Malaysia is a regional and global political power with the third-largest economy in Southeast Asia, following Indonesia and Thailand. Attracting business interests from across the world, and with high investment in the technology and digital sectors, Malaysian fintech has grown in prominence in recent years. As a result, financial regulators have had to adapt in order to safeguard their financial systems against emerging AML/CFT threats.
Accordingly, companies should ensure they understand how to comply with AML in Malaysia and what their priority AML/CFT considerations should be.
The Malaysian financial system is overseen by Bank Negara Malaysia (BNM), which acts as the country’s regulator and central bank. The bank was established by the Central Bank of Malaysia Act 2009 and operates under the authority of Malaysia’s main articles of banking legislation: the Financial Services Act 2013 and the Islamic Financial Services Act 2013, which covers the Islamic banking sector. BNM sets AML/CFT policy in Malaysia, adopting a risk-based supervisory approach and issuing periodic guidance to Malaysian financial institutions in line with the recommendations of the Asia/Pacific Group on Money Laundering (APG).
BNM is joined in its supervision of the Malaysian financial system by the Securities Commission (SC), which acts as the regulatory authority for the capital market, and the Labuan Financial Services Authority (Labuan FSA), which specifically regulates the Labuan International Business Financial Centre, the special economic zone on the island of Labuan.
The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) is the primary piece of AML/CFT legislation in Malaysia. The Act defines the offenses of money laundering and the financing of terrorism and sets out the measures that financial institutions must take to detect and prevent those criminal activities. It also details the investigatory powers that authorities have in the prosecution of money laundering and terrorism financing cases.
The Labuan Financial Services Authority issues its own guidelines, directives, and circulars to financial institutions within the special economic zone.
Fintechs: There is no specific AML/CFT legislation applicable to fintechs in Malaysia. All fintech businesses operate under the country’s existing legislative infrastructure. Provisions have, however, been made to extend some AML/CFT regulation to fintechs:
- BNM launched the Financial Technology Regulatory Sandbox Framework in 2016. The framework aims to eventually deliver a regulatory environment that works with the needs of Malaysia’s fintechs.
- The framework adapts existing AML/CFT regulations to the environments in which fintechs operate, aiming to protect their innovative objectives.
The primary piece of data protection legislation in Malaysia is the Personal Data Protection Act 2010 (PDPA), which specifically concerns the treatment of personal data in commercial contexts. The PDPA requires commercial data users, such as banking and financial institutions, to register as data users and comply with the relevant regulations.
The PDPA is limited to Malaysia, which means that personal data processed outside the country is not subject to its rules. Similarly, the PDPA has no specific provisions for the treatment of personal data online.
The AMLA imposes certain monitoring obligations on banks and financial institutions in Malaysia that must be integrated into internal AML/CFT programs. Those monitoring programs should reflect the level of risk the institution faces and must monitor continuously to address new and emerging risks. In practice, financial institutions must monitor for:
- Transactions in unusually large amounts or in unusual patterns;
- Transactions that have no clear purpose;
- Transactions that appear illegal or involve proceeds from illegal activities; and
- Transactions originating from or being directed to countries with high levels of AML/CFT risk.
Where suspicious activity is detected, financial institutions must promptly submit a suspicious activity report (SAR) to BNM.
Under the AMLA, sanctions screening is an important priority for banks and financial institutions, which must report any sanctions alerts to BNM. Institutions must not only screen new customers against sanctions lists but also conduct regular checks on existing customers to ensure risk profiles have not changed. Sanctions imposed in Malaysia are based on United Nations Security Council resolutions and can be found in the Ministry of Home Affairs’ List of Sanctioned Entities and List of Sanctioned Individuals.
The AMLA requires banks and financial institutions to conduct ongoing customer due diligence (CDD) checks on all customer accounts, relationships, transactions and activities. CDD checks should establish and verify a customer’s identity during onboarding and then throughout the ongoing relationship to ensure that the customer’s risk profile has not changed.
Malaysia’s Financial Technology Regulatory Sandbox Framework is intended to help integrate fintechs with Malaysia’s wider AML/CFT regime over the coming years. Beyond the framework, an upcoming change to the Anti-Money Laundering and Counter Financing of Terrorism rules will see the introduction of minimum standards for money-changing services during the onboarding of new customers online or via mobile devices.
How ComplyAdvantage Can Help
The complexity of Malaysia’s AML/CFT regulations means that banks and financial institutions must expend significant administrative effort to achieve compliance and avoid potential errors and penalties.
To overcome that challenge, ComplyAdvantage employs a range of cutting-edge screening tools: our automated AML/CFT solutions deliver speed and efficiency to your AML program, complementing the expertise of employees with smart technology and passing the benefits on to customers and clients.