As of January 2020, new Malaysian AML/CFT compliance obligations came into effect. Bank Negara Malaysia, the central bank and the primary AML regulator in the country, introduced these updates in the form of two new policy documents:
- AML/CFT and Targeted Financial Sanctions for Financial Institutions
- AML/CFT and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions & Non-Bank Financial Institutions
These documents complement the main AML law.
Who is affected
The new requirements apply to all companies regulated by Bank Negara Malaysia.
The AML/CFT policy document for financial institutions targets businesses such as banks (including investment and Islamic banks), insurance companies, and money service businesses, to name a few.
The second AML/CFT policy document affects all non-financial businesses and non-bank financial institutions. Among them are casinos, precious metal dealers, pawnbrokers, and others. From now on, we’ll refer to this diverse group as “non-financial businesses” for short.
Let’s start by covering the AML requirements that differ for financial and non-financial companies. We’ll then move on to the requirements that these two types of companies have in common.
What has changed for financial institutions
The latest AML/CFT policy document for financial institutions has replaced several separate policy documents and introduced unified AML/CFT compliance for all types of financial business.
- Updated Customer Due Diligence (CDD)
Previously, each category of financial institution (banks, insurance companies, etc.) had its own requirements for when to conduct CDD. The new AML/CFT policy document unified the list of cases for the application of the check. Here are the instances when companies are to apply CDD:
- New business relationship
- Previously obtained information about a customer seems dubious
- Ongoing CDD for existing customers
CDD must also be conducted for certain categories of transaction:
- Money exchange and wholesale currency transactions from RM3,000 (around $690)
- Wire transfers
- Electronic-money transactions
- Occasional and cash transactions of RM25,000 (around $5730) and above
A company is required to conduct CDD if a customer’s activity, or a particular transaction, raises any suspicion of money laundering or terrorist financing (ML/TF).
- Malaysia’s introduction of Simplified Due Diligence (SDD)
The new AML/CFT policy document for financial institutions has permitted simplified checks for the first time. Companies can now apply SDD when the risks of coming across ML/TF are low. However, each decision to implement SDD requires the board’s approval. Here is a list of information that needs to be obtained about a person or a business for SDD:
- Information about a beneficial owner if there is one
- Any official ID document number
- Date of birth
In the case of SDD, it is permitted to apply verification after a business relationship has been established.
- New limits for money transfers
For the first time, Bank Negara Malaysia has introduced limits for remittance transactions: RM30,000 (around $6900) per day for locals and RM5,000 (around $1200) per month for foreign workers.
What has changed for non-financial institutions
Bank Negara Malaysia extended the list of reporting non-financial businesses and unified the AML/CFT requirements for all of them. The regulator also updated a risk-based approach and introduced sanctions screening for all customers. Let’s take a closer look at each of these updates.
- Small-sized institutions now fall under the AML law
Here is the list of small-sized companies that now have to comply with AML/CFT requirements:
- Moneylenders, pawnbrokers, and trust companies with an annual sales turnover below RM3 mln (around $690 thousand) and fewer than 30 employees
- Precious metals/stones dealers and retail businesses with a total annual sales turnover of less than RM10 million (about $2.3 mln); these businesses must also have fewer than 30 employees
- Lawyers, accountants, secretaries with five or fewer holders of practicing certificates
- Real estate agents with total annual fees of less than RM3 million (around $690 thousand)
The requirements for small-sized businesses are not as strict as those in place for medium and large-sized firms. For instance, small companies do not have to develop their own AML policies or have regular independent audits. See the full list of exemptions at §11.1.
- Sanctions screening for all customers
Now that we’ve covered separate AML requirements for financial and non-financial institutions, let’s talk about the updates that both types of company have in common.
What has changed for all reporting businesses
There are new requirements that target both financial and non-financial companies.
- Updated requirements for a risk-based approach
The new risk-based approach must include two types of assessment: business-related and customer-related. These types have different names in the AML/CFT policy documents for financial and non-financial institutions, but the idea remains the same.
Business-related risk assessment entails the evaluation and management of ML/TF risks that a business faces. These risks depend on the type of business, location, and some other factors. The list of factors for financial firms can be found at Appendix 1, §3.2; for non-financial firms, please see Appendix 8, §3.2.
Customer-related risk assessment implies the supervision of the risks related to customers. In other words, businesses must mitigate the risks that arise from the types of services, products, and distribution channels that customers use. This type of assessment also includes evaluating customers as high, medium, or low risk (see Appendix 1, §4.0 (financial companies) and Appendix 8, §4.0 (non-financial)).
How a company performs these two components of a risk assessment must be recorded in the AML compliance program.
- Standard CDD for government-linked and state-owned companies
In short, businesses are now required to apply standard CDD checks for state-owned businesses.
Before the updates, such companies enjoyed a relative easing of AML/CFT obligations. However, in response to the recent corruption scandals, Bank Negara Malaysia introduced the same due diligence requirements for state-owned businesses as for any other businesses. At present, to establish a relationship with another firm, they must 1) provide a copy of the certificate of incorporation or constitution; 2) undergo director and shareholder verification procedures.
Businesses have 12 months to comply with this requirement to apply standard CDD procedures for existing customers who are government companies.
- PEP checks extended to their close associates and family
After the new AML updates, businesses must check not only Politically Exposed Persons (PEPs), but also their relatives and close associates.
Family members of the PEP include their parents, siblings, children, a spouse and his or her parents.
Close associates are relatives, close friends, people salaried by the PEP (like bodyguards and drivers), work colleagues, and prominent members of the organization in which the PEP works.
- Updated responsibilities of the board
Previously, both the company’s board and the senior management established AML/CFT policies and internal safeguards; now the board only approves the policies created by the senior management.
- ‘Fit and proper’ requirement for compliance officers
To perform their duty, an officer is required to be ‘fit and proper’, which means that he or she has personal and financial integrity, a good reputation, and necessary competency. It is not yet mandatory for officers to receive a professional AML/CFT qualification, but they are encouraged to obtain one.
From due diligence to internal safeguards and the compliance duties of staff, the latest Malaysian AML/CFT updates are all-embracing. Bank Negara Malaysia has given businesses 12 months to comply with the new CDD requirements that concern existing customers who are state-owned businesses. Companies still have time for this, as the deadline is January 2021.