Fintech 2022 Comparisons

It is anticipated that the trading of digital assets/tokens (such as cryptocurrencies) and the establishment of platforms to facilitate such trading will continue to thrive, given that the Securities Commission Malaysia (SC) has recently approved the fourth Digital Asset Exchange. 

The Bank Negara Malaysia (BNM) is expected to approve a maximum of five digital bank licensees in March 2022, which would accelerate the access to finance for the unserved and underserved markets. BNM has also issued a discussion paper in respect of the licensing framework for digital insurers and takaful operators (DITOs) ("DITOs Discussion Paper") and this paves the way for further growth in the fintech space when new insurance and takaful operators' licences are issued to DITOs.

BNM will continue to advocate and support the growth potential of Malaysia's broader fintech ecosystem by integrating the different frameworks and initiatives (eg, the Financial Technology Regulatory Sandbox Framework or "Sandbox"). In addition, the regulator also aims to experiment with the central bank digital currencies (CBCDs) over the course of the next few years.

While there are a number of insurtech players (eg, insurance product aggregators and online insurance product distributors) in the market, payment services providers (eg, payment gateways, remittance service providers) and e-wallet providers continue to be a predominant vertical in Malaysia. With the regulation of crypto-exchanges by the SC, there are currently only four crypto-exchanges operating in Malaysia.

There is no fintech-specific regulatory regime applicable to industry participants in the main verticals. The term "fintech" is potentially very broad and there is no statutory definition of "fintech" in Malaysia. As a result, the existing regulatory framework, generally applicable to the financial services industry, applies equally to fintech industry participants. This framework includes: 

• the Financial Services Act 2013 (FSA); 
• the Islamic Financial Services Act 2013 (IFSA); 
• the Money Services Business Act 2011 (MSBA); 
• the Capital Markets and Services Act 2009 (CMSA); and 
• various standards and guidelines issued by BNM and the SC. 

An assessment of proposed fintech activity must therefore be made to determine whether it falls under the existing regulatory framework and if so, the relevant legislation, standard and/or guideline that will apply. 

BNM has also begun to move to regulate new types of businesses, albeit within the existing regulatory framework. Examples of this are: 

• the Licensing Framework for Digital Banks, which will require digital banking businesses to be licensed under the FSA or the IFSA; and
• the DITOs Discussion Paper, which sets out, among other things, the proposed requirements for the establishment and licensing of DITOs and the key assessment criteria for the licensing of DITOs.

Assuming that fintech market players do not take the form of incumbent financial institutions or FIs (ie, insurers or banks), there is presently no publicly available framework in Malaysia regulating the compensation models (ie, the manner in which customers should be charged and the accompanying disclosures on the various new products and services) adopted by fintech market players. As the concept of freedom of contract is recognised in Malaysia, such compensation models are therefore a matter of contract between the fintech provider and the customer.

As set out in 2.2 Regulatory Regime, the existing regulatory framework applicable to incumbent FIs generally applies to fintech industry participants, and there are no differences in regulation between these entities. 

BNM introduced the Sandbox in 2016 to enable fintech solutions to be implemented and tested under live conditions. The Sandbox represents a balance between the desire to encourage technology and innovation in providing financial services, and the need to manage and appropriately regulate the unique risks and challenges posed by such developments. Note that enhancements to the Regulatory Sandbox under the Financial Sector Blueprint 2022–2026 issued by BNM are anticipated, such as providing accelerated tracks for lower-risk activities or simplified testing parameters. 

Assessment and Business Plan

The Sandbox is open to financial institutions and fintech companies that are looking to provide services (whether on their own or in collaboration with FIs) that are already, or are likely to be, regulated by BNM. Although an application may be submitted at any time, BNM typically expects applicants to have conducted an assessment of the proposed product and any associated risks and possible safeguards, and to provide a business plan to support the deployment of the product. Only genuinely innovative products with clear potential will be accepted into the Sandbox. 

Exemptions and Benefits

While a company is in the Sandbox, it may enjoy temporary exemptions from specific regulatory requirements, which it will face a challenge in meeting. The company will have the opportunity to engage in dialogue with BNM to clearly define a space in which to experiment with and test its particular products and services. At the same time, BNM will benefit from the participants' feedback and form a better understanding of the technological solutions and services that it seeks to regulate. 

Testing Period

The maximum testing period is 12 months from the starting date of the test, although BNM has the discretion to approve an extension on a case-by-case basis. BNM has made it clear that the Sandbox cannot be used to circumvent existing laws and regulations. Therefore, when the testing period expires, BNM will make an assessment as to whether the product, service or solution is able to meet the relevant legal and regulatory requirements prescribed by BNM and, therefore, whether it may be deployed in the market on a wider scale or whether development of the product should be prohibited.

Different regulatory licences and/or approvals are triggered depending on the type of business being conducted. Generally speaking, the four primary pieces of legislation which are likely to apply to fintech industry participants in Malaysia are the:   

• FSA;   
• IFSA;   
• MSBA; and   
• CMSA.   

The FSA, IFSA and MSBA are administered and enforced by BNM: 

• the FSA sets out the regulatory framework for, among others, the conventional business of banking, investment banking, insurance, operating a payment system and issuance of payment instruments;   
• the IFSA sets out the regulatory framework for, among others, the Islamic business of banking and takaful operators; and   
• the MSBA sets out the regulatory framework for the businesses of money-changing, remittance and wholesale currency.   

On the other hand, the CMSA is administered and enforced by the SC and regulates, among others, the activities involved in dealing in securities, dealing in derivatives, fund management, investment advice and financial planning.   

As there is no fintech-specific legislation in Malaysia, BNM or the SC (as the case may be) will regulate the fintech industry participant to the extent that it engages in a regulated business or activity falling within the jurisdiction of BNM or the SC. 

The inherent activity which is the subject of regulation under Malaysian law (eg, taking deposits, underwriting risks) cannot be outsourced to another party (even where such a party is a regulated entity).

Fintech providers that are reporting institutions for the purposes of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act, 2001 (AMLATFA) (eg, approved e-money issuers and remittance licensees) are subject to reporting requirements under the AMLATFA. To the extent that these fintech providers are regulated by BNM or the SC, they will also be subject to additional requirements under the relevant guidelines issued by these regulators pursuant to the AMLATFA, which deal with, among other things, the reporting obligations and controls that are to be put in place to counter money-laundering, terrorism-financing and proliferation financing risks (eg, BNM's Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, the SC's Guidelines on Prevention of Money Laundering and Terrorism Financing for Capital Market Intermediaries, and the SC's Guidelines on Implementation of Targeted Financial Sanctions Relating to Proliferation Financing for Capital Market Intermediaries). 

To date, there do not appear to have been any significant enforcement actions initiated by regulators against fintech industry participants in Malaysia.

As discussed in 2.2 Regulatory Regime, there is no fintech-specific regulatory framework in Malaysia, and fintech players are therefore subject to the same general non-financial services regulations as incumbent FIs, to the extent that they are applicable to fintech players.   

The extent to which these existing laws can be applied to fintech participants and incumbent FIs will depend on the specific regulated activity the fintech participant or incumbent FI is involved in.        

Apart from the regulators, it appears that no other bodies (such as accounting and auditing firms, or other vendors) review and monitor the activities of fintech industry participants. While there are industry associations in Malaysia (eg, the Fintech Association of Malaysia), the members do not seek to self-regulate the industry and function more as intermediaries between the fintechs and regulators.

Section 14 of the FSA and Section 15 of the IFSA restrict industry participants who have been licensed or approved by BNM to undertake certain businesses in Malaysia (Authorised Business), such as e-money issuers, operators of payment systems, financial advisers and insurance/takaful brokers, from conducting any other business or activity (whether inside or outside Malaysia) save for those in connection with, or for the purposes of, its Authorised Business. 

Therefore, industry participants regulated by BNM can only offer unregulated products and services to the extent that they are related to its Authorised Business or where such unregulated products and services are approved by BNM.   

While there are no similar restrictions on industry participants falling within the regulatory ambit of the MSBA or the CMSA, BNM and the SC have broad discretion to impose such restrictions, as part of the industry participants’ licensing conditions, where BNM and the SC deem fit. 

The anti-money laundering framework in Malaysia is primarily constituted of the Malaysian Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act ("AMLA") and supplemented by the policy documents and/or guidelines issued by BNM and/or SC, as the case may be. AMLA applies to all companies, including fintechs, regardless of whether such companies are regulated.

To the extent that fintech companies fall within the ambit of a reporting institution under AMLA, fintech companies are subject to additional reporting obligations under AMLA.  

Fintech participants providing robo-advisory services (ie, the management of funds using innovative technologies as part of an automated discretionary portfolio of management services) will need to be licensed by the SC to undertake fund management in relation to portfolio management, as a digital investment manager under the CMSA ("Digital Investment Manager").   

To this end, a Digital Investment Manager may manage various asset classes, and the SC does not require that a Digital Investment Manager should adopt different business models for different asset classes. 

Legacy players intending to implement solutions introduced by robo-advisers should enter into consultations with the SC to discuss the possibility of implementing robo-advisory solutions within their traditional model of doing business. 

The SC's Guidelines on Compliance Function for Fund Management Companies ("Fund Management Guidelines") contain certain best execution requirements which apply to all fund management companies in Malaysia, including robo-advisers. Such requirements include: 

• establishing, implementing and maintaining written policies to ensure best execution of trades for their clients; and 
• prior to executing any investments for a client, a fund management company must ensure that –   
1. the investment transaction is carried out in accordance with the client’s mandate and within the limits prescribed in the investment management agreement; and   
2. the relevant account has sufficient assets to meet the obligations of the transaction.

The existing regulatory framework does not generally make a distinction between online and non-online lenders. The activity of providing loans may potentially be regulated under a range of laws in Malaysia, depending on the precise business model. For example, a business which lends money at interest, with or without security, to a borrower, will require a money-lending licence under the Moneylenders Act 1951 (MLA); while a business which provides finance (eg, by lending money), as well as accepting deposits on current accounts, deposit accounts, savings accounts or other similar accounts, and which pays or collects cheques drawn by or paid in by customers, may require a banking licence under the FSA.   

The MLA and FSA also do not distinguish between the provision of loans to specific types of borrowers (eg, individuals, small businesses, etc). The corresponding obligations under the MLA and FSA would equally apply to the entity providing the loans, for as long as the licensing requirement is triggered. The Ministry of Housing and Local Government (the regulator that administers the MLA) has also been supportive of digitalisation initiatives, and issued up to eight new online money-lending licences to serve small and medium enterprises in 2020. 

New forms of lending via peer-to-peer (P2P) investment and equity crowdfunding (ECF) have nevertheless emerged in the market in recent times and lenders/borrowers under such schemes (and the platform operators providing such schemes) are subject to regulation by the SC under the Guidelines on Recognised Markets ("RMO Guidelines"), as follows: 

• P2P and ECF operators are required to be registered with the SC; 
• only locally incorporated private limited companies (excluding exempt private companies) and limited liability partnerships, can seek funds via ECF;   
• only locally incorporated or registered sole proprietorships, partnerships, incorporated limited liability partnerships, private and unlisted public companies and any other type of entity as may be permitted by the SC can seek funds via P2P; and 
• lenders who are retail investors in – 
1. a P2P scheme are encouraged to limit their investments on any P2P platform to a maximum of MYR50,000 at any period in time; and 
2. an ECF scheme can only invest up to a maximum of RM5,000 per issuer, with a total amount of not more than MYR50,000 across all issuers, within a 12-month period. 

There is no specific underwriting requirement, although the relevant regulators may prescribe specific requirements (eg, capital). 

Funds for loans may be sourced from, among others:   

• P2P investment;  
• ECF; and  
• the taking of deposits or shareholders' funds.  

See 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities in respect of P2P and ECF regulation. The taking of deposits, in turn, is only permitted where the entity is licensed by BNM (eg, by a banking licence) to do so under the FSA.   

As long as the regulatory requirements for the provision of such loans are met and the funds do not originate from the proceeds of unlawful activity under the AMLATFA, no specific issues arise with respect to the above-mentioned sources of funds.   

As set out previously, a P2P or an ECF scheme which is undertaken via a platform, can match multiple investors (ie, lenders/investors) to fund a single loan (ie, borrower). This is analogous to a syndication of a loan in the traditional sense (see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities for a brief overview of its regulation).  

Payment processors (such as payment gateways) would typically use existing payment systems in Malaysia (eg, RENTAS, FPX, Interbank Giro) to facilitate any transfer, clearing or settlement of funds. Any creation and operation of new payment systems will require the prior approval of BNM.   

In addition to the regulatory requirements to be complied with under the MSBA when undertaking remittances, payments and remittances outside Malaysia are also subject to exchange control provisions under the FSA, as supplemented by foreign exchange notices issued by BNM ("FE Notices").   

The FE Notices set out transactions pre-approved by BNM, given the general prohibitions under the FSA. The prior approval of BNM (which is discretionary) will need to be obtained to the extent that a person wishes to carry out a transaction which is prohibited and such transaction is not specifically permitted under the FE Notices. Generally, the FE Notices permit certain cross-border payments and remittances.   

As the Malaysian ringgit is not tradeable outside Malaysia, the remittance of Malaysian ringgits by a resident to a non-resident outside of Malaysia is prohibited.   

Fund administrators who are merely outsourced service providers carrying out administrative functions for a fund are generally not regulated under any framework in Malaysia.   

However, fund management in and of itself is a regulated activity under the CMSA. A fund management licence from the SC may be required if: 

• the management of a portfolio of securities or derivatives or a combination of  both, is undertaken by a portfolio fund manager on behalf of any other person, whether on discretionary authority or otherwise; or  

• the management of an asset or a class of asset in a unit trust scheme is undertaken by an asset fund manager on behalf of any other person.   

The SC's Fund Management Guidelines allow a fund management company to outsource any of its functions to a service provider (eg, a fund administrator), subject to compliance with requirements stipulated in the SC's Licensing Handbook. The Licensing Handbook imposes certain obligations on licensees under the CMSA (such as fund managers), including:  

• selecting an appropriate and efficient service provider and monitoring the outsourcing arrangements on a continuous basis; and  
• establishing effective policies and procedures for its outsourcing arrangement, including a framework to monitor the service delivery, performance reliability and processing capacity of the service provider.   

As a result, an agreement between fund advisers (or fund managers) and fund administrators is likely to incorporate contractual terms which will enable the fund manager to comply with its obligations under the Fund Management Guidelines, Licensing Handbook and the CMSA.

In regulating securities and derivatives markets, the SC generally classifies marketplaces and trading platforms into three types, ie, an approved market, exempt market and recognised market. The level of regulation imposed depends on the characteristics of the market (eg, types of products traded and sophistication of the market-users). 

Approved Markets

An example of an approved market in Malaysia is the Malaysian stock market operated by Bursa Securities Bhd ("Bursa Malaysia"). Bursa Malaysia provides access to various investment products and securities, including equities, derivatives, offshore and Islamic assets, as well as exchange traded funds, real estate investment trusts and exchange traded bonds and sukuk. An approved market such as Bursa Malaysia is generally subject to stringent requirements given the ease of access to it by retail investors.

Exempt Markets

An exempt market is a stock or derivatives market which has been declared as an exempt stock or derivatives market under Section 7 of the CMSA. Such market may be exempted when it has already been subjected to other forms of regulation. To date, the minister of finance has not published any order declaring a particular stock or derivatives market as an exempt market under the CMSA.

Recognised Markets

A recognised market, on the other hand, covers an alternative trading venue that brings together purchasers and sellers of capital market products. Its regulation is not as stringent but the SC may impose terms and conditions on the operator of such market commensurate with the risk profile, nature and scope of the recognised market’s operations. Marketplaces that fall within this ambit include the following.  

• ECF platforms: see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities for an overview of how these are regulated.   
• P2P investing platforms: see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities for an overview of how these are regulated.    
• The digital asset exchange: see 12.2 Local Regulators’ Approach to Blockchain for an overview of how this is regulated.  
• E-Service Platforms: electronic platforms (eg, e-wallet or e-payment applications) can arrange or facilitate the sale, purchase or subscription of capital market products offered by persons licensed by the SC (eg, unit trusts by fund managers), to investors. An E-Service Platform needs to be registered with the SC pursuant to the RMO Guidelines and must, among other things – 

1. be locally incorporated and have a minimum paid-up capital of MYR500,000; 
2. obtain the prior approval of the SC if it wishes to add a different type of capital market product to its platform from the initial capital market products for which it was approved; and 
3. obtain the prior approval of its sectoral regulator if the E-Service Platform is regulated by another body when submitting an application for registration to the SC. 

Different asset classes generally have different regulatory regimes. For example, the listing, trading, clearing and depository of securities fall under:  

• Listing Requirements;   
• Rules of Bursa Malaysia Securities Bhd;   
• Rules of Bursa Malaysia Securities Clearing Sdn Bhd; and  
• Rules of Bursa Malaysia Depository Sdn Bhd.  

The trading and clearing of derivatives are, in turn, subject to the Rules of Bursa Malaysia Derivatives Bhd and the Rules of Bursa Malaysia Derivatives Clearing Bhd.  

The trading and reporting of bonds are also subject to the Rules of Bursa Malaysia Bonds Sdn Bhd. 

The emergence of cryptocurrencies and exchanges which facilitate cryptocurrency trading have spurred the SC to amend the RMO Guidelines to regulate digital asset exchange operators as a recognised market. See 12.2 Local Regulators’ Approach to Blockchain for an overview of how digital asset exchanges (and cryptocurrencies) are regulated.  

Bursa Malaysia offers a choice of three markets for companies seeking listing in Malaysia. Different listing requirements then apply depending on whether the offering is made in the Main Market, ACE Market or LEAP Market. While the requirements of the Main Market are generally more comprehensive and stringent, the listing requirements across all three markets broadly encompass the following criteria: 

• quantitative criteria – these provide the quantitative admission criteria (eg, profit test, market capitalisation test), public shareholdings' spread of the listed entity, Bumiputera equity requirement, etc; and   
• qualitative criteria – these include the obligation to report information on transactions with related parties, identification of core business, management continuity and capability, financial position and liquidity, etc. 

As it currently stands, there are order handling rules for the derivatives market. This is to ensure market integrity in the derivatives market through order activity restrictions, daily price limits, price banding, trade cancellation policy, and stop spike logic.   

The securities market does not have an equivalent, although there are references to trade cancellation policies. 

Presently, the only peer-to-peer "trading" platforms which are recognised in Malaysia are P2P investment platforms, ECF platforms and digital asset exchanges; no peer-to-peer securities or derivatives trading platforms have been recognised as yet. See 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities and 12.2 Local Regulators' Approach to Blockchain for a brief overview.

There are no specific rules regarding "best execution" of customer trades in Malaysia to date. However, under the CMSA, there are rules for order-handling by licensees and capital market intermediaries that indirectly and, to a certain extent, meet the same desired objectives of "best execution". For instance, there are rules prohibiting front-running, which imposes obligations on intermediaries to put clients' orders ahead of their proprietary trades.

To date, there are no rules that expressly prohibit or permit payment for order flow. However, under the Rules of Bursa Malaysia Securities Bhd and the Rules of Bursa Malaysia Bonds, a broker must not share any commission it receives in connection with a trade executed, with any person except its dealer representatives (ie, the holders of a capital markets services representative's licence), trading representatives (ie, persons who execute securities trades for a broker), marketing representatives (ie, the introducers for a principal), or such other persons as are permitted under the Guidelines for Marketing Representatives. There is no equivalent restriction under the Rules of Bursa Malaysia Derivatives Bhd.

There are principles of market integrity which exist within the capital markets regulatory framework. For example, the Business Rules of Bursa Malaysia Securities Bhd introduced by Bursa Malaysia prescribe rules relating to conduct of business, trading, settlement, etc. The key trading rules, among others, are: 

• adhering to just and equitable principles and acting with due skill, care and diligence, and with due regard for the integrity of the market; 
• not doing anything, through any act or omission, which may result in or cause the market to not be orderly and fair; and
• having in place structures, internal controls, and written policies and procedures designed to facilitate supervision of the participating organisation’s business activities and the conduct of the participating organisation’s registered persons. 

The key trading rules under the Business Rules of Bursa Malaysia Derivatives Bhd issued by Bursa Malaysia similarly stipulate that trading participants: 

• must at all times act in a manner consistent with the promotion and protection of the goodwill and public image of the Bursa Exchange and its participants; 
• ensure that no person effects the purchase or sale of any contracts for the purpose of improperly influencing the price of the contracts or prices on the market; and 
• adhere to just and equitable principles and act with due skill, care and diligence, and with due regard for the integrity of the market, and not through any act or omission, do anything which may result in or cause the market to not be orderly and fair. 

The CMSA, compliance with which is overseen by the SC, also provides that no one is to engage in, among other things: 

• false trading/market rigging (Section 175 of the CMSA); 
• manipulating the stock market by transacting in the securities of a company so as to have or be likely to have the effect of raising or lowering or maintaining the price of the company's securities on a stock market, with the intention of inducing other persons to purchase or subscribe to the company's securities (Section 176 of the CMSA); 
• insider trading (Section 188 of the CMSA); 
• false trading (Section 202 of the CMSA); and 
• bucketing (Section 203 of the CMSA). 

On 31 December 2021, BNM issued the Code of Conduct for Malaysia Wholesale Financial Markets ("WFM Code") which, among other things: 

• sets out the conduct that is prohibited by FIs under the FSA and IFSA;
• imposes an obligation on FIs to implement best market practices to preserve a reputable, ethical and honest marketplace; and 
• sets out further guidance on prohibited conduct under the FSA and IFSA, such as market manipulation and insider dealing.

In tandem with the revised WFM Code, BNM also issued a Guidance Document on Wholesale Market Conduct Practices which seeks to provide guidance on managing conduct risks arising from activities in the wholesale financial markets. The Guidance Document is applicable to Malaysian licensed banks, licensed investment banks, licensed Islamic banks and prescribed development FIs. Other FIs such as licensed insurers, licensed takaful operators and approved money-brokers are encouraged (but not legally required) to consider adopting the guidance where relevant to their participation in the wholesale financial markets.

Bursa Malaysia allows for, among others, the use of algorithmic trading by buy-side institutions (ie, direct access), but there are no regulations in relation to the creation of algorithmic trading in Malaysia to date. 

This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations. 

This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations. 

This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations. 

Platforms that provide pure information or research services in the fintech industry (eg, platforms which provide a market comparison of the best financial products) are not specifically subject to regulation, provided such information does not result in the platform undertaking an activity that requires a licence under the FSA or CMSA (eg, the provision of general or personal financial advice or investment management advice). 

Enforcement of the Aggregation Exposure Draft may, however, require that certain platforms providing insurance and takaful aggregation services be registered with BNM under the FSA and the IFSA respectively.   

The spreading of unverified or false information in relation to investment products is largely regulated under the CMSA and FSA. Generally, the CMSA and FSA prohibit the following behaviour by any person (including a financial research platform): 

• making a statement that is false or misleading about a material fact that is likely to induce another person to deal in a particular financial instrument, if the person making the statement does not care whether the information is true or false; or   
• making any untrue statement of a material fact or omitting to state a material fact which is necessary to ensure that a statement made about securities or derivatives is not misleading. 

Additionally, the CMSA and FSA also restrict a person (including financial research platforms) from: 

• disseminating information that is false or misleading about a material fact that is likely to induce another person to deal in financial instruments; 
• circulating or disseminating information that will affect the price of securities of a corporation or derivatives, if the person has received or will directly or indirectly receive any benefit from such circulation and dissemination; and 
• making or publishing any statement or forecast that the person knows to be misleading, or recklessly publishing any statement or forecast that is misleading or false. 

A financial research platform provider will be similarly motivated to oversee the information being published and made available on its platform.

At present, and unless such discussions by commentators are defamatory under the Defamation Act, or constitute insider trading under the CMSA, any control or oversight of discussions on a financial research platform will be a matter of internal regulation by the operator of the financial research platform itself. Financial research platforms are likely to be incentivised to regulate such discussions in light of 9.2 Regulation of Unverified Information. 

In the context of underwriting specifically, existing insurers in the market can avail themselves of large amounts of data voluntarily provided by policyholders (whether through social media, applications or smart devices) to: 

• more accurately predict risk in accordance with the policyholder's profile; and   
• encourage mitigation of risk by policyholders.   

In return, insurers are able to offer lower product premiums and better product variety to policyholders.   

Such harnessing of data from policyholders (whether by the insurer or its third-party providers) is generally subject to the requirements of the Malaysian Personal Data Protection Act 2010 (PDPA), together with any attendant codes of practice issued by the industry in relation to the same, and the guidelines issued by BNM pertaining to the protection of customer information.   

The DITOs Discussion Paper provides that BNM expects licensed DITOs to heavily leverage digital means for all critical functions, including underwriting. 

There is a distinction between general insurance under the FSA (or general takaful business under the IFSA) and life insurance under the FSA (or family takaful business under the IFSA). Depending on the type of insurance being offered, the licensee will be subject to specific restrictions and requirements imposed by BNM which are unique to its product offering.   

Under the FSA, a life insurance business refers to all insurance business concerned with life policies, including any type of insurance business carried on as apparently incidental to the life insurer’s business; whereas a general insurance business refers to all insurance business which is not life insurance business.   

Under the IFSA, a family takaful business means the business relating to administration, management and operation of a takaful arrangement under a family takaful certificate, including any type of takaful business carried on as apparently incidental to the family takaful operator’s business; whereas general takaful business means all takaful business which is not family takaful business.

Regtech providers in Malaysia are regulated according to the activities that they perform on behalf of a licensed entity (if any), not the technology utilised. Accordingly, an assessment of the proposed regtech activity must be made so as to determine to what extent it falls under the existing regulatory framework (if at all).

Where banks and insurers (both conventional and Islamic, as well as prescribed development FIs) do delegate certain regulatory monitoring, reporting and compliance functions to regtech providers; the contractual provisions will be dictated by both regulatory and commercial drivers.   

The Outsourcing Guidelines make it clear that any arrangement involving internal control functions is regarded as a material outsourcing arrangement. Accordingly (and in addition to the requirement to obtain BNM approval), the delegation of these functions will require that the regtech providers and the relevant FIs enter into a legally enforceable written agreement which must contain the terms relating to, among other things, the responsibilities of the service providers, controls relating to information security, and business continuity functions.   

Other contractual provisions will be dependent upon commercial factors and the licensed FI's risk aversion (eg, indemnities for non-compliance), or other relevant regulatory conditions imposed by the supervising regulator.

There is generally a high level of awareness of blockchain’s potential to increase the efficiency of an FI’s existing operations. The adoption and use of such technology by existing licensed FIs is also becoming more prevalent. The following are examples of how existing FIs in Malaysia are using blockchain:   

• CIMB has partnered with blockchain platforms such as Ripple to enhance CIMB’s existing proprietary remittance product for faster cross-border remittances; 
• HSBC Malaysia successfully pioneered the execution of a live blockchain letter of credit transaction in October 2019; and 
• Standard Chartered Malaysia's collaboration with Vale, DBS Bank Contour and Nanjing Steel Group to perform its first blockchain transaction for a cargo of 170,000 tonnes of Brazilian Blend Fines iron ore going from Malaysia to China.   

While the early years of fintech saw a prevalence of cryptocurrency exchanges in the market, Malaysia is now increasingly seeing the entry of start-ups utilising blockchain to offer the following services: 

• digitisation of record-keeping; 
• Islamic social financing; and 
• anti-counterfeiting solutions in respect of luxury assets. 

While blockchain as a technology in and of itself has yet to be defined or regulated in Malaysia: 

• cryptocurrencies which, among other things, are received in exchange for a consideration or the person expects a return from its trading, conversion or redemption, or appreciation in value, are nevertheless recognised as securities (ie, digital currency and digital tokens); 
• the trading of such cryptocurrencies by an exchange or platform will require – 
1. that the cryptocurrency (which is the subject of the trade) itself be approved by the SC; and   
2. that the platform also be approved by the SC as a digital asset exchange under the RMO Guidelines; and 
• the raising of funds via the issuance of digital tokens (cryptocurrencies approved by the SC) in Malaysia can be done via initial exchange offerings by issuers and on platforms registered by the SC. 

To facilitate the growth of the bond marketplace at the Labuan Financial Exchange, in December 2020 Bursa Malaysia and Hashtacs Pte Ltd ("STACS"), a Singaporean fintech technology provider, used STACS' blockchain platform to simulate the issuance, service, trade and clearance of bonds. The bond on blockchain proof-of-concept (POC) was executed and tested alongside the Labuan Financial Services Authority, SC, Maybank Investment Bhd, CIMB Investment Bank Bhd and China Construction Bank Corporation (Labuan Branch). 

See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of specific types of blockchain asset (ie, digital tokens and securities) presently recognised in Malaysia.   

See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of specific types of blockchain asset (ie, digital tokens and securities), presently recognised in Malaysia.   

Issuers of blockchain assets which are regarded as digital tokens under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 will particularly need to ensure that: 

• the issuances of the digital tokens are undertaken through, and approved by, an electronic platform operator ("IEO Operator");   
• the business is incorporated in Malaysia with a minimum paid-up capital of MYR500,000 and has on its board at least two directors whose principal or only place of residence is in Malaysia;   
• members of the board and senior management of the issuer must, on aggregate, own at least 50% of the equity of the issuer on the date of issuance of the digital tokens; and 
• any issuance of digital tokens must be accompanied by a white paper (containing the prescribed information) which has been approved by the IEO Operator.   

Other reporting obligations need to be fulfilled post-issuance of the digital token(s).

See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of specific types of blockchain asset (ie, digital tokens and securities) presently recognised in Malaysia, and the trading platforms on which such assets are traded. 

There is no specific legislation in Malaysia prohibiting investments in business ventures providing services or products that use blockchain technology. Traditional fund regulations applicable to fund managers (together with their individual investment management policies) will therefore apply to determine the viability of investments in such ventures.   

There are, however, investment limits on angel investors and retail investors in digital token offerings, as below:   

• for angel investors – a maximum of MYR500,000 within a 12-month period; and 
• for retail investors – a maximum of MYR2,000 per issuer, with a total investment limit not exceeding MYR20,000 within a 12-month period.

Digital currencies and digital tokens (both of which are subsets of virtual currencies) are specific types of blockchain assets (ie, cryptocurrencies) which are presently recognised and regulated in Malaysia. See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of such assets.   

The present laws do not expressly define decentralised finance ("DeFi") and do not appear to be broad enough to regulate DeFi at present.

Presently, there are no specific regulations governing NFTs or NFT platforms. To the extent that NFTs are digital currency or tokens, they will be considered as securities and the securities law will apply. 

BNM is generally facilitative and open to open banking in Malaysia. As part of its effort to kick-start open banking, BNM has rolled out the following initiatives.   

• It has established Open API Implementation Groups for both the conventional and Islamic banking and insurance industries (collectively, the "Incumbents") together with representation from a few fintechs. The Open API Implementation Groups were tasked with pursuing standardisation of open APIs to enable third-party developers to access open data published by the Incumbents in relation to product information on SME financing, credit card and motor insurance/takaful products. This then culminated in specifications being developed and published by the respective Open API Implementation Groups (in consultation with BNM) with regard to selected Open Data API (Open Data API Specifications) on github.   
• It has published the Policy Document on Publishing Open Data using Open API ("API Guideline") to provide both conventional and Islamic banks and insurers (collectively, the "Relevant FIs") with guidelines and recommendations when developing and publishing read-only APIs relating to the publicly available and usable data of the Relevant FIs (eg, key information on a financial product), which is accessible to third parties but subject to control by the Relevant FIs (Open Data API). At this stage, it is not mandatory for the Relevant FIs to publish standardised Open Data API.

In the absence of a clear framework for open banking being published at this juncture, it is not possible to assess how the framework will address the data privacy and security concerns raised by open banking. Conceptually however, the use of APIs (which would be subject to common security and technical standards) in open banking to enable technology providers to gain access to customers' data would better protect the personal data of data subjects compared to the screen-scraping process presently adopted by technology providers.