
Chapter 5: AML/CFT Compliance

A DAX is a “reporting institution” under AMLA 2001. AML/CFT compliance is the baseline — without it, nothing else matters.

5.1 Your statutory obligations

flowchart LR
    KYC[CDD/KYC] --> Risk[Risk rating]
    Risk --> Monitor[Ongoing monitoring]
    Monitor --> Detect[Detect suspicious activity]
    Detect --> STR[File STR/SAR to FIED]
    KYC --> Record[Record keeping]
    Monitor --> Record

Under AMLA and the SC’s AML/CFT guidelines you must:

  1. Customer Due Diligence (CDD / KYC): verify identity at onboarding.
  2. Risk rating: assess customers, products and geographies.
  3. Enhanced Due Diligence (EDD): extra scrutiny for high-risk customers and PEPs.
  4. Ongoing monitoring: watch transaction patterns for anomalies.
  5. Suspicious Transaction Reports (STR/SAR): file with BNM’s Financial Intelligence and Enforcement Department (FIED).
  6. Record keeping: customer and transaction records typically ≥ 6 years.
  7. Sanctions screening: against UN / local sanctions lists.

5.2 KYC essentials

Customer   | Collect at minimum
Individual | Full name, ID/passport, proof of address, selfie/liveness, source of funds
Corporate  | Registration docs, directors/shareholders, UBO, authorized persons
  • Integrate e-KYC / liveness and a third-party KYC vendor.
  • Run blockchain analytics (e.g. Chainalysis/Elliptic-type tools) to screen tainted addresses.
  • Define a risk-appetite policy: which countries/customers/assets you won’t accept.
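To make the 5.1 flow and the 5.2 screening steps concrete, here is an added Python sketch (not code from this guide or from any regulator or vendor) that chains risk rating, sanctions and tainted-address screening, ongoing transaction monitoring and STR-candidate flagging over a constructed customer record. Every list entry, country code, address and threshold in it is an assumed placeholder: real sanctions lists come from UN/BNM feeds, tainted-address data from a blockchain-analytics vendor, and the alert thresholds from your own risk-appetite policy, not from this example.

```python
"""Added illustration of a minimal AML pipeline: CDD record -> risk rating ->
screening -> ongoing monitoring -> STR-review flag. All reference data and
thresholds below are constructed placeholders, not regulatory values."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data (placeholders for UN/BNM sanctions feeds and analytics vendor output)
HIGH_RISK_COUNTRIES = {"ZZ"}                                    # placeholder ISO code
SANCTIONED_NAMES = {"acme trading llc"}                         # stored pre-normalised
TAINTED_ADDRESSES = {"0xbad0000000000000000000000000000000000001"}  # placeholder address

# Policy thresholds: assumed values for illustration, set them from your own risk-appetite policy
REPORT_THRESHOLD = 10_000          # single transfer amount that triggers review for high-risk customers
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3          # just-below-threshold transfers in the window that raise an alert


@dataclass
class Customer:
    cid: str
    name: str
    country: str
    is_pep: bool = False
    corporate: bool = False
    ubo_verified: bool = True      # corporate customers: has the beneficial owner been verified?


@dataclass
class Transfer:
    cid: str
    when: datetime
    amount: float
    counterparty: str              # on-chain address or bank reference


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and collapse spaces so list matching is not defeated by formatting."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.lower()).split())


def risk_rating(c: Customer) -> str:
    """Simple additive score over the customer/geography factors listed in 5.1 (weights are assumed)."""
    score = 0
    if c.country in HIGH_RISK_COUNTRIES:
        score += 2
    if c.is_pep:
        score += 2                  # PEPs go straight to EDD
    if c.corporate:
        score += 1
        if not c.ubo_verified:
            score += 2              # unknown beneficial owner is a hard EDD trigger
    if score >= 2:
        return "high"
    return "medium" if score == 1 else "low"


def sanctions_hit(c: Customer) -> bool:
    """Exact match on normalised name; production screening adds fuzzy/alias matching."""
    return normalise(c.name) in SANCTIONED_NAMES


def monitor(c: Customer, transfers: list[Transfer]) -> list[str]:
    """Ongoing-monitoring rules for one customer; returns alert codes (empty list = nothing to escalate)."""
    alerts: list[str] = []
    rating = risk_rating(c)
    txs = sorted(transfers, key=lambda t: t.when)
    for t in txs:
        if t.counterparty in TAINTED_ADDRESSES:
            alerts.append(f"TAINTED_COUNTERPARTY:{t.counterparty}")
        if rating == "high" and t.amount >= REPORT_THRESHOLD:
            alerts.append(f"HIGH_RISK_LARGE_TRANSFER:{t.amount:.2f}")
    # Structuring: several transfers each just under the threshold inside a short window
    near = [t for t in txs if REPORT_THRESHOLD * 0.8 <= t.amount < REPORT_THRESHOLD]
    for i, first in enumerate(near):
        window = [t for t in near[i:] if t.when - first.when <= STRUCTURING_WINDOW]
        if len(window) >= STRUCTURING_MIN_COUNT:
            alerts.append(f"POSSIBLE_STRUCTURING:{len(window)}x")
            break
    return alerts


def needs_str_review(c: Customer, transfers: list[Transfer]) -> bool:
    """A sanctions hit or any monitoring alert sends the case to the AMLCO for STR consideration."""
    return sanctions_hit(c) or bool(monitor(c, transfers))


def sample_case() -> tuple[Customer, list[Transfer]]:
    """Constructed sample: a corporate customer in a placeholder high-risk country making three
    transfers of 9,500 within ten hours, each just below the assumed 10,000 threshold."""
    c = Customer("C-001", "Acme Trading, LLC", country="ZZ", corporate=True)
    t0 = datetime(2024, 1, 1, 9, 0)
    txs = [Transfer("C-001", t0 + timedelta(hours=h), 9_500, "0xabc") for h in (0, 5, 10)]
    return c, txs


if __name__ == "__main__":
    cust, history = sample_case()
    print(cust.cid, risk_rating(cust), sanctions_hit(cust), monitor(cust, history))
```

Each rule is deliberately explicit so it can be mapped one-to-one onto the written monitoring rules and thresholds the SC application asks for; the exact-match sanctions check is the main simplification, since real screening needs fuzzy and alias matching, and every alert here should be written to an append-only audit record to satisfy the record-keeping obligation.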

5.3 Organization & personnel

  • Appoint a dedicated AML Compliance Officer (AMLCO / MLRO) with authority to report independently to the board and regulator.
  • Make compliance independent of the business lines.
  • Provide regular AML/CFT training with records.
  • Run periodic independent audits of AML effectiveness.

5.4 Policy & document checklist (for the SC application)

  • Enterprise AML/CFT policy & procedures manual.
  • Risk assessment methodology (customer/product/channel/geography).
  • CDD/EDD flows and triggers.
  • Transaction monitoring rules and alert thresholds.
  • STR reporting flow and internal escalation.
  • Sanctions screening process.
  • Training plan and independent audit schedule.

5.5 Data protection (don’t forget PDPA)

KYC collects extensive personal data — comply with the Personal Data Protection Act 2010 (PDPA): lawful collection, clear purpose, secure storage, restricted cross-border transfer, retention management.

Summary / action items

  • Appoint a dedicated AMLCO with an independent reporting line.
  • Write the AML/CFT manual + risk-assessment methodology.
  • Select and integrate e-KYC, sanctions screening, blockchain analytics.
  • Design transaction-monitoring rules and the STR reporting flow.
  • Schedule all-hands training and annual independent audit.
  • Establish a PDPA-compliant data-protection process.
