Malaysia -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Malaysia has robust Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) requirements that extend to cryptocurrency and virtual asset service providers (VASPs). These requirements are primarily driven by the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act (AMLATFPUAA) 2001 and subsequent policy documents issued by Bank Negara Malaysia (BNM).
1. AML/CFT Legislation and Regulatory Framework
The primary legislative and regulatory instruments are:
- Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act (AMLATFPUAA) 2001: This is the overarching legislation that imposes AML/CFT obligations on designated "reporting institutions," which include VASPs.
- AML/CFT and Targeted Financial Sanctions for Financial Institutions (AML/CFT TFS for FIs) Policy Document (BNM Policy Document): Issued by Bank Negara Malaysia, this comprehensive policy document provides detailed guidance and requirements for reporting institutions to comply with AMLATFPUAA 2001. This document has specific sections/appendices applicable to "Digital Currencies" or "Virtual Assets."
- Capital Markets and Services Act 2007 (CMSA): For digital assets that are deemed "securities," the Securities Commission Malaysia (SC) regulates entities like Digital Asset Exchanges (DAX) under this Act and its accompanying guidelines. These entities are also subject to specific AML/CFT requirements imposed by the SC.
- Guidelines on Recognised Markets (SC Guidelines): Specifically for operators of recognised markets, including DAX, detailing operational, conduct, and AML/CFT requirements.
2. Regulating Authorities
- Bank Negara Malaysia (BNM):
  - Role: The central bank of Malaysia and the primary regulator for AML/CFT compliance across all reporting institutions, including VASPs, under the AMLATFPUAA 2001. BNM also houses the Financial Intelligence Unit (FIU) responsible for receiving Suspicious Transaction Reports (STRs).
  - URL: https://www.bnm.gov.my/
- Securities Commission Malaysia (SC):
  - Role: Regulates the capital markets in Malaysia. The SC specifically licenses and oversees Digital Asset Exchanges (DAX) and other entities involved in the offering or trading of digital assets that are classified as securities. SC-regulated entities must comply with both SC-specific AML/CFT requirements and the broader BNM framework.
  - URL: https://www.sc.com.my/
3. Definition of Virtual Asset Service Providers (VASPs)
Malaysia generally aligns with the Financial Action Task Force (FATF) definition. Under the BNM Policy Document, entities dealing with "Digital Currencies" (which include virtual assets) are considered reporting institutions if they perform activities such as:
- Exchanges between digital currencies and fiat currencies.
- Exchanges between one or more forms of digital currencies.
- Transfers of digital currencies.
- Safekeeping and/or administration of digital currencies or instruments enabling control over digital currencies.
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a digital currency.
This includes entities like Digital Asset Exchanges, wallet providers, and certain ICO/STO platforms.
4. Customer Due Diligence (CDD) Requirements
VASPs in Malaysia must implement a risk-based approach to CDD, which includes:
- Customer Identification and Verification:
  - Obtain and verify the identity of individual customers (name, address, date of birth, nationality, identification document details, contact information).
  - For legal entities/corporate customers, obtain and verify: legal name, legal form, proof of existence (e.g., certificate of incorporation), address of registered office, names of directors/partners/trustees, details of shareholders and beneficial owners, and constitution/governing documents.
  - For partnerships and trusts, similar information must be collected for partners, trustees, settlors, and beneficiaries.
- Beneficial Ownership: Identify and verify the ultimate beneficial owner (UBO) for all corporate and legal arrangements. This involves looking through layers of ownership to identify the natural person(s) who ultimately own or control the customer, or on whose behalf a transaction is being conducted.
- Purpose and Intended Nature of Business Relationship: Understand the rationale behind the customer's request to use the VASP's services and the anticipated level and type of activity.
- Source of Funds/Wealth: For higher-risk customers or transactions, obtain information on the source of funds or source of wealth.
- Ongoing Monitoring: Continuously monitor the business relationship and transactions to ensure consistency with the VASP's knowledge of the customer, their business, risk profile, and source of funds. Update customer information regularly.
- Non-Face-to-Face (NFF) Customers: Given the online nature of many VASPs, robust measures for NFF CDD are crucial, including multi-factor authentication, video verification, and cross-referencing with reliable independent sources.
- Politically Exposed Persons (PEPs): Implement Enhanced Due Diligence (EDD) measures for PEPs, their family members, and close associates, including obtaining senior management approval to establish or continue the relationship and taking reasonable measures to establish the source of wealth and funds.
5. Enhanced Due Diligence (EDD) Requirements
EDD is required in situations deemed higher risk, including but not limited to:
- High-Risk Customers: PEPs, customers from high-risk jurisdictions (e.g., those identified by FATF), customers involved in cash-intensive businesses.
- High-Risk Products/Services: Products or services that facilitate anonymity (e.g., privacy coins, mixing services).
- High-Risk Delivery Channels: Non-face-to-face relationships without sufficient mitigating controls.
- Large, Complex, or Unusual Transactions: Transactions that have no apparent economic or lawful purpose.
- Cross-border Correspondent Relationships: If applicable, especially with VASPs in high-risk jurisdictions.
EDD measures may include: collecting additional identification information, verifying information using additional sources, conducting site visits, obtaining senior management approval for the relationship, and intensified ongoing monitoring.
6. Suspicious Transaction Reporting (STR)
- Obligation: All VASPs, as reporting institutions, are legally obliged to report any transaction (including attempted transactions) that they know or have reason to suspect is related to money laundering, terrorism financing, or proceeds of unlawful activities.
- Recipient: Reports must be submitted to the Financial Intelligence Unit (FIU) within Bank Negara Malaysia.
- No Tipping-Off: VASPs and their employees are prohibited from disclosing to the customer or any third party that an STR has been or will be made.
- Reporting Thresholds: While there are no specific monetary thresholds for STRs (suspicion is key), BNM's policy document also outlines Currency Transaction Reports (CTR) for cash transactions exceeding a certain amount. However, for most virtual asset transactions, suspicion drives the reporting.
7. Record-Keeping Obligations
VASPs must maintain comprehensive records to assist in investigations and demonstrate compliance:
- Customer Identification Data: All records obtained during CDD and EDD (identification documents, verification records, beneficial ownership information) must be kept for at least five (5) years after the business relationship has ended.
- Transaction Records: Records of all transactions (date, type, amount, parties involved, digital asset addresses, hash IDs) must be kept for at least five (5) years from the date of the transaction.
- STRs and Internal Reports: Records of all STRs filed and any internal suspicious activity reports or investigations.
- AML/CFT Policies and Procedures: Records of all policies, procedures, risk assessments, training materials, and audit reports.
8. Other Key AML/CFT Obligations
- Internal Policies and Procedures: Develop and implement robust internal AML/CFT policies, procedures, and controls commensurate with the VASP's risk profile.
- Compliance Officer: Appoint a dedicated Compliance Officer (often referred to as a Money Laundering Reporting Officer, or MLRO) responsible for overseeing AML/CFT compliance, receiving internal suspicious activity reports, and submitting STRs to the FIU.
- Employee Training: Provide regular and comprehensive AML/CFT training to all relevant employees to ensure they understand their obligations and can identify suspicious activities.
- Independent Audit: Periodically review and audit the effectiveness of the VASP's AML/CFT programs.
- Sanctions Screening: Implement measures to screen customers and transactions against targeted financial sanctions lists issued by the United Nations Security Council (UNSC) and domestic authorities to prevent terrorism financing and proliferation financing.
In summary, VASPs operating in Malaysia are subject to a comprehensive AML/CFT framework, primarily overseen by Bank Negara Malaysia, with specific oversight by the Securities Commission for regulated digital asset exchanges. Compliance with AMLATFPUAA 2001 and the BNM Policy Document is critical for these entities to operate legally and avoid severe penalties.
Source Data
**Regulator Name:** Securities Commission Malaysia (SC Malaysia)
**Entity Targeted:** Binance Holdings Limited and its CEO, Changpeng Zhao (CZ).
**Violation Type:** Operating a Digital Asset Exchange (DAX) without registration/license, which is a violation under the Capital Markets and Services Act 2007. The SC considers digital assets as securities, and operating a platform for trading them requires authorization.
**Penalty Amount:** No explicit monetary fine was announced at the time of the public reprimand. The penalties were operational: a public reprimand, an order to cease all operations in Malaysia, disable access to its website and mobile applications, and cease all media and marketing activities targeting Malaysian investors.
**Outcome:** Binance was forced to shut down its direct operations in Malaysia. Malaysian users were advised to withdraw their funds. The action led Binance to later pursue a compliant pathway to re-enter the Malaysian market by acquiring a stake in and partnering with a licensed local Digital Asset Exchange (DAX), MX Global, demonstrating the effectiveness of the SC's enforcement in driving regulatory compliance.
**SC Malaysia Official Press Release:** https://www.sc.com.my/resources/media-releases-and-announcements/sc-takes-enforcement-action-against-binance-for-operating-illegally-in-malaysia
**News Article on Binance's subsequent partnership with MX Global (for context):** https://www.thestar.com.my/business/business-news/2022/03/10/binance-acquires-stake-in-malaysias-mx-global
**Entity Targeted:** Various unauthorized digital asset platforms, investment schemes involving crypto, and individuals promoting them. (Specific names are too numerous to list here, but are updated frequently).
**Violation Type:** Operating or promoting unauthorized investment schemes, digital asset exchanges, or services without the necessary licenses or approvals from the SC Malaysia.
**Penalty Amount:** Typically no specific monetary penalty is announced publicly for being added to the alert list. The "penalty" is a public warning, which often leads to the platform being unable to operate effectively in Malaysia and subsequent cessation of operations or blocking of access.
**Outcome:** Public awareness is raised, and investors are warned against dealing with these entities. This often leads to reduced or ceased operations for the targeted entities within Malaysia.
**SC Malaysia Investor Alert List:** https://www.sc.com.my/investor-alert
**Risk-based:** Regulations are introduced where risks are most apparent (e.g., trading, fundraising, AML/CFT).
**Phased:** The framework has evolved over time, starting with AML/CFT and then expanding to encompass capital market activities.
**Technology-neutral where possible:** Applying existing securities laws to digital assets that exhibit characteristics of securities.
**Focus on investor protection and market integrity:** Especially for digital assets deemed as securities.
**Emphasis on AML/CFT:** A core pillar of all digital asset regulation.
**Role:** The primary regulator for digital assets that are deemed "securities" under Malaysian law. It oversees the offering, trading, and intermediation of such digital assets. This includes licensing Digital Asset Exchanges (DAXes) and regulating fundraising via Initial Exchange Offerings (IEOs).
**Digital Assets Specific Page:** https://www.sc.com.my/regulation/guidelines/digital-assets
**Bank Negara Malaysia (BNM) – Central Bank of Malaysia**
**Role:** Primarily responsible for the financial system's stability, payment systems, and Anti-Money Laundering/Counter-Terrorism Financing (AML/CFT). BNM designates "virtual asset service providers" (VASPs) as reporting institutions under the AMLATFPUAA, requiring them to report suspicious transactions and adhere to AML/CFT measures. BNM also monitors the broader implications of digital assets on financial stability, monetary policy, and payment systems, including stablecoins and central bank digital currencies (CBDCs).
**Capital Markets and Services Act 2007 (CMSA 2007)**
**Date:** Enacted 2007 (amended periodically).
**Relevance:** Provides the foundational legal framework for the SC to regulate capital market activities. Digital assets deemed as "securities" fall under the purview of this Act.
**URL (SC Legislation page):** https://www.sc.com.my/regulation/legislation/acts/cmsa
**Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019**
**Date:** Effective 15 January 2019.
**Relevance:** This is a crucial piece of legislation. It formally **prescribes digital currencies and digital tokens as "securities"** if they are traded on a digital asset exchange or offered through an Initial Exchange Offering (IEO) platform. This brought certain virtual assets squarely under the SC's regulatory ambit.
**URL (SC Media Release announcing guidelines):** https://www.sc.com.my/resources/media-releases-and-announcements/sc-issues-guidelines-on-digital-assets (The Order itself is a gazetted law, not always directly linked as a PDF on the SC site, but its effect is explained in the guidelines and press releases.)
**Guidelines on Digital Assets (Revised as of October 2023)**
**Date:** First issued 2019, revised multiple times (latest revision October 2023).
**Relevance:** Issued by the SC, these guidelines provide detailed requirements for:
- Persons seeking to operate a Digital Asset Exchange (DAX).
- Persons seeking to operate an Initial Exchange Offering (IEO) platform.
- Issuers of digital tokens through an IEO platform.
**URL:** https://www.sc.com.my/api/documentms/download.ashx?id=ee851174-8b63-44f2-9844-4824578b7a42 (Direct PDF link to the Guidelines on Digital Assets, dated 27 October 2023).
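**Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA 2001)**
**Date:** Enacted 2001 (amended periodically).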
**Relevance:** This Act is the cornerstone of Malaysia's AML/CFT regime. BNM leverages this Act to designate "virtual asset service providers" (VASPs) as "reporting institutions," compelling them to implement robust AML/CFT measures, conduct customer due diligence, and report suspicious transactions.
**URL (BNM Legislation page):** https://www.bnm.gov.my/legislation/acts/aml-cft
**Policy Document on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS Policy Document)**
**Date:** Various iterations, latest effective 1 January 2020 (with subsequent clarifications/revisions).
**Relevance:** Issued by BNM, this policy document details the specific AML/CFT obligations for various financial institutions, including virtual asset service providers (VASPs) operating in Malaysia. It outlines requirements for risk assessment, customer due diligence, record-keeping, and suspicious transaction reporting.
**URL:** https://www.bnm.gov.my/documents/20124/960527/PD_AML+CFT+and+TFS_FI.pdf (Direct PDF link to BNM's AML/CFT and TFS Policy Document, updated as of 17 April 2023).
**Legality:** Engaging in crypto trading and establishing crypto exchanges is legal, provided they comply with the SC's regulatory framework.
**Licensing Requirement:** Any entity that wishes to operate a Digital Asset Exchange (DAX) in Malaysia, or an Initial Exchange Offering (IEO) platform, must be **licensed by the Securities Commission Malaysia (SC)**. Operating without an SC license is illegal and carries severe penalties.
**Investor Protection:** The SC's framework focuses heavily on investor protection, requiring licensed DAXes to implement robust cybersecurity measures, adequate capital, clear rules for listing digital assets, dispute resolution mechanisms, and transparent fee structures.
**AML/CFT Compliance:** Licensed DAXes and IEO platforms are designated as reporting institutions under the AMLATFPUAA and must comply with BNM's stringent AML/CFT requirements. This involves "Know Your Customer" (KYC) procedures, transaction monitoring, and suspicious transaction reporting.
**List of Licensed DAXes:** The SC publicly maintains a list of licensed Digital Asset Exchanges. As of the last update of this overview, licensed DAXes typically include operators like Luno, SINEGY, Tokenize Technology, and MX Global. It is crucial for users to verify that they are using an SC-licensed platform.
**URL (SC Licensed and Registered Persons - filter by Digital Asset Exchange):** https://www.sc.com.my/regulation/licensing/licensed-and-registered-persons
Sources & Attribution
This article was generated by SearXNG+LLM.
This article is maintained by AI research workers and reviewed by human editors.