Compliance Hub

Sanctions Screening in Malaysia: What BNM Requires from Banks and Fintechs

Site Logo
Tookitaki
09 Jul 2026
5 min
read

Sanctions screening in Malaysia is a mandatory obligation under BNM's AML/CFT framework, not a discretionary risk control. Every financial institution licensed in Malaysia, including banks, payment service providers, e-wallets, remittance companies, and digital banks, is required to screen customers and transactions against targeted financial sanctions lists and to freeze the assets of any designated person or entity detected.

The obligation has two distinct components that BNM examines separately. The first is compliance with Malaysia's targeted financial sanctions framework: screening against designated persons lists, freezing assets without delay when a match is confirmed, and reporting to BNM. The second is the operational quality of the screening programme itself: list coverage, matching accuracy, timeliness of list updates, and documentation of screening decisions.

BNM has been explicit that the extension of AML/CFT obligations to payment service providers and e-wallet operators carries the same sanctions screening requirements as those imposed on banks. As the Malaysian fintech sector has grown, BNM examination findings increasingly include sanctions compliance gaps at PSPs and e-wallets that have robust onboarding controls but inadequate transaction screening programmes.

Talk to an Expert

The legal basis for sanctions screening in Malaysia

Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA): Malaysia's primary AML/CFT legislation covers targeted financial sanctions alongside money laundering and terrorism financing obligations. Under AMLATFPUAA, reporting institutions are required to freeze property held on behalf of designated persons without delay, refuse to provide services to designated parties, and report to BNM's Financial Intelligence and Enforcement Department (FIED) when a designated person is identified.

BNM AML/CFT and TF Policy Document: BNM's policy document sets the operational requirements for all reporting institutions' compliance programmes. The policy document covers list screening requirements, response procedures on match identification, documentation standards, and the expected timeliness of list updates. BNM uses this document as the primary reference point when examining an institution's sanctions compliance programme.

UNSC resolutions implemented in Malaysia: Malaysia implements UN Security Council resolutions on targeted financial sanctions through BNM's consolidated designated persons list. This includes the 1267/1989/2253 Committee lists (Al-Qaeda and associated entities), the 1988 Committee list (Taliban), and proliferation financing lists under Resolutions 1718 (North Korea) and 2231 (Iran). Malaysia's obligations as a FATF member require it to give effect to these resolutions without delay.

Lists institutions must screen against

BNM Targeted Financial Sanctions (TFS) list: BNM maintains a consolidated list of designated individuals and entities drawn from UNSC resolutions and domestic designations under AMLATFPUAA. This is the minimum screening requirement for all BNM-licensed institutions. BNM updates the list when new UNSC resolutions are adopted or new domestic designations are made.

UN Security Council consolidated list: Institutions with significant cross-border transaction exposure often screen UNSC lists directly, in addition to BNM's consolidated list, to ensure they hold the most current designations without relying on BNM's update cycle. BNM's expectation of "without delay" implementation of new designations makes this a sensible operational practice.

OFAC SDN list: Malaysian banks with USD-clearing relationships, US-correspondent banking, or US-person customers include the OFAC Specially Designated Nationals and Blocked Persons list in their screening programme. OFAC compliance exposure arises through correspondent banking relationships: a Malaysian institution that processes a USD transaction involving a sanctioned party creates risk for its US correspondent, which in turn creates relationship and enforcement risk for the Malaysian institution.

Other lists based on business profile: BNM expects institutions to assess their transaction flows, correspondent relationships, and customer base, and to include additional list sources where the risk assessment indicates exposure. A bank running correspondent relationships across ten jurisdictions requires broader list coverage than a domestic retail lender.

Who must comply

Sanctions screening obligations extend to all reporting institutions under AMLATFPUAA:

  • Licensed banks, investment banks, and finance companies
  • Insurance companies and takaful operators
  • Money services businesses (remittance and money-changing operators)
  • Payment service providers and e-wallet operators licensed under BNM's Payment Systems Policy
  • Licensed digital banks
  • Development financial institutions
  • Capital market intermediaries under Securities Commission oversight

The scope for PSPs and e-wallets is worth stating directly: BNM does not create a lighter sanctions screening requirement for fintechs. A licensed e-wallet operator processing hundreds of thousands of transactions daily faces the same real-time screening obligation as a retail bank. The operational challenge differs, but the legal standard does not.

For a detailed breakdown of BNM's AML/CFT obligations specific to PSPs, e-wallets, and licensed lenders, see our AML compliance guide for Malaysian fintechs.

blog 1 9th july

What BNM examines

Timeliness of list updates: BNM expects institutions to incorporate new designations without delay from the point of publication, not at the next scheduled list update cycle. When a new UNSC resolution adds a designation, or when BNM updates its TFS list, institutions should update their screening database on the same day. BNM examines the lag between a designation being published and the institution's screening configuration reflecting that designation.

Real-time transaction screening: For cross-border payments and high-value transactions, screening must run before funds are released. BNM examines whether institutions can demonstrate that transaction screening occurs within the settlement cycle, not as an overnight batch after funds have moved. This is a specific examination focus for payment service providers that process high volumes of cross-border transfers.

Name matching quality: The names on sanctions lists present matching challenges: transliterations of Arabic and other script names, name order variations between given and family names, and historical aliases registered at different points in a designation's history. BNM expects institutions to use fuzzy-matching logic with documented thresholds and to be able to demonstrate that those thresholds are calibrated to catch genuine matches, not simply minimise false positive volume. An institution that sets its matching threshold so high that it only detects exact-string matches does not satisfy BNM's requirement.

Beneficial owner screening: Screening the named account holder is insufficient if the beneficial owner of a corporate account is a designated person. BNM expects institutions to identify and screen beneficial owners as part of their CDD process. For e-wallet operators with large numbers of corporate wallet users, this is a recurring examination gap.

Documentation of screening decisions: When a compliance officer reviews a potential match alert and concludes it is a false positive, that determination must be documented. BNM examines these records and expects to see the reasoning behind a false positive decision, the identity of the reviewing officer, and confirmation that the decision was made at the appropriate level. Undocumented alert closures are a consistent examination finding.

Common compliance gaps in Malaysia

PSPs and e-wallets not screening beneficial owners: Many payment platforms screen the registered account holder at onboarding but do not have CDD processes capturing the beneficial owner for corporate accounts. BNM has flagged this specifically for e-wallet operators.

List coverage gaps: Institutions that screen BNM's TFS list but not the UNSC Al-Qaeda and Taliban lists directly create a window between a new designation and BNM's next list update. Institutions with international transaction exposure should screen UNSC lists independently.

Batch transaction screening: Payment platforms that run screening as an overnight batch rather than at the point of transaction do not satisfy the real-time requirement. For PSPs processing cross-border transfers, this creates material compliance exposure during the period between transaction processing and the screening batch.

Delayed list updates: Institutions that update their screening database weekly, rather than on the day of publication, fall outside BNM's "without delay" standard. Automated list update feeds remove this gap more reliably than manual processes.

How FinCense supports sanctions screening compliance in Malaysia

FinCense's screening module covers BNM's TFS list, UNSC consolidated lists, OFAC, and additional sources based on the institution's profile. List updates are incorporated automatically on publication, without manual intervention, directly addressing the timeliness gap BNM examines.

Name matching uses natural language processing adapted for Malay, Arabic, and transliterated name variants common on BNM and UNSC designation lists. Fuzzy-matching thresholds are configurable and auditable, allowing compliance teams to demonstrate to BNM examiners that threshold settings are calibrated to detect genuine matches.

For PSPs and e-wallets with high transaction volumes, FinCense handles real-time screening at the transaction level before settlement, without creating a processing bottleneck. Beneficial owner screening is built into the CDD workflow, covering the corporate account gap BNM examines.

Match alerts are managed in FinCense's integrated case management environment. Compliance officers document false positive determinations, freeze decisions, and FIED reports within the same case record, creating the audit trail BNM expects.

For equivalent obligations in Singapore, see our sanctions screening guide for Singapore. To see how FinCense supports BNM-regulated institutions across sanctions and AML compliance, book a demo with our Malaysia team.

Frequently asked questions

What lists must Malaysian financial institutions screen against?

At minimum: BNM's Targeted Financial Sanctions list and the UN Security Council consolidated lists (1267/1989/2253 for Al-Qaeda, 1988 for Taliban, and proliferation financing lists for North Korea and Iran). Institutions with USD-clearing or US-correspondent banking relationships should also screen the OFAC SDN list. The appropriate scope depends on the institution's transaction flows and customer profile.

What does "without delay" mean for list updates under BNM requirements?

BNM expects new designations to be incorporated into screening systems on the same day they are published, not at the next scheduled update cycle. This applies to both BNM's own TFS list updates and new UN Security Council resolutions.

Are payment service providers and e-wallets subject to the same sanctions screening requirements as banks?

Yes. BNM's AML/CFT obligations apply to all licensed financial institutions, including PSPs and e-wallet operators. The real-time transaction screening requirement, ongoing customer screening obligation, and freeze and reporting obligations apply with the same legal force as they do to banks.

What happens when a confirmed sanctions match is identified?

The institution must freeze the matched party's assets without delay, cease any pending transactions with that party, and report to BNM's Financial Intelligence and Enforcement Department. This is a materially different response from a PEP match, which triggers enhanced due diligence. A sanctions match requires an immediate freeze; a PEP match does not. Refer to our PEP Screening guide for more details.

Does screening only need to happen at customer onboarding?

No. Screening must occur at onboarding, when lists are updated, and for transactions in real time. Customers who screened clean at onboarding may be designated during the relationship. BNM expects ongoing screening of the active customer base whenever the TFS list is updated, and real-time screening of transactions before funds are released.

How should false positive alerts be handled?

When a potential match is reviewed and determined to be a false positive, the decision must be documented: the name matched, the reason for the false positive conclusion, and the identity of the reviewing officer. BNM examines these records during examination. Undocumented alert closures are a recurring examination finding.

Talk to an Expert

Ready to Streamline Your Anti-Financial Crime Compliance?

Our Thought Leadership Guides

Blogs
09 Jul 2026
5 min
read

Sanctions Screening in Australia: Obligations for Banks and Financial Institutions

Sanctions compliance in Australia sits across two regulatory frameworks: DFAT's sanctions legislation and AUSTRAC's AML/CTF program requirements. This guide covers what financial institutions must screen against, who enforces what, and where compliance programmes commonly fall short.

Sanctions Screening in Australia: Obligations for Banks and Financial Institutions
Blogs
06 Jul 2026
5 min
read

The Luffy Group Case: Fake Officials, Stolen ATM Cards, and the AML Trail Banks Cannot Ignore

The Luffy Group case shows how fake official scams, stolen ATM cards, rapid cash-outs, mule accounts, and cross-border fund movement can create AML risk for financial institutions.

The Luffy Group Case: Fake Officials, Stolen ATM Cards, and the AML Trail Banks Cannot Ignore
Blogs
01 Jul 2026
6 min
read

From a Kuala Lumpur Luxury Condo to Mule Accounts: The AML Risk Behind Investment Scams in Malaysia

Explore how the Kuala Lumpur investment scam case highlights mule account risks, fake forex fraud, suspicious fund movement, and AML challenges for Malaysian financial institutions.

From a Kuala Lumpur Luxury Condo to Mule Accounts: The AML Risk Behind Investment Scams in Malaysia