Skip to main content Skip to navigation
AMLA Malaysia

Everything you need to know about Malaysia’s AML/CFT regulations

According to the International Monetary Fund (IMF), Malaysia is the sixth-largest economy in Southeast Asia, with a GDP estimated at approximately $516 billion, just behind Indonesia (the region’s largest economy at $1.55 trillion, Singapore, Thailand, the Philippines, and Vietnam. 

One of the sectors in Malaysia that has attracted significant investment from around the world is FinTech, which has grown tremendously in recent years. With a market valuation of $12 billion as of 2026, forecast to double by 2031, and comprising more than 500 companies, Malaysia has become the third-largest FinTech ecosystem in Southeast Asia, after Singapore and Indonesia. 

These trends don’t come without risk. Financial regulators have had to adapt to safeguard their financial systems against emerging anti-money laundering and countering the financing of terrorism (AML/CFT) threats and comply with the Anti-Money Laundering, Anti-Terrorism Financing, and Proceeds of Unlawful Activities Act 2001 (AMLA) in Malaysia.

Accordingly, companies should ensure they understand how to comply and which AML/CFT considerations are their priority to prevent money laundering in Malaysia. Below, we answer commonly asked questions.

What are the Malaysian financial authorities?

The Malaysian financial system is overseen by Bank Negara Malaysia (BNM), the country’s central bank and regulator. 

BNM was established under the Central Bank of Malaysia Act 2009 and operates under the authority of Malaysia’s main banking legislation: the Financial Services Act 2013 and the Islamic Financial Services Act 2013, which covers the Islamic banking sector. 

BNM sets AML/CFT policy in Malaysia, adopting a risk-based supervisory approach and issuing periodic guidance to Malaysian financial institutions (FIs) in line with the recommendations of the Asia/Pacific Group on Money Laundering (APG).

BNM is joined in its supervision of the Malaysian financial system by the Securities Commission (SC), which acts as the regulatory authority for the capital market, and the Labuan Financial Services Authority (Labuan FSA), which specifically regulates the Labuan International Business Financial Center, the special economic zone on the island of Labuan.

What is the AMLA legislation in Malaysia for?

AMLA is the cornerstone of Malaysia’s financial crime framework. It defines money laundering and terrorism financing offenses, sets out the obligations placed on reporting institutions, and details enforcement and investigatory powers.

The AMLA Amendment Act 2025 is the most significant reform to this legislation since its enactment. Passed by parliament in December 2024 and pending gazette notification to take effect, the Amendment Act extends the full name of the legislation to: Anti-Money Laundering, Anti-Terrorism Financing, Anti-Restricted Activity Financing, and Proceeds of Unlawful Activities Act. The new provisions introduce a dedicated offense for financing restricted activities – specifically the proliferation of weapons of mass destruction – aligning Malaysia’s legal framework with the Financial Action Task Force (FATF) Recommendation 7 and related UN Security Council resolutions.

Key changes introduced by the Amendment Act include:

  • New proliferation financing offense: Any person who, directly or indirectly, provides or makes available financial services or property knowing it will be used to support the proliferation of weapons of mass destruction may face imprisonment of up to 15 years and a fine of no less than RM5 million or five times the value of the proceeds – whichever is higher.
  • Mandatory sentencing for money laundering: The Amendment Act removes judicial discretion in sentencing for money laundering offenses under Section 4(1), replacing it with mandatory combined penalties of imprisonment and fines.
  • Personal liability and non-cooperation: Directors, officers, and employees can be held personally liable for compliance failures. Non-cooperation with AML inspections carries penalties of up to RM3 million and/or up to five years’ imprisonment. (These governance obligations are covered in full in section 3.)
  • Extended record retention: Institutions have to retain customer and transaction records for a minimum of six years from the date a relationship, account, or transaction is closed or terminated.
  • Asset seizure periods: Maximum seizure periods have been extended from 12 to 18 months, and continuation orders are now tied to the prosecution of the property rather than the person.

DNFBPs and NBFIs: The February 2024 BNM policy document extended the same core AML/CFT and counter-proliferation financing (CPF) obligations to a broad range of non-financial entities, including law firms, accountancy practices, real estate agents, trust companies, casinos, moneylenders, and pawnbrokers. Compliance officers at these institutions should review their customer due diligence (CDD), targeted financial sanctions (TFS) screening, and internal program documentation against the revised requirements.

FinTechs: No separate AML/CFT legislation applies to FinTechs in Malaysia – all FinTech businesses are subject to the existing legislative framework. BNM’s Financial Technology Regulatory Sandbox Framework, launched in 2016, remains the primary mechanism for developing FinTech-specific regulatory guidance. In 2025, BNM issued an exposure draft on e-money that set out strengthened AML/CFT obligations for e-money issuers and wallet providers, including more explicit expectations for CDD, transaction monitoring, and sanctions screening.

The Labuan FSA issues separate guidelines, directives, and circulars for institutions operating within its jurisdiction.

What are governance, accountability, and internal program requirements for firms?

BNM’s AML/CFT/CPF policy framework places explicit obligations on boards, senior management, and compliance officers – not just on the institution as a whole. These governance requirements apply to both FIs and, under the February 2024 policy documents, designated non-financial businesses and professions (DNFBPs) and non-banking financial institutions (NBFIs).

At the board level, governing bodies have to directly oversee and approve their institution’s AML/CFT/CPF policies. This includes reviewing the adequacy of internal controls, overseeing the use of non-face-to-face onboarding methods, and ensuring the institution’s risk appetite and compliance framework remain aligned with BNM’s requirements.

Senior management bears responsibility for implementing and operationalizing the AML/CFT/CPF program. That means appointing a fit-and-proper AML Compliance Officer, providing adequate resources and training, and ensuring clear communication channels so compliance concerns can be escalated without obstruction.

The AMLA Amendment Act 2025 significantly sharpens these obligations. Directors, officers, and employees of reporting institutions can now be held personally liable for compliance failures – not only for outright non-compliance but for failing to adopt and implement effective internal programs. This is a meaningful departure from the previous regime, in which liability rested primarily with the reporting institution itself. Compliance Officers, in particular, should carefully document their oversight activities, as this documentation may be material evidence if a failure is investigated.

How are data privacy and personal data protection regulated in Malaysia?

The primary data protection legislation relevant to AML operations is the Personal Data Protection Act 2010 (PDPA), as modernized by the Personal Data Protection (Amendment) Act 2024. The 2024 amendments introduce mandatory data breach notification requirements, a new obligation to appoint Data Protection Officers, enhanced penalties of up to RM1 million and/or three years’ imprisonment for breaches of data protection principles, and a right to data portability.

FIs subject to BNM’s oversight operate under both the PDPA and BNM’s sectoral rules. Where the two overlap, the more specific BNM requirements govern. Institutions storing or processing customer data for AML/CFT/CPF purposes – particularly where that data is hosted in cloud environments or transferred across borders – should ensure their data governance policies are aligned with both regimes.

The PDPA’s territorial scope remains limited to Malaysia, meaning personal data processed outside the country is not automatically subject to its rules. However, institutions using offshore cloud infrastructure for AML data processing should take legal advice on applicable requirements, particularly given BNM’s expectations around data access and resilience.

Why can transaction monitoring help with AML/CFT in Malaysia?

AMLA requires all reporting institutions to maintain ongoing transaction monitoring programs as part of their internal AML/CFT/CPF controls. These programs need to be calibrated to the institution’s specific risk profile and updated continuously as new threats emerge.

In practice, institutions have to monitor for transactions in unusually large amounts or unusual patterns, transactions with no apparent lawful purpose, transactions that appear to involve proceeds of unlawful activity, and transactions originating from or directed to jurisdictions identified as high-risk for financial crime. BNM’s risk-based approach means that monitoring intensity should reflect assessed risk – higher-risk customer segments, products, or geographies warrant greater scrutiny.

Where suspicious activity is detected, FIs should promptly submit a suspicious activity report (SAR) to BNM’s Financial Intelligence and Enforcement Department. Malaysia’s December 2025 FATF/APG Mutual Evaluation Report noted that while the financial sector’s effectiveness is substantial, the conversion of suspicious activity reports into money laundering prosecutions and convictions remains an area for improvement – one that is likely to attract supervisory focus in the coming years. 

How does Malaysia implement targeted financial sanctions?

Malaysia implements targeted financial sanctions (TFS) through a framework based on UN Security Council resolutions and domestic designations. The Ministry of Home Affairs maintains the List of Sanctioned Entities and List of Sanctioned Individuals, which all reporting institutions should screen against.

Under BNM’s February 2024 policy documents, TFS obligations now apply explicitly to both FIs and DNFBPs/NBFIs, and CPF-related TFS screening has been formally incorporated into the compliance framework. This means institutions need to screen not only for terrorism financing designations but also for entities and individuals linked to the proliferation of weapons of mass destruction.

Institutions have to screen new customers during onboarding and conduct regular rescreening of existing customers to identify changes in risk profile. Any sanctions alerts should be reported to BNM without delay. The AMLA Amendment Act 2025 also extends the legal basis for freezing order applications to cover terrorism financing and restricted activity financing offenses, broadening the enforcement tools available to regulators when acting on TFS alerts.

When should firms conduct customer due diligence (CDD)?

AMLA and BNM’s policy framework requires reporting institutions to conduct CDD throughout the customer lifecycle, establishing and verifying customer identity at onboarding, and then maintaining ongoing checks to detect changes in the customer’s risk profile.

Under the FI policy document, CDD is required when handling transactions over RM25,000, when changing money, when handling wire transfers or e-services, and when establishing new business relationships. CDD must confirm the customer’s identity, the nature and purpose of the business relationship, and, for corporate customers, the beneficial ownership and control structure.

The risk-based approach mandates enhanced due diligence (EDD) for higher-risk customers and activities, including screening for politically exposed persons (PEPs) and adverse media monitoring. The AMLA Amendment Act 2025 adds further emphasis on PEP and high-risk jurisdiction oversight as part of the expanded personal liability provisions for compliance officers.

Non-face-to-face onboarding via electronic know your customer (e-KYC) is permitted under BNM’s e-KYC policy document, subject to specific controls. Institutions using digital onboarding channels must ensure their CDD measures are at least equivalent to those applied in-person.

What are AML/CFT obligations for digital assets?

The Securities Commission Malaysia regulates digital assets as securities under the Capital Markets and Services Order 2019. Digital asset exchanges and issuers operating in Malaysia are classified as reporting institutions under AMLA, meaning they are subject to the full AML/CFT/CPF obligations – including CDD, transaction monitoring, TFS screening, and SAR filing.

In January 2026, the SC clarified that licensed Capital Markets Services License (CMSL) holders may offer digital asset broking services under specific regulatory conditions, expanding the regulated perimeter and bringing additional intermediaries within the scope of AMLA obligations.

Firms operating in the digital asset space should monitor SC and BNM guidance closely and ensure their compliance frameworks reflect both the SC’s AML/CFT/CPF guidelines and BNM’s broader policy requirements.

What are the recent and upcoming regulatory developments in Malaysia?

Malaysia’s regulatory environment has shifted considerably since 2024, with the pace of change accelerating rapidly in 2026. Compliance teams should focus on five key areas of development:

  • FATF/APG mutual evaluation: Malaysia achieved “Regular Follow-Up” – the highest category. BNM is focusing on increasing prosecutions and expanding oversight to lower-scrutiny sectors – such as real estate, legal, and accounting.
  • AMLA Amendment Act 2025: This pending Act introduces mandatory sentencing, personal officer liability, and proliferation financing offenses. Firms should proactively update policies and retrain compliance teams now.
  • E-money and digital payments: Revamped BNM policies mandate stronger technology and cybersecurity resilience standards. Gap analysis must be fully compliant by March 2027.
  • Stablecoins and tokenized deposits: Under the Digital Asset Innovation Hub (DAIH), BNM expects to release official regulatory guidance by late 2026. Stricter AML and reserve controls will target retail products.
  • Project Nexus: Targeting live regional cross-border payment corridors in 2026. Real-time transaction rails require compliance teams to upgrade to instant AML and sanctions screening.

Meet Malaysia’s AML compliance requirements with ComplyAdvantage Mesh

The complexity of Malaysia’s AML/CFT/CPF framework, now spanning financial institutions, DNFBPs, digital asset operators, and e-money issuers, means compliance teams face an expanding set of obligations across the full customer lifecycle. 

AI-native financial crime risk platform ComplyAdvantage Mesh combines proprietary risk intelligence with configurable screening and monitoring applications and supports firms in covering the full compliance lifecycle – from customer onboarding through to ongoing monitoring and payment screening in a single platform throughout:

  • Customer Screening: Screen individuals against global sanctions lists, PEP databases, and adverse media with risk-scored results and beneficial ownership visibility for corporate CDD.
  • Ongoing Monitoring: Automatically alerts compliance teams when a customer’s sanctions status, PEP classification, or adverse media profile changes, supporting BNM’s continuous rescreening obligations.
  • Transaction Monitoring: Applies configurable, risk-based rules to detect the transaction patterns BNM specifies – including unusual amounts, unclear purpose, and high-risk jurisdiction routing – and prioritizes alerts for review.
  • Payment Screening: Screens payments against sanctions and watchlists at the speed required by real-time payment infrastructure, relevant for firms handling cross-border flows under Project Nexus or e-money channels.

Meet Malaysia’s AML compliance requirements with ComplyAdvantage Mesh

ComplyAdvantage Mesh helps financial institutions and DNFBPs across APAC screen customers, monitor transactions, and stay ahead of evolving regulatory requirements, including BNM's policy framework.

Get a demo

Originally published 28 January 2020, updated 07 July 2026

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2026 IVXS UK Limited (trading as ComplyAdvantage).