AML/CFT/CPF Is No Longer Just a Compliance Function
By: Dr. Ka Fee, Director of Risk & Governance Advisory
AML/CFT/CPF (Anti-Money Laundering, Countering the Financing of Terrorism and Counter Proliferation Financing) Is No Longer Just a Compliance Function: Why Boards and Internal Audit Must Take Ownership
When a financial institution is penalised for AML/CFT/CPF (Anti-Money Laundering, Countering the Financing of Terrorism and Counter Proliferation Financing) weaknesses, the spotlight almost always falls on the compliance team. In reality, however, that perspective is far too narrow.
The deeper question regulators are increasingly asking today is whether the board knew what was happening and, if not, why they did not.
From the collapse of Danske Bank to Wirecard, as well as numerous enforcement actions across Asia, the pattern has been remarkably consistent. The problem was never limited to weak transaction monitoring or gaps in customer due diligence. More often, the root cause was governance structures that failed to escalate financial crime risks to the individuals ultimately responsible for oversight.
In many respects, AML/CFT/CPF failures are not merely compliance failures. They are governance failures.
The Regulatory Expectations Have Changed
In Malaysia, Bank Negara Malaysia has clearly intensified its supervisory expectations under AMLA (Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001), FSA (Financial Services Act 2013), and IFSA (Islamic Financial Services Act 2013).
Regulators today are no longer satisfied with institutions having policies that appear robust on paper. The focus has shifted towards whether controls are genuinely effective in practice, whether risks are properly understood, and whether the board is actively overseeing those risks.
Malaysia’s ongoing engagement with the Financial Action Task Force mutual evaluation process has further elevated expectations. Financial institutions are now expected to demonstrate effectiveness, accountability, and genuine ownership of risk rather than relying solely on procedural compliance.
Where Many Organisations Still Struggle
The uncomfortable reality is that many AML/CFT/CPF weaknesses are deeply structural.
Discussions on risk appetite often give limited meaningful attention to financial crime exposure. Board papers frequently focus on operational statistics such as the number of alerts closed, STRs (Suspicious Transaction Reports) filed, or training sessions completed, instead of assessing whether the institution is genuinely protected against misuse.
At the same time, compliance, risk management, and internal audit functions often operate in silos. Each function performs its own responsibilities, yet no one brings together the broader picture.
Beneath all of this lies another challenge. In some organisations, there is an unspoken tension between commercial growth and risk discipline. When revenue pressures quietly outweigh control concerns, even the strongest written policies gradually lose their effectiveness.
These are not isolated operational shortcomings. They are governance issues hiding in plain sight.
The Board’s Biggest Blind Spot
Boards can only act on the information they receive.
When reporting is overly simplified, heavily filtered, or designed to avoid difficult conversations, directors may develop a false sense of comfort. Effective boards therefore do not simply receive reports. They challenge them.
They ask questions such as:
• Are we measuring activity, or are we measuring effectiveness?
• What risks are not being escalated?
• Where are our control weaknesses?
• Would we know if our AML/CFT/CPF framework was failing?
Importantly, boards must also recognise that having a compliance function does not automatically mean the organisation has effective governance.
Appointing an MLRO (Money Laundering Reporting Officer) may fulfil a regulatory requirement. Meaningful oversight, however, requires active board engagement, independent challenge, and clear accountability.
Those are entirely different matters.
Moving From Compliance-Driven to Risk-Driven Governance
The strongest institutions no longer approach AML/CFT/CPF as a simple box-ticking exercise.
Instead of asking:
“Are we meeting regulatory requirements?”
they ask:
“Are we effectively managing the risk of being used for financial crime?”
That shift changes everything.
It requires boards to define a clear financial crime risk appetite. It requires management to treat AML/CFT/CPF risk as a business risk rather than merely a compliance responsibility. Most importantly, it requires a culture where concerns can be raised openly, even when uncomfortable, instead of being suppressed by commercial pressures.
The Bottom Line
AML/CFT/CPF failures rarely begin with a single missed transaction or a compliance officer overlooking an alert.
More often, they begin much earlier within governance structures that failed to ask the right questions, challenge the right assumptions, or escalate the right risks.
Boards that genuinely take ownership of financial crime risk build institutions that are more resilient, more trusted, and ultimately more sustainable.
Those that fail to do so may eventually find themselves becoming the next cautionary tale.