March 29, 2024

A Guide to Travel Rule Compliance in Malaysia

A Guide to Travel Rule Compliance in Malaysia
  • Malaysia mandates the sharing of transaction data under the FATF Travel Rule with no minimum threshold.
  • VASPs must enforce strict AML and CFT compliance measures, including thorough customer due diligence to comply with the Travel Rule in Malaysia.
  • Companies must retain transaction records for seven years and present them to authorities when demanded. 

Malaysia, a Southeast Asia country with a population of 33 million, classifies crypto as a security and requires those involved in crypto activities to maintain the highest standards of compliance for Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) by adopting FATF’s Travel Rule.

The Background of the Crypto Travel Rule in Malaysia

In Malaysia, crypto is regulated by the Securities Commission Malaysia (SCM), which in 2019 published the Capital Markets and Services Order. This classified certain cryptocurrencies as securities, subjecting them to securities laws. 

In April 2021, the Malaysian statutory body responsible for the development and regulation of capital markets in the country made amendments to officially introduce Travel Rule requirements in the region. Then, in April 2022, the Crypto Travel Rule came into force.

What Does Travel Rule Mandate?

The Travel Rule mandates that crypto service providers share transaction information for digital assets, complying with AML regulations. This involves detailing both the sender and receiver's information and implementing robust, risk-based policies and procedures.

To comply with the FATF Travel Rule, VASPs in Malaysia must appoint a compliance officer, train employees, and apply a risk-based approach tailored to relevant risk factors. 

Additionally, crypto companies must conduct Customer Due Diligence checks, which entail identifying and verifying customers. Moreover, depending on the customer's risk level, companies must carry out either Simplified Due Diligence (SDD) or Enhanced Due Diligence (EDD).

Those involved in crypto-related activities are required to monitor transactions closely and perform sanctions and AML screenings, which involve checking if a customer is designated as a Politically Exposed Person (PEP) or appears on sanctions lists. Additionally, they must report any suspicious transactions immediately. 

The companies are also obligated to retain all records for a minimum period of seven years, making the data accessible to authorities upon request.

Compliance Requirements

When it comes to Malaysia's Crypto Travel Rule requirements, the Originator VASP is required to collect and then share personally identifiable information (PII) with the Beneficiary VASP. Notably, Malaysia has no minimal threshold for reporting, mandating that information must be gathered and shared regardless of the transaction amount.

The personally identifiable information (PII) an originating VASP must collect, verify, and transmit from its customer includes:

- Name 

- National registration identity card number or passport number

- Account number or unique transaction number to trace the transaction

- Address or date of birth and place of birth.

When it comes to the beneficiary VASPs, they must collect the following customer information: 

- Name

- Account number or unique transaction number to trace the transaction.

The beneficiary VASP is required to have an effective risk-based procedure to monitor transactions and identify transfers lacking the required information. It must also have policies to determine when to execute a wire transfer lacking the required originator/beneficiary information or when to reject or suspend it. The beneficiary VASPs must also have the appropriate follow-up action to be taken.

Impact on Cryptocurrency Exchanges and Wallets

In Malaysia, a Virtual Asset Service Provider (VASP) facilitates the buying, selling, or transferring of digital assets on behalf of its customers. In order to operate in the country and offer its services, the company must be Malaysian-incorporated and registered with the SCM.

Besides being locally incorporated, digital asset exchanges must have a minimum paid-up capital of RM5 million (approximately $1 mln). For an IEO applicant as well, the min. paid-up capital is RM5,000,000 (just over $1 mln). A digital asset custodian, meanwhile, is required to have a minimum paid-up capital of RM500,000 (approximately $107,000) and shareholders’ funds of RM500,000 that must be maintained at all times. 

The exact criteria vary based on the type of services one provides, which can be found in the Guidelines on the Recognized Market

Moreover, in order to offer the services in Malaysia, VASPs must enforce the Crypto Travel Rule. These rules ensure the crypto company is fully compliant with AML and CFT regulations and provides a secure trading experience.

When it comes to cross-border transactions, the SCM applies the same scope of Travel Rule information-sharing obligations no matter whether the transaction involves a national or foreign counterparty.

As for the self-hosted, un-hosted, or non-custodial wallet requirements, the Malaysian regulator doesn’t specify anything. 

Global Context and Comparisons

Only in the last few years has the implementation of the Travel Rule ramped up. So, it is still early in its adoption phase, and Malaysia is among a limited number of countries, including the UK, the US, Germany, Estonia, Gibraltar, Liechtenstein, Hong Kong, Singapore, South Korea, and Japan, that have adopted the Crypto Travel Rule. 

Different countries interpret the FATF recommendation in their own ways, leading to varied requirements for VASPs. This results in differences in the specifics of the personal data to be collected during transactions, and the threshold, which the FATF sets at $1,000, varies by country. However, with no minimum threshold, unlike Canada (CAD 1,000), Germany (EUR 1,000), Hong Kong (HKD 8,000), and Singapore (S $1,500), Malaysia adopts a more stringent stance than other nations.

Concluding Thoughts

Overall, to comply with the FATF Travel Rule in Malaysia, VASPs must rigorously collect, verify, and share transactional and customer data, adhere to strict AML and CFT protocols, and maintain records to ensure transparency and security in the digital asset space.


Q1: What's the transaction threshold for the Travel Rule in Malaysia?

Malaysia has no minimum threshold for transaction reporting under the Travel Rule.

Q2: What compliance measures must Malaysian VASPs implement?

Malaysian VASPs must enforce detailed AML and CFT compliance procedures, including thorough customer due diligence.

Q3: How long are transaction records required to be kept?

Transaction records in Malaysia must be maintained for seven years, making them accessible to regulatory authorities as needed.

Q4: What customer information do VASPs need to collect in Malaysia under the Travel Rule?

VASPs in Malaysia are required to collect and verify customer names, identity numbers, account numbers, and addresses or dates and places of birth under the Travel Rule.

About Veriscope

Veriscope, the compliance infrastructure on Shyft Network, empowers Virtual Asset Service Providers (VASPs) with the only frictionless solution for complying with the FATF Travel Rule. Enhanced by User Signing, it enables VASPs to directly request cryptographic proof from users’ non-custodial wallets, streamlining the compliance process. 

For more information, visit our website and contact our team for a discussion.To keep up-to-date on all things crypto regulations, sign up for our newsletter, and follow us on X (Formerly Twitter), LinkedIn, Telegram, and Medium.