Labuan (Malaysia) -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Labuan, as an international business and financial centre within Malaysia, has its own regulatory framework overseen by the Labuan Financial Services Authority (Labuan FSA). Virtual Asset Service Providers (VASPs) operating in Labuan are subject to robust Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) requirements, aligning with international standards set by the Financial Action Task Force (FATF).
The AML and KYC requirements for cryptocurrency/virtual asset service providers in Labuan are summarized below:
Overseeing Authority
The primary authority overseeing compliance for VASPs in Labuan is:
Labuan Financial Services Authority (Labuan FSA)
- Role: Licenses and regulates all financial services entities in Labuan IBFC, including VASPs. It issues specific guidelines and policies that licensees must adhere to.
- Website: https://www.labuanfsa.gov.my
Bank Negara Malaysia (BNM) - Financial Intelligence Unit (FIU)
- Role: While Labuan FSA is the primary regulator, BNM's FIU is the body to which suspicious transaction reports (STRs) are submitted. It acts as Malaysia's central agency for receiving, analysing, and disseminating financial intelligence.
- Website: https://www.bnm.gov.my/financial-intelligence-and-enforcement (for information on FIU and AML/CFT)
AML/CFT Legislation
VASPs in Labuan are subject to a multi-layered regulatory framework:
Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001)
- Description: This is the overarching national legislation in Malaysia that provides the legal framework for combating money laundering and terrorism financing. It defines "reporting institutions" (which include VASPs) and outlines their obligations, including CDD, record-keeping, and STRs.
- Applicability: Applies to all financial institutions in Malaysia, including those operating within Labuan.
Labuan Financial Services and Securities Act 2010 (LFSSA 2010) and Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA 2010)
- Description: These Acts govern the licensing and regulation of financial businesses in Labuan IBFC. They grant Labuan FSA the power to issue specific regulations, guidelines, and directives to its licensees, including those related to AML/CFT.
Labuan FSA Guidelines on Digital Asset Businesses (2020, with subsequent updates)
- Description: This crucial guideline specifically addresses the licensing and regulatory requirements for entities engaging in digital asset businesses (which encompass VASPs) in Labuan. It integrates AML/CFT obligations directly into the operational requirements for licensees. It defines what constitutes a "digital asset business" and sets forth specific conditions.
Labuan FSA Guidelines on Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT)
- Description: These comprehensive guidelines provide detailed instructions to all Labuan financial institutions (including VASPs) on how to comply with AMLA 2001 and international FATF standards. They cover areas such as risk assessment, CDD, ongoing monitoring, STRs, internal controls, and training.
Key AML/KYC Requirements
VASPs in Labuan are required to implement a robust, risk-based AML/CFT framework, which includes:
Customer Due Diligence (CDD) / Know Your Customer (KYC)
- Risk-Based Approach: VASPs must adopt a risk-based approach to CDD, meaning the intensity of verification should be commensurate with the assessed money laundering/terrorism financing risk of the customer, product, service, or transaction.
- Identification and Verification:
  - Natural Persons: Obtain and verify identity through reliable, independent sources (e.g., government-issued ID, proof of address, date of birth, nationality).
  - Legal Entities: Obtain and verify legal name, legal form, proof of existence, powers that bind the entity, names of relevant persons (directors, senior management), and crucially, the beneficial owners.
- Beneficial Ownership: Identify and take reasonable measures to verify the identity of the beneficial owner(s) – the natural person(s) who ultimately own or control the customer, or the natural person(s) on whose behalf a transaction is being conducted. This is particularly critical for VASPs dealing with potentially opaque structures.
- Purpose and Intended Nature of Business Relationship: Understand the purpose and intended nature of the business relationship or occasional transaction.
- Ongoing Monitoring: Regularly scrutinize transactions undertaken throughout the course of the relationship to ensure consistency with the VASP’s knowledge of the customer, their business, and risk profile. This includes reviewing CDD information periodically.
- Enhanced Due Diligence (EDD): Apply EDD for higher-risk customers and transactions, including:
  - Politically Exposed Persons (PEPs)
  - Customers from high-risk jurisdictions (as identified by FATF or Labuan FSA)
  - Transactions involving significant amounts of virtual assets
  - Complex, unusual large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.
  - Require additional information on the source of funds/wealth for high-risk accounts.
- Simplified Due Diligence (SDD): May be applied in specifically defined lower-risk situations, but never in circumstances where there is a suspicion of ML/TF.
Suspicious Transaction Reporting (STR)
- Obligation: VASPs, as "reporting institutions," are legally obligated under AMLA 2001 to report any transaction (regardless of amount) that gives rise to a suspicion of money laundering or terrorism financing.
- Reporting Body: All STRs must be submitted to the Financial Intelligence Unit (FIU) of Bank Negara Malaysia (BNM).
- Internal Procedures: VASPs must have internal procedures for identifying, evaluating, and reporting suspicious transactions. This includes training staff to recognize red flags.
- No Tipping Off: It is strictly prohibited to disclose to the customer or any third party that an STR has been or will be made.
Record-Keeping Obligations
- Types of Records: VASPs must maintain all records obtained through CDD procedures, transaction data, correspondence, internal reports (including STRs and their assessment), and any other relevant documentation.
- Duration: Records must be retained for a minimum period of six (6) years after the business relationship has ended or after the date of the occasional transaction.
- Accessibility: Records must be organized and readily accessible to Labuan FSA and/or BNM upon request for compliance monitoring or investigation purposes.
Internal Controls, Policies, and Procedures
- Comprehensive Policies: VASPs must establish and maintain comprehensive internal policies, procedures, and controls to mitigate ML/TF risks.
- Compliance Officer: Appoint a qualified Compliance Officer (often referred to as an AML/CFT Compliance Officer) responsible for overseeing the VASP's AML/CFT program.
- Employee Training: Provide ongoing AML/CFT training to all relevant employees, ensuring they are aware of their obligations, the risks involved, and how to identify and report suspicious activities.
- Independent Audit: Regularly conduct independent audits of the AML/CFT program to assess its effectiveness and identify areas for improvement.
- Risk Assessment: Conduct regular institutional risk assessments to identify, assess, and understand the ML/TF risks specific to their business, customers, products, and geographies.
Consequences of Non-Compliance
Failure to comply with AML/CFT requirements can lead to severe consequences for VASPs in Labuan, including:
- Penalties: Fines and/or imprisonment for individuals under AMLA 2001.
- License Revocation/Suspension: Labuan FSA has the power to revoke or suspend a VASP's license.
- Reputational Damage: Significant harm to the VASP's reputation and trust among clients and partners.
- Operational Restrictions: Orders to cease certain operations or restrictions on business activities.
By adhering to these stringent AML/KYC requirements, Labuan ensures that its digital asset businesses operate with integrity and contribute to global efforts in combating financial crime.
Source Data
**Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001):** This is the cornerstone legislation. It imposes obligations on reporting institutions (which include VASPs) to detect, deter, and report suspicious transactions, and to implement robust AML/CFT measures, including sanctions screening.
**Legal Reference:** Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001
**Financial Sanctions Act 2009 (FSA 2009):** This Act provides the legal basis for implementing financial sanctions imposed by the United Nations Security Council (UNSC) in Malaysia. It empowers the Minister of Finance to issue freezing orders against designated persons and entities, and to enforce other restrictive measures.
**Legal Reference:** Financial Sanctions Act 2009
**Labuan FSA Policy on Digital Asset Businesses (2020) and related Guidance Notes:** This policy document sets out the regulatory framework for digital asset businesses in Labuan. It explicitly requires VASPs to comply with AMLA 2001 and FSA 2009, and to implement robust AML/CFT systems and controls. This includes:
**Customer Due Diligence (CDD) and Know Your Customer (KYC):** Identifying and verifying customers, including beneficial owners.
**Risk-Based Approach:** Assessing and managing AML/CFT risks, including sanctions risks, associated with customers, products, services, and geographic locations.
**Monitoring Transactions:** Identifying unusual or suspicious patterns.
**Reporting Suspicious Transactions (STRs):** To the Financial Intelligence Unit (FIU) of Bank Negara Malaysia (BNM).
**Record Keeping:** Maintaining records of customer identification and transactions.
**Sanctions Compliance:** Implementing measures to ensure compliance with relevant sanctions regimes.
**Legal Reference:** While a direct public link to the latest consolidated "Policy on Digital Asset Businesses" isn't always stable, it's a key regulatory document issued by LFSA. Relevant information can be found on the Labuan FSA website under Digital Asset Businesses.
**UN Sanctions Compliance (Direct Enforcement):**
**Legal Basis:** Implemented through the **Financial Sanctions Act 2009** and specific **Financial Sanctions Orders** issued by the Minister of Finance.
**Obligations:** VASPs in Labuan are legally required to freeze assets and deny services to individuals and entities designated by the UN Security Council. Bank Negara Malaysia (BNM) periodically circulates updated UN sanction lists to all financial institutions, including those in Labuan.
**Screening:** Mandatory screening against the UN Security Council Consolidated List and specific UN sanctions lists (e.g., Al-Qaeda, Taliban, DPRK, Iran) is required for all customers, beneficial owners, and relevant counterparties.
**Reporting:** Any hits or suspected matches must be immediately reported to the relevant authorities (BNM's FIU).
**OFAC/EU Sanctions Compliance (Indirect but Critical Enforcement):**
**Legal Basis:** While OFAC (U.S.) and EU sanctions are not directly enforceable as Malaysian law, compliance is **critical and practically mandatory** for Labuan VASPs due to several factors:
**De-risking by Correspondent Banks:** Global financial institutions (many of which are U.S. or EU-based) involved in facilitating fiat on/off-ramps or other services will enforce their own OFAC/EU compliance obligations on their partners, including Labuan VASPs. Non-compliance can lead to account termination, loss of banking relationships, and exclusion from the global financial system.
**Extraterritorial Reach:** OFAC sanctions, in particular, have broad extraterritorial reach. Transactions involving U.S. persons, U.S. dollar clearing, or a U.S. nexus (even indirectly) can fall under OFAC's jurisdiction, leading to severe penalties for non-U.S. entities.
**Reputational Risk:** Engaging with OFAC or EU sanctioned entities, even without a direct legal obligation in Malaysia, carries significant reputational risk that can damage a VASP's standing and trust.
**Obligations:** Labuan VASPs are expected to implement screening mechanisms for OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, other OFAC sanctions lists, and relevant EU sanctions lists, as part of their comprehensive risk management and good corporate governance. This is often an implicit requirement for maintaining international operations and banking access.
**Customers:** At onboarding (CDD/KYC) and on an ongoing basis.
**Key Personnel:** Directors, senior management.
**Transactions:** Especially for high-value or unusual transactions.
**Counterparties:** When engaging with other VASPs, payment providers, or financial institutions.
**Sanctioned Jurisdictions:** VASPs are explicitly prohibited from engaging in transactions with individuals or entities located in, or associated with, jurisdictions under comprehensive UN financial sanctions (e.g., DPRK, Iran under certain resolutions). Due to the indirect enforcement mentioned above, engagement with OFAC-sanctioned jurisdictions (e.g., Cuba, Iran, North Korea, Syria, certain regions of Ukraine) and EU-sanctioned jurisdictions is also severely restricted or prohibited.
**High-Risk Jurisdictions:** Beyond sanctioned countries, VASPs must apply enhanced due diligence (EDD) to customers and transactions originating from or destined for countries identified by the Financial Action Task Force (FATF) as high-risk or under increased monitoring (e.g., "grey list" countries). BNM also issues advisories on high-risk jurisdictions.
**Individuals:** Imprisonment for up to 15 years, and/or a fine of not less than five times the sum or value of the proceeds of an unlawful activity or instrumentalities, or RM5 million, whichever is higher.
**Legal Persons/Companies:** A fine of not less than ten times the sum or value of the proceeds of an unlawful activity or instrumentalities, or RM15 million, whichever is higher.
**Individuals:** Imprisonment for up to 5 years, or a fine of up to RM5 million, or both.
**Legal Persons/Companies:** A fine of up to RM20 million.
**Labuan FSA Enforcement:** LFSA can also impose administrative penalties, revoke licenses, issue directives, and take other supervisory actions against non-compliant VASPs under its regulatory powers.
**Indirect Penalties (OFAC/EU):** While not Malaysian legal penalties, non-compliance with OFAC/EU sanctions can lead to:
Significant fines imposed by U.S. or EU authorities (potentially billions of dollars in extreme cases).
**UN Security Council Consolidated List and other UN Sanctions Lists:** These are the primary lists legally enforced in Malaysia through the FSA 2009. BNM ensures these lists are disseminated.
**Legal Reference:** UN Security Council Consolidated List
**Malaysia's Domestic Terrorism Financing Lists:** While Malaysia has domestic lists related to terrorism financing, these are primarily for law enforcement purposes and less for general financial sanctions blocking obligations compared to the UN lists. Financial institutions' primary focus for blocking is the UN lists.
**Advisory Lists:** BNM may issue circulars or advisories to financial institutions regarding high-risk entities or jurisdictions based on international assessments (e.g., FATF findings), which VASPs should consider in their risk assessment.
**Cross-border transactions:** Transfers exceeding **RM4,000 (or equivalent to USD1,000)**.
**Domestic transactions:** Transfers exceeding **RM10,000 (or equivalent to USD3,000)**.
Operating a digital asset exchange
Operating a digital asset trading platform
Providing digital asset custodian services
Other businesses dealing with or facilitating the exchange of digital assets.
Originator's account number (or unique transaction identifier)
Originator's physical address (or national identity number, customer identification number, or date and place of birth).
Beneficiary's account number (or unique transaction identifier).
**Secure Transmission:** The information must be transmitted securely and immediately with the virtual asset transfer.
**Verification:** Digital Asset Businesses must take reasonable measures to verify the identity of their customers (originators and beneficiaries) when collecting this information.
**Record-Keeping:** All collected information and records of transmission must be retained for at least **6 years**.
**Policies and Procedures:** VASPs must establish robust internal policies, procedures, and controls to ensure compliance with these requirements, including procedures for handling missing or incomplete information from counterparties (especially in unhosted wallet or non-compliant VASP scenarios).
**Risk Assessment:** VASPs are expected to conduct a risk assessment related to their Travel Rule obligations and implement controls proportionate to their identified risks.
**Corporate bodies:** A fine not less than five times the amount of the proceeds of an unlawful activity or instrumentalities of an offence, or RM25 million, whichever is higher.
**Labuan Financial Services Authority (LFSA) Enforcement Powers:** LFSA has wide-ranging powers under the Labuan Financial Services and Securities Act 2010 (LFSSA) and the Labuan Islamic Financial Services and Securities Act 2010 (LIFSSA). These include:
Taking criminal action against individuals or entities.
**Labuan FSA Guidelines on AML/CFT for Digital Asset Businesses (11 August 2022):**
**Labuan FSA (Business of Digital Asset) Regulations 2022:**
*Defines "digital asset business" requiring an LFSA license.*
*While the full Act isn't hosted by LFSA directly, it's the overarching Malaysian AML law. BNM often hosts it:* https://www.bnm.gov.my/documents/20124/96092/AMLA_2001.pdf
*Penalties are detailed in various sections, particularly Part IV.*
*Provides LFSA's regulatory and enforcement powers.*
Sources & Attribution
This article was generated by SearXNG+LLM.