Bank Negara issues Exposure Draft of Policy Document on e-KYC
07 March 2023
On 23 February 2023, Bank Negara Malaysia (‘BNM
’) issued an Exposure Draft of the Policy Document on Electronic Know-Your-Customer
The Exposure Draft sets out the proposed enhanced requirements and guidance in implementing electronic Know-Your-Customer (‘e-KYC
’) solutions for the on-boarding of individuals and legal persons to the financial sector. The Exposure Draft takes into consideration the advancements in technology to facilitate e-KYC solutions since the issuance of the Policy Document on Electronic Know-Your-Customer
(‘Existing Policy Document
’) on 30 June 2020. Our summary of the salient requirements of the Existing Policy Document can be accessed here
The policy document arising from the Exposure Draft will apply to the financial institutions (severally a ‘financial institution
’ and collectively ‘financial institutions
’) who are subject to the Existing Policy Document, namely:
- licensed banks;
- licensed investment banks;
- licensed Islamic banks;
- licensed life insurers;
- licensed family takaful operators;
- prescribed development financial institutions;
- licensed money-changing operators;
- licensed remittance service providers; and
- approved non-bank issuers of designated payment instruments and designated Islamic payment instruments.
e-KYC for legal persons
The main enhancements are set out in paragraphs 8.1 and 8.7 to 8.13 of the Exposure Draft which introduce the minimum requirements for conducting e-KYC on legal persons. The main requirements are as follows:
||A financial institution is required to obtain the approval of its board of directors on the overall risk appetite and internal framework governing the implementation of e-KYC for legal persons;1
||identification and verification of a legal person as an entity to establish the existence of a legitimate business3;
||identification and verification of the authorised person4 appointed by the legal person to establish business relations and conduct transactions on behalf of the legal person; and
||identification and reasonable measures for verification of beneficial owners5 of the legal person;
||In relation to paragraph 2(b) above, where the identification and verification of the authorised person is conducted via electronic means, a financial institution shall ensure that:
||electronic communication or documents that capture collective decision making by the directors of the legal person (e.g. digital forms of Directors’ Resolution or Letter of Authority) to appoint the authorised person and establish business relations are maintained in accordance with relevant record keeping requirements specified under paragraph 24 of the FI-AML/CFT/TFS Policy Document;
||such electronic means adopted to identify and verify the authorised person are within the legal person’s constitution or any other document which sets out the powers of the legal person; and
||the authorised person is identified and verified through e-KYC as an individual, having due regard to the measures set out in the Exposure Draft for identifying and verifying a customer who is an individual7;
||In respect of paragraph 5(a) above, such electronic means to capture collective decision making by the directors of the legal person on the appointment of the authorised person may, without limitation, include the following:
||utilising electronic technologies that identify and verify the directors, and subsequently capture evidence of directors’ consent (e.g. audited/circulated email trails, providing agreement or disagreement through personal secure authentication links for directors to consent, video-conferencing to verify consent); and/or
||using third parties (e.g. Digital Company Secretaries) that may provide confirmation on the legitimacy of relevant evidence such as the Directors Resolution or Letter of Authority;
||A financial institution is required to undertake its own risk assessment to clearly define parameters for classifying potential legal persons (e.g. higher risk) that are not allowed to establish business relations through e-KYC.
e-KYC of individuals for higher risk products
The e-KYC safeguards to be adopted for individuals in respect of offerings of higher risk products, such as current account, savings account and unrestricted investment account with fund placement and withdrawal flexibilities and funds transfer features, in Appendix 3 of the Exposure Draft (Appendix 2 of the Existing Policy Document), have been expanded to address individuals who do not have any existing bank account to perform a credit transfer. The new measures require the financial institution to:
||have in place sufficient controls based on internal assessment of risk arising from offering the product without the credit transfer step;
||be able to demonstrate that their e-KYC solution remains effective and secure;
||consider building in additional verification measures8 and ringfencing parameters to establish higher assurance levels and limit risk exposure;
||take reasonable measures to verify whether the individual customer has an existing bank account with another licensed person; and
||notify BNM in accordance with paragraph 10.1 of the Exposure Draft before adopting for the first time, an e-KYC process without credit transfer for higher risk products.
The policy document ensuing from the Exposure Draft will come into effect on the date to be specified in the policy document and will replace the Existing Policy Document.
Comments on the Exposure Draft are to submitted to BNM in writing, preferably by electronic submission, by 2 May 2023
The extension of the Existing Policy Document to cover e-KYC for legal persons is timely.
Article by Lee Ai Hsian (Partner) of the Banking and Property Practice of Skrine.
This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact email@example.com.
Paragraph 8.1 of the Exposure Draft.
In particular, refer to the requirements relating to legal persons, clubs, societies and charities contained in paragraphs 14A.9, 14B.11, 14C.10 and 14D.9 of the FI-AML/CFT/TFS Policy Document.
Financial institutions in the money services business sector are also required to comply with the identification and verification requirements for legal persons and the authorised person under Supplementary Document No.1.
An “authorised person” is defined in paragraph 5.2 of the Exposure Draft as a natural person appointed in writing by a legal person to operate and maintain an account with a financial institution including to open, close and give any instruction for the conduct of financial transactions in the account on behalf of the legal person.
Refer to paragraphs 14A.9.6, 14B.11.12, 14C.10.7 and 14D.9.6 of the FI-AML/CFT/TFS Policy Document.
There is no corresponding appendix in the Existing Policy Document.
See paragraph 8.6 of the Exposure Draft.
A list of non-exhaustive measures are set out in paragraph 6 of Appendix 3 of the Exposure Draft.