New AML/CFT Requirements for E-Money Issuers in 2025

Bank Negara Malaysia’s (BNM) 2025 exposure draft on electronic money (“e-money”) introduces strengthened anti-money laundering and counter financing of terrorism (AML/CFT) obligations for e-money issuers (EMIs). The revised policy document – effective January 31, 2025 – is aimed at ensuring the safety and reliability of e-money services and preserving public confidence. Fintechs and wallet providers in Malaysia will face more explicit regulatory expectations around customer due diligence, sanctions screening, transaction monitoring, and risk management. Below are key AML/CFT-related requirements highlighted in the draft:

  • Customer Due Diligence (CDD): E-money issuers must perform thorough CDD on all customers at onboarding. This includes verifying customer identity (and beneficiaries or beneficial owners where applicable) and understanding the purpose of the account. Crucially, CDD now explicitly integrates sanctions screening – EMIs are required to screen potential and existing customers against Malaysia’s domestic sanctions list and the United Nations Security Council resolutions (UNSCR) list as part of onboarding checks. For corporate or high-risk clients, additional verification and information (e.g. business ownership, source of funds) may be expected to satisfy enhanced due diligence requirements. All CDD information must be kept up-to-date and reviewed periodically, especially for higher-risk customers.
  • Sanctions Screening: BNM emphasizes that sanctions and politically exposed person (PEP) screening is non-negotiable. Reporting institutions (including EMIs) are required to check every new customer (and regularly re-check existing ones) against the Domestic List and UN sanction lists to ensure no prohibited persons use their e-wallets. Screening should be built into both initial CDD and ongoing due diligence processes. This means e-money providers need automated name screening tools to flag matches and prevent onboarding of sanctioned individuals. Failure to do so is now explicitly recognized as a serious compliance breach, as shown by recent enforcement (discussed below).
  • Ongoing Transaction Monitoring: Regulators expect e-money issuers to continuously monitor customer transactions for suspicious patterns or inconsistencies. Real-time transaction monitoring and prompt detection of suspicious activities are stressed as essential by BNM. EMIs must scrutinize transactions throughout the customer relationship to ensure they align with the customer’s known profile and risk level. Unusual or large transactions should trigger alerts and reviews. Additionally, EMIs are expected to maintain systems for transaction risk scoring and to file suspicious transaction reports (STRs) quickly when thresholds of suspicion are met. In practice, this means having rules or AI models to flag transactions indicative of money laundering (e.g. structuring, rapid in-and-out funds, usage outside expected patterns) and escalating them for investigation. Efficient investigative workflows and clear documentation of decisions are part of the expected standard.
  • Risk-Based Controls & Wallet Categories: The draft adopts a risk-based approach, calibrating controls to the type and scale of e-money business. Notably, “limited purpose” e-money (such as closed-loop gift cards or loyalty points usable only at a single merchant or platform) has been carved out of the main e-money guidelines. Such limited-purpose EMIs are exempted under a separate order, reflecting their lower risk profile and usage scope. Conversely, mainstream e-wallet providers (open-loop e-money usable at multiple merchants) fall under the full scope of BNM’s AML/CFT requirements. BNM has also introduced categories like Standard EMI versus Eligible EMI (large issuers exceeding certain user or transaction thresholds). Large or “Eligible” e-money issuers face heightened regulatory expectations compared to smaller players. For example, higher capital requirements and stricter oversight apply to big e-wallet companies with significant market share. Similarly, higher-risk customers (e.g. high transaction volumes or foreign politically exposed persons) demand stronger controls – such as lower transaction limits, source-of-funds verification, or more frequent account reviews – under the risk-based approach. In summary, BNM expects EMIs to tailor their AML/CFT controls according to the nature and risk level of their wallets and user base, applying stricter measures where risk is higher.
  • Licensing and Governance: Meeting AML/CFT obligations is now clearly tied to licensing and governance standards for e-money providers. To obtain and retain an EMI license, firms must demonstrate robust governance arrangements and compliance frameworks. BNM’s policy draft details governance expectations ranging from board composition and oversight duties to the responsibilities of senior management in managing financial crime risk. This implies that boards of e-money issuers should have clear accountability for AML compliance (e.g. appointing a compliance officer, setting risk appetite, and reviewing AML reports regularly). Senior management must ensure effective implementation of AML programs, staff training, and independent audits. Malaysian regulators have also signaled that individual officers (directors, compliance officers, etc.) can be held personally liable for institutional AML failures, underscoring the importance of a compliance-conscious culture from the top. In practical terms, e-money fintechs should establish an internal AML/CFT policy aligned with BNM guidelines, designate qualified compliance officers, conduct ongoing staff training, and maintain clear escalation protocols for suspicious cases. Strong governance and internal controls are not just formalities; they are prerequisites for licensing and essential to avoid regulatory action.

Enforcement Example: BNM Fine Signals Heightened Scrutiny

A recent enforcement action by BNM vividly illustrates the stakes for e-money issuers that fall short of AML/CFT expectations. In May 2023, Bank Negara fined TNG Digital Sdn. Bhd., the operator of Touch ‘n Go eWallet, RM600,000 for serious AML/CFT compliance failures. According to BNM’s notice, TNG Digital allowed two sanctioned individuals to register e-wallet accounts by failing to screen their names against the sanctions lists. On one occasion, the company did not conduct any sanctions screening on a new customer, and on another, it failed to cross-check a customer’s name against the UN and domestic sanctions lists. These lapses meant individuals flagged under anti-terrorism and anti-money laundering orders were able to open accounts when they should have been barred.

BNM deemed this a breach of multiple regulations, including its specific AML/CFT policy for Electronic Money (Sector 4) and the broader AML/CFT and Targeted Financial Sanctions (TFS) requirements for financial institutions. Even though TNG Digital self-identified the oversight and reported it to BNM after the fact, the regulator still imposed a hefty administrative monetary penalty, which the company paid by the end of May 2023. This enforcement sends a clear message: regulatory tolerance for AML/CFT lapses in fintech and e-money operations is extremely low.

For Malaysian wallet providers and fintechs, the Touch ‘n Go case is a cautionary tale. A seemingly small slip, a human error or a missing name screening in the onboarding flow, led to a public enforcement action and a substantial fine. Beyond the financial cost, the incident attracted media attention and could have harmed customer trust in the brand. BNM’s action signals that it is actively monitoring compliance and willing to punish even first-time or inadvertent failures in AML controls. In an environment of increasing regulator scrutiny, e-money issuers must double down on preventive measures (like automated screening and robust CDD) and early detection of issues, rather than relying on after-the-fact fixes. The cost of non-compliance now far exceeds the investment required to build a compliant program. As one industry analysis put it, failure to keep up with evolving AML/CFT regulations in Malaysia can lead to severe penalties and legal consequences, given the country’s strengthened commitment to combating financial crime. Simply put, proactive compliance is now a licensing and reputational necessity for e-money firms.

The Need for Modern, Auditable Compliance Infrastructure

With BNM raising the bar on AML/CFT, traditional manual processes or disjointed tools are no longer sufficient for compliance. Regulators expect financial institutions, including fintech e-wallet providers, to leverage technology that can meet stringent real-time monitoring and reporting demands. In the 2025 draft and other guidelines, BNM and the Securities Commission emphasize real-time transaction oversight, dynamic risk assessment, effective investigation workflows, and auditability of compliance actions. These expectations “require modern technological solutions that are agile, transparent, and easily configurable.” In practice, an e-money issuer with millions of users and transactions needs an automated system to track unusual activity across all accounts, rather than relying on a handful of compliance analysts sifting spreadsheets after the fact.

A modern AML infrastructure for e-money providers should have several key capabilities. First, it must integrate real-time analytics, flagging suspicious transactions as they happen, so that potential money laundering can be stopped or reported immediately (for example, blocking a fraudulent funds transfer before it leaves the platform). BNM explicitly stresses the necessity of immediate action on suspicious activities to prevent losses and regulatory breaches, which is only feasible with real-time monitoring engines. Second, the system should employ a risk-based approach automatically, for example by assigning risk scores to customers and transactions. This allows focusing scrutiny where it matters most (e.g. higher risk scores trigger enhanced review), aligning with the regulators’ push for dynamic risk management. Third, a robust compliance platform should facilitate comprehensive record-keeping and audit trails. Every CDD check, every alert generated, and every investigation step should be logged. This not only helps internal oversight but also puts the institution in a strong position to demonstrate compliance during BNM inspections or audits. Regulators increasingly want to see that a reporting institution can produce documented evidence of its risk controls and decision-making process, something ad-hoc manual processes struggle with.

Critically, the infrastructure must also address the challenge of scale and efficiency. Fintech e-wallets often have user bases in the hundreds of thousands or millions, with high-volume, low-value transactions. This can lead to a flood of alerts if the monitoring rules aren’t smart, and overwhelming false positives can paralyze a compliance team. Intelligent automation, such as AI-driven false positive reduction, is becoming essential to maintain efficiency. We saw in the TNG Digital case that simple human oversight allowed a sanctioned name through, highlighting that manual checks alone are error-prone. By contrast, an automated system can consistently screen 100% of accounts and transactions against the latest watchlists and risk indicators. Moreover, modern solutions can apply machine learning to distinguish truly suspicious patterns from benign customer behavior, thereby suppressing noise. The end result is a compliance setup that is not only thorough and regulator-ready, but also scalable and sustainable for the business. In short, e-money issuers need an auditable, technology-driven AML infrastructure that covers end-to-end compliance, from CDD and sanction screening to monitoring, case management, and regulatory reporting, to meet BNM’s 2025 expectations. Investing in such infrastructure is now part and parcel of being a licensed EMI in Malaysia’s fintech ecosystem.

How Flagright Helps Malaysian E-Money Providers Meet AML/CFT Demands

Flagright is a compliance technology platform that many fintechs and financial institutions (including in Malaysia) deploy to address exactly these challenges. It offers an AI-native, unified solution for real-time AML compliance and fraud prevention. Below are ways Flagright’s infrastructure aligns with BNM’s AML/CFT requirements and helps e-money issuers build a strong, auditable compliance program:

  • Real-Time Transaction Monitoring & Risk Scoring: Flagright enables immediate, rules-based monitoring of all transactions. The platform’s engine identifies and responds to risks at the point of transaction, flagging or even blocking suspicious activities based on predefined scenarios and thresholds. Compliance teams can customize rules (e.g. set limits for wallet loading, detect rapid successive transactions, etc.) aligned with their risk appetite and BNM’s guidelines. Every transaction is also assigned a dynamic risk score in real time, which continuously adapts as new data comes in. This means higher-risk patterns get escalated instantly, fulfilling regulators’ expectations for prompt detection. By automating transaction surveillance, e-money providers can promptly catch anomalies like unusual spending spikes, multiple failed payments, or deviations from a customer’s typical behavior, all critical for anti-money laundering monitoring. Importantly, Flagright’s monitoring capabilities operate in real-time (sub-second), ensuring compliance teams are alerted to red flags immediately rather than days or weeks later, in line with BNM’s push for proactive oversight.
  • Sanctions & PEP Screening with AI Forensics: Flagright’s solution includes robust AML screening that checks individuals against global sanctions lists, PEP databases, and other watchlists through API integrations. What sets it apart is the use of AI Forensics technology to suppress false positives. Name-screening systems can often generate many irrelevant alerts (e.g. false name matches), but Flagright’s advanced AI analysis can clear up to 93% of false positives automatically. This dramatically reduces the noise, so compliance analysts can focus on true risks rather than sifting through dozens of “false alarm” hits. For a Malaysian e-wallet operator, this means when they screen new sign-ups or existing users nightly against the Domestic and UNSC sanction lists, the AI will intelligently filter out benign name coincidences (for example, distinguishing a common name from a truly matched banned entity). Legitimate matches, however, will be immediately flagged for review. By leveraging AI to fine-tune screening, Flagright helps EMIs maintain a rigorous sanctions/PEP compliance program without overburdening their team with unnecessary alerts. This capability directly addresses BNM’s requirement for effective sanction screening, while solving the operational headache of alert overload. All screening activities and decisions are logged, and the system continuously learns, further improving accuracy over time.
  • Integrated Case Management & Audit Logging: When a transaction alert is triggered or a sanction hit is identified, Flagright streamlines the investigation process through an integrated case management system. Compliance officers can triage alerts, attach notes, gather additional context (e.g. customer KYC information or transaction history), and decide on outcomes (such as filing a suspicious transaction report or closing an account) all within one platform. Each step taken in an investigation is automatically recorded, creating a detailed audit trail. This level of auditability is crucial for demonstrating compliance to regulators. If BNM inquires about a particular case or the firm’s overall AML controls, the EMI can easily produce records showing what actions were taken, by whom, and when, evidencing that proper procedures are in place. Flagright’s case management also supports collaboration, allowing multiple team members (or different departments) to work on a case and track its status. By centralizing case handling, e-money providers ensure that nothing falls through the cracks: suspicious activities are reviewed promptly and consistently, and outcomes (e.g. reporting to the Financial Intelligence Unit) are properly documented. This comprehensive logging and case workflow directly support governance expectations (e.g. board and compliance officer oversight) and keep the institution “audit-ready” at all times.
  • No-Code Rule Builder for Agile Compliance: Regulatory requirements and criminal typologies are always evolving, as evidenced by updates like BNM’s 2025 policy. Flagright addresses this by providing a no-code rule configuration interface. Compliance teams can create or modify detection rules and risk scoring models through an intuitive dashboard, without needing to write code or rely on IT developers. For example, if BNM issues new guidelines to monitor transactions related to certain high-risk countries or emerging fraud schemes, a compliance officer could quickly adjust threshold values or add a new rule to flag those scenarios in Flagright’s system. The operational flexibility to adapt controls is key to staying compliant over time. No-code tooling means even mid-sized fintechs without big engineering teams can keep their AML program aligned with the latest requirements and internal risk appetite. Moreover, changes can be deployed rapidly (and even tested with shadow rules), ensuring there is no lag in response to regulatory changes. This agility in rule management allows e-money issuers to remain confident that their monitoring stays effective as new risks emerge or as BNM refines its expectations. In addition, Flagright’s platform is built with local compliance in mind, for instance, ensuring data residency in Malaysia for sensitive data and offering out-of-the-box rules tailored to Malaysian regulations, making it easier for EMIs to hit the ground running with a compliant setup.

By leveraging a platform like Flagright, Malaysian e-money providers can effectively future-proof their AML/CFT compliance. Flagright’s centralized solution combines what would otherwise require multiple tools – real-time monitoring, watchlist screening, case management, reporting, and AI analytics – into one coherent system. This not only improves efficiency but also gives compliance leads a holistic view of risk. Flagright is already trusted by leading Malaysian institutions (such as major investment funds) for critical compliance operations, which attests to its local regulatory alignment and reliability. With 99.99% uptime and quick deployment timelines, the platform ensures minimal disruption and robust performance as firms upgrade their compliance infrastructure.

Conclusion: Proactive Compliance as a Competitive Necessity

The writing on the wall is clear for Malaysia’s fintechs and e-wallet issuers: proactive AML/CFT compliance is now a core requirement for both licensing and long-term success. BNM’s 2025 e-money exposure draft, coupled with recent enforcement actions, highlights that regulators expect the highest standards of due diligence, monitoring, and governance from digital payment providers. No longer can compliance be treated as a checkbox exercise or a back-office afterthought; it must be ingrained in product design and operations from day one. The good news is that by embracing modern regtech solutions and a risk-based approach, e-money issuers can turn compliance into a strength rather than a burden. In fact, meeting these stringent standards can become a competitive advantage, signaling to bank partners, customers, and regulators that your fintech can be trusted in handling funds and data responsibly.

As the regulatory demands continue to evolve, firms that invest in agile and powerful compliance infrastructure will be best positioned to adapt and thrive. Solutions like Flagright’s AI-driven platform make it feasible to fulfill BNM’s requirements efficiently, by automating processes, reducing false positives, and providing a 360° view of risk. This allows compliance teams to focus on strategy and complex cases, rather than drowning in paperwork or manual reviews. Ultimately, a strong AML/CFT program protects not just the regulator’s interests, but also the business itself, preventing fraud losses, safeguarding the company’s reputation, and building consumer confidence in the safety of the e-money service.

Fintech and e-money executives in Malaysia should treat AML compliance as mission-critical. Those who proactively upgrade their systems and culture now will avoid regulatory troubles and be ready to scale innovation in a compliant way. On the other hand, those who lag may find themselves facing penalties or even risking their operating license in an increasingly unforgiving environment. The choice is evident.

If you’re leading a Malaysian e-money or fintech company, now is the time to ensure your compliance infrastructure meets the new standards. Explore how Flagright’s AML platform can empower your team to stay ahead of BNM’s requirements and keep financial crime out of your ecosystem. Don’t wait for a fine or directive; take a proactive step. Book a demo to see how our modern AML solution can be tailored for e-money providers in Malaysia. Strengthening your AML/CFT defenses today is an investment in your company’s future stability and growth. Compliance done right is not just about avoiding downside risks; it’s the foundation for sustainable success in Malaysia’s dynamic fintech landscape.