Malaysia -- Travel Rule Implementation Regulatory Overview

Malaysia has adopted the principles of the FATF Travel Rule for Virtual Asset Service Providers (VASPs). The implementation primarily falls under the purview of Bank Negara Malaysia (BNM) as the central bank and main financial regulator, and the Securities Commission Malaysia (SC) for entities dealing with digital assets within the capital markets.

Here's a breakdown of the status:

1. Whether Adopted

Yes, the FATF Travel Rule principles have been adopted in Malaysia.

Malaysia's regulatory framework extends the obligations for wire transfers to virtual assets. This means VASPs are required to collect, hold, and transmit originator and beneficiary information for virtual asset transfers, similar to traditional financial institutions for wire transfers.

• Key Legislation/Guidance:

  • Bank Negara Malaysia (BNM) Policy Document on Anti-Money Laundering, Counter-Terrorism Financing and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS Policy Document): This is the primary document.

    • Specifically, Paragraph 10.1.2 states: "A reporting institution that conducts virtual asset transfers shall apply the obligations outlined in this policy document relating to funds or wire transfers to virtual assets." This explicitly extends the Travel Rule to virtual assets.
    • Official URL (latest version): You can typically find the latest version on BNM's website under their AML/CFT section. As of my last update, a significant version was issued in 2020 with subsequent amendments. Search for "BNM AML CFT Policy Document" on www.bnm.gov.my.

  • Securities Commission Malaysia (SC) Guidelines on Digital Assets: These guidelines govern Digital Asset Exchanges (DAX) and other entities dealing with digital assets. They mandate compliance with BNM's AML/CFT framework.

    • Section 9 (Anti-Money Laundering and Counter-Terrorism Financing): Requires registered Digital Asset Exchanges (DAX) to comply with the AMLA and BNM's AML/CFT and TFS Policy Document.
    • Official URL (latest version): Search for "SC Guidelines on Digital Assets" on www.sc.com.my.

2. Effective Date

The explicit extension of wire transfer obligations to virtual assets under the BNM AML/CFT and TFS Policy Document generally became effective with the issuance/amendment of the relevant policy document. The 2020 BNM Policy Document (issued 31 December 2020, effective 1 January 2021) included the critical Paragraph 10.1.2, making the Travel Rule principles applicable to VASPs from that point.

3. Threshold Amounts

The thresholds generally mirror those for traditional wire transfers, as the virtual asset requirements are an extension of those rules:

• Cross-Border Transfers (both traditional and virtual assets): All required originator and beneficiary information must be obtained and transmitted, regardless of the amount.
• Domestic Transfers (both traditional and virtual assets):
  • For transfers equal to or exceeding RM3,000 (or equivalent in foreign currency/virtual assets): All required originator and beneficiary information must be obtained and transmitted.
  • For transfers below RM3,000 (or equivalent): Reporting institutions are permitted to omit certain information (e.g., originator's address or national identity number, beneficiary's address), provided they can produce this information within 3 working days if requested by authorities.

4. Which VASPs Are Covered

The term "reporting institution" under Malaysia's Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) and BNM's Policy Document is broad.

Specifically, for virtual assets, this primarily covers:

• Digital Asset Exchanges (DAX) registered with the Securities Commission Malaysia: These are explicitly identified as VASPs and reporting institutions under the SC's guidelines and are thus fully covered.
• Other entities providing VASP services (e.g., crypto custodians, issuers of certain virtual assets, brokers dealing in virtual assets) would be covered if their activities fall within the definitions of "financial institutions" or "reporting institutions" under the AMLA or are otherwise regulated by BNM or SC.

5. Technical Implementation Requirements

Malaysian legislation and guidance do not prescribe a specific technical solution (e.g., a particular protocol like TRISA, Sygna, Travel Rule Universal Protocol (TRUP), etc.). Instead, the focus is on the outcome:

• Information Collection: VASPs must collect the required originator (sender) and beneficiary (recipient) information, including names, account numbers (or wallet addresses), and physical addresses or national identity numbers/customer identification numbers.
• Information Holding: This information must be securely stored and readily retrievable.
• Information Transmission: The collected information must be transmitted to the beneficiary VASP during or before the virtual asset transfer.
• Sanctions Screening: Both originator and beneficiary information must be screened against relevant sanctions lists.
• Record Keeping: Records of all transactions and the associated Travel Rule data must be maintained for a prescribed period (typically at least 7 years under AMLA).
• Risk-Based Approach: VASPs are expected to adopt a risk-based approach to assess and mitigate ML/TF risks, which includes enhanced due diligence where appropriate.

VASPs are expected to implement their own technical solutions or use third-party providers that enable them to comply with these data collection, storage, and transmission requirements in a secure and efficient manner.

6. Penalties for Non-Compliance

Non-compliance with AML/CFT requirements, including the Travel Rule, can lead to severe penalties under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA). These penalties can apply to both the VASP entity and its responsible officers.

General penalties include:

• Fines: Significant monetary penalties, which can run into millions of Ringgit for entities.
• Imprisonment: Individuals (e.g., directors, compliance officers) found responsible for non-compliance may face imprisonment.
• Revocation or Suspension of Licenses: For regulated entities like DAXes, their licenses can be revoked or suspended by the SC or BNM.
• Reputational Damage: Significant damage to the VASP's reputation.
• Enforcement Actions: BNM and SC have the power to issue directives, impose administrative penalties, or take other enforcement actions.

The specific penalties vary depending on the nature and severity of the breach, whether it's a first offense, and other mitigating or aggravating factors.

It is crucial for any VASP operating in or serving customers in Malaysia to consult the latest versions of the BNM and SC guidelines and, if necessary, seek legal advice to ensure full compliance.