Cryptocurrency regulation in Malaysia is primarily overseen by the Securities Commission Malaysia (SCM). The regulatory landscape began to take shape in 2019 when the SCM classified certain digital currencies and tokens as securities. A significant development occurred in 2021 when the SCM introduced amendments to include the Crypto Travel Rule within the national framework. These amendments were part of the Guidelines on Prevention of Money Laundering and Terrorism Financing for Reporting Institutions in the Capital Market.
The Crypto Travel Rule officially came into force in Malaysia on April 1, 2022. This rule mandates that Virtual Asset Service Providers (VASPs) must share specific information about the originators and beneficiaries of cryptocurrency transactions. The goal is to enhance transparency and prevent illicit activities such as money laundering and terrorism financing.
Timeline of Regulatory Actions
- January 8, 2019: The SCM published the Capital Markets and Services Order of 2019 (Order 2019), which classified certain digital currencies and tokens as securities.
- April 26, 2021: The SCM introduced Travel Rule requirements through amendments to the AML/CFT Guidelines for the capital market.
- April 1, 2022: The Crypto Travel Rule entered into force in Malaysia.
Cryptocurrency Legality and Oversight
Is cryptocurrency legal in Malaysia?
Yes, cryptocurrencies are legal in Malaysia. They are classified as securities under Order 2019. However, it is important to note that they are not recognized as legal tender or official payment instruments by the country's central bank, Bank Negara Malaysia.
Who regulates cryptocurrency in Malaysia?
The Securities Commission Malaysia (SCM) is the primary regulatory body for cryptocurrencies, exercising its authority through Order 2019 and subsequent guidelines.
Are there AML regulations for crypto in Malaysia?
Yes. Malaysian VASPs must comply with the anti-money laundering (AML) and counter-financing of terrorism (CFT) guidelines outlined by the SCM. These rules are designed to ensure that VASPs implement robust systems to detect and prevent financial crimes.
Are there licensing requirements for VASPs?
Cryptocurrency exchanges operating in Malaysia must register with the SCM. This registration process is a key part of the regulatory framework, ensuring that only compliant and reputable platforms serve Malaysian users.
The FATF Travel Rule in Malaysia
Is the Crypto Travel Rule mandated in Malaysia?
Yes. The SCM formally introduced the Crypto Travel Rule requirements in its 2021 amendments to the AML/CFT guidelines. This aligns Malaysia with the global standards set by the Financial Action Task Force (FATF).
Was there a grace period for compliance?
Yes. The regulations were published in April 2021, but the Travel Rule requirements officially entered into force on April 1, 2022, providing VASPs with an 11-month period to prepare and implement the necessary compliance systems.
Compliance Requirements for the Travel Rule
What is the minimum threshold for the Travel Rule?
There is no minimum threshold, or de minimis, for the Crypto Travel Rule in Malaysia. This means that the same scope of information must be collected and transmitted for every transaction, regardless of its value.
What information must be shared?
Malaysian Originator VASPs are required to collect and share specific personally identifiable information (PII) with the Beneficiary VASP. This includes details such as the originator's name and account number.
Based on common industry practices, collecting a customer's Place of Birth is not standard during due diligence. Therefore, Malaysian VASPs often transmit the Originator’s Address instead of the Date and Place of Birth to fulfill their obligations. 👉 Explore more compliance strategies
Do requirements differ for domestic and cross-border transfers?
The guidelines specifically mention cross-border transactions. However, the current stance of the SCM is that the same scope of Travel Rule information transmission obligations apply to both domestic transfers and those with international counterparties.
What are the rules for non-custodial wallets?
There are no specific written rules exclusively for transactions involving self-hosted or non-custodial wallets. However, a VASP's overall policies and procedures for handling such transactions are subject to review by supervisory authorities as part of their broader compliance framework.
What are the obligations of a Beneficiary VASP?
A Beneficiary VASP in Malaysia has critical responsibilities, including:
- Implementing reasonable measures to identify transfers that lack the required originator or beneficiary information.
- Establishing risk-based policies to decide when to execute, reject, or suspend a non-compliant wire transfer.
- Determining the appropriate follow-up actions for such cases.
Frequently Asked Questions
What is the Crypto Travel Rule?
The Crypto Travel Rule is a regulatory requirement that obligates Virtual Asset Service Providers (VASPs) to share specific information about the sender and receiver of a cryptocurrency transaction. It is designed to prevent money laundering and terrorist financing by increasing transparency in digital asset transfers.
Who needs to comply with the Travel Rule in Malaysia?
All registered Virtual Asset Service Providers (VASPs) operating in Malaysia must comply with the Travel Rule. This includes cryptocurrency exchanges and other platforms that facilitate the transfer of digital assets for users.
What happens if a VASP does not comply?
Failure to comply with the Travel Rule can result in significant penalties from the Securities Commission Malaysia (SCM). These may include financial fines, suspension of operating licenses, or other enforcement actions, damaging the VASP's reputation and ability to operate.
Is there a minimum transaction amount for the rule?
No, there is no minimum threshold. The Travel Rule applies to all transactions, regardless of their value. Every transfer requires the same set of originator and beneficiary information to be shared between VASPs.
How do VASPs typically share the required information?
VASPs use specialized compliance software and secure protocols to share the required PII. These systems are designed to ensure the data is transmitted safely and efficiently between counterparties while maintaining privacy and security standards.
Can transactions be rejected for missing information?
Yes. A Beneficiary VASP is obligated to have policies in place to reject or suspend transactions that are missing the mandatory originator or beneficiary information as required by the Travel Rule guidelines. 👉 Get advanced compliance methods
Implementing a Compliance Solution
Choosing the right technology partner is crucial for efficient and secure compliance. A robust solution should offer wide reachability to connect with other VASPs, both domestically and internationally. It should also provide tools tailored to specific regulatory requirements, such as the lack of a de minimis threshold in Malaysia.
Effective compliance demonstrates a VASP's commitment to operating within the legal framework established by the Securities Commission Malaysia. It helps build trust with regulators, users, and banking partners, ensuring the long-term sustainability of their operations in the Malaysian market.