Essential AML/CFT Guidelines for Financial Institutions in Malaysia

The fintech industry in Malaysia has witnessed remarkable growth in recent years, driven by rapid digitalization, increasing smartphone penetration, and a tech-savvy population. However, this growth has also brought about new challenges, particularly in the realm of anti-money laundering (AML) and counter-financing of terrorism (CFT) compliance.

As fintech companies offer innovative financial products and services, they must navigate a complex regulatory landscape and implement robust AML/CFT measures to mitigate the risks associated with money laundering, terrorist financing, and other illicit activities.

Malaysia's Economic Landscape

Malaysia is a rapidly developing economy and a key player in the Southeast Asian region. The country has a diverse economic base, with significant contributions from sectors such as manufacturing, services, and agriculture. Malaysia's strategic location, well-developed infrastructure, and business-friendly policies have attracted substantial foreign direct investment (FDI) over the years.

Key Challenges and Vulnerabilities

While Malaysia's economy has shown remarkable resilience, it faces several challenges and vulnerabilities that can potentially contribute to money laundering and terrorist financing risks. These include:

  • Reliance on cash-based transactions in certain sectors
  • Exposure to international trade and cross-border financial flows
  • The presence of organized crime groups and corruption
  • Risks associated with the real estate and gaming sectors

AML Regulatory Framework of Malaysia

Malaysia has a comprehensive legal and regulatory framework to combat money laundering and terrorist financing. The primary legislation governing AML/CFT in the country is the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA). This Act is supplemented by various guidelines and regulations issued by Bank Negara Malaysia (BNM), the central bank, and other regulatory bodies.

To date, the Central Bank of Malaysia has issued the following policy documents and guidelines to the reporting institutions:

  1. Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs), applicable to, among others, banks, insurers, and financial advisers.
  2. Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) (AML/CFT and TFS for DNFBPs and NBFIs), applicable to, among others, professionals like lawyers and accountants, trust companies, casinos, and dealers of precious metals or stones.
  3. Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6).
  4. Policy Document on Exposure Draft of the Risk-Based Capital Adequacy Framework for Virtual Banks.

The AMLATFPUAA provides for the offence of money laundering, the measures to be taken for the prevention of money laundering and terrorism financing offences, investigation powers, and the forfeiture of property involved in or derived from money laundering and terrorism financing offences, as well as terrorist property, proceeds of unlawful activity and instrumentalities of an offence.

Inside the Machinery: Malaysia's AML/CFT Institutions

The implementation and enforcement of AML/CFT measures in Malaysia involve several key institutions:

  • Bank Negara Malaysia (BNM): The central bank acts as the primary regulator and supervisor for AML/CFT compliance in the financial sector. BNM has been appointed as the competent authority under the AMLATFPUAA.
  • Unit Pelaporan Melayu (STRO): This financial intelligence unit under BNM is responsible for receiving, analyzing, and disseminating information related to suspicious transactions.
  • Royal Malaysia Police: The law enforcement agency plays a crucial role in investigating and prosecuting money laundering and terrorist financing cases.
  • Malaysian Anti-Corruption Commission (MACC): This independent body is tasked with preventing and combating corruption, which can be a predicate offense for money laundering.
  • Securities Commission (SC): Acts as the regulatory authority for the capital market.
  • Labuan Financial Services Authority (Labuan FSA): Specifically regulates the Labuan International Business Financial Centre, the special economic zone on the island of Labuan.

Detailed Breakdown of AML/CFT Requirements

Institutions, businesses, and professions that are involved in, among others, the following activities as listed in the First Schedule, Part 1 of the AMLA Act are known as "reporting institutions", and they are subject to the AML requirements under the Act:

Financial institutions

  1. Licensed banks, investment banks, insurers, approved financial advisers, insurance brokers, issuers of designated payment instruments, money brokers under the Financial Services Act 2013, or the Islamic counterparts under the Islamic Financial Services Act 2013.
  2. Prescribed development financial institutions.
  3. Dealers in securities or derivatives, or fund management, licensed under the Capital Markets and Services Act 2007.
  4. Lembaga Tabung Haji (pilgrimage board).

Non-financial businesses and professions

  1. Licensed gaming outlets.
  2. Accountants.
  3. Lawyers.
  4. Company secretaries.
  5. Trust companies.
  6. Registered estate agents.
  7. Licensed casinos.
  8. Moneylenders.
  9. Pawnbrokers.
  10. Leasing and factoring business.
  11. Dealers in precious metals or stones.
  12. Cryptocurrency-related activities carried out by licensed or registered persons under the Capital Markets and Services Act 2007 relating to one or more of the following:
      • Providing safekeeping, storing, holding or custody of a digital currency or digital token for the account of another person.
      • Providing intermediation and advisory services relating to an offer or sale of a digital currency or digital token.

Generally, both financial institutions and non-financial businesses and professions are subject to the same AML requirements/obligations under the AMLA Act, which include:

  1. The obligation to conduct Customer Due Diligence (CDD) and risk assessments.
  2. The obligation to report suspicious transactions to the Central Bank of Malaysia.
  3. The obligation to maintain and retain records of transactions.
  4. The obligation to implement an AML compliance program that is reflective of the reporting institution's money laundering risk exposure and its size, nature, and complexity.


The following entities are additionally subject to the obligation to submit a Cash Transaction Report (CTR) to the Central Bank of Malaysia when their customers conduct single or multiple cash transactions (in the form of either cash or e-money) within the same account in a day in the amount of MYR 25,000 and above:

  1. Banking institutions.
  2. Selected prescribed development financial institutions.
  3. Lembaga Tabung Haji (pilgrimage board).
  4. Licensed casinos.

Compliance Program Requirements

As per the AMLA Act, reporting institutions are required to have the following controls in their compliance program:

  • Procedures in place to ensure high standards of integrity of employees and a system to evaluate the personal, employment, and financial history of these employees.
  • Employee training programs, such as "know your customer" programs, and instructing employees on their responsibilities about recordkeeping, reporting suspicious transactions, the prohibition of disclosure of suspicious transaction reports, CDD, and retention of records.
  • An independent audit function to check compliance with such programs.

Recordkeeping and Reporting Large Currency Transactions


Reporting institutions are obligated to maintain pertinent records, encompassing accounts, files, business correspondence, and transaction-related documents with their clientele. The records mandated for retention by a reporting institution include:

  • Documentation acquired during the Customer Due Diligence (CDD) process, like copies of identification cards, passports, and incorporation documents.
  • Any documents or records linked to the customer's transactions, inclusive of business correspondence.
  • Records of any analyses conducted by the reporting institution, such as the assessment of Money Laundering/Terrorism Financing (ML/TF) risks concerning customers and any analyses of internally filed suspicious transaction reports or submissions to Bank Negara Malaysia.

Reporting institutions must ensure that all pertinent records concerning transactions are comprehensive enough to facilitate the reconstruction of individual transactions, thereby furnishing evidence, if required, for the prosecution of criminal activities.

Reporting institutions are mandated to retain these records for a minimum of six years following the conclusion of the transaction, the termination of the business relationship, or after the date of the occasional transaction.

Reporting Large Cash Transactions

Selected reporting institutions are obliged to furnish a Currency Transaction Report (CTR) to the Central Bank of Malaysia when their customers execute single or multiple cash transactions (either in cash or e-money) within the same account, amounting to MYR 25,000 or more in a single day.

At present, the obligation to report CTRs applies solely to banking institutions, select prescribed development financial institutions, Lembaga Tabung Haji (pilgrimage board), and licensed casinos.

Reporting of Suspicious Transactions

No mandatory requirements exist for routinely reporting transactions aside from significant cash transactions.

Nevertheless, reporting institutions are compelled to report suspicious transactions (including attempted and proposed ones) to the Central Bank of Malaysia. The criteria for reporting suspicious activity are as follows:

To submit a Suspicious Transaction Report (STR), reporting institutions must complete and deliver the STR form to the Financial Intelligence and Enforcement Department (FIED) of the Central Bank of Malaysia via any of the following channels:

  • E-mail to:
  • Mail to: Director, Financial Intelligence and Enforcement Department, Bank Negara Malaysia, Jalan Dato' Onn, 50480 (Kuala Lumpur), (To be opened by addressee only)
  • Financial Intelligence System (FINS) (where applicable)

The following information must be included in an STR:

  • Information on the account holder, client, or beneficial owner of the transaction.
  • Information on the individual conducting the transaction.
  • Transaction details, such as the type of products or services, the amount involved, and the review period.
  • A description of the suspicious transaction or its circumstances.
  • The suspected offense.
  • Any other pertinent information that may assist the FIED in identifying potential offenses and individuals or entities involved.


Customer Due Diligence and Enhanced Due Diligence

Standard Customer Due Diligence (CDD)

When conducting Standard CDD, reporting institutions are required to:

  • Identify the customer and verify the customer's identity using reliable, independent source documents, data, or information.
  • Verify that any person acting on behalf of the customer is so authorized, and identify and verify the identity of that person.
  • Identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, using relevant information or data obtained from reliable sources, so that the reporting institution is satisfied that it knows who the beneficial owner is.
  • Understand, and where relevant, obtain information on the purpose and intended nature of the business relationship.

Customers and transactions shall be identified per the following requirements:

For an individual customer and beneficial owner:

  • Full name and/or other names used by the customer
  • National Registration Identity Card (NRIC) number, passport number, or reference number of any other official documents of the customer or beneficial owner
  • Residential and mailing address
  • Date of birth
  • Nationality
  • Occupation type
  • Name of employer or nature of self-employment or business
  • Contact number
  • Purpose of transaction

For legal persons:

  • Name
  • Legal form and proof of existence (such as certificate of incorporation/constitution/partnership agreement (certified true copies/duly notarized copies may be accepted) or any other reliable references to verify the identity of the customer)
  • The powers that regulate and bind the customer such as the directors' resolution
  • Names of relevant persons having a senior management position
  • The address of the registered office and, if different, a principal place of business
  • The nature of business

For legal persons, additionally, measures need to be taken to verify the identity of the beneficial owner per the following sequence:

  1. The identity of the natural person(s) who ultimately has a controlling ownership interest in a legal person. At a minimum, this includes identifying the directors/shareholders with an equity interest of more than 25 percent/who are partners.
  2. Where there is doubt as to whether the person(s) with the controlling ownership interest is the beneficial owner(s), or where no natural person(s) exerts control through ownership interests, the identity of the natural person (if any) exercising control of the legal person through other means.
  3. Where no natural person is identified, the identity of the relevant natural person who holds the position of senior management.

Enhanced Due Diligence (EDD)

In addition to the Standard CDD requirements, the following Enhanced CDD actions must be adopted for higher-risk customers/transactions – the reporting institutions shall:

  • Obtain additional information on the customer and beneficial owner (e.g., volume of assets and other information from commercial or public databases).
  • Enquire on the source of wealth or source of funds. In the case of politically exposed persons (PEPs), both sources must be obtained.
  • Obtain approval from senior management before establishing (or continuing, for an existing customer) such business relationship with the customer. In the case of PEPs, senior management refers to senior management at the head office.

Higher-risk customers/transactions may include, but are not limited to, the following:

  • When a PEP is assessed as a higher risk.
  • Any transaction involving a Foreign PEP.
  • Any transaction involving a customer from a country that is included in the list of high-risk jurisdictions issued by the Financial Action Task Force (FATF) or by the Government of Malaysia.
  • Any transaction involving a customer from other jurisdictions that have strategic AML/CFT deficiencies for which they have developed an action plan with the FATF.
  • Customers assessed as having higher risks based on customer risk profiling.

Sanctions Screening

Reporting institutions are required to keep an updated sanctions database consistent with the updates of the United Nations Security Council Resolutions (UNSCR) List and the Domestic List issued by the Ministry of Home Affairs of Malaysia, which contain the names and particulars of specified entities assessed to have been involved in terrorism-related activities. Where applicable, sanctions screening of existing, potential or new customers and related parties against the Domestic List and UNSCR List shall be conducted as part of the due diligence process.


As the fintech industry continues to evolve and expand in Malaysia, it is imperative for companies operating in this space to prioritize AML/CFT compliance. By implementing robust measures, conducting risk assessments, and fostering a culture of compliance, fintech companies can mitigate the risks associated with money laundering and terrorist financing while contributing to the overall integrity and stability of the financial system.

Failure to adhere to AML/CFT requirements can have severe consequences, including reputational damage, financial penalties, and legal implications. The AMLATFPUAA grants authorities the power to freeze, seize, and confiscate assets that are either directly involved in money laundering activities or derived from such activities, empowering law enforcement to disrupt and dismantle money laundering operations effectively.

By staying informed and proactively addressing regulatory obligations, fintech companies can navigate the complex landscape and position themselves for sustainable growth in the Malaysian market. Compliance with AML/CFT regulations is not only a legal requirement but also a crucial step towards building trust and confidence among customers, stakeholders, and the broader financial community.
