What Are Cambodia's AML Requirements for FinTech?

Cambodia's AML/CFT regime is anchored by the 2020 Law on Anti-Money Laundering and Combating the Financing of Terrorism, which replaced and strengthened the original 2007 law. The 2020 revision aligned Cambodia's framework with all 40 FATF Recommendations, expanding the scope of covered entities, strengthening penalties, and establishing clearer obligations for digital financial services. The law designates "reporting entities" that must comply with AML/CFT requirements, including all banks, MFIs, payment service providers, e-money issuers, securities firms, casinos, real estate agents, and dealers in precious metals. For FinTech firms, this means that any entity licensed by the NBC is automatically a reporting entity subject to the full AML/CFT compliance framework. The NBC issues supplementary Prakas (regulations) that translate the law's requirements into specific operational mandates for financial technology operators.

Customer due diligence (CDD) is the cornerstone of Cambodia's AML framework. All FinTech firms must verify customer identity before establishing a business relationship, opening an account, or processing transactions above prescribed thresholds. Standard CDD requires collecting the customer's full name, date of birth, national ID or passport number, residential address, and source of funds declaration. For individual customers, identity verification must be conducted against a government-issued document. For legal entities, CDD extends to identifying beneficial owners holding 20% or more ownership interest. Enhanced due diligence (EDD) is required for politically exposed persons (PEPs), high-risk jurisdictions, complex transaction patterns, and business relationships involving correspondent banking. FinTech firms must retain CDD records for at least five years after the relationship ends.

CamDigiKey, Cambodia's national digital identity platform, has become the most efficient pathway for FinTech firms to meet CDD requirements. The system provides government-verified identity data through secure API integration, enabling electronic Know Your Customer (e-KYC) processes that replace manual document collection and verification. When a customer authenticates via CamDigiKey during onboarding, the FinTech firm receives verified identity attributes including full legal name, date of birth, national ID number, and photograph -- all authenticated by the government's identity database. This eliminates the need for physical document inspection, reduces identity fraud risk, and cuts onboarding time from days to under 10 minutes. Over 25 financial institutions have integrated CamDigiKey for KYC purposes as of 2025. For FinTech firms, CamDigiKey integration also demonstrates regulatory commitment to the NBC, which actively encourages digital identity adoption as part of Cambodia's Government-as-a-Platform strategy.

All NBC-licensed FinTech firms must implement automated transaction monitoring systems capable of detecting potentially suspicious activity in real-time. The monitoring system must flag transactions that exceed prescribed thresholds (currently $10,000 or equivalent for currency transaction reports), identify patterns consistent with money laundering typologies, and detect structuring or smurfing behavior. When suspicious activity is identified, the firm must file a Suspicious Transaction Report (STR) with CAFIU within the prescribed timeline -- typically within 3 business days of detection, or immediately for terrorism financing concerns. CAFIU received over 4,200 STRs in 2024, a 45% increase from the prior year. FinTech firms must also implement a compliance escalation framework where frontline staff can flag concerns to the designated compliance officer, who evaluates and submits STRs. Importantly, tipping off -- informing the customer that an STR has been filed -- is a criminal offense under Cambodian law.

Cambodia's AML/CFT framework is subject to periodic assessment by the Asia/Pacific Group on Money Laundering (APG), which conducts mutual evaluations to determine compliance with FATF standards. The 2024 mutual evaluation assessed both the technical compliance of Cambodia's legal framework and the effectiveness of its AML/CFT implementation. The evaluation has driven significant regulatory tightening across the financial sector. The NBC has increased examination frequency for licensed institutions, demanded enhanced transaction monitoring capabilities, and required all reporting entities to update their institutional risk assessments. For FinTech firms, this means heightened scrutiny of AML compliance programs during both licensing and ongoing supervision. Firms that entered the market with minimal compliance infrastructure are facing remediation orders, while new applicants must demonstrate more robust AML systems than were required even two years ago.

Cambodia's AML/CFT penalties are severe and have been strengthened under the 2020 law. Criminal penalties for money laundering offenses include imprisonment of 5-10 years and fines up to $2.5 million for individuals, with higher penalties for organized criminal involvement. Legal entities can face fines of up to five times the laundered amount, forced dissolution, and asset confiscation. For FinTech firms, regulatory penalties short of criminal prosecution can be equally devastating. The NBC can impose administrative fines, require immediate remediation of compliance deficiencies, restrict business activities, suspend processing capabilities, or revoke licenses entirely. CAFIU can impose sanctions for failure to file STRs, late filing, or inadequate record keeping. In practice, the most common enforcement actions against FinTech firms involve inadequate transaction monitoring systems and incomplete CDD documentation -- operational deficiencies rather than intentional violations, but penalized nonetheless.

An effective AML compliance program for a Cambodian FinTech firm requires five core components. First, a documented AML/CFT policy approved by the board of directors and reviewed annually. Second, a designated compliance officer with sufficient authority, resources, and direct board reporting. Third, automated CDD and transaction monitoring systems integrated with CamDigiKey and Bakong data feeds. Fourth, regular staff training covering money laundering typologies, reporting obligations, and sanctions screening. Fifth, independent audit of the AML program at least annually. The compliance program must be risk-based, meaning the intensity of monitoring and due diligence scales with assessed risk. Higher-risk products (cross-border transfers, anonymous prepaid instruments), higher-risk customers (PEPs, cash-intensive businesses), and higher-risk jurisdictions require proportionally more intensive controls. CamFinTech helps firms design and implement AML compliance architectures that meet NBC and CAFIU requirements while remaining operationally efficient.

CamFinTech provides specialized AML/CFT advisory services for FinTech firms operating or entering Cambodia. Our services cover the full compliance lifecycle: institutional risk assessment development, AML/CFT policy and procedure drafting aligned with NBC Prakas requirements, CamDigiKey integration architecture for e-KYC workflows, transaction monitoring system specification and vendor selection, CAFIU registration and STR filing process setup, and staff training program development. Our advisory approach recognizes that AML compliance is not a one-time project but an ongoing operational function that must evolve with regulatory changes and business growth. CamFinTech maintains active engagement with NBC and CAFIU regulatory developments, ensuring our clients' compliance programs remain current. For firms preparing for NBC examinations, we provide pre-examination readiness assessments that identify and remediate gaps before the regulator arrives. Our goal is to make AML compliance a competitive advantage rather than a cost burden for Cambodia's FinTech operators.