Malaysia -- Sanctions Compliance Regulatory Overview

Malaysia, as a member of the Financial Action Task Force (FATF), is committed to combating money laundering, terrorism financing, and the proliferation of weapons of mass destruction. Its legal and regulatory framework for cryptocurrency (referred to as "digital assets" in Malaysia) reflects these international obligations, including compliance with targeted financial sanctions.

The primary regulator for digital asset activities, specifically Digital Asset Exchanges (DAX), in Malaysia is the Securities Commission Malaysia (SC). The Bank Negara Malaysia (BNM) (the central bank) oversees the broader anti-money laundering and counter-terrorism financing (AML/CTF) framework for financial institutions, including those involved with digital assets, ensuring compliance with international sanctions regimes.

Here's a breakdown of cryptocurrency sanctions and restrictions in Malaysia:

1. Primary Legal Framework and Applicability to VASPs

The cornerstone of Malaysia's AML/CTF and sanctions regime is the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001).

Under AMLA 2001, entities dealing with digital assets are considered "reporting institutions" for AML/CTF purposes. The SC, under its Capital Markets and Services Act 2007 (CMSA), regulates Digital Asset Exchanges (DAX) as Recognized Market Operators (RMOs).

• Securities Commission Malaysia (SC) Guidelines on Digital Assets: These guidelines, particularly the latest amendments, impose specific AML/CTF requirements on DAX operators (VASPs) licensed by the SC. They mandate the implementation of policies and procedures to prevent money laundering and terrorism financing, which inherently includes sanctions compliance.

  • Reference:
    • SC Guidelines on Digital Assets (Revised as at 13 June 2023): https://www.sc.com.my/api/documentms/download.ashx?id=f06536b1-0941-4c67-9c98-dfd79b90c29f
    • (Refer particularly to Chapter 8: Anti-Money Laundering and Countering Financing of Terrorism and Proliferation Financing)

• Bank Negara Malaysia (BNM) Policy Document on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions (AML/CFT and TFS Policy Document): This document sets out the regulatory requirements for financial institutions, including reporting institutions dealing with digital assets, regarding AML/CTF and targeted financial sanctions. It is mandatory for VASPs to adhere to the principles and requirements outlined in this policy.

  • Reference:
    • BNM AML/CFT and TFS Policy Document (issued 28 September 2023): https://www.bnm.gov.my/documents/20124/963836/AML+CFT+and+TFS+Policy+Document.pdf

2. OFAC/EU/UN Sanctions Compliance Requirements for VASPs

a. UN Sanctions

Malaysia, as a UN member state, is legally bound to implement sanctions imposed by the United Nations Security Council (UNSC) under Chapter VII of the UN Charter.

• Direct Implementation: Malaysia implements UN Security Council Resolutions (UNSCRs) related to targeted financial sanctions (TFSR) through the AMLA 2001 and specific Ministerial Orders.

  • The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities (Declaration of Specified Entities and Reporting Requirements) Order 2014 (and subsequent amendments) lists individuals and entities designated by the UN Security Council as terrorists or terrorist financiers, and those involved in proliferation financing.
  • Reference:
    • AMLA 2001: https://www.bnm.gov.my/documents/20124/963836/AMLA+2001.pdf
    • Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities (Declaration of Specified Entities and Reporting Requirements) Order 2014: While a direct official government link might be harder to find due to frequent updates, it is enacted under Section 66B of AMLA 2001 and is referenced extensively in the BNM AML/CFT and TFS Policy Document. The consolidated list is found on the UN website.
    • UN Security Council Consolidated List: https://www.un.org/securitycouncil/sanctions/consolidated-list

• VASP Obligations: VASPs in Malaysia are required to immediately freeze the funds and assets of individuals and entities on the UN Security Council Consolidated List and the domestic list (derived from the UN list), and report such freezes to the Financial Intelligence Unit (FIU) at BNM without delay. They must also prohibit making any funds or financial services available to such designated persons.

b. OFAC (U.S. Office of Foreign Assets Control) Sanctions

While OFAC sanctions are U.S. domestic law, they have significant extraterritorial reach due to the dominance of the U.S. dollar in international finance and the global presence of U.S. financial institutions.

• Indirect Applicability & Risk: Malaysian VASPs may not be legally compelled by Malaysian law to enforce OFAC sanctions directly, but practical and commercial realities dictate compliance:
  • Correspondent Banking Relationships: Most Malaysian financial institutions rely on U.S. correspondent banks for international transfers. Non-compliance with OFAC sanctions could lead to de-risking by these correspondent banks, affecting a VASP's ability to conduct international transactions.
  • Secondary Sanctions: Engaging in transactions with OFAC-sanctioned entities or jurisdictions could expose a Malaysian VASP, its directors, or its personnel to secondary sanctions by the U.S. government, impacting their ability to access the U.S. financial system or conduct business with U.S. persons.
  • Reputational Risk: Associating with sanctioned entities carries significant reputational risk.
• VASP Obligations: Due to these risks, prudent Malaysian VASPs typically screen their customers and transactions against OFAC's Specially Designated Nationals (SDN) List and other sanctions lists (e.g., related to Cuba, Iran, North Korea, Syria, Russia) as a best practice for risk management.

c. EU Sanctions

Similar to OFAC, EU sanctions are primarily binding on EU persons and entities.

• Indirect Applicability & Risk: While not directly enforceable in Malaysia, EU sanctions also carry extraterritorial implications, especially for VASPs that deal with EU customers, have EU counterparties, or process transactions involving EU financial systems. Non-compliance could lead to:
  • De-risking by EU financial institutions.
  • Reputational damage.
  • Loss of business with EU-connected entities.
• VASP Obligations: Similar to OFAC, many Malaysian VASPs will screen against EU sanctions lists (e.g., the EU Sanctions Map or Consolidated List of Persons, Groups, Entities Subject to EU Financial Sanctions) as part of their robust compliance programs.

3. Sanctioned Entity Screening Obligations

Malaysian VASPs are required to conduct robust screening as part of their customer due diligence (CDD) and ongoing monitoring processes.

• Mandatory Screening:
  • UN Security Council Consolidated List: This is the primary and mandatory list for screening, as it is directly implemented into Malaysian law.
  • Domestic TFSR List: Any specific lists declared by the Minister under AMLA 2001.
• Best Practice Screening: Given the indirect applicability of OFAC and EU sanctions, and the global nature of crypto, leading VASPs in Malaysia will also screen against:
  • OFAC SDN List and other relevant OFAC lists.
  • EU Consolidated List of Sanctions.
  • Other reputable sanctions lists (e.g., UK HM Treasury, G7 nations).
• Timing: Screening must occur:
  • During customer onboarding (initial CDD).
  • During ongoing monitoring of existing customers.
  • Prior to executing transactions, especially those of high value or complexity.
  • Whenever an entity or individual appears on a newly updated sanctions list.
• Methods: Screening should leverage reliable, up-to-date sanctions databases, often through third-party compliance software solutions that integrate multiple sanctions lists and provide continuous monitoring.

4. Geographic Restrictions

Malaysian VASPs must identify and manage risks associated with geographic locations, particularly those under international sanctions or identified as high-risk for ML/TF.

• Sanctioned Jurisdictions: Transactions with jurisdictions under comprehensive UN sanctions are strictly prohibited. This primarily includes North Korea and Iran (subject to specific proliferation financing sanctions). Engaging in transactions with these countries, directly or indirectly, through digital assets is a severe violation.
• High-Risk Jurisdictions: VASPs must apply enhanced due diligence (EDD) to customers and transactions linked to jurisdictions identified by FATF as high-risk (e.g., those on the FATF Public Statement), or other countries designated as having strategic AML/CTF deficiencies.
• OFAC/EU Designated Jurisdictions: For practical reasons and to mitigate secondary sanctions risk, many VASPs will avoid or apply extremely stringent controls to transactions originating from or destined for countries under broad OFAC or EU sanctions, such as Cuba, Syria, Venezuela, and specific regions of Ukraine/Russia.

5. Penalties for Violations

Violations of Malaysia's AML/CTF and sanctions laws carry severe penalties, as outlined in AMLA 2001 and the Capital Markets and Services Act 2007 (CMSA).

• Under AMLA 2001:
  • Money Laundering Offences (Section 4): Individuals found guilty can face imprisonment for up to 15 years and a fine of not less than five times the value of the proceeds of unlawful activities or RM5 million, whichever is higher.
  • Terrorism Financing Offences (Section 130N, 130P): Carry even more severe penalties, including imprisonment for life for individuals.
  • Failure to Report Suspicious Transactions or Sanctions Breaches (Section 14): Reporting institutions (VASPs) that fail to report suspicious transactions or freezes of sanctioned assets can face fines of up to RM1 million.
  • Tipping Off (Section 15): Disclosing that a suspicious transaction report has been made can lead to imprisonment of up to five years or a fine of up to RM250,000, or both.
• Under Securities Commission Malaysia (SC) Regulations (CMSA):
  • Administrative Actions: The SC can impose various administrative penalties on licensed Digital Asset Exchanges (RMOs) for non-compliance with its guidelines, including reprimands, financial penalties, suspension, or even revocation of the license.
  • Enforcement Actions: Depending on the severity, non-compliance with AML/CTF requirements could lead to criminal prosecution under the CMSA or other relevant laws.

6. Country-Specific Sanctions Lists that Apply to Crypto

Malaysia does not maintain a sanctions list specific to cryptocurrency. Instead, the general sanctions lists (primarily derived from the UN Security Council Consolidated List) apply to all financial activities and assets, including digital assets.

Therefore, the UN Security Council Consolidated List (and any domestic lists derived from it under AMLA 2001) is the core country-specific sanctions list that VASPs in Malaysia must comply with for crypto transactions.

In summary, Malaysian VASPs are subject to a robust AML/CTF framework that mandates compliance with UN sanctions. While OFAC and EU sanctions are not directly enforceable under Malaysian law, adherence is a practical necessity due to global financial interconnectedness and the risk of secondary sanctions. A comprehensive compliance program for a Malaysian VASP must include thorough screening against all relevant international sanctions lists, robust geographic risk assessment, and immediate reporting of any hits or suspicious activities to the authorities.