Global FinTech Guide
KYC requirements
The know your customer or know your client (KYC) guidelines and regulations for financial services require that professionals try to verify the identity, suitability, and risks involved with maintaining a business relationship.

Legal affairs

National regulatory framework regarding AML and effective date of the regulations

The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (“AMLA”) is the primary statute governing the AML regime in Malaysia. It was gazetted as law on 5 July 2001.

FIs are also required to comply with the AML/CFT Policy. 

In addition, BNM issued an electronic know-your-customer (e-KYC) policy document (e-KYC Policy Document) on June 30, 2020, that is applicable to all FIs and sets out the minimum requirements and standards that an FI must follow when implementing e-KYC for the identification and verification of individuals. The e-KYC Policy Document outlines the requirements for FIs to obtain board approval on their overall risk appetite and the internal mechanism governing the implementation of e-KYC, which imposes accountability on the board; to use an appropriate combination of authentication factors to verify a customer’s identity through e-KYC; and to use artificial intelligence to automate the decision to verify a customer’s identity through e-KYC.

National regulator or relevant authority for AML controls

BNM is the designated competent authority and regulator under AMLA.

Customer Due Diligence

Conduct of a typical KYC identification process

Generally, pursuant to the AML/CFT Policy, standard CDD measures include:

    a) Identify an individual customer and beneficial owner by obtaining information such as full name, national registration identity card or passport number and background information;
    b) For customers that are legal persons, FIs must verify the customer’s information by obtaining relevant information such as certificate of incorporation etc., the powers that regulate and bind the customer such as director’s resolution as well as the names of senior management personnel;
    c) Identify and take reasonable measures to verify the identity of beneficial owners; and
    d) Identify and maintain information relating to the identity of directors and shareholders of the customers.

Enhanced CDDs are required to be carried out where the money laundering and terrorism financing risks are assessed as higher. An enhanced CDD requires the FI to take additional measures, which include obtaining additional information, enquiring on the source of wealth or funds, and obtaining approvals from senior management of the FI before establishing such business relationship with the customer.

The AML/CFT Policy also sets out specific CDD processes for money-changing and wholesale currency business, wire transfers and e-money. Additionally, the AML/CFT Policy also sets out similar CDD processes to be complied with by insurance and takaful entities, money services business and non-bank issuers of designated payment instruments and designated Islamic payment instruments.

Possibility to meet customer due diligence requirements by relying on third parties who are obliged by law themselves to comply with AML regulations

Yes, it is possible to meet CDD requirements by relying on third parties, provided that the relationship between the FI (i.e. institutions that are obligated to comply with the reporting obligations provided in AMLA) and the third party is governed by an arrangement that clearly specifies the rights, responsibilities, and expectations of all parties, as required under the AML/CFT Policy.

Nevertheless, the conduct of CDD is the ultimate responsibility of the FI, and the FI must ensure that it is able to obtain the CDD information from the third party immediately upon request.

However, FIs are not permitted to rely on third parties to conduct on-going due diligence of their customers.

Possibility to outsource customer due diligence by contract to other third parties who are not obliged by law to meet AML regulations and rely on these (e.g., WebID, IDnow, PostIdent)

No, the AML/CFT Policy requires the FI to ensure that the third party is regulated and subject to AML regulations.

Presence of a license or registration requirement for the third party in case of outsourcing customer due diligence

The third party itself must be properly regulated and subject to AML supervision by the relevant supervisory authority (e.g. BNM). There are no licensing or registration requirements.

Further questions

Entities that could be relied on specifically by law as a third party to comply with AML regulations (regardless of outsourcing)

Yes credit institutions
Yes financial institutions
Yes auditors, external accountants, and tax advisors
Yes notaries and other independent legal professionals
Yes other trust or company service providers
No estate agents
No other persons trading high-value goods
No providers of gambling services



© 2022, Lee Hishammuddin Allen & Gledhill. All rights reserved by Lee Hishammuddin Allen & Gledhill as author and the owner of the copyright in this chapter. Lee Hishammuddin Allen & Gledhill has granted to Multilaw non-exclusive worldwide license to use and include this chapter in this guide and to sublicense Lexis Nexis, a division of RELX Inc. and its affiliates certain rights to use and distribute this guide.

The information in this guide provides a general overview at the time of publication and is not intended to be a comprehensive review of all legal developments nor should it be taken as opinion or legal advice on the matters covered. It is for general information purposes only and readers should take legal advice from a Multilaw member firm.

