
BNM Annual Report 2025: The AML/CFT Risks Regulated Institutions Need to Watch in 2026

  • Writer: Ashley Gail
  • Apr 4

18.4 billion reasons to rethink your AML/CFT controls.


Malaysia didn't just inch towards a cashless future in 2025 - it sprinted.

According to Bank Negara Malaysia's (BNM) recently published Annual Report 2025, e-payments surged 25% to 18.4 billion. The average Malaysian now makes 538 digital payments a year. DuitNow QR doubled to 3 billion transactions. Cross-border payments jumped 179%. And RENTAS+ means the national settlement engine never sleeps.


By every measure, Malaysia's payments revolution is a genuine success story.

But here's the uncomfortable truth that doesn't make the headline: every billion transactions added to that number is also a billion more opportunities for financial crime to hide in plain sight.


The payments infrastructure has levelled up. The question compliance professionals need to be asking (loudly, and often) is whether AML/CFT controls have kept pace. In most cases, the honest answer is: not quite.


Cover Page of BNM's Annual Report 2025. Source: Bank Negara Malaysia.

5 Key AML/CFT Risks that Grow with Every Tap and Scan


  1. The Need for Speed vs. The Need for Safety

    Malaysia's payment infrastructure now operates 24/7. What used to take days now takes seconds.

    Let's be honest. Speed is the whole point of modern payments. But what's convenient for consumers is equally convenient for criminals.

    In a 24/7 settlement environment like RENTAS+, a scam victim's funds can be transferred, layered across multiple accounts, and rendered nearly untraceable all within minutes. The old playbook of end-of-day batch monitoring or next-morning manual reviews? That's history now.


    The Shift Required: We ought to be moving from reactive monitoring to real-time monitoring. Pre-transaction controls and real-time intervention are no longer aspirational - they're the baseline. If your monitoring is still primarily post-settlement and retrospective, you're always arriving after the crime scene has been cleaned up.


  2. 'Normal' becomes the Perfect Disguise

    When everyone makes hundreds of digital payments a year, high volume stops being a red flag.

    This creates a dangerous blind spot where structuring or 'smurfing', the practice of breaking large illicit sums into smaller and less suspicious transactions, easily blends into normal behaviour. Alert thresholds become outdated quickly, false negatives increase and compliance teams are left overwhelmed. Unfortunately, many institutions still rely on rule-based transaction monitoring calibration.


    The Shift Required: The question isn't whether you have a transaction monitoring system. It is whether it still knows what suspicious looks like. Monitoring has to evolve from static rules into adaptive, risk-based models that reflect real usage patterns.


  3. The DuitNow QR Explosion and the Hidden CDD Problem

    Malaysia now has nearly 3 million DuitNow QR touchpoints, largely driven by micro and small businesses (MSMEs). While this is a massive win for the economy, it introduces a new AML/CFT pressure point: onboarding at scale without compromising Customer Due Diligence (CDD).

    Informal businesses often lack formal documentation and verifiable transaction histories, creating the perfect cover for 'shell' or fake merchants. A bad actor can easily register as a merchant, generate a QR code and use it to process illicit funds disguised as legitimate retail sales.


    The Shift Required: Move from basic Know-Your-Customer (KYC) at merchant onboarding to robust Know-Your-Business (KYB), an ongoing, risk-based assessment of merchant behaviour that doesn't end the moment the QR code goes live.


  4. A Mobile-First Nation is also a Mule Account Playground

    64% of online banking activity now happens on mobile with 25 million active users. Impressive numbers. Scammers understand this just as well.

    Mule accounts, accounts rented or controlled by criminal networks, are easy to create, simple to operate remotely and difficult to detect through traditional methods. Fraud today is rarely about a single account. It is about networks of accounts, often linked by a shared device, IP address or login patterns.


    The Shift Required: Device intelligence needs to be part of your detection framework. When multiple accounts are accessed from the same device, or show suspicious cross-wallet login patterns and shared infrastructure such as an IP address or device ID, the device is often telling you a truer story than the customer profile.


  5. ASEAN Payment Connectivity: Opportunity Meets Jurisdictional Risk

    Malaysia is rapidly integrating with its neighbours through cross-border QR payments and regional system linkages. While this heavily supports tourism and regional trade, it also introduces a complex reality - that not all jurisdictions operate on equal AML/CFT standards.


    The Shift Required: Real-time sanctions screening, Politically Exposed Person (PEP) checks and adverse media screening need to be woven into cross-border flows. Convenience cannot come at the cost of control integrity.
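
To make the device-intelligence point in item 4 concrete, the sketch below is an added example (not from the BNM report or the author) that clusters accounts linked by a shared device ID or IP address using union-find. The login records, field layout, function names and both tuning limits are assumptions; IPs seen on many accounts are skipped as links so that carrier NAT or public Wi-Fi does not merge unrelated customers.

```python
from collections import defaultdict

# Constructed login events (account, device_id, source_ip); not real data.
LOGINS = [
    ("acct-101", "dev-A", "203.0.113.10"),
    ("acct-102", "dev-A", "203.0.113.11"),
    ("acct-103", "dev-B", "203.0.113.11"),
    ("acct-104", "dev-B", "198.51.100.7"),
    ("acct-201", "dev-C", "192.0.2.50"),   # 192.0.2.50 models a carrier NAT exit
    ("acct-202", "dev-D", "192.0.2.50"),
    ("acct-203", "dev-E", "192.0.2.50"),
    ("acct-204", "dev-F", "192.0.2.50"),
    ("acct-301", "dev-G", "198.51.100.99"),
]

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_accounts(logins, max_ip_fanout=3, min_cluster=3):
    """Group accounts linked by a shared device or a low-fanout shared IP.

    An IP seen on more than max_ip_fanout accounts is treated as shared
    infrastructure (NAT, public Wi-Fi) and not used as a link. Both limits
    are assumed tuning values, not regulatory thresholds.
    """
    by_device, by_ip = defaultdict(set), defaultdict(set)
    for acct, dev, ip in logins:
        by_device[dev].add(acct)
        by_ip[ip].add(acct)

    parent = {acct: acct for acct, _, _ in logins}
    groups = list(by_device.values())
    groups += [a for a in by_ip.values() if len(a) <= max_ip_fanout]
    for accts in groups:
        first, *rest = sorted(accts)
        for other in rest:  # merge every account in the group into one set
            parent[find(parent, other)] = find(parent, first)

    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(parent, acct)].add(acct)
    # Only clusters large enough to warrant analyst review are returned.
    return sorted(sorted(c) for c in clusters.values() if len(c) >= min_cluster)

if __name__ == "__main__":
    for cluster in cluster_accounts(LOGINS):
        print("review as possible linked-account network:", cluster)
```

No single pair among the four flagged accounts shares both a device and an IP; the cluster only appears once the links are chained, which is why per-account rules miss it.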

The Real Risk Isn't the Payment System — It's the Gap

Across many institutions, a recurring issue remains: a lack of integration between customer data, transaction monitoring, and behavioral analytics.

You cannot detect modern financial crime with disconnected systems.

From what we noted in the BNM Annual Report 2025, Malaysia’s digital payment ecosystem is not the problem; it is a profound success. The real risk lies in misalignment - where payment systems race ahead in real-time while AML/CFT controls are left playing catch-up.


How Financial Institutions Should Respond

To remain effective in this high-velocity environment, institutions should prioritise:

  1. Real-Time Monitoring: Move beyond batch processing to live transaction intervention.

  2. Dynamic Risk Rating: Continuously update thresholds and typologies based on current user behavior.

  3. Stronger KYB for MSMEs: Treat merchant onboarding as a rigorous risk-based process, not just a volume exercise.

  4. Device & Behavioral Analytics: Incorporate non-traditional data points into your detection frameworks.

  5. Cross-Border Risk Intelligence: Adopt corridor-specific AML controls for ASEAN payment flows.


The future of AML/CFT is not about slowing payments down. It is about making controls just as fast.

Are your AML/CFT controls keeping pace with your growth?


If your organisation is reassessing its AML/CFT framework for a digital-first environment, Biji Deals supports you in closing the gap between regulatory expectations and operational reality.


© BIJI DEALS PLT 2026