
Bank Negara Malaysia (“BNM”) for Reporting Institutions ... · institutions will need to review...

Date post: 27-Sep-2020

Circular No 303/2020

Dated 17 Sept 2020

To Members of the Malaysian Bar

Guidance Documents Issued by Bank Negara Malaysia

Bank Negara Malaysia (“BNM”), on 1 Sept 2020, had issued three documents as additional

guidelines for Reporting Institutions (“RIs”) when complying with the Anti-Money

Laundering and Countering Financing of Terrorism (“AML/CFT”) requirements, as listed

below:

(1) Guidance on Verification of Individual Customers for Customer Due Diligence

(“CDD”);

(2) Guidance on Beneficial Owner (“BO”);

(3) Frequently Asked Questions on AML/CFT and Targeted Financial Sanctions for

Designated Non-Financial Businesses and Professions & Non-Bank Financial

Institutions.

Please click here (see page 2 onwards) to view the guidance documents.

Should you have any enquiries relating to the guidance documents, please contact the

following BNM Officers:

(a) Amarjit Kaur Paridam Singh (03-2698 8044 ext 8836, [email protected]);

(b) Arni Jailun (03-2698 8493 ext 8152, [email protected]); or

(c) Syaza Nadiah Azmi (03-2698 8044 ext 7401, [email protected]).

Thank you.

A G KALIDAS

Secretary

Malaysian Bar


Date: 1 September 2020

Guidance on Verification of Individual Customers for

Customer Due Diligence

Anti-Money Laundering, Countering Financing of Terrorism and

Targeted Financial Sanctions for Financial Institutions,

Designated Non-Financial Businesses and Professions and Non-Bank Financial

Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs)


TABLE OF CONTENTS

Part A: Overview

1.0 Foreword

2.0 Objectives

Part B: Guidance

3.0 CDD: Customer Identification and Verification

4.0 Application of Risk-based Approach

5.0 Reliable and Independent Source of Documents, Information and Data

6.0 Illustration of Application of Risk-based Approach


Part A: Overview

1.0 Foreword

1.1 This Guidance is intended to provide clarification and recommended practices

in relation to identification and verification of the customer due diligence (CDD)

requirements under the Anti-Money Laundering, Countering Financing of

Terrorism and Targeted Financial Sanctions for Financial Institutions,

Designated Non-Financial Businesses and Professions and Non-Bank

Financial Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs) Policy

Documents (hereinafter referred to as Policy Documents).

1.2 The Guidance is not intended to replace any requirements in the

abovementioned Policy Documents. Reporting institutions should not regard

the information in the Guidance as exhaustive nor should it be used as evidence

of compliance.

1.3 Any updates to the Guidance will be notified to the reporting institutions from

time to time. Should there be any need to obtain further clarification or

explanation on the Guidance, enquiries may be mailed to the following

addresses:

(i) For FIs : [email protected]

(ii) For DNFBPs & NBFIs : [email protected]

2.0 Objectives

2.1 An effective CDD is the cornerstone of a robust AML/CFT and TFS program.

The CDD process involves identifying and verifying the identity of customers as

well as understanding the purpose and nature of business relationship.

2.2 The objective of this process is fundamentally to:

(a) prevent reporting institutions from creating anonymous and fictitious accounts [1]; and

(b) assess the extent of money laundering and terrorism financing (ML/TF) risks posed by customers and businesses, for the development of appropriate controls and mitigation that are commensurate with identified risks.

[1] Section 16 of the AMLA prohibits RIs from opening or operating an anonymous account or an account which is in a fictitious, false or incorrect name.


2.3 Identification in the context of CDD refers to the process where reporting

institutions obtain information about customers in accordance with the Policy

Documents.

2.4 Verification refers to the process of confirming the customers’ information

collected at the identification stage against documents, data or information from

reliable sources, independent of the customers.

2.5 Reporting institutions are expected to determine the extent of verification, depending on the identified ML/TF risks. For example, where there are higher ML/TF risks, the extent to which information must be verified should expand, while where ML/TF risks are lower, the verification process may be simplified.

2.6 This document aims to clarify the definition of customer’s identity, factors to

guide risk-based verification, types of reliable and independent sources of

documents, information and data, as well as suggested risk-based applications

for verification particularly with regard to individual customers, and where

applicable, to beneficial owners.


Part B: Guidance

3.0 CDD: Customer Identification and Verification

3.1 The mandatory components of CDD as outlined in the Policy Documents entail

the following processes:

Paragraph 14 of the Policy Documents on CDD:

Identification of customer, beneficial owner and whenever applicable, person conducting transaction

Objective: To enable reporting institutions to distinguish the individual from any other person they are dealing with and whether the person is acting on behalf of another.

Verification of the information through reliable and independent documentation, electronic data or any other measures deemed necessary

Objective: To ensure that the information about the individual is accurate and up-to-date.

Understanding the purpose and nature of business relationship between the reporting institutions and the customer

Objective: To assess whether the business relationship is in line with the reporting institutions’ expectation and to provide the reporting institutions with a meaningful basis for ongoing monitoring.

3.2 Similar verification measures should be adopted for persons conducting

transactions on behalf of a customer.

Customer identification

3.3 Reporting institutions are required to obtain, at minimum, a prescriptive list of

identification information from customers and beneficial owners. However, it

should be noted that the list is non-exhaustive, hence additional information

may be obtained by reporting institutions, based on their risk appetite to

facilitate risk profiling, wherever necessary.


Paragraph 14 of the Policy Documents:

Minimum list of identification information as outlined in the Policy Documents [2]:

Full name;

National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner;

Residential or mailing address;

Date of birth;

Nationality;

Occupation;

Name of employer or nature of self-employment or nature of business;

Contact number; and

Purpose of transaction.

Reporting institutions may obtain additional information based on their AML/CFT risk appetite.

Example: e-mail address, gender, marital status.

What constitutes ‘identity’?

Identity refers to official identity that is based on characteristics, attributes or identifiers of a person that establish the person’s uniqueness in the population, recognized by the country for regulatory or other official purposes. The identity of an individual has a number of principal and fixed aspects, which include given name, date of birth, official identification number or biometric characteristics e.g. facial and thumbprint.

There may also be information that is fluid but central to distinguishing the identity of a person from the population, particularly for persons with common names, including nationality, residential address, employment and business career. This information, however, may change over time. [3]

[2] For reporting institutions in the financial sector, less information may be obtained from customers if they qualify for Simplified CDD under the Policy Documents for FIs, which includes full name, NRIC number or passport number or reference number of any other official documents of the customer or beneficial owner, residential or mailing address, date of birth and nationality. The ‘simplified CDD’ regime is not applicable to DNFBPs.

[3] Refer to paragraph on Electronic Evidence.


Customer Verification

3.4 Reporting institutions should verify information of their customers and beneficial

owners, collected during identification stage or at any point of the business

relationship, as per verification requirements.

3.5 Verification of identity must be based on documents or information obtained

from a reliable source, which is independent of the customer.

Documents, data or information issued or made available by

an official body are to be regarded as being independent of a

person even if they are provided or made available to the

reporting institutions by or on behalf of that person.

Additionally, for electronic or digital data and information, their reliability and independence would depend on the assurance levels of the systems or sources in light of ML/TF, fraud, and other risks including cybersecurity risks [4].

4.0 Application of Risk-Based Approach

4.1 Reporting institutions may adopt a risk-based approach to determine the

manner of performing verification, in ensuring it is satisfactorily completed:

(a) the extent or volume of information collected;

(b) types of reliable document, data and information; and

(c) the manner/technology used.

4.2 In this regard, reporting institutions should take into account any higher risk circumstances as laid out in the Policy Documents [5], which include, but are not limited to:

(a) the nature of the product or service sought by customers;

(b) the nature and length of any existing or previous relationship between customers and the reporting institutions;

[4] Refer to paragraph on Electronic Evidence.

[5] Please refer to paragraph 10 of the Policy Documents.


(c) the nature and extent of any assurance from other reporting institutions

that may be relied on; and

(d) whether the customer is physically present.

4.3 For transactions involving cross-border wire transfer under Paragraph 19.2.1(a) of the Policy Documents [6], reporting institutions may rely on the residential address or date of birth obtained and verified during the CDD process or during on-going CDD, if the reporting institution is satisfied that such information is up to date.

Beneficial owner

4.4 The verification process for a beneficial owner is different from an individual

customer. Although the identity of both customer and beneficial owner must be

verified through an independent and reliable source, reporting institutions are

only expected to take appropriate and reasonable measures so that they are

satisfied with the identity of the beneficial owner, having regard to ML/TF risks

associated with the customer and business relationship.

Framework for the application of risk-based approach

4.5 Reporting institutions should consider incorporating in their AML/CFT risk management policies and procedures a framework for the application of risk-based approach with regard to the verification of customers.

[6] Applicable to PD for Financial Institutions only.

Recommended Practice for Reasonable Measures include:

Make use of records of beneficial owners in the public domain, ask customers for relevant data, or require evidence of the beneficial owner’s identity, on the basis of documents or information obtained from a reliable source which is independent of the customer.

In low risk situations, it may be reasonable for the reporting institution to confirm the beneficial owner’s identity based on the information supplied by the customer. This may include a declaration confirming and recognizing the identity of the beneficial owner, be it by the customer, trustees or other persons whose identities have been verified.


5.0 Reliable and Independent Sources of Documents, Information and Data

5.1 There is no restriction on the form of evidence to be taken by reporting

institutions in verifying the identity. Reporting institutions may accept either

physical documents, electronic or digital information and data, or a combination

of both.

Documentary evidence

5.2 In the event where reporting institutions use documentary evidence to verify a

person’s identity, reporting institutions are encouraged to sight the original

copies of the documents and retain records of them, in line with record keeping

requirements in the Policy Documents.

5.3 Documents purporting to offer evidence of identity differ in their level of integrity,

reliability and independence and may come from a number of sources as

follows:

(a) Documents issued for the purpose of official identification bearing

photographs and without photographs;

(b) Documents issued by courts, government departments, public sector

bodies, or local authorities;

(c) Bank statements, or credit/debit card statements issued by regulated

financial sector in Malaysia; and

(d) Documents issued by other regulated organizations, for instance a

regulated utility company.

5.4 Reporting institutions are recommended to verify customers’ identity using the

following types of documents which are viewed as offering a high level of

reliability and independence for verification:

Recommended Practice

The framework may include:

a correlation list of the documents, information or data accepted for each risk class.

assessment of the level of integrity, reliability and independence of each document, data or information. Where appropriate, the level of reliability required may be the result of the combined use of two or more supporting documents.


Official and valid identification documents issued by certain government departments with photograph

Features that contribute to reliability:

Primary identification document (ID) that is widely recognised, used and accepted by government and private sector in Malaysia as identification, authentication and authorisation for specific services.

The photograph enables reporting institutions to conduct visual review to reduce risk of impersonation and identity theft.

Examples:

ID issued by the National Registration Department including NRIC, MyTentera, MyPR, and MyKAS.

Passport issued by Immigration Department of Malaysia.

Driving licence bearing photograph issued by the Road Transport Department of Malaysia in view of its interlinkages with NRIC.

5.5 Reporting institutions may also accept official and valid identification documents

issued by certain government departments without photograph. In this instance,

reporting institutions are recommended to increase the level of reliability and

corroborative value of the documents with other additional independent and

reliable documents as set out in paragraph 5.3 above.

Official and valid identification documents issued by government departments without photograph, with additional corroborating documents.

Examples: MyKid, birth certificate and pension card.

Features that contribute to reliability:

ID that is recognised by the government and private sector in Malaysia as identification, authentication and authorisation for specific services.


Supported by corroborative documents such as:

In case of a child below the age of 12, ID of the parent/guardian.

Current bank statements issued by banks including development financial institutions licensed and incorporated in Malaysia.

Current utility bills for specific duration as determined by reporting institutions.

Quit rent and assessment notice as issued by state municipal councils.

5.6 For foreigners, reporting institutions are recommended to accept only official

and valid foreign passport issued by a foreign government, and if applicable, a

visa to enter Malaysia.

In the event where foreigners, such as refugees, are unable to produce a passport, reporting institutions should consider:

Keeping records of their assessment on the challenges and proposed measures to verify the identity of the customer (at minimum, the name or date of birth).

Accepting as identity evidence a document, letter, or statement from the United Nations or its agency (for example, United Nations High Commissioner for Refugees cards) or an appropriate person who knows the individual, that indicates that the person is who she/he says she/he is.

5.7 Reporting institutions are advised to refrain from accepting an expired passport

and/or visa, if applicable, at the initial stage of establishing business relationship

with foreign customers.

Recommended Practice

Passport and other international documents should be valid for a period of at least six (6) months before their expiry dates at the time of CDD. The validity of these documents must be monitored as part of the on-going due diligence process.


5.8 Reporting institutions should take cognizance of the type of documents which

are more easily forged than others.

5.9 Reporting institutions should consider prescribing appropriate measures and controls that lead to a reasonable conclusion that the documents presented are not forged or falsified. This includes referring to other regulatory sources as set out in paragraph 5.15 and additional measures in paragraph 5.16 below.

Electronic evidence

5.10 Reporting institutions may use electronic or digital data and information to verify

identity, for example digital identity or e-KYC solutions, either on its own or

taken together with documentary evidence.

5.11 Similar to documentary evidence, electronic or digital data and information are

also subject to the reliability and independence test.

5.12 In assessing whether electronic or digital data and information are sufficiently reliable and independent to prove identity for the purpose of CDD, reporting institutions are recommended to:

(a) understand the assurance levels of the systems or sources including the underlying data they relied on, technology, architecture and governance to determine their reliability and independence;

Examples of Current Practice

Use of NRIC reader

FIs:

Reporting institutions commonly require NRIC for identification and verification where the card terminal is used to read biometric (thumbprint) and NRIC information.

DNFBPs:

Businesses employ the use of NRIC reader that links the NRIC to its holder via thumbprint to avoid misuse of NRIC to conduct transactions such as false signing of legal documents in the client’s capacity. There is also an initiative at the association level to develop a system that links details of the customer to the NRIC reader for verification purpose. This system is being deployed by the industry players.


(b) given the assurance levels, make a risk-based determination of whether it is appropriately reliable and independent in light of the ML/TF, fraud, and other risks including cybersecurity risks; and

(c) fulfill requirements as set out in the Electronic Know-Your-Customer (e-KYC) Policy Document [7].

5.13 Reporting institutions are advised to incorporate within their AML/CFT risk management policies and procedures information on:

(a) the assessment of factors in paragraph 5.12 above; and

(b) determination of whether there is a need for additional measures as specified in paragraph 5.16 to supplement the use of electronic evidence in certain circumstances, including in higher ML/TF risk situations or by virtue of reporting institutions’ own AML/CFT, anti-fraud and general risk management policies.

5.14 Reporting institutions shall document and record their internal assessments to

be made available to supervisors or the competent authority upon request.

5.15 Reporting institutions are encouraged to refer to policy documents or guidance issued by Bank Negara Malaysia and other standard setting bodies, pertaining to verification through this means.

Additional verification measures

5.16 Reporting institutions should consider applying additional verification measures to mitigate the risk of impersonation fraud in circumstances where there is uncertainty over the customers’ identity. This includes whenever:

(a) copies of original documents are used;

(b) customers are not met face-to-face in the process of establishing

relationship;

(c) there is a need to supplement the use of electronic or digital data and

information for verification; or

(d) there is doubt on the legitimacy and authenticity of the documents

provided by the customer.

[7] BNM/RH/PD 030-10, issued on 30 June 2020.


5.17 The additional verification measures may consist of anti-fraud measures that

the reporting institutions routinely undertake as part of their existing CDD

procedures.

5.18 The following are examples of additional measures, which are non-exhaustive and should be undertaken commensurate with the assessed ML/TF risks:

Corroborating copies of original documents with the National Registration Department database or the Immigration Department of Malaysia databases, telecommunication companies, sanctions lists issued by credible domestic or international sources.

Requiring the first payment to be carried out through an account in the customer’s name with a bank incorporated and registered in Malaysia.

Video or conference call with the customer prior to opening the account and before transactions are permitted, for the purpose of comparing the physical identity of a customer with copies of original documents and to verify additional aspects of identity information collected during identification stage.

Internet sign-on following verification where the customer uses security codes, tokens, or passwords, which have been set up during account opening stage.

Copies of original documents to be certified by an appropriate person. Appropriate persons refer to solicitors, police, court officials, medical doctor, commissioner of oath, notary, or any credible person authorized to certify documents.

6.0 Illustrations of application of risk-based approach

Verification in ‘normal risk’ cases

6.1 “Normal risk” here refers to all situations that are not recognised as presenting

a high risk or low risk in the context of the individual risk assessment. In this

situation, reporting institutions may consider applying documentary and

electronic data, source and information as set out above, or a combination

thereof.


Recommended practices:

For local customers, reporting institutions commonly require NRIC for identification and verification, where the card terminal is used to read biometric (thumbprint) and NRIC information.

Where residential and NRIC address are different, utility bills will be required from customers to justify such mismatch.

Reporting institutions may also require supplementary documents to justify account-opening purposes (examples: university admission/offer letter for student accounts, employer referral letter for salary accounts, etc.).

For student accounts, reporting institutions may also establish a list of learning institutions in demarcating level of ML/TF risk.

Similar requirements are applied to foreign nationals, where the key difference is that passport and travel visa are used as the main photo-bearing government-issued evidence for identity verification purposes.

Verification in ‘higher risk’ cases

6.2 “Higher risk” here refers to circumstances where reporting institutions assess the ML/TF risks as higher, taking into account risk factors arising from customer, country or geographic location of customer, type of product, service, transaction or delivery channel [8].

6.3 In higher risk situations, reporting institutions’ AML/CFT risk management policies and procedures should consider only authorising the use of the documents and information that offer the most reliable information, and where appropriate, require the use of a combination of sources of documents, data and information, to increase level of reliability and verification performed.

[8] Description of ‘higher risk’ in paragraph 6 of the Policy Documents.


Recommended Practices

Face-to-face verification

Reporting institutions to sight and make copies of valid official identification documents with photograph, or in the case of a foreigner, passports/visa.

Non face-to-face (electronic and digital source of data and information)

Reporting institutions to heighten the assurance levels, by assessing the necessity to conduct additional verification measures to supplement verification.

6.4 Reporting institutions should be guided by the list of verification documents,

data or information which are acceptable in higher-risk situations based on a

thorough assessment to demonstrate that their high level of reliability is

appropriate in view of the high level risk and the nature of the ML/TF risk

incurred.

Verification in ‘low risk’ cases

6.5 Where relevant, if the risk assessment has established a case of low ML/TF

risk, and if reporting institutions’ AML/CFT risk management policies and

procedures explicitly specify that simplified due diligence measures can be

applied, or lead to the conclusion that the risk level is low, verification remains

obligatory. However, reporting institutions may develop appropriate and

proportionate measures in their AML/CFT risk management policies and

procedures in view of such lower risks.

6.6 Naturally, all reliable and independent sources of documents and information, which the reporting institutions have identified as eligible for verifying the identity of the customer in a normal-risk business relationship, are also applicable in low-risk situations.

However, although a copy or electronic image of a supporting document is insufficiently reliable in itself to be accepted for verification, it could be accepted in certain circumstances where the relationship is subject to strict limitations and safeguards (e.g. limited features of products and services) that can reduce ML/TF risks.

As an example, for insurance products assessed as low risk products, reporting institutions may obtain attestation from:

o Village Head (“ketua kampung”);

o Human resource department of the corporate customer on the identity of insured members of group policies and board of the corporate entity on the authorized person representing the company; or

o Third party administrator (TPA) or hospital for verification at claims stage.

6.7 Reporting institutions are expected to include, in their due diligence procedures and measures, a correlation table of the supporting documents required for each class of reporting risk, as well as a list of the circumstances in which certain supporting documents need not be submitted.

OVERVIEW OF CDD PROCESS

[Flowchart: overview of the CDD process. The text of its boxes follows.]

IDENTIFICATION

See paragraph 14 of the Policy Document on the information to be obtained from customer/ beneficial owner

VERIFICATION

RIs may determine extent of verification using risk-based approach (customer, country/geographical, product/service/transaction or delivery channel risk factors)

MEASURES COMMENSURATE WITH ML/TF RISKS

Face to face or otherwise, documentary or electronic sources of documents, data or information, verification must be reliable, independent from customer

Individual Customer

Official Identity

Documentary evidence

Official ID issued by the government departments with photograph

Official ID issued by the government departments without photograph. Supported with corroborative evidence: Documents issued by court, government departments, local authorities, regulated financial institutions, other RIs, or regulated utility companies

Electronic or digital data

Understand level of trustworthiness and confidence (assurance) of data sources the providers relied on, technology, processes, governance and other safeguards

Additional verification measures under paragraph 5.16 to 5.18 of this Guidance under these circumstances:

Copy of documentary evidence are used

Customers’ identity verified non face-to-face

Electronic or digital ID verification, if

Beneficial owners

Reasonable measures to verify, may include similar verification as per customer, or lesser having regard to ML/TF risks

Date: 1 September 2020

Guidance on Beneficial Ownership

Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, Designated Non-Financial Businesses and Professions and Non-Bank Financial Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs)

TABLE OF CONTENTS

Part A: Overview

1.0 Foreword

2.0 Glossary and terms

Part B: Guidance

3.0 Introduction

4.0 Identification of Beneficial Owner

5.0 Methods to Identify Beneficial Owner

6.0 Verification of Beneficial Owner

7.0 Record Keeping on Beneficial Ownership

8.0 Examples of Identification of Beneficial Owners

Part A: Overview

1.0 Foreword

1.1 This Guidance is intended to provide clarification and recommended best practices in relation to beneficial ownership obligation under the Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, Designated Non-Financial Businesses and Professions and Non-Bank Financial Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs) Policy Documents.

1.2 The Guidance is not intended to replace any requirements in the abovementioned Policy Documents. Reporting institutions should not regard the information in the Guidance as exhaustive nor should it be used as evidence of compliance.

1.3 Any updates to the Guidance will be notified to reporting institutions from time to time. Should there be any need to obtain further clarification or explanation on the Guidance, enquiries may be emailed to the following addresses:

(i) For FIs : [email protected]

(ii) For DNFBPs & NBFIs : [email protected]

2.0 Glossary and Terms

2.1 Below are clarifications to the terms used in this Guidance:

“Policy Document” refers to the Policy Document on AML/CFT and TFS for FIs. Any corresponding provisions in other parts of the same Policy Document or in the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs, shall be reflected in the footnotes.

“Corporate Vehicles” refers to legal persons and legal arrangements.

Part B: Guidance

3.0 Introduction

3.1 Since the early 2000s, there has been growing concern on the misuse of corporate vehicles for criminal purposes. Criminals have been relying on different corporate vehicles to conceal their illegal assets by maintaining a legitimate front. This includes, among others, the usage of shell companies and the creation of companies, partnerships, foundations, trusts and other types of corporate vehicles with complex ownership and control structure, to avoid detection by authorities. The lack of transparency on the ultimate beneficial owners of these corporate vehicles became a hindrance to governments around the world in their effort to effectively combat criminal activities.

3.2 In response, the Financial Action Task Force (FATF), an intergovernmental body responsible for combatting money laundering, terrorism financing and other related threats, has issued the FATF Recommendations requiring countries to ensure that adequate, accurate and timely information on the beneficial ownership of corporate vehicles is available and can be accessed by competent authorities in a timely fashion. This includes the requirements to identify and verify beneficial ownership information. Apart from the FATF Recommendations, the FATF has issued various guidance on this topic including the “Guidance on Transparency and Beneficial Ownership” and “Best Practices on Beneficial Ownership for Legal Persons”, in October 2014 and October 2019 respectively.

3.3 As such, the reporting institutions under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) play an important role by obtaining beneficial ownership information which helps prevent the misuse of corporate vehicles in the financial system. Identifying beneficial owners benefits stakeholders, including:

Reporting Institution: Reporting institutions are able to make appropriate assessments on the level of money laundering and terrorism financing risks associated with their customers, consequently leading to necessary decision making on control measures required to contain these risks.

Financial landscape: Ensuring and upholding the integrity of all sectors within the financial landscape.

Country: Early detection of criminals hiding behind natural persons, legal persons and legal arrangements facilitates law enforcement’s efforts and prevents money laundering and terrorism financing activities from prospering.

3.4 Primarily, the obligations of a reporting institution on beneficial ownership requirements are:

(a) Identifying a natural person who is the beneficial owner of the customer and obtaining information that describes the ownership, control and structure of the legal persons/ legal arrangements relating to the beneficial owner;

(b) Taking reasonable measures to verify the accuracy of the information obtained and keeping records of all relevant documents;

(c) Conducting customer risk profiling to identify the risk category of the beneficial owner; and

(d) Performing further regulatory obligations based on the risk category of the beneficial owner such as CDD, sanction screening and high risk jurisdiction.

4.0 Identification of Beneficial Owner

4.1 Issues concerning beneficial owners having ultimate ownership and exercising and/or having ultimate control are relevant to the following types of customers:

Legal persons

(a) Private and public companies;

(b) Bodies corporate;

(c) Government-linked companies;

(d) Partnerships;

(e) Foundations;

(f) Cooperatives;

(g) Associations such as clubs and societies; and

(h) Non-governmental organisations such as charities.

Legal arrangements

(a) Trust bodies/arrangement or other similar arrangements

Understanding beneficial ownership in different types of entities

A. Legal persons

In the context of legal persons, the concept of beneficial ownership must be distinguished from the concepts of legal ownership and control.

o Legal ownership refers to the natural or legal persons who, according to the respective laws governing legal persons in Malaysia (such as the Companies Act 2016 or the Labuan Companies Act 1990), own the legal person.

o Control refers to the person with decision making ability within the legal person who has the power to impose those decisions.

o Beneficial owner refers to the natural person who either ultimately owns, through capital, assets or other means, or has control over a legal person, be it directly or indirectly. A person who controls a legal person may or may not have legal ownership per se.

Examples of arrangements within a legal person that may obscure beneficial ownership information:

(a) Bearer shares and bearer share warrants;

(b) Unrestricted use of legal persons as directors;

(c) Nominee shareholders and directors;

(d) Informal nominee shareholders and directors, such as close associates and family; and

(e) Use of intermediaries in forming legal persons, including professional intermediaries.

B. Legal Arrangements

In the context of legal arrangements such as trust, beneficial owner refers to natural person(s), at the end of the chain, who ultimately owns or controls the legal arrangement, including those persons who exercise ultimate effective control over the legal arrangement.

In a trust, the legal title and control of an asset are separated from the equitable interests in the asset. Hence, different persons might own, benefit from, and control the trust, depending on the law and the provisions of the document establishing the trust such as the trust deed.

How a trust can conceal control of assets

a) created in one jurisdiction and used in another to hold assets across jurisdictions to disguise the origins of criminal proceeds.

b) used to enhance anonymity by completely disconnecting the beneficial owner from the names of the other parties including the trustee, settlor, protector or beneficiary.

4.2 To determine the identity of beneficial owners of a customer, reporting institutions should seek to understand the complexities of the customer’s ownership structure, governance and/or arrangement at each layer. An entity may have several beneficial owners, depending on its size and the complexity of its structure and governance.

4.3 There may be more than one beneficial owner associated with a customer. Reporting institutions’ regulatory obligations relating to beneficial ownership are applicable on all the beneficial owners.

4.4 As outlined under Paragraph 6.2 of the Policy Document¹, beneficial owner is defined as a natural person:

(a) who ultimately owns a customer;

(b) who ultimately controls a customer;

(c) on whose behalf a transaction is being conducted²; and/or

(d) who exercises ultimate effective control over a legal person or arrangement.

Legal persons

4.5 As provided in Paragraph 14A.9.6 of the Policy Document³, reporting institutions should identify the beneficial owners of legal persons through the cascading steps reflected below:

Step 1 Identify the natural person(s), if any, who ultimately have controlling ownership interest in the legal person

(a) Having ultimate controlling ownership interest over an entity includes having more than 25% ownership or equity interest in an entity⁴ which may be observed, among others, through share capital or voting rights. The ownership may either be direct ownership (through ownership of shares within the entity itself) or indirect ownership (through chain of corporate vehicles).

Having a golden share within an entity is similar to having ultimate ownership of the entity, as it refers to 51% ownership.

1 Corresponding provision in Paragraph 6.2 in the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs.

2 Such a situation may exist where a transaction conducted by another person is structured in such a manner to deliberately avoid control or ownership transparency by the beneficial owner.

3 Corresponding provision in Paragraph 14B.11.12, 14C.10.7 and 14D.9.6 of the Policy Document as well as, Paragraph 14.10.6 of the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs

4 The requirement on more than 25% ownership threshold for beneficial ownership identification is issued under the AML/CFT Policy Document and should be differentiated from the beneficial ownership threshold set by other regulatory authorities which were set for other purposes.

Illustration 4.1

(left diagram) Direct ownership

(right diagram) Indirect ownership

As provided in Illustration 4.1, if Company A is legally owned by Company B (according to its corporate registration information), the beneficial owners are the natural persons behind Company B (or behind the ultimate holding company in the chain of ownership).

(b) There may also be circumstances where a natural person owns less than 25% direct shareholding in an entity but is identified as the beneficial owner through his indirect and aggregated ownership of the entity, as reflected in Illustration 4.2 below.

Illustration 4.2

Although all direct shareholders of Company A equally own 20% of its shares, Mr. Z is considered the beneficial owner of Company A due to his aggregated ownership of Company R and Company S, making Mr. Z the indirect owner of 40% of Company A.

(c) Shareholders may exercise control together with other shareholders, including through any contract, understanding, relationship, intermediary or tiered entity to increase control, as illustrated in Illustration 4.3.

Illustration 4.3

Although all direct shareholders of Company A equally own 20% of its shares, Mr. D and Mr. E are considered the beneficial owners through the control they collectively exert over the company via shareholders’ contract.

In most circumstances, ownership over an entity implies control over the entity, as ownership may come with the power and authority to take actions and make decisions for the entity. Such a situation can be observed, among others, where:

i. The natural person has majority voting power within the entity to make decisions; or

ii. The natural person exercises his right to appoint or remove directors or senior management, as a major shareholder.

(d) In implementing Step 1, a natural person identified as fulfilling the criteria in (a) shall be identified as the beneficial owner. However, where there is doubt that the person identified under Step 1 is not the beneficial owner; or where no natural person has ultimate controlling ownership interest over the legal person, the reporting institution shall carry out Step 2.

Step 2 Identify the natural person, if any, exercising control of the legal person, through other means

(e) A natural person may also exercise effective control over an entity if he has the powers and authority to take actions and make decisions for the entity, including on matters relating to its financial affairs, financial relationships, operations or other matters that may fundamentally affect the business or direction of the entity, without having ownership interest over the entity. Such powers may be attained through other means, such as:

i. Reflecting dominant influence to appoint or remove directors/ senior management;

ii. Having the power of attorney over the entity;

iii. Owning stocks or rights over outstanding debts that are convertible into voting equity;

iv. Participating in the financing of the enterprise; or

v. Having control through trusts, agreements, arrangements, understandings, policies or practices, close and intimate family relationships or if a company defaults on certain payments.

A natural person demonstrating control may be, among others, the entity’s senior management, directors, authorised signatory, controller, etc.

Illustration 4.4

Ms. K has complete managerial powers over Company F. Under Step 2, Ms. K is the beneficial owner of Company F.

How-to

Where, in the course of identifying beneficial owners, reporting institutions identify natural persons who exert control over an entity but have no direct ownership or apparent control over the entity, this assessment, along with the person suspected of being a beneficial owner, should be recorded. Such a situation may be observed through:

a. personal connections to persons in positions of power within the entity or persons who possess ownership over an entity (close or intimate family relationships and historical or contractual associations)

b. participation in financing of enterprises which may allow enjoyment or benefits from assets of the legal person

c. in the case of MSB, executive staff who are empowered to make important decisions on behalf of the senior management

(f) In implementing Step 2, a natural person identified as fulfilling the criteria under (e), shall be identified as the beneficial owner. However, where, through Step 1, no natural person is identified to have ultimate ownership interest over the legal person and through Step 2, no natural person is identified to have and exercise, either directly or indirectly, control over the entity, the reporting institution shall carry out Step 3.

Step 3 Identify the identity of natural persons holding the position of senior management within the legal person

(g) “Senior management” are identified as persons who exercise executive control over the daily or regular affairs of the legal person, which may include, but are not limited to, directors, deputy directors, Board members, chief executive officer, chief financial officer, chief operating officer, or any other individual performing similar management functions.
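The cascading steps of paragraph 4.5, applied to Illustrations 4.2 and 4.4, as an added Python example that is not part of the Guidance. It assumes that an indirect stake is the product of the stakes along a chain, summed over all chains, and that Mr. Z wholly owns Company R and Company S (the diagram is not reproduced here); the "doubt" branch of Step 1(d) is a reviewer's judgement and is left out. The function names, the "Holder" shareholders, Mr. Y, Offshore Co and Companies G and H are constructed for illustration.

```python
from fractions import Fraction

THRESHOLD = Fraction(25, 100)  # Step 1(a): "more than 25%" ownership or equity interest


def effective_ownership(entity, holdings, natural_persons, _path=()):
    """Walk the chain of corporate vehicles above `entity`.

    holdings: {legal person: {direct owner: stake}}.
    Returns ({natural person: effective stake}, [owners that could not be resolved]).
    Assumption (not stated in the Guidance): an indirect stake is the product of
    the stakes along a chain, and stakes reached through several chains are summed.
    """
    totals, unresolved = {}, []
    for owner, stake in holdings.get(entity, {}).items():
        if owner in natural_persons:
            totals[owner] = totals.get(owner, 0) + stake
        elif owner in holdings and owner != entity and owner not in _path:
            up, missing = effective_ownership(owner, holdings, natural_persons,
                                              _path + (entity,))
            for person, share in up.items():
                totals[person] = totals.get(person, 0) + stake * share
            unresolved.extend(missing)
        else:
            # No register data for this owner, or a circular holding: record it
            # rather than guess (paragraph 5.5 asks for such gaps to be recorded).
            unresolved.append(owner)
    return totals, unresolved


def identify_beneficial_owners(entity, holdings, natural_persons,
                               controllers=None, senior_management=None):
    """Apply Steps 1 to 3 of paragraph 4.5 and keep the findings of every step."""
    stakes, unresolved = effective_ownership(entity, holdings, natural_persons)
    findings = []  # paragraph 4.6 good practice: document each step taken

    def result(step, people):
        return {"step": step, "beneficial_owners": people,
                "findings": findings, "unresolved": unresolved}

    # Step 1: natural persons holding MORE than 25%, directly or indirectly.
    owners = sorted(p for p, s in stakes.items() if s > THRESHOLD)
    findings.append(("Step 1", {p: f"{float(s):.0%}" for p, s in sorted(stakes.items())}))
    if owners:
        return result(1, owners)

    # Step 2: natural persons exercising control through other means.
    in_control = sorted((controllers or {}).get(entity, []))
    findings.append(("Step 2", in_control))
    if in_control:
        return result(2, in_control)

    # Step 3: natural persons holding senior management positions.
    managers = sorted((senior_management or {}).get(entity, []))
    findings.append(("Step 3", managers))
    return result(3, managers)


# Constructed sample data. Company A/R/S and Mr. Z follow Illustration 4.2,
# Company F and Ms. K follow Illustration 4.4; everything else is hypothetical.
F = Fraction
HOLDINGS = {
    "Company A": {"Company R": F(1, 5), "Company S": F(1, 5), "Holder A1": F(1, 5),
                  "Holder A2": F(1, 5), "Holder A3": F(1, 5)},
    "Company R": {"Mr. Z": F(1)},          # assumed: wholly owned by Mr. Z
    "Company S": {"Mr. Z": F(1)},          # assumed: wholly owned by Mr. Z
    "Company F": {f"Holder F{i}": F(1, 5) for i in range(1, 6)},
    "Company G": {f"Holder G{i}": F(1, 4) for i in range(1, 5)},  # exactly 25% each
    "Company H": {"Offshore Co": F(3, 5), "Mr. Y": F(2, 5)},      # no data on Offshore Co
}
NATURAL_PERSONS = {"Mr. Z", "Mr. Y"} | {
    o for owners in HOLDINGS.values() for o in owners if o.startswith("Holder")}
CONTROLLERS = {"Company F": ["Ms. K"]}
SENIOR_MANAGEMENT = {"Company G": ["Chief executive officer (placeholder)"]}

if __name__ == "__main__":
    for name in ("Company A", "Company F", "Company G", "Company H"):
        r = identify_beneficial_owners(name, HOLDINGS, NATURAL_PERSONS,
                                       CONTROLLERS, SENIOR_MANAGEMENT)
        print(name, "-> Step", r["step"], r["beneficial_owners"],
              "| unresolved:", r["unresolved"])
```

Company G shows the boundary case: four holders at exactly 25% do not exceed the threshold, so the cascade falls through to Step 3.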

4.6 In moving down the cascading steps in paragraph 4.5 above, reporting institutions should ensure that they have identified either:

(a) the lack of a natural person under (a) as the ultimate owner of the entity; and/or

(b) the lack of a natural person under (e) who exercises ultimate control over the entity.

Good practice: Reporting institutions should endeavour to record and keep documentations reflecting all the findings in moving down the cascading steps, as well as all shareholders identified throughout the chain of ownership, leading to the ultimate beneficial owner.

Legal arrangements

4.7 For legal arrangements, persons with “ultimate control” over the legal arrangement shall be identified as the beneficial owners. For example, in a trust, such persons may include, among others, the trustee (person who manages the trust), the settlor (the person who creates the trust), the protector (person appointed by settlor to oversee the trustee) and the beneficiary (person who benefits from the trust). The following are examples of positions denoting control over a trust:

(a) A settlor with power to revoke the trust and return property of trust back to the settlor;

(b) A protector with power to remove or appoint a trustee;

(c) An investment manager with power to direct the trustee’s action; and

(d) A person who benefits from the legal arrangement.

5.0 Methods to Identify Beneficial Owner

5.1 Reporting institutions may seek to review the beneficial ownership information relating to an entity, based on the following recommended source documents to determine the ownership structure and governance of an entity. The following list is non-exhaustive and reporting institutions are encouraged to explore other possible sources of documents to review such information.

Type of legal person/ legal arrangement: Private and public companies/ Bodies corporate/ Partnership/ Government-linked companies

Information relating to beneficial ownership:
i. Legal vehicle (e.g. corporate, partnership etc)
ii. Shareholding including information on parent company and subsidiaries information
iii. Direct or indirect ownership
iv. Relationship to conglomerates/ corporate groups
v. Company tree

Source documents:
o Certificate of incorporation
o Certificate of registration
o Company constitution
o Minutes of Board meeting
o Director’s and shareholder’s resolution
o Partnership agreement
o Appointment/ Authorisation letter
o Senior management list
o Company’s annual report and annual return
o Joint venture agreement, shareholder’s agreements and other related agreements
o Director nomination agreement
o Register of member including BO
o Any other source documents that sufficiently identifies the beneficial owner

Type of legal person/ legal arrangement: Trust arrangement

Information relating to beneficial ownership:
i. Parties to the trust
ii. Persons involved in the trust establishment
iii. Administrator of the trust
iv. Type of trust

Source documents:
o Trust deed
o Trust registration document

Type of legal person/ legal arrangement: Cooperatives

Information relating to beneficial ownership:
i. Management of the cooperatives
ii. Rules governing the cooperatives

Source documents:
o Registration form of the Cooperatives
o By-laws of the cooperative
o Minutes of General Meeting

Type of legal person/ legal arrangement: Clubs/ Societies/ Foundations/ Charities/ NGOs

Information relating to beneficial ownership:
i. Rules governing the clubs/ societies/ foundations/ charities/ NGOs

Source documents:
o Constitution/ charter/ rules
o Registration form
o Minutes of meeting
o List of members of committee

5.2 Depending on the type of legal person or legal arrangement, identity of beneficial owners may be determined based on the following relationships:

Type of legal person/ legal arrangement: Companies (Private & Public)

Relationships to be determined, if any:
o Shareholders
o Senior management
o Joint venture agreement
o Persons with voting rights
o Nominee directors/ shadow directors
o Persons with power to appoint or remove directors
o Other persons with interest within the company

Type of legal person/ legal arrangement: Partnership

Relationships to be determined, if any:
o Partners within the partnership
o Other natural persons with effective control over the partnership

Type of legal person/ legal arrangement: Government linked companies (Government investment linked companies, state based company etc.)

Relationships to be determined, if any:
o Person authorised in the government to exercise or influence decision making on the GLC
o Other persons who exercise or influence decisions over the GLC

Type of legal person/ legal arrangement: Clubs/ Societies/ Foundations/ Charities/ NGOs/ Cooperatives

Relationships to be determined, if any:
o Office bearer (e.g. president, secretary, treasurer or other committee)
o Senior management/ management team
o Other member with effective control over the club/ societies/ charities/ foundations/ cooperatives

Type of legal person/ legal arrangement: Trust arrangement

Relationships to be determined, if any:
o Settlor
o Trustee
o Protector
o Beneficiaries or class of beneficiaries
o Other natural persons with effective control over the trust

5.3 Reporting institutions shall take all reasonable measures to identify their customers’ beneficial owner and shall be satisfied, based on the measures taken, that they know the ultimate beneficial owner.

5.4 Reporting institutions are recommended to examine as many levels of information from the company structure as they deem necessary to accomplish this. “Reasonable measures⁵”, in this situation, refer to practical, necessary and appropriate steps taken in line with the reporting institutions’ risk assessment, at best efforts basis.

5 Reporting institutions are recommended to translate the extent of reasonable measures they take into a clear set of internal policies and procedures for consistency of conduct and to guide their employees’ actions.

Illustration of reasonable measures on best efforts basis: In determining the beneficial owner of a company, the reporting institution has taken a best efforts basis by thoroughly enquiring the customer on information of beneficial owner, obtaining all relevant documents relating to the customer, reviewing all the relevant company documents and obtaining information through online and offline publicly available sources including information maintained by public registrars.

5.5 Where the reporting institutions are unable to identify, or further verify, the information of beneficial owners, including those who are foreign natural persons, reporting institutions shall record that they have exhausted all reasonable measures that may be taken to obtain such information. This may include obtaining a statutory declaration from the customer on the identification of the foreign beneficial owner.

Good practice: Reporting institutions may choose to implement and adopt stricter internal policies and procedures with regard to identification and verification of beneficial ownership information. For example, reporting institutions may choose to collect information of shareholders with less than 25% ownership if they so wish.

5.6 Reporting institutions should identify and take reasonable measures to verify all the information of the beneficial owner as required in the Policy Document.

6.0 Verification of Beneficial Owner

6.1 Reporting institutions shall use reliable and independent source documents⁶ to verify the identity of beneficial owners.

6.2 Reporting institutions are expected to perform identification and verification of beneficial owners at the on-boarding stage, as well as when there are any changes to the beneficial ownership information. Depending on the risk assessment of the customer and their beneficial owner, reporting institutions may conduct a delayed verification of the beneficial owner, by adhering to the requirements of the Policy Documents. Beneficial ownership obligation should still be satisfied regardless of the level of risk associated with the customer and beneficial owner.

6 Example of reliable and independent source documents are provided in the “Guidance on Verification of Individual Customers for CDD”. The list is not exhaustive and any other verification sources may be relied on, with due regard to be given to the requirements under the Policy Documents.

6.3 Similar to the identification process, reporting institutions should ensure that they

have taken all reasonable measures to verify the identity of the beneficial

owner(s) of their customer. This may include, but is not limited to, conducting

verification through independent documents provided by the customer, reliance

on public registries or government bodies, researching publicly available

information or arranging a face-to-face meeting with the beneficial owner to

corroborate the undertaking or declaration provided by the customer

Good

practice

Where reporting institutions are unable to verify the beneficial owner’s

identity, reporting institutions may manage the risks of customer’s

activities, by either limiting the activities of the customer, treating the

customer’s activities as high risk or apply enhanced on-going due

diligence on the customer, as per the best practices of other countries

6.4 Where a customer falls under the list of exempted legal persons listed under

Paragraph 14A.9.8 of the Policy Document7, reporting institutions are not

required to verify their directors or shareholders. Notwithstanding this, reporting

institutions are still required to identify and maintain the information relating to the

identity of the directors and shareholders, based on public registers, reliable

sources or other information provided by the customer.

6.5 For foreign beneficial owners, where there is no existing independent and reliable

document submitted on the beneficial owner, reporting institutions may verify the

identity of the beneficial owners through openly available sources. Reporting

institutions should reflect that they have exhausted all reasonable measures that

may be taken to verify the foreign beneficial owners’ identity.

Good practice

Reporting institutions may conduct a self-assessment to determine

whether they have taken adequate steps to verify the beneficial

owner’s identity and whether they understand the rationale for the

beneficial owner’s use of complex corporate structures.

7 Corresponding provisions are in Paragraphs 14B.11.14, 14C.10.9 and 14D.9.8 of the Policy Document, as well as Paragraph 14.10.9 of the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs.


7.0 Record Keeping of Beneficial Ownership

7.1 Reporting institutions shall obtain and retain records of beneficial owner

information in accordance with the requirements under the Policy Document. The

following are best practices on record keeping:

DO’s: All records may be:

- retained and recorded in a readily auditable manner.
- retained as per requirement of maintaining court evidence.
- regularly updated through on-going due diligence.
- retained consistently according to CDD & record keeping procedures for every process stage, i.e. identification, verification, risk profiling of beneficial owners and updating & maintaining records of beneficial owners.
- retained for at least 6 years from the date the customer ceases its business relationship with the reporting institution.

DON’T’s: All records may NOT be:

- retained in a convoluted manner or with parts of documents missing and untraceable.
- retained without records on CTC/veracity or acknowledgement of documents and/or recorded without reference to sources.
- updated only during on-boarding, without any further review or on-going due diligence throughout the course of the business relationship.
- maintained without a standard operating procedure on CDD & record keeping, i.e. no clear procedure on the verification process, frequency of updating beneficial owner’s records, etc.
- removed immediately following cessation of the customer’s business relationship.


8.0 Examples of identification of beneficial owners

Illustration 8.1

From the outset, there is no direct ownership by a natural person of more

than 25% of Company A’s shareholding. The beneficial ownership

breakdown once the complex structure is reviewed is as follows:

A. Mr. W has 40% ownership of Company A and is a beneficial owner (10% direct ownership + 30% indirect ownership through Company R and Company S)

B. Mr. Z has only 20% ownership of Company A and is not a beneficial owner (direct ownership)

C. Ms. Y has 25.6% ownership of Company A and is a beneficial owner (9.6% indirect ownership through Company T and Company Q and 16% indirect ownership through Company T and Company M)


Illustration 8.2

Based on the shareholding, there is neither a beneficial owner with 25%

or more shareholding nor is there any person with effective control over

the company apart from the senior management. In this case, the senior

management with control of decisions over Company A is Mr. X. Mr. X is

considered the beneficial owner for AML/CFT requirements purposes.

Where there is any doubt on other persons having effective control,

reporting institutions may take the effort to explore the nature of the relationship

between shareholders (i.e. spousal, familial relationship, power of

attorney relationship). For example, based on the above shareholding, if

Ms. M is the daughter of Mr. Z, Mr. Z may have effective control over

Company A even though there is no control through shareholding and

may be deemed the beneficial owner.

Similarly, if Mr. Y allows Mr. Z the power of attorney over his shareholding,

Mr. Z may also have effective control over Company A and may be

deemed the beneficial owner.

The relationships between the relevant stakeholders can be determined

and established if the reporting institution truly knows its customer, as

required through customer due diligence requirement. Reporting

institutions may practise a best-efforts basis in ensuring this information

is discovered.


Illustration 8.3

Based on the shareholding, Ms. P is the beneficial owner of Company A,

through her ownership of Company XX. The reporting institution having a

banking relationship with Company A has endeavoured to obtain all

necessary identification documents from Company A relating to Company XX

and Ms. P. In verifying that information, the reporting institution has

explored all online and offline platforms with publicly available information on

Ms. P such as news outlets and websites with company profiles such as

Reuters, Asian Nikkei Review etc., reflecting that verification has been

conducted on a best efforts basis.

As Ms. P is a foreign beneficial owner, the reporting institution should also

determine whether she is a citizen from a high-risk jurisdiction or whether she

falls within the sanctions list. If Ms. P falls under the category of high risk

customers requiring enhanced CDD, the reporting institution should also

determine, among others, the sources of funds and wealth of Ms. P.

The reporting institution has the option to choose not to establish or continue

a business relationship with the customer if it is deemed that Ms. P is not within

the reporting institution’s risk appetite or if the reporting institution believes it

does not have the capacity to appropriately manage the increased risk in

relation to the customer/ Ms. P, in accordance with the institution’s business

decision.


Illustration 8.4

Trust XYZ has 100% ownership of Company A, with the trustee Ms. D holding the

shares as the titled legal owner. In such a scenario, the BO of Company A is not Trust

XYZ, but rather the individuals that are parties to the trust (e.g. the settlor, protector,

trustee and beneficiary) and any other person exercising effective control of the

trust.

As one of the beneficiaries of Trust XYZ is not a natural person, i.e. Company F, the

BOs of Company F shall also be identified. As such, the BOs in this case for

Company A are Ms. B, Mr. C, Ms. D, Mr. E and Mr. G.


Issue Date: 1 September 2020

Frequently Asked Questions on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions & Non-Bank Financial Institutions

(FAQs on AML/CFT and TFS for DNFBPs and NBFIs)

FAQs on AML/CFT and TFS for DNFBPs and NBFIs

Introduction

The Frequently Asked Questions (FAQs) are intended to provide clarification to reporting

institutions on common queries in relation to the Anti-Money Laundering, Countering

Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial

Businesses and Professions and Non-Bank Financial Institutions Policy Document (Policy

Document).

These FAQs are not intended to replace any requirements in the Policy Document.

Any refinements to the FAQs will be updated by Bank Negara Malaysia from time to time.

Should you have any additional queries related to the Policy Document, please submit the

queries via any of the following means:

a. Mail : Director, Financial Intelligence and Enforcement Department, Bank Negara Malaysia, Jalan Dato’ Onn, 50480 Kuala Lumpur

b. Email : [email protected]

Bank Negara Malaysia 1 September 2020


TABLE OF CONTENTS

Introduction
Glossary
Applicability
Definition and Interpretation
Application of Risk-Based Approach
AML/CFT Compliance Programme
Customer Due Diligence (CDD)
Politically Exposed Persons
Reliance on Third Parties
Higher Risk Countries
Cash Threshold Report (CTR)
Suspicious Transaction Report (STR)
Record Keeping
Management Information System (MIS)
Targeted Financial Sanctions
Appendices
APPENDIX A: Sector Specific CDD for REAs
APPENDIX B: Infographic on Higher Risk Countries


GLOSSARY

No. | Abbreviation | Description
1 | AMLA | Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001
2 | AML/CFT | Anti-Money Laundering and Countering Financing of Terrorism
3 | BO | Beneficial Owner
4 | CDD | Customer Due Diligence
5 | CTR | Cash Threshold Report
6 | DNFBPs | Designated Non-Financial Businesses and Professions
7 | DPMS | Dealers in Precious Metals or Precious Stones
8 | e-KYC | Electronic Know Your Customer
9 | FATF | Financial Action Task Force
10 | GLCs | Government Linked Companies
11 | IRA | Institutional Risk Assessment
12 | MIS | Management Information System
13 | ML/TF | Money Laundering and Terrorism Financing
14 | NRIC | National Registration Identity Card
15 | PCT | Person Conducting Transaction
16 | PEPs | Politically Exposed Persons
17 | REAs | Registered Estate Agents
18 | STR | Suspicious Transaction Report
19 | TFS | Targeted Financial Sanctions
20 | UNSC | United Nations Security Council
21 | UNSCR | United Nations Security Council Resolutions


NO. QUESTION ANSWER

Applicability

1 Do AML/CFT requirements apply to

individual reporting institutions,

such as accountants, company

secretaries, lawyers and registered

estate agents (REAs)?

The AML/CFT requirements apply to all

reporting institutions, and may be

administratively developed by the

accountants, company secretaries, lawyers

and REAs at the firm level to ensure

consistent application of AML/CFT

requirements within the firm.

However, some responsibilities under the

AML/CFT requirements, such as the

submission of suspicious transaction reports,

still rest with the individual reporting

institution.

2 Are all activities carried out by

accountants, company secretaries,

and lawyers subject to Part IV of the

Anti-Money Laundering, Anti-

Terrorism Financing and Proceeds

of Unlawful Activities Act 2001

(AMLA)?

For accountants, company secretaries and

lawyers, Part IV of the AMLA is only

applicable to those carrying on Gazetted

Activities as published in P.U.(A) 340/2004

and P.U.(A) 293/2006.

However, for lawyers, there could be

circumstances of spill-over, in which the

funds from the litigation process may pass

through the client account, and hence form

part of the Gazetted Activities.

Definition and Interpretation

Beneficial Owner

3 Does the definition of “beneficial

owner” refer to the chains of

shareholders and directors, and

exclude the people who hold

senior management positions in a

company, for example, Chief

Executive Officer (CEO), Chief

Financial Officer (CFO), Chief

Operating Officer (COO), or

similar positions in the

company?

Generally, the first step of identifying the

beneficial owner (BO) referred to in

"…situations in which ownership or control is

exercised through a chain of ownership..." is

by identifying the shareholders and directors,

not the individuals appointed as executives

e.g. CEO, CFO, COO, unless these

executives are also the shareholders or

directors.


The "chain" here is in relation to parent-

subsidiary situations which extend across

several levels, where the reporting

institutions will need to review the entire

chain of companies and subsidiaries to

determine who is the ultimate beneficial

owner of a particular customer that the

reporting institution is dealing with.

However, reporting institutions should be

aware that for the BO of a legal person, if the

natural person cannot be identified through

the controlling ownership interest, then the

senior management of that legal person e.g.

CEO, CFO, COO or similar position is to be

identified as the BO.

Details on the above sequential process to

identify the BO can be found in paragraph

14.10.6 of the Policy Document.

For further details on beneficial owner,

please refer to the “Guidance on Beneficial

Ownership” issued by the Bank Negara

Malaysia.

Please also refer to Part D of the Policy

Document (Appendix 12).

Legal Person

4 What are the different types of

government linked companies

(GLCs)?

GLCs refer to entities where the government

is:

(a) the majority shareholder; or

(b) the single largest shareholder; and/or

(c) has the ability to exercise and influence

major decisions such as appointment of

board members and senior

management.


The definition would also be applicable in

instances where the government is not a

single largest shareholder but is able to

exercise control e.g. through golden shares

(where the government is entitled to certain

special rights).

This may also include a state-owned

corporation (SOC), which is a body formed by

the government through legal means to be

able to take part in activities of a commercial

nature. As activities of a state-invested entity

(SIE) also involve investment on behalf of the

government, they may be treated the same

as SOCs and GLCs.

Person Conducting the Transaction

5 What are the examples of person

conducting the transaction (PCT)?

PCT is defined in paragraph 6.2 of the Policy

Document and refers to any natural person

conducting or purporting to act on behalf of

the customer, such as a person depositing

into another customer’s account or a person

undertaking a transaction on behalf of

another person.

Examples of PCT may include the following:

(a) a company representative making

payments on behalf of the company; or

(b) a third party paying on behalf of a

customer.

Application of Risk-Based Approach

Risk Assessment

6 Are reporting institutions required

to submit their AML/CFT risk

assessment information to Bank

Negara Malaysia?

Reporting institutions are generally not

required to submit the AML/CFT risk

assessment information to Bank Negara

Malaysia. However, such report may be

required to be submitted to Bank Negara

Malaysia during supervisory visits or as and

when required as part of supervisory or risk

assessment.


7 What is the expectation for

reporting institutions in conducting

their institutional risk assessment

(IRA)? Can the IRA be thematic

and how frequent must it be

conducted?

Paragraph 10.2.1 of the Policy Document

requires reporting institutions to identify,

assess and understand their money

laundering and terrorism financing (ML/TF)

risk in relation to:

(a) customers;

(b) countries or geographical areas;

(c) products, services, transactions or

delivery channels; and

(d) other relevant risk factors.

Reporting institutions’ first IRA must be

comprehensive, covering all the above

mentioned parameters, i.e. customers,

countries/geographical areas and products/

services/ transactions and delivery channel,

at minimum. Reporting institutions may

choose to update the IRA on a thematic

basis.

Reporting institutions may consider setting the

frequency of the IRA on a specific period e.g.

every 1 to 2 years or where circumstances

have changed that may warrant a refresh of

the IRA, e.g. material changes in risk profile,

significant internal audit finding, changes in

business direction, new typologies

suggested by authorities or Financial Action

Task Force (FATF), or when embarking on

new technologies, etc.

Reporting institutions may refer to the

guidance documents on risk-based approach

available in Part D of the Policy Document

and guidance issued by the FATF which are

available on its website at: http://www.fatf-gafi.org/


8 Is there a specific template to

conduct the IRA?

There is no standard template to conduct the

IRA. Reporting institutions may refer to

Appendix 9 of the Policy Document as

guidance to assist the conduct of ML/TF risk

assessment collectively at the institutional

level.

While Appendix 9 has generally covered the

basic requirements, it should not be treated

as the sole reference in conducting the risk

assessment as the list of factors or examples

or criteria are not exhaustive.

Risk Profiling

9 Are reporting institutions required to

assess the ML/TF risks based on all

criteria specified in Paragraph

10.4.2 of the Policy Document?

In profiling the customers, reporting

institutions are required to take appropriate

steps to identify, assess and understand

risks, by considering the relevant factors

under Paragraph 10.2.1 of the Policy

Document. In cases where some of the

criteria are irrelevant to the reporting

institution’s business, those criteria may not

be considered in profiling and assessing the

risks of the customers.

10 What is deemed as a valid

justification when re-rating a

customer’s risk from higher to

lower? Should the reporting

institution document the procedures

for reference purposes?

Reporting institutions are to assess the

customers’ risk based on the type of

customer, geographical location, products,

services, transactions or delivery channels

and other relevant factors (such as emerging

threats, trends, change in behaviours, past

suspicious transaction report experience,

etc.).

Reporting institutions are expected to

consider the applicable factors at the stage of

on-boarding and during re-rating to determine

the risk of a customer. Reporting institutions

are also expected to document internal

customer risk profiling assessments, for

record keeping and audit purposes.


Reporting institutions may refer to the

guidance provided in Part D of the Policy

Document, in particular the Customer Due

Diligence Form for suggested approach to

conduct customer risk profiling.

AML/CFT Compliance Programme

Application for Small-sized Reporting Institution

11 When a reporting institution meets

the small-sized definition, is the

reporting institution exempted from

implementing all AML/CFT

requirements? Must the reporting

institution apply for Bank Negara

Malaysia’s approval?

If a reporting institution meets the small-sized

definition (please refer to Appendix 2 of the

Policy Document), the reporting institution

can apply the simplifications and exemptions

in relation to the AML/CFT Compliance

Programme as per paragraph 11.1.1 of the

Policy Document.

Please note that the simplification or

exemption does not apply to the substantive

AML/CFT requirements, such as customer

due diligence, suspicious transaction report,

record keeping etc.

Bank Negara Malaysia's approval prior to the

application of the simplifications or

exemptions is not required.

Notwithstanding this, Bank Negara Malaysia

may, at any time, specify that a reporting

institution is required to comply with any of

the AML/CFT Compliance Programme.

12 For accountants and lawyers, is the

small-sized reporting institution

definition based on the number of

practising certificate holders

undertaking Gazetted Activities?

No, the definition is based on total number

of practising certificate holders in the firm,

regardless of whether they undertake

Gazetted Activities or otherwise. For

example, a firm with 7 practising certificate

holders, of which only 3 undertake Gazetted

Activities, does not meet the

small-sized reporting institution criteria.


13 For DPMS, does a company with

less than 30 employees but annual

sales turnover exceeding RM 10

million satisfy the small-sized

reporting institution definition?

No, under such a scenario, the company is not

a small-sized reporting institution and must

implement the complete AML/CFT

Compliance Programme requirements.

Where a sector is subject to more than one

criterion for the definition of small-sized reporting

institution, both criteria must be satisfied to

apply the flexibility. If the company only

meets one of the criteria and not the other,

the company is not considered as a

small-sized reporting institution.

14 What is the expectation when a firm

meets the criteria for small-sized

reporting institution in one year, but

not in the subsequent year?

The determination of whether a reporting

institution meets the small-sized criteria

shall be based on the figures at the end of

the preceding calendar year, i.e. January to

December. Hence, where the reporting

institution does not meet the criteria as per

the reference figures, the reporting

institution must comply with the complete

AML/CFT Compliance Programme.

Compliance Management Arrangements at the Head Office

15 Is a small-sized reporting institution

required to appoint a compliance

officer?

Yes, all reporting institutions, regardless of

size, are required to appoint a compliance

officer, as per section 19 of the AMLA.

16 For a small-sized reporting

institution, can the Director or

Manager act as the compliance

officer?

Yes, the reporting institution may appoint any

individual with management responsibilities

within the reporting institution to be the

compliance officer. The person appointed

must satisfy the criteria provided under

paragraph 11.5 of the Policy Document. He

or she must have the sole discretion and

independence to evaluate and report

suspicious transactions.

The appointed compliance officer may also

be carrying on other functions within the

reporting institution.


While the Policy Document does not provide

a definition of “management” per se, the

appointed compliance officer must have

sufficient stature, authority and seniority

within the reporting institution to participate

and be able to effectively influence decisions

relating to AML/CFT matters.

17 Must the appointed compliance

officer be based within the reporting

institution, or can he or she be from other

subsidiaries within the Group?

A reporting institution may appoint a compliance

officer from other subsidiaries within the

Group provided that he or she fulfils the

criteria provided under paragraph 11.5 of the

Policy Document.

Regardless of whether the compliance officer is

internally or externally appointed, the

reporting institution remains responsible and

accountable to ensure the effectiveness of

the compliance functions.

18 For a reporting institution with

branches, can the compliance

officer be centralised at head

office?

Section 19(4) of the AMLA requires reporting

institutions to designate compliance officers

at management level in each branch, for the

purpose of application of AML/CFT

compliance programme as well as reporting

of suspicious transactions.

Further, paragraph 11.5 of the Policy

Document stipulates compliance

management arrangements at Head Office

including the requirement to notify Bank

Negara Malaysia on the appointment or

change in the appointment of compliance

officer at Head Office.

In this regard, reporting institutions are

required to appoint a compliance officer at

each branch, but are only required to notify

Bank Negara Malaysia on the compliance

officer appointed at the Head Office.


Nevertheless, for some DNFBP sectors,

branch offices operate independently of the

Head Office. Under such a scenario, each

branch is required to notify Bank Negara

Malaysia on the appointment of the

compliance officer.

19 Must the appointed compliance

officer be certified?

No, AML/CFT certification is not compulsory

for compliance officers, but is highly

encouraged to enable effective discharge of

their responsibilities.

20 What is the reliable source of

reference to assess whether the

compliance officer is “fit and

proper”?

Reporting institutions may be guided by the

examples provided under paragraphs 11.5.5,

11.5.6, 11.5.7 and 11.5.8 of the Policy

Document when assessing the fitness and

propriety of an individual to be appointed as

a compliance officer.

21 In the event of failure to comply with

requirements under Part IV AMLA

or the Policy Document, will the

compliance officer be held liable?

Any employee of a reporting institution may

be held personally liable for any failure to

observe the AML/CFT requirements, in

accordance with their respective job

function, including the compliance officer.

22 Is there a due date for the

appointment of a compliance

officer?

No, there is no specific due date for the

appointment of a compliance officer.

However, reporting institutions are required

to appoint a compliance officer and notify

Bank Negara Malaysia within 10 working

days from the appointment, or for any

change in the appointment.

Employee Screening

23 Can screening be differentiated for

different employees?

Yes, the screening of employees can be

differentiated on a risk-based basis,

depending on the position, job scope or

other relevant factors related to the

employee.


Reporting institutions are expected to assess their employees’ vulnerability to money laundering, terrorism financing, fraud and bribery risks, and use various sources of information to assist in the screening process to ensure that employees do not abuse their position or be vulnerable or used as a conduit to facilitate ML/TF activities.

24 What are the methods to conduct employee screening?

Reporting institutions may choose any suitable method to conduct employee screening and be guided by methods provided in paragraph 11.7 of the Policy Document.

Examples of methods for the conduct of employee screening may include face-to-face meeting, phone or video interviews, online checks, skills test, submission of documents or statutory declarations, criminal checks with relevant authorities, consumer credit reports, transaction monitoring, obtaining employment reference, etc.

25 Would trigger events such as transaction monitoring, periodic negative news screening suffice as the parameter for rescreening?

The parameters and triggers for re-screening are to be determined by each reporting institution.

Examples of best practices would include consideration of global watch list (including negative news screening), criminal checks with relevant authorities, transaction monitoring as well as credit reports and also changes in circumstances, either professionally or personally e.g. promotion, secondment to another division function, financial hardships, or staying in the same position for a long period of time, etc.


Employee Training and Awareness Programmes

26 What forms of employee trainings are acceptable?

Training should be conducted regularly and supplemented with refresher courses at appropriate intervals. Any form of training, e.g. classroom, online or webinar, is acceptable depending on the needs of the employee, the job function and responsibilities undertaken by the employee.

Reporting institutions should have clear and comprehensive training contents. The training materials should be frequently reviewed to include any latest changes to the AML/CFT or other regulatory requirements. In addition, tests or examinations are highly encouraged to demonstrate higher levels of effectiveness.

Where a reporting institution satisfies the small-sized reporting institution definition, a more simplified training approach can be adopted, including via on-the-job training.

Reporting institutions are to ensure that the training provided to their employees is properly documented.

Reporting institutions are also encouraged to contact their respective self-regulatory bodies, regulatory or licensing authorities and their relevant training institutes for AML/CFT training specific for their sectors. This could be as part of the on-going Continuing Professional Education (CPE) / Continuing Professional Development (CPD) programmes.


Independent Audit Function

27 Can the Board level function be delegated to other Board level committees (i.e. audit or risk)?

Yes, the function may be delegated to other Board level committees (i.e. audit or risk) so long as the committee is independent and the AML/CFT findings or issues relating to the adequacy and implementation of the AML/CFT policies and procedures are ultimately tabled to the Board.

For example, the decision on frequency and scope of the audit can be delegated to the Board Audit Committee.

28 Who can undertake the independent audit function?

The role of AML/CFT independent audit function can be undertaken internally by any officer, with relevant knowledge and expertise to carry out the function, who is independent of the compliance function (i.e. Compliance Officer). Alternatively, the reporting institution may also appoint external auditors to carry out the function. The appointment of an independent auditor, internal or external and its roles and responsibilities shall be determined by the Board or Senior Partners.

In carrying out the independent audit review, as per paragraph 11.9.4 of the Policy Document, the auditors must, at a minimum, check and test the firm's compliance with AML/CFT policies, procedures and controls and the effectiveness or extent of its implementation when dealing with clients or on the necessary approvals by Board or Senior Partners, as well as assess whether the firm's current measures are in line with requirements under AMLA and the Policy Document.


29 When should the reporting institution conduct independent audit? Are reporting institutions required to conduct an annual audit? What is the scope?

The frequency of the independent audit depends on the firm’s assessment of its ML/TF risk exposure and is determined by the Board or Senior Partners.

On the scope of the independent audit, reporting institutions may refer to paragraph 11.9.6 of the Policy Document. Further, reporting institutions must also consider whether there were previous non-compliances under the AMLA which resulted in enforcement actions taken against the reporting institution.

30 Are reporting institutions no longer required to prepare an audit report and submit to the Financial Intelligence & Enforcement Department, Bank Negara Malaysia (FIED, BNM)?

Yes, except for licensed casino and non-bank financial institutions, all other reporting institutions are no longer required to submit an annual audit report to FIED, BNM.

However, reporting institutions must ensure that the audit report and necessary corrective measures undertaken are made available to FIED, BNM and the relevant supervisory authorities upon request.

Customer Due Diligence (CDD)

Verification

31 What sources of documents, data or information are deemed as reliable? Can a reporting institution seek BNM’s confirmation to determine the level of reliability?

Verification can be a combination of various data points that the reporting institution deems to be “reliable and independent” which could cumulatively ensure the accuracy of customer and beneficial owner’s identification data. Any measures adopted should be subjected to the reporting institution’s internal governance process.


Generally, the reporting institution is required to verify the identity of a customer through acceptable government issued documents with or without photograph (e.g. MyKad, MyKid, MyPR, OKU card, driving licence, birth certificate, marriage certificate), foreign passport, employee identification documents, etc.

Alternatively, subject to the reporting institution’s assessment whether it is appropriate to mitigate the risks, reporting institutions may accept scanned or copy documentation and apply additional measures which include:

(a) third party verification of identity from the client’s primary bank account provider, lawyer or accountant in accordance with paragraph 16 of the Policy Document;

(b) corroborative evidence from Jabatan Pendaftaran Negara, Suruhanjaya Syarikat Malaysia and Central Credit Reference Information System (CCRIS) databases;

(c) use of commercial providers to validate documentation provided;

(d) use of new and robust technology solutions including but not limited to, biometric technologies which should be linked incontrovertibly to the customer;

(e) through non face-to-face mechanisms e.g. video conference with customers and submission of selfies to compare the physical identity of a customer with scanned or photographed copies of identification documents; and/or

(f) other reliable and independent source.


Reporting institutions are expected to undertake adequate and reasonable measures to mitigate risks arising from the adoption of any non face-to-face mechanisms. For further details, please refer to the “Guidance on Verification of Individual Customers for CDD” issued by Bank Negara Malaysia.

32 For verification, are reporting institutions required to make a copy of the customer’s NRIC?

Any documents requested or obtained during the CDD process should be kept and recorded to meet the record keeping requirement as set out under paragraph 21.1 of the Policy Document.

The record keeping of these documents may be in the form of a photocopy, soft copy (scanned copy or snapped picture) or biometric record (such as Government Multi-Purpose Card Consortium (GMPC) verification, etc.).

33 What are the acceptable documents for verification of legal persons?

Paragraph 14.10.4 of the Policy Document specifies the information that a reporting institution should obtain to identify and verify the identity of customers that are legal persons.

The reporting institution is required to take adequate measures to confirm the identity of its customers which may include constituent documents, such as certificate of incorporation, and other searches available in the public registrar databases.

34 For foreign shareholders, what is the expectation on verification requirement?

Reporting institutions are required to assess the relevant risks in verifying the foreign shareholders.

Verification process must be on a reasonable basis, and can be satisfied by obtaining documents from foreign official public registers or by way of self-declaration by the client, depending on the reporting institution’s risk assessment in on-boarding such client.


35 What is the expectation if a public listed company is identified to be wholly owned by a GLC or a SOC company?

Under such circumstance, the exemption on verification of the identity of directors and shareholders of that legal person applies (see paragraph 14.10.9 of the Policy Document).

Reporting institutions are required to identify and maintain information relating to the identity of the directors and shareholders of the public listed company using reliable sources (see paragraph 14.10.10 of the Policy Document).

Standard CDD

36 What is the expectation for reporting institutions in dealing with authorised persons?

A person authorised must be represented with a letter of authority or director’s resolution from the legal person.

Where it involves an authorised signatory, i.e. when a legal person opens an account, establishes business relations and authorises another person to conduct transactions on its behalf, the reporting institution must obtain documentary evidence on the appointment of such person and the specimen signatories and/or recognised digital signature of the person appointed.

Reporting institutions must be guided by their risk assessment on what documentary evidence would suffice for the purposes of identifying and verifying the person authorised.

Beneficial Owner

37 In the case of more than one person having more than 25% shareholding, are reporting institutions required to identify ultimate beneficial owner of all such shareholding?

Yes, consistent with paragraph 14.10.6 (a) of the Policy Document, reporting institutions are required to identify directors or shareholders or partners with equity interest of more than 25%.


38 Are reporting institutions required to conduct CDD on holders of Redeemable Convertible Preference Shares (“RCPS”) for legal person customers?

The requirement to conduct CDD on RCPS holders of a legal person client will depend on whether the RCPS holding could give rise to the holder having a controlling ownership interest, at minimum, with equity interest of more than 25 percent, as required under Paragraph 14.10.6(a) of the Policy Document and other conditions as stipulated under the same paragraphs (b) and (c).

For example, after a certain specified period, the RCPS holders may redeem and hence resulting in the holders having controlling ownership interest in the legal person, which is when the beneficial ownership requirements on identification and verification of the persons apply.

CDD : Clubs, Societies and Charities

39 Are reporting institutions required to conduct CDD on all of members for clients that are club, society or charity?

No, for such clients, reporting institutions are required to conduct CDD on the persons with controlling ownership interests. This may include the office bearers (i.e. the Executive Committee) or any person authorised to represent the said club, society or charity, and any party who may have controlling ownership interest, and not its members per se. Please see paragraph 14.10.17 of the Policy Document.

Simplified CDD

40 Can a DNFBP reporting institution conduct simplified CDD where ML/TF risks are assessed as low?

No, simplified CDD is not applicable to DNFBP and NBFI reporting institutions. All DNFBPs and NBFI reporting institutions are required to conduct standard CDD when establishing business relations or conducting transactions with its customers or clients, as required under paragraphs 14.10 and 14A to 14H of the Policy Document.


Enhanced CDD

41 Do reporting institutions need to establish source of fund or wealth for every customer?

No. The requirement to obtain information on source of funds and/or source of wealth only applies when overall ML/TF risks are assessed as higher risk. Reporting institutions are not expected to establish source of funds or wealth for each and every customer or transaction.

Generally, reporting institutions are required to enquire on source of funds and/or source of wealth, as part of the enhanced CDD under the following scenarios:

• after customer risk profiling, when a customer is assessed as having higher ML/TF risks, regardless of any amount of transaction;

• for all foreign politically exposed persons (PEPs) or when a domestic PEP is assessed as having higher ML/TF risks, in which case, both source of fund and wealth must be obtained; or

• when providing nominee services to the customers or clients, i.e. nominee shareholding, directorship or partnership services, by reporting institutions who are lawyers, accountants, company secretaries or trust companies.

42 What is the difference between “source of wealth” and “source of funds”?

Information on the source of wealth and source of funds are good sources of monitoring for the reporting institutions.


“Source of wealth” refers to the source of a person’s total assets. Documents and information that may reflect the source of wealth of a person include inheritance document, property title, copies of trust deeds, audited accounts, salary details, tax returns and bank statements. It may be possible to gather general information from commercial databases or other open sources.

“Source of funds”, on the other hand, refers to the origin of a specific asset used in connection to the business relations with the reporting institution. Source of funds may be determined through enquiry on the customer.

In the case of PEPs, both information on the source of wealth and source of funds are to be obtained.

Understanding both the source of wealth and source of funds of a PEP is also necessary for on-going due diligence purposes where the aim is to ensure that the reason for the business relationship between reporting institutions, the PEP and the transactions undertaken on the PEP’s behalf, are commensurate with what one could reasonably expect from that PEP, given his/her particular circumstances.

Non Face-to-Face Business Relationship

43 Can reporting institutions establish business relationships on non face-to-face basis?

Yes, DNFBP and NBFI reporting institutions can establish non face-to-face business relationship with their clients, having put in place policies and procedures to address any specific risks associated with non face-to-face relationships.


This includes appropriate measures for identification and verification of a client's identity that must be as effective as that for face-to-face client and implement monitoring and reporting mechanisms to identify potential ML/TF activities, as required under paragraph 14.14 of the Policy Document.

Before such non face-to-face measures are implemented, reporting institutions are required to seek their Board’s approval (see paragraph 14.14.2 of the Policy Document).

44 Is Board approval required for each new product and services on-boarded via non face-to-face channel / e-KYC?

The requirement for Board approval is connected to the risk levels of the product and services.

If the process and procedures in place for the said products and services are the same, Board approval is only required once, for all product and services on-boarded via non face-to-face channel or e-KYC.

A new approval would need to be obtained when there are changes to the ML/TF risk level of the parameters assessed by the reporting institution.

45 Is it a requirement for non face-to-face business arrangements implemented prior to the effective date of the Policy Document to be approved by the Board of the reporting institutions?

The requirements for non face-to-face (non-FTF) do not have a retrospective effect. For non-FTF business relationships, reporting institutions shall ensure their non-FTF arrangements for customer identification and verification of identity are as effective as a face-to-face relationship.

Should there be any changes to the ML/TF risk levels, reporting institutions need to re-assess the parameter and may require a new Board approval.


Failure to Satisfactorily Complete CDD

46 Can reporting institutions continue business relationship with its customer in the event of a failure to obtain the complete CDD information?

Reporting institutions must obtain all CDD information (9 data points) as specified in paragraph 14.10.1 of the Policy Document before continuing any business relationship.

In the event of a failure to obtain the complete information, reporting institutions must not continue the business relationship or transaction with the customer and must consider lodging a suspicious transaction report.

However, where reporting institutions form suspicion of ML/TF and reasonably believe that performing CDD may tip-off the customer, the reporting institutions are permitted to proceed to establish business relation or transaction without completing the CDD process, document the basis of not completing the CDD process and immediately lodge a suspicious transaction report.

Specific CDD : Lawyers

47 Are lawyers acting on behalf of the seller required to conduct CDD on both the seller and purchaser?

The CDD obligation does not extend to both parties to a sale and purchase transaction but applies to the client of the lawyer. If the lawyer is representing a seller, CDD applies on the seller and vice-versa.

However, in the course of facilitating the transaction, if any suspicion arises on either party to the transaction, i.e. seller or buyer, the reporting institution may consider submitting a suspicious transaction report on either party to FIED, BNM.


Specific CDD : Dealers in Precious Metals and Stones

48 Are DPMS reporting institutions required to conduct CDD on their customers for the following transactions?:

• the transaction involves other goods being sold by the DPMS and does not involve any sale of precious metals nor precious stone; or

• the transaction involves the sale of precious metals or stones together with other types of goods, however, the value of the precious metals or stones is less than RM50,000.

DPMS reporting institutions are required to conduct CDD on customers and persons conducting the transaction when engaging in any cash transaction equivalent to RM50,000 and above, including:

• in a single transaction or through several transactions in a day that appear to be linked and across all branches of the reporting institution;

• aggregate payments over a period of time for a single purchase; or

• for both buying and selling of precious metals or precious stones from or to customers.

In view of the above, CDD is not applicable if the transaction does not involve sale of precious metals or precious stones.

Specific CDD : Registered Estate Agents (REAs)

49 Are REAs required to conduct CDD on both purchaser and seller, or landlord and tenant of a property in the case of co-broke or co-agency transaction, where both, purchaser and seller, or landlord and tenant are respectively represented by REAs?

In the event of a co-broke or co-agency transaction, the REAs are required to conduct CDD on their respective client. For example,

• REA A representing the purchaser is required to conduct CDD on the purchaser; and

• REA B representing the seller is required to conduct CDD on the seller.

In the absence of co-broke or co-agency arrangement, REA is required to conduct CDD on both parties to a property or tenancy transaction. Please refer to Appendix A for illustration.


Specific CDD : Licensed Gaming Outlet

50 Can the winning fund be paid to third party instead of to the winner?

The AML/CFT requirements do not restrict third party payment. However, in the case that the payment is above RM50,000, the reporting institution must conduct CDD on the third party i.e. either as person conducting the transaction or beneficial owner.

Politically Exposed Persons

51 What is the extent of checking required to ascertain information on close associates or family members of PEPs, as a basic internet search may not reveal the required information? Does Bank Negara Malaysia maintain a central database of PEPs?

Reporting institutions are encouraged to develop internal references or database in identifying family members or close associates of PEPs. Alternatively, reporting institutions may also refer to public or commercial databases and supplement this with a customer’s self-declaration.

Bank Negara Malaysia does not maintain a central database on PEPs, family members and close associates of PEPs.

52 To what extent is the reporting institution required to identify the connectivity to a PEP especially where the connection with close associate can be through multiple layers e.g. close associates of PEP setting up a company with another person(s), work colleagues, etc.?

The identification of close associates should be on a best effort basis, based on information obtained and available to the reporting institutions and subject to the risk assessment of the reporting institution.

In the case of personal relationships, this can be deduced based on the social, economic and cultural context which can determine the closeness of the relationship.

Reliance on Third Parties

53 Can reporting institutions rely on third parties to conduct CDD?

Reporting institutions may rely on third parties for the conduct of CDD or to introduce business provided that the relationship between the reporting institution and the third party is governed by an arrangement that clearly specifies the rights, responsibilities and expectations of all parties, as required under paragraph 16.5 of the Policy Document.


Nevertheless, the conduct of CDD is the ultimate responsibility of the reporting institution, which must ensure that it is able to obtain the CDD information from the third party, immediately, upon request.

Sharing of data is allowed strictly for CDD purposes and subject to prerequisites stated in the above paragraphs.

Reporting institutions are to take note that ‘third parties’ in the context of paragraph 16 refers to another reporting institution supervised by Bank Negara Malaysia. It does not include outsourcing or agency relationships because the outsourced service provider or agent would be regarded as synonymous with the reporting institution.

54 What form of “attestation” is required from the third party under paragraph 16.6 of the Policy Document?

The “attestation” can be in any form that is mutually agreed by both parties.

The “attestation” should clearly specify the rights, responsibilities and expectations of all parties and satisfy the requirements stated under paragraph 16 of the Policy Document.

Higher Risk Countries

55 How do reporting institutions deal with higher risk countries?

Paragraph 17 of the Policy Document deals with higher risk countries that are called for by the FATF or by the Government of Malaysia as well as other jurisdictions that have strategic AML/CFT deficiencies for which they have developed an action plan with the FATF.

This includes conducting enhanced CDD and applying effective countermeasures, when required.

For further details on dealing with customers from higher risk countries, please see Appendix B.


Reporting institutions should refer to the FATF website for the latest list of higher risk countries or the latest circular issued by Bank Negara Malaysia and any change in those requirements at: https://amlcft.bnm.gov.my.

56 Where can reporting institutions source for a list of higher risk countries issued by the Government of Malaysia?

Bank Negara Malaysia will publish any higher risk countries that have been officially specified by the Government of Malaysia, by way of circular.

Such specification has yet to be made at the date of the publication of this FAQ.

57 Are reporting institutions refrained from providing services to customers from higher risk countries subject to a call for action by FATF?

Reporting institutions are not refrained from dealing with customers originating from countries that are subjected to a call for action by the FATF. Clients from such countries are subjected to more stringent CDD requirements as stipulated under the Policy Document.

Cash Threshold Report (CTR)

58 Are all reporting institutions under the AMLA required to submit CTRs?

At the time of publication of this FAQ, CTR obligation of RM25,000 and above in a day, pursuant to section 14(1)(a) of the AMLA, is applicable only to banking institutions, selected prescribed development financial institutions, Lembaga Tabung Haji and licensed casino.

Other reporting institutions are not yet required to submit CTR.

Nevertheless, Bank Negara Malaysia will continue to conduct assessments on reporting institutions from time to time. Reporting institutions will be notified if the CTR obligations become applicable to them.


Suspicious Transaction Report (STR)

Reporting Mechanism

59 Can a senior management of the reporting institution, who is not the appointed compliance officer evaluate and report suspicious transaction to FIED, BNM?

Only the appointed compliance officer has the sole discretion and independence to evaluate and report suspicious transactions to FIED, BNM.

In this regard, the reporting institution must ensure that the appointed compliance officer has the sufficient stature, authority and seniority within the reporting institution to be able to make effective AML/CFT related decisions, including STR submission.

60 What is the threshold for reporting of suspicious transaction?

There is no threshold for reporting of suspicious transaction. It is based on any suspicion that arises when establishing business relationship or conducting a transaction regardless of any amount.

However, a reporting institution may set an internal threshold based on the reporting institution’s own risk assessment.

61 Should reporting institutions continue to submit STRs for the same customer or should reporting institutions update the details in the previous STR case filed?

As per paragraph 19.2.10 of the Policy Document, where an STR has been lodged, reporting institutions may opt to update or make a fresh STR as and when a new suspicion arises.

Reporting institutions are encouraged to submit a new STR if there is new critical information. Where a new STR is submitted, reporting institutions should include the previous reference number (or date of submission, if submitted manually) as part of the reporting description.

Internally Generated STRs

62 What is the duration for the reporting institutions to maintain the internally generated reports and supporting documents?

These reports and supporting documents are to be kept for at least 6 years, as specified under the Record Keeping requirements in paragraph 21.3 of the Policy Document.


63 Can reporting institutions maintain internally generated reports in soft copy form, e.g. Excel format?

Reporting institutions must ensure that any internal STRs and supporting documents or records are made available to the relevant supervisory authorities upon request, as required under paragraph 19.4.2 of the Policy Document. The information must be maintained in a form that is admissible as evidence in court pursuant to the Evidence Act 1950.

Record Keeping

64 Is the record keeping requirement applicable to attempted customers?

The record keeping requirement is only for existing customers who have entered into a business relationship with reporting institutions, and is not applicable to attempted customers.

However, if an STR has been submitted on an attempted transaction or customer, the relevant records must be kept and be made available if required by law enforcement agencies or the supervisory or competent authorities.

65 Where documents are kept in multiple different forms (e.g. physical copies or in electronic format), what are the expectations on the requirements?

Reporting institutions must ensure that all the retained forms of record keeping remain relevant and are kept up-to-date. They must also conform to section 15 of the AMLA on centralisation of information collected to provide timely information to reporting institutions to enable detection of irregularities and/or any suspicious activity.

The information must also be maintained in a form that is admissible as evidence in court pursuant to the Evidence Act 1950.


Management Information System (MIS)

66 Is there any restriction for reporting institutions to keep their MIS’ server offshore?

There is no restriction on how the centralisation of CDD information and transaction monitoring should be performed, as long as the MIS is able to provide the reporting institutions with timely information and enable the reporting institution to detect any irregularity. In addition, the reporting institutions must be able to provide records, when required by the supervisory or competent authorities or law enforcement agencies, in a timely manner.

Reporting institutions need to assess and satisfy themselves that such arrangement of the infrastructure is in compliance with other secrecy obligations pertaining to customer information, where applicable.

Targeted Financial Sanctions

Definition

67 What is the definition of “without delay”?

“Without delay”, in respect of maintenance of sanctions list and freezing, blocking and rejecting, is ideally within a matter of hours of designation by the United Nations Security Council (UNSC) or its relevant Sanctions Committee or the Minister of Home Affairs. The aim is to prevent the flight or dissipation of funds or other assets which are linked to terrorists, terrorist activities, financing of terrorism or financing of proliferation of weapons of mass destruction.

Reporting institutions may refer to the following websites for the lists:

UNSCR Lists: https://www.un.org
Domestic List: http://www.federalgazette.agc.com.my


Maintenance of Sanctions List

68 How often do the UNSCR Lists and Domestic List get updated? How can reporting institutions know when there is an update?

Reporting institutions are required to keep updated with the UNSCR Lists and Domestic List, which are updated at no specific intervals.

In this regard, reporting institutions shall refer to the UNSCR and Ministry of Home Affairs' website (and the relevant subsidiary legislation or Gazette Orders) regularly to ensure the lists maintained remain updated and relevant.

69 Does the delisting of individuals and entities from UNSCR list automatically remove them from the Domestic List?

No. Removal from UNSCR list does not automatically mean that the entities are removed from the Domestic List. The delisting from Domestic List will only take effect upon publication of the Gazette to declare the removal of such specified entities through the relevant subsidiary legislation issued by the Minister of Home Affairs.

Sanctions Screening

70 Are reporting institutions required to screen every director, shareholder, nominee and company names against the UNSCR Lists and Domestic List for legal person customers?

Reporting institutions are required to conduct sanctions screening on existing, potential or new customers against the UNSCR Lists and Domestic List which state names and particulars of specified or designated entities as declared by the UNSC or Minister of Home Affairs, as part of the customer due diligence process and on-going due diligence.

For customers which are legal persons, reporting institutions are required to screen the name of the customer, i.e. companies, bodies corporate, foundations, partnerships, or associations and other similar entities, as well as the beneficial owners, i.e. directors, shareholders including nominees, against the sanctions lists.


71 In conducting sanctions screening, reporting institutions may perform name searches based on a set of possible permutations. What does this refer to?

This refers to various ways of conducting a search against the UNSCR Lists and Domestic List, for example, varying the sequence and order of keywords of a name or using different spellings of a name, to prevent unintended omissions.

Further, to eliminate false positives, reporting institutions may make enquiries for additional information and identification documents from the customer or credible sources to assist in determining whether the potential match is a true match, or may direct any query to FIED, BNM, in the case of similar or common names.

Dealing with False Positive

72 Must reporting institutions match all identifiers for parameters of a true match or could matching at least 2 of the identifiers be sufficient?

Reporting institutions are required to ascertain that potential matches are true matches and not false positives. It is the reporting institution’s responsibility to take further measures or steps (e.g. make further inquiries for additional information, etc.) to determine whether the potential match is a true match.

Reporting institutions are to ensure that the identifiers are strong and corroborative for the reporting institution to make their own assessment on the parameters used to ensure true matches.

Related Parties

73 Who would fall under the definition of “related parties”?

Related party refers to:

(a) person related to the funds, other financial assets or economic resources that are wholly or jointly owned or controlled, directly or indirectly, by a designated person; and

(b) a person acting on behalf or at the direction of a designated person.


Based on the above, it may extend to shareholders, directors, authorized person, senior management and also the beneficial owner.

Freezing, Blocking and Rejecting – Customers and Related Parties

74 In the event of a name match after funds have been deposited into the reporting institution’s clients’ account, how are such funds to be treated?

Reporting institutions are required to hold or freeze funds deposited by a listed individual or entity into their clients’ account until its delisting or the sanction is uplifted.

75 In relation to targeted financial sanctions, are reporting institutions allowed to inform the customer why their accounts or transactions have been frozen, blocked or rejected?

Reporting institutions are only allowed to inform the customer on the reason why the account or transaction has been frozen, blocked or rejected for publicly listed names, e.g. under the Gazette Orders, UNSCR Lists, etc.

76 Is there a need for the reporting institution to freeze a loan or financing account or pawn items in the event of name match against the sanction lists?

A loan / financing account should not be frozen and can continue to receive repayments. However, when the repayment is completed, the property, pawn items or vehicle, if any, must not be redeemed, transferred or sold.

77 Can reporting institutions transfer any funds from a frozen account to the Registrar of Unclaimed Moneys under the Unclaimed Moneys Act 1965?

Funds are to remain frozen as long as the specified entities remain listed. No dealing with the funds is allowed, which includes the transfer of funds to the Registrar of Unclaimed Moneys.

78 Can reporting institutions decide to freeze, block or reject any positive matches with individuals or entities listed in other unilateral sanctions lists?

In relation to unilateral sanctions lists such as those by the US Department of Treasury, the decision whether to freeze, block, reject or conduct transactions with persons listed under the unilateral list should be based on the reporting institution’s own assessment and its risk appetite.

Reporting institutions may consider submitting an STR on any positive name match with individuals or entities listed in other unilateral sanctions lists.


Allowable transactions

79 Are reporting institutions permitted to receive payments for loan or financing account of the specified entities?

Yes. Reporting institutions are permitted to receive payments into the specified entities’ loan or financing accounts. However, should the payment be for the purchase of assets, the assets should remain frozen even after the full settlement of the financing facilities, i.e. no transfer of ownership to the specified entity or a third party.

In the event of any non-payment of loans, the reporting institution shall not proceed with legal action or any subsequent court process without prior application to, and approval by:

(a) the Minister of Home Affairs for Domestic List and UNSCR Lists for terrorism financing; or

(b) the Strategic Trade Controller for UNSCR Lists for proliferation financing and other sanctions regimes.

80 Can reporting institutions close any account where loans are not serviced?

Reporting institutions may close any account where loans are not serviced, only upon approval from:

(a) the Minister of Home Affairs for Domestic List and UNSCR Lists for terrorism financing; or

(b) the Strategic Trade Controller for UNSCR Lists for proliferation financing and other sanctions regimes.

Reporting on Positive Name Match

81 In the event of a positive match, are reporting institutions required to submit STR to FIED, BNM in addition to the submission of a TFS determination report?

Yes. Submission of STR is still required in addition to submission of TFS determination report. The STR should contain further information beyond the information reported in the TFS determination report, for example, details of related transactions or parties.


82 If there is no name match with the specified entity or designated person, is a reporting institution still required to submit the determination and periodic reporting forms?

Reporting institutions are not required to submit determination or periodic reporting form in the event of no name match with the specified entity or designated person.

Appendices

Forms and Template

83 Are the forms and templates intended as a guide or must they be incorporated in the reporting institution’s policies and procedures?

The forms are a combination of guidance and forms that must be used, as follows:

Forms or templates under Appendices 3, 4 and 9 are intended as guidance, which can be amended and incorporated as part of the policies and procedures accordingly.

Forms under Appendix 5 for suspicious transaction reporting, as well as Appendices 6A, 6B, 7A and 7B for targeted financial sanctions reporting, must be adopted as is.


APPENDIX A


Sector Specific CDD for REAs

CDD on both parties to a property sale and purchase or tenancy transactions


APPENDIX B


End of document.
