Philippines Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know
The Philippines regulates financial crime through the Bangko Sentral ng Pilipinas (BSP) as the primary supervisor, with the Anti-Money Laundering Act of 2001 (RA 9160) as the core statute. Covered entities must apply customer due diligence, file STRs and CTRs, and retain records for five years. Penalties include fines up to PHP 500,000 per violation and imprisonment of seven to fourteen years upon conviction for money laundering.
Who regulates financial crime in the Philippines?
The Bangko Sentral ng Pilipinas (BSP) is the primary prudential and AML supervisor for banks, quasi-banks, money service businesses, and payment service providers. Its AML/CFT supervision sits within the Financial Supervision Sector. BSP translates RA 9160 obligations into operational circulars for every institution it licenses, and it also supervises virtual asset service providers under its fintech regulatory framework. BSP's regulatory publications are at bsp.gov.ph.
The Anti-Money Laundering Council (AMLC) is the country's Financial Intelligence Unit. It receives, analyses, and acts on suspicious transaction reports and covered transaction reports. AMLC can apply to the Court of Appeals for ex parte freeze orders, initiate civil forfeiture proceedings, and refer criminal cases to the Department of Justice. It coordinates with foreign FIUs through the Egmont Group and the Asia/Pacific Group on Money Laundering (APG). The full framework is at amlc.gov.ph.
The Securities and Exchange Commission (SEC) supervises broker-dealers, investment houses, and capital market intermediaries under RA 9160. It issues AML circulars for its regulated population, and covered persons submit reports to AMLC through the Electronic Reporting System. Details at sec.gov.ph.
The Insurance Commission covers insurance companies, pre-need firms, and health maintenance organisations. All are covered persons under RA 9160, subject to full CDD and reporting requirements, and the Commission coordinates with AMLC on examinations and enforcement referrals. See insurance.gov.ph.
BSP handles bank-sector supervision. SEC covers capital markets. The Insurance Commission covers insurance. AMLC ties the system together as intelligence hub and enforcement arm.
What are the key AML and fraud laws in the Philippines?
The Anti-Money Laundering Act of 2001 (RA 9160) is the primary statute. It has been amended four times. RA 9194 (2003) expanded the list of covered persons. RA 10167 (2012) gave AMLC authority to issue freeze orders without prior court approval in urgent cases. RA 10365 (2013) aligned the law with revised FATF standards. The most consequential amendment, RA 11521 (2021), added real estate brokers, offshore gaming operators (POGOs), casino junket operators, and dealers in precious metals and stones as covered persons, while significantly increasing penalties. The consolidated text is available directly from the AMLC.
The Terrorism Financing Prevention and Suppression Act of 2012 (RA 10168) criminalises TF and extends AMLC's freeze powers to terrorism-linked assets. Covered institutions must address both ML and TF exposure. The two laws operate in tandem: an STR filed under RA 9160 may simultaneously trigger RA 10168 obligations.
For customer due diligence and KYC requirements, the statutory base is RA 9160 as amended, with BSP's AML/CFT implementing regulations providing the operational detail. Those regulations directly reflect FATF Rec 10 on CDD. The five-year record-keeping requirement in Section 9(b) of RA 9160 maps precisely to FATF Rec 11.
The Data Privacy Act of 2012 (RA 10173) governs personal data collected during KYC. For AML teams, the tension is real: RA 9160 requires detailed records and disclosure to AMLC, while RA 10173 restricts unauthorized data sharing. Philippine law resolves this through an explicit exemption for legally mandated disclosures, but institutions must document the lawful basis for every data transfer, including to foreign group entities.
BSP Circular 1108 (2021) on Virtual Asset Service Providers rounds out the digital-finance framework. VASPs must register with BSP and apply full AML/CFT controls, in line with FATF Rec 15 on new technologies.
What controls do Philippine regulators expect?
BSP and AMLC expect covered institutions to maintain a complete AML/CFT control programme. In practice, the circulars require the following.
Customer Due Diligence. Identity verification at onboarding is mandatory, using government-issued ID. CDD must be risk-sensitive: simplified for lower-risk customers, enhanced for higher-risk profiles. Enhanced due diligence (EDD) is mandatory for politically exposed persons, correspondent bank relationships, and non-face-to-face onboarding.
PEP Screening. All covered persons must identify politically exposed persons at onboarding and on an ongoing basis, per FATF Rec 12. Senior management approval is required before establishing or continuing any PEP relationship. Foreign PEPs are treated as high-risk from the outset.
Transaction Monitoring. Ongoing transaction monitoring is required to detect unusual patterns. The covered transaction report (CTR) threshold is PHP 500,000 per transaction, roughly USD 8,700. CTRs must be filed with AMLC within five working days of the covered transaction. There is no minimum amount for STRs.
STR Filing. Suspicious transaction reports must be filed within five working days of determining that a transaction is suspicious. Tipping off a customer about a filed STR is a criminal offence. All filings go through AMLC's Electronic Reporting System.
Sanctions Screening. Customers and transactions must be screened against UN Security Council consolidated lists and AMLC's domestic freeze lists. Real-time screening is expected for new customers; periodic re-screening applies to the existing portfolio.
Record Keeping. Transaction records must be retained for five years from the transaction date. CDD and account records must be kept for five years after the business relationship ends.
What is unique about compliance in the Philippines?
Several features of the Philippine framework catch foreign banks off guard.
FATF grey list history. The Philippines was placed on the FATF grey list in June 2021 and removed in June 2023. The Asia/Pacific Group's mutual evaluation had identified significant gaps in beneficial ownership transparency, VASP oversight, and AML supervision of designated non-financial businesses and professions. The Philippines completed 17 remediation action items to exit the list. That process is finished, but correspondent banks and group compliance functions still apply heightened scrutiny to Philippine flows. The FATF country page tracks the current status.
Beneficial Ownership. RA 11232 (Revised Corporation Code, 2019) requires Philippine corporations to maintain a beneficial ownership register. Listed companies and large private firms must disclose ultimate beneficial owners to the SEC. Banks must verify UBOs at onboarding. In practice, ownership chains involving Filipino conglomerates are often complex: layered holding structures, nominee arrangements, and family-controlled enterprises make UBO identification a substantive exercise, not a checkbox.
VASP Sector. The Philippines has one of Southeast Asia's larger retail crypto markets, driven partly by inward remittances and, historically, play-to-earn gaming. BSP Circular 1108 (2021) created the formal VASP registration regime. Banks interacting with VASPs must apply enhanced due diligence and treat unregistered VASPs as high-risk. The BSP continues to issue guidance in this area; monitor the BSP website for updates.
Remittance Exposure. The Philippines received over USD 37 billion in personal remittances in 2023, according to the Bangko Sentral ng Pilipinas. This makes the remittance channel the primary ML/TF exposure for most institutions. BSP has specific guidance for money service businesses and remittance agents. Don't assume bank-channel remittance flows carry standard risk; in this jurisdiction, they warrant closer scrutiny.
Data Localisation. Sending KYC data offshore for group-level screening requires a data processing agreement and a clear lawful basis under RA 10173. The National Privacy Commission has issued guidance, but the rules are less prescriptive than in comparable markets. Document your legal basis for every cross-border data transfer.
Recent enforcement actions in the Philippines
The best-documented enforcement case in the Philippines is the 2016 Bangladesh Bank heist. Fraudulent SWIFT messages directed USD 81 million from the Bangladesh Bank's account at the Federal Reserve Bank of New York to accounts at Rizal Commercial Banking Corporation (RCBC) in Manila. The funds moved through casino junket operators and were largely dissipated before AMLC could intervene.
BSP fined RCBC PHP 1 billion in 2016, roughly USD 19 million at the time, the largest single fine the regulator had imposed at that point. AMLC filed civil forfeiture cases and referred criminal money laundering charges against several individuals. The RCBC Jupiter Street branch manager was convicted by a Manila regional trial court. The case directly drove the 2021 RA 11521 amendments: tighter controls on casino and junket transactions, and stricter correspondent banking requirements aligned with FATF Rec 13.
BSP's posture has hardened since 2016. The regulator has issued memoranda requiring real-time SWIFT monitoring and mandatory controls for correspondent banking relationships. BSP publishes enforcement orders on its website, though individual penalty amounts are not always disclosed. AMLC's civil forfeiture programme is active: between 2021 and 2023, AMLC obtained freeze orders in cases linked to online gaming fraud, drug trafficking proceeds, and tax-evasion-related deposits. AMLC publishes aggregate enforcement data in its annual reports at amlc.gov.ph.
For context on how regulators respond to transaction monitoring failures at scale, the Westpac 2020 enforcement action is instructive: 23 million alleged contraventions and an AUD 1.3 billion penalty. The RCBC case shows what happens when wire-transfer controls and correspondent bank due diligence break down in a single branch.
What foreign banks operating in the Philippines need to know
Foreign banks can enter the Philippines through three modes: full branch operations, subsidiaries, or representative offices. RA 10641 (2014) allows foreign banks to own up to 100% of a Philippine domestic bank or operate branches directly. The BSP issues the licenses.
Each licensed branch or subsidiary must designate a compliance officer and a Money Laundering Reporting Officer (MLRO) resident in the Philippines. This is a statutory requirement. The MLRO must be a senior officer with direct board access, and the position must be registered with the BSP. Remote oversight from Singapore or Hong Kong is not sufficient; you need a named person on the ground.
Outsourcing AML functions, including screening systems and monitoring platforms, is permitted but requires prior BSP approval and a service-level agreement that preserves the institution's accountability. Group-level shared services can qualify, but the approval process takes time. Build this into your setup timeline.
CTR filing deadline: five working days from the covered transaction. STR filing deadline: five working days from the determination of suspicion. Both are submitted through the AMLC Electronic Reporting System, which requires advance registration and a digital certificate. Get this in place before you go live; it's not something you can set up on the day you need to file.
Language is not an obstacle. BSP circulars are issued in English, and all regulatory filings use English-language templates.
For group compliance teams integrating a Philippine operation, the key watch points are: the PHP 500,000 CTR threshold (lower than many APAC peers), the mandatory in-country MLRO requirement, and the need to screen against AMLC's domestic freeze list alongside UN sanctions. Compared to the United Kingdom, the Philippines runs a more FIU-centric model where AMLC plays a larger and more direct enforcement role than most Western FIUs do.
How FluxForce supports Philippines compliance
FluxForce maps directly to BSP and AMLC control requirements. Its real-time transaction monitoring handles the PHP 500,000 CTR threshold and generates audit-ready evidence for every alert decision. Automated sanctions and PEP screening runs against UN consolidated lists and AMLC domestic freeze orders. Automated STR drafting cuts analyst time from hours to minutes, and full decision explanations support BSP examination responses. Request a demo to see how FluxForce fits your Philippines compliance programme.
FluxForce AI agents monitor transactions against Philippine AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for BSP examinations.