How to Comply With Anti-Money Laundering Laws for Philippine Businesses

For a Philippine business, anti-money laundering compliance starts with a deceptively simple question: Are you a “covered person” under the Anti-Money Laundering Act, or are you merely a customer of one? Not every corporation, partnership, or sole proprietorship must register with the Anti-Money Laundering Council or file transaction reports. However, every business should understand how banks and other regulated entities assess unusual payments, identify beneficial owners, and verify the source of funds.

A workable compliance program is more than collecting photocopies of IDs. It requires the business to know its customers, understand who ultimately owns or controls corporate clients, monitor transactions, document unusual activity, protect confidential information, and file reports on time when legally required.

What Philippine laws govern anti-money laundering compliance?

The main law is Republic Act No. 9160, or the Anti-Money Laundering Act of 2001, commonly called the AMLA. It has been expanded by several laws, including:

  • RA No. 9194 of 2003
  • RA No. 10167 of 2012
  • RA No. 10365 of 2013
  • RA No. 10927 of 2017, which brought casinos within the AML framework
  • RA No. 11521 of 2021, which added real estate developers and brokers and strengthened the powers of the Anti-Money Laundering Council
  • RA No. 10168 of 2012, or the Terrorism Financing Prevention and Suppression Act
  • RA No. 12010 of 2024, or the Anti-Financial Account Scamming Act, which addresses money-mule activity and misuse of financial accounts

The Anti-Money Laundering Council, or AMLC, is the Philippines’ financial intelligence unit. It receives covered and suspicious transaction reports, conducts financial investigations, coordinates asset-freezing and forfeiture proceedings, and issues compliance rules for covered persons.

The current statutory definitions and transaction thresholds appear in Republic Act No. 11521 through the Supreme Court E-Library. (Supreme Court E-Library)

Which Philippine businesses are covered by the AMLA?

A covered person is a person or organization specifically required by law to implement anti-money laundering and counter-terrorism financing controls.

Major categories include:

Category Common examples Main regulator or supervisor
Banks and other financial institutions Banks, quasi-banks, trust entities, money changers, foreign exchange dealers, remittance companies, e-money issuers, pawnshops and certain non-bank financial institutions Bangko Sentral ng Pilipinas
Insurance businesses Insurers, pre-need companies, insurance brokers, agents, reinsurers and mutual benefit associations Insurance Commission
Securities-sector businesses Brokers, dealers, investment houses, investment advisers, mutual funds and investment companies Securities and Exchange Commission
Casinos Land-based, ship-based and internet-based casinos within the statutory definition PAGCOR or another applicable gaming regulator
Jewelry and precious-material dealers Dealers in jewelry, precious metals and precious stones meeting the applicable activity or transaction criteria AMLC and applicable trade regulators
Company service providers Businesses that form companies, provide nominee directors or shareholders, supply registered offices or arrange corporate management services AMLC and, where applicable, SEC
Certain lawyers, accountants and professionals Professionals carrying out specified financial or corporate transactions for clients, subject to rules on privileged communications AMLC and professional regulators
Real estate developers and brokers Licensed brokers and developers covered by RA No. 11521 DHSUD, PRC, HLURB-related successor functions and AMLC, as applicable
Other businesses expressly brought within the law Other persons or activities designated by statute or regulation Relevant supervising authority

The exact classification depends on what the business actually does, not merely on the description written in its Articles of Incorporation. For example, a consulting company that occasionally helps a client prepare incorporation papers is not necessarily operating as a company service provider. A business that regularly forms companies, supplies nominee shareholders, manages client funds, or provides registered offices may fall within the covered category.

The AMLC’s current reporting guidelines contain a detailed list of BSP-, SEC-, Insurance Commission- and AMLC-supervised covered persons, including designated non-financial businesses and professions.

Ordinary businesses that are not covered persons

A restaurant, construction contractor, online seller, manufacturing company or regular professional-services firm is not automatically a covered person simply because it:

  • Is registered with the SEC or DTI
  • Receives a large payment
  • Maintains a corporate bank account
  • Has foreign shareholders
  • Sells goods to overseas customers
  • Receives investments or shareholder advances

Nevertheless, its bank is a covered person. The bank may therefore request contracts, invoices, tax documents, ownership records, explanations of unusual transfers, or evidence showing the source of funds.

A request from a bank does not necessarily mean the business is suspected of a crime. Banks must understand whether transactions are consistent with the customer’s declared business, expected turnover and financial capacity.

An ordinary business may also incur criminal liability if its owners or officers knowingly transact with, conceal, convert, transfer or help disguise property derived from unlawful activity. Being outside the “covered person” list is not permission to ignore obviously suspicious funds.

Covered transactions versus suspicious transactions

These two reports serve different purposes.

Covered transaction

A covered transaction report, or CTR, is generally a threshold-based report. It does not by itself mean that the customer committed money laundering.

Covered person or transaction Reporting threshold
General AMLA threshold More than ₱500,000 within one banking day
Casino cash transaction More than ₱5 million in a single transaction
Real estate developer or broker cash transaction More than ₱7.5 million in a single transaction
Covered jewelry, precious-metal or precious-stone transaction More than ₱1 million, subject to the applicable DNFBP rules

The law says “in excess of” the stated threshold. A transaction of exactly ₱500,000 is therefore not a covered transaction solely because of the general threshold. It can still be suspicious based on its purpose, structure, source, parties or surrounding circumstances. (Supreme Court E-Library)

Suspicious transaction

A suspicious transaction report, or STR, is based on circumstances, not merely an amount. A transaction can be suspicious even if it involves only a few thousand pesos.

The AMLA identifies warning signs such as:

  • No apparent legal, commercial or economic purpose
  • Failure or refusal to identify the customer properly
  • An amount inconsistent with the customer’s business or financial capacity
  • Structuring transactions to avoid a reporting threshold
  • Activity that significantly departs from the customer’s profile or past transactions
  • A connection with an unlawful activity or money laundering offense
  • Circumstances similar to any of the above

Attempted transactions may also require reporting. For example, a customer who abandons a transaction after being asked for beneficial ownership or source-of-funds documents may still create a reportable concern. (Supreme Court E-Library)

Step-by-step guide to AML compliance for Philippine businesses

1. Determine whether the business is a covered person

Review the business model, licenses, revenue streams and actual services.

Ask:

  1. Does the company receive, hold, move or manage money for customers?
  2. Does it provide remittance, payment, foreign exchange, lending or investment services?
  3. Does it form or administer companies for clients?
  4. Does it act as a real estate developer or licensed broker?
  5. Does it deal in jewelry, precious metals or precious stones?
  6. Does it manage client bank accounts, securities, assets or contributions?
  7. Does a regulator such as the BSP, SEC, Insurance Commission, PAGCOR or AMLC classify the activity as covered?

Businesses with several activities should assess each activity separately. A group may contain both covered and non-covered companies.

2. Assign responsibility at board and senior-management level

The board of directors, partners or sole proprietor remains ultimately responsible for compliance. A covered business should formally designate a compliance officer with sufficient seniority, authority, resources and direct access to the governing body.

The designation should be supported by a board resolution, partners’ resolution or written appointment. The officer should not be treated merely as the person who uploads reports. The role normally includes:

  • Maintaining the AML program
  • Overseeing customer due diligence
  • Reviewing internal transaction alerts
  • Deciding whether an STR should be filed
  • Coordinating with the AMLC and sector regulator
  • Organizing training
  • Keeping evidence of compliance
  • Reporting significant deficiencies to the board

AMLC rules for designated non-financial businesses require active governing-body oversight, a senior compliance officer and a direct reporting line to the board, partners or proprietor. (Supreme Court E-Library)

3. Register through the AMLC’s current registration system

Covered persons must register with the AMLC using its electronic registration framework. The former online registration arrangements were replaced by the Compliance Optimization and Registration System, or CORS.

Businesses should use the official AMLC registration portal and follow the portal-generated checklist. Companies registered under an older system should confirm that their CORS registration and authorized-user details remain active. The AMLC required covered persons to re-register under CORS and has continued issuing implementation and registration advisories. (AMLC Portal)

Documents commonly needed include:

  • SEC, DTI or CDA registration documents
  • Articles of Incorporation, partnership documents or equivalent records
  • Latest General Information Sheet, when applicable
  • Business and regulatory licenses
  • Board or partners’ resolution appointing the compliance officer
  • Identification and contact details of authorized officers
  • Information on branches and business locations
  • Other declarations or certifications generated by the portal

Corporate names, addresses, compliance officers and branch information should be updated promptly when they change.

4. Conduct an institutional risk assessment

A covered person should identify how its products, customers, locations and payment channels could be misused.

The assessment should consider:

  • Cash-intensive transactions
  • Cross-border transfers
  • Customers from higher-risk jurisdictions
  • Non-face-to-face onboarding
  • Complex ownership structures
  • Nominee shareholders or directors
  • Politically exposed persons
  • Transactions involving virtual assets
  • Third-party payments
  • Rapid movement of funds
  • Businesses with no clear operating activity
  • Products that allow anonymity or quick conversion of value

Risk ratings should lead to actual controls. A high-risk client may require additional approval, more frequent reviews, stronger source-of-funds verification and closer monitoring. A “high-risk” label without corresponding action is of little practical value.

For DNFBPs, the institutional risk assessment and the written program should generally be reviewed at least once every two years, or earlier when the business, law, risks or regulatory guidance changes. (Supreme Court E-Library)

5. Adopt a written Money Laundering and Terrorism Financing Prevention Program

The program is often called an MTPP or ML/TF Prevention Program. It should be tailored to the business instead of copied from a generic template.

At minimum, it should explain:

  • Customer acceptance and risk classification
  • Customer due diligence procedures
  • Beneficial ownership verification
  • Enhanced due diligence
  • Politically exposed person handling
  • Sanctions and name screening
  • Transaction monitoring
  • Escalation of internal red flags
  • CTR and STR decision-making
  • AMLC reporting procedures
  • Recordkeeping and retention
  • Confidentiality and prohibition against tipping off
  • Staff screening and training
  • Independent audit and correction of deficiencies
  • Handling of subpoenas, freeze orders and AMLC requests
  • Risks from new products, technologies and delivery channels

The board, partners or proprietor should approve the program formally. Staff who handle customers, payments, records or compliance should be able to access and understand the portions relevant to their work. (Supreme Court E-Library)

6. Perform proper customer due diligence

Customer due diligence, or CDD, means identifying the customer, verifying the customer’s identity using reliable documents, understanding the purpose of the relationship and monitoring activity over time.

For an individual, the file will commonly contain:

  • Full legal name
  • Date and place of birth
  • Residential and business addresses
  • Nationality
  • Contact information
  • Occupation, employer or business
  • Government-issued photo identification
  • Tax or other identifying numbers when required
  • Purpose of the transaction or relationship
  • Expected source and volume of funds

For a corporation, partnership or other juridical entity, obtain:

  • SEC, DTI or CDA registration records
  • Articles of Incorporation, bylaws or partnership documents
  • Current General Information Sheet
  • Principal business address
  • Nature of business
  • Board resolution or secretary’s certificate authorizing the transaction
  • IDs of authorized representatives
  • Ownership and control structure
  • Beneficial ownership declaration
  • Source-of-funds information appropriate to the risk

Verification should normally occur before establishing the relationship. DNFBP rules allow limited post-onboarding verification in genuinely low-risk situations where immediate verification is not possible, but the verification must generally be completed within five working days. (Supreme Court E-Library)

7. Identify the real beneficial owner

The beneficial owner is the natural person who ultimately owns or controls the customer, even when shares or assets appear under another company, nominee or intermediary.

Current AMLC reporting guidelines include persons who exercise ultimate effective control and persons who own at least 20% of the shares, contributions or equity interest. Ownership percentages are not the only test: a person may control a company through agreements, voting arrangements, family relationships or decision-making authority even without reaching the stated percentage.

Do not stop after obtaining a corporate client’s SEC certificate. Trace ownership until the business identifies the relevant natural persons.

Useful documents include:

  • Latest General Information Sheet
  • SEC beneficial ownership declaration
  • Group ownership chart
  • Share registers
  • Trust or nominee agreements
  • Shareholders’ agreements
  • Audited financial statements
  • Records from the SEC HARBOR beneficial ownership system, where access and filing rules permit

A customer’s refusal to identify its true owner is a serious red flag. (harbor.sec.gov.ph)

8. Apply enhanced due diligence where the risk is higher

Enhanced due diligence, or EDD, means obtaining more information and applying closer scrutiny.

EDD may be appropriate when:

  • The customer is a politically exposed person or close associate
  • Ownership involves several offshore entities
  • Funds come from an unrelated third party
  • The transaction has no clear commercial explanation
  • The customer operates in a high-risk or cash-intensive industry
  • The customer comes from or transacts with a higher-risk jurisdiction
  • Public information links the customer to fraud, corruption or other serious offenses
  • The value of the transaction is inconsistent with declared income or operations
  • The customer insists on secrecy or unexplained urgency

Additional checks may include bank statements, tax returns, contracts, invoices, audited financial statements, proof of asset sale, loan agreements, inheritance documents or evidence of business income.

Political exposure should not automatically result in rejection. It normally requires senior approval, source-of-wealth and source-of-funds verification, and enhanced ongoing monitoring.

9. Monitor transactions and document red flags

Monitoring can be electronic or manual, depending on the business’s size and risk.

The system should detect patterns such as:

  • Repeated payments immediately below a threshold
  • Several related customers using the same address, phone number or representative
  • Refund requests to a different account
  • Payment by persons unrelated to the contract
  • Sudden activity in a previously inactive relationship
  • Large cash payments for assets usually purchased through financing
  • Rapid purchase and resale at an unusual price
  • Transactions inconsistent with the customer’s known occupation or business
  • Funds moving through several entities without a clear economic reason

Every alert does not require an STR. It does require a documented review. Record what was checked, what documents were obtained, who made the decision and why the transaction was or was not reported.

10. File CTRs and STRs within the current deadlines

The AMLC’s current filing framework is the Guidelines on Transaction Reporting and Compliance Submissions, or GoTRACS. Reports are filed electronically through the AMLC’s designated reporting facility using the current prescribed formats.

The principal timing rules include:

  • CTR: Within five working days from the covered transaction
  • STR: Generally by the next working day after the business finally determines, within the applicable determination period, that the activity is suspicious
  • Highly unusual, terrorism-related and other specially classified reports: Accelerated rules may apply
  • Attempted suspicious activity: Included where applicable

Under GoTRACS, a CTR submitted after 11:59:59 p.m. on the fifth working day is late. An STR submitted after 11:59:59 p.m. on the next working day following its date of occurrence or final determination may likewise be treated as noncompliant. Different categories of alerts have specific investigation or determination periods, so a business should not rely on an outdated blanket assumption that every STR may be filed five days after the transaction.

If the same transaction is both covered and suspicious, follow the report classification and instructions prescribed by the applicable AMLC rules.

11. Never tip off the customer

Employees must not tell a customer that:

  • An STR has been or will be filed
  • The AMLC is examining the transaction
  • A confidential report has been requested
  • The customer is the subject of an AML review
  • Law enforcement may be investigating the funds

This prohibition is known as the anti-tipping-off rule.

Customer-facing personnel may ask for documents or explain that the request is part of regulatory compliance. They should not disclose an internal decision to report the customer.

Breach of AMLA information security or confidentiality can carry imprisonment of three to eight years and a fine of ₱500,000 to ₱1 million, apart from regulatory sanctions and employment consequences. (Supreme Court E-Library)

12. Retain records securely

Covered DNFBPs must generally retain customer identification and transaction records for at least five years. Records relating to closed or terminated relationships, electronic copies of CTRs and STRs, and internal reporting decisions also have five-year retention requirements.

If a case or investigation is pending, relevant records must be preserved beyond the ordinary period until the matter is officially resolved. (Supreme Court E-Library)

Records should be organized so that the business can reconstruct:

  • Who initiated and approved the transaction
  • Who provided or received the funds
  • The amount, date and method of payment
  • The customer’s identity and beneficial ownership
  • The commercial reason for the transaction
  • Documents reviewed during compliance checks
  • Internal alerts, findings and reporting decisions

13. Protect KYC information under the Data Privacy Act

KYC files often contain passports, addresses, signatures, financial statements and other sensitive information. Collection may be lawful because it is necessary to comply with a legal obligation, but the business must still follow RA No. 10173, or the Data Privacy Act of 2012.

Practical safeguards include:

  • Limit access to authorized personnel
  • Use secured folders and role-based permissions
  • Encrypt sensitive electronic records
  • Avoid sending IDs through personal email or unapproved messaging applications
  • Maintain a retention and secure-disposal schedule
  • Require confidentiality from employees and service providers
  • Keep incident-response and breach-notification procedures
  • Coordinate the AML compliance officer’s work with the company’s data protection officer

The Data Privacy Act permits processing necessary for compliance with a legal obligation while requiring proportionality, confidentiality and reasonable organizational, physical and technical security measures. The full statute is available from the National Privacy Commission. (National Privacy Commission)

14. Train employees and test the program

Training should be practical and role-specific. A cashier needs different instruction from the board, compliance team or customer-onboarding staff.

Training should cover:

  • Basic money laundering and terrorism financing concepts
  • The business’s customer identification rules
  • Red flags relevant to the industry
  • Internal escalation channels
  • CTR and STR confidentiality
  • Data protection
  • Handling of AMLC requests and freeze instructions
  • Consequences of helping customers evade controls

Keep the training materials, attendance records, dates and assessment results.

For DNFBPs, independent internal audits should generally be conducted at least once every two years, or more frequently when justified by risk. The review should test actual files and reports rather than merely confirming that a written policy exists. (Supreme Court E-Library)

Common compliance mistakes and real-life scenarios

Splitting one payment into smaller amounts

A customer asks to pay ₱2 million through four transactions of ₱500,000 because the customer believes this avoids reporting.

This is a classic structuring concern. Exactly ₱500,000 may not cross the general threshold by itself, but deliberately splitting a larger transaction to avoid reporting is a statutory suspicious circumstance.

Accepting payment from an unrelated person

A buyer signs a contract, but payment comes from several individuals or companies with no documented connection to the buyer.

Obtain a written explanation, verify the third-party payers, establish the source of funds and determine the commercial reason for the arrangement. Do not simply change the receipt name to match whoever sent the money.

Treating SEC registration as complete KYC

A shell company can be legally registered while concealing the people who control it.

Review the General Information Sheet, beneficial ownership declaration, ownership chart, authorized signatories and actual business operations. Confirm that declared income and activity reasonably support the transaction.

Using a copied AML manual

A manual written for a bank will not work for a small real estate brokerage. A policy copied from another company may refer to products, departments and systems that do not exist.

Regulators commonly test whether employees follow the manual and whether the procedures match actual operations.

Failing to document a decision not to report

A compliance officer verbally decides that an alert is not suspicious but keeps no review notes.

Months later, the business may be unable to show what information was considered. Maintain records of alerts, inquiries, supporting documents and the reason for closing the review without an STR.

Telling the customer about an STR

An employee says, “We already reported you to AMLC,” hoping to justify a delayed transaction.

This can violate confidentiality rules. Staff should use neutral language, such as explaining that additional documents are required under the company’s compliance procedures.

Delays involving foreign documents

A foreign shareholder or corporate customer may need to provide a passport, foreign registry extract, board authorization, ownership records and proof of address.

Foreign public documents may be requested with an apostille when issued in an Apostille Convention country. Documents from non-convention countries may require the applicable authentication or legalization process. Requirements depend on the receiving covered person and regulator, so the document checklist should be confirmed before execution abroad. The DFA explains that the Apostille Convention has applied in the Philippines since May 14, 2019. (Philippine Embassy in New Delhi)

Compliance documents and practical timelines

Requirement Practical document or evidence Typical legal or operational timing
Covered-person classification Legal and regulatory assessment of activities Before commencing a potentially covered service
Compliance officer appointment Board, partners’ or proprietor’s resolution Before registration and operations
AMLC registration CORS application and supporting records Before carrying on covered activities, subject to current AMLC rules
Institutional risk assessment Written risk assessment with methodology and approval At onboarding and periodically; DNFBP rules generally require review at least every two years
AML program Board-approved MTPP or ML/TFPP Before or at commencement of covered operations; update when risks or rules change
Customer due diligence IDs, entity documents, authority and beneficial ownership records Before establishing the relationship, subject to limited low-risk exceptions
Covered transaction report Electronic CTR Within five working days
Suspicious transaction report Electronic STR and supporting information required by the reporting format Generally by the next working day after final determination under GoTRACS
Customer and transaction records Secure physical or electronic records At least five years; longer for pending cases or investigations
Independent audit Audit report and remediation plan At least every two years for DNFBPs, or more frequently based on risk
Training Materials, attendance logs and assessments Ongoing, with refreshers after legal, risk or procedural changes

There is no single standard compliance cost. Expenses depend on the business’s size and risk and may include corporate-document preparation, secure record systems, screening tools, employee training, independent audits and professional review of the AML program.

Frequently Asked Questions

Does every Philippine corporation need to register with the AMLC?

No. Registration is required for businesses and professionals falling within the statutory and regulatory definition of a covered person. Ordinary operating companies are not automatically covered merely because they are SEC-registered.

Will my bank automatically report a deposit above ₱500,000?

Banks have reporting obligations for covered and suspicious transactions. The general threshold is an amount in excess of ₱500,000 within one banking day, subject to applicable aggregation and reporting rules. A report does not automatically mean the transaction is illegal.

Can a transaction below ₱500,000 be reported?

Yes. Suspicious transactions are reportable regardless of amount. Repeated smaller transactions, unusual third-party payments or activity inconsistent with the customer’s profile can justify an STR.

Can a business refuse to proceed when the customer will not provide KYC documents?

A covered person should not establish or continue a relationship when mandatory identification and verification cannot be completed. It should follow its customer acceptance policy, document the refusal and consider whether the circumstances require an STR.

What should we do if a customer wants to divide a payment?

Determine the commercial reason and examine the entire series of related transactions. Deliberately dividing a larger payment to avoid reporting is a suspicious circumstance and should be escalated to the compliance officer.

Are foreign customers subject to Philippine KYC rules?

Yes. A foreigner may be asked for a passport, Philippine immigration or work documents when applicable, proof of address, source-of-funds evidence and beneficial ownership information. Foreign companies may need registry documents, ownership records and apostilled or authenticated corporate authorizations.

Must a real estate broker report a ₱7.5 million payment by check?

The statutory real estate covered-transaction threshold refers to a single cash transaction in excess of ₱7.5 million. A check, transfer or other payment that is unusual, structured or connected with unlawful activity may still require suspicious transaction review regardless of amount or payment method.

Are lawyers and accountants exempt from AML rules?

Not entirely. The AMLA covers specified services performed by lawyers, accountants and other professionals, but the law protects legitimate privileged communications and attorney-client confidentiality. Privilege is not a blanket exemption for every corporate, financial or administrative service.

How long must AML records be kept?

The general retention period is at least five years for customer identification, transaction records, reports and relevant internal decisions. Records connected with a pending case or investigation must be preserved longer.

Can we tell a customer that we filed an STR?

No. STRs and related information are confidential. Employees may request documents and explain general compliance requirements but must not reveal that a suspicious transaction report was filed or is being considered.

Key Takeaways

  • First determine whether the business is legally classified as a covered person; not every Philippine company must register with the AMLC.
  • Covered persons need active management oversight, an authorized compliance officer, CORS registration and a risk-based written AML program.
  • Identify customers and the natural persons who ultimately own or control corporate clients.
  • A CTR is threshold-based and does not itself establish wrongdoing; an STR is based on suspicious circumstances and can involve any amount.
  • Under current GoTRACS rules, CTRs are generally due within five working days, while STRs are generally due by the next working day after final determination within the applicable review period.
  • Document transaction alerts and decisions even when an STR is ultimately not filed.
  • Never tell a customer that an STR was filed or is being considered.
  • Keep KYC, transaction and reporting records for at least five years, and protect them under the Data Privacy Act.
  • Train employees regularly and test the program through independent, risk-based audits.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.