Malaysia 2026, Practical Guide to Fintech Licensing: VASP, CASP, PSP & EMI Compliance Checklist

FinTech licensing in Malaysia sits at a pivotal juncture in 2026, shaped by accelerated guidance from both Bank Negara Malaysia (BNM) and the Securities Commission Malaysia (SC) across digital assets, payments and capital-market tokenisation. Yes, FinTech is legal and actively regulated in Malaysia, founders, compliance officers and general counsels can pursue clearly defined licensing pathways for virtual asset service providers (VASPs), crypto-asset service providers (CASPs), payment service providers (PSPs) and electronic money issuers (EMIs). The dual-regulator model means the correct licence depends on whether your product touches payment functions (BNM) or capital-market instruments (SC), and the expanding regulatory sandbox framework gives early-stage ventures a structured route to test before committing to a full application.

This guide consolidates every pathway, checklist and timeline a market-entry team needs in a single reference.

Specifically, this article covers:

• Which regulator oversees which activity, a concise mapping of BNM, SC and Labuan FSA responsibilities.
• Licence-by-licence application playbook, step-by-step procedures, document checklists, capital thresholds and realistic timelines for VASP, CASP, PSP and EMI authorisations.
• AML/KYC, custody and operational compliance, the baseline obligations every licensee must satisfy from day one, including the evolving position on stablecoin regulation in Malaysia.

Who Regulates FinTech in Malaysia, BNM, SC and Labuan FSA

Three regulators govern FinTech licensing in Malaysia. The division of authority is functional: BNM supervises payments, banking, money services and AML/CFT enforcement; SC supervises capital-market activity including digital-asset exchanges and tokenised securities; and Labuan FSA provides an offshore alternative for certain digital financial services. Understanding this split is the first decision point for any licensing strategy.

Bank Negara Malaysia, Payments, PSP, EMI and AML Oversight

Bank Negara Malaysia fintech oversight covers all payment instruments, e-wallets, remittance services and electronic money issuance under the Financial Services Act 2013 (FSA) and the Money Services Business Act 2011 (MSBA). BNM also administers the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), which sets the AML/CFT baseline for every financial institution and reporting entity in the country. BNM’s Regulatory Sandbox, available via the official BNM sandbox portal, provides a structured environment for FinTech firms to test innovative products under relaxed regulatory parameters before committing to a full licence application.

BNM’s Policy Document on Digital Currencies confirms that digital currencies are not legal tender in Malaysia but may be used as a medium of exchange subject to AML/CFT compliance. In 2026, BNM has signalled heightened focus on data-sharing frameworks and consumer-credit oversight, areas that directly affect buy-now-pay-later (BNPL) providers and open-banking platforms entering the market.

Securities Commission Malaysia, Capital Markets, Digital Assets and CASP

The Securities Commission Malaysia fintech mandate extends to any activity that constitutes dealing in securities, fund management or the operation of a recognised market, including digital asset exchanges (DAX) and initial exchange offerings (IEOs). Under its Capital Markets and Services Act 2007 (CMSA) and the Guidelines on Digital Assets, the SC registers and supervises digital-asset exchanges and token issuers. Its aFINIty digital development programme, accessible at the SC digital development portal, coordinates innovation labs, public consultations and masterplan initiatives that have intensified through 2025 and into 2026. Industry observers expect the SC’s ongoing consultations to refine disclosure requirements for tokenised securities and expand the recognised CASP framework.

Labuan FSA, Offshore Digital Financial Services

The Labuan Financial Services Authority regulates financial services conducted from the Labuan International Business and Financial Centre. Labuan FSA’s digital financial services licensing, detailed on its official digital financial services page, offers a route for entities whose clients are predominantly non-Malaysian or whose operations have a cross-border focus. A Labuan licence does not automatically permit solicitation of Malaysian residents, firms targeting the domestic market should apply to BNM or SC directly.

FinTech Licensing in Malaysia: Which Licence Do You Need, VASP, CASP, PSP or EMI?

Choosing the correct licence starts with mapping your product to a regulatory category. A crypto exchange serving retail investors follows a different path from a payment gateway processing merchant settlements or an issuer of fiat-pegged stablecoins. The four core pathways are set out below with the practical steps, document requirements and indicative timelines each entails.

VASP Licence Malaysia, Virtual Asset Service Providers

A VASP license in Malaysia is required for entities that facilitate the exchange, transfer or custody of virtual assets. Where those virtual assets are classified as securities or derivatives, the SC exercises primary jurisdiction under the CMSA and the Guidelines on Digital Assets. Where the VASP’s activity falls squarely into payment or money-services territory, for example, a crypto-to-fiat remittance corridor, BNM may assert jurisdiction instead. In practice, most exchange and custody operations will engage the SC’s registration framework as a recognised digital-asset exchange (DAX).

Step-by-step application flow:

1. Pre-application engagement. Submit a preliminary enquiry to the SC’s Innovation and Digital division outlining the proposed business model, target customers, token types and custody architecture. Industry observers expect this stage to take two to six weeks.
2. Formal application submission. File the complete application pack including all documents listed in the checklist below. Allow one to three weeks for administrative completeness checks.
3. Regulator review. The SC evaluates the business plan, technology stack, AML/CFT framework and fit-and-proper status of directors and key persons. The review typically spans three to six months, though complex applications may extend further.
4. Additional information requests. Most applicants receive at least one round of supplementary queries from the examiner, prepare for two to twelve additional weeks in this phase.
5. Approval and conditions. Successful applicants receive conditional registration with operational milestones (e.g., cybersecurity audit, custody testing) that must be met before the platform can go live.

Key documents checklist:

• Certificate of incorporation and memorandum/articles of association of a Malaysian-incorporated company.
• Detailed business plan covering revenue model, target market, projected volumes, and a three-year financial forecast.
• AML/CFT policy compliant with AMLA and BNM’s sector-specific guidance, including customer due diligence procedures, transaction monitoring protocols and suspicious activity reporting workflows.
• Custody architecture document, description of hot-wallet and cold-wallet infrastructure, key management, multi-signature controls and disaster recovery.
• Proof of paid-up capital, the SC determines minimum thresholds on a case-by-case basis; industry practice reported by secondary sources suggests amounts in the range of RM 5 million for DAX operators.
• Senior management CVs and fit-and-proper declarations for all directors, CEOs, compliance officers and key persons.
• Local office arrangements, evidence of a physical presence in Malaysia with locally resident responsible officers.

CASP Licence Malaysia, Capital-Market Crypto-Asset Service Providers

Where a digital asset qualifies as a security or a derivative under the CMSA, the operator must obtain a CASP licence from the Securities Commission Malaysia. This applies to platforms conducting IEOs, operating secondary markets for tokenised securities, or providing fund-management services involving digital assets. The SC distinguishes between registration (for recognised markets) and approval (for individual product offerings such as IEOs), and the capital and disclosure thresholds are correspondingly higher than for a standard VASP.

The SC’s Guidelines on Digital Assets require CASP applicants to demonstrate robust investor-protection mechanisms, including segregation of client assets, independent custody arrangements and comprehensive disclosure documents. Tokenised security issuers must prepare a prospectus or whitepaper that meets SC content standards, covering risk factors, use of proceeds, issuer governance and token economics.

Key documents checklist:

• Prospectus or whitepaper meeting SC content and disclosure standards.
• Audited financial statements of the issuer or platform operator for the most recent financial year.
• Custody and segregation policy, independent custodian appointment, proof-of-reserves methodology and reconciliation procedures.
• Technology and cybersecurity audit report from an independent assessor.
• Investor complaint-handling framework and redress mechanism.

Payment Service Provider Licence Malaysia, PSP

A payment service provider licence in Malaysia is issued by BNM under the FSA or the MSBA, depending on the exact activity. E-wallet operators, merchant acquirers, cross-border remitters and payment gateway providers all fall within BNM’s licensing perimeter. BNM published guidance affirming its continued acceptance of sandbox applications from payments FinTechs, and SunRate’s Bank Negara licence approval reported on 28 April 2026 illustrates that the regulator remains actively processing new entrants in the remittance space.

Key documents checklist:

• Licence application form specifying the payment function (e-money, remittance, payment initiation, merchant acquiring).
• Sandbox participation confirmation (if applicable) with test results and regulator feedback.
• Settlement and reconciliation procedures, description of clearing cycles, float management and partner-bank arrangements.
• Consumer-protection policy, complaint handling, refund procedures and dispute resolution.
• Capital adequacy evidence, BNM sets minimum capital and safeguarding requirements on a case-by-case basis; applicants should expect to demonstrate sufficient liquid reserves to cover outstanding e-money obligations and operational costs.

EMI Licence Malaysia, Electronic Money Issuers

An EMI licence in Malaysia authorises the issuance of electronic money, stored monetary value accepted as a payment instrument by parties other than the issuer. BNM is the primary regulator. EMIs occupy a distinct category from PSPs because the issuance of electronic money triggers specific safeguarding obligations: customer funds must be ring-fenced, placed in trust accounts with licensed banks, and reported separately from the issuer’s operational capital. Where the EMI’s operations are predominantly cross-border and do not target Malaysian residents, a Labuan FSA digital financial services licence may be an alternative route.

Key documents checklist:

• E-money float management policy, trust account structure, daily reconciliation, and maximum float-to-capital ratio.
• Safeguarding of customer funds, appointment of a licensed trust account bank, segregation methodology and auditor oversight.
• Capital and reserve adequacy, BNM expects EMIs to maintain operational liquidity above and beyond the safeguarded float.
• Periodic reporting template, monthly or quarterly returns on float balances, transaction volumes and AML/CFT metrics.

Licensing Application, Step-by-Step Procedural Checklist and Timeline

Regardless of the specific licence type, every fintech licensing Malaysia application follows a broadly similar procedural arc. The timeline and intensity of regulator interaction vary by licence category, but the five-stage framework below applies to VASP, CASP, PSP and EMI applications alike.

Stage 1, Pre-Application Engagement

Early and structured dialogue with the relevant regulator is critical. For BNM-supervised activities, this means contacting the Financial Technology Enabler Group or the relevant licensing department. For SC-supervised activities, the Innovation and Digital division handles preliminary discussions. At this stage, the regulator assesses the novelty, risk profile and regulatory fit of the proposal. Aim to provide a concise one-page summary of the business model, the regulatory framework you believe applies and any sandbox intentions. This stage typically takes two to six weeks.

Stage 2, Sandbox Testing (Optional but Recommended)

BNM’s Regulatory Sandbox, governed by the framework published on its official sandbox page, allows applicants to test products with real customers under relaxed regulatory conditions. Sandbox periods typically last six to twelve months, and BNM may extend or shorten the test depending on product complexity and consumer risk. Early indications suggest that applications which enter the market via the sandbox receive faster full-licence approvals because the regulator already has operational data and compliance track records to evaluate.

Stage 3, Formal Application Submission

Submit the complete application pack with all documents from the relevant checklist above. Administrative completeness checks usually take one to three weeks. Incomplete submissions are the single most common cause of delay, missing AML policies, unsigned fit-and-proper declarations and insufficiently detailed custody architecture documents are frequent deficiencies flagged by examiners.

Stage 4, Post-Submission Review, Audit and Inspection

During the substantive review phase, the regulator evaluates the business plan, technology infrastructure, AML/CFT readiness and governance structure. Expect on-site inspections or virtual walkthroughs of key systems. Most applicants receive at least one round of additional information requests. The review phase typically lasts three to six months for straightforward applications, with an additional two to twelve weeks for supplementary information rounds.

Stage 5, Approval and Post-Approval Operational Milestones

Successful applicants receive conditional approval with specific operational milestones, completing a cybersecurity penetration test, finalising custodian agreements, appointing a compliance officer with a local presence, or conducting a live trial with a limited user base. Only once these conditions are satisfied does the licence become fully effective.

AML/KYC, Capital and Fit-and-Proper Requirements

Every fintech licensing Malaysia pathway imposes a baseline of anti-money laundering, capital adequacy and governance obligations. Failing to meet these from the outset is the fastest route to application rejection or post-licence enforcement action.

AML/CFT Baseline, AMLA and BNM Expectations

The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) is the statutory backbone. Every reporting institution, whether a VASP, PSP or EMI, must implement customer due diligence (CDD) procedures including identity verification, beneficial-ownership identification and risk-based ongoing monitoring. Enhanced due diligence (EDD) applies to politically exposed persons, high-risk jurisdictions and unusually large or complex transactions. Licensees must establish transaction-monitoring systems capable of generating and filing Suspicious Transaction Reports (STRs) with BNM’s Financial Intelligence and Enforcement Department. BNM’s Policy Document on Anti-Money Laundering and Counter Financing of Terrorism, supplemented by sector-specific guidance including its Digital Currency policy document, sets detailed expectations for record-keeping (minimum five years), staff training frequency and internal audit obligations.

Capital and Financial Sustainability

Capital requirements are not set at a single statutory figure across all licence types. Instead, BNM and SC each exercise discretion based on the applicant’s risk profile, projected transaction volumes and operational model. Industry practice reported by secondary advisory sources suggests paid-up capital thresholds in the range of RM 5 million for digital-asset exchange operators under the SC’s framework, with PSP and EMI capital requirements varying according to the scale of e-money issuance and float management obligations. Applicants should prepare a detailed three-year financial projection demonstrating that the business can sustain operational costs, absorb potential losses and maintain the required capital buffer throughout the licence period.

Fit-and-Proper Requirements, Management and Board

Both BNM and SC require directors, CEOs, compliance officers and key operational persons to satisfy fit-and-proper criteria. This includes criminal-background checks, bankruptcy searches, regulatory-history disclosures and competency assessments. The likely practical effect of recent regulator signals is an increasing expectation that at least one senior officer, typically the compliance officer or a responsible director, holds Malaysian residency or permanent-resident status and is physically present in-country. Board diversity, independence and relevant sector experience are also assessed, and the regulator may request replacement of individuals who do not meet the threshold before granting approval.

Operational and Technical Considerations, Custody, Stablecoins and Data Sharing

Custody Architecture, Hot/Cold Segregation and Proof of Reserves

Licensed VASPs and CASPs must implement custody arrangements that segregate client assets from operational assets at all times. The SC expects a clear split between hot-wallet balances (used for active trading and withdrawals) and cold-wallet reserves (held offline with multi-signature controls). Proof-of-reserves reporting, either via periodic third-party attestations or on-chain transparency mechanisms, is increasingly expected as market best practice, and early indications suggest that the SC views this favourably during application reviews. Disaster recovery, key management and incident-response protocols must be documented and tested before go-live.

Stablecoin Regulation Malaysia, 2026 Regulatory Posture

Stablecoin regulation in Malaysia remains in active development. BNM’s Policy Document on Digital Currencies confirms that digital currencies, including stablecoins, are not legal tender. However, they may be used as a medium of exchange and are subject to AML/CFT requirements under AMLA. Where a stablecoin constitutes a security or a derivative, the SC’s digital-asset framework applies. In practice, issuers of fiat-pegged stablecoins targeting Malaysian users should expect to demonstrate full reserve backing (typically one-to-one with high-quality liquid assets), transparent and frequent reserve attestation, and robust redemption mechanisms. The SC’s ongoing public consultations through its aFINIty programme are expected to provide further clarity on the supervisory treatment of stablecoins and tokenised deposits.

Data Sharing, Privacy and Consumer Credit

BNM’s 2026 signals on data-sharing frameworks carry direct implications for open-banking, BNPL and credit-scoring FinTechs. Firms that aggregate or share customer financial data must comply with the Personal Data Protection Act 2010 (PDPA) and any BNM-specific data-handling directives. Industry observers expect new guidance on consumer-credit data sharing to emerge during the second half of 2026.

Quick Comparative Table and Decision Checklist

Use the table below as a rapid reference when determining reporting cadence and primary compliance contacts for each licence type under fintech licensing Malaysia rules.

Decision checklist, before you apply:

• Have you classified your product under the correct regulatory category (payments vs capital markets vs e-money)?
• Is your entity incorporated in Malaysia (or Labuan, if offshore route)?
• Do you have a locally resident compliance officer and at least one fit-and-proper director?
• Is your AML/CFT policy drafted, approved by the board, and operationally ready (CDD, monitoring, STR filing)?
• Can you demonstrate adequate paid-up capital and a credible three-year financial forecast?
• Is your custody architecture documented, tested, and ready for regulator inspection?

Conclusion, Practical Next Steps for FinTech Licensing in Malaysia

Malaysia’s fintech licensing framework in 2026 offers structured, regulator-supported pathways for VASPs, CASPs, PSPs and EMIs, but the margin for application error is narrow and timelines are unforgiving for unprepared applicants. The practical next steps for any team evaluating market entry are straightforward:

1. Classify your product accurately, determine whether BNM, SC or Labuan FSA holds jurisdiction before drafting any application materials.
2. Engage the regulator early, pre-application dialogue de-risks the formal submission and surfaces classification issues before they become delays.
3. Assemble your application pack in full, use the checklists above to ensure every document (AML policy, custody architecture, capital evidence, fit-and-proper declarations) is complete, signed and board-approved.
4. Build AML/CFT readiness from day one, AMLA compliance is non-negotiable, and regulator examiners test it thoroughly during review.
5. Consider the sandbox, for novel products, the BNM Regulatory Sandbox remains the recommended pre-licence testing route.

For readers seeking to connect with experienced FinTech licensing practitioners in Malaysia, Global Law Experts maintains a curated directory of specialists across VASP, CASP, PSP and EMI authorisations. Bookmark this guide and revisit it as BNM and SC publish updated guidance through the remainder of 2026.

Sources

1. Bank Negara Malaysia, Regulatory Sandbox
2. Bank Negara Malaysia, Policy Document on Digital Currency
3. Securities Commission Malaysia, Digital / Development (aFINIty)
4. Labuan Financial Services Authority, Digital Financial Services
5. Fintech News Malaysia, SunRate Bank Negara Licence (April 28, 2026)
6. Sumsub, Crypto Regulations in Malaysia Guide
7. LegalBison, Crypto License Malaysia
8. Prifinance, Cryptocurrency License Malaysia