Jun 30, 2023

Malaysian AML Regulations—Necessary Compliance Information

Everything you need to know about AML compliance in Malaysia

Malaysia is one of the biggest economies in Asia, attracting a wide range of international companies. At the same time, the Malaysian government is taking steps to ensure that its business sector is free of illegal activity. That’s why the country has been continuously developing its Anti-Money Laundering (AML) regulatory framework, introducing its main AML Act back in 2001 and adapting new legislation ever since.

Malaysia’s latest AML legislation came into effect in 2020 and consists of two policy requirements:

  • AML/CFT and Targeted Financial Sanctions for Financial Institutions
  • AML/CFT and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions & Non-Bank Financial Institutions

These new regulations have changed reporting and due diligence obligations for businesses. In addition, Bank Negara Malaysia (BNM) regularly issues standards and guidelines targeting reporting institutions.

To help you adapt to Malaysia’s regulatory environment, we at Sumsub prepared this article on the country’s main AML laws and the requirements each institution must follow.

Who’s affected?

The main AML Act in Malaysia refers to affected entities as “reporting institutions”. This term encompasses the following types of businesses:

  • Financial institutions (e.g., banks, insurance companies)
  • Casinos
  • Crypto companies 
  • Lawyers and accountants
  • Trust companies 
  • Real estate agents
  • Dealers in precious metals and stones

What are the regulations?

Affected entities have to comply with the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA). The regulation consists of rules on customer due diligence measures, recordkeeping, reporting, and penalties. 

When it comes to investigating money laundering activities in Malaysia, there are several government institutions in charge: 

  • The Central Bank of Malaysia 
  • The Malaysian Anti-Corruption Commission 
  • Royal Malaysian Customs 
  • The Inland Revenue Board of Malaysia 
  • Labuan Financial Service Authority 
  • The Companies Commission of Malaysia
  • The Securities Commission of Malaysia
  • The Ministry of Domestic Trade, Cooperative and Consumerism 
  • Public Prosecutor

Who are the regulators?

Bank Negara Malaysia (BNM) is the designated competent authority and regulator under the AMLA. It’s responsible for examining the level of compliance of affected institutions. The BNM has also created a Financial Intelligence Unit (FIU) to analyze suspicious activity reports provided by companies.

How to stay compliant

Companies should implement due diligence measures, which include identifying and verifying the identity of customers and beneficial owners, assessing the purpose and intended nature of the business relationship, and conducting ongoing monitoring of client transactions. This includes obtaining at least the following information about customers:

  • Full name
  • National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner
  • Residential and mailing address
  • Date of birth
  • Nationality
  • Occupation type
  • Name of employer, nature of self-employment or nature of business
  • Contact number (home, office or mobile)
  • Purpose of transaction


When working with legal persons/other companies, the following information should be collected:

  • Name, legal form and proof of existence, such as a Certificate of Incorporation, Constitution or Partnership Agreement (certified true copies or duly notarised copies may be accepted), or any other reliable reference that verifies the identity of the customer
  • The powers that regulate and bind the customer such as directors’ resolution, as well as the names of relevant persons having a Senior Management position
  • The address of the registered office and, if different, a principal place of business

Companies should also conduct sanctions screening on existing, potential, or new customers against the Domestic List and UNSCR List. Where applicable, screening shall be conducted as part of the Customer Due Diligence process and ongoing due diligence. 

Companies also have to conduct ongoing monitoring of their customers, which includes:

  • Scrutinizing transactions undertaken throughout the course of the relationship to ensure that they are consistent with the reporting institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds
  • Ensuring that documents, data, or information collected under the CDD process are kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher-risk customers

Companies should keep records of their customers for at least six years after the end of the relationship or final transaction. According to AMLA, the following information should be collected and kept:

  • The identity and address of the person in whose name the transaction is conducted
  • The identity and address of the beneficiary or the person on whose behalf the transaction is conducted, where applicable
  • The identity of the accounts affected by the transaction, if any
  • The type of transaction involved, such as deposit, withdrawal, exchange of currency, cheque cashing, purchase of cashier’s cheques or money orders or other payment or transfer by, through, or to such reporting institution
  • The identity of the reporting institution where the transaction occurred
  • The date, time, and amount of the transaction 
Companies are obliged to send reports to the FIU as soon as suspicion arises. AMLA states that the following reasons can be considered sufficient grounds for the report:

  • Any transaction exceeding such amount as the competent authority may specify
  • Any transaction where the identity of the person involved, the transaction itself or any other circumstances concerning that transaction gives any officer or employee of the reporting institution reason to suspect that the transaction involves proceeds of an unlawful activity or instrumentalities of an offense
  • Any transaction or property where any officer or employee of the reporting institution has reason to suspect that the transaction or property involved is related or linked to, is used or is intended to be used for or by, any terrorist act, terrorist, terrorist group, terrorist entity or person who finances terrorism

What are the penalties?

The maximum penalty for failing to submit a suspicious activity report, conduct CDD measures, or keep records is MYR one million (approximately $215,000). 
