Evolution of the fintech market in Malaysia in the first half of 2020 was limited given the occurrence of the COVID-19 pandemic. However, the much-anticipated guidelines introduced by the Malaysian regulators in the second half of 2020 are likely to stimulate the fintech space in 2021.
In particular, the trading of digital assets/tokens (such as cryptocurrencies) and the establishment of platforms to facilitate such trading is expected, given that the Guidelines on Digital Assets came into force on 28 October 2020 ("DA Guideline").
The Licensing Framework for Digital Banks (Digital Banking Framework) was also issued by Bank Negara Malaysia (BNM) towards the end of 2020, and interested parties are invited to submit their application for such a licence by 31 June 2021. The issuance of the Digital Banking Framework by BNM signals an increased focus on democratising access to finance for the unserved and underserved markets. It is expected that up to five digital banks will be issued with licences by the first quarter of 2022.
While there are a number of insurtech players (eg, insurance product aggregators and online insurance product distributors) in the market, payment services providers (eg, payment gateways, remittance service providers) and e-wallet providers continue to be a predominant vertical in Malaysia. With the regulation of crypto-exchanges by the Securities Commission Malaysia (SC), there are currently only three crypto-exchanges operating in Malaysia.
There is no fintech-specific regulatory regime applicable to industry participants in the main verticals. The term "fintech" is potentially very broad and there is no statutory definition of "fintech" in Malaysia. As a result, the existing regulatory framework generally applicable to the financial services industry applies equally to fintech industry participants. This framework includes:
An assessment of proposed fintech activity must therefore be made to determine whether it falls under the existing regulatory framework and if so, the relevant legislation, standard and/or guideline that will apply.
BNM has also begun to move to regulate new types of businesses, albeit within the existing regulatory framework. Examples of this are:
Assuming that the fintech market players do not take the form of incumbent FIs (ie, insurers or banks), there is presently no publicly available framework in Malaysia regulating the compensation models (ie, the manner in which customers should be charged and the accompanying disclosures on the various new products and services) adopted by fintech market players. As the concept of freedom of contract is recognised in Malaysia, such compensation models are therefore a matter of contract between the fintech provider and the customer.
As set out in 2.2 Regulatory Regime, the existing regulatory framework which is applicable to incumbent FIs generally applies to fintech industry participants and there are no differences in regulation between these entities.
BNM introduced the Financial Technology Regulatory Sandbox Framework ("Sandbox") in 2016 to enable fintech solutions to be implemented and tested under live conditions. The Sandbox represents a balance between the desire to encourage technology and innovation in providing financial services, and the need to manage and appropriately regulate the unique risks and challenges posed by such developments.
Assessment and Business Plan
The Sandbox is open to financial institutions and fintech companies that are looking to provide services (whether on their own or in collaboration with FIs) that already are, or are likely to be, regulated by BNM. Although an application may be submitted at any time, BNM typically expects applicants to have conducted an assessment on the proposed product and any associated risks and possible safeguards, and to provide a business plan to support the deployment of the product. Only genuinely innovative products with clear potential will be accepted into the Sandbox.
Exemptions and Benefits
While a company is in the Sandbox, it may enjoy temporary exemptions from specific regulatory requirements which it will face a challenge in meeting. The company will have the opportunity to engage in dialogue with BNM to clearly define a space in which to experiment with and test its particular products and services. At the same time, BNM will benefit from the participants' feedback and form a better understanding of the technological solutions and services that it seeks to regulate.
The maximum testing period is 12 months from the starting date of the test, although BNM has the discretion to approve an extension. BNM has made it clear that the Sandbox cannot be used to circumvent existing laws and regulations. Therefore, when the testing period expires, BNM will make an assessment as to whether the product, service or solution is able to meet the relevant legal and regulatory requirements prescribed by BNM and, therefore, whether it may be deployed in the market on a wider scale or whether development of the product should be prohibited.
Different regulatory licences and/or approvals are triggered depending on the type of business being conducted. Generally speaking, the four primary pieces of legislation which are likely to apply to fintech industry participants in Malaysia are the:
The FSA, IFSA and MSBA are administered and enforced by BNM:
On the other hand, the CMSA is administered and enforced by the SC and regulates, among others, the activities of dealing in securities, dealing in derivatives, fund management, investment advice and financial planning.
As there is no fintech-specific legislation in Malaysia, BNM or the SC (as the case may be) will regulate the fintech industry participant to the extent that it engages in a regulated business or activity falling within the jurisdiction of BNM or the SC.
The inherent activity which is the subject of regulation under Malaysian law (eg, taking deposits, underwriting risks) cannot be outsourced to another party (even where such a party is a regulated entity).
Fintech providers that are reporting institutions for the purposes of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act, 2001 (AMLATFA) (eg, approved e-money issuers and remittance licensees) are subject to reporting requirements under the AMLATFA. To the extent that these fintech providers are also regulated by BNM or the SC, such fintech providers will also be subject to additional requirements under the relevant guidelines issued by these regulators pursuant to the AMLATFA, which deal with, among others, the reporting obligations and controls that are to be put in place to manage money-laundering, terrorism-financing and proliferation-financing risks (eg, BNM's Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, the SC's Guidelines on Prevention of Money Laundering and Terrorism Financing for Capital Market Intermediaries, and the SC's Guidelines on Implementation of Targeted Financial Sanctions Relating to Proliferation Financing for Capital Market Intermediaries).
To date, there do not appear to have been any significant enforcement actions initiated by regulators against fintech industry participants in Malaysia.
As discussed in 2.2 Regulatory Regime, there is no fintech-specific regulatory framework in Malaysia, and fintech players are therefore subject to the same general non-financial services regulations as incumbent FIs, to the extent that they are applicable to fintech players.
The extent of the application of such existing laws to both fintech participants and incumbent FIs will depend on the specific regulated activity the fintech participant or incumbent FI is involved in.
Apart from the regulators, it appears that no other bodies (such as accounting and auditing firms, or other vendors) review and monitor the activities of fintech industry participants. While there are industry associations in Malaysia (eg, the Fintech Association of Malaysia), the members do not seek to self-regulate the industry and function more as intermediaries between the fintechs and regulators.
Section 14 of the FSA and Section 15 of the IFSA restrict industry participants who have been licensed or approved by BNM to undertake certain businesses in Malaysia (Authorised Business), such as e-money issuers, operators of payment systems, financial advisers and insurance/takaful brokers, from conducting any other business or activity (whether inside or outside Malaysia) save for those in connection with, or for the purposes of, its Authorised Business.
Therefore, industry participants regulated by BNM can only offer unregulated products and services to the extent that they are related to their Authorised Business or where such unregulated products and services are approved by BNM.
While there are no similar restrictions on industry participants falling within the regulatory ambit of the MSBA or the CMSA, BNM and the SC have broad discretion to impose such restrictions as part of the industry participants’ licensing conditions, where BNM and the SC deem fit.
Fintech participants providing robo-advisory services (ie, the management of funds using innovative technologies as part of an automated discretionary portfolio of management services) will need to be licensed by the SC to undertake fund management in relation to portfolio management, as a digital investment manager under the CMSA ("Digital Investment Manager").
To this end, a Digital Investment Manager may manage various asset classes, and the SC does not require that a Digital Investment Manager should adopt different business models for different asset classes.
Legacy players intending to implement solutions introduced by robo-advisers should enter into consultations with the SC to discuss the possibility of implementing robo-advisory solutions within their traditional model of doing business.
The SC's Guidelines on Compliance Function for Fund Management Companies ("Fund Management Guidelines") contain certain best execution requirements which apply to all fund management companies in Malaysia, including robo-advisers. Such requirements include:
The existing regulatory framework does not generally make a distinction between online and non-online lenders. The activity of providing loans may potentially be regulated under a range of laws in Malaysia, depending on the precise business model. For example, a business which lends money at interest, with or without security, to a borrower will require a money-lending licence under the Moneylenders Act 1951 (MLA), while a business which provides finance (eg, by lending money), accepts deposits on current accounts, deposit accounts, savings accounts or other similar accounts, and pays or collects cheques drawn by or paid in by customers may require a banking licence under the FSA.
The MLA and FSA also do not distinguish between the provision of loans to specific types of borrowers (eg, individuals, small businesses, etc). The corresponding obligations under the MLA and FSA would equally apply to the entity providing the loans, for as long as the licensing requirement is triggered. The Ministry of Housing and Local Government (the regulator that administers the MLA) has also been supportive of digitalisation initiatives and has issued up to eight new online money-lending licences to serve small and medium enterprises in 2020.
New forms of lending via peer-to-peer (P2P) investment and equity crowdfunding (ECF) have nevertheless emerged in the market in recent times and lenders/borrowers under such schemes (and the platform operators providing such schemes) are subject to regulation by the SC under the Guidelines on Recognised Markets (RMO Guidelines), as follows:
There is no specific underwriting requirement, although the relevant regulators may prescribe specific requirements (eg, capital).
Funds for loans may be sourced from, among others:
See 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities in respect of P2P and ECF regulation. The taking of deposits, in turn, is only permitted where the entity is licensed by BNM (eg, a banking licence) to do so under the FSA.
As long as the regulatory requirements for the provision of such loans are met and the funds do not originate from the proceeds of unlawful activity under the AMLATFA, no specific issues arise with respect to the above-mentioned sources of funds.
As set out previously, a P2P or an ECF scheme which is undertaken via a platform can match multiple investors (ie, lenders/investors) to fund a single loan (ie, borrower). This is analogous to a syndication of a loan in the traditional sense. See 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities for a brief overview of its regulation.
Payment processors (such as payment gateways) would typically use existing payment systems in Malaysia (eg, RENTAS, FPX, Interbank Giro) to facilitate any transfer, clearing or settlement of funds. Any creation and operation of new payment systems will require the prior approval of BNM.
In addition to the regulatory requirements to be complied with under the MSBA when undertaking remittances, payments and remittances outside Malaysia are also subject to exchange control provisions under the FSA, as supplemented by foreign exchange notices issued by BNM ("FE Notices").
The FE Notices set out transactions pre-approved by BNM, given the general prohibitions under the FSA. The prior approval of BNM (which is discretionary) will need to be obtained to the extent that a person carries out a transaction which is prohibited and such transaction is not specifically permitted under the FE Notices. Generally, the FE Notices permit certain cross-border payments and remittances.
As the Malaysian ringgit is not tradeable outside Malaysia, the remittance of Malaysian ringgit by a resident to a non-resident outside of Malaysia is prohibited.
Fund administrators who are merely outsourced service providers carrying out administrative functions for a fund are generally not regulated under any framework in Malaysia.
However, fund management in and of itself is a regulated activity under the CMSA. A fund management licence from the SC may be required if fund administrators also undertake, on behalf of any other person, the management of:
The SC's Fund Management Guidelines allow a fund management company to outsource any of its functions to a service provider (eg, a fund administrator), subject to compliance with requirements stipulated in the SC's Licensing Handbook. The Licensing Handbook imposes certain obligations on licensees under the CMSA (such as fund managers), including:
As a result, an agreement between fund advisers (or fund managers) and fund administrators is likely to incorporate contractual terms which will enable the fund manager to comply with its obligations under the Fund Management Guidelines, Licensing Handbook and the CMSA.
In regulating securities and derivatives markets, the SC generally classifies marketplaces and trading platforms into three types, ie, an approved market, exempt market and recognised market. The level of regulation imposed depends on the characteristics of the market (eg, types of products traded and sophistication of the market-users).
An example of an approved market in Malaysia is the Malaysian stock market operated by Bursa Securities Bhd (Bursa Malaysia). Bursa Malaysia provides access to various investment products and securities, including equities, derivatives, offshore and Islamic assets, as well as exchange traded funds, real estate investment trusts and exchange traded bonds and sukuk. An approved market such as Bursa Malaysia is generally subject to stringent requirements given the ease of access to it by retail investors.
An exempt market is a stock or derivatives market which has been declared as an exempt stock or derivatives market under Section 7 of the CMSA. Such market may be exempted when it has already been subjected to other forms of regulation. To date, the minister of finance has not published any order declaring a particular stock or derivatives market as an exempt market under the CMSA.
A recognised market, on the other hand, covers an alternative trading venue that brings together purchasers and sellers of capital market products. Its regulation is not as stringent but the SC may impose terms and conditions on the operator of such market commensurate with the risk profile, nature and scope of the recognised market’s operations. Marketplaces that fall within this ambit include:
Different asset classes generally have different regulatory regimes. For example, the listing, trading, clearing and depository of securities fall under:
The trading and clearing of derivatives are, in turn, subject to the Rules of Bursa Malaysia Derivatives Bhd and the Rules of Bursa Malaysia Derivatives Clearing Bhd.
The trading and reporting of bonds are also subject to the Rules of Bursa Malaysia Bonds Sdn Bhd.
The emergence of cryptocurrencies and exchanges which facilitate cryptocurrency trading have spurred the SC to amend the RMO Guidelines to regulate digital asset exchange operators as a recognised market. See 12.2 Local Regulators’ Approach to Blockchain for an overview of how digital asset exchanges (and cryptocurrencies) are regulated.
Bursa Malaysia offers a choice of three markets for companies seeking listing in Malaysia. Different listing requirements then apply depending on whether the offering is made in the Main Market, ACE Market or LEAP Market. While the requirements of the Main Market are generally more comprehensive and stringent, the listing requirements across all three markets broadly encompass the following criteria:
As it currently stands, there are order handling rules for the derivatives market. This is to ensure market integrity in the derivatives market through order activity restrictions, daily price limits, price banding, trade cancellation policy, and stop spike logic.
The securities market does not have an equivalent, although there are references to trade cancellation policies.
Presently, the only peer-to-peer "trading" platforms which are recognised in Malaysia are P2P investment platforms, ECF platforms and digital asset exchanges; no peer-to-peer securities or derivatives trading platforms have been recognised as yet. See 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities and 12.2 Local Regulators' Approach to Blockchain for a brief overview of their regulation.
There are no specific rules regarding "best execution" of customer trades in Malaysia to date. However, under the CMSA, there are rules for order-handling by licensees and capital market intermediaries that indirectly and, to a certain extent, meet the same desired objectives of "best execution". For instance, there are rules prohibiting front-running, which impose obligations on intermediaries to put clients' orders ahead of their proprietary trades.
To date, there are no rules that expressly prohibit or permit payment for order flow. However, under the Rules of Bursa Malaysia Securities Bhd and the Rules of Bursa Malaysia Bonds, a broker must not share any commission it receives in connection with a trade executed with any person except its dealer representatives (ie, the holder of a capital markets services representative's licence), trading representatives (ie, a person who executes securities trades for a broker), marketing representatives (ie, the introducer for a principal), or such other persons as are permitted under the Guidelines for Marketing Representatives. There is no equivalent restriction under the Rules of Bursa Malaysia Derivatives Bhd.
There are principles of market integrity which exist within the capital markets regulatory framework. For example, the Business Rules of Bursa Malaysia Securities Bhd introduced by Bursa Malaysia prescribe rules relating to conduct of business, trading, settlement, etc. The key trading rules, among others, are:
The key trading rules under the Business Rules of Bursa Malaysia Derivatives Bhd issued by Bursa Malaysia similarly stipulate that trading participants:
The CMSA, compliance with which is overseen by the SC, also provides that no one is to engage in, among others:
In 2020, BNM also introduced the Code of Conduct for Malaysia Wholesale Financial Markets (which is applicable to financial institutions in Malaysia) which, among others:
Bursa Malaysia allows for, among others, the use of algorithmic trading by buy-side institutions (ie, direct access), but there are no regulations in relation to the creation of algorithmic trading in Malaysia to date.
This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations.
This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations.
This is not applicable in Malaysia. See 8.1 Creation and Usage Regulations.
Platforms that provide pure information or research services in the fintech industry (eg, platforms which provide a market comparison of the best financial products) are not specifically subject to regulation, provided such information does not result in the platform undertaking an activity that would require a licence under the FSA or CMSA (eg, provision of general or personal financial advice or investment management advice).
Enforcement of the Aggregation Exposure Draft may, however, require that certain platforms providing insurance and takaful aggregation services be registered with BNM under the FSA and the IFSA.
The spreading of unverified or false information in relation to investment products is largely regulated under the CMSA and FSA. Generally, the CMSA and FSA prohibit the following behaviour by any person (including a financial research platform):
Additionally, the CMSA and FSA also restrict a person (including financial research platforms) from:
A financial research platform provider will be similarly motivated to oversee the information being published and made available on its platform.
At present, and unless such discussions by commentators are defamatory under the Defamation Act, or constitute insider trading under the CMSA, any control or oversight of discussions on the financial research platform will be a matter of internal regulation by the operator of the financial research platform itself. Financial research platforms are likely to be incentivised to regulate such discussions in light of 9.2 Regulation of Unverified Information.
In the context of underwriting specifically, existing insurers in the market can avail themselves of large amounts of data voluntarily provided by policyholders (whether through social media, applications or smart devices) to:
In return, insurers are able to offer lower product premiums and better product variety to policyholders.
Such harnessing of data from policyholders (whether by the insurer or its third-party providers) is generally subject to the requirements of the Malaysian Personal Data Protection Act 2010 (PDPA), together with any attendant codes of practice issued by the industry in relation to the same, and the guidelines issued by BNM pertaining to the protection of customer information.
There is a distinction between general insurance under the FSA (or general takaful business under the IFSA) and life insurance under the FSA (or family takaful business under the IFSA). Depending on the type of insurance being offered, the licensee will be subject to specific restrictions and requirements imposed by BNM which are unique to its product offering.
Under the FSA, a life insurance business refers to all insurance business concerned with life policies, including any type of insurance business carried on as apparently incidental to the life insurer’s business; whereas a general insurance business refers to all insurance business which is not life insurance business.
Under the IFSA, a family takaful business means the business relating to administration, management and operation of a takaful arrangement under a family takaful certificate, including any type of takaful business carried on as apparently incidental to the family takaful operator’s business; whereas general takaful business means all takaful business which is not family takaful business.
Regtech providers in Malaysia are regulated according to the activities that they perform on behalf of a licensed entity (if at all), not the technology utilised. Accordingly, an assessment of the proposed regtech activity must be made so as to determine to what extent it falls under the existing regulatory framework (if at all).
Where banks and insurers (both conventional and Islamic, as well as prescribed development financial institutions) do delegate certain regulatory monitoring, reporting and compliance functions to regtech providers, the contractual provisions will be dictated by both regulatory and commercial drivers.
The Outsourcing Guidelines make it clear that any arrangement involving internal control functions is regarded as a material outsourcing arrangement. Accordingly (and in addition to the requirement to obtain BNM approval), the delegation of these functions will require that the regtech providers and the relevant financial institutions enter into a legally enforceable written agreement which must contain the terms relating to, among others, the responsibilities of the service providers, controls relating to information security and business continuity functions.
Other contractual provisions will be dependent upon commercial factors and the licensed financial institution's risk aversion (eg, indemnities for non-compliance), or other relevant regulatory conditions imposed by the supervising regulator.
There is generally a high level of awareness of blockchain’s potential to increase the efficiency of an FI’s existing operations. The adoption and use of such technology by existing licensed financial institutions is also becoming more prevalent. Examples involving existing financial institutions in Malaysia using blockchain include:
While the early years of fintech saw a prevalence of cryptocurrency exchanges in the market, Malaysia is now increasingly seeing the entry of start-ups utilising blockchain to offer the following services:
While blockchain as a technology in and of itself has yet to be defined or regulated in Malaysia:
To facilitate the growth of the bond marketplace at the Labuan Financial Exchange, Bursa Malaysia and Hashtacs Pte Ltd ("STACS"), a Singaporean fintech technology provider, had in December 2020 also used STACS' blockchain platform to simulate the issuance, service, trade and clearance of bonds. The bond on blockchain proof-of-concept ("POC") was executed and tested alongside the Labuan Financial Services Authority, SC, Maybank Investment Bhd, CIMB Investment Bank Bhd and China Construction Bank Corporation (Labuan Branch).
See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of the specific types of blockchain asset (ie, digital tokens and securities) presently recognised in Malaysia.
See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of specific types of blockchain asset (ie, digital tokens and securities), presently recognised in Malaysia.
Issuers of blockchain assets which are regarded as digital tokens under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 will particularly need to ensure that:
Other reporting obligations need to be fulfilled post-issuance of the digital token(s).
See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of the specific types of blockchain asset (ie, digital tokens and securities) presently recognised in Malaysia, and the trading platforms on which such assets are traded.
There is no specific legislation in Malaysia prohibiting investments into business ventures providing services or products that use blockchain technology. Traditional fund regulations applicable to fund managers (together with their individual investment management policies) will therefore apply to determine the viability of investments into such ventures.
There are, however, investment limits on angel investors and retail investors in digital token offerings, as below:
Digital currencies and digital tokens (both of which are sub-sets of virtual currencies) are specific types of blockchain assets (ie, cryptocurrencies) which are presently recognised and regulated in Malaysia. See 12.2 Local Regulators' Approach to Blockchain, which sets out the framework for the regulation of such assets.
The present laws do not expressly define decentralised finance ("DeFi") and do not appear to be broad enough to regulate DeFi at present.
BNM is generally facilitative and open to open banking in Malaysia. As part of its effort to kick-start open banking, BNM has rolled out the following initiatives.
At this stage, it is not mandatory for the Relevant FIs to publish standardised Open Data API.
In the absence of a clear framework for open banking being published at this juncture, it is not possible to assess how the framework will address the data privacy and security concerns raised by open banking. Conceptually, however, the use of APIs (which would be subject to common security and technical standards) in open banking to enable technology providers to gain access to customers' data would better protect the personal data of data subjects compared to the screen-scraping process presently adopted by technology providers.