If your business is a bank, insurer, remittance company, trust company, or one of the professional firms now caught under Malaysia’s anti-money-laundering laws — lawyers, accountants, auditors, company secretaries, real-estate agents, or dealers in precious metals — you are what the law calls a reporting institution. And if you are, an AMLA audit is not optional: it is a standing legal obligation, and increasingly an enforcement priority for Bank Negara Malaysia (BNM) and the Labuan FSA.
This guide brings together what a reporting institution needs to know about the AMLA audit — what it is, who it applies to, the framework behind it, a full readiness checklist, the findings that most often trip organisations up, and the distinct dual-audit obligation Labuan entities face. It is written from the perspective of a practice that performs these reviews across Kuala Lumpur, Petaling Jaya, and Labuan.
What is an AMLA audit?
‘AMLA’ refers to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA / AMLATFPUAA) — Malaysia’s primary law for detecting and preventing money laundering and terrorism financing. Bank Negara Malaysia is the competent authority that enforces it, issues supporting policy documents, and receives Suspicious Transaction Reports (STRs).
An AMLA audit is an independent review of a reporting institution’s AML/CFT framework. It exists to answer one question: does the compliance programme actually work in practice, or does it only exist on paper?
Unlike a BNM supervisory examination — conducted by the regulator — an AMLA audit is the independent audit function the institution must maintain internally or through a qualified external party. Its frequency is determined by the Board based on the institution’s ML/TF risk, commonly at least once a year for higher-risk institutions.
During an AMLA audit, the auditor typically evaluates:
- Risk-management frameworks — whether ML/TF risks are identified and rated
- Customer due diligence — how customers are identified, verified, and monitored
- Transaction-monitoring systems — whether suspicious activity is actually caught
- Internal policies and governance — whether AML/CFT policy is current and Board-approved
- Staff awareness and training — whether employees can recognise red flags
- Reporting and record-keeping — whether STRs are filed correctly and records retained
The purpose is not to catch the institution out. It is to confirm — with evidence, not assurances — that the organisation can detect and prevent misuse for money laundering or terrorism financing, and demonstrate it to a regulator on demand.
Who needs an AMLA audit?
The obligation attaches to anyone classified as a reporting institution under the Act — a far wider net than most business owners assume.
Financial institutions (FIs) — banks, investment banks, insurers, takaful and retakaful operators, money changers, remittance providers, and capital-market intermediaries — supervised primarily under BNM’s AML/CFT and TFS policy document for financial institutions.
Designated Non-Financial Businesses and Professions (DNFBPs) and Non-Bank Financial Institutions — brought into full AML/CFT scope from 1 January 2020. These include:
- Lawyers and legal firms
- Chartered accountants and audit firms
- Company secretaries
- Trust companies
- Notaries public
- Real-estate agents
- Dealers in precious metals and precious stones
Labuan-licensed entities — banks, insurers, trust companies, fund managers, leasing and money-broking licensees, and others supervised by the Labuan FSA, which issues its own AML/CFT guidelines aligned with AMLA and FATF standards.
The legal basis for CDD and reporting sits in Part IV of AMLA (‘Reporting Obligations’), with programme requirements set out in BNM’s sector-specific AML/CFT and TFS policy documents — one for financial institutions, one for DNFBPs and NBFIs.
AMLA audit vs statutory audit
One of the most common points of confusion — especially among Labuan entities and SMEs newly caught under AML/CFT rules — is the difference between an AMLA audit and a statutory audit. They sound similar and are both performed by auditors, but they test entirely different things.
| Statutory audit | AMLA audit | |
|---|---|---|
| What it tests | Whether financial statements give a true and fair view | Whether the AML/CFT programme is designed and operating effectively |
| Governing law | Companies Act 2016 (or Labuan Companies Act 1990) | AMLA 2001 |
| Reporting framework | MFRS or MPERS | AMLA + BNM AML/CFT policy document (or Labuan FSA guidelines) |
| What is reviewed | Balance sheet, income statement, cash flow, internal financial controls | Risk assessment, CDD/KYC files, monitoring, STR process, training, compliance-officer function |
| Who requires it | SSM / Labuan FSA / IRB | Bank Negara Malaysia / Labuan FSA |
| Typical frequency | Annually | At least annually, or as the Board determines by ML/TF risk |
A company can pass its statutory audit with a clean opinion and still fail an AMLA audit outright — because the AMLA audit is not asking whether the numbers are correct, but whether the business has functioning controls to stop illicit money moving through it. For Labuan entities, both obligations run in parallel and neither substitutes for the other.
The AMLA audit checklist: 8 areas to review
With the five pillars as the framework, here is a practical, area-by-area checklist mirroring what an AMLA auditor actually walks through.
AMLA risk assessment
The foundation everything else is built on — almost always the first document an auditor asks to see.
- A documented, enterprise-wide ML/TF risk assessment exists
- Reviewed and updated on a regular cycle, not just at licensing
- Customer, product, geographic, and delivery-channel risks are individually identified
- Controls are calibrated to risk
Policies & procedures
Outdated or incomplete policies remain among the most common findings across all sectors.
- Written AML/CFT policies exist and are formally approved by management
- Policies align with current AMLA and BNM (or Labuan FSA) requirements
- Procedures are documented clearly enough for staff to follow
- Policies are reviewed and updated on a regular schedule
Customer due diligence (CDD)
The single area regulators scrutinise most heavily during examinations.
- Identification and verification processes are consistently applied
- Beneficial ownership is verified for corporate and trust customers
- A risk rating is assigned to every customer
- Enhanced Due Diligence is applied to high-risk clients, including PEPs
- Ongoing monitoring runs throughout the relationship
Transaction monitoring & reporting
Auditors test whether suspicious activity can actually be identified in practice.
- Monitoring can detect unusual or suspicious patterns
- Escalation procedures for suspicious activity are clearly defined
- STRs are submitted promptly once suspicion is established
- Rules and thresholds are periodically reviewed and recalibrated
Compliance Officer responsibilities
A senior, genuinely independent compliance function is one of the strongest governance signals.
- A Compliance Officer is formally appointed at senior level
- Roles and responsibilities are documented in writing
- The officer has independent oversight and direct Board access
- Regular compliance reporting reaches management and the Board
Staff training & awareness
Gaps here are easy for auditors to spot by simply asking front-line staff.
- Training is conducted on a regular schedule, not just at induction
- Attendance and assessment records are maintained
- Staff understand their personal reporting obligations
- New employees are trained before handling customer relationships
Record keeping & documentation
Incomplete or hard-to-retrieve records generate observations even when the work was done.
- Customer records are retained for the required period (commonly 7 years)
- Transaction records are securely stored and tamper-protected
- A clear audit trail exists for CDD decisions, risk ratings, and escalations
- Documentation can be retrieved quickly on request
Independent testing & internal review
What demonstrates continuous monitoring rather than once-a-year attention.
- Periodic internal reviews run between full external audits
- Independent testing matches the institution's risk profile
- Issues are documented and tracked to resolution
- A corrective-action log exists and is reviewed by the Board
Common findings (and how to avoid them)
Across engagements, a small set of issues account for the majority of AMLA audit findings — and nearly all are preventable with proactive preparation.
These findings track closely with the gaps Malaysia’s FATF Mutual Evaluation identified nationally — particularly around ongoing-monitoring quality and STR consistency. Examiner attention tends to concentrate where a jurisdiction has already been flagged, which is one more reason CDD quality and monitoring calibration deserve real attention.
Frequently asked questions
In conclusion
The organisations that come through cleanly are rarely the ones with the most resources. They are the ones that treat compliance as continuous rather than reactive: risk assessments that stay current, policies that are actually followed, training that is documented, and a Compliance Officer empowered to raise concerns without friction.
For Labuan entities carrying both a statutory audit and an AML/CFT audit obligation, the stakes are higher still, given the direct link between compliance standing and preferential tax treatment. Engaging an auditor who understands both — and how they interact — is the most efficient way to satisfy two regulators with one coordinated process.
Facing an AMLA audit?
We perform independent AML/CFT audits and act as outsourced compliance officer for reporting institutions across KL, PJ, and Labuan. Speak with a partner.