Essential AML/CFT Guidelines for Financial Institutions in Malaysia
The fintech industry in Malaysia is experiencing rapid growth, driven by digital transformation, increased smartphone penetration, and a thriving digital economy. However, this expansion also heightens the risk of financial crimes, particularly money laundering and terrorist financing.
As fintech firms introduce digital payments, peer-to-peer lending, and blockchain-based financial services, ensuring money laundering compliance in Malaysia is more critical than ever. Non-compliance with Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) regulations can lead to severe penalties, reputational damage, and even business suspension.
In this guide, we explore the regulatory landscape of AML compliance for fintech companies in Malaysia, the key challenges they face, and how they can implement robust compliance frameworks to meet regulatory expectations and prevent financial crime.
Malaysia's Economic Landscape
Malaysia is a key financial hub in Southeast Asia, boasting a diverse economy driven by manufacturing, services, and agriculture. While its economic strength attracts foreign investments and fintech innovation, it also presents significant financial crime risks, making money laundering compliance in Malaysia a critical focus for financial institutions and fintech companies.
Key vulnerabilities in Malaysia’s financial ecosystem include:
🔹 High Cash-Based Transactions – The presence of informal sectors with cash-heavy operations increases the risk of untraceable financial activities.
🔹 Cross-Border Financial Flows – Malaysia's role in international trade and remittances raises concerns about illicit fund movements.
🔹 Organized Crime Networks – Criminal organizations exploit financial loopholes to facilitate money laundering and terrorist financing.
🔹 High-Risk Sectors (Real Estate, Gaming, Luxury Assets) – These industries are frequently linked to financial crimes, requiring enhanced AML oversight.
For fintech firms operating in Malaysia, understanding these financial crime vulnerabilities is essential for developing robust AML/CFT compliance strategies that align with regulatory expectations. Strengthening money laundering controls not only ensures compliance but also enhances operational security and business credibility in Malaysia’s evolving fintech landscape.
Malaysia’s AML/CFT Regulatory Framework
Malaysia enforces a robust AML/CFT compliance framework to prevent money laundering, terrorist financing, and financial crimes. Governed by the Anti-Money Laundering, Anti-Terrorism Financing, and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA), financial institutions and fintech companies must implement risk-based AML programs, transaction monitoring, and regulatory reporting to ensure money laundering compliance in Malaysia.
Key AML/CFT Guidelines for Financial and Non-Financial Institutions
Bank Negara Malaysia (BNM) has outlined specific AML/CFT policies that fintech firms, financial institutions, and non-financial entities must follow:
✅ AML/CFT & Targeted Financial Sanctions for Financial Institutions (FIs) – Applicable to banks, insurers, and financial advisers to enforce risk-based AML compliance.
✅ AML/CFT Guidelines for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) – Covers lawyers, accountants, trust companies, and gaming operators to mitigate financial crime risks.
✅ AML/CFT Guidelines for Digital Currencies (Sector 6) – Specifically designed for cryptocurrency exchanges, blockchain service providers, and virtual asset firms.
✅ Risk-Based Capital Adequacy Framework for Virtual Banks – Ensures fintech companies and digital banks maintain adequate capital reserves to manage financial crime risks.
These regulatory frameworks play a critical role in safeguarding Malaysia’s financial ecosystem and ensuring businesses meet global AML compliance standards.
Key AML/CFT Enforcement Bodies in Malaysia
Multiple enforcement agencies collaborate to ensure effective AML/CFT compliance in Malaysia:
🔹 Bank Negara Malaysia (BNM): The primary regulator overseeing financial institutions and enforcing AML compliance.
🔹 Unit Pelaporan Melayu (STRO): Malaysia’s financial intelligence unit (FIU) responsible for analyzing Suspicious Transaction Reports (STRs).
🔹 Royal Malaysia Police: Investigates financial crimes, including fraud, terrorist financing, and money laundering schemes.
🔹 Malaysian Anti-Corruption Commission (MACC): Focuses on corruption-linked money laundering and high-profile financial crime cases.
🔹 Securities Commission (SC): Regulates Malaysia’s capital markets, ensuring AML compliance in securities and investment sectors.
🔹 Labuan Financial Services Authority (Labuan FSA): Supervises offshore banking, financial services, and international business transactions.
By complying with Malaysia’s AML/CFT regulatory framework, fintech companies and financial institutions can strengthen their anti-money laundering defences, avoid regulatory penalties, and contribute to a secure financial system.
Detailed Breakdown of AML/CFT Requirements in Malaysia
Under Malaysia’s Anti-Money Laundering, Anti-Terrorism Financing, and Proceeds of Unlawful Activities Act 2001 (AMLA Act), certain institutions, businesses, and professions are classified as reporting institutions. These entities are subject to strict AML compliance requirements, ensuring money laundering compliance in Malaysia is upheld across the financial and non-financial sectors.
Who Must Comply with AML/CFT Regulations in Malaysia?
Financial institutions
Regulated under the Financial Services Act 2013 & Islamic Financial Services Act 2013
✅ Licensed banks, investment banks, insurers, and financial advisers
✅ Insurance brokers and issuers of designated payment instruments
✅ Money brokers and prescribed development financial institutions
✅ Dealers in securities, derivatives, or fund management under the Capital Markets and Services Act 2007
✅ Lembaga Tabung Haji (Malaysia's Pilgrimage Fund Board)
Non-Financial Businesses and Professions (DNFBPs & NBFIs)
📌 Regulated under the AMLA Act
✅ Licensed gaming outlets and casinos
✅ Accountants, lawyers, company secretaries, and trust companies
✅ Registered estate agents, moneylenders, and pawnbrokers
✅ Leasing and factoring businesses
✅ Dealers in precious metals, gemstones, and high-value goods
Cryptocurrency & Digital Asset Service Providers
Regulated under the Capital Markets and Services Act 2007
✅ Businesses providing safekeeping, custody, or storage of digital currencies and tokens
✅ Crypto advisory services for digital asset trading and investments
Key AML/CFT Compliance Obligations in Malaysia
Both financial institutions and DNFBPs must adhere to standard AML compliance requirements, which include:
🔹 Customer Due Diligence (CDD) & Risk Assessments – Identifying and verifying customer identities before conducting transactions.
🔹 Suspicious Transaction Reporting (STRs) – Mandatory reporting of unusual or suspicious transactions to Bank Negara Malaysia (BNM).
🔹 Transaction Record-Keeping – Maintaining records of financial transactions and customer profiles for at least seven years.
🔹 AML Compliance Programs – Implementing internal AML policies, training programs, and risk-based monitoring systems.
Cash Transaction Reporting (CTR) Requirements
Certain reporting institutions must also submit Cash Transaction Reports (CTR) to Bank Negara Malaysia for any single or multiple cash/e-money transactions amounting to MYR 25,000 or more within the same account on a given day.
📢 Entities required to file CTRs:
✅ Banking institutions
✅ Selected development financial institutions
✅ Lembaga Tabung Haji (Malaysia’s Pilgrimage Fund Board)
✅ Licensed casinos
By ensuring strict adherence to AML/CFT regulations, businesses operating in Malaysia can strengthen financial crime defences, avoid regulatory penalties, and maintain operational credibility in a growing fintech-driven economy.
Exceptions
The following entities are additionally subject to the obligation to submit a Cash Transaction Report (CTR) to the Central Bank of Malaysia when their customers conduct single or multiple cash transactions (in the form of either cash or e-money) within the same account in a day in the amount of MYR 25,000 and above:
- Banking institutions.
- Selected prescribed development financial institutions.
- Lembaga Tabung Haji (pilgrimage board).
- Licensed casinos.
Compliance Program Requirements
As per the AMLA Act, reporting institutions are required to have the following controls in their compliance program:
- Procedures in place to ensure high standards of integrity of employees and a system to evaluate the personal, employment, and financial history of these employees.
- Employee training programs, such as "know your customer" programs, that instruct employees on their responsibilities regarding recordkeeping, reporting suspicious transactions, the prohibition on disclosing suspicious transaction reports, CDD, and retention of records.
- An independent audit function to check compliance with such programs.
Recordkeeping and Reporting Large Currency Transactions
Recordkeeping
Reporting institutions are obligated to maintain pertinent records, encompassing accounts, files, business correspondence, and transaction-related documents with their clientele. The records mandated for retention by a reporting institution include:
- Documentation acquired during the Customer Due Diligence (CDD) process, like copies of identification cards, passports, and incorporation documents.
- Any documents or records linked to the customer's transactions, inclusive of business correspondence.
- Records of any analyses conducted by the reporting institution, such as the assessment of Money Laundering/Terrorism Financing (ML/TF) risks concerning customers and any analyses of internally filed suspicious transaction reports or submissions to Bank Negara Malaysia.
Reporting institutions must ensure that all pertinent records concerning transactions are comprehensive enough to facilitate the reconstruction of individual transactions, thereby furnishing evidence, if required, for the prosecution of criminal activities.
Reporting institutions are mandated to retain these records for a minimum of six years following the conclusion of the transaction, the termination of the business relationship, or after the date of the occasional transaction.
Reporting Large Cash Transactions
Selected reporting institutions are obliged to furnish a Currency Transaction Report (CTR) to the Central Bank of Malaysia when their customers execute single or multiple cash transactions (either in cash or e-money) within the same account, amounting to MYR 25,000 or more in a single day.
At present, the obligation to report CTRs applies solely to banking institutions, select prescribed development financial institutions, Lembaga Tabung Haji (pilgrimage board), and licensed casinos.
Reporting of Suspicious Transactions
No mandatory requirements exist for routinely reporting transactions aside from significant cash transactions.
Nevertheless, reporting institutions are compelled to report suspicious transactions (including attempted and proposed ones) to the Central Bank of Malaysia. The criteria for reporting suspicious activity are as follows:
To submit a Suspicious Transaction Report (STR), reporting institutions must complete and deliver the STR form to the Financial Intelligence and Enforcement Department (FIED) of the Central Bank of Malaysia via any of the following channels:
- E-mail to: str@bnm.gov.my
- Mail to: Director, Financial Intelligence and Enforcement Department, Bank Negara Malaysia, Jalan Dato' Onn, 50480 (Kuala Lumpur), (To be opened by addressee only)
- Financial Intelligence System (FINS) (where applicable)
The following information must be included in an STR:
- Information on the account holder, client, or beneficial owner of the transaction.
- Information on the individual conducting the transaction.
- Transaction details, such as the type of products or services, the amount involved, and the review period.
- A description of the suspicious transaction or its circumstances.
- The suspected offence.
- Any other pertinent information that may assist the FIED in identifying potential offences and individuals or entities involved.
Customer Due Diligence and Enhanced Due Diligence in Money Laundering Compliance in Malaysia
Standard Customer Due Diligence (CDD) Requirements
Under Malaysia’s AML/CFT regulations, reporting institutions must conduct Standard CDD to verify customer identities and assess potential risks. The key requirements include:
✅ Customer Identification & Verification – Verify customers using independent and reliable documents such as National Registration Identity Cards (NRICs), passports, or official government records.
✅ Verification of Authorized Representatives – Confirm that any person acting on behalf of the customer is authorized to do so.
✅ Identification of Beneficial Owners – Establish and verify the true owner(s) of an account or business entity to prevent shell companies and nominee structures from hiding illicit funds.
✅ Understanding the Business Relationship – Assess the nature, purpose, and expected transactional activities of the customer.
Customer Identification Requirements
For Individual Customers & Beneficial Owners:
🔹 Full name & any aliases used
🔹 NRIC/passport/reference number
🔹 Residential & mailing address
🔹 Date of birth & nationality
🔹 Occupation & employer details
🔹 Contact number & purpose of transaction
For Legal Entities (Companies & Trusts):
🔹 Business name & legal structure
🔹 Proof of incorporation (certificates, partnership agreements)
🔹 Directors' resolution & authorized signatories
🔹 Registered office & principal business address
🔹 Nature of business & management personnel details
For Corporate Beneficial Owners:
📌 Reporting institutions must verify:
🔹 Individuals with over 25% ownership or controlling interest
🔹 Persons exercising control through indirect means
🔹 If no individual is identified, the person holding a senior management position
Enhanced Due Diligence (EDD) for High-Risk Customers & Transactions
For higher-risk customers and transactions, Enhanced Due Diligence (EDD) measures must be applied to strengthen money laundering compliance in Malaysia. These requirements include:
✅ Obtaining Additional Customer Information – Collecting data on asset holdings, financial activities, and external records.
✅ Verifying Source of Wealth & Funds – Ensuring legitimate sources of income for high-risk customers, particularly Politically Exposed Persons (PEPs).
✅ Senior Management Approval – Prior approval is required before establishing or continuing business relationships with high-risk customers.
Examples of High-Risk Customers & Transactions:
📌 High-Risk PEPs – Domestic and foreign PEPs with known political influence.
📌 Transactions Involving High-Risk Jurisdictions – Customers from countries blacklisted by FATF or those with weak AML controls.
📌 Clients with Unclear Source of Funds – Transactions that lack legitimate financial documentation.
Sanctions Screening & Compliance Obligations
Reporting institutions must maintain an updated sanctions database, aligned with the latest United Nations Security Council Resolutions (UNSCR) List and the Domestic List issued by Malaysia’s Ministry of Home Affairs.
🔹 Mandatory Screening – Institutions must screen existing, new, and potential customers against sanctions lists.
🔹 Terrorism Financing Risk Management – Any match with a blacklisted entity or individual requires immediate action, including freezing assets and reporting to authorities.
By implementing strict CDD, EDD, and sanctions screening processes, financial institutions and fintech companies can enhance money laundering compliance in Malaysia, reduce financial crime risks, and maintain regulatory integrity.
Summary
As Malaysia’s fintech industry continues to grow and evolve, companies operating in this sector must prioritize money laundering compliance in Malaysia to protect against financial crime risks and ensure regulatory adherence.
By implementing robust AML/CFT measures, conducting comprehensive risk assessments, and fostering a culture of compliance, fintech companies can mitigate money laundering and terrorist financing risks while contributing to the stability and integrity of Malaysia’s financial system.
The Consequences of Non-Compliance
Failure to comply with AML/CFT regulations can lead to:
❌ Reputational damage, undermining trust from customers and stakeholders.
❌ Financial penalties and regulatory sanctions imposed by Bank Negara Malaysia (BNM).
❌ Legal implications, including asset freezing, seizure, and confiscation under the AMLATFPUAA Act.
Malaysian authorities have the power to disrupt and dismantle money laundering operations, making compliance a critical requirement for fintech firms and financial institutions.
The Path to Sustainable Growth Through Compliance
To succeed in Malaysia’s competitive fintech landscape, companies must stay informed about evolving AML/CFT regulations and proactively implement best practices. Compliance is not just a legal obligation—it is a strategic advantage that fosters trust, security, and long-term business sustainability.
By prioritizing money laundering compliance in Malaysia, fintech firms can:
✅ Ensure regulatory approval and operational continuity.
✅ Strengthen customer confidence and investor trust.
✅ Mitigate financial crime risks and enhance fraud detection.
✅ Position themselves as leaders in responsible financial innovation.
With strict AML controls, real-time monitoring, and AI-driven compliance solutions, fintechs can navigate the regulatory landscape efficiently and contribute to a more secure and resilient financial ecosystem in Malaysia.
