FinTechs face stricter AML/CFT rules under BNM draft

Bank Negara Malaysia (BNM) is introducing a comprehensive overhaul of anti-money laundering and counter-financing of terrorism (AML/CFT) requirements for e-money issuers under its 2025 exposure draft.

According to Flagright, the policy, effective 31 January 2025, sharpens compliance expectations for FinTechs and wallet providers, reinforcing the importance of robust due diligence, sanctions screening, transaction monitoring, and governance frameworks across the digital payments space.

At the heart of the draft is enhanced customer due diligence (CDD). E-money issuers (EMIs) must conduct full identity verification at onboarding, including understanding account purpose and screening names against Malaysia’s domestic sanctions list and the United Nations Security Council resolutions list. This applies not only to individual customers but also to corporate clients and beneficial owners, particularly those deemed high risk. Sanctions screening is now a critical part of CDD, and EMIs are expected to ensure periodic reviews and updates of all customer information.

BNM has left no room for compromise on sanctions screening, which is now mandatory and continuous. E-money providers must integrate automated systems capable of checking every customer—new or existing—against global and domestic sanctions and PEP lists. The failure to perform these checks is considered a serious compliance breach, as recent enforcement actions have shown.

The draft also mandates ongoing transaction monitoring. E-money issuers must implement real-time systems to detect suspicious activity, ensuring all customer transactions align with risk profiles. EMIs are expected to develop transaction scoring models and maintain the capacity to file suspicious transaction reports promptly. High-risk behaviours such as structuring or unusual volume spikes must trigger alerts and be documented thoroughly for regulatory scrutiny.

BNM’s risk-based approach separates limited-purpose e-money (such as single-merchant gift cards) from general-purpose wallets. While the former is exempt from most AML/CFT rules, standard and “eligible” EMIs—those with large user bases or transaction volumes—are subject to more stringent requirements. These include tighter transaction limits, higher capital requirements, and stricter oversight for high-risk customer groups.

AML/CFT compliance is also being directly linked to licensing. To obtain and retain an EMI licence, providers must demonstrate strong governance and compliance frameworks. This includes assigning compliance officers, board-level accountability, regular staff training, and documented escalation protocols. Individuals in leadership roles may be held personally accountable for AML failures, reinforcing the need for a culture of compliance.

BNM’s May 2023 enforcement against TNG Digital serves as a stark reminder of what’s at stake. The operator of Touch ‘n Go eWallet was fined RM600,000 after failing to screen sanctioned individuals. The oversight allowed two prohibited persons to access e-wallet services, highlighting the consequences of weak screening controls. Despite self-reporting the error, the firm faced financial penalties and reputational risk—sending a strong message to the industry that such lapses will not be tolerated.

To meet these rising standards, traditional compliance methods are no longer enough. BNM and the Securities Commission now expect e-money issuers to employ technology that offers real-time monitoring, risk scoring, and auditability. Manual checks and fragmented systems will not satisfy these criteria, especially at scale. FinTechs must invest in digital compliance infrastructure that can adapt quickly and maintain detailed logs of all AML/CFT actions.

Flagright, a compliance technology provider, offers a compelling solution for Malaysian e-money firms. Its AI-powered platform delivers real-time transaction monitoring, dynamic risk scoring, and name screening against global and domestic lists. By using AI forensics, Flagright reduces false positives by up to 93%, allowing compliance teams to focus on real threats. The platform’s case management and audit logging tools ensure complete traceability, meeting regulatory expectations for evidence-based compliance.

Crucially, Flagright includes a no-code rule builder, enabling FinTech compliance teams to update risk rules and scoring models without technical support. This flexibility is vital for adapting to policy changes like those in BNM’s 2025 draft. The system supports data residency in Malaysia and comes pre-configured with rules aligned with local regulations, helping firms deploy a compliant setup rapidly.

By adopting advanced RegTech like Flagright, Malaysian FinTechs can turn regulatory compliance into a competitive advantage. A unified, automated system provides real-time oversight, efficient investigation processes, and clear documentation—reducing both compliance costs and regulatory risk.

Ultimately, BNM’s revised guidelines elevate compliance from a regulatory formality to a critical business function. In today’s landscape, failure to meet AML/CFT standards can lead to fines, licence loss, and reputational damage. FinTechs and e-money providers that act now to modernise their compliance infrastructure will be best positioned to grow and innovate within Malaysia’s increasingly regulated digital payments environment.

Copyright © 2025 RegTech Analyst
