AMLA Compliance Consulting: Why Your Business Needs It
Articles & Resources
AMLA 18 min read · July 2026

AMLA Compliance Consulting: Why Your Business Needs It

A complete reference on the AMLA audit in Malaysia — and a full readiness checklist, the Labuan dual-audit obligation, and how to prepare.

If your business is a bank, insurer, remittance company, trust company, or one of the professional firms now caught under Malaysia’s anti-money-laundering laws — lawyers, accountants, auditors, company secretaries, real-estate agents, or dealers in precious metals — you are what the law calls a reporting institution. And if you are, an AMLA audit is not optional: it is a standing legal obligation, and increasingly an enforcement priority for Bank Negara Malaysia (BNM) and the Labuan FSA.

This guide brings together what a reporting institution needs to know about the AMLA audit — what it is, who it applies to, the framework behind it, a full readiness checklist, the findings that most often trip organisations up, and the distinct dual-audit obligation Labuan entities face. It is written from the perspective of a practice that performs these reviews across Kuala Lumpur, Petaling Jaya, and Labuan.

01

What is an AMLA audit?

‘AMLA’ refers to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA / AMLATFPUAA) — Malaysia’s primary law for detecting and preventing money laundering and terrorism financing. Bank Negara Malaysia is the competent authority that enforces it, issues supporting policy documents, and receives Suspicious Transaction Reports (STRs).

An AMLA audit is an independent review of a reporting institution’s AML/CFT framework. It exists to answer one question: does the compliance programme actually work in practice, or does it only exist on paper?

Unlike a BNM supervisory examination — conducted by the regulator — an AMLA audit is the independent audit function the institution must maintain internally or through a qualified external party. Its frequency is determined by the Board based on the institution’s ML/TF risk, commonly at least once a year for higher-risk institutions.

During an AMLA audit, the auditor typically evaluates:

  • Risk-management frameworks — whether ML/TF risks are identified and rated
  • Customer due diligence — how customers are identified, verified, and monitored
  • Transaction-monitoring systems — whether suspicious activity is actually caught
  • Internal policies and governance — whether AML/CFT policy is current and Board-approved
  • Staff awareness and training — whether employees can recognise red flags
  • Reporting and record-keeping — whether STRs are filed correctly and records retained

The purpose is not to catch the institution out. It is to confirm — with evidence, not assurances — that the organisation can detect and prevent misuse for money laundering or terrorism financing, and demonstrate it to a regulator on demand.

02

Who needs an AMLA audit?

The obligation attaches to anyone classified as a reporting institution under the Act — a far wider net than most business owners assume.

Financial institutions (FIs) — banks, investment banks, insurers, takaful and retakaful operators, money changers, remittance providers, and capital-market intermediaries — supervised primarily under BNM’s AML/CFT and TFS policy document for financial institutions.

Designated Non-Financial Businesses and Professions (DNFBPs) and Non-Bank Financial Institutions — brought into full AML/CFT scope from 1 January 2020. These include:

  • Lawyers and legal firms
  • Chartered accountants and audit firms
  • Company secretaries
  • Trust companies
  • Notaries public
  • Real-estate agents
  • Dealers in precious metals and precious stones

Labuan-licensed entities — banks, insurers, trust companies, fund managers, leasing and money-broking licensees, and others supervised by the Labuan FSA, which issues its own AML/CFT guidelines aligned with AMLA and FATF standards.

The legal basis for CDD and reporting sits in Part IV of AMLA (‘Reporting Obligations’), with programme requirements set out in BNM’s sector-specific AML/CFT and TFS policy documents — one for financial institutions, one for DNFBPs and NBFIs.

Non-compliance is expensiveFollowing the 2020 amendments, penalties can reach up to RM3 million per offence — separate from reputational fallout with regulators, banking partners, and clients.
03

AMLA audit vs statutory audit

One of the most common points of confusion — especially among Labuan entities and SMEs newly caught under AML/CFT rules — is the difference between an AMLA audit and a statutory audit. They sound similar and are both performed by auditors, but they test entirely different things.

Statutory auditAMLA audit
What it testsWhether financial statements give a true and fair viewWhether the AML/CFT programme is designed and operating effectively
Governing lawCompanies Act 2016 (or Labuan Companies Act 1990)AMLA 2001
Reporting frameworkMFRS or MPERSAMLA + BNM AML/CFT policy document (or Labuan FSA guidelines)
What is reviewedBalance sheet, income statement, cash flow, internal financial controlsRisk assessment, CDD/KYC files, monitoring, STR process, training, compliance-officer function
Who requires itSSM / Labuan FSA / IRBBank Negara Malaysia / Labuan FSA
Typical frequencyAnnuallyAt least annually, or as the Board determines by ML/TF risk

A company can pass its statutory audit with a clean opinion and still fail an AMLA audit outright — because the AMLA audit is not asking whether the numbers are correct, but whether the business has functioning controls to stop illicit money moving through it. For Labuan entities, both obligations run in parallel and neither substitutes for the other.

05

The AMLA audit checklist: 8 areas to review

With the five pillars as the framework, here is a practical, area-by-area checklist mirroring what an AMLA auditor actually walks through.

1

AMLA risk assessment

The foundation everything else is built on — almost always the first document an auditor asks to see.

  • A documented, enterprise-wide ML/TF risk assessment exists
  • Reviewed and updated on a regular cycle, not just at licensing
  • Customer, product, geographic, and delivery-channel risks are individually identified
  • Controls are calibrated to risk
2

Policies & procedures

Outdated or incomplete policies remain among the most common findings across all sectors.

  • Written AML/CFT policies exist and are formally approved by management
  • Policies align with current AMLA and BNM (or Labuan FSA) requirements
  • Procedures are documented clearly enough for staff to follow
  • Policies are reviewed and updated on a regular schedule
3

Customer due diligence (CDD)

The single area regulators scrutinise most heavily during examinations.

  • Identification and verification processes are consistently applied
  • Beneficial ownership is verified for corporate and trust customers
  • A risk rating is assigned to every customer
  • Enhanced Due Diligence is applied to high-risk clients, including PEPs
  • Ongoing monitoring runs throughout the relationship
4

Transaction monitoring & reporting

Auditors test whether suspicious activity can actually be identified in practice.

  • Monitoring can detect unusual or suspicious patterns
  • Escalation procedures for suspicious activity are clearly defined
  • STRs are submitted promptly once suspicion is established
  • Rules and thresholds are periodically reviewed and recalibrated
5

Compliance Officer responsibilities

A senior, genuinely independent compliance function is one of the strongest governance signals.

  • A Compliance Officer is formally appointed at senior level
  • Roles and responsibilities are documented in writing
  • The officer has independent oversight and direct Board access
  • Regular compliance reporting reaches management and the Board
6

Staff training & awareness

Gaps here are easy for auditors to spot by simply asking front-line staff.

  • Training is conducted on a regular schedule, not just at induction
  • Attendance and assessment records are maintained
  • Staff understand their personal reporting obligations
  • New employees are trained before handling customer relationships
7

Record keeping & documentation

Incomplete or hard-to-retrieve records generate observations even when the work was done.

  • Customer records are retained for the required period (commonly 7 years)
  • Transaction records are securely stored and tamper-protected
  • A clear audit trail exists for CDD decisions, risk ratings, and escalations
  • Documentation can be retrieved quickly on request
8

Independent testing & internal review

What demonstrates continuous monitoring rather than once-a-year attention.

  • Periodic internal reviews run between full external audits
  • Independent testing matches the institution's risk profile
  • Issues are documented and tracked to resolution
  • A corrective-action log exists and is reviewed by the Board
06

Common findings (and how to avoid them)

Across engagements, a small set of issues account for the majority of AMLA audit findings — and nearly all are preventable with proactive preparation.

Missing or outdated policies
Often a template adopted at licensing, never updated for later AMLA amendments or the institution's actual risk profile.
Weak CDD documentation
Identity verification performed but not evidenced, or beneficial ownership left unverified for corporate and trust structures.
Inconsistent or stale risk assessments
A risk assessment that no longer reflects the current customer base, products, or geographic footprint.
Insufficient training records
Training delivered but not documented — impossible to demonstrate during an audit.
Poor STR discipline
No clear escalation, or STRs filed inconsistently or too slowly once suspicion is established.
A Compliance Officer without real independence
Appointed on paper, but unable to escalate without going through the business line being monitored.
No evidence of ongoing monitoring
CDD performed only at onboarding, with no process for reviewing customer risk as the relationship continues.

These findings track closely with the gaps Malaysia’s FATF Mutual Evaluation identified nationally — particularly around ongoing-monitoring quality and STR consistency. Examiner attention tends to concentrate where a jurisdiction has already been flagged, which is one more reason CDD quality and monitoring calibration deserve real attention.

FAQ

Frequently asked questions

It gives independent assurance that a reporting institution's AML/CFT policies, procedures, and monitoring systems are properly designed and actually operating effectively — not just documented on paper.
Any entity classified as a reporting institution under AMLA — banks, insurers, remittance providers, and DNFBPs such as lawyers, accountants, auditors, company secretaries, trust companies, notaries, real estate agents, and dealers in precious metals or stones — must maintain an independent AML/CFT audit function.
Frequency is generally set by the Board based on the institution's ML/TF risk exposure, with at least an annual cycle common, particularly for higher-risk institutions.
A statutory audit tests whether financial statements give a true and fair view under MFRS or MPERS. An AMLA audit tests whether the AML/CFT programme functions effectively. Different laws, different criteria — one does not substitute for the other.
Yes. Labuan-licensed entities must submit audited financial statements to Labuan FSA within six months of financial year end, and separately maintain an independent AML/CFT audit function under Labuan FSA's guidelines. Both run in parallel.

In conclusion

The organisations that come through cleanly are rarely the ones with the most resources. They are the ones that treat compliance as continuous rather than reactive: risk assessments that stay current, policies that are actually followed, training that is documented, and a Compliance Officer empowered to raise concerns without friction.

For Labuan entities carrying both a statutory audit and an AML/CFT audit obligation, the stakes are higher still, given the direct link between compliance standing and preferential tax treatment. Engaging an auditor who understands both — and how they interact — is the most efficient way to satisfy two regulators with one coordinated process.

AMLA · AML/CFT Advisory

Facing an AMLA audit?

We perform independent AML/CFT audits and act as outsourced compliance officer for reporting institutions across KL, PJ, and Labuan. Speak with a partner.

Request a consultation