Sep 21, 2023

Crypto regulations in Malaysia—2024 Guide

Learn everything you need to know about crypto regulations in Malaysia.

Crypto adoption is on the rise worldwide, and Malaysia is no exception. While the country doesn’t consider digital assets to be legal tender, it still defines them as a form of securities. Meanwhile, Malaysia has been continuously working to provide a coherent legal framework for digital assets and service providers of these assets.

We at Sumsub have prepared a complete guide to Malaysian crypto regulations. You’ll learn about the regulatory authorities overseeing the industry, as well as the main requirements for service providers to work legally in the country.

Who is affected?

According to Malaysia’s Prescription Order 2019, digital assets are separated into two categories:

  • “Digital currency—digital representation of value, which is recorded on a distributed digital ledger whether cryptographically-secured or otherwise, that functions as a medium of exchange and is interchangeable with any money, including through the crediting or debiting of an account
  • Digital tokens—a digital representation which is recorded on a distributed digital ledger whether cryptographically-secured or otherwise”

The document also specifies in what cases digital currencies and digital tokens are considered securities.

Companies that wish to operate in Malaysia have to define whether they deal with digital tokens or digital currencies. Based on this, companies fall into one of the following categories: 

  • Recognized Market Operator for Digital Asset Exchanges (RMO-DAX)—an electronic platform that facilitates the trading of digital assets
  • Digital Asset Custodian (DAC)—provides custody services for digital assets and plays an important role in the ecosystem by safeguarding the digital assets of investors
  • Initial Exchange Offering (IEO)—offers an alternative channel for fundraising for innovative businesses through digital tokens

Who are the regulators?

The main regulator for digital asset service providers in Malaysia is the Securities Commission Malaysia (SCM). Any company that wishes to operate in Malaysia and provide services with assets qualified as securities has to register with the SCM.

What are the regulations?

The SCM regulates digital assets in Malaysia through the Capital Markets & Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, which enables the SCM to set guidelines on offering and trading of digital assets.

RMO-DAX companies have to follow the Guidelines on Recognized Markets. Meanwhile, DAC and IEO have to comply with the Guidelines on Digital Assets.

Companies must also follow the Anti-Money Laundering and Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001, as well as related guides from the SCM, in addition to the Personal Data Protection Act 2010.

How to register

In order to register, the business must be a Malaysian-incorporated company unless specified otherwise by the SCM. The exact criteria vary depending on the type of services provided. For example, IEO and DAC applicants that wish to legally operate in Malaysia have to satisfy the following criteria:

  • “The applicant, its directors, controller and senior management are fit and proper
  • The applicant will be able to carry out its obligations 
  • The applicant will appoint at least one responsible person to carry out the obligations
  • The applicant will be able to manage risks associated with its business and operation including demonstrating the processes and contingency arrangement in the event the applicant is unable to carry out its operations
  • The applicant has sufficient financial, human and other resources for its operation at all times and
  • The applicant has appropriate security arrangements, taking into account the scale of its business operations and risks, which include maintaining a secured environment pursuant to the guidelines issued by the SCM for the management of cyber risk and other relevant guidelines”

An IEO applicant must have a minimum paid-up capital of RM5,000,000 (approximately $1.07 mln). However, the SCM may at any time impose additional financial requirements commensurate with the nature, operations, and risks posed by a given company. Finally, the IEO company must immediately notify the SCM if there’s a possibility of a breach of the minimum financial requirement.

A digital asset custodian must have a minimum paid-up capital of RM500,000 (approximately $107,000) and shareholders’ funds of RM500,000 maintained at all times.

Meanwhile, digital asset exchanges must be locally incorporated and have a minimum paid-up capital of RM5 million (approximately $1.07 mln). DAX operators operating a Digital Broker model must additionally maintain RM5 million in shareholders’ funds at all times.

The rest of the criteria for RMO-DAX differ from those set for IEO companies. 

The complete list of criteria can be found in the Guidelines on the Recognized Market.

How to comply with AML regulations

Registered companies have to implement and carry out a set of procedures to comply with AML regulations. This includes: 

  • Appointing a compliance officer
  • Providing staff training for employees working in relevant areas
  • Implementing a risk-based approach by considering all the relevant risk factors (e.g., the size of the company and the number of new customers) 
  • Conducting Customer Due Diligence checks, which include identifying and verifying customers. Depending on the customer’s risk level, companies should conduct either Simplified Due Diligence (SDD) or Enhanced Due Diligence (EDD)
  • Transaction monitoring, which involves checking the size, trajectory, and frequency of transactions
  • Sanctions and AML screening, which check if customers are on sanctions lists or designated as Politically Exposed Persons (PEP)
  • Retaining records that must be maintained for at least seven years from the last completed transaction or the moment of account termination
  • Reporting suspicious transactions, which have to be submitted immediately

Travel Rule

Per AML requirements, digital asset service providers have to follow the Travel Rule. Therefore, regulated companies have to share information on originators and beneficiaries of wire transfers or digital asset transactions. 

This includes the following information about the originator and beneficiary:

From the originator—

  • Name
  • National registration identity card number or passport number
  • Account number or digital wallet address or a unique transaction reference number used to process the transaction which permits traceability of the transaction
  • Address or date and place of birth

From the beneficiary—

  • Name
  • Account number or digital wallet address or a unique transaction reference number used to process the transaction which permits traceability of the transaction

A receiving company is required to have effective risk-based policies and procedures for determining:

  • When to execute, reject, or suspend a wire transfer lacking the required originator or required beneficiary information
  • The appropriate follow-up action

More information on the Travel Rule can be found here, as well as in our help center.


FAQ

  • Is cryptocurrency legal in Malaysia?

    Crypto in Malaysia is legal. However, Malaysia doesn’t recognize digital assets as legal tender or as a payment instrument. According to the Prescription Order 2019, they are recognized as securities.

  • Who regulates crypto in Malaysia?

    The main regulator for digital asset service providers in the country is the Securities Commission Malaysia (SCM).

  • Does the Travel Rule apply to crypto in Malaysia?

    Yes, it applies. Information has to be shared between the initiator and beneficiary companies whenever a crypto transfer occurs.
