Bank Negara issues policy document on e-KYC for financial institutions
13 July 2020
Bank Negara Malaysia (‘BNM’) issued a policy document,
Electronic Know-Your-Customer (e-KYC)[1] (‘Policy Document’) and a set of
Frequently Asked Questions on the Policy Document on 30 June 2020. The Policy Document came into effect on the date of its issuance.
The Policy Document will apply to each of the following entities (‘Financial Institution’) which proposes to implement electronic Know-Your-Customer (‘e-KYC’) solutions for on-boarding of customers who are individuals –
- licensed bank;
- licensed investment bank;
- licensed Islamic bank;
- licensed life insurer;
- licensed family takaful operator;
- prescribed development financial institution;
- licensed money-changing operator;
- licensed remittance service provider; and
- approved non-bank issuer of designated payment instruments and designated Islamic payment instruments.
Among the requirements set out in the Policy Document are the following –
- A Financial Institution must obtain its board approval on its overall risk appetite and internal framework governing the implementation of e-KYC;
- The board is to set and ensure the effective implementation of appropriate policies and procedures to address risks associated with the implementation of e-KYC (including operational, customer information, human capital, information technology and money laundering and terrorism financing risks);
- The requirement to adopt an appropriate combination of authentication factors to verify the identity of a customer being on-boarded;
- Where artificial intelligence, machine learning or other forms of predictive algorithms are used to verify a customer’s identity, a Financial Institution must ensure that the e-KYC solution is capable of accurately distinguishing between genuine and non-genuine cases of customer on-boarding; for this purpose, BNM has proposed a formula to be applied to determine False Acceptance Rates (FAR) and provided considerations and parameters to be observed by a Financial Institution in Appendix 1 of the Policy Document;
- Additional procedures are set out in Appendix 2 of the Policy Document for on-boarding of customers for current account, savings account and unrestricted investment account[2] due to the higher risks that may arise from inaccurate identification of such customers;
- To monitor the effectiveness and accuracy of e-KYC solutions that use artificial intelligence, machine learning or other forms of predictive algorithms, a Financial Institution that uses such solutions is required maintain a record of the performance of such e-KYC solution segregated on a monthly basis in accordance with the template set out in Appendix 3 of the Policy Document and to submit the record to BNM on a half yearly basis;
- The records maintained under the Policy Document are to be made readily available for inspection by BNM;
- A licensed person under the Financial Services Act 2013 or the Islamic Financial Services Act 2013 (i.e. a licensed bank, licensed investment bank, licensed insurer, licensed Islamic bank, licensed international Islamic bank, licensed takaful operator, licensed international takaful operator)[3] and a prescribed development financial institution under the Development Financial Institutions Act 2002 may proceed to implement and utilise the e-KYC solution after 14 working days from the receipt by the relevant departments of BNM of the complete submission of the information listed in Appendix 4; and
- A Financial Institution other than a licensed person or a prescribed development financial institution is required to obtain the written approval of BNM before implementing e-KYC.
Upon the implementation of e-KYC, most individuals will no longer be required to visit the physical premises of a Financial Institution to establish an account.
[1] The Policy Document was preceded by the issue of an exposure draft on 16 December 2019 seeking feedback from the public.
[2] The expression ‘unrestricted investment account’ is defined in the policy document on Investment Account dated 14 March 2014.
[3] There may be an inconsistency in reference in the Policy Document to a “
licensed person” as defined in the Financial Services Act 2013 and the Islamic Financial Services Act 2013 as a “financial institution”, as defined in paragraph 5.2 of the Policy Document does not include the following entities which are licensed persons under those legislation, namely a licensed general insurer and a licensed takaful operator who carries on general takaful business, a licensed international Islamic bank and a licensed international takaful operator.