Crypto Regulations in Malaysia—2025 Guide

Crypto adoption is on the rise worldwide, and Malaysia is no exception. While the country doesn’t consider digital assets to be legal tender, it still defines them as a form of securities. Meanwhile, Malaysia has been continuously working to provide a coherent legal framework for digital assets and service providers of these assets.

Malaysia may soon implement new laws for cryptocurrency and blockchain to oversee the industry and stay aligned with global regulatory trends. According to the Securities Commission Malaysia, the prime minister of Malaysia said he is considering introducing crypto and blockchain legislation during his visit to Abu Dhabi in January 2025.

We at Sumsub have prepared a complete guide to Malaysian crypto regulations. You’ll learn about the regulatory authorities overseeing the industry, as well as the main requirements for service providers to work legally in the country.

Recent developments

There have been updates in Malaysia’s regulatory framework, including Guidelines on Prevention on Money Laundering in 2024 and the amendment of the Capital Markets and Services Act in 2025.

In June 2024, Malaysia had tax enforcement actions to target tax evasion in cryptocurrency trading. Malaysia’s Inland Revenue Board initiated “Ops Token,” which uncovered significant undeclared digital asset transactions, prompting authorities to urge traders to declare their earnings to avoid penalties.

Additionally, in August 2024, authorities arrested individuals involved in unauthorized Bitcoin mining operations using stolen electricity, highlighting the government’s commitment to combating illicit activities in the crypto space.

Who is affected?

According to Malaysia’s Prescription Order 2019 and the amended Capital Markets and Services Order 2025, digital assets are separated into two categories: 

• “Digital currency—digital representation of value, which is recorded on a distributed digital ledger whether cryptographically-secured or otherwise, that functions as a medium of exchange and is interchangeable with any money, including through the crediting or debiting of an account
• Digital tokens—a digital representation which is recorded on a distributed digital ledger whether cryptographically-secured or otherwise, but does not include:
  (a) debentures, stocks, or bonds issued or proposed to be issued by any government;
  (b) shares in or debentures of a body corporate or an unincorporated body; or
  (c) units in a unit trust scheme or prescribed investments and includes any right, option, or interest in respect thereof.

The document also specifies in what cases digital currencies and digital tokens are considered securities.

Companies that wish to operate in Malaysia have to define whether they deal with digital tokens or digital currencies. Based on this, companies fall into one of the following categories: 

• Recognized Market Operator for Digital Asset Exchanges (RMO-DAX)—an electronic platform that facilitates the trading of digital assets
• Digital Asset Custodian (DAC)​—provides custody services for digital assets. Plays an important role in the ecosystem to safeguard digital assets of investors 
• Initial Exchanges Offering (IEO)—offers an alternative channel for fundraising for innovative businesses through digital tokens.

Who are the regulators?

The main regulator for digital asset service providers in Malaysia is the Securities Commission Malaysia (SCM). Any company that wishes to operate in Malaysia and provide services with assets qualified as securities has to register with the SCM.

Another regulator is Bank Negara Malaysia (BNM), the country’s central bank. While cryptocurrencies are not recognized as legal tender in Malaysia, BNM monitors their use to ensure they do not threaten the financial system’s integrity.

What are the regulations?

The SCM regulates digital assets in Malaysia through the Capital Markets & Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 and the 2025 amendment of the document, which enables the SCM to set guidelines on offering and trading of digital assets. ​

 RMO-DAX companies have to follow the Guidelines on Recognized Markets. Meanwhile, DAC and IEO have to comply with the Guidelines on Digital Assets. 

Companies must also follow the Anti-Money Laundering and Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001, as well as related guides from the SCM, in addition to the Personal Data Protection Act 2024.

Main challenges for businesses

Despite Malaysia’s efforts to regulate the cryptocurrency sector, crypto-operating businesses face several challenges.

• Regulatory uncertainty: While Malaysia has established a regulatory framework for digital assets, gaps remain in comprehensive legislation tailored explicitly to cryptocurrencies. This creates uncertainty for businesses, as evolving policies and enforcement actions may affect operational stability. Companies must navigate complex licensing requirements, adhere to financial regulations, and comply with the securities laws of multiple regulatory bodies, like SCM and BNM.
• Consumer protection concerns: A critical issue in Malaysia’s Digital Assets sector is the absence of clear consumer protection measures. Without a dedicated legal framework to protect investors, individuals are left vulnerable to fraud, scams, and market manipulation. This uncertainty complicates crypto businesses’ efforts to establish trust with potential customers, although SCM has implemented measures to reduce investor vulnerability.
• Compliance risks: Businesses dealing with digital assets must now ensure full compliance with digital asset regulations, which remains a challenge in many aspects. This increased regulatory pressure may lead to higher compliance costs and additional administrative burdens for companies operating in the sector.

How to register

In order to register, the business must be a Malaysian-incorporated company unless specified otherwise by the SCM. The exact criteria varies depending on the type of services provided. For example, IEO and DAC that wish to legally operate in Malaysia have to satisfy the following criteria:

• “The applicant, its directors, controller and senior management are fit and proper
• The applicant will be able to carry out its obligations 
• The applicant will appoint at least one responsible person to carry out the obligations
• The applicant will be able to manage risks associated with its business and operation including demonstrating the processes and contingency arrangement in the event the applicant is unable to carry out its operations
• The applicant has sufficient financial, human and other resources for its operation at all times and
• The applicant has appropriate security arrangements, taking into account the scale of its business operations and risks, which include maintaining a secured environment pursuant to the guidelines issued by the SCM for the management of cyber risk and other relevant guidelines”

An IEO applicant must have a minimum paid-up capital of RM5,000,000 (approximately $1.1 mln). However, the SCM may at any time impose additional financial requirements commensurate with the nature, operations, and risks posed by a given company. Finally, the IEO company must immediately notify the SCM if there’s a possibility of a breach of the minimum financial requirement.

A digital asset custodian must have a minimum paid-up capital of RM500,000 (approximately $110,000) and shareholders’ funds of RM500,000 maintained at all times.

Meanwhile, digital asset exchanges must be locally incorporated and have a minimum paid-up capital of RM5 million (approximately $1.1 mln) and, for DAX operators operating a Digital Broker model, an additional RM 5 million in shareholders’ funds must be maintained at all times.

The rest of the criteria for RMO-DAX differ from those set for IEO companies. 

The complete list of criteria can be found in the Guidelines on the Recognized Market.

How to comply with AML regulations

Registered companies have to implement and carry out a set of procedures to comply with AML regulations. This includes: 

• Appoint a compliance officer
• Provide staff training for employees working in relevant areas
• Implementing a risk-based approach by considering all the relevant risk factors (e.g., the size of the company and the number of new customers) 
• Conducting Customer Due Diligence checks, which include identifying and verifying customers. Depending on the customer’s risk level, companies should conduct either Simplified Due Diligence (SDD) or Enhanced Due Diligence (EDD)
• Transaction monitoring, which involves checking the size, trajectory, and frequency of transactions
• Sanctions and AML screening, which check if customers are on sanctions lists or designated as Politically Exposed Persons (PEP)
• Retaining records that must be maintained for at least seven years from the last completed transaction or the moment of account termination
• Reporting suspicious transactions, which have to be submitted immediately

Travel Rule

Travel Rule is a FATF Recommendation 16 requirement that mandates financial institutions and VASPs to collect and share originator and beneficiary information for VA and crypto transactions. Currently, there is no de minimis threshold for the applicability of the Travel Rule in Malaysia, which requires the Ordering Institution to obtain, hold, and transmit customer information during transactions with the Beneficiary Institution, regardless of the amount. However, Reporting Institutions must comply with the Travel Rule, which requires VASPs to share customer information during transactions.

To stay compliant, Reporting Institutions need a Travel Rule compliance solution that enables secure data sharing. Implementing automated systems for verifying and transmitting transaction details ensures adherence to regulations without disrupting operations. By adopting a robust compliance framework, companies can mitigate risks, enhance trust, and maintain seamless transactions in the evolving regulatory landscape.

According to the Travel Rule, regulated companies must share information on the originators and beneficiaries of wire transfers or digital asset transactions. This includes the following information about the originator and beneficiary:

From the originator—

• Name
• National registration identity card number or passport number
• Account number or digital wallet address, or a unique transaction reference number used to process the transaction, which permits traceability of the transaction
• Address or date and place of birth

From the beneficiary—

• Name
• Account number or digital wallet address, or a unique transaction reference number used to process the transaction, which permits traceability of the transaction

A Beneficiary Institution is required to have effective risk-based policies and procedures for determining:

• When to execute, reject, or suspend a wire transfer lacking the required originator or required beneficiary information
• The appropriate follow-up action

More information on the Travel Rule can be found here, as well as in our help center.

The future of crypto regulations in Malaysia

As Malaysia continues to develop its cryptocurrency regulatory framework, new policies and guidelines are expected to be introduced in several key areas soon.

• Comprehensive cryptocurrency legislation: The current regulatory framework classifies digital assets as securities under the Capital Markets and Services Act 2007. In the future, Malaysia may introduce dedicated legislation to provide clearer legal definitions, compliance guidelines, and consumer protections.
• Stronger consumer protection measures: As the number of cryptocurrency-related fraud cases continues to rise, authorities may introduce stricter consumer protection policies. These could include mandatory risk disclosures from crypto service providers, improved anti-fraud measures, and compensation schemes for investors who fall victim to scams. Strengthening these policies would help to boost public confidence and promote safer participation in the digital asset market.
• Expanded licensing: Digital Asset Exchanges (DAX), Initial Exchange Offering (IEO) platforms, and Digital Asset Custodians (DAC) are currently required to register with the Securities Commission Malaysia (SC). Future regulations may broaden these licensing requirements to include other crypto-related businesses, such as decentralized finance (DeFi) platforms, and staking or lending platforms. This expansion would help reduce risks associated with unregulated entities while promoting compliance throughout the wider digital asset ecosystem.
• Strengthening collaboration with international regulators: As countries around the world establish frameworks for regulating digital assets, Malaysia is expected to align its policies with international standards. By collaborating with global financial watchdogs like the Financial Action Task Force (FATF), Malaysia could adopt best practices for anti-money laundering (AML) compliance and monitoring cross-border cryptocurrency transactions.

Suggested read: AML and Anti-Fraud in the Crypto Industry: Complete Guide

FAQ

• Is cryptocurrency legal in Malaysia?

  Crypto in Malaysia is legal. However, Malaysia doesn’t recognize digital assets as legal tender or as a payment instrument. According to the Prescription Order 2019 (amended in 2025), they are recognized as securities.

• Who regulates crypto in Malaysia?

  The main regulator for digital asset service providers in the country is the Securities Commission Malaysia (SCM).

• Does the Travel Rule apply to crypto in Malaysia?

  Yes, it applies. Information between initiator and beneficiary company has to be shared whenever a crypto transfer occurs.