Bank Negara issues Exposure Draft of Policy Document on Currency Processing Business

The Currency Act 2020 (“the Act”) which provides, inter alia, for the management of currency of Malaysia, the regulation of currency processing business and currency processing activities came into operation on 1 October 2020. Thereafter, the Currency Registration Requirements Order 2021 [P.U.(A) 127/2021] (“CRR Order”) which, inter alia, sets out the requirements for the registration of “currency processing business1 was gazetted and came into operation on 24 March 2021.
Our previous articles / alerts on the Act and the CRR Order, in particular, the currency processing business aspects thereof, can be accessed here, here, here and here.
On 17 January 2024, Bank Negara Malaysia (“BNM”) issued an exposure draft of the Policy Document on Currency Processing Business (“Exposure Draft”) seeking feedback on the proposals set out therein.
When the Policy Document arising from the Exposure Draft is issued (“Policy Document”), it will apply to persons registered under section 26(1) of the Act to carry on currency processing business (individually an “RCP” and collectively “RCPs”).
The Exposure Draft sets out the proposed standards and guidelines to be observed by RCPs in order to ensure prudent practice, professionalism, integrity, accountability and transparency of currency processing business.
The key areas covered by the Exposure Draft are:
  • governance;
  • operational requirements;
  • internal control; and
  • information technology (IT) requirements. 
Part B - Registration Requirements
An RCP is required to continuously comply with the CRR Order (as amended from time to time) when carrying on its currency processing business.2
Part C - Governance
The Exposure Draft sets out the responsibilities of the RCP and the board and senior management of an RCP.
An RCP is required to establish appropriate governance arrangements which are effective and transparent to ensure continued integrity of its business. These include: (a) ensuring the board and senior management consist of people with calibre, credibility and integrity3; (b) clearly defining and documenting organisational arrangements, such as ownership and management structure4; and (c) segregating duties and control function5 to reduce potential mismanagement and fraud6.
The board
The responsibilities of the board of an RCP include, among others, setting out the mandate, responsibilities and procedures of the board and its committees (if any), including the matters reserved for the board’s decision.7
The board of an RCP is to have overall responsibility for promoting sustainable business growth and financial soundness of the RCP and preventing mismanagement, fraud and abuse of the RCP for illegal purposes.8 In fulfilling this role, the board shall: (a) approve the risk appetite, business plans, and other initiatives which would, individually or collectively, have a material impact on the RCP’s risk profile9; (b) oversee the selection, appointment and performance of senior management in achieving the business objectives set by the board and in meeting the legal and fiduciary duties of the RCP10; (c) ensure that an effective oversight and risk management mechanism is put in place and is periodically reviewed for continued effectiveness11; and (d) oversee the management of the RCP’s control function12.
An RCP and its board must comply with the requirements set out in the Exposure Draft relating to board appointments, board composition and board meetings.13
Senior management
An RCP shall only appoint as its senior management, a person who has been assessed to have complied with the fit and proper criteria requirements specified in paragraph 11.1 of the Exposure Draft.14
The senior management primarily responsible for managing the day-to-day business operations of the RCP must ensure that the operation of the RCP is carried out ethically and professionally with integrity.15
The senior management shall: (a) consist of individuals with the appropriate skill set and experience to adequately support the RCP’s business16; and (b) ensure adequate allocation of resources as well as appropriately skilled and competent staff to support all critical functions17.
Fit and proper
An RCP shall: (a) assess and ensure that its directors and senior management are persons that fulfil the criteria as stipulated in the CRR Order18; and (b) notify BNM in writing together with the assessment made on any new appointment of directors or senior management within 14 days of such appointment, or existing appointment of its directors or senior management within 14 days from the effective date of the Policy Document19.
Part D - Operational Requirements
Opening and closing of cash processing centre
In relation to the opening of its cash processing centre (“CPC”), an RCP must: (a) ensure that the premises is in compliance with the requirement outlined in the CRR Order20; and (b) provide BNM with the information prescribed in paragraph 12.1(b) of the Exposure Draft within 30 days together with attestation that the newly opened premises complies with the relevant requirements in the CRR Order21.
An RCP shall establish appropriate plans for the closing of its CPC and orderly exit, including its communication strategy with other relevant stakeholders, such as the RCP’s customers and local authorities, to mitigate any unintended consequences.22 It shall also notify BNM in writing and consult with BNM for such closure of CPC together with information as required in the Appendix of the Exposure Draft.23
Outsourcing arrangement
An RCP shall remain responsible and accountable for any services performed by an outsourced service provider (“OSP”).24
The responsibilities of an RCP in relation to an outsourcing arrangement are set out in paragraphs 13.2 to 13.7 of the Exposure Draft. Among others, they include: (a) ensuring availability of sufficient expertise within the RCP to oversee and manage the outsourcing relationship25; (b) ensuring the scope and nature of services and operations to be outsourced would not compromise the controls and risk management of the RCP26; (c) conducting appropriate due diligence of the OSP when considering new outsourcing arrangements or renewing or renegotiating existing outsourcing arrangement with the OSP27; and (d) exercising effective oversight on the OSP28.
Part E - Risk Management and Internal Control
Risk management framework
An RCP shall establish a risk management framework taking into account its size, scope and complexity of business to facilitate identification, measurement and continuous monitoring of all relevant and material risks.29 In doing so, the RCP must: (a) align the framework with its risk appetite30; (b) clearly assign responsibilities and accountabilities for risk decisions31; and (c) ensure the framework facilitates efficient decision making in crises32.
An RCP must also: (a) periodically review the framework for continued effectiveness and be supported by a robust management information system that facilitates the timely and reliable monitoring and reporting of risks33; and (b) establish risk monitoring and reporting requirements, which include periodic reporting to the board and senior management on the assessment of material risks affecting the RCP, to ensure risks are managed and mitigated in a timely manner. The reports must be readily available to the internal audit function of the RCP and BNM.34
An RCP is required to effectively manage and control all material risks associated with the conduct of currency processing business, taking into account the size, scope and complexity of its business activities.35
In addition, an RCP is required to establish appropriate and properly documented processes, systems and controls that are approved by the board to manage risks in its business, which are reviewed by the key responsible persons and the board regularly to ensure its effectiveness.36
Internal control
In relation to internal controls, an RCP is required, among others, to: (a) put in place appropriate processes, systems and controls37; (b) maintain detailed business records to provide a comprehensive view of its operations and financial standing38; (c) put in place proper segregation of duties and functions for critical operations to prevent likelihood of mismanagement and avoid conflicts of interest39; (d) establish control function that complies with prescribed requirements40; and (e) implement an effective business continuity management (BCM) framework within the RCP41.
Fraud risk management
An RCP is required to put in place an effective mechanism, process and procedures on mitigation of fraud risk, fraud prevention, fraud detection and fraud monitoring which include, but are not limited to, the requirements prescribed in paragraphs 16.1(a) to 16.1(d) of the Exposure Draft.42
Part F - Information Technology Requirements
Technology risk management
An RCP is required to establish a Technology Risk Management Framework (“TRMF”) to safeguard the RCP’s information infrastructure, systems and data. The TRMF is to be an integral part of the RCP’s risk management framework in relation to its currency processing business.43
Technology operations management
The following are some of the technology operations management requirements imposed on an RCP under the Exposure Draft: (a) ensure proper management of data centres44; (b) ensure its network infrastructure is designed to be resilient, secure and scalable proportionate to the RCP’s business risk and model45; (c) ensure network services supporting critical systems are designed and implemented to ensure the confidentiality, integrity and availability of data46; (d) implement appropriate access controls policy for identification, authentication and authorisation of users (internal and external users such as OSP)47; and (e) implement appropriate physical access control to the RCP’s IT equipment (e.g. physical access controls to its servers, firewalls, routers and switches) which include identification, authentication and authorisation of the user (internal and external users) accessing the IT equipment48.
Technology Service Provider Management
An RCP that subscribes to services offered by an OSP shall establish the following controls to safeguard themselves in the service level agreement (“SLA”): (a) clearly define roles and responsibilities between the RCP and the OSP; (b) arrangements for disaster recovery and backup capabilities, where applicable; (c) written undertaking by the OSP on compliance with secrecy provisions under relevant legislation including survival of confidentiality provisions in the SLA after the engagement has ended; (d) clearly affirm the RCP’s ownership of its data stored on the OSP’s system; and (e) arrangements to secure business continuity in the event of exit or termination of the OSP.49
Patch and End-of-Life System Management
An RCP shall ensure that critical systems are not running on outdated systems with known security vulnerabilities or end-of-life (“EOL”) technology systems. In this regard, the RCP must clearly assign responsibilities to identified functions: (a) to continuously monitor and implement latest patch releases in a timely manner; and (b) identify critical technology systems that are approaching EOL for further remedial action.50
Part G - Other Requirements
Changes to business model
An RCP is required to notify BNM in writing of any proposed changes to its business or operating model which are significant or changes the risk profile of their business. If BNM considers the proposed change to business model will cause risk to quality and integrity of currency, it may require the RCP to implement risk mitigating measures before implementing such change.51
Information and data submission
An RCP shall submit the following to BNM: (a) its annual audited financial statements not later than three months after its financial year end; (b) statistical report on the operation of its business on a monthly basis; and (c) any other information as required by BNM.52
Effective date
The Policy Document is intended to come into effect in two stages. Parts A (Overview), Part B (Registration Requirements), Part D (Operational Requirements), Part E (Risk Management and Internal Control) and Part G (Other Requirements) will come into effect first whilst Part C (Governance) and Part F (Information Technology (IT) Requirements) are to come into effect at a later stage.53
Deadline for comments
The deadline for submission of responses to BNM on the Exposure Draft is 15 March 2024.
Article by Lee Ai Hsian (Partner) and Javene Fan (Associate) of the Banking and Finance Practice of Skrine.

1 The expression “currency processing business” means the business of: (a) collecting currency note or currency coin; (b) sorting currency note or currency coin by authenticity and quality; and (c) packing currency note or currency coin by quality, quantity and denomination.
2 Paragraph 7.1 of the Exposure Draft.
3 Paragraph 8.1(a) of the Exposure Draft.
4 Paragraph 8.1(b) of the Exposure Draft.
5 The expression “control function” refers to a function that has a responsibility independent from business lines to provide objective assessments, reporting and assurance on the effectiveness of policies and operations, and its compliance with legal and regulatory obligations. This includes the risk management function, the compliance function and the internal audit function or equivalent functions, by whatever name called.
6 Paragraph 8.1(c) of the Exposure Draft.
7 Paragraph 9.1 of the Exposure Draft.
8 Paragraph 9.2 of the Exposure Draft.
9 Paragraph 9.2(a) of the Exposure Draft.
10 Paragraph 9.2(b) of the Exposure Draft. Refer to sub-paragraphs (i) to (iii) of paragraph 9.2(b) for further details.
11 Paragraph 9.2(c) of the Exposure Draft. Refer to sub-paragraphs (i) to (v) of paragraph 9.2(c) for further details.
12 Paragraph 9.2(d) of the Exposure Draft. Refer to sub-paragraphs (i) to (iv) of paragraph 9.2(d) for further details.
13 Paragraphs 9.3 to 9.10 of the Exposure Draft.
14 Paragraph 10.1 of the Exposure Draft.
15 Paragraph 10.3 of the Exposure Draft. Refer to paragraphs 10.3(a) to 10.3(d) for further details.
16 Paragraph 10.4 of the Exposure Draft.
17 Paragraph 10.5 of the Exposure Draft.
18 Paragraph 11.1 of the Exposure Draft and paragraph 6 of the Schedule to the CRR Order.
19 Paragraph 11.2 of the Exposure Draft.
20 Paragraph 12.1(a) of the Exposure Draft.
21 Paragraph 12.1(b) of the Exposure Draft. Refer also to paragraphs 3 and 4 of the CRR Order.
22 Paragraph 12.2 of the Exposure Draft.
23 Paragraph 12.3 of the Exposure Draft.
24 Paragraph 13.1 of the Exposure Draft.
25 Paragraph 13.2(b) of the Exposure Draft.
26 Paragraph 13.2(c) of the Exposure Draft. Refer to sub-paragraphs (i) to (iv) of paragraph 13.2(c) for further details.
27 Paragraph 13.3 of the Exposure Draft.
28 Paragraph 13.6 of the Exposure Draft. Refer to paragraphs 13.7(a) to 13.7(e) for further details.
29 Paragraph 14.1 of the Exposure Draft.
30 Paragraph 14.2(a) of the Exposure Draft.
31 Paragraph 14.2(b) of the Exposure Draft.
32 Paragraph 14.2(c) of the Exposure Draft.
33 Paragraph 14.3 of the Exposure Draft.
34 Paragraph 14.4 of the Exposure Draft.
35 Paragraph 14.5 of the Exposure Draft. Refer to paragraph 14.7 for examples of specific risks associated with conduct of currency processing business.
36 Paragraph 14.6 of the Exposure Draft.
37 Paragraph 15.1.1 of the Exposure Draft. Refer to sub-paragraphs (a) to (d) of paragraph 15.1.1 for further details.
38 Refer to paragraphs 15.2.1 to 15.2.4 of the Exposure Draft for details.
39 Refer to paragraphs 15.3.1 and 15.3.2 of the Exposure Draft for details.
40 Refer to paragraphs 15.4.1 and 15.4.2 of the Exposure Draft for details.
41 Refer to paragraphs 15.5.1 to 15.5.8 of the Exposure Draft for details.
42 Paragraph 16.1 of the Exposure Draft.
43 Paragraph 17.1 of the Exposure Draft. Refer to paragraph 17.2 of the Exposure Draft for guidance on specific matters to be included in the TRMF.
44 Paragraph 18.1 of the Exposure Draft.
45 Paragraph 18.2 of the Exposure Draft.
46 Paragraph 18.5 of the Exposure Draft.
47 Paragraph 18.6 of the Exposure Draft.
48 Paragraph 18.9 of the Exposure Draft.
49 Paragraph 18.11 of the Exposure Draft.
50 Paragraph 18.12 of the Exposure Draft.
51 Paragraphs 19.2 and 19.3 of the Exposure Draft.
52 Paragraph 19.4 of the Exposure Draft.
53 Paragraph 4.1 of the Exposure Draft.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact