Imagine: a Malaysian payments provider screens its customers carefully.
Customer due diligence (CDD) is solid. The sanctions lists are current. The programme looks clean.
But the funds moving through its rails touch correspondent accounts in Myanmar, Vietnam, and Cambodia.
Some of those counterparties have never been screened. Some of the entities they deal with are designated.
The Malaysian institution had no idea because the risk didn't start with their customer. It started two steps further up the chain.
This is the sanctions screening challenge that most Malaysian compliance teams haven't fully solved.
Not because their programme is weak.
Because the region makes it structurally harder than it looks.
Key takeaways
Malaysia's own FATF status is clean – but its regional exposure is significant. And correspondent banking makes that exposure direct
Bank Negara Malaysia (BNM), the country's central bank's 2024 amendments and 2025 e-money guidance make sanctions screening explicitly non-negotiable for all reporting institutions
List coverage, name-matching quality, and ongoing re-screening are the three points where most programmes break down
The right sanctions screening setup fits Malaysia's specific regulatory obligations and regional risk profile – not a generic global template
Why Malaysia's sanctions screening challenge is regional, not just domestic
Malaysia is not on the Financial Action Task Force's (FATF) grey or blacklist.
The 2025 FATF/APG mutual evaluation (dated 11 December 2025) found Malaysia compliant on 24 and largely compliant on 16 of the 40 Recommendations – a materially stronger result than its 2015 assessment.
A three-year roadmap of Key Recommended Actions has been issued, with strengthening international cooperation and improving sanctions framework implementation among the priorities.
That's the domestic picture.
However, the regional picture is quite different.
A clean rating in a complex neighbourhood
Malaysia's immediate neighbourhood contains some of the most acute sanctions and anti-money laundering (AML) exposure in the world.

🇲🇲 Myanmar (Burma) is on the FATF blacklist – the most severe designation, unchanged since 2022. OFAC (Office of Foreign Assets Control) sanctions under Executive Order 14014 target military-linked entities directly. Formal banking channels to Myanmar are effectively cut off, yet illicit flows don't stop at the border.
🇻🇳 Vietnam and 🇱🇦 Laos (officially, the Lao People's Democratic Republic) are on the FATF grey list as of June 2026 – jurisdictions under increased monitoring with committed action plans to address identified AML/CFT deficiencies.
🇰🇭 Cambodia is not currently grey-listed, but remains a ocumented high-risk jurisdiction. Cross-border scam compound infrastructure – concentrated along the borders with Thailand and Myanmar – generates fraud and trafficking proceeds that flow regionally, including through Malaysian correspondent accounts.
🇵🇭 The Philippines recently exited the FATF grey list in February 2025 after completing its action plan. The exit reflects real regulatory progress, but the underlying typological risks – including offshore gaming operator (POGO) sector exposure and cross-border payment flows – remain present.
None of these are abstract risks for a Malaysian financial institution. They're the practical operating environment – for cross-border payments, remittances, and correspondent banking relationships that Malaysian FinTechs, payments providers, and banks manage every day.
The correspondent banking exposure most teams underestimate
Every programme screens its own customers. That's the starting point, not the finish line.
The harder problem is indirect exposure.
When a Malaysian institution
- processes a payment that passes through a correspondent bank in a higher-risk jurisdiction, or
- receives funds routed through a chain of intermediaries (some of which may include designated entities)
the Malaysian institution's own screening programme didn't see those links.
The customer was clean. The transaction appeared legitimate. The exposure was two steps away.
This isn't a failure of intent. It's a failure of scope.
A sanctions screening programme calibrated only to the domestic customer base isn't calibrated to the actual risk – in Malaysia’s case, regional risk.
What sanctions screening in Malaysia actually requires
The regulatory framework: AMLATFPUAA and BNM's policy documents
Malaysia's primary AML statute is the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA), enforced by BNM and its Financial Intelligence and Enforcement Department (FIED). The Securities Commission Malaysia (SC) holds parallel authority for capital markets participants.
The December 2024 amendment to AMLATFPUAA – passed by parliament and now in force – explicitly expanded the scope of obligations to cover proliferation financing (CPF) and targeted financial sanctions (TFS). Failure to freeze or report designated specific entities carries direct legal liability.
BNM's AML/CFT, CPF, and TFS Policy Documents are where the day-to-day obligations sit. They define who must be screened, how, at what intervals, and with what documentation standards.
For e-money issuers specifically, BNM's revised Policy Document on Electronic Money – effective January 31, 2025 – made sanctions and PEP screening explicitly non-negotiable. Every new customer screened at onboarding, existing customers re-screened regularly, with no exceptions for lower-value accounts.
The enforcement record makes the stakes concrete. In 2023, BNM fined TNG Digital Sdn Bhd – the operator of Touch 'n Go eWallet – RM 600,000 (approximately 145,000 USD or 126,000 EUR at current rates) after it allowed two sanctioned individuals to register accounts by failing to screen their names against sanctions lists. BNM enforced the penalty despite the breach being voluntarily self-reported.
For financial institutions, penalties can run per transaction or per day of non-compliance.
List coverage: which lists? – And why the Domestic List alone isn't enough
Malaysian reporting institutions are required to screen against two minimum lists: BNM's Domestic List and the United Nations Security Council Resolutions (UNSCR) list. These are the regulatory floor – not the ceiling.
The UNSCR and Domestic List are the regulatory floor. A risk-based programme for an institution with cross-border exposure – particularly to Myanmar, Vietnam, or Cambodia – should additionally screen against
- OFAC's Specially Designated Nationals (SDN) list,
- the EU Consolidated Sanctions List, and
- the UK Sanctions List maintained by the Office of Financial Sanctions Implementation (OFSI).
Each captures designations the others may not, particularly for Myanmar-linked military entities where OFAC's coverage is the most extensive.
An institution that screens only against the Domestic List and UNSCR is meeting its minimum legal obligation. However, it is not managing its actual risk.
The name-matching problem in Southeast Asia
Southeast Asia presents a specific matching challenge that generic screening configurations don't handle well.
Names in Burmese, Khmer, Vietnamese, Lao, and other regional scripts are romanised inconsistently across documents, jurisdictions, and databases. The same individual may appear as three different strings across three different records. A standard exact-match screening engine will miss two of them.

Effective sanctions screening in this region requires fuzzy matching logic, transliteration handling, alias coverage, and configurable match thresholds – calibrated carefully enough to surface genuine hits without generating the alert volumes that lead to analyst fatigue and systematic dismissal.
Where sanctions screening programmes break down in practice
Outdated lists and uneven update cycles
Designations happen continuously. OFAC, the UN, the EU, and HM Treasury each operate on their own update schedules – and a designation that appears overnight is a live exposure from the moment it's published.
A programme that updates its lists weekly has a window of up to seven days during which a newly designated entity could transact without being flagged. In a region where Myanmar-linked entities and their networks are subject to ongoing designation activity, that window is a material risk, not a theoretical one.
Alert volume without regional calibration
A generic screening configuration applied to a Malaysian institution's transaction flows will produce alert volumes shaped by the configuration, not by the actual risk.
Broad matching thresholds generate false positives on common personal names in the region.
Narrow thresholds miss transliteration variants.
Neither outcome serves the compliance team.
Regional calibration, that is
matching thresholds tuned to the specific name characteristics of the relevant source jurisdictions, lists weighted by the institution's actual counterparty exposure
is what separates a screening programme that works from one that generates noise.
Screening at onboarding, silence after
Customer risk doesn't stop changing at onboarding.
A counterparty that was clean at account opening may be designated six months later. An entity that appeared in no watchlist at the time of a payment may appear in three by the time the transaction settles.
BNM's requirements are explicit on this point: ongoing re-screening of existing customers is mandatory, not optional.
Most programmes acknowledge this in their policies. Fewer have the tools or operational infrastructure to execute it consistently across their full customer portfolio.
Sanctions screening best practices: six questions to audit your programme
Before your next BNM examination – or better yet: before your next cross-border payment clears – these are the questions worth asking.
1. Which lists are you screening against, and are they the right ones for your counterparty exposure? The UNSCR and Domestic List are the regulatory minimum. If your institution has correspondent banking relationships, cross-border payment flows, or exposure to Myanmar, Vietnam, or Cambodia, that minimum isn't sufficient.
2. How are your lists updated, and what is the maximum lag between a new designation and your screening engine seeing it? Weekly batch updates are no longer an adequate answer for institutions with real-time payment flows.
3. How does your matching logic handle romanised Southeast Asian names, transliterations, and aliases? If the answer is "exact match only," your screening has gaps that a regional typology audit will find.
4. Are you re-screening your existing customer base, and on what cycle? A documented re-screening cadence, with evidence of execution, is what BNM examiners will ask for. Policy intent without operational evidence isn't a defence.
5. What is your alert-to-case conversion rate? If a significant proportion of alerts are being dismissed without investigation, your thresholds need reviewing. Either they're too broad, or your team is making systematic dismissal decisions that will be hard to justify in an examination.
6. Where does your screening data live, and who can access it? For Malaysian institutions with data residency obligations under PDPA (Personal Data Protection Act), the answer to this question shapes the architecture of your entire screening programme.
How Marble fits Malaysia's sanctions screening requirements
Most screening tools are built for one market. One deployment model. One set of lists. They work until your regulatory environment changes. Until your counterparty exposure shifts. Or a new jurisdiction enters your risk profile.
Then, they need replacing.
Marble is built differently: its architecture fits your obligations – and adapts when those obligations change.
List coverage and update automation
Marble screens against the full range of lists Malaysian institutions need. BNM Domestic List, UNSCR, OFAC SDN, EU Consolidated, and HM Treasury, with additional list support configurable for specific counterparty exposure. List updates are automated – so the gap between a new designation and your screening engine is measured in minutes, not days.
Fuzzy matching and transliteration handling for Southeast Asian names
Marble's matching engine applies fuzzy logic, alias detection, and transliteration handling – configured specifically to the name characteristics of the lists and populations relevant to your screening programme. Common regional names are handled without generating alert volumes that overwhelm your team. Genuine matches surface clearly.
Real-time and scheduled screening, without the operational overhead
Screen at the moment of onboarding. And also at the point of payment. Run scheduled re-screening across your existing customer portfolio. All these modes are auditable, configurable without downtime. All of them can be adjusted by your compliance team as your BNM obligations evolve – without any help from IT.
Data sovereignty: keeping screening data where PDPA and BNM expect it
Marble supports both SaaS and on-premise deployment – with the ability to switch as your requirements change.
For Malaysian institutions with data residency obligations, that means your screening data stays where your regulatory and privacy obligations require – without compromising the screening capability itself.
An audit trail that proves your programme works
Every screening check, every alert, every decision, and every list update is logged, timestamped, and unalterable.
When BNM examiners arrive, the record is already ordered.
You're not reconstructing your programme from memory – you're presenting it.
Build a sanctions screening programme that holds up in Southeast Asia – and beyond
Malaysia's clean FATF rating is an asset worth protecting.
The regional environment makes that harder than any single-jurisdiction screening programme can handle.
The right approach covers all the right lists. It applies matching logic calibrated to the region. It keeps data where your obligations require it. And it generates a ceaseless record that proves your programme works – before anyone asks.
See how Marble handles sanctions screening for Malaysian compliance teams →
Frequently asked questions about sanctions screening in Malaysia
What is sanctions screening?
Sanctions screening is the process of checking customers, counterparties, and transactions against official watchlists of designated individuals, entities, and jurisdictions – to prevent financial institutions from processing funds that flow to or from sanctioned parties.
In the Malaysian context, it is a mandatory component of AML/CFT compliance under BNM's policy framework and AMLATFPUAA.
What sanctions lists apply in Malaysia?
Malaysian reporting institutions are required to screen against
- BNM's Domestic List and
- the UNSCR list as a minimum.
Institutions with cross-border exposure, correspondent banking relationships, or counterparty risk linked to Myanmar, Vietnam, or other higher-risk jurisdictions should additionally screen against OFAC's SDN list, the EU Consolidated Sanctions List, and HM Treasury's UK financial sanctions register.
Is Malaysia on the FATF grey list?
No. Malaysia is not on the FATF grey list or blacklist.
The 2025 FATF/APG mutual evaluation found Malaysia compliant or largely compliant on all 40 Recommendations, with a three-year roadmap of Key Recommended Actions issued.
However, Malaysia's regional environment – including Myanmar on the FATF blacklist and Vietnam and Laos on the grey list – means that institutions operating across the region face significant indirect sanctions exposure regardless of Malaysia's own status.
How do cross-border sanctions risks affect Malaysian financial institutions?
Cross-border risk enters through correspondent banking relationships, payment chains, and trade finance flows. A Malaysian institution may screen its own customers correctly and still process a payment that passes through a designated entity two steps up the chain. Managing this exposure requires list coverage that extends beyond the domestic minimum, and screening logic calibrated to the counterparty risk of the specific corridors the institution operates in.
What does Bank Negara Malaysia require for sanctions screening?
BNM requires all reporting institutions to conduct sanctions screening as part of customer due diligence (CDD) at onboarding and as part of ongoing due diligence throughout the customer relationship. The 2025 e-money policy document makes this explicit for e-money issuers: every new customer must be screened, and existing customers must be re-screened regularly, against both the Domestic List and UNSCR list. The 2024 AMLATFPUAA amendment extended obligations to cover proliferation financing and targeted financial sanctions, with direct legal liability for failure to freeze or report designated entities.

