KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namedate of birth

KYC to onboard international persons

date of birthnamenationalitypermanent addresspassport numberoccupationidentity cardpassportbirth certificatedriving licensephotograph

corporate requirements

articles of associationidentification documents of directorsauthorisation person to represent the companyidentification document of person to represent the companyregistered office address

National ID card name

Kad pengenalan Malaysia

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Electronic Commerce Act 2006; Digital Signature Act 1997

E-sig law files

malaysia.pdf

What year did the relevant AML laws and regulations become effective?

2002

Further details on AML regime

15 Jan 2002.

Who is the regulator for AML controls for Banking

Bank Negara Malaysia (the Central Bank)

Link to site

http://amlcft.bnm.gov.my/index.html

Other financial Services

N/A

Website of Regulator

N/A

Financial Sector regulator

N/A

Practical Guidance for AML

Anti Money Laundering Act (“AMLA”) at a Glance” summary: http://www.amlc.gov.ph/amla.html The Bangko Sentral ng Pilipinas (“BSP” (local central bank)) issues “Key Prudential Regulations” on Money Laundering for bank and non-bank financial institutions regulated by the BSP

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

Retroactive details

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Yes

PDF of FATF review

member-documents.aspx

Are there minimum transaction thresholds (Y/N)

More details on minimum transaction thresholds.

In broad terms there is no minimum threshold for the following: a) establishing businesses relationships; b) wire transfers; c) if there is suspicion of ML/TF; and d) if there is doubt about veracity or adequacy of previously obtained information. Otherwise: For banks and deposit taking institutions: Money changing and wholesale currency business - RM3,000 (approx. USD690) and above; occasional transactions - RM50,000 (approx. USD11,510) and above in a single transaction or several transactions in a day that appear to be linked; cash transactions - RM50,000 (approx. USD11,510) and above in a day. For insurance and takaful: May perform simplified CDD on customer, beneficial owner and beneficiary if: a) all insurance policies are sold with premium amount below RM5,000 (approx. USD1,150); or b) any single premium insurance policy is below RM10,000 (approx. USD2,300). For money service businesses: Money changing and wholesale currency business - RM3,000 (approx. USD690) and above: a) RM3,000 (approx. USD690) to RM10,000 (approx. USD2,300), sighting and keying in customer/beneficial owner identification information; and b) above RM10,000 (approx. USD2,300), sighting and keying in customer/beneficial owner identification information and making a copy of identification document. For licensed casino: Any transaction involving RM10,000 (approx. USD2,300) and above (exchange cash for cash chips, exchange cash/vouchers for chip warrants, request for cheques or wire transfers for payments of winnings/capital, use of membership cards/temporary cards in respect of e-cash out facility). CDD is also required on the third party when customer requests RM10,000 (approx. USD2,300) and above to be paid to a third party. For licensed gaming outlets: Appropriate thresholds are decided internally based on their own risk assessment. Thresholds are not publicly disclosed. For dealers in precious metals and stones: Any cash transaction equivalent to RM50,000 (approx. USD11,510) and above, either as a single transaction or multiple transactions on a given day

What are the requirements for customer identification information for individuals

reporting institutions should obtain at least: full name; date of birth; nationality; permanent and mailing address and NRIC/passport number. Institutions should verify the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, as well as other identifying information on that person, whether an occasional or usual client, through the use of documents such as an identity card, passport, birth certificate, driving licence, or any other official or private photograph bearing document. Where a particular individual is commonly known by two or more different names, the individuals shall not use one of those names to open an account with the reporting institutions, unless he/she has disclosed the other names to the reporting institutions. The reporting institution should make a record of the different names by which the individual is commonly known as and upon request provide the information to the competent authority

Details to be Collected on Corporates

reporting institutions should require the company/business to provide original documentation and copies should be made of each of the following documents: a) Memorandum and Articles of Association/Certificate of Incorporation/partnership; b) identification documents of directors/shareholders/partners; c) authorisation for any person to represent the company/business; d) identification document of the person authorised to represent the company/business in its dealing with the reporting institution; and e) registered office address and principle place of business

What are the high level requirements around beneficial ownership (identification and verification)?

The reporting institution must identify and verify the beneficial owner. They should conduct customer due diligence on the natural person that ultimately owns or controls the customer's transaction when they suspect the transaction is conducted on behalf of a beneficial owner and not the customer who is conducting such a transaction. The customer due diligence conducted should be as stringent as that imposed on an individual customer.

What circumstances are enhanced customer due diligence measures required?

Local AML guidance requires an enhanced customer due diligence process for higher risk categories of customers, business relationships or transactions. Enhanced due diligence should include at least obtaining more detailed information from the customer and through publicly available information, in particular, on the purpose of the transaction and source of funds; and obtaining approval from the Senior Management of the reporting institution before establishing the business relationship with the customer. Examples of higher risk customers are individuals with high net worth, non-resident customers, individuals from locations known for their high rates of crime (e.g. drug producing, trafficking, smuggling), countries or jurisdictions with inadequate AML/CFT laws and regulations as highlighted by the FATF, PEPs, legal arrangements that are complex (e.g. trusts, nominee companies), cash based businesses and businesses/activities identified by the FATF as of higher money laundering and/or terrorist financing risk

How should FI's deal with Politically exposed persons

Once a PEP (local and foreign) is identified, the reporting institution should take reasonable and appropriate measures to establish the source of wealth and funds of such a person.

What enhanced due diligence must be performed for correspondent banking relationships?

Section 20 of the sectorial guidelines for banks and financial institutions, deals with correspondent banking: S. 20.1 Reporting institutions providing correspondent banking services to respondent banks are required to take the necessary measures to ensure that it is not exposed to the threat of ML/TF through the accounts of the respondent banks such as being used by shell banks. S. 20.2 In relation to cross-border correspondent banking and other similar relationships, reporting institutions are required to: a) gather sufficient information about a respondent bank to understand fully the nature of the respondent bank’s business, and to determine from publicly available information the reputation of the respondent bank and the quality of supervision exercised on the respondent bank, including whether it has been subject to a ML/TF investigation or regulatory action; b) assess the respondent bank’s AML/CFT controls against the AML/CFT measures of the country or jurisdiction in which the respondent bank operates; c) obtain approval from Senior Management before establishing new correspondent banking relationships; and d) clearly understand the respective AML/CFT responsibilities of each institution. S. 20.3 In relation to “payable-through accounts”, reporting institutions are required to satisfy themselves that the respondent bank: a) has performed CDD obligations on its customers that have direct access to the accounts of the reporting institution; and b) is able to provide relevant CDD information to the reporting institution upon request. S. 20.4 Reporting institutions shall not enter into, or continue, correspondent banking relationships with shell banks. Reporting institutions are required to satisfy themselves that respondent banks do not permit their accounts to be used by shell banks. For the non-financial institution sector, there is no specific guideline for correspondent banking.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

For banks and other financial institutions, the guidelines state that they should not establish or have any business relationship with shell banks. There is no such prohibition for the non-financial sector.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Reporting institutions may establish non face-to-face business relationships with its customers. Non face-to-face relationships can only be established if the reporting institutions have in place policies and procedures to address any specific risks associated with non face-to-face business relationships. Reporting institutions are required to be vigilant in establishing and conducting non face-to-face business relationships (e.g. through the Internet) and are required to establish appropriate measures for identification and verification of customer identity that shall be as effective as that for face-to-face customers and to implement monitoring and reporting mechanisms to identify potential ML/TF activities. Reporting institutions may use the following measures to verify the identity of non face-to-face customer such as: a) requesting additional documents to complement those which are required for face-to-face customer; b) developing independent contact with the customer; or c) verifying customer information against any database maintained by the authorities.

To whom are SAR's made? (suspicious activity reports)

Financial Intelligence and Enforcement Department, Bank Negara Malaysia

Link to website of SAR reporting

http://amlcft.bnm.gov.my/AMLCFT05a.html

Other Suspicious or unusual transactions obligations.

There are no specific obligations in the non-financial sector. For banking and financial institutions, the obligations are contained at Appendix 1 of the following document:

Are there any de-minimis thresholds below which transactions do not need to be reported?

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes: a) failing to report suspicion (RM1m (approx. USD230,344) fine); b) tipping of (RM3m (approx. USD691,032) or jail (max 5 years) or both); and c) engaging or assisting in money laundering (jail (max 15 years) and the higher of five times the value of the proceeds or RM5m (approx. USD1.2m))

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

the law only came into effect on 15 Nov 2013

Data Protection for Corporate Data

the same law applies to corporate data in a number of scenarios however these have not yet been fully explained

Data protection for "sensitive Data" and additional protections.

yes. Sensitive personal data is any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data. Due to the nature of sensitive personal data, a higher restriction is imposed for data users in processing it. A data user must not process sensitive personal data without the explicit consent of the data subject.

Do any restrictions on the transfer of credit reports exist?

The Personal Data Protection Act 2010 came into force on 15 Nov 2013. At this early stage, there is some uncertainty over how the transfer of these types of reports (e.g. for KYC etc.) will be impacted, if at

Regulator Acronym

BNMA

Year of last FATF mutual evaluation

2015

Field 67

reporting institutionsidentification&verificationadditional documentsindependent contactverifying information

National ID card details

Issued at age 12, and updated at 18.

Compulsory?

National ID source

http://www.perthmintbullion.com/How-To-Trade/Customer-Identification-Documents/Malaysia.aspx

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Requirement to proceed

requirement to use automated suspicious transaction tools

Who are SARS made to?

FIED

shell banks

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

RM 50,000

Min transaction USD

11510

Personal Data protection

Data Protection for Corporates

Personal Data Protection Act

http://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf

key restrictions

Malaysia’s electronic signature law does not contain any restrictions on the type of agreement it applies to when using a digital signature.

Summary

Section 62 requires the use of a digital signature (sometimes called advanced electronic signatures) where the law requires a signature. Summary of law Malaysia’s Digital Signature Act is modeled on the UNCITRAL Model Law on Electronic Signatures but does not permit the use of electronic signatures when a signature is required on a document. Instead, Malaysia requires the use of a digital signature. However, some documents may not require a signature to be enforceable. In these situations, an electronic signature solution may be appropriate to track and manage the final, approved version of a document.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

N/A

Does the country have a risk based approach?

Yes, a risk based approach is approved. However a specific approach is not detailed and it remains the responsibility of the reporting institution to devise an approach

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Original documents must be provided and the reporting institution should make copies, as required. Certified true copies/duly notarised copies may be accepted.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

N/A

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

The Financial Services Act 2013 contains secrecy provisions under section 133 (http://www.bnm.gov.my/documents/act/en_fsa.pdf).