Why AML Can't Keep Up with Real-Time Cross-Border Payments

Part 1 of 3 - a Series on Payments and Financial Crime

Not long ago, sending money across borders meant waiting days and paying hefty fees. Today, in ASEAN, the same transaction happens in seconds.

Thailand's PromptPay linked to Singapore's PayNow in 2021. Similar connections now span Cambodia, Indonesia, Lao PDR, Malaysia, and Vietnam. Project Nexus promises to become the "internet of payments" for the region -a single hub connecting multiple fast payment systems across jurisdictions.

This is a revolution. But revolutions have consequences.

The same infrastructure that enables a tourist to pay for lunch in Bangkok using their Malaysian bank account also enables criminals to move illicit funds across borders faster than any compliance system can detect.

The Speed Problem

Traditional AML was built for a different era.

The old model worked like this:

transaction occurs → system flags it → analyst investigates → action taken.

This process could take hours, sometimes days. That was acceptable when cross-border transfers themselves took days to settle.

Real-time payments broke this model.

When funds move in seconds, the investigation window collapses to zero. By the time an alert fires, the money is gone, split across multiple accounts, moved to a different jurisdiction, converted to a different currency. The trail goes cold before anyone picks it up.

This isn't a theoretical risk. It's happening now.

The ASEAN Context

ASEAN's payment integration is accelerating faster than its regulatory harmonisation.

Consider the current landscape:

• Bilateral FPS (Faster Payment System) linkages now cover most of the region's cross-border retail flows

• QR code interoperability enables seamless small-value transactions across borders

• Local currency settlement has more than doubled in five years, from 7% to over 15% of intra-regional settlements

• Stablecoins are already popular for remittances in the Philippines and Vietnam, often bypassing traditional banking rails entirely

Each of these innovations creates efficiency. Each also creates gaps.

The AMRO (ASEAN+3 Macroeconomic Research Office) recently warned that anonymous peer-to-peer stablecoin transfers "undermine anti-money laundering efforts." They're right. But the same logic applies to legitimate instant payment rails when screening can't keep pace with settlement.

The Cross-Border Mule Network Risk

Here's where it gets dangerous.

Domestic money mule networks are well understood. Criminals recruit individuals—often unwitting—to receive and forward funds, obscuring the trail between predicate offence and final destination.

Cross-border instant payments supercharge this model.

A fraud victim in Singapore sends money to what they believe is a legitimate recipient. Within seconds, those funds hit a mule account in Malaysia. In a classic 'hop and split' maneuver, the money is divided across eight accounts in three countries. Each individual transaction looks normal. Only the pattern reveals the crime.

Traditional transaction monitoring wasn't built for this. It analyses transactions in isolation, often with significant lag. By the time the pattern emerges, the funds have been withdrawn, converted, or moved offshore.

Detecting cross-border mule networks requires:

• Real-time behavioural analytics that assess risk before settlement, not after

• Cross-institutional data sharing to connect dots across banks and borders

• Graph analytics that map relationships between accounts, not just individual transactions

• Telco integration to catch SIM-swap fraud and device anomalies that signal account takeover

Most institutions aren't there yet. Most regulators aren't requiring it yet. But the criminals are already operating as if the infrastructure exists.

The Regulatory Gap

ASEAN's regulatory frameworks vary widely.

Singapore has robust AML infrastructure. The Philippines has made significant progress. But harmonisation across the region remains incomplete. When payment rails are integrated but compliance standards aren't, arbitrage opportunities emerge.

Criminals don't respect borders. They exploit them.

The EU's MiCA regulation imposes strict licensing and reserve requirements on stablecoin issuers. Japan restricts stablecoin issuance to banks and trust companies. ASEAN has no equivalent regional framework.

AMRO's policy recommendations are sound: strengthen regulatory cooperation, coordinate on AML oversight, enhance resilience. But recommendations aren't requirements. And implementation takes time the criminals aren't giving us.

What's Needed Now

The solution isn't to slow down payment innovation. That ship has sailed. The solution is to accelerate compliance capability to match.

Five priorities for financial institutions operating in ASEAN's instant payment ecosystem:

1. Pre-transaction screening: Move from post-hoc detection to real-time, pre-settlement risk assessment. If you can't stop a bad transaction before it settles, you can't stop it at all.

   
   

2. Behavioural baselines: Static rules don't catch adaptive criminals. Machine learning models that understand normal behaviour and flag deviations in real-time are no longer nice-to-haves.

   
   

3. Cross-border intelligence sharing: Mule networks span jurisdictions. Your detection capability must too. Invest in consortiums, utilities, and bilateral arrangements that enable rapid information exchange.

   
   

4. Graph-based analytics: Individual transactions tell you nothing. Relationship patterns tell you everything. If you're not mapping networks, you're missing the crime.

   
   

5. Integration with non-financial data: Telco signals, device fingerprints, behavioural biometrics - the next generation of fraud detection lives at the intersection of financial and non-financial data.

The Bottom Line

Real-time payments are here to stay. ASEAN's integration will only deepen. Project Nexus, CBDC pilots, stablecoin adoption, the trajectory is clear.

The question is whether compliance infrastructure will evolve fast enough to protect the system.

Right now, the answer is NO.

AML frameworks designed for T+2 batch processing don't work in a T+0 real-time world. Criminals know this. They're exploiting it daily.

The institutions that thrive will be those that treat compliance modernisation not as a regulatory burden, but as a competitive necessity. Because in a world where money moves at the speed of light, trust becomes the ultimate differentiator.

The rails are built. The money is flowing. The only question is: who's watching?

This is Part 1 of our series on Payments and Financial Crime. Part 2 will examine how fraud-to-laundering pipelines exploit instant settlement, and what detection strategies actually work.

-----

JFourth works at the intersection of compliance, technology, and financial inclusion, helping organisations build frameworks that protect the financial system while enabling innovation. Get in touch to learn more.