As of January 2020, new Malaysian AML/CFT compliance obligations came into effect. Bank Negara Malaysia, the central bank and the primary AML regulator in the country, introduced these updates in the form of two new policy documents:
These documents complement the main AML law.
The new requirements apply to all companies regulated by Bank Negara Malaysia.
The AML/CFT policy document for financial institutions targets businesses such as banks (including investment and Islamic banks), insurance companies, and money service businesses, to name a few.
The second AML/CFT policy document affects all non-financial businesses and non-bank financial institutions. Among them are casinos, precious metal dealers, pawnbrokers, and others. From now on, we’ll refer to this diverse group as “non-financial businesses” for short.
Let’s start by covering the AML requirements that differ for financial and non-financial companies. We’ll then move on to the requirements that these two types of companies have in common.
The latest AML/CFT policy document for financial institutions has replaced several separate policy documents and introduced unified AML/CFT compliance for all types of financial business.
Previously, each category of financial institution (banks, insurance companies, etc.) had its own requirements for when to conduct CDD. The new AML/CFT policy document unified the list of cases for the application of the check. Here are the instances when companies are to apply CDD:
CDD must also be conducted for certain categories of transaction:
A company is required to conduct CDD if a customer’s activity, or a particular transaction, raises any suspicion of money laundering or terrorist financing (ML/TF).
The new AML/CFT policy document for financial institutions has permitted simplified checks for the first time. Companies can now apply SDD when the risks of coming across ML/TF are low. However, each decision to implement SDD requires the board’s approval. Here is a list of information that needs to be obtained about a person or a business for SDD:
In the case of SDD, it is permitted to apply verification after a business relationship has been established.
For the first time, Bank Negara Malaysia has introduced limits for remittance transactions: RM30,000 (around $6,900) per day for locals and RM5,000 (around $1,200) per month for foreign workers.
Bank Negara Malaysia extended the list of reporting non-financial businesses and unified the AML/CFT requirements for all of them. The regulator also updated a risk-based approach and introduced sanctions screening for all customers. Let’s take a closer look at each of these updates.
Here is the list of small-sized companies that now have to comply with AML/CFT requirements:
The requirements for small-sized businesses are not as strict as those in place for medium and large-sized firms. For instance, small companies do not have to develop their own AML policies or have regular independent audits. See the full list of exemptions at §11.1.
Now that we’ve covered separate AML requirements for financial and non-financial institutions, let’s talk about the updates that both types of company have in common.
There are new requirements that target both financial and non-financial companies.
The new risk-based approach must include two types of assessment: business-related and customer-related. These types have different names in the AML/CFT policy documents for financial and non-financial institutions, but the idea remains the same.
Business-related risk assessment entails the evaluation and management of ML/TF risks that a business faces. These risks depend on the type of business, location, and some other factors. The list of factors for financial firms can be found at Appendix 1, §3.2; for non-financial firms, see Appendix 8, §3.2.
Customer-related risk assessment implies the supervision of the risks related to customers. In other words, businesses must mitigate the risks that arise from the types of services, products, and distribution channels that customers use. This type of assessment also includes evaluating customers as high, medium, or low risk (see Appendix 1, §4.0 for financial companies and Appendix 8, §4.0 for non-financial companies).
How a company performs these two components of a risk assessment must be recorded in the AML compliance program.
In short, businesses are now required to apply standard CDD checks for state-owned businesses.
Before the updates, such companies enjoyed a relative easing of AML/CFT obligations. However, in response to the recent corruption scandals, Bank Negara Malaysia introduced the same due diligence requirements for state-owned businesses as for any other business. At present, to establish a relationship with another firm, they must 1) provide a copy of the certificate of incorporation or constitution and 2) undergo director and shareholder verification procedures.
Businesses have 12 months to comply with this requirement to apply standard CDD procedures for existing customers who are government companies.
After the new AML updates, businesses must check not only Politically Exposed Persons (PEPs), but also their relatives and close associates.
Family members of the PEP include their parents, siblings, children, a spouse and his or her parents.
Close associates are relatives, close friends, people salaried by the PEP (like bodyguards and drivers), work colleagues, and prominent members of the organization in which the PEP works.
Whereas before, both the company’s board and the senior management established AML/CFT policies and internal safeguards, the board’s function is now only to approve the policies created by the senior management.
To perform their duty, an officer is required to be ‘fit and proper’, which means that he or she has personal and financial integrity, a good reputation, and the necessary competency. It is not yet mandatory for officers to receive a professional AML/CFT qualification, but they are encouraged to obtain one.
From due diligence to internal safeguards and the compliance duties of staff, the latest Malaysian AML/CFT updates are all-embracing. Bank Negara Malaysia has given businesses 12 months to comply with the new CDD requirements that concern existing customers who are state-owned businesses. Companies still have time for this, as the deadline is January 2021.