Fintech Regulation

3.1 Please briefly describe the regulatory framework(s) for fintech businesses
operating in your jurisdiction, and the type of fintech activities that are regulated.

Where a fintech business falls within any business or includes an activity that is regulated or
licensed in Malaysia, the regulatory and legal requirements to conduct such business or
activity must be complied with in accordance with the applicable Malaysian laws.

Fintech activities that involve banking, investment banking, insurance or takaful, money
changing, remittance, operating a payment system or issuing payment instruments business
will come under the purview of BNM. The FSA is the statute that regulates and provides
supervision of conventional financial institutions, payment systems and operators thereof and
the oversight of the money market and foreign exchange market. BNM also regulates the
Islamic financial sector, largely under the Islamic Financial Services Act 2013.
The SC, which regulates the Malaysian capital markets, has adopted a Digital Markets
Strategy intended to enhance access to financing, increase investor participation, augment the
institutional market and develop synergistic ecosystems for the capital markets in Malaysia.
Stockbroking, provision of investment advice, financial planning, dealing in derivatives and
advising on corporate finance are among the activities regulated by the SC under the Capital
Markets and Services Act 2007 (CMSA). The SC has set up aFINity as a platform for
interaction between it and relevant fintech stakeholders.
3.2 Is there any regulation in your jurisdiction specifically directed at
cryptocurrencies or cryptoassets?

Yes, the SC is the primary regulator of the digital asset industry in Malaysia and has
developed a regulatory framework that treats certain digital currencies and digital tokens as
securities for the purposes of securities law. As part of this framework, the SC has issued the
Digital Asset Order and the Digital Asset Guidelines. These digital asset-specific regulations
must be read along with the relevant provisions of the securities laws that apply to digital
assets, namely those in the CMSA.

Under the Digital Asset Guidelines, prospective issuers wishing to issue digital assets for the
purposes of fundraising do so via IEOs. Only digital tokens that have been prescribed as
securities under the Digital Asset Order may be offered via an IEO. Issuers raising funds via
an IEO may only do so via an IEO and not through any other means. IEOs are conducted
through IEO operators who approve applications from prospective issuers. IEO operators are
electronic platform operators registered under the Digital Asset Guidelines to operate an IEO
platform.

However, both BNM and the SC have stressed that, at the current time, digital assets are not a
payment instrument regulated by BNM and are not legally accepted for the exchange of
goods and services as legal tender in Malaysia.

3.3 Are financial regulators and policy-makers in your jurisdiction receptive to

fintech innovation and technology-driven new entrants to regulated financial services
markets, and if so how is this manifested? Are there any regulatory ‘sandbox’ options
for fintechs in your jurisdiction?

Malaysia is very receptive to fintech innovation and technology. The Malaysian government
has included Islamic finance and the digital economy as key economic growth activities in its
Shared Property Vision 2030.

Specific agencies and incentives are in place to facilitate the development of the digital
economy. MDEC is an agency under the Ministry of Communications and Multimedia
Malaysia that has been entrusted to develop, coordinate and promote Malaysia’s digital
economy, ICT industry and the adoption of digital technology amongst Malaysians. It has
helped to launch several initiatives pursuant to this goal, including:

 the Malaysia Digital Hub: a programme that has been set up to attract technology
investments, support local technology innovation and create a sustainable digital
ecosystem in Malaysia; and
 Orbit: a co-working space that serves both as a physical fintech innovation hub
and a nexus point for both local and foreign fintech players, allowing start-ups to
engage with industry leaders to ease solution development and early market
entry.
Both BNM and the SC have policies encouraging fintech through the initiatives referred to
above. For instance, BNM offers regulatory flexibility to entities approved in its Regulatory
Sandbox, which was introduced to enable innovation of fintech to be deployed and tested in a
live environment within view of regulators. This ensures compliance and promotes
sustainability for early-stage fintech businesses. The Sandbox also allows BNM to review
and adapt regulatory requirements or procedures that may unintentionally inhibit innovation
or render them non-viable.

3.4 What, if any, regulatory hurdles must fintech businesses (or financial services
businesses offering fintech products and services) which are established outside your
jurisdiction overcome in order to access new customers in your jurisdiction?

A fintech business, or financial services business established outside Malaysia offering

fintech products and services, must comply with the Malaysian laws applicable to the service
or product offered. Malaysian licensing laws apply to financial services and the regulated
activities set out in the CMSA, unless any waiver or exemption specifically applies by law or
is granted by the regulator. Most of the financial services businesses regulated by BNM and
the regulated activities supervised by the SC have to be conducted by a locally incorporated
entity, so as to allow smoother monitoring of compliance with Malaysian laws. Therefore,
any foreign entity will usually have to establish a local company to apply for the relevant
licence or approval.

Malaysia’s FinTech Regulatory Framework

There is no specific legislation governing the FinTech sector. FinTech companies remain
subject to the existing legislations and regulatory framework applicable to the traditional
financial services companies depending on the nature of activities undertaken and types of
products or services they offer.

It is pertinent to carefully assess the activities in determining which framework would apply.
For example, if a FinTech company carries on any regulated activity which involve banking,
investment banking, insurance or takaful, payment system and payment instruments, or
related activities under the Financial Services Act 2013 (“FSA”) or the Islamic Financial
Services Act 2013 (“IFSA”), and money changing and remittance businesses governed under
the Money Services Business Act 2011 (“MSBA”), then such FinTech company must
observe and comply with the relevant provisions under the FSA / IFSA and MSBA, which
are under the BNM’s administration and supervision.

On the other hand, the SC regulates activities that fall under the Capital Markets and Services
Act 2007 (“CMSA”) which include, amongst others, the provision of corporate finance,
financial planning and/or investment advice, dealing with derivatives, fund/asset management
and stockbroking.

It is noted that the licensing regime for FinTech activities can be broadly divided into 3
categories: ‘License’, ‘Approval’ or ‘Registration’, each represents the degree of the
regulatory standards based on the risks they may pose to financial and monetary stability,
consumer/investor protection and credit/market risk components that may impact the
Malaysian economy. “License” being the most stringent and “Registration” are for less risky
activities. Some sub-sectors are regulated by more strictly than others. For example,
remittance and money exchange service provider are subjected to licensing by BNM[4] as
compared to the registration requirement for the provision of merchant acquiring services.[5]

In addition to the above, there are various guidelines and policies formulated by the BNM
(issued pursuant section 266 of the FSA and section 277 of the IFSA) and the SC (section
377 of the CMSA confers the power to issue guidelines as the regulator deems fit)
respectively. These guidelines and policies serve as guidance for the FinTech players to
address issues applicable to their activities.

Below are some of the pertinent regulatory guidelines and policies (non-exhaustive) issued by
the BNM:

 Guideline on Electronic Money (E-money and E-Wallets)

 Operational Risk Integrated Online Network
 Interoperable Credit Transfer Framework
 Risk Management in Technology
 Participation Rules for Payments and Securities Services
  Merchant Acquiring Services
 Framework on Electronic Trading Platforms
 Business Continuity Management (Exposure Draft)
 Payment System Operator (Exposure Draft)
 Payment Cards Framework (Exposure Draft)

 Anti-Money Laundering Policy

The Anti-Money Laundering, Anti-Terrorism Financing, and Proceeds of Unlawful Activities

Act 2001 (the AMLA 2001), which took effect on January 2, 2018, any transaction involving
the local currency or any foreign currency above the amount specified by the competent
authority must be kept on file or promptly reported to the competent authority. The BNM also
released the Digital Currencies (Sector 6) Anti-Money Laundering and Counter-Terrorism
Financing Regulations. The Sector 6 Policy Document establishes minimal rules and
standards that a reporting institution must adhere to in order to improve the transparency of
digital currency transactions, including risk assessment and customer due diligence.

 e-KYC Policy

The BNM issued an electronic know-your-customer (e-KYC) policy document (e-KYC

Policy Document) on June 30, 2020, that is applicable to all financial institutions and sets out
the minimum requirements and standards that a financial institution must follow when
implementing e-KYC for the identification and verification of individuals. The e-KYC Policy
Document, outlines the requirements for FinTech services providers to obtain board approval
on its overall risk appetite and internal mechanism governing the implementation of e-KYC
which impose accountability on the board, to use an appropriate combination of
authentication factors to verify a customer’s identity through e-KYC, and to use artificial
intelligence to automate the decision to verify a customer’s identity through e-KYC.

Other than the above, the SC issued comprehensive regulatory guidelines and policy
documents for recognised market operators (“RMOs”), digital currencies and digital assets
ecosystem players, digital investment management (“DIMs”) and the most recently, the
licensing framework for digital banking.
  RMOs

The SC first issued the Guidelines for Recognised Market Operators on 11 December 2015
(“RMO Guidelines”). A recognised market covers alternative trading venue, marketplace or
facility that brings together purchasers and sellers of capital market products. Save for an IEO
operator which is subject to registration under the DA Guidelines, all operators for ECF, P2P,
DAX, PCF and E-Services platform (“ESP”) are required to register as a recognised market
operator pursuant to section 34 of the CMSA, and adhere to the ongoing terms and
obligations set out in the RMO Guidelines. The RMO Guidelines have been recently revised
effectively on 22 November 2021 aim to:

 Increase the fundraising limit on ECF platforms from RM10 million to RM20
million.
 Expand the list of permitted issuers on ECF platforms to include unlisted public
companies (“UPCs”).
 Introduce prospectus requirements for UPCs seeking to raise funds on the ECF
platform.
 Expand the obligation of an ECF operator to assess and register prospectus
prepared by UPCs.
 Making editorial amendments and rephrasing certain provision to enhance
clarity.

 Digital Currencies and Digital Assets

The Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital
Token) Order 2019 came into force on 15 January 2019 (“Order”). Pursuant to the Order, all
digital currencies and digital tokens that satisfy the requirements in the Order are prescribed
as securities for purposes of securities laws. Additionally, the SC issued the Guidelines on
Digital Assets (“DA Guidelines”) in October 2020. In line with digital currencies and digital
tokens being prescribed as securities, these DA Guidelines set out the requirements relating to
fundraising activity through digital token offering, operationalisation of IEO platform and
provision of digital asset custodian (DAC) functions. Any person who intends to make
available, offer for purchase, or issue an invitation to purchase digital currencies or tokens
needs to seek the SC’s authorisation and obtain prior approval from an IEO operator. An IEO
operator acts as an adviser, book runner and underwriter for companies that wish to raise up
to RM100 million for innovative blockchain projects through digital tokens issuance. As IEO
operator has similar roles as investment banks, it would require an IEO licence and
compliance with the stringent requirements relevant to IEO as set out under the DA
Guidelines. Since the SC’s introduction of a new framework for IEO operators in October
2020, companies that have applied for an IEO licence, amongst others include, Green Packet
Bhd, Managepay Systems Bhd, MyEG Services Bhd and Wetokenize Sdn Bhd.

 DIMs

The CMSA 2007 regulates a DIM, which is a type of fund management. Section 58 of the
CMSA 2007 requires DIM firms who provide automated discretionary portfolio management
services to apply for a Capital Market Services Licence (“CMSL”) from the SC. Chapter 13
of the Compliance Fund Management Companies Guidelines imposes additional
requirements on the DIM, as well as its board of directors and compliance officer, in addition
to the requirements that fund management companies are typically subject to in
the Guidelines on Compliance Function for Fund Management Companies issued on 14
March 2005 (revised on 4 May 2019, and the latest revision issued on 21 December 2021
with specific amendments relating to rebates and soft commissions to streamline
the Guidelines on Unit Trust Funds is scheduled to take effect by 1 March 2022) (“FMC
Guidelines”). StashAway Malaysia was the first DIM to get a CMSL in order to begin
operations in 2018.

 Digital banking

Digital banks and Islamic digital banks must apply for a licence with the BNM pursuant to
Section 10 of the FSA or Section 10 IFSA (whichever applicable). BNM issued the a more
simplified Licensing Framework for Digital Banks (“DBL Framework”) in December 2020,
which outlines the procedures for applications to establish a digital bank in Malaysia. The
DBL Framework emphasises on financial inclusion, requiring applicants for a digital banking
licence to provide quality access and responsible use of financial services, particularly to
underserved or unserved markets such as retail, micro, small, and medium businesses, in a
long-term manner.