FATF-aligned policies, Travel Rule across the 15 APAC thresholds, KYC/EDD workflows, transaction monitoring, SAR/STR filings, pre-audit ready on day one. Built for the regulator that will actually inspect it.
In every APAC regime we work in, the AML/CFT programme is the document the regulator reads first and longest. MAS rejections of digital-payment-token applicants between 2020 and 2023 were driven overwhelmingly by weak AML submissions rather than capital or fit-and-proper deficiencies; Japan's JFSA applies the same logic through JVCEA self-regulatory gate-keeping; Hong Kong's SFC VATP regime under VATP licensing inspects policy-to-control traceability line by line. The international enforcement backdrop, the DOJ's USD 500M+ action against OKX in 2025 and the USD 4.3bn Binance settlement in 2023, is why APAC reviewers now open with transaction-monitoring scenarios and SAR quality before examining governance.
We build the programme for the regulator that will actually inspect it. That means the risk assessment, written procedures, technology integration and audit trail must survive a walk-through by a MAS compliance examiner, an SFC on-site, a JFSA quarterly report review, an AUSTRAC compliance assessment or an FIU-IND audit, without re-writing.
A programme that passes regulator scrutiny in APAC shares the same eight building blocks, configured to the local statute. We design each one to the relevant framework. MAS Notice PSN02, HK AMLO Schedule 2, Japan's APTCP, Korea's SFTRA, AUSTRAC AML/CTF programme Parts A and B, India PMLA 2002 (as amended for VDA SPs March 2023), BSP Circular 1108 for the Philippines, and SEC Thailand notifications.
Three tiers of customer due diligence map to the statute. Simplified CDD is permitted only where the regime explicitly provides for it, for example, MAS Notice PSN02 simplified-CDD scope for low-turnover non-custodial wallets, and is always capped by transaction or balance thresholds. Standard CDD covers government-ID verification, liveness or in-person attestation, address proof, and screening against sanctions and PEP lists. Enhanced CDD applies to PEPs, high-risk geographies, complex ownership structures and large-ticket customers, and layers source of funds and source of wealth.
Source of funds explains the origin of the specific monies in a transaction or funding event, typically corroborated by bank statements, sale contracts, loan documentation or salary evidence. Source of wealth explains the customer's overall economic accumulation, audited accounts for a business owner, tax returns for a professional, inheritance paperwork for beneficiaries, investment-portfolio statements for high-net-worth individuals. MAS, HKMA, JFSA and AUSTRAC expect both for every high-risk relationship, not one or the other, and they expect the file to show how the corroboration was obtained, not merely asserted.
Screening runs at onboarding, on every transaction, and continuously on the customer book for list-delta changes. The baseline coverage is the UN Consolidated Sanctions List, OFAC SDN and sectoral lists, the EU Consolidated Financial Sanctions List and UK OFSI. Regime-specific overlays include Hong Kong's UN Sanctions Ordinance designations, MAS Targeted Financial Sanctions under MAS Notice PSN01, Japan's METI and Ministry of Finance designations, Australia's DFAT Consolidated List, and Korea MOFA notifications.
PEP screening follows FATF Recommendation 12: domestic and foreign PEPs, their close associates and family, with match-score thresholds, human-in-the-loop disposition and four-eye sign-off for senior foreign PEPs. Adverse-media taxonomy aligns with FATF typologies and feeds the risk-scoring model. We integrate tier-1 list providers. Dow Jones Risk & Compliance, LexisNexis WorldCompliance, Refinitiv World-Check, ComplyAdvantage, selected case-by-case on coverage and false-positive profile.
A baseline scenario library is the starting point; calibration to the product mix and customer base is where programmes pass or fail inspection. MAS, HKMA, JFSA and AUSTRAC reviewers ask explicitly for scenario rationale, tuning logs and the alert-to-SAR conversion rate.
There is no monetary threshold for suspicion-based reporting, any reasonable ground to suspect triggers a filing. Deadlines vary materially:
Regulators do not mandate a specific vendor but expect evidenced use of a recognised blockchain-analytics provider and a Travel Rule protocol with sufficient counterparty coverage. In practice MAS, SFC, JFSA, AUSTRAC and FIU-IND reviewers accept Chainalysis KYT and Reactor, TRM Labs and Elliptic Lens/Navigator for analytics; Sumsub, Notabene, TRP (TRUST), Shyft and 21 Analytics for Travel Rule messaging. We integrate one primary analytics provider and often keep a secondary for investigations, and we document selection logic, false-positive governance and model-risk oversight in the AML technology policy, what FATF virtual-asset guidance calls a "risk-sensitive approach" to vendor selection.
The MLRO (or AML Compliance Officer, AMLCO) is a senior resident individual with independence from revenue functions. Regulator expectations across APAC converge on ACAMS or ICA advanced certification, a minimum of five years of AML experience in regulated financial services, local-jurisdiction residency (mandatory in Singapore, Hong Kong, Australia, Korea), and a direct reporting line to the board. The MLRO owns STR filings, sign-off on high-risk relationships and the annual AML report to the board.
Training runs at least annually for all staff, with role-specific modules for front office, onboarding, compliance, technology and the board, plus new-joiner training within the first 30 days before any customer contact. Independent audit frequency follows the statute: New Zealand's AML/CFT Act 2009 requires a biennial independent audit; MAS expects risk-based independent review, typically annual for PSA major-payment institutions; Hong Kong AMLO and AUSTRAC expect annual independent review; JFSA conducts on-site monitoring alongside the licensee's internal audit. We scope reviews, engage an independent reviewer separate from the programme designer, and remediate findings before the regulator's next inspection cycle.
FATF Recommendation 16 implementation differs by jurisdiction. We integrate the right Travel Rule solution at the right threshold, the FATF updated guidance (Oct 2021) sets the de minimis at USD/EUR 1,000 but permits local variation:
We design the programme and integrate one of the established AML/Travel Rule vendors (Sumsub, Notabene, Chainalysis KYT, TRM Labs). We do not build proprietary software, that is not our practice.
Typically 6–10 weeks for a full programme, risk assessment, policies, workflow design, vendor integration. Pre-audit gap analysis adds 2–4 weeks.
We provide outsourced AMLO services in jurisdictions where local-resident officers are required and the licensee has not yet hired in-house. Singapore, Korea, Hong Kong (MIC) and others.
FATF Recommendation 15/16 is implemented at regime-specific floors: Singapore SGD 1,500 (MAS Notice PSN02 Para 7), Hong Kong HKD 8,000 (AMLO Schedule 2, in force 1 June 2023), Japan JPY 100,000 (APTCP, 1 June 2023). The EU Transfer of Funds Regulation applies from EUR 1,000 with no de minimis for crypto-asset transfers where counterparty VASPs are involved, relevant when APAC licensees route to EU counterparties.
Three tiers. Simplified / no-doc, only where the regime permits (e.g., low-value non-custodial wallets under SG PSN02 simplified CDD, capped at SGD 1,000 monthly turnover). Standard CDD, government ID, liveness, address proof, screening. Enhanced CDD, source of funds, source of wealth, corroborating documentation, senior-management approval for PEPs, high-risk geographies and structures. Tier triggers are written into the risk assessment and transaction-monitoring rules.
Source of funds explains the origin of the specific monies being transacted (e.g., salary credit, sale of specific asset, loan disbursement) and is corroborated with bank statements or contracts. Source of wealth explains the overall economic accumulation of the customer (business ownership, inheritance, investment portfolio) and is corroborated with audited accounts, tax returns or beneficial-owner disclosures. Regulators. MAS, HKMA, JFSA, expect both for enhanced CDD, not one or the other.
We integrate tier-1 list providers (Dow Jones Risk & Compliance, LexisNexis WorldCompliance, Refinitiv World-Check, ComplyAdvantage) for PEP, RCA and adverse media. Scope covers domestic and foreign PEPs (FATF R.12 requires both), close associates and family, with match-score thresholds, human-in-the-loop disposition, and four-eye approval for senior foreign PEPs. Adverse-media taxonomy aligns with FATF typologies and is tied to the risk-scoring model.
At minimum: UN Consolidated, OFAC SDN and sectoral lists, EU Consolidated, UK OFSI. Regime-specific overlays: Hong Kong's UN Sanctions Ordinance designations, MAS Targeted Financial Sanctions regulations (MAS Notice PSN01 AML/CFT), Japan's METI / MoF designations, Australia DFAT Consolidated List, Korea's MOFA list. Screening runs at onboarding, on every transaction, and continuously on the customer book for list-delta changes.
A baseline library covers structuring and smurfing, rapid movement in/out, darknet-market and mixer exposure (Tornado Cash, Sinbad, Wasabi), sanctions-nexus chains, high-risk jurisdiction nexus, unhosted-wallet concentration, peel chains, and velocity anomalies. Scenarios are calibrated against the institutional risk assessment. MAS, HKMA and JFSA reviewers explicitly ask for scenario rationale, tuning logs, and alert-to-SAR conversion rates.
Regulators do not mandate a specific vendor but expect evidenced use of a recognised blockchain-analytics provider. In practice MAS, SFC, JFSA, AUSTRAC and FIU-IND reviewers accept Chainalysis KYT/Reactor, TRM Labs and Elliptic Lens/Navigator. We integrate one primary and often keep a secondary for investigations. The selection is documented in the AML technology policy with sampling logic, false-positive governance and model-risk oversight.
There is no monetary threshold for suspicion-based reporting, any reasonable ground to suspect triggers filing. Deadlines by regime: Singapore STR to STRO "as soon as practicable" (typically 15 business days internal SLA); Hong Kong STR to JFIU without delay; Japan STR to JAFIC promptly; Australia SMR to AUSTRAC within 3 business days (24 hours for terrorism financing); Philippines STR to AMLC within 5 working days; India STR to FIU-IND within 7 working days of establishing suspicion. We also implement CTR/TTR filings where applicable (AUSTRAC TTR AUD 10,000; AMLC CTR PHP 500,000).
A documented model combines customer factors (residency, occupation, PEP status, entity complexity), product factors (custodial vs non-custodial, privacy coins, fiat rails), channel factors (face-to-face vs remote onboarding), geography (FATF grey/black, own-regime high-risk lists) and behaviour (on-chain exposure score from the analytics partner). Weightings produce a low/medium/high/prohibited tier that drives CDD depth, monitoring sensitivity and review cadence. The model is revalidated annually and after any material regime change.
Frequency depends on the regime. New Zealand AML/CFT Act 2009 requires biennial independent audit. MAS expects risk-based independent review, typically annual for PSA major-payment institutions. Hong Kong AMLO and AUSTRAC expect an annual independent review. JFSA conducts its own on-site monitoring alongside the licensee's internal audit. We scope the review, select an independent reviewer (not the programme designer), and remediate findings before the regulator's next inspection cycle.
The MLRO (or AML Compliance Officer, AMLCO) must be a senior, resident individual with sufficient seniority and independence. Typical regulator expectations: ACAMS or ICA advanced certification, minimum 5 years AML experience in financial services, residency in the licensing jurisdiction (mandatory in Singapore, Hong Kong, Australia, Korea), and direct reporting line to the board. The MLRO owns STR filings, sign-off on high-risk relationships and the annual AML report to the board.
Minimum annual refresher for all staff, plus role-specific modules for front office, onboarding, compliance, technology and the board. New-joiner training within the first 30 days before any customer contact. Topics include typologies, sanctions, Travel Rule mechanics, STR escalation, record-keeping, and regime-specific updates (e.g., Tranche 2 for Australia, stablecoin issuer obligations for Hong Kong). Attendance logs, test scores and material versions are retained. MAS, HKMA and AUSTRAC inspections routinely sample them.
A 30-minute scoping call with the country lead. Programme design scoped to your regime, product mix and Travel Rule requirements.
