KYC Requirements in Malaysia: BNM's CDD Framework for Banks and Fintechs
Know Your Customer compliance in Malaysia is governed by the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA) and implemented through Bank Negara Malaysia's AML/CFT/CPF/TFS Policy Document, last substantively updated in 2023. For licensed banks, digital banks, investment firms, money services businesses, and e-money issuers operating under BNM's oversight, this framework sets the floor for customer identification, verification, and ongoing due diligence.
This guide covers what BNM's KYC framework requires, how the three-tier CDD structure works in practice, the digital onboarding rules for Malaysian fintechs and digital banks, and where compliance teams most often encounter examination findings.

The Regulatory Foundation
AMLATFPUAA imposes KYC obligations on all "reporting institutions" — a category that includes commercial banks, Islamic banks, investment banks, development financial institutions, money services businesses, capital market intermediaries, insurance companies, and e-money issuers. The obligation is to identify and verify the identity of customers before establishing a business relationship or conducting a transaction above the prescribed threshold.
BNM's AML/CFT/CPF/TFS Policy Document (2023) provides the implementing framework. It adopts the FATF risk-based approach: the depth of CDD applied to any customer must be proportionate to the ML/TF risk that customer presents. This means institutions cannot apply a uniform KYC process to all customers — the process must scale with assessed risk.
BNM's supervisory examinations in 2024–2026 have focused specifically on whether institutions have genuinely implemented risk-based CDD, or whether they are applying a standardised process regardless of customer risk profile and describing it as risk-based. The distinction matters — applying standard CDD to a customer who should receive enhanced due diligence is a compliance gap even if all the standard CDD steps were completed correctly.
The Three-Tier CDD Framework
Simplified Due Diligence (SDD)
SDD applies to customers assessed as presenting low ML/TF risk. BNM permits SDD where the customer type, product, and transaction profile collectively present minimal risk. Common examples include government entities, publicly listed companies with disclosure obligations, and certain regulated financial institutions.
Under SDD, institutions may apply reduced identification and verification measures and conduct less frequent ongoing monitoring. However, SDD is not a static classification — institutions must have procedures to escalate a customer from SDD to standard CDD or EDD if circumstances change. An SDD customer who begins conducting transactions inconsistent with their risk profile must be reviewed.
Standard CDD
Standard CDD applies to the majority of retail and corporate customers. BNM's requirements for standard CDD include:
Individual customers: Full name, date of birth, nationality, national registration identity card (NRIC) or passport number and expiry date, residential address. For Malaysian nationals, the MyKad is the primary identification document. For foreign nationals, a valid passport with verification of current residential address is required.
Corporate customers: Legal name, registration number, registered address, business address, nature of business, and the identity of authorised signatories. For private companies, the memorandum and articles of association or equivalent constitutional documents must be obtained.
Beneficial ownership identification: For all non-individual customers, the ultimate beneficial owner (UBO) must be identified — the natural person(s) who ultimately own or control more than 25% of the customer entity, or who otherwise exercise ultimate effective control. Where ownership structures are complex or layered, the look-through obligation extends to each intermediate entity until natural persons are identified.
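The look-through described above is easy to get wrong when a person holds small stakes through several intermediate entities: a per-path check against 25% misses a holder whose aggregated effective stake crosses the line. As an added example (not code from this guide or from BNM's policy document), the following models the look-through as a walk over an ownership graph that multiplies stakes along each path, sums them per natural person, and flags entities whose owners are not on record or that sit in a cross-holding cycle, which cannot be resolved arithmetically and need analyst review. The company names, holders and percentages are constructed sample data; the 25% figure is the threshold the page cites. Control-based beneficial ownership (ultimate effective control without a qualifying stake) is outside what this model covers.

```python
"""Effective beneficial-ownership look-through for layered structures.

Added illustration, not part of the original page. Entity names, holders and
percentages below are constructed sample data.
"""
from collections import defaultdict

UBO_THRESHOLD = 25.0  # the page's "more than 25%" test, strict inequality

# Constructed ownership graph: entity -> list of (owner, percentage held).
# Names in NATURAL_PERSONS are individuals; every other owner is an
# intermediate entity that must itself be looked through.
OWNERSHIP = {
    "CustomerCo Sdn Bhd": [("HoldCo A", 60.0), ("HoldCo B", 40.0)],
    "HoldCo A": [("Alice", 60.0), ("Bob", 40.0)],
    "HoldCo B": [("Alice", 20.0), ("TrustCo", 80.0)],
    "TrustCo": [("Carol", 100.0)],
    # A nominee holder with no owners on file: look-through stops here.
    "OpaqueCo Sdn Bhd": [("Offshore Nominee Ltd", 100.0)],
    # A cross-holding loop, which simple multiplication cannot resolve.
    "CycleCo Sdn Bhd": [("LoopCo", 100.0)],
    "LoopCo": [("CycleCo Sdn Bhd", 100.0)],
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}


def effective_ownership(entity, ownership=OWNERSHIP, natural_persons=NATURAL_PERSONS):
    """Return ({natural_person: effective %}, [(unresolved_holder, %)]).

    Stakes are multiplied along every ownership path and summed per person,
    so a holder with several sub-threshold stakes is still aggregated.
    Raises ValueError on an ownership cycle so it can be escalated.
    """
    result = defaultdict(float)
    unresolved = []  # holders that are not natural persons and have no owners on file

    def walk(node, share, path):
        if node in natural_persons:
            result[node] += share
            return
        if node in path:
            raise ValueError(f"ownership cycle: {' -> '.join(path + [node])}")
        owners = ownership.get(node)
        if not owners:
            unresolved.append((node, share))
            return
        for owner, pct in owners:
            walk(owner, share * pct / 100.0, path + [node])

    walk(entity, 100.0, [])
    return dict(result), unresolved


def identify_ubos(entity, threshold=UBO_THRESHOLD, **kwargs):
    """Natural persons whose aggregated effective stake exceeds the threshold."""
    effective, _ = effective_ownership(entity, **kwargs)
    return sorted(p for p, pct in effective.items() if pct > threshold)


if __name__ == "__main__":
    effective, unresolved = effective_ownership("CustomerCo Sdn Bhd")
    print("effective stakes:", effective)          # Alice 44%, Bob 24%, Carol 32%
    print("UBOs:", identify_ubos("CustomerCo Sdn Bhd"))  # ['Alice', 'Carol']
    print("unresolved:", effective_ownership("OpaqueCo Sdn Bhd")[1])
```

In the constructed data Alice holds only 20% of HoldCo B directly, well under the threshold, yet her aggregated effective stake in the customer is 44%; Carol never appears on the customer's own register at all and surfaces only through TrustCo. The unresolved list is the point at which a declaration-only file would stop and where an examiner would expect registry evidence or EDD instead.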
Ongoing monitoring: Standard CDD customers must be subject to ongoing transaction monitoring calibrated to their risk profile and periodic review of their customer information. The frequency of review is risk-based — higher-risk standard CDD customers should be reviewed more frequently than low-risk ones.
Enhanced Due Diligence (EDD)
EDD is mandatory for customers presenting elevated ML/TF risk. BNM specifies mandatory EDD triggers:
Politically Exposed Persons (PEPs): Any customer identified as a PEP — a domestic or foreign individual who holds or has held a prominent public position, or who is a family member or close associate of such a person — requires EDD before the business relationship is established, and senior management approval before onboarding. The PEP definition under BNM's framework covers sitting officials, former officials within the relevant cooling-off period, and their immediate family members.
Customers from high-risk jurisdictions: Customers based in, or transactions directed to or from, jurisdictions identified on BNM's high-risk country list or the FATF grey and black lists. As of 2026, institutions must actively monitor FATF list updates and apply EDD for all affected jurisdictions without waiting for BNM to issue a specific instruction.
Complex or unusual ownership structures: Customers who use nominee directors or shareholders, multi-layered holding structures spanning multiple jurisdictions, or trust arrangements where the beneficial owner is not immediately apparent.
High-value customers with unusual activity: Customers whose transaction volumes or patterns are inconsistent with their stated business purpose, source of funds, or customer profile.
EDD requirements include: obtaining additional information on source of funds and source of wealth, conducting independent verification of the information provided, applying enhanced ongoing monitoring, and documenting the rationale for the risk assessment. For PEPs, ongoing adverse media screening at defined intervals is expected — not just at onboarding.

Digital Onboarding and eKYC in Malaysia
BNM has progressively expanded the framework for digital customer onboarding, particularly following the issuance of digital banking licences in 2022. The five licensed digital banks — GX Bank, Boost Bank, AEON Bank, KAF Digital Bank, and YTL Digital Capital — operate without physical branches and rely on digital onboarding for all customer acquisition.
BNM's eKYC requirements permit remote customer identification and verification subject to specific controls:
MyKad scanning and chip reading: Malaysian nationals can be onboarded using MyKad chip-reading technology that extracts identity data directly from the chip, reducing the risk of document tampering compared to optical character recognition.
Liveness detection: The customer must complete a liveness check — a real-time biometric verification step confirming that the person presenting the identity document is physically present and alive, not a recording or a photograph.
Facial comparison: The liveness capture is compared against the photograph extracted from the MyKad chip or the reference image from the National Registration Department database. Match thresholds must meet BNM's minimum accuracy standards.
Address verification: For digital onboarding, address verification may be conducted through alternative means — utility bills, financial statements, or for certain customer segments, cross-referencing against government databases.
Risk-based limits: BNM applies transaction and balance limits for customers onboarded digitally who have not undergone in-person verification. Institutions wishing to remove these limits must conduct supplementary verification steps. For a full treatment of BNM's eKYC framework, see our eKYC Malaysia guide.
Record Keeping Requirements
Under AMLATFPUAA, all KYC records must be retained for a minimum of six years from the end of the business relationship or the date of the transaction, whichever is later. Records must be maintained in a format that allows them to be retrieved and produced to BNM or other competent authorities on request, within the timeframe specified in any such request.
For digital onboarding, the eKYC process itself — including the liveness check, facial comparison result, document scan, and match confidence score — must be retained as part of the KYC record. The technical audit trail of the onboarding process is a regulatory record, not just an operational log.
STR and CTR Obligations Tied to KYC
KYC failures create downstream reporting obligations. Where an institution cannot complete CDD on a customer — because the customer refuses to provide required information, or because the information provided cannot be verified — AMLATFPUAA requires the institution to consider whether to file a Suspicious Transaction Report (STR) with BNM before terminating the relationship.
Cash Transaction Reports (CTRs) must be filed for cash transactions of MYR 25,000 or above. The CTR obligation applies regardless of whether the transaction appears suspicious — it is a threshold-based reporting requirement, not a suspicion-based one.
Common KYC Examination Findings in Malaysia
BNM's supervisory findings across examination cycles identify recurring KYC gaps:
Beneficial ownership not verified — only declared. Institutions that collect beneficial ownership declarations from corporate customers without independently verifying them against company registry records, shareholder registers, or other primary sources. A declaration is not verification.
PEP screening at onboarding only. BNM expects ongoing PEP screening — not just a one-time check at account opening. A customer who becomes a PEP after onboarding (through appointment to a government role, for example) must be identified and their risk profile updated. Screening that runs only at onboarding will miss post-onboarding PEP status changes.
EDD documentation without substantive review. Customer files contain extensive documentation — source of funds letters, corporate structure charts, audited accounts — but there is no evidence that a qualified compliance officer reviewed, questioned, or validated that documentation. An EDD file that consists of collected documents without analysis does not satisfy BNM's requirements.
eKYC processes not meeting minimum accuracy thresholds. Facial comparison match confidence scores below BNM's minimum standards, or liveness detection implementations that can be defeated by a static photograph. BNM has issued specific guidance on minimum biometric accuracy standards — institutions using vendor-provided eKYC solutions must verify that those solutions meet the standards, not assume that a licensed vendor automatically complies.
Customer risk ratings not updated for material changes. Customers whose risk classification has not been reviewed following changes in their business, transaction behaviour, or the external risk environment. A corporate customer that expands into a BNM-designated high-risk sector must have their risk rating reviewed — the initial classification is not permanent.
Building a Compliant KYC Programme in Malaysia
For banks, digital banks, and fintechs operating under BNM's oversight, an effective KYC framework requires more than completing the required forms. It requires:
- A risk-based CDD tiering system that genuinely differentiates between SDD, standard, and EDD customers based on documented risk criteria
- UBO identification processes with independent verification — not just customer declarations
- PEP screening that runs at onboarding and on an ongoing basis, with a defined review cycle for confirmed PEPs
- eKYC implementations verified against BNM's minimum accuracy standards, with full audit trail retention
- EDD documentation that demonstrates substantive analysis, not just document collection
- Customer risk review procedures triggered by material changes — in the customer's profile, business, or the external risk environment
For compliance teams evaluating transaction monitoring systems that integrate with KYC and CDD workflows to provide a complete view of customer risk, see our Transaction Monitoring Software Buyer's Guide.