Chapter 14: Ongoing Compliance & Reporting Calendar
Getting the RMO registration is not the finish line — it’s the start of obligations. The SC supervises continuously; breaches bring penalties or even deregistration. This chapter turns “what you must keep doing” into an executable rhythm.
14.1 The four pillars of ongoing compliance
flowchart TD
    A[Capital maintenance<br/>RM 5M + liquidity]
    B[Periodic reporting<br/>financial/compliance/ops/STR]
    C[Audit<br/>statutory + AML + technical]
    D[Change notification<br/>ownership/personnel/systems/assets]
    A --> SC[SC ongoing supervision]
    B --> SC
    C --> SC
    D --> SC
14.2 Reporting & obligation calendar (illustrative)
⚠️ The table is an illustration of typical cadence; exact frequency, forms and deadlines must follow SC guidelines and your registration conditions.
| Cadence | Activity |
|---|---|
| Continuous / real-time | STR — report on detection; act on sanctions hits |
| Daily / weekly | Internal reconciliation (client assets vs ledger), alert handling, hot-wallet balance checks |
| Monthly | Management compliance review, internal ops reports, capital-adequacy self-check |
| Quarterly | Periodic reports to SC (financial/ops/compliance, as required), risk-committee meeting |
| Annually | Statutory financial audit, independent AML/CFT audit, technical/security audit & pen-test, annual compliance assessment, all-hands AML refresher |
| On trigger | Major incidents (hack/outage/data breach), material changes (see 14.4) |
14.3 Hard metrics to maintain long-term
- Capital: shareholders’ funds ≥ RM 5M, continuously (see Ch.2).
- Client-asset segregation: fiat trust account + separate client wallets, provable via reconciliation (see Ch.7).
- Record keeping: customer and transaction records ≥ 6 years (see Ch.5).
- Key roles: Compliance Officer and AMLCO continuously in post (replace and notify promptly on departure).
- Insurance: cyber/crime/D&O policies kept in force.
14.4 Material changes: notify/approve first
These usually require prior SC notification or approval — changing unilaterally is a breach:
| Change | Examples |
|---|---|
| Ownership / control | New shareholder, control change, UBO change |
| Key personnel | Director, CEO, Compliance Officer, AMLCO replacement |
| Business scope | New trading categories, major new features |
| Listing/delisting | Each asset is assessed; material moves need notice |
| Systems / custody | Replacing matching system, major wallet/custody change |
| Outsourcing | Outsourcing a key function to a third party |
14.5 Governance: make compliance sustainable
- Three lines of defense: business (1st) → compliance & risk (2nd) → internal audit (3rd).
- Compliance and risk are independent of the business and can reach the board directly.
- The board regularly reviews compliance/risk reports, with records.
- Keep a regulator-communication log: archive every SC interaction.
flowchart LR
    L1[1st line<br/>Business] --> L2[2nd line<br/>Compliance & Risk]
    L2 --> L3[3rd line<br/>Internal Audit]
    L3 --> Board[Board / Risk Committee]
    Board --> SC[SC]
Summary / action items
- Build a compliance calendar (daily/weekly/monthly/quarterly/annual + triggers) with owners
- Establish periodic self-checks + reconciliation for capital and client-asset segregation
- Define the “notify/approve first” list for material changes and the internal approval flow
- Implement three-lines-of-defense governance with compliance independence
- Keep a regulator-communication log; archive all SC interactions