In today's financial landscape, understanding the source of funds (SOF) is crucial for ensuring compliance and preventing financial crimes. Financial institutions must verify the origin of funds to comply with regulations and mitigate risks. This blog post delves into the meaning, importance, best practices, and challenges of verifying the source of funds.

Source of Funds in AML: What It Is and How Banks Verify It

Source of Funds Meaning

The term "source of funds" refers to the origin of the money used in a transaction. This can include earnings from employment, business revenue, investments, or other legitimate income sources.

{{cta-first}}

Source of Funds Example

For instance, if someone deposits a large sum of money into their bank account, the bank needs to verify whether this money came from a legitimate source, such as a property sale, inheritance, or salary.

Here are some common sources of funds:

• Salary: Imagine you've been saving up from your job to buy a new gaming console. When you finally get it, your salary is the Source of Funds for that purchase. In the grown-up world, this could mean someone buying a house with the money they've saved from their job.
• Inheritance: Now, let's say your grandma left you some money when she passed away (may she rest in peace), and you use it to start a college fund. The inheritance is your Source of Funds for that college account.
• Business Profits: If you have a lemonade stand and make some serious cash, and then you use that money to buy a new bike, the profits from your business are your Source of Funds for the bike.
• Selling Assets: Let's say your family decides to sell your old car to buy a new one. The money you get from selling the old car becomes the Source of Funds for the new car purchase.
• Investments and Dividends: Suppose you've invested in some stocks, and you make a nice profit. If you use that money to, say, go on vacation, then the money you made from your investments is the Source of Funds for your trip.

Difference Between Source of Funds and Source of Wealth

Source of Funds (SOF) refers to the origin of the specific money involved in a transaction, such as income from employment, sales, or loans. It is focused on the immediate funds used in a particular financial activity.

Source of Wealth (SOW), on the other hand, pertains to the overall origin of an individual’s total assets, including accumulated wealth over time from various sources like investments, inheritances, or business ownership. It provides a broader view of the person's financial background.

Importance of Source of Funds Verification

Regulatory Requirements and Compliance

Verifying the source of funds is essential for financial institutions to comply with regulations such as anti-money laundering (AML) laws. Regulatory bodies like the Financial Action Task Force (FATF) mandate stringent checks to ensure that funds do not originate from illegal activities.

Financial and Reputational Risks

Failure to verify the source of funds can result in significant financial penalties and damage to an institution's reputation. Banks and other financial entities must implement robust verification processes to avoid involvement in financial crimes and maintain public trust.

Best Practices for Source of Funds Verification

Risk-Based Approach

Implementing a risk-based approach means assessing the risk level of each transaction and customer. Higher-risk transactions require more rigorous verification, ensuring that resources are allocated efficiently and effectively.

Advanced Technology Utilization

Utilizing advanced technologies such as artificial intelligence and machine learning can enhance the efficiency and accuracy of source of funds verification. These technologies can analyze large datasets quickly, identifying potential red flags.

Regular Updates and Audits

Maintaining updated records and conducting regular audits are crucial for an effective source of funds verification. This ensures that the verification processes remain robust and compliant with the latest regulations.

Source of Funds Requirements Across APAC

FATF Recommendation 13 requires financial institutions to apply enhanced due diligence, including source of funds verification for high-risk customers and transactions. In practice, each APAC regulator has translated this into specific obligations.

Australia (AUSTRAC)

Under the AML/CTF Rules Part 7, AUSTRAC requires ongoing customer due diligence that includes verifying source of funds when a transaction or customer profile is inconsistent with prior behaviour or stated purpose. Enhanced customer due diligence — triggered by high-risk customer classification, PEP status, or unusual transaction patterns — requires documented source of funds evidence before the transaction proceeds or the relationship continues.

Acceptable documentation under AUSTRAC guidance includes: recent pay slips (last 3 months), business financial statements, tax returns, property sale contracts, or investment account statements. For inheritance-sourced funds, a grant of probate or solicitor letter is required.

Singapore (MAS)

MAS Notice 626 requires Singapore-licensed FIs to verify source of funds as part of enhanced due diligence for high-risk customers and any customer whose funds originate from high-risk jurisdictions. MAS examination findings have consistently cited inadequate SOF documentation as a gap — specifically, accepting verbal declarations without supporting evidence.

Malaysia (BNM)

BNM's AML/CFT Policy Document requires source of funds verification for EDD-triggered customers, high-value transactions above MYR 50,000 in cash-equivalent form, and corporate accounts where beneficial ownership is complex. BNM specifically requires that SOF evidence be independently verifiable — a customer's own declaration is not sufficient for high-risk accounts.

Philippines (BSP)

BSP Circular 706 and its amendments require source of funds verification for customers classified as high-risk under the institution's risk assessment, and for any transaction that appears inconsistent with the customer's known financial profile. AMLC's guidance notes that source of funds documentation must be retained for a minimum of 5 years.

Common Sources of Funds

Legitimate Sources

Legitimate sources of funds include earnings from employment, business income, investment returns, loans, and inheritances. These sources are generally verifiable through official documentation such as pay slips, tax returns, and bank statements.

Illegitimate Sources

Illegitimate sources of funds might include money from illegal activities such as drug trafficking, fraud, corruption, or money laundering. These sources often lack proper documentation and can pose significant risks to financial institutions if not properly identified and reported.

Challenges in Verifying Source of Funds

Complex Transactions

Complex transactions, involving multiple parties and jurisdictions, pose significant challenges in verifying the source of funds. Tracing the origin of such funds requires comprehensive analysis and robust systems to track and verify all related transactions.

Privacy and Data Protection Concerns

Verifying the source of funds often involves handling sensitive personal data. Financial institutions must balance the need for thorough verification with strict adherence to privacy and data protection regulations, ensuring that customer information is secure.

{{cta-guide}}

What Good Source of Funds Verification Looks Like in Practice

The institutions that handle SOF verification most effectively treat it as a tiered process, not a one-size-all checklist.

For standard-risk customers, verification at onboarding is enough — pay slips, a bank statement, or a tax return. For high-risk customers, EDD-triggered accounts, or transactions that don't fit the pattern, that standard is higher: independently verifiable documentation, a paper trail that shows the funds' journey from origin to arrival, and a compliance officer's written sign-off.

The documentation requirement is not the hard part. The hard part is knowing when to apply it — and that is a transaction monitoring question as much as a KYC question. A source of funds issue that doesn't get flagged at monitoring never reaches the verification stage.

For more on building the monitoring programme that surfaces these cases, see our Transaction Monitoring Software Buyer's Guide and our complete guide to KYC and customer due diligence.

Talk to Tookitaki's team about how FinCense handles source of funds flags as part of an integrated AML and transaction monitoring programme.

Frequently Asked Questions

1. What is source of funds in AML?
Source of funds refers to where the money used in a specific transaction or business relationship comes from. In AML compliance, financial institutions review source of funds to understand whether the money is legitimate and whether it matches the customer’s profile and declared activity.

2. Why is source of funds important in AML compliance?
Source of funds is important because it helps financial institutions assess whether the money involved in a transaction is consistent with what they know about the customer. It supports due diligence, helps identify unusual activity, and reduces the risk of money laundering or other financial crime.

3. What is the difference between source of funds and source of wealth?
Source of funds refers to the origin of the money used in a particular transaction or account activity. Source of wealth refers to how a customer built their overall wealth over time. In simple terms, source of funds looks at where this money came from, while source of wealth looks at how the person became wealthy in general.

4. How do financial institutions verify source of funds?
Financial institutions may verify source of funds using documents such as bank statements, salary slips, business income records, property sale agreements, inheritance papers, dividend records, or other documents that explain where the money originated. The exact documents required depend on the customer, the transaction, and the level of risk involved.

5. When is source of funds verification required?
Source of funds verification is commonly required during customer onboarding, enhanced due diligence, high-risk transactions, or periodic reviews. It may also be requested when a transaction appears unusual or does not match the customer’s known financial behaviour.

6. Is source of funds verification required for every customer?
Not always. The depth of source of funds verification usually depends on the customer’s risk level, the nature of the transaction, and applicable AML regulations. Higher-risk customers and more complex transactions generally require closer scrutiny.

7. What source of funds documentation does AUSTRAC accept?
AUSTRAC's AML/CTF guidance accepts: recent pay slips (last 3 months), business financial statements or tax returns, property sale contracts with settlement documentation, investment account statements, and for inherited funds, a grant of probate or solicitor's letter. Verbal declarations are not sufficient for high-risk customers or transactions triggering enhanced due diligence.

8. Is source of funds verification required for every transaction?No. Source of funds verification is triggered by risk level, not transaction volume. Standard-risk retail customers verified at onboarding do not require SOF documentation for routine transactions. The trigger points are: EDD classification, PEP status, transactions inconsistent with the customer's stated financial profile, high-value cash transactions above reporting thresholds, and periodic review of high-risk accounts. See your regulator's specific guidance — AUSTRAC's Part 7, MAS Notice 626, or BNM's AML/CFT Policy Document — for the applicable triggers in your jurisdiction.

In 2022, Bank Negara Malaysia awarded digital bank licences to five applicants: GXBank, Boost Bank, AEON Bank (backed by RHB), KAF Digital, and Zicht. None of these institutions have a branch network. None of them can sit a customer across a desk and photocopy a MyKad. For them, remote identity verification is not a product feature — it is the only way they can onboard a customer at all.

That is why BNM's eKYC framework matters. The question for compliance officers and product teams at these institutions — and at the e-money issuers, remittance operators, and licensed payment service providers that operate under the same rules is not whether to implement eKYC. It is whether the implementation will satisfy BNM when examiners review session logs during an AML/CFT examination.

This guide covers what BNM's eKYC framework requires, where institutions most commonly fall short, and what the rules mean in practice for tiered account access.

The Regulatory Scope of BNM's eKYC Framework

BNM's eKYC Policy Document was first issued in June 2020 and updated in February 2023. It applies to a wide range of supervised institutions:

• Licensed banks and Islamic banks
• Development financial institutions
• E-money issuers operating under the Financial Services Act 2013 — including large operators such as Touch 'n Go eWallet, GrabPay, and Boost
• Money service businesses
• Payment Services Operators (PSOs) licensed under the Payment Systems Act 2003

The policy document sets one overriding standard: eKYC must achieve the same level of identity assurance as face-to-face verification. That standard is not aspirational. It is the benchmark against which BNM examiners assess whether a remote onboarding programme is compliant.

For a deeper grounding in what KYC requires before getting into the eKYC-specific rules, the KYC compliance framework guide covers the foundational requirements.

The Four BNM-Accepted eKYC Methods

BNM's eKYC Policy Document specifies four accepted verification methods. Institutions must implement at least one; many implement two or more to accommodate different customer segments and device capabilities.

Method 1 — Biometric Facial Matching with Document Verification

The customer submits a selfie and an image of their MyKad or passport. The institution's system runs facial recognition to match the selfie against the document photo. Liveness detection is mandatory — passive or active — to prevent spoofing via static photographs, recorded video, or 3D masks.

This is the most widely deployed method among Malaysian digital banks and e-money issuers. It works on any smartphone with a front-facing camera and does not require the customer to be on a live call or to own a device with NFC capability.

Method 2 — Live Video Call Verification

A trained officer conducts a live video interaction with the customer and verifies the customer's face against their identity document in real time. The officer must be trained to BNM's specified standards, and the session must be recorded and retained.

This method provides strong identity assurance but introduces operational cost and throughput constraints. Some institutions use it as a fallback for customers whose biometric verification does not clear automated thresholds.

Method 3 — MyKad NFC Chip Reading

The customer uses their smartphone's NFC reader to read the chip embedded in their MyKad directly. The chip contains the holder's biometric data and personal information, and the read is cryptographically authenticated. BNM considers this the highest assurance eKYC method available under Malaysian national infrastructure.

The constraint is device compatibility: not all smartphones have NFC readers, and the feature must be enabled. Adoption among mass-market customers remains lower than biometric methods as a result.

Method 4 — Government Database Verification

The institution cross-checks customer-provided information against government databases — specifically, JPJ (Jabatan Pengangkutan Jalan, road transport) and JPN (Jabatan Pendaftaran Negara, national registration). If the data matches, the identity is considered verified.

BNM treats this as the lowest-assurance method. Critically, it does not involve any biometric confirmation that the person submitting the data is the same person as the registered identity. BNM restricts Method 4 to lower-risk product tiers, and institutions that apply it to accounts exceeding those tier limits will face examination findings.

Liveness Detection: What BNM Expects

BNM's requirement for liveness detection in biometric methods is explicit in the February 2023 update to the eKYC Policy Document. The requirement exists because static facial matching alone — matching a selfie against a document photo — can be defeated by holding a photograph in front of the camera.

BNM expects institutions to document the accuracy performance of their liveness detection system. The specific thresholds the policy document references are:

• False Acceptance Rate (FAR): below 0.1% — meaning the system incorrectly accepts a spoof attempt in fewer than 1 in 1,000 cases
• False Rejection Rate (FRR): below 10% — meaning genuine customers are incorrectly rejected in fewer than 10 in 100 cases

These are not defaults — they are floors. Institutions must document their actual FAR and FRR in their eKYC programme documentation and must periodically validate those figures, particularly after model updates or changes to the verification vendor.

Third-party eKYC vendors must be on BNM's approved list. An institution using a vendor not on that list — even a globally recognised biometric vendor — does not have a compliant eKYC programme regardless of the vendor's technical capabilities.

Account Tiers and Transaction Limits

BNM applies a risk-based framework that links account access limits to the assurance level of the eKYC method used to open the account. This is not optional configuration — these are regulatory caps.

Tier 1 — Method 4 (Database Verification Only)

• Maximum account balance: MYR 5,000
• Maximum daily transfer limit: MYR 1,000

Tier 2 — Methods 1, 2, or 3 (Biometric Verification)

• E-money accounts: maximum balance of MYR 50,000
• Licensed bank accounts: no regulatory cap on balance (subject to the institution's own risk limits)

If a customer whose account was opened via Method 4 wants to move into Tier 2, they must complete an additional verification step using a biometric method. That upgrade process must be documented and the records retained — the same as any primary onboarding session.

This tiering structure means product decisions about account limits are also compliance decisions. A digital bank that launches a savings product with a MYR 10,000 minimum deposit and relies on Method 4 for onboarding has a compliance problem, not just a product design problem.

Record-Keeping: What Must Be Retained and for How Long

BNM requires that all eKYC sessions be recorded and retained for a minimum of 6 years. The records must include:

• Raw images or video from the verification session
• Facial match confidence scores
• Liveness detection scores
• Verification timestamps
• The outcome of the verification (approved, rejected, referred for manual review)

During AML/CFT examinations, BNM examiners review eKYC session logs. An institution that can demonstrate a successful biometric match but cannot produce the underlying scores and timestamps for that session does not have compliant records. This is a documentation failure, not a technical one and it is one of the more common findings in Malaysian eKYC examinations.

eKYC Within the Broader AML/CFT Programme

A compliant eKYC onboarding process does not discharge an institution's AML/CFT obligations for the full customer lifecycle. BNM's AML/CFT Policy Document — separate from the eKYC Policy Document — requires institutions to apply risk-based customer due diligence (CDD) continuously.

Two areas where this creates friction in eKYC-based operations:

High-risk customers require Enhanced Due Diligence (EDD) that eKYC cannot complete. A customer who is a Politically Exposed Person (PEP), operates in a high-risk jurisdiction, or presents unusual transaction patterns requires EDD. Source of funds verification for these customers cannot be completed through biometric verification alone. Institutions must have documented rules specifying when an eKYC-onboarded customer triggers the EDD workflow — and those rules must be reviewed and enforced in practice, not just documented.

Dormant account reactivation is a re-verification trigger. BNM expects institutions to treat the reactivation of an account dormant for 12 months or more as an event requiring re-verification. This is a common gap: many institutions have onboarding eKYC workflows but no corresponding re-verification process for dormant accounts coming back to active status.

For institutions that have deployed transaction monitoring alongside their eKYC programme, integrating eKYC assurance levels into monitoring rule calibration is good practice — a Tier 1 account that begins transacting at Tier 2 volumes is exactly the kind of pattern that should generate an alert. The transaction monitoring software buyer's guide covers what to look for in a system capable of handling this kind of integrated logic.

Common Implementation Gaps

Based on BNM examination findings and the February 2023 policy document guidance, four gaps appear most frequently in Malaysian eKYC programmes:

1. Using Method 4 for accounts that exceed Tier 1 limits. This is the most consequential gap. If an account opened via database verification reaches a balance above MYR 5,000 or a daily transfer above MYR 1,000, the institution is operating outside the regulatory framework. The fix requires either enforcing hard caps at the product level or requiring biometric re-verification before account limits expand.

2. No liveness detection documentation. An institution that has deployed biometric eKYC but cannot demonstrate to BNM that it tested for spoofing — with documented FAR/FRR figures — does not have a defensible eKYC programme. The technology alone is not enough; the validation and documentation must exist.

3. Third-party eKYC vendor not on BNM's approved list. BNM maintains an approved vendor list for a reason. An institution that integrated a non-listed vendor, even one with strong global credentials, needs to remediate — either by migrating to an approved vendor or by engaging BNM directly on the approval process before continuing to use that vendor for compliant onboarding.

4. No re-verification trigger for dormant account reactivation. Institutions that built their eKYC programme around the onboarding workflow and never implemented re-verification logic for dormant accounts have a gap that BNM examiners will find. This requires both a policy update and a system-level trigger.

What Good eKYC Compliance Looks Like

A compliant eKYC programme in Malaysia has five elements that work together:

1. At least one BNM-accepted verification method, implemented with a BNM-approved vendor and validated to the required FAR/FRR thresholds
2. Hard account tier limits enforced at the product level, with a documented upgrade path that triggers biometric re-verification for Tier 1 accounts requesting higher access
3. Complete session records — images, scores, timestamps, and outcomes — retained for the full 6-year period
4. EDD triggers documented and enforced for high-risk customer categories, including PEPs and high-risk jurisdiction connections
5. Re-verification workflows for dormant accounts reactivating after 12 months of inactivity

Meeting all five is not a one-time project. BNM expects periodic validation of vendor performance, regular review of threshold calibration, and documented sign-off from a named senior officer on the state of the eKYC programme.

For Malaysian institutions building or reviewing their eKYC programme, Tookitaki's AML compliance platform combines eKYC verification with transaction monitoring and ongoing risk assessment in a single integrated environment — designed for the requirements BNM examiners actually check. Book a demo to see how it works in a Malaysian digital bank or e-money context, or read our KYC framework overview for a broader view of where eKYC sits within the full compliance programme.

The profits looked real. The numbers kept climbing. And that was exactly the trap.

The Scam That Looked Legit — Until It Wasn’t

She watched her investment grow to NT$250 million.

The numbers were right there on the screen.

So she did what most people would do, she invested more.

The victim, a retired teacher in Taipei, wasn’t chasing speculation. She was responding to what looked like proof.

According to a report by Taipei Times, this was part of a broader scam uncovered by authorities in Taiwan — one that used a fake investment app to simulate profits and systematically extract funds from victims.

The platform showed consistent gains.
At one point, balances appeared to reach NT$250 million.

It felt credible.
It felt earned.

So the investments continued — through bank transfers, and in some cases, through cash and even gold payments.

By the time the illusion broke, the numbers had disappeared.

Because they were never real.

Inside the Illusion: How the Fake Investment App Worked

What makes this case stand out is not just the deception, but the way it was engineered.

This was not a simple scam.
It was a controlled financial experience designed to build belief over time.

1. Entry Through Trust

Victims were introduced through intermediaries, referrals, or online channels. The opportunity appeared exclusive, structured, and credible.

2. A Convincing Interface

The app mirrored legitimate investment platforms — dashboards, performance charts, transaction histories. Everything a real investor would expect.

3. Fabricated Gains

After initial deposits, the app began showing steady returns. Not unrealistic at first — just enough to build confidence.

Then the numbers accelerated.

At its peak, some victims saw balances of NT$250 million.

4. The Reinforcement Loop

Each increase in displayed profit triggered the same response:

“This is working.”

And that belief led to more capital.

5. Expanding Payment Channels

To sustain the operation and reduce traceability, victims were asked to invest through:

• Bank transfers
• Cash payments
• Gold and other physical assets

This fragmented the financial trail and pushed parts of it outside the system.

6. Exit Denied

When withdrawals were attempted, friction appeared — delays, additional charges, or silence.

The platform remained convincing.
But it was never connected to real markets.

Why This Scam Is a Step Ahead

This is where the model shifts.

Fraud is no longer just about convincing someone to invest.
It is about showing them that they already made money.

That changes the psychology completely.

• Victims are not acting on promises
• They are reacting to perceived success

The app becomes the source of truth.This is not just deception. It is engineered belief, reinforced through design.

For financial institutions, this creates a deeper challenge.

Because the transaction itself may appear completely rational —
even prudent — when viewed in isolation.

Following the Money: A Fragmented Financial Trail

From an AML perspective, scams like this are designed to leave behind incomplete visibility.

Likely patterns include:

• Repeated deposits into accounts linked to the network
• Gradual increase in transaction size as confidence builds
• Use of multiple beneficiary accounts to distribute funds
• Rapid movement of funds across accounts
• Partial diversion into cash and gold, breaking traceability
• Behaviour inconsistent with customer financial profiles

What makes detection difficult is not just the layering.

It is the fact that part of the activity is deliberately moved outside the financial system.

Red Flags Financial Institutions Should Watch

Transaction-Level Indicators

• Incremental increase in investment amounts over short periods
• Transfers to newly introduced or previously unseen beneficiaries
• High-value transactions inconsistent with past behaviour
• Rapid outbound movement of funds after receipt
• Fragmented transfers across multiple accounts

Behavioural Indicators

• Customers referencing unusually high or guaranteed returns
• Strong conviction in an investment without verifiable backing
• Repeated fund transfers driven by urgency or perceived gains
• Resistance to questioning or intervention

Channel & Activity Indicators

• Use of unregulated or unfamiliar investment applications
• Transactions initiated based on external instructions
• Movement between digital transfers and physical asset payments
• Indicators of coordinated activity across unrelated accounts

The Real Challenge: When the Illusion Lives Outside the System

This is where traditional detection models begin to struggle.

Financial institutions can analyse:

• Transactions
• Account behaviour
• Historical patterns

But in this case, the most important factor, the fake app displaying fabricated gains — exists entirely outside their field of view.

By the time a transaction is processed:

• The customer is already convinced
• The action appears legitimate
• The risk signal is delayed

And detection becomes reactive.

Where Technology Must Evolve

To address scams like this, financial institutions need to move beyond static rules.

Detection must focus on:

• Behavioural context, not just transaction data
• Progressive signals, not one-off alerts
• Network-level intelligence, not isolated accounts
• Real-time monitoring, not post-event analysis

This is where platforms like Tookitaki’s FinCense make a difference.

By combining:

• Scenario-driven detection built from real-world scams
• AI-powered behavioural analytics
• Cross-entity monitoring to uncover hidden connections
• Real-time alerting and intervention

…institutions can begin to detect early-stage risk, not just final outcomes.

From Fabricated Gains to Real Losses

For the retired teacher in Taipei, the app told a simple story.

It showed growth.
It showed profit.
It showed certainty.

But none of it was real.

Because in scams like this, the system does not fail first.

Belief does.

And by the time the transaction looks suspicious,
it is already too late.