The Financial Technology Law Review: Malaysia


It is fair to say that the respective regulators of the financial and capital markets sectors in Malaysia have encouraged fintech developments and, where necessary, proactively adjusted the regulatory framework to facilitate growth. For example, the Malaysian Securities Commission (the SC) was one of the first regulators in the Association of Southeast Asian Nations (ASEAN) region to introduce equity crowdfunding (ECF) guidelines.

There is no specific regulation or special licence for fintech companies in Malaysia. Regulation and licensing requirements are dependent upon the nature of fintech businesses that the company engages in. The Central Bank of Malaysia (the BNM) and the SC are the main regulatory bodies that regulate fintech. In the BNM's Fintech Regulatory Bootcamp conducted in August 2020, the BNM indicated that regulation must not stifle innovation or focus on maintaining the status quo, but rather safeguard the public and ensure financial and monetary stability. According to Mr Suhaimi Bin Ali, director of the Financial Development and Innovation Department at the BNM, when the BNM looks at innovations from fintech, they will look at how these innovations are helping the BNM to deliver its mandates and whether there are facilitations that can help address the issue of inclusivity, ensuring that our financial ecosystem is more competitive and progressive. In this case it would be something that the BNM would be willing to help advance and make sure that the regulatory framework is right, enabling the financial ecosystem to support the economic transformation.

There are no tax incentives specifically catering to fintech companies. However, there are tax incentives and preferential tax rates available for certain categories of businesses that could be applicable to fintech start-ups, depending on their business areas. For example, the Malaysia Digital Economy Corporation Sdn Bhd (MDEC) offers a corporate tax exemption for technology start-ups in the Malaysian Digital Hub. Because of the covid-19 pandemic, the government has also committed 100 billion ringgit to help various types of business, including small and medium-sized enterprises (SMEs).


i Licensing and marketing

A large number of fintech players in Malaysia are involved in the payments and cryptocurrency sectors. A fintech company should always consider in advance whether any licence, approval or registration is required from a regulatory authority, as there is no one-size-fits-all regulation that applies to every fintech player. The regulations that apply will depend on the specific scope of activities of the fintech product or service the company has to offer. Generally, the BNM regulates payment services and currency administration while the SC regulates activities related to capital markets.

The table below captures typical as well as upcoming fintech businesses and their respective regulators and licensing rules, if any.

Fintech serviceRegulatory bodyLicensing/approval/registration
E-money – a payment instrument that stores funds electronically in exchange of funds paid to the issuer and is able to be used as a means of making payment to any person other than the issuer; it can be issued in different forms such as a digital wallet (e-wallet), which is a type of prepaid account in which a user can store their money for any future online transaction.The BNME-money issuers must obtain approval from the BNM pursuant to Section 11 of the Financial Services Act 2013 (the FSA 2013). According to Division 1, Part 1, Schedule 1 of the FSA 2013, businesses that require approval include those that issue designated payment instruments.
Merchant acquiring service – a business of an operator of a payment system that enters into a contract with a merchant for the purpose of accepting payment instruments for payment of goods and services. The BNMMerchant acquiring services is one of the registered businesses under Schedule 1, Part 2 of the FSA 2013. As such, a person must register with the BNM and comply with the requirements in Section 17 to carry on a merchant acquiring service.
ECF – enables individuals to invest in a start-up in exchange for shares in that particular company.The SCUnder the Guidelines on Recognised Markets issued on 17 May 2019 pursuant to the Capital Markets and Services Act 2007 (the CMSA 2007) (the RM Guidelines), an ECF operator must register as a recognised market operator (RMO) with the SC.
Property crowdfunding (PCF) – a form of fundraising that envisages a homebuyer obtaining funds to pay for the property's purchase price through investments from multiple investors, through an online platform facilitating such transactions.The SCUnder the RM Guidelines, a PCF operator must register as an RMO with the SC.
Digital currencies or tokens offered through initial exchange offerings (IEOs) or initial coin offerings (ICOs) – an issuer, typically an early-stage venture, that seeks to raise funds through offering of digital currencies or tokens.The SCThe Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (Order 2019) which recognises digital currencies and digital tokens as securities came into force on 15 January 2019. With that, any person who intends to make available, offer for purchase, or issue an invitation to purchase digital currencies or tokens needs to seek authorisation of the SC to do so.
Further, an issuer must obtain approval from an IEO operator to offer digital tokens as per the Guidelines on Digital Assets issued on 15 January 2020 pursuant to the CMSA 2007 (the DA Guidelines). An IEO operator refers to an electronic platform operator that is registered pursuant to the DA Guidelines to operate an IEO platform, while IEO refers to offering of digital tokens by an issuer through an electronic platform.
Peer-to-peer lending (P2P) – a platform enabling individuals to lend money without the use of a bank or a financial institution as an intermediary.The SCUnder the RM Guidelines, a P2P operator must register as an RMO with the SC.
Digital asset exchange (DAX) – an electronic platform that facilitates the trading of digital currencies and digital tokens.The SCUnder the RM Guidelines, a DAX operator must register as an RMO with the SC. Additionally, the trading of any digital asset is subject to the approval of the SC.
Digital investment management (DIM) – a company carrying on the business of fund management incorporating technologies into its automated discretionary portfolio management services.The SCDIM is a regulated activity pursuant to Part 1, Schedule 2 of the CMSA 2007, and as such must obtain a capital markets services licence (CMSL) from the SC pursuant to Section 58 of the CMSA 2007.
E-services platform (ESP) – an electronic platform that arranges or facilitates the sale, purchase or subscription of a capital market product offered by a CMSL holder to investors. The SCUnder the RM Guidelines, an ESP operator must register as an RMO with the SC.
Digital banking – a banking business or Islamic banking business carried on primarily or wholly through digital or electronic means.The BNMDigital banks and Islamic digital banks must apply for a licence with the BNM pursuant to Section 10 of the FSA 2013 or Section 10 of Islamic Financial Services Act 2013 (the IFSA 2013) (whichever applicable).
Insurance and takaful aggregation business – a business of providing services through any electronic means that: (1) sources, aggregates and compares insurance or takaful products of more than one licensed person; and (2) makes referrals to any such licensed person in respect of the procurement of such insurance or takaful products; or (3) arranges the procurement of such insurance or takaful products through such electronic means. The BNMBased on the Exposure Draft for Insurance and Takaful Aggregation Business Registration Procedure and Requirements issued by the BNM on 18 June 2019 (the ITAB Exposure Draft), any persons intending to become a registered insurance and takaful aggregator will be required to be registered under the FSA 2013 to carry on insurance and takaful aggregation business. An amendment to the FSA 2013 is expected to be effected to set out the scope of insurance and takaful aggregation business.

Credit information services

The BNM's credit bureau, which operates under the Central Bank of Malaysia Act 2009 (the CBA 2009), collects credit-related information on borrowers from lending institutions and supplies the credit information back to the institutions in the form of a credit report via an online system known as the central credit reference information system (CCRIS).

The CCRIS automatically processes the credit-related data received from participating financial institutions and synthesises the information into credit reports, which are made available to the financial institutions and the borrowers, upon request. The credit report contains information on outstanding credit facilities obtained by the borrower, information on credit applications that have been approved in the previous 12 months and pending credit applications made by the borrower.

Subject to approval by the BNM, credit reporting agencies (CRAs) registered under the Credit Reporting Agencies Act 2010 can access the credit information of individual borrowers in CCRIS. There are currently three CRAs that have obtained approval from the BNM, namely Credit Bureau Malaysia Sdn Bhd, CTOS Data Systems Sdn Bhd and RAM Credit Information Sdn Bhd.

Digital advisory or asset management company

A DIM is a form of fund management regulated under the CMSA 2007. DIM companies providing automated discretionary portfolio management services must obtain a CMSL from the SC pursuant to Section 58 of the CMSA 2007.

Besides the requirements that fund management companies are typically subject to in the Guidelines on Compliance Function for Fund Management Companies issued on 14 May 2019 pursuant to the CMSA 2007 (the FMC Guidelines), Chapter 13 of the FMC Guidelines imposes additional requirements on the DIM itself (e.g., risk management, and algorithm design and oversight) as well as on its board of directors and compliance officer.

In 2018, StashAway Malaysia was the first DIM company to obtain a CMSL from the SC to commence operations.

Marketing of fintech products and services

Marketing of fintech products and services depends on whether the fintech company is providing services and products that are regulated in Malaysia. In particular, the following fintech products and services are subject to certain marketing rules:

  1. Digital assets issued through an IEO – An issuer is required to ensure that all information disseminated for marketing or promotion is consistent with the contents of its white paper for investors, which is appropriately displayed in all marketing and promotional materials, including its website. An issuer must not engage any third-party individual or entity, other than an IEO operator, to endorse or represent the issuer with the intended purpose of marketing, promoting, gaining publicity or soliciting funds for its digital token offering.
  2. DIM – Any representations, including in the form of an electronic communication made to clients must be conducted with due care, skill and diligence to enable the clients to make balanced and informed decisions. The DIM company must provide clients with, among other things, adequate information about the DIM company's shareholding, business address, relevant conditions or restrictions under which its business is conducted, key personnel and persons with whom clients may have contact, and subsequent changes made thereafter.

ii Cross-border issues

Regulated or licensed activities cannot be passported from another jurisdiction into Malaysia. Fintech companies licensed in a foreign jurisdiction that intend to offer their services or products in Malaysia must obtain the relevant licences and approvals under the applicable Malaysian laws.

Presently, all ECF, P2P, DAX, PCF, ESP and IEO operators are required to be locally incorporated. There are also additional requirements for issuers on ECF, P2P and IEO platforms to be locally incorporated or registered (other types of issuers will be allowed as may be permitted by the SC). Besides the requirement for issuers on IEO platforms to be locally incorporated, the issuer must also carry out its main business operations in Malaysia and its board of directors must include at least two directors whose principal or only place of residence is in Malaysia.

Malaysia has a liberal foreign exchange policy whose rules apply depending on residency status. Non-resident investors are free to undertake any type of investment in ringgit assets or foreign currency assets in Malaysia (direct or portfolio investment) without any restriction, and to repatriate divestment proceeds, profits, dividends or any income arising from investments in Malaysia. Similarly, residents without domestic ringgit borrowing are free to invest in foreign currency assets onshore and abroad.

Digital identity and onboarding

In 2001, it was made compulsory for all Malaysians to hold a national identity card known as 'MyKad', which contains an individual's name, address, race, citizenship status, religion and an inbuilt chip that stores fingerprint biometric data. The MyKad is primarily used as an official identification document to verify an individual's identity and can also be used as an ATM card, an e-wallet and a transit card. The MyKad also enables Malaysians to access MyEG – an electronic government (e-government) service platform – that provides an array of government services such as renewal of foreign workers' permits, replacement of national identity cards, payment of parking summons, car insurance and road tax renewals, and temporary transfers of vehicle ownership. The e-government services are also available to companies. A representative of a company would be required to provide their MyKad as a verification tool to access the e-government services. As the MyKad is a physical identification document used to verify a person's identification, it does not qualify as a digital identity.

In August 2019, the Minister for Communications and Multimedia (the Minister) announced the Cabinet's approval of the implementation of the National Digital Identity initiative. According to the Minister, although the National Digital Identity is an advanced method of authenticating a user's identity online, it does not substitute the MyKad, nor will it be made compulsory.

According to the Malaysian Communications and Multimedia Commission (MCMC), the National Digital Identity provides for the electronic verification of an individual's identity based on biometric characteristics such as fingerprints, facial recognition, iris scanning and demographic information such as names and dates of birth.

It was reported in September 2020 that the public consultation initiated by the MCMC received more than 35,000 responses, which involved the public and stakeholders across various ministries, government agencies, regulators and industry players. The top five uses of a National Digital Identity selected by participants were for electronic healthcare records, government assistance, government services, financial institutions and the telecommunications sector. The feedback obtained from the public consultation will be considered when evaluating and improving the proposal paper on a suitable National Digital Identity Framework for Malaysia. As the framework is still being formulated, it is not known whether it will extend to fintech businesses and non-residents.

Digitised onboarding is a relatively new process in the financial services sector. On 30 June 2020, the BNM issued a policy document on electronic know-your-customer (e-KYC) (e-KYC Policy Document), which is applicable to all financial institutions and sets out the minimum requirements and standards that a financial institution must observe in implementing e-KYC for the identification and verification of individuals. Among others, the e-KYC Policy Document sets out requirements for a financial institution to obtain its board approval on its overall risk appetite and internal framework governing the implementation of e-KYC, to adopt an appropriate combination of authentication factors to verify the identity of a customer though e-KYC and where the decision to verify a customer's identity through e-KYC is automated with the use of artificial intelligence, a financial institution shall ensure that the e-KYC solution is capable of accurately distinguishing between genuine and non-genuine cases of customer identification and verification. The requirements outlined in the policy document are aimed at enabling safe and secure application of e-KYC technology in the financial sector, facilitating the BNM's continued ability to carry out effective supervisory oversight over financial institutions, and ensuring effective anti-money laundering and counter financing of terrorism (AML/CFT) control measures.

Following the issuance of the e-KYC Policy Document, in October 2020, Hong Leong Bank Bhd and Hong Leong Islamic Bank became the first bank in Malaysia to offer a digital onboarding experience for Malaysians who are looking to open a bank account. Customers would only need to download the bank's mobile app to open an account, and their debit cards will be delivered to their location. It was reported that on the same day, Maybank also virtually launched their refreshed mobile app that offers a fully digital onboarding process. In implementing e-KYC, financial service providers may be subject to the Personal Data Protection Act 2010 (the PDPA 2010), which sets out the seven data protection principles including the general principle establishing the legal requirements for processing data: notice, choice, disclosure, data security, integrity and retention, and rights of access.

Digital markets, payment services and funding

As stated in Section II, the regulations that apply will depend on the specific scope of activities of the fintech product or service the company has to offer. The relevant licence, approval or regulations required for the relevant fintech product or service is set out in Section II above.

The SC, which regulates activities related to capital markets appears to also be regulating specific areas of fintech relating to ECF, P2P, PCF, ESP and DAX pursuant to the CMSA 2007. These respective areas of fintech are also subject to additional requirements as set out in the RM Guidelines. For ECF and P2P financing, the RM Guidelines impose additional requirements on platform operators (e.g., operation of trust account, obligations and managing conflict of interest) and the issuer (e.g., limit to funds raised on platform and disclosure requirement). Investors may also be subject to a restriction on investment amounts, depending on the status of the investor. Additional requirements relating to a PCF platform would mainly be imposed on the platform operator (e.g., criteria to qualify, prohibition on financial assistance, obligations, exit certainty, eligibility and obligations of homebuyers, disclosure requirements, client's asset protection), although homebuyers would also be subject to certain restrictions on the amount of funds permitted to be raised through a PCF platform, and only a property that satisfies the criteria prescribed under the RM Guidelines is eligible to be hosted on a PCF platform. Additional requirements for an ESP operator would be similar to a PCF platform but with a focus on capital market products. Among other things, DAX operators are prohibited from providing financial assistance to investors to invest or trade in digital assets on its platform.

On the other hand, the BNM regulates payment systems and currency administration, and, therefore, the operation of a payment system and the issuance of a designated payment instrument requires the approval of the BNM pursuant to the FSA 2013.

Collective investment schemes, which consists of unit trusts, real estate investment trusts, exchange-traded funds, closed-end funds, sustainable and responsible investment funds, foreign collective investment schemes and ASEAN collective investment schemes, are presently governed by the SC. It appears that fintech schemes presently do not fall within the scope of collective investment schemes although certain fintech products and services are regulated pursuant to the CMSA 2007.

The RM Guidelines allow for trading of investment notes and Islamic investment notes on a PCF platform provided that such investment note has been hosted and successfully funded through the PCF platform. In this regard, a PCF operator would be required to comply with the relevant requirements in the RM Guidelines (e.g., disclosure of information; adequate arrangements to deter market manipulation; manage error trades; manage systems error, failure or malfunction; make available pre-trade and post-trade information on non-discriminatory basis to all users on a timely basis).

Any disclosure of client data or product data to third parties is subject to the PDPA 2010.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Order 2019 recognises digital currencies and tokens as securities and would therefore be subject to applicable securities law (i.e., the CMSA 2007). Any person who offers or issues an invitation to purchase digital currencies or tokens will need to seek authorisation of the SC to do so.

Digital tokens are regulated as securities where they represent a right or interest of a person in any arrangement made for the purpose of, or having the effect of, providing facilities for the person where:

  1. the person receives the digital token in exchange for a consideration;
  2. the consideration or contribution from the person, and the income or returns, are pooled;
  3. the income or returns of the arrangement are generated from the acquisition, holding, management or disposal of any property or assets or business activities;
  4. the person expects a return in any form from the trading, conversion or redemption of the digital token or the appreciation in value of the digital token;
  5. the person does not have day-to-day control over the management of the property, assets or business of the arrangement; and
  6. the digital token is not issued or guaranteed by any government body or central bank as may be specified by the SC.

On 15 January 2020, the SC further issued the DA Guidelines, which outline the framework for fundraising through digital token offerings in Malaysia. The DA Guidelines set out requirements for an issuer to carry out all digital token offerings through an IEO operator registered with the SC. An issuer must be a company incorporated in Malaysia and carry out its main business operations in Malaysia. The issuer's board of directors must have at least two directors whose principal or only place of residence is in Malaysia. An issuer must not be hosted concurrently on multiple IEO platforms or on an ECF platform.

Additionally, the IEO operator must also be a locally incorporated company and is required to carry out the necessary assessment and due diligence to verify the business of the issuer as well as to understand the features of the digital tokens that are to be issued. In the event that the IEO operator wishes to facilitate the trading of digital assets on its platform, the IEO operator must also register with the SC as a DAX operator.

The DA Guidelines also emphasise that if a digital token serves as a payment instrument, the digital token may only be used in exchange for the issuer's goods and services disclosed in the issuer's white paper, which is approved by the IEO operator.

Amendments made to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (the AMLA 2001), which came into effect on 2 January 2018, sought to extend the scope of a reporting institution to include any person who carries out activities that provide services in relation to the exchange of digital currencies. The reporting obligations pursuant to the AMLA 2001 include keeping a record of or promptly reporting to the competent authority any transaction involving the domestic currency or any foreign currency exceeding such amount as the competent authority may specify. The BNM also issued the Anti-Money Laundering and Counter Financing of Terrorism – Digital Currencies (Sector 6), which came into effect on 27 February 2018 (the Sector 6 Policy Document). The Sector 6 Policy Document sets out minimum requirements and standards that a reporting institution must observe to increase the transparency of activities relating to digital currencies including in relation to risk assessment and customer due diligence.

While there is no specific provision for digital currency in the Income Tax Act 1967, Malaysia's Inland Revenue Board (IRB) has indicated as recently as January 2021 that cryptocurrency investors who trade their assets at the DAX will be required to declare their gains to IRB via their annual income tax declaration – do note that this will only apply to those who are actively, systematically and repeatedly trading the digital assets where there are patterns of badges of trade and does not apply to a capital gain transaction.

Other new business models

There is no specific law governing the use of self-executing contracts (smart contracts) in Malaysia. However, these contracts would need to adhere to the general principles of creating a legally valid contract, including offer and acceptance, consideration and intention to create a legal relationship. The increased number of fintech companies that offer smart contract development services demonstrates the increasing demand for smart contracts in Malaysia, which may affect the need to regulate smart contracts in Malaysia.

The Electronic Commerce Act 2006 (the ECA 2006) recognises the validity of a contract that is formed wholly or partly in electronic form. Communication of proposals and acceptance of proposals in the form of electronic messages is recognised as a valid and enforceable contract. Furthermore, the ECA 2006 provides that the Digital Signature Act 1997 (the DSA 1997) applies to any digital signature used as an electronic signature in any commercial transaction. The DSA 1997 states that where a document is signed with a digital signature it shall be as legally binding as a document signed with a handwritten signature, an affixed thumbprint or any other mark.

Third-party websites comparing or providing information about financial products are not regulated per se. However, the BNM recently issued the ITAB Exposure Draft whereby, upon coming into effect, any person carrying out such business must register with the BNM pursuant to the FSA 2013. Activities of price-comparison sites would also be subject to existing laws, such as the Competition Act 2010 (the CA 2010) and the PDPA 2010. The main prohibitions against anticompetitive agreements or abuse of dominance would govern the activities of price-comparison sites. In other words, cases actioned in other jurisdictions as being anticompetitive or potentially so can be actioned under the provisions of the CA 2010. For example, where:

  1. price-comparison sites have been found to facilitate information exchange between competitors; or
  2. the use of most-favoured-nation clauses leads to one comparison site always having the best deals, making it harder for other sites to effectively compete in the market, thus leading to the foreclosure of these other sites from the market.

Intellectual property and personal data protection considerations are further discussed in Section VII.

Artificial intelligence (AI) has made headway in the local banking sector in the form of chatbots and digital banking service mobile applications. RHB Bank Berhad launched an AI-powered messenger platform that operates in real time to streamline the credit card application process. Hong Leong Bank Berhad and the CIMB Group have also launched virtual assistants by employing AI technology. On 21 October 2020, United Overseas Bank (Malaysia) Bhd launched Mighty Insights which is Malaysia's first AI-based digital banking service. Customers can manage their finances via a mobile banking app, UOB Mighty, and are also able to receive personalised information of their behaviour patterns on banking and spending. This AI-based service empowers customers to manage their savings and expenses easily and smoothly. Presently, there are no special rules applicable to the use of AI in financial products as imposed by the BNM. However, the e-KYC Policy Document recently issued by the BNM recognises the utilisation of AI, machine learning or other types of predictive algorithms for accurate customer identification and verification in e-KYC solutions – such utilisation is accompanied with specific requirements on false acceptance rates (to ensure accuracy), addressing potential vulnerabilities, additional safeguards for deployment as well as reporting the performance of the e-KYC solution. In any event, it is likely that businesses modelled on AI would still be subject to existing laws.

Intellectual property and data protection

Fintech business models and related software can be protected by various intellectual property rights, namely copyright and patent. Alternatively, protection as confidential information under common law in Malaysia is also available, depending on the nature of the business model. Software is generally protected by copyright under the Copyright Act 1987, with no requirements for registration.

Patent protection is available for new inventive steps involving industrially applicable products and processes. In short, it provides a wider range of protection than copyright as it protects the idea or concept rather than just the work (e.g., source codes for software); hence, business models would likely gain patent protection by filing a patent application.

If an employee develops an original work during his or her term of employment, the default rule is that ownership of the copyright vests in the employer. Alternatively, if a contractor develops an original work, the default rule is that the contractor continues to own the original work. However, it is common for employees and contractors to be bound by written contractual obligations that specify ownership of the intellectual property they develop, and these default rules may be overridden. Compensation, if any, owed to the author of the copyright work would also depend on the nature of the relationship or the agreements entered into between the parties. Fintech companies should ensure that their employees and contractors enter into agreements specifying the rules on ownership of intellectual property.

The PDPA 2010 would also apply to fintech companies if they process any personal data (e.g., client data). Apart from the seven principles set out in the PDPA 2010, there are no rules that apply specifically to the digital profiling of clients. A data subject must consent to the processing of the personal data unless the processing is necessary for specific exempted purposes. Although the PDPA 2010 does not define or prescribe any formalities in terms of consent, the Personal Data Protection Regulations 2013 provide that the data user must keep a record of consent from data subjects and that the Personal Data Protection Commissioner or an inspection officer may request this.

There is no system of registration for confidential information. Business models and software can be protected if they are confidential in nature, disclosed in circumstances imposing confidentiality and there is actual or anticipated unauthorised use or disclosure of the information.

In addition, financial institutions in Malaysia are subject to secrecy rules in relation to customer affairs or account information as per Section 133 of the FSA 2013.

Year in review

The following highlights the SC and BNM initiatives in the regulation of fintech services in Malaysia.

In line with the BNM's efforts to facilitate greater digital offerings of financial services and as part of a series of measures adopted by the BNM in ensuring that regulatory requirements support the country's agenda on digital economy, the BNM issued the e-KYC Policy Document which seeks to promote the safe and secure application of e-KYC technology in the financial sector by clarifying desirable outcomes in the use of e-KYC and sets out best practices, as well as parameters to ensure security and integrity of the on-boarding process for customers.

The BNM has also been working on the much-anticipated digital banking framework. Following a six-month-long public consultation, on 31 December 2020, the BNM issued its Policy Document on Licensing Framework for Digital Banks (Digital Banks Licensing Framework). The Digital Banks Licensing Framework adopts a balanced approach to enable admission of digital banks with strong value propositions while safeguarding the integrity and stability of the financial system as well as depositors' interests. Digital banks will be required to comply with the requirements under the FSA 2013 or the IFSA 2013, including standards on prudential, shariah, business conduct and consumer protection, as well as on AML and CFT. Submission of applications to conduct digital banking business or Islamic digital banking business shall be made to the BNM no later than 30 June 2021 and the BNM further announced that only up to five licences may be issued to qualified applicants.

In a move to regulate IEOs and Digital Asset Custodians (DAC), the SC has revised its DA Guidelines which came into force on 28 October 2020. In addition to an IEO operator's obligation to conduct the necessary due diligence on the issuer, an IEO operator must review the issuer's proposal and the disclosures in the white paper and assess the issuer's ability to comply with the requirements of the DA Guidelines and the SC's Guidelines on Prevention of Money Laundering and Terrorism Financing. A DAC is a person who provides the services of safekeeping, storing, holding or maintaining custody of digital assets for the account of another person. The revised DA Guidelines include rules and regulations on a DAC to facilitate interested parties who wish to provide custody services for digital assets. The revised DA Guidelines will facilitate the SC's objectives in promoting responsible innovation in the digital asset space, while at the same time managing emerging risks and safeguarding the interests of issuers and investors.

There is indication that the DA Guidelines may be revised further, as the SC is presently seeking industry feedback on the regulatory framework for digital asset wallet providers, which will complement the existing frameworks for DAXs and IEOs. Digital asset wallet providers are persons who provide custody or storage services on behalf of digital asset owners and play an important role within the ecosystem in safeguarding the digital assets of the client.

Outlook and conclusions

The BNM's and the SC's efforts to support the financial services industry in its transition into the digital age is seen to be more prominent with its continued commitment in developing policies and regulations within the industry.

The coming into force of the e-KYC Policy Document has opened up the possibility of offering end-to-end digital financial services for customers. The digitalisation of identification and verification processors to enable the opening of accounts anytime and anywhere is seen to be of increased importance with the current covid-19 pandemic, which has led to movement restrictions within the nation.

The BNM's efforts in joining the ranks of its Asian counterparts in the development of the fintech industry can also be seen with its issuance of the Digital Banks Licensing Framework. There is much anticipation following BNM's announcement on the limited number of licences that may be issued to qualified applicants to conduct digital banking businesses, as this is seen to have sparked the interest of non-banking players to venture into the fintech industry, with business and even state governments announcing their intentions to bid for a licence. It is believed that the notification on the granting of licences will be made by the first quarter of 2022.

Further, the revision to the DA Guidelines to enable the SC to regulate IEOs and DACs, and the near-future possibility of a regulatory framework for digital asset wallet providers suggests that the SC is likely to extend its regulatory purview to the full scope of digital assets (which includes offering of digital tokens as well as trade and storage of digital assets).


1 Shanthi Kandiah is a partner at SK Chambers. She was assisted in writing this chapter by Thong Xin Lin, Nimraat Kaur and Karisma.

Get unlimited access to all The Law Reviews content