26 February 2020

Bank Negara Malaysia (“BNM”) is the designated competent authority and regulator under the Anti-Money Laundering, Anti-Terrorism Financing Act and Proceeds of Unlawful Activities Act 2001 (“AML Act”). The AML Act imposes obligations on legal entities, institutions and persons (“reporting institutions”) to monitor their business activities and to report “suspicious transactions” to BNM.

BNM has issued anti-money laundering guidelines, policies and procedures under its Policy Documents on Anti-Money Laundering and Countering Financing of Terrorism (“AML Policy Documents”). The AML Policy Documents impose reporting institution obligations not only on financial institutions, but also on non-financial businesses and professional service providers to the financial services industry. This includes lawyers, company secretaries, accountants, trust companies and real estate agents (BNM defines these service providers as “designated non-financial businesses and professions” or “DNFBP”).

In 2019, BNM announced its intention to issue a new Policy Document for DNFBPs, to replace the existing Policy Document on Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Designated Non-Financial Businesses and Professions and Other Non-Financial Sectors (Sector 5) dated 1 November 2013 (“Sector 5 Policy Document”). There was widespread engagement by BNM throughout 2019 to alert and prepare DNFBPs for the new Policy Document.

On 31 December 2019, BNM issued the Policy Document on Anti-Money Laundering (AML), Countering Financing of Terrorism (CFT) and Targeted Financial Sanctions (TFS) for Designated Non-Financial Businesses and Professions (DNFBPs) and Non-Bank Financial Institutions (NBFIs) (“2020 Policy Document”). The 2020 Policy Document came into force just a day later, on 1 January 2020, and supersedes the Sector 5 Policy Document.

The first few weeks of 2020 have seen many compliance departments in DNFBPs such as lawyers, accountants, corporate secretaries, trust companies and real estate agents scrambling to update and revise their internal AML policies, procedures and checklists in order to fulfil their obligations as reporting institutions. Changes under the 2020 Policy Document ought to be welcomed by DNFBPs, as it clarifies many of their reporting obligations.

Key material changes to the AML, CFT and TFS compliance regime brought about by the 2020 Policy Document are set out below.

Small-Sized Reporting Institutions

One major change in the new BNM AML Policy Document is the introduction of the concept of a “Small-sized Reporting Institution”. These refer to, inter alia:

  • moneylenders, pawnbrokers and trust companies with annual sales turnover below RM3 million and less than 30 employees;
  • law, accounting and corporate secretarial practices with five or fewer holders of practicing certificates; and
  • registered real estate agents with total annual fees of less than RM3 million.

The concept of a Small-sized Reporting Institution recognises the differences in risk profiles and availability of resources between larger reporting institutions and smaller reporting institutions. For example, Small-Sized Reporting Institutions are:

  • not required to have bespoke AML policies, procedures and controls, so long as they comply with the policies and procedures under the 2020 Policy Document;
  • not required to have their Board approve mechanisms for review, internal control systems and oversight, lines of authority and responsibility, and internal audit functions;
  • not required to have their Senior Management formulate AML policies, mechanisms and procedures and implement training programmes;
  • only required to conduct employee AML screenings on hiring, and not on an ongoing basis;
  • permitted to conduct employee training and awareness programmes in a simplified approach and to rely on third party training; and
  • not required to have regular independent audits of their AML policies, procedures and programmes.

Strategic Trade Act 2010, Targeted Financial Sanctions and Proliferation Financing

The 2020 Policy Document extends the obligations of a reporting institution beyond the monitoring and reporting of money-laundering and terrorism financing risks, to also cover monitoring and supervising the implementation of the obligations and restrictions under the Strategic Trade Act 2010 (“STA”), the Strategic Trade (Restricted End-Users and Prohibited End-Users) Order 2010 and the Directive on Implementation of Targeted Financial Sanctions Relating to Proliferation Financing (“Directive on TFS-PF”) issued by the Strategic Trade Controller, Ministry of International Trade and Industry in April 2018.

Under the STA and the Directive on TFS-PF, reporting institutions are obliged to extend client screening processes to cover persons, legal entities and countries which are restricted under the STA and the relevant United Nations Security Council Resolutions on Proliferation Financing.

“Accurate” information which has been verified

The 2020 Policy Document has defined the term “accurate” as referring to “information which has been verified for accuracy”. This introduces multi-stage verification obligations on reporting institutions when it comes to obtaining any information as part of the reporting institution’s client due diligence (“CDD”) processes. Not only must the relevant information be obtained on the subject of the CDD, but the information has to be “verified for accuracy”.

We are of the opinion that it is not sufficient for a reporting institution, for example, just to ask the client the source of funds for a transaction which the reporting institution is handling. The reporting institution should also verify, using another data point, that the source of funds is indeed the source of funds that has been disclosed by the client.

Government-linked Companies and State-owned Corporations

Previously, based on the Sector 5 Policy Document, reporting institutions were exempted from having to obtain a copy of the incorporation documents, and from identifying and verifying the directors and shareholders, of the following entities:

  (a) public listed companies or corporations listed in Bursa Malaysia;
  (b) foreign public listed companies:
        • listed in recognised exchanges;
        • not listed in higher risk countries;
  (c) foreign financial institutions that are not from higher risk countries;
  (d) government-linked companies in Malaysia;
  (e) state-owned corporations and companies in Malaysia;
  (f) an authorised person, an operator of a designated payment system, a registered person, as the case may be, under the Financial Services Act 2013 and the Islamic Financial Services Act 2013;
  (g) persons licensed or registered under the Capital Markets and Services Act 2007;
  (h) licensed entities under the Labuan Financial Services and Securities Act 2010 and Labuan Islamic Financial Services and Securities Act 2010; or
  (i) prescribed institutions under the Development Financial Institutions Act 2002.

Many reporting institutions would have put the entities listed in (a) to (i) above on a “white list”. Once the beneficial owner of the client has been identified as one of the above entities and their details are recorded, the CDD check would be deemed sufficient to satisfy the requirements of the Sector 5 Policy Document. For example, the directors and shareholders of a licensed bank in Malaysia would be set out in its Annual Report or corporate website. Obtaining a copy of the Annual Report of such licensed bank should satisfy the requirements of the Sector 5 Policy Document.

Interestingly, the equivalent provision of the new 2020 Policy Document omitted “government-linked companies in Malaysia” and “state-owned corporations and companies in Malaysia”. This omission means that reporting institutions would need to:

  • obtain the Constitution and corporate documents; and
  • verify the identities of the directors and shareholders,

of even Malaysian government-linked companies (for example, Khazanah Nasional Berhad) and Malaysian state-owned corporations and companies (for example, the various State Economic Development Corporations).

The omissions of government-linked companies and state-owned corporations may not be that surprising, considering the largest money-laundering scandals over the past decade in Malaysia involved perpetrators using shell companies incorporated in tax-haven jurisdictions, with similar sounding names to government-linked companies and sovereign wealth funds.

Forms, Templates and Guidance Notes on AML CFT and TFS issues

The 2020 Policy Document eases compliance risks and uncertainties for reporting institutions with the insertion of guidance notes, guidance and forms in the Appendices to the 2020 Policy Document, such as:

  • Appendix 4 – Customer Due Diligence Forms;
  • Appendix 8 – Guidance on Application of Risk Based Approach;
  • Appendix 9 – Institutional Risk Assessment Template;
  • Appendix 10 – Infographic on Risk Based Approach;
  • Appendix 11 – Infographic on Compliance Officer’s Roles and Responsibilities;
  • Appendix 12 – Infographic on Customer Due Diligence;
  • Appendix 13 – Infographic on Suspicious Transaction Reports; and
  • Appendix 15 – Examples of Red Flags

Many reporting institutions have developed their own internal AML risk management processes and procedures. These processes and procedures may not be consistent with each other, and may not be up to the standards of diligence expected by BNM. As such, the sample forms, templates, guidance notes and infographics should be welcomed by reporting institutions for certainty and consistency.

Institutional Risk Assessments (IRA) for AML, CFT and TFS issues

The requirement for reporting institutions to conduct detailed institutional risk assessments (“IRA”) is emphasised in the 2020 Policy Document, which helpfully includes Guidance Notes on IRAs in Section 2.0 of Appendix 8 thereof. Paragraph 10.2.1 of the 2020 Policy Document states that reporting institutions are required to take appropriate steps to identify, assess and understand their ML/TF risks at the institutional level, in relation to their customers, countries or geographical areas, products, services, transactions or delivery channels, and other relevant risk factors.

While the 2020 Policy Document does not prescribe any methodology in conducting the IRA, the IRA is expected to reflect material and foreseeable AML threats and vulnerabilities which a reporting institution is exposed to. The reporting institution is expected to:

  • formulate parameters that indicate the reporting institution’s risk appetite in relation to AML, CFT and TFS risks that the reporting institution is exposed to; and
  • formulate and implement risk mitigation control measures, which may include transaction limits, additional layers of internal approvals, restrictions on the types of clients by geographical location or client type, and the use of tech-based services and solutions to mitigate such risks.

IRAs will likely increase compliance costs considerably for reporting institutions. Most professionals would be experts in their respective areas of expertise, such as law, accounting, trustee services or corporate secretarial services. Unless the professionals also have risk management expertise, there would likely be an increase in the requirement for the services of risk management consultants.


The 2020 Policy Document imposes considerably higher standards of AML, CFT and TFS compliance for DNFBPs such as lawyers, accountants, trustees and corporate secretaries. This is consistent with the requirements of the Financial Action Task Force (FATF) and worldwide trends over the past decade on increased compliance requirements for financial institutions and entities that provide services to financial institutions.

It is hoped that with higher awareness of AML, CFT and TFS risks, and increased compliance by the various financial institutions in Malaysia and the service providers to such financial institutions, the sort of egregious fraud and money-laundering activities, which led to Malaysia’s name being mentioned alongside the world’s largest financial scandals over the past decade, would be a thing of the past.

If you have any questions or require any additional information, you may contact Loo Tatt King or the Zaid Ibrahim & Co. partner you usually deal with.

This alert is for general information only and is not a substitute for legal advice.

