COMPLIANCE · AML/CFT
AMLA 2001 in Malaysia: who is a reporting institution?
Banks are not the only ones covered. Accountants, company secretaries, lawyers, property and precious-metals dealers can all be reporting institutions — here is how to tell, and what you must do.
Under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA 2001), a reporting institution is any person carrying on an activity listed in the Act's First Schedule. That covers banks and financial institutions and designated non-financial businesses and professions (DNFBPs) — accountants, company secretaries, lawyers, real-estate agents and precious-metals dealers. If you are one, you must run an AML/CFT compliance programme and report suspicious transactions to Bank Negara Malaysia.
Most business owners assume anti-money-laundering law is a banking problem. It is not. The AMLA — the AMLATFPUAA 2001 — reaches a wide band of professional firms and dealers, and Bank Negara Malaysia (BNM) is the supervisor and financial intelligence unit that enforces it. This guide answers the question owners and finance managers actually ask: does my business count as a reporting institution, and if so, what exactly must I do? Every figure here is tied to a section reference and an authoritative source. Carriera is a compliance-focused recruitment and training partner — AML/CFT literacy is part of the finance and governance skill set we both screen for and teach.
Who counts
What is a reporting institution under AMLA 2001?
A reporting institution is any person who carries on a business activity listed in the First Schedule of AMLATFPUAA 2001. The First Schedule is the single test — if your activity is named there, you are a reporting institution and the Act's obligations apply to you, whether you are a multinational bank or a one-person practice. The full Act and the supervisory framework are published on Bank Negara Malaysia's official AML/CFT portal.
The First Schedule splits into two broad groups. The first is financial institutions — licensed banks and investment banks, insurers, money-changers, remittance providers and similar. The second, and the one most owners overlook, is designated non-financial businesses and professions (DNFBPs) together with certain non-bank financial institutions, which BNM supervises directly. See our glossary for plain-language definitions of AML/CFT, DNFBP, CDD and STR.
Are you a DNFBP?
Is my business a reporting institution — the DNFBP list
You are most likely a DNFBP reporting institution if you carry on one of the activities below for clients. The list reflects the DNFBP and non-bank categories that Bank Negara Malaysia supervises for AML/CFT, set out in its DNFBP/NBFI sector page. Use it as an are-you-a-reporting-institution checklist.
| Profession / business | Typical gazetted activity that triggers coverage |
|---|---|
| Accountants | Managing client money, accounts or securities; buying or selling real property; forming or operating companies on a client's behalf |
| Company secretaries | Acting as, or arranging for a person to act as, a company secretary; forming, managing or operating legal entities for clients |
| Lawyers / advocates & solicitors | Handling client funds, conveyancing, and forming or managing companies and trusts for clients |
| Real-estate / property agents | Acting in the buying and selling of immovable property on behalf of clients |
| Dealers in precious metals & stones | Trading in gold, precious metals and gemstones above prescribed cash thresholds |
| Trust companies | Creating, operating or managing trusts and acting as trustee for clients |
| Casinos & licensed gaming | Receiving, holding or paying out funds in the course of gaming operations |
The principle to remember: it is the activity, not the job title, that brings you in. A small accounting or corporate-secretarial firm that manages client money or forms companies is a reporting institution exactly as a bank is. The Malaysian Institute of Accountants confirms this for practising members, noting a firm must appoint a compliance officer regardless of firm size (MIA, Raising STRs Under AMLA).
The four obligations
What are the four main obligations of a reporting institution?
Once you are a reporting institution, AMLA imposes four core duties. They are cumulative — you cannot pick one and skip the rest. The table summarises each duty, what it means in practice and the key timing or threshold attached to it.
| Obligation | What it means | Key detail |
|---|---|---|
| 1. Compliance officer & programme | Appoint a compliance officer and put an AML/CFT compliance programme in place | Notify Bank Negara Malaysia of the compliance officer within 10 working days; required regardless of firm size |
| 2. Customer due diligence (CDD) | Identify and verify each customer and any beneficial owner; understand the purpose of the relationship | Triggered on new relationships, certain one-off transactions, and whenever suspicion arises |
| 3. Record-keeping | Retain customer identification and transaction records, including STR files | Keep for at least 6 years, in a form admissible as evidence under the Evidence Act 1950 |
| 4. Reporting (STR & CTR) | Report suspicious transactions, and large cash transactions, to Bank Negara Malaysia | STR under section 14; cash threshold report (CTR) for cash of RM25,000 or more |
The record-keeping period and the next-working-day STR deadline are drawn from the MIA's guidance for accountants, which states STR files should be kept for six years and that the compliance officer should submit an STR by the next working day from when the suspicion is established (MIA). Reporting channels and forms are published by BNM on its reporting page.
STRs and CTRs
What is an STR, and when must I file one under section 14?
A suspicious transaction report (STR) is the obligation at the heart of AMLA. Under section 14, a reporting institution that suspects, or has reasonable grounds to suspect, that any transaction — including an attempted or proposed one — is connected to money laundering or terrorism-financing proceeds must report it to Bank Negara Malaysia. A separate cash threshold report (CTR) is triggered by cash transactions of RM25,000 or more.
You do not need proof of a crime to file. The trigger is reasonable suspicion. Common red flags that should prompt an STR include:
- Unexplained capital inflows shortly after a company is incorporated, with no commercial rationale.
- Funds split into smaller transfers to stay under reporting thresholds ("structuring").
- A client reluctant to provide identification, or who hides the beneficial owner behind nominees.
- Transactions with no apparent economic or lawful purpose, or inconsistent with the client's known profile.
- A client who repeatedly changes professional advisers without a logical explanation.
Filing in good faith protects you: a person who reports is shielded from civil, criminal or disciplinary action for having done so. The practical message for a finance team is that strong CDD is what surfaces these flags in the first place — weak onboarding means missed reports.
Penalties & enforcement
What happens if a reporting institution does not report?
Non-compliance is enforced, and not only against banks. A recent and concrete example: in April 2026 a Malaysian company secretary, operating through Continuum Corporate House Sdn Bhd, was fined RM50,000 by the Sessions Court under section 86 read with section 14(1)(b) of AMLA for failing to submit two suspicious transaction reports to Bank Negara Malaysia (The Star, 4 May 2026).
That case is the clearest possible answer to "does this really apply to small professional firms?" — it does, and BNM acts on it. More broadly, the MIA notes that non-compliance with the obligation to report an STR can attract a fine of up to RM1 million under AMLA (MIA). Because the law is technical and the exact penalty depends on the offence and section charged, treat the AMLA itself and BNM's policy document as the binding reference rather than any summary.
Check the First Schedule
Match your activities against the First Schedule and BNM's DNFBP list. If any line fits, you are a reporting institution.
Appoint a compliance officer
Name a compliance officer, build your AML/CFT programme, and notify Bank Negara Malaysia within 10 working days.
Train your finance team
Equip the people who onboard clients and approve payments to run CDD and spot STR red flags — fundable through HRD Corp.
Where AMLA meets finance training
How do finance teams build AMLA capability?
AML/CFT compliance is, at root, a finance-and-controls discipline: you cannot spot a suspicious transaction if your people do not understand the cash flows, the customer profile and the controls around them. That is why AMLA literacy belongs alongside budgeting, variance analysis and internal control in any finance team's skill set. Carriera Academy, an HRD Corp Approved Training Provider, runs the programme Financial Analysis, Budgetary Control, and AMLA Compliance — built precisely for this overlap. For the wider context on financial controls in Malaysia, see our pillar guide on financial analysis and budgetary control.
Because Carriera Academy is HRD Corp-recognised, eligible Malaysian employers can fund the training through their HRD Corp levy under SBL-Khas, subject to HRD Corp's current rules. Browse the live programme list on our training page, or speak to us directly about an in-house run for your finance and compliance team.
AMLA reporting institution — FAQ
This guide is general information, not legal advice. For the binding text, refer to the AMLATFPUAA 2001 and Bank Negara Malaysia's AML/CFT policy documents at amlcft.bnm.gov.my. Updated 18 June 2026.
Build AMLA-ready finance capability
Carriera Academy runs the HRD Corp-claimable programme Financial Analysis, Budgetary Control, and AMLA Compliance — so your team can read the numbers and meet the reporting duties. Ask us about an in-house run.
WhatsApp Carriera →