Bank Negara Malaysia issues revised policy document on e-KYC for financial institutions

29 April 2024

• licensed banks, licensed investment banks and licensed life insurers under the Financial Services Act 2013 (“FSA”);
• licensed Islamic banks and licensed family takaful operators under the Islamic Financial Services Act 2013 (“IFSA”);
• prescribed development financial institutions under the Development Financial Institutions Act 2002;
• approved issuers of designated payment instruments under the FSA;
• approved issuers of designated Islamic payment instruments under the IFSA; and
• licensed money services businesses under the Money Services Business Act 2011. 

• enable safe and secure application of e-KYC technology in the financial sector;
• facilitate BNM’s continued ability to carry out effective supervisory oversight of FIs; and
• ensure effective anti-money laundering, countering financing of terrorism and countering of proliferation financing (AML/CFT/CPF) control measures are in place. 

• something the customer possesses (e.g. national identity document such as an identity card, registered mobile number, company’s certificate of incorporation);
• something the customer knows (e.g. PIN, personal information, transaction history); and
• in the case of individuals, something the customer is (e.g. biometric characteristics). 

• Document verification – i.e. ensuring that the government issued ID to support e-KYC customer verification is authentic by utilising appropriate fraud detection mechanisms;
• Biometric matching – i.e. verifying the customer against a government issued ID by utilising biometric technology; and/or
• Liveness detection – i.e. ensuring the customer is a live subject and not an impersonator (e.g. through use of photos, videos, synthetic human face masks) by utilising liveness detection. 

• identification and verification of a legal person as an entity to establish the existence of a legitimate business¹;
• identification and verification of the authorised person appointed by the legal person to establish business relations and conduct transactions on its behalf; and
• identification and reasonable measures for verification of beneficial owners of the legal person. 

• electronic communication or documents that capture collective decision making by the directors of the legal person (e.g. digital forms of Directors’ Resolution or Letter of Authority) to appoint the authorised person and establish business relations are maintained in accordance with relevant record keeping requirements specified in paragraph 24 of the FI-AML Policy Document;
• the electronic means adopted to identify and verify the authorised person are within the legal person’s constitution or any other document which sets out the powers of the legal person; and
• the authorised person is identified and verified through e-KYC as an individual, having due regard to the measures set out in the Revised Policy Document for identifying and verifying a customer who is an individual. 

• utilising electronic technologies that identify and verify the directors, and subsequently capture evidence of directors’ consent (e.g. audited/circulated email trails, providing agreement or disagreement through personal secure authentication links for directors to consent, video-conferencing to verify consent, digital signatures and use of secure electronic voting platforms); and/or
• using third parties (e.g. Digital Company Secretaries) that may provide confirmation on the legitimacy of relevant evidence such as the Directors’ Resolution or Letter of Authority; 

• ensure that the e-KYC solution, encompassing the three e-KYC modules namely document verification, biometric matching and liveness detection has been assessed by a credible external independent assessor in accordance with the scope and criteria as provided in Appendix 3 of the Revised Policy Document; the FI must also ensure that the technology provider has put measures in place to address the gaps or weaknesses identified from such assessment in a timely manner; and
• ensure that the relevant certification(s) is obtained for the various modules under e-KYC solution, where such certification is available. 

• perform due diligence on the identified technology provider and the e-KYC solution; the due diligence which must be validated by an independent party, shall include: (i) assessing whether the technology provider has a good track record, experience and expertise in offering solutions involving regulated entities and products; and (ii) assessing the e-KYC solution’s technical capabilities (e.g. parameters, methodology of models used); and
• the requirements in paragraph 8.22 of the Revised Policy Document are fulfilled before implementing the e-KYC solution. 

• for the period of January to June of each year, the record shall be submitted no later than 4 August of the same year; and
• for the period of July to December each year, the record shall be submitted no later than 4 February the following year.³

• a FI which is a licensed person (namely a licensed bank, licensed investment bank, licensed insurer, licensed Islamic bank or licensed family takaful operator) or a prescribed development financial institution may implement and utilise an e-KYC solution after 14 working days from the receipt by BNM of the complete set of documents and information referred to in Appendix 5 of the Revised Policy Document; and
• a FI which is a licensed money-changing operator, licensed remittance service provider, approved non-bank issuer of designated payment instruments or designated Islamic payment instruments is required to obtain the written approval from BNM prior to implementing e-KYC; such FI must submit a complete set of documents and information referred to in Appendix 5 of the Revised Policy Document with its application.