Labuan (Malaysia)

**Labuan Financial Services and Securities Act 2010 (LFSSA 2010)**

**Guidance Note on the Offering and Trading of Digital Assets in Labuan IBFC (the DA Guidance Note)**: This is the most crucial document, specifically outlining the regulatory requirements for digital asset businesses. It was initially issued in 2019 and may undergo updates.

**Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001)**: The national AML/CFT law applicable to Labuan entities.

**LFSA's Guidelines on AML/CFT**: Specific guidelines issued by LFSA to complement AMLA 2001.

**For Digital Asset Exchanges (DAX):**

**Required License:** A Labuan company intending to operate a digital asset exchange (i.e., operating a trading platform, brokering, dealing, or acting as an intermediary for digital assets) must obtain a license as a **Labuan Digital Asset Exchange** or generally fall under the scope of a **Labuan Digital Asset Business** as defined in the DA Guidance Note.

This license permits the licensee to:

Operate a platform for the primary and secondary trading of digital assets.

Facilitate the matching of buy and sell orders.

Provide related services like listing new digital assets.

**Required License:** Standalone digital asset custody services often fall under the broader definition of a **Labuan Digital Asset Business** regulated by the LFSA, or it may be an ancillary service provided by a licensed Labuan Digital Asset Exchange.

The DA Guidance Note explicitly covers aspects related to the custody of digital assets, requiring robust security, operational resilience, and client asset segregation. While there isn't a *separate, specific* "custody license" distinct from the "Digital Asset Business" umbrella, providing custody is a regulated activity within that framework.

**For Payment Processors (involving Digital Assets):**

**Required License:** This category is more nuanced:

**Crypto-to-Crypto or Crypto-only Payments:** If the service solely involves processing payments in digital assets without converting to or from fiat currency, it would likely fall under the scope of a **Labuan Digital Asset Business** or specific approvals from LFSA under the DA Guidance Note, focusing on the transfer and settlement aspects of digital assets.

**Fiat-to-Crypto / Crypto-to-Fiat Payments (Remittance/Money Changing):** If the payment processor facilitates the exchange of fiat currency for digital assets, or vice-versa, or offers remittance-like services using digital assets, it would typically require a **Labuan Money Broking License** *in addition to* or *in conjunction with* being regulated as a digital asset business. A Labuan Money Broking license covers money changing and remittance services.

It is crucial to clarify the exact nature of the payment processing activity with LFSA during the pre-application stage.

The DA Guidance Note does not specify a fixed minimum paid-up capital for all digital asset businesses but requires capital commensurate with the proposed business activities, scale, and risk profile.

For a Labuan Money Broking license (if applicable for payment processing), the minimum paid-up capital is RM250,000 (approx. USD 50,000-60,000, subject to exchange rates).

For full-fledged digital asset exchanges or complex operations, LFSA will expect significantly higher capital, potentially in the range of RM 500,000 to RM 1,000,000 or more, depending on the business model and risk assessment.

Strict compliance with AMLA 2001 and LFSA's AML/CFT guidelines.

Implementation of comprehensive Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures.

Reporting of suspicious transactions (STRs) to the Financial Intelligence Unit (FIU) of Bank Negara Malaysia.

Appointment of a qualified Compliance Officer (often a local resident).

Adherence to international sanctions lists.

**Physical Office:** A physical office space in Labuan.

**Resident Director:** At least one resident director (often two are preferred or required by corporate service providers).

**Qualified Personnel:** Appointment of sufficient and appropriately qualified personnel residing in Labuan to manage and operate the business.

**Operational Control:** Demonstration that key decisions and operational activities are conducted from Labuan.

A robust corporate governance framework.

Fit and Proper criteria for all directors, shareholders, and senior management.

Experienced and competent management team.

Strong risk management, internal control, and audit frameworks.

Demonstration of robust and secure IT infrastructure.

Comprehensive cybersecurity measures (e.g., penetration testing, encryption, access controls).

Data integrity and privacy protection.

Business continuity and disaster recovery plans.

For custody, secure storage solutions (e.g., hot/cold wallet management, multi-signature authentication).

A detailed and comprehensive business plan outlining the proposed activities, operational procedures, financial projections, target market, risk assessment, and technological infrastructure.

**Pre-Consultation (Optional but Recommended):** Engage with LFSA or an authorized Labuan company secretary/advisory firm to discuss the proposed business model and clarify regulatory requirements.

Information on directors, shareholders, and senior management (KYC documents, professional qualifications, fit and proper declarations).

Financial projections (minimum 3-5 years).

Detailed operational manual, including AML/CFT policies and procedures.

Technological whitepaper outlining system architecture, security measures, and IT infrastructure.

**Submission of Application:** The complete application package is submitted to LFSA, usually through a licensed Labuan corporate service provider.

**LFSA Review and Due Diligence:** LFSA will conduct thorough due diligence on the applicant, its principals, and the proposed business model. This may involve requests for further information or clarification.

**Interview(s):** Key principals of the applicant company may be required to attend an interview with LFSA.

**Conditional Approval:** If the application is successful, LFSA may issue a conditional approval, stipulating conditions to be met before the final license is granted (e.g., injection of paid-up capital, setting up the physical office, hiring key personnel).

**Fulfillment of Conditions:** The applicant must satisfy all conditions within the stipulated timeframe.

**Final License Issuance:** Upon successful fulfillment of all conditions, LFSA will issue the official license.

**Labuan Financial Services Authority (LFSA) Official Website:**

This is typically found under the "Areas of Business" -> "Financial Services" -> "Investment Banking and Fund Management" -> "Digital Asset Businesses" section on the LFSA website.

Direct link to the section where the Guidance Note can be found (the specific PDF link may change with updates):

*Note: You may need to navigate this page to find the latest version of the "Guidance Note on the Offering and Trading of Digital Assets in Labuan IBFC" PDF.*

Often available on the LFSA website under "Legislation" or via legal databases.

Governed by Bank Negara Malaysia (BNM).

These general guidelines apply to all regulated entities in Labuan. Search the LFSA website for "AML/CFT" in their "Guidelines" section.

*URL Reference:* LFSA website - Policy Documents section (You'll need to navigate to the "Digital Asset Businesses" section within Policy Documents, or search for "Digital Asset Businesses").

**Labuan Perspective:** While the LFSA regulates financial services in Labuan, Bank Negara Malaysia (BNM) is the primary regulator for e-money in Malaysia itself. For a stablecoin to be classified as e-money within the Labuan IBFC, it would likely fall under existing financial services provisions, requiring appropriate licensing for payment system operators or money broking activities, depending on its specific use case. The LFSA would assess whether the stablecoin issuer's activities fall within the scope of regulated financial services under the LFSSA 2010.

**Specific Legislation/Reference:** The **Payment Systems Act 2003 (PSA)** and related BNM policies primarily govern e-money in Malaysia. For Labuan, the LFSSA 2010 and the Policy Document on Digital Asset Businesses would be applied to the entity operating the stablecoin.

**Labuan Perspective:** Such stablecoins would fall under the provisions for securities or collective investment schemes as per the LFSSA 2010. Offering such a stablecoin would require the issuer to be licensed for capital markets services.

In cases where stablecoins don't fit squarely into e-money or securities, they are generally treated as "digital assets" within the LFSA's framework, which regulates the *businesses* dealing with these assets.

**No specific, standalone stablecoin reserve requirements** are explicitly detailed in Labuan's general digital asset policy documents.

Instead, the LFSA focuses on the **financial soundness, capital adequacy, and robust risk management** of the *licensed entity* (the stablecoin issuer or platform).

**Key Considerations for Licensed Entities:**

**Capital Adequacy:** Licensed digital asset businesses must maintain adequate capital to support their operations and risks.

**Segregation of Client Assets:** A crucial requirement for custodians (which a stablecoin issuer holding reserves effectively is) is the segregation of clients' digital assets from the firm's own assets.

**Custody Arrangements:** Clear and robust arrangements for the custody of underlying reserve assets (fiat currency, other assets) are expected. This includes multi-signature wallets, cold storage for digital assets, and reputable financial institutions for fiat holdings.

**Audit and Transparency:** LFSA would expect regular independent audits of the reserves to ensure they match the stablecoin in circulation. Transparency regarding the composition and location of reserves would be a key expectation for investor/user confidence.

**AML/CFT:** All licensed entities must comply with anti-money laundering and counter-financing of terrorism (AML/CFT) requirements, which indirectly relate to the security and oversight of funds.

**Legislation/Reference:** **LFSSA 2010** (general powers for financial soundness) and the **Policy Document on Digital Asset Businesses** (details requirements for licensed digital asset operators).

**Digital Asset Business (DAB) License:** This framework covers activities such as operating a digital asset exchange, acting as a digital asset custodian, or potentially other services involving digital assets.

**Requirements for DAB Licensees typically include:**

Robust business plan, risk management framework, and internal controls.

Qualified and fit & proper directors and management.

Clear rules of operation, particularly concerning client asset protection and dispute resolution.

**Other Licenses:** If the stablecoin functions as a security, a capital markets services license might be required. If it involves significant foreign exchange or money changing activities, a money broking license might be relevant.

**Legislation/Reference:** **Labuan Financial Services and Securities Act 2010 (LFSSA 2010)** empowers LFSA to license financial services. The **Policy Document on Digital Asset Businesses** specifically outlines the licensing requirements for entities dealing with digital assets.

Labuan's regulatory framework does **not contain specific legislation solely on stablecoin redemption rights**.

However, general principles of **consumer protection, contractual law, and transparency** apply.

**Clear Terms:** Stablecoin issuers must clearly articulate the terms and conditions for redemption in their whitepaper or terms of service. This includes eligibility, timelines, fees, and the process for converting the stablecoin back to its pegged asset (e.g., fiat currency).

**Operational Capability:** Licensed issuers are expected to have the operational capacity and liquidity to honour redemption requests in a timely manner as per their stated terms.

**LFSA Oversight:** The LFSA, in its oversight of licensed digital asset businesses, would ensure that the issuer's stated redemption policies are fair, transparent, and adhered to. Any misleading statements or inability to meet redemption obligations could lead to regulatory action.

There are **no specific rules or guidelines in Labuan's framework that directly address algorithmic stablecoins.**

Algorithmic stablecoins, which rely on smart contracts and market mechanisms rather than direct fiat-backed reserves to maintain their peg, present unique and higher risks (e.g., de-pegging, market manipulation vulnerability).

**LFSA's Approach:** The LFSA would likely subject any proposal for an algorithmic stablecoin to **intense scrutiny** under its general risk management and investor protection principles for digital asset businesses.

The issuer would need to demonstrate a robust and resilient mechanism for maintaining stability, clear risk disclosures, adequate capitalisation to absorb potential shocks, and strong governance.

The inherent volatility and complexity of algorithmic designs might make it challenging to meet the LFSA's expectations for financial stability and consumer protection for a regulated financial product.

**No specific regulatory framework for private stablecoins interacting with a Central Bank Digital Currency (CBDC) in Labuan.**

**Malaysia's CBDC Exploration:** Bank Negara Malaysia (BNM), the central bank for Malaysia, has been actively exploring the potential issuance of a CBDC. However, this is primarily focused on the domestic Malaysian financial system and national policy.

**Reference:** BNM publishes reports and updates on its digital currency initiatives.

*URL Reference:* Bank Negara Malaysia - Digital Currencies (Look for their latest publications on CBDCs).

**Labuan's Role:** As an IBFC, Labuan's framework is distinct from BNM's domestic market focus. Any interaction between private stablecoins in Labuan and a potential future Malaysian CBDC would likely be determined at a national policy level by BNM, which would then influence any adjustments needed in Labuan's regulatory landscape. At present, there are no established rules.

**Labuan Financial Services Authority (Labuan FSA)**

**Purpose:** This is the primary legislation governing the licensing and regulation of financial services and financial-related businesses in Labuan IBFC. It empowers Labuan FSA to issue licenses and guidelines for various financial activities, which extends to digital financial services.

**URL (Labuan FSA Legislation page):** https://www.labuanfsa.gov.my/laws-guidelines/laws/labuan-acts

**Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA 2010)**

**Purpose:** Parallels LFSSA 2010 but for Islamic financial services. Digital asset activities structured under Shariah principles would fall under this.

**Specific Digital Asset/Fintech Guidelines (issued by Labuan FSA):**

**Policy on the Establishment of Digital Financial Services in Labuan IBFC**

**Date:** Initially issued around 2018/2019, periodically updated.

**Purpose:** This foundational policy outlines Labuan FSA's approach to digital financial services, including digital currencies, blockchain, and fintech innovations. It sets the stage for a facilitative yet regulated environment.

**URL (usually found under Labuan FSA's "Guidelines" or "Policies" section):** While a direct dated PDF link can be unstable, it's consistently covered in their official communications on Digital Finance: https://www.labuanfsa.gov.my/areas-of-business/digital-financial-services

**Guidelines on the Application for Digital Currency Exchange (DCE) Business**

**Purpose:** These specific guidelines detail the licensing requirements, operational standards, capital adequacy, risk management, and Anti-Money Laundering/Combating Financing of Terrorism (AML/CFT) obligations for entities wishing to operate a Digital Currency Exchange in Labuan.

**Guidelines on Digital Asset Issuance/Tokenisation**

**Purpose:** These guidelines regulate the issuance of digital assets (e.g., Security Token Offerings - STOs) and tokenisation activities in Labuan IBFC, covering aspects like whitepaper requirements, issuer eligibility, disclosure, and investor protection.

**Crypto Exchanges (Digital Currency Exchanges - DCEs):**

Entities wishing to operate a platform for the exchange of digital currencies (including fiat-to-crypto, crypto-to-crypto, or crypto-to-fiat) must apply for and obtain a **Digital Currency Exchange (DCE) license** from Labuan FSA.

Licensed DCEs are subject to stringent requirements, including:

Comprehensive AML/CFT policies and procedures (in line with FATF recommendations).

Cybersecurity frameworks and data protection.

Fit and proper criteria for shareholders, directors, and senior management.

Operational risk management and corporate governance.

Reporting obligations to Labuan FSA.

Labuan FSA aims to attract well-capitalised and reputable digital asset businesses, including those offering custody services, brokerage, and other related activities.

Trading of cryptocurrencies by individuals or institutions on licensed DCEs is generally permissible. Users of these platforms would be subject to the KYC/AML procedures implemented by the licensed exchange.

The focus of Labuan FSA's regulation is on the *service providers* (exchanges, brokers, issuers, custodians) rather than directly on individual traders, assuming they are trading on regulated platforms.

**Labuan Financial Services Authority (Labuan FSA)**

**Role:** Licenses and regulates all financial services entities in Labuan IBFC, including VASPs. It issues specific guidelines and policies that licensees must adhere to.

**Bank Negara Malaysia (BNM) - Financial Intelligence Unit (FIU)**

**Role:** While Labuan FSA is the primary regulator, BNM's FIU is the body to which suspicious transaction reports (STRs) are submitted. It acts as Malaysia's central agency for receiving, analysing, and disseminating financial intelligence.

**Website:** https://www.bnm.gov.my/financial-intelligence-and-enforcement (for information on FIU and AML/CFT)

**Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001):** This is the cornerstone legislation. It imposes obligations on reporting institutions (which include VASPs) to detect, deter, and report suspicious transactions, and to implement robust AML/CFT measures, including sanctions screening.

**Description:** This is the overarching national legislation in Malaysia that provides the legal framework for combating money laundering and terrorism financing. It defines "reporting institutions" (which include VASPs) and outlines their obligations, including CDD, record-keeping, and STRs.

**Applicability:** Applies to all financial institutions in Malaysia, including those operating within Labuan.

**Labuan Financial Services and Securities Act 2010 (LFSSA):**

**Description:** These Acts govern the licensing and regulation of financial businesses in Labuan IBFC. They grant Labuan FSA the power to issue specific regulations, guidelines, and directives to its licensees, including those related to AML/CFT.

**Labuan FSA Guidelines on Digital Asset Businesses (2020, with subsequent updates)**

**Description:** This crucial guideline specifically addresses the licensing and regulatory requirements for entities engaging in digital asset businesses (which encompass VASPs) in Labuan. It integrates AML/CFT obligations directly into the operational requirements for licensees. It defines what constitutes a "digital asset business" and sets forth specific conditions.

**Labuan FSA Guidelines on Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT)**

**Description:** These comprehensive guidelines provide detailed instructions to all Labuan financial institutions (including VASPs) on how to comply with AMLA 2001 and international FATF standards. They cover areas such as risk assessment, CDD, ongoing monitoring, STRs, internal controls, and training.

**Customer Due Diligence (CDD) / Know Your Customer (KYC)**

**Risk-Based Approach:** VASPs must adopt a risk-based approach to CDD, meaning the intensity of verification should be commensurate with the assessed money laundering/terrorism financing risk of the customer, product, service, or transaction.

**Natural Persons:** Obtain and verify identity through reliable, independent sources (e.g., government-issued ID, proof of address, date of birth, nationality).

**Legal Entities:** Obtain and verify legal name, legal form, proof of existence, powers that bind the entity, names of relevant persons (directors, senior management), and crucially, the **beneficial owners**.

**Beneficial Ownership:** Identify and take reasonable measures to verify the identity of the beneficial owner(s) – the natural person(s) who ultimately own or control the customer, or the natural person(s) on whose behalf a transaction is being conducted. This is particularly critical for VASPs dealing with potentially opaque structures.

**Purpose and Intended Nature of Business Relationship:** Understand the purpose and intended nature of the business relationship or occasional transaction.

**Ongoing Monitoring:** Regularly scrutinize transactions undertaken throughout the course of the relationship to ensure consistency with the VASP’s knowledge of the customer, their business, and risk profile. This includes reviewing CDD information periodically.

**Enhanced Due Diligence (EDD):** Apply EDD for higher-risk customers and transactions, including:

Customers from high-risk jurisdictions (as identified by FATF or Labuan FSA)

Transactions involving significant amounts of virtual assets

Complex, unusual large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Require additional information on the source of funds/wealth for high-risk accounts.

**Simplified Due Diligence (SDD):** May be applied in specifically defined lower-risk situations, but never in circumstances where there is a suspicion of ML/TF.

**Obligation:** VASPs, as "reporting institutions," are legally obligated under AMLA 2001 to report any transaction (regardless of amount) that gives rise to a suspicion of money laundering or terrorism financing.

**Reporting Body:** All STRs must be submitted to the **Financial Intelligence Unit (FIU) of Bank Negara Malaysia (BNM)**.

**Internal Procedures:** VASPs must have internal procedures for identifying, evaluating, and reporting suspicious transactions. This includes training staff to recognize red flags.

**No Tipping Off:** It is strictly prohibited to disclose to the customer or any third party that a STR has been or will be made.

**Types of Records:** VASPs must maintain all records obtained through CDD procedures, transaction data, correspondence, internal reports (including STRs and their assessment), and any other relevant documentation.

**Duration:** Records must be retained for a minimum period of **six (6) years** after the business relationship has ended or after the date of the occasional transaction.

**Accessibility:** Records must be organized and readily accessible to Labuan FSA and/or BNM upon request for compliance monitoring or investigation purposes.

**Internal Controls, Policies, and Procedures**

**Comprehensive Policies:** VASPs must establish and maintain comprehensive internal policies, procedures, and controls to mitigate ML/TF risks.

**Compliance Officer:** Appoint a qualified Compliance Officer (often referred to as an AML/CFT Compliance Officer) responsible for overseeing the VASP's AML/CFT program.

**Employee Training:** Provide ongoing AML/CFT training to all relevant employees, ensuring they are aware of their obligations, the risks involved, and how to identify and report suspicious activities.

**Independent Audit:** Regularly conduct independent audits of the AML/CFT program to assess its effectiveness and identify areas for improvement.

**Risk Assessment:** Conduct regular institutional risk assessments to identify, assess, and understand the ML/TF risks specific to their business, customers, products, and geographies.

**Penalties:** Fines and/or imprisonment for individuals under AMLA 2001.

**License Revocation/Suspension:** Labuan FSA has the power to revoke or suspend a VASP's license.

**Reputational Damage:** Significant harm to the VASP's reputation and trust among clients and partners.

**Operational Restrictions:** Orders to cease certain operations or restrictions on business activities.

**Legal Reference:** Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001

**Financial Sanctions Act 2009 (FSA 2009):** This Act provides the legal basis for implementing financial sanctions imposed by the United Nations Security Council (UNSC) in Malaysia. It empowers the Minister of Finance to issue freezing orders against designated persons and entities, and to enforce other restrictive measures.

**Legal Reference:** Financial Sanctions Act 2009

**Labuan FSA Policy on Digital Asset Businesses (2020) and related Guidance Notes:** This policy document sets out the regulatory framework for digital asset businesses in Labuan. It explicitly requires VASPs to comply with AMLA 2001 and FSA 2009, and to implement robust AML/CFT systems and controls. This includes:

**Customer Due Diligence (CDD) and Know Your Customer (KYC):** Identifying and verifying customers, including beneficial owners.

**Risk-Based Approach:** Assessing and managing AML/CFT risks, including sanctions risks, associated with customers, products, services, and geographic locations.

**Monitoring Transactions:** Identifying unusual or suspicious patterns.

**Reporting Suspicious Transactions (STRs):** To the Financial Intelligence Unit (FIU) of Bank Negara Malaysia (BNM).

**Record Keeping:** Maintaining records of customer identification and transactions.

**Sanctions Compliance:** Implementing measures to ensure compliance with relevant sanctions regimes.

**Legal Reference:** While a direct public link to the latest consolidated "Policy on Digital Asset Businesses" isn't always stable, it's a key regulatory document issued by LFSA. Relevant information can be found on the Labuan FSA website under Digital Asset Businesses.

**UN Sanctions Compliance (Direct Enforcement):**

**Legal Basis:** Implemented through the **Financial Sanctions Act 2009** and specific **Financial Sanctions Orders** issued by the Minister of Finance.

**Obligations:** VASPs in Labuan are legally required to freeze assets and deny services to individuals and entities designated by the UN Security Council. Bank Negara Malaysia (BNM) periodically circulates updated UN sanction lists to all financial institutions, including those in Labuan.

**Screening:** Mandatory screening against the UN Security Council Consolidated List and specific UN sanctions lists (e.g., Al-Qaeda, Taliban, DPRK, Iran) is required for all customers, beneficial owners, and relevant counterparties.

**Reporting:** Any hits or suspected matches must be immediately reported to the relevant authorities (BNM's FIU).

**OFAC/EU Sanctions Compliance (Indirect but Critical Enforcement):**

**Legal Basis:** While OFAC (U.S.) and EU sanctions are not directly enforceable as Malaysian law, compliance is **critical and practically mandatory** for Labuan VASPs due to several factors:

**De-risking by Correspondent Banks:** Global financial institutions (many of which are U.S. or EU-based) involved in facilitating fiat on/off-ramps or other services will enforce their own OFAC/EU compliance obligations on their partners, including Labuan VASPs. Non-compliance can lead to account termination, loss of banking relationships, and exclusion from the global financial system.

**Extraterritorial Reach:** OFAC sanctions, in particular, have broad extraterritorial reach. Transactions involving U.S. persons, U.S. dollar clearing, or a U.S. nexus (even indirectly) can fall under OFAC's jurisdiction, leading to severe penalties for non-U.S. entities.

**Reputational Risk:** Engaging with OFAC or EU sanctioned entities, even without a direct legal obligation in Malaysia, carries significant reputational risk that can damage a VASP's standing and trust.

**Obligations:** Labuan VASPs are expected to implement screening mechanisms for OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, other OFAC sanctions lists, and relevant EU sanctions lists, as part of their comprehensive risk management and good corporate governance. This is often an implicit requirement for maintaining international operations and banking access.

**Customers:** At onboarding (CDD/KYC) and on an ongoing basis.

**Beneficial Owners:** Of corporate customers.

**Key Personnel:** Directors, senior management.

**Transactions:** Especially for high-value or unusual transactions.

**Counterparties:** When engaging with other VASPs, payment providers, or financial institutions.

**Sanctioned Jurisdictions:** VASPs are explicitly prohibited from engaging in transactions with individuals or entities located in, or associated with, jurisdictions under comprehensive UN financial sanctions (e.g., DPRK, Iran under certain resolutions). Due to the indirect enforcement mentioned above, engagement with OFAC-sanctioned jurisdictions (e.g., Cuba, Iran, North Korea, Syria, certain regions of Ukraine) and EU-sanctioned jurisdictions is also severely restricted or prohibited.

**High-Risk Jurisdictions:** Beyond sanctioned countries, VASPs must apply enhanced due diligence (EDD) to customers and transactions originating from or destined for countries identified by the Financial Action Task Force (FATF) as high-risk or under increased monitoring (e.g., "grey list" countries). BNM also issues advisories on high-risk jurisdictions.

**Individuals:** Imprisonment for up to 15 years, and/or a fine of not less than five times the sum or value of the proceeds of an unlawful activity or instrumentalities, or RM5 million, whichever is higher.

**Legal Persons/Companies:** A fine of not less than ten times the sum or value of the proceeds of an unlawful activity or instrumentalities, or RM15 million, whichever is higher.

**Individuals:** Imprisonment for up to 5 years, or a fine of up to RM5 million, or both.

**Legal Persons/Companies:** A fine of up to RM20 million.

**Labuan FSA Enforcement:** LFSA can also impose administrative penalties, revoke licenses, issue directives, and take other supervisory actions against non-compliant VASPs under its regulatory powers.

**Indirect Penalties (OFAC/EU):** While not Malaysian legal penalties, non-compliance with OFAC/EU sanctions can lead to:

Blocking of assets in U.S. or EU jurisdictions.

Significant fines imposed by U.S. or EU authorities (potentially billions of dollars in extreme cases).

Loss of access to global financial markets.

**UN Security Council Consolidated List and other UN Sanctions Lists:** These are the primary lists legally enforced in Malaysia through the FSA 2009. BNM ensures these lists are disseminated.

**Legal Reference:** UN Security Council Consolidated List

**Malaysia's Domestic Terrorism Financing Lists:** While Malaysia has domestic lists related to terrorism financing, these are primarily for law enforcement purposes and less for general financial sanctions blocking obligations compared to the UN lists. Financial institutions' primary focus for blocking is the UN lists.

**Advisory Lists:** BNM may issue circulars or advisories to financial institutions regarding high-risk entities or jurisdictions based on international assessments (e.g., FATF findings), which VASPs should consider in their risk assessment.

**Cross-border transactions:** Transfers exceeding **RM4,000 (or equivalent to USD1,000)**.

**Domestic transactions:** Transfers exceeding **RM10,000 (or equivalent to USD3,000)**.

Operating a digital asset exchange

Operating a digital asset trading platform

Providing digital asset custodian services

Other businesses dealing with or facilitating the exchange of digital assets.

Originator's account number (or unique transaction identifier)

Originator's physical address (or national identity number, customer identification number, or date and place of birth).

Beneficiary's account number (or unique transaction identifier).

**Secure Transmission:** The information must be transmitted securely and immediately with the virtual asset transfer.

**Verification:** Digital Asset Businesses must take reasonable measures to verify the identity of their customers (originators and beneficiaries) when collecting this information.

**Record-Keeping:** All collected information and records of transmission must be retained for at least **6 years**.

**Policies and Procedures:** VASPs must establish robust internal policies, procedures, and controls to ensure compliance with these requirements, including procedures for handling missing or incomplete information from counterparties (especially in unhosted wallet or non-compliant VASP scenarios).

**Risk Assessment:** VASPs are expected to conduct a risk assessment related to their Travel Rule obligations and implement controls proportionate to their identified risks.

**Corporate bodies:** A fine not less than five times the amount of the proceeds of an unlawful activity or instrumentalities of an offence, or RM25 million, whichever is higher.

**Labuan Financial Services Authority (LFSA) Enforcement Powers:** LFSA has wide-ranging powers under the Labuan Financial Services and Securities Act 2010 (LFSSA) and the Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA). These include:

Taking criminal action against individuals or entities.

**Labuan FSA Guidelines on AML/CFT for Digital Asset Businesses (11 August 2022):**

**Labuan FSA (Business of Digital Asset) Regulations 2022:**

*Defines "digital asset business" requiring an LFSA license.*

*While the full Act isn't hosted by LFSA directly, it's the overarching Malaysian AML law. BNM often hosts it:* https://www.bnm.gov.my/documents/20124/96092/AMLA_2001.pdf

*Penalties are detailed in various sections, particularly Part IV.*

*Provides LFSA's regulatory and enforcement powers.*

Labuan Financial Services and Securities Act 2010 (LFSSA 2010)

Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA 2010)

**Guidelines on Digital Asset Business** (LFSA/GL/2020-002, last updated January 2023)

**Entity Type:** Must be incorporated or registered as a Labuan company under the Labuan Companies Act 1990.

**Physical Presence:** Must have a substantive presence in Labuan.

**Capital Requirements:** Maintain adequate paid-up capital and working capital, as determined by LFSA based on the nature, scale, and complexity of the business (Section 4.1.3 & 5.1).

**Fit and Proper Criteria:** Directors, controllers, and key management personnel must meet LFSA's "fit and proper" criteria (Section 4.1.5 & 4.1.6).

**Business Plan:** Submission of a comprehensive business plan detailing services offered, target market, operational procedures, risk management framework, and technology infrastructure.

**Internal Controls & Risk Management:** Robust internal control systems, governance framework, and risk management policies, particularly addressing cybersecurity, operational risks, and market risks (Section 5.3).

**AML/CFT Compliance:** Strict adherence to anti-money laundering and countering financing of terrorism (AML/CFT) requirements in line with the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) and LFSA's relevant guidance (Section 5.4).

**Technology & Security:** Demonstrate robust IT systems, security protocols, and expertise in distributed ledger technology (DLT) and cybersecurity (Section 5.3).

**Section 5.3.1 (e):** "The entity shall establish robust internal controls and safeguards to segregate and protect clients' assets from its own assets. Client funds and digital assets must be held in designated segregated accounts or wallets and must not be commingled with the company's proprietary assets."

This ensures that in the event of insolvency or other financial distress of the custodian, client assets are protected and not treated as assets of the firm.

**Section 5.3.1 (c):** Requires the entity to "establish an adequate capital management framework to ensure sufficient capital is maintained to absorb potential losses arising from its business activities."

**Section 5.3.1 (e):** Implies the need for safeguards to protect client assets, which can include various risk mitigation strategies, potentially including insurance coverage for certain risks (e.g., cyber theft) as part of a comprehensive risk management framework.

**Section 5.3.1 (g):** "The entity shall implement appropriate and comprehensive cybersecurity measures and controls to safeguard clients' digital assets from theft, loss, and unauthorised access, which include, but are not limited to, the use of secure private key management, multi-signature wallets, and cold storage for a significant portion of digital assets."

This explicitly mandates the use of **cold storage** (offline storage) for a significant portion of digital assets, alongside other security measures like multi-signature wallets and robust private key management.