and brokers | More than ₱7,500,000 in a single cash transaction |
For most covered persons, GoTRACS generally requires reporting based on the covered amount even where settlement is made through checks, fund transfers, account credits or debits, or similar methods, subject to applicable low-risk and deferred-reporting rules. Casinos and real estate developers or brokers remain primarily subject to their statutory cash-transaction thresholds. (Supreme Court E-Library)
Amounts equal to the threshold are generally not covered where the law uses the phrase “in excess of.” For example, a real estate cash transaction of exactly ₱7.5 million does not cross the statutory threshold, but it may still require a suspicious transaction report if suspicious circumstances exist.
What makes a transaction suspicious?
A suspicious transaction is reportable regardless of amount when one or more of the following circumstances exist:
- There is no clear legal, trade, or economic purpose;
- The customer cannot be properly identified;
- The amount is inconsistent with the customer’s business or financial capacity;
- The transaction appears structured to avoid reporting;
- It materially departs from the customer’s normal activity;
- It appears connected with an unlawful activity; or
- It is similar to any of these circumstances.
These indicators are written directly into Section 3 of the AMLA. (Supreme Court E-Library)
A ₱100,000 transaction can therefore be reportable as suspicious even though it is below every covered-transaction threshold.
Step-by-Step AML Compliance Guide for Philippine Businesses
1. Confirm whether the business is a covered person
Review the company’s actual activities, not merely the description in its Articles of Incorporation or DTI registration.
A company may become a covered person because it:
- Holds a BSP, SEC, Insurance Commission, PAGCOR, or professional licence;
- Receives or transfers money for customers;
- Provides registered-office or nominee services;
- Handles client funds;
- Develops or brokers real estate; or
- Trades in precious metals or stones above the relevant threshold.
Document the assessment in writing. If management concludes that the company is not covered, retain the explanation and review it whenever the business launches a new service.
2. Identify the supervising authority
The supervising authority determines which additional rules apply:
- BSP for banks, money service businesses, electronic money issuers, pawnshops, foreign exchange dealers, and regulated virtual asset businesses;
- SEC for covered securities and investment-sector entities;
- Insurance Commission for insurance and pre-need entities;
- PAGCOR or another competent gaming authority for lawful casino operations; and
- AMLC directly, particularly for designated non-financial businesses and professions.
A business can be answerable both to the AMLC and to its sector regulator. Passing an AMLC registration check does not replace compliance with BSP, SEC, Insurance Commission, or PAGCOR rules.
3. Appoint accountable officers
The board or proprietor should formally designate:
- A compliance officer or primary designated officer;
- An alternate officer who can access the AMLC portal during absences;
- Personnel responsible for customer onboarding;
- Personnel responsible for transaction review; and
- The officer or committee authorized to approve or decline an STR filing.
For corporations, appointments are commonly supported by a board resolution or secretary’s certificate. Where the CORS portal or applicable sector rules require notarization, an unsigned internal memorandum is not an adequate substitute.
4. Conduct an institutional risk assessment
The company should assess its exposure based on:
- Customer type;
- Product or service;
- Transaction size and frequency;
- Delivery channel;
- Geographic exposure;
- Use of cash, virtual assets, nominees, or third parties;
- Cross-border activity;
- Politically exposed persons; and
- Sanctions and terrorism-financing risks.
A small real estate brokerage dealing mainly with salaried local buyers has a different risk profile from one selling high-value properties to offshore corporations using layered payment arrangements.
The assessment should identify the company’s high-risk situations and the controls applied to them. A copied risk assessment that does not match the actual business is often less defensible than a short but accurate one.
5. Prepare an AML and counter-terrorism financing program
A Money Laundering and Terrorism Financing Prevention Program, commonly called an MTPP, should address:
- Governance and management responsibility;
- Customer acceptance standards;
- Customer and beneficial-owner identification;
- Risk classification;
- Enhanced due diligence;
- Politically exposed persons;
- Sanctions screening;
- Transaction monitoring;
- Covered and suspicious transaction reporting;
- Record retention;
- Confidentiality and anti-tipping-off rules;
- Employee screening and training;
- Independent testing; and
- Escalation and decision-making procedures.
The AMLC provides an official MTPP outline for designated non-financial businesses and professions. (Anti-Money Laundering Council)
6. Register through the AMLC CORS portal
Covered persons must register with the AMLC through its current Compliance Optimization and Registration System.
Documents vary by business category, but commonly include:
- SEC, DTI, CDA, PRC, or other business-registration records;
- Current regulatory or professional licence;
- Articles of Incorporation, partnership documents, or equivalent records;
- Latest General Information Sheet, where applicable;
- Board resolution, secretary’s certificate, or written designation of the compliance officer and alternate;
- Valid identification and contact information;
- Business-address and branch details; and
- Additional declarations required by the portal.
The legal name, registration number, address, and officer details should match the issuing agency’s records. Differences between the trade name and corporate name are a frequent cause of delay.
A provisional certificate or portal acknowledgement should not be treated as a permanent Certificate of Registration. Businesses should monitor the certificate’s validity and promptly update changes in ownership, address, licence status, or compliance officers.
The AMLC has also directed covered persons to deal only with registered designated non-financial businesses and professions holding a valid Certificate of Registration or Provisional Certificate of Registration. This means an unregistered real estate broker, jewelry dealer, or company service provider may encounter difficulties with banks and other covered counterparties. (Anti-Money Laundering Council)
7. Perform customer due diligence
Customer due diligence, or CDD, means knowing who the customer really is and understanding why the transaction is taking place.
For an individual, collect and verify information such as:
- Full legal name;
- Date and place of birth;
- Nationality;
- Residential address;
- Contact details;
- Government-issued identification;
- Occupation, employer, or business;
- Tax identification where relevant;
- Purpose of the transaction; and
- Expected source of funds.
For a corporation, partnership, trust, or similar arrangement, obtain:
- Registration documents;
- Registered and operating addresses;
- Business purpose;
- Directors, partners, trustees, or authorized signatories;
- Board or partnership authority;
- Ownership structure;
- Latest GIS or comparable registry extract;
- The natural persons who ultimately own or control the entity; and
- The source of the transaction funds.
The beneficial owner is the natural person who ultimately owns, controls, or benefits from the customer or transaction. Stopping at the name of a holding company is not enough when another person controls that company. Philippine corporations also disclose beneficial ownership information through the GIS and the SEC’s developing Harbor Beneficial Ownership Registry. (Bureau of Soils and Water Management)
8. Apply enhanced due diligence to higher-risk customers
Enhanced due diligence may require:
- More detailed source-of-funds evidence;
- Source-of-wealth information;
- Senior management approval;
- Independent registry or database checks;
- Verification of business operations;
- More frequent KYC updates; and
- Closer transaction monitoring.
Higher-risk situations commonly include:
- Politically exposed persons and close associates;
- Customers from high-risk jurisdictions;
- Cash-intensive businesses;
- Complex offshore ownership;
- Nominee shareholders or directors;
- Unexplained third-party payments;
- Transactions involving virtual assets;
- Businesses with little visible commercial activity; and
- Customers unwilling to disclose beneficial ownership.
Political exposure does not automatically mean that a person is involved in corruption. It means the relationship requires stronger controls because of the person’s position and potential access to public resources.
9. Monitor transactions and investigate alerts
Monitoring should compare actual activity with the customer’s known profile.
An alert should ordinarily record:
- What triggered the review;
- The customer’s profile and expected activity;
- The relevant transactions;
- Documents requested and received;
- Explanations given;
- Independent checks performed;
- The reviewer’s analysis; and
- The final decision to file or not file an STR.
A decision not to report should be documented. An undocumented verbal conclusion is difficult to defend during an examination.
10. File reports within the required period
Covered persons must generally file covered and suspicious transaction reports within five working days from occurrence, unless the AMLC prescribes a different period that cannot exceed 15 working days. (Supreme Court E-Library)
Reports are submitted electronically through the AMLC reporting facilities governed by GoTRACS. The reporting chain must allow enough time for alert review, validation, approval, and submission within the legal deadline.
A business should not delay filing merely because the customer has not answered every question or because law enforcement has not confirmed a crime. The report should clearly distinguish verified facts, customer explanations, and the company’s reasonable concerns.
11. Keep records for at least five years
Covered persons generally must retain:
- Customer identification and verification records;
- Beneficial ownership documents;
- Account and transaction records;
- Contracts, invoices, receipts, and payment instructions;
- Internal alerts and investigation notes;
- CTRs and STRs;
- Approval and escalation records; and
- Training and audit records.
Transaction records must generally be kept for at least five years from the transaction date. Customer identification records are generally retained for at least five years after the relationship ends. Records connected with an investigation, freeze order, or pending case must be preserved longer until the proper authority confirms that the matter has been resolved. (Supreme Court E-Library)
12. Protect customer information
KYC obligations do not cancel data privacy duties.
Personal information should be:
- Collected for a legitimate compliance purpose;
- Limited to what is reasonably necessary;
- Accessible only to authorized personnel;
- Protected through physical and technical safeguards;
- Retained according to a documented schedule; and
- Securely disposed of after the applicable retention period.
The Data Privacy Act recognizes processing based on legal obligations and applicable laws, but businesses must still follow transparency, legitimate purpose, proportionality, and security requirements. (National Privacy Commission)
Documents Commonly Requested During KYC
| Customer type | Common supporting documents |
|---|---|
| Filipino individual | PhilID, passport, driver’s licence or other accepted ID; proof of address; employment or business information |
| Sole proprietor | DTI registration, mayor’s permit, BIR registration, invoices, bank records, ownership information |
| Philippine corporation | SEC certificate, Articles and By-Laws, current GIS, board resolution, IDs of signatories, beneficial ownership information |
| Foreign corporation | Foreign registry extract, constitutional documents, certificate of incumbency or equivalent, ownership chart, board authority, passports of beneficial owners |
| Real estate buyer | Reservation or sale documents, source-of-funds records, loan approval, bank statements, proof of sale of another asset, remittance evidence |
| High-risk customer | Tax returns, audited financial statements, contracts, inheritance documents, property-sale records, loan agreements, or other source-of-wealth evidence |
Foreign public documents may need certification, consular legalization, or an apostille depending on the issuing country, intended use, and the covered person’s risk assessment. An apostille authenticates the origin of a public document; it does not prove that every statement in the document is true.
For documents issued in an Apostille Convention country, the apostille is normally issued by the competent authority of that country. Documents from non-Apostille countries may require authentication or legalization through the relevant embassy or consulate. The DFA provides current requirements through the Philippine Apostille portal. (Apostille Philippines)
Not every foreign KYC document must automatically be apostilled. A covered person may accept reliable electronic registry records or certified copies in lower-risk cases, while requiring apostilled originals, certified translations, or legal opinions for higher-risk structures.
Common AML Red Flags in Philippine Business Transactions
Structuring transactions below the threshold
A customer makes several payments of ₱480,000 instead of one payment exceeding ₱500,000, or divides a ₱9 million real estate cash payment among relatives.
Transactions should be assessed collectively when the timing, parties, purpose, and circumstances suggest deliberate avoidance of reporting.
Third-party payments without a clear relationship
A buyer asks that payment come from an unrelated person, offshore company, employee, driver, or newly formed corporation.
The business should identify the payer, determine the relationship, and establish why the payer is funding the transaction.
Use of nominees or “dummies”
A customer places ownership in the name of another person who lacks the financial ability to acquire the asset.
The AMLC has specifically warned about the use of Filipinos and businesses as dummies. Beneficial ownership must be established rather than assumed from the registered name. (Anti-Money Laundering Council)
Inconsistent source of funds
A customer claiming to be unemployed purchases several condominium units in cash, or a newly incorporated company with minimal declared capital receives large international transfers.
CDD should examine the actual economic source, not merely obtain a signed statement saying “savings” or “business income.”
Unusual real estate arrangements
Red flags include:
- Rapid resale at a substantial unexplained gain or loss;
- Overpayment followed by a refund to another account;
- Assignment of rights to an unrelated party;
- Purchase through several shell companies;
- Cash payments inconsistent with the buyer’s profile; and
- Requests to state a false consideration in the deed of sale.
Trade-based money laundering
Importers or exporters may manipulate invoices, quantities, quality descriptions, shipping routes, or counterparties to move value across borders.
Warning signs include repeated over-invoicing, payments to parties not named in the contract, goods inconsistent with the company’s business, and shipments routed through unrelated jurisdictions.
Sudden digital or virtual-asset activity
A previously inactive customer begins receiving numerous transfers from e-wallets, cryptocurrency platforms, online gaming accounts, or unrelated individuals and immediately converts or transfers the funds.
Rapid movement without a clear business purpose may indicate layering, mule-account activity, fraud, or scam proceeds.
Penalties for AMLA Violations
Money laundering carries serious criminal penalties.
For the principal acts of transacting, converting, transferring, possessing, using, concealing, attempting, or conspiring to launder property, the penalty may include:
- Seven to 14 years’ imprisonment; and
- A fine of at least ₱3 million, but not more than twice the value of the property involved.
Aiding, assisting, counselling, or facilitating money laundering may carry:
- Four to seven years’ imprisonment; and
- A fine of ₱1.5 million to ₱3 million.
A covered person who knowingly fails to file a required report may face:
- Six months to four years’ imprisonment;
- A fine of ₱100,000 to ₱500,000; or
- Both. (Supreme Court E-Library)
Administrative penalties may reach ₱500,000 per violation, subject to an aggregate ceiling of five percent of the covered person’s asset size under the AMLC administrative sanctions rules. Violations can be counted per customer, transaction, account, order, examination, or day, depending on the requirement breached. Separate sanctions may also be imposed by the BSP, SEC, Insurance Commission, or other supervising authority. (Supreme Court E-Library)
The Anti-Tipping-Off Rule
Employees and officers must not tell a customer that:
- An STR has been filed;
- An STR is being prepared;
- The AMLC has requested information;
- The customer is being investigated; or
- A report contains particular information.
This prohibition is known as the anti-tipping-off rule. It prevents customers from destroying evidence, moving funds, intimidating witnesses, or changing their transaction pattern.
Normal questions such as requesting proof of income, asking about a third-party payer, or temporarily conducting a compliance review are not necessarily tipping off. The risk arises when personnel reveal the existence or contents of a confidential report or investigation.
Breach of AMLA information-security and confidentiality requirements may be punished by three to eight years’ imprisonment and a fine of ₱500,000 to ₱1 million. (Supreme Court E-Library)
Freeze Orders and Asset Preservation
When probable cause exists that property is related to an unlawful activity, the Court of Appeals may issue an ex parte freeze order upon a verified AMLC petition.
Under RA 11521:
- The initial freeze order is immediately effective for 20 days;
- The Court of Appeals conducts a summary hearing within that period;
- The order may be modified, lifted, or extended;
- The total freeze period generally cannot exceed six months without the required case;
- The freeze should be limited to the amount reasonably connected with the alleged proceeds; and
- Only the Supreme Court may issue an injunction against an ordinary AMLA freeze order.
Special rules apply to targeted financial sanctions involving terrorism or proliferation financing, where freezing may be implemented without delay. (Supreme Court E-Library)
Practical Compliance Timelines and Costs
| Compliance activity | Practical timeframe |
|---|---|
| Initial covered-person assessment | Several days to two weeks |
| Institutional risk assessment | Two to six weeks, depending on complexity |
| Preparation of MTPP and procedures | Two to eight weeks |
| CORS registration | Several days to several weeks if documents are complete |
| Customer onboarding | Same day for simple low-risk customers; longer for foreign or complex structures |
| Enhanced due diligence | Several days to multiple weeks |
| CTR or STR filing | Normally within five working days from occurrence |
| Internal AML training | At onboarding and periodically thereafter |
| Record retention | At least five years, and longer where a case remains pending |
There is no single statutory professional fee for building an AML program. Actual costs may include:
- Notarial fees;
- SEC or registry-certified documents;
- Foreign corporate searches;
- Apostille or consular authentication;
- Certified translations;
- Screening and transaction-monitoring systems;
- Secure document storage;
- Training; and
- Independent compliance testing.
Small businesses can reduce costs by using a clear risk-based process rather than collecting excessive documents from every customer. High-risk customers should receive deeper review; low-risk customers still require proper identification but should not be subjected to arbitrary or discriminatory barriers.
Frequently Asked Questions
Does every Philippine business need to register with the AMLC?
No. Registration is mandatory for businesses and professionals classified as covered persons. Other businesses may still adopt AML controls because their banks, investors, payment providers, or counterparties require them.
Is a transaction automatically suspicious because it exceeds ₱500,000?
No. A transaction exceeding the applicable threshold may be a covered transaction even when completely legitimate. Suspicion depends on factors such as purpose, customer profile, source of funds, structure, and connection to unlawful activity.
Can a business accept cash above the reporting threshold?
The AMLA does not generally prohibit legitimate cash transactions merely because they exceed a threshold. A covered person must perform appropriate due diligence and file the required report. Other sector-specific cash or payment restrictions may also apply.
What happens if a customer refuses to provide KYC documents?
The business should not proceed when it cannot establish the customer’s identity, authority, or beneficial ownership to the standard required by its risk-based procedures. It should also evaluate whether the refusal itself creates grounds for an STR.
Do I need to tell a customer that I filed an STR?
No. Telling the customer may violate the anti-tipping-off rule.
Can a company rely only on the SEC General Information Sheet?
No. The GIS is useful, but it may be outdated, incomplete, or fail to show indirect control. A covered person should verify the current ownership structure and identify the natural persons who ultimately own or control the customer.
Are transactions involving foreigners automatically high risk?
No. Nationality alone does not make a transaction suspicious. Relevant factors include residence, source and destination of funds, jurisdictional risk, political exposure, ownership complexity, business purpose, sanctions exposure, and the reliability of supporting documents.
Must all foreign documents be apostilled?
No. The requirement depends on the document, issuing country, purpose, and risk level. Higher-risk or formal government transactions are more likely to require an apostille, consular authentication, certified copy, or certified translation.
How long must AML records be kept?
Generally, at least five years from the transaction date or termination of the customer relationship. Records connected with a pending investigation, freeze order, or case must be retained longer.
Can a covered person be fined even if no money laundering occurred?
Yes. Administrative liability can arise from defective customer identification, failure to register, late reporting, inadequate records, missing transaction monitoring, or non-compliance with an AMLC order even if no customer is ultimately convicted of money laundering.
Key Takeaways
- Determine whether the business is a covered person based on its actual activities and licences.
- Covered transactions are threshold-based; suspicious transactions are reportable regardless of amount.
- Most covered persons must report transactions exceeding ₱500,000 within one banking day, while special thresholds apply to jewelry, casinos, and real estate.
- Identify and verify both the customer and the natural person who ultimately owns or controls the transaction.
- Register through the AMLC CORS portal and keep compliance-officer and business information current.
- Maintain a written risk assessment, MTPP, reporting chain, and defensible record of every alert decision.
- File required reports within the applicable period, normally five working days.
- Never disclose that an STR has been filed or is being considered.
- Retain transaction and KYC records for at least five years and protect them under the Data Privacy Act.
- AML violations can result in criminal prosecution, regulatory sanctions, substantial per-violation fines, licence consequences, freeze orders, and forfeiture.