Financial Crime World

New e-KYC Guidelines for Financial Institutions in Malaysia: Enhancing Customer Onboarding and AML/CFT Measures

Lee Ai Hsian (Partner) and Javene Fan (Associate), Banking and Finance Practice at Skrine

29 April 2024

Introduction

The Malaysian central bank, Bank Negara Malaysia (BNM), released an updated Electronic Know-Your-Customer (e-KYC) policy document and Frequently Asked Questions (FAQs) on 15 April 2024. This revision applies to various financial institutions (FIs), superseding the previous policy document and FAQs from 2020.

Key Application and Impact

The entities covered by the Revised Policy Document include licensed banks, investment banks, life insurers, Islamic banks, family takaful operators, development financial institutions, approved issuers of designated payment instruments, approved issuers of Islamic payment instruments, and licensed money services businesses (with possible extensions). Agent banking channels are not subject to this policy.

The primary objective of the Revised Policy Document is to guarantee secure and efficient e-KYC processes for financial institutions, support BNM’s regulatory supervision, and maintain strong anti-money laundering, countering financing of terrorism, and countering proliferation financing (AML/CFT/CPF) measures.

New Responsibilities for Boards and e-KYC Implementation

Financial institutions are required to obtain board approval and establish proper risk management policies and procedures for e-KYC systems. These measures must address operational and IT risks, as well as money laundering, terrorism financing, proliferation financing, and fraud risks.

Identification and Verification of Customers through e-KYC - Essential Requirements

Financial institutions must ensure that they have adequate and secure methods for e-KYC identification and verification. Risk assessments should be in place to ensure that the security measures of each e-KYC implementation are commensurate with its risk level.

Authentication factors like the following should be adopted for customer identity verification during onboarding:

  • Something the customer possesses: e.g., identity cards
  • Something they know: e.g., PINs or personal information
  • Something they are: e.g., biometric data

For individuals, e-KYC verification can include document authentication, biometric matching, and liveness detection. FIs should verify that government-issued ID documents used for e-KYC verification are genuine through fraud detection mechanisms and biometric technology.

When onboarding legal persons, FIs must adhere to customer due diligence (CDD) requirements for legal entities. This includes:

  • Identification and verification of the legal person
  • Identification and verification of the authorized person/representative
  • Identification and verification of beneficial owners

The use of electronic methods such as digital signatures, secure electronic voting platforms, and digital forms of Directors’ Resolution or Letter of Authority to document collective decisions regarding the appointment of authorized persons is encouraged.

Ensuring Effective e-KYC Implementation and Continuous Monitoring

The Revised Policy Document introduces several measures for FIs to ensure the continued effectiveness and accuracy of their e-KYC solutions:

  • Measuring and assessing false acceptance rates
  • Conducting periodic external assessments
  • Addressing vulnerabilities

Conclusion

This article provides an overview of the revised e-KYC policy in Malaysia for various financial institutions. For detailed advice on specific matters, please consult Skrine at skrine@skrine.com.

Appendices

Additional guidance may be found in the original document.

Important Considerations for FIs

  • It is unclear if FIs in the money services business sector are already required to comply with the Revised Policy Document’s e-KYC requirements due to their status as reporting institutions under the FI-AML Policy Document.
  • If a significant portion of e-KYC services is provided by a third party, e-KYC implementation may be considered a material outsourcing arrangement, which potentially requires prior written approval from BNM under the Outsourcing Policy Document.
  • FIs offering higher risk financial products like current accounts, savings accounts, and unrestricted investment accounts without the mentioned safeguards may need to develop technical capabilities, such as name matching with fuzzy logic, to prevent unintended fund transfers to external accounts with the same customer name.