Understanding how to get a VASP license in Malaysia is the single most important regulatory step for any founder or compliance team planning to launch virtual-asset services in the country during 2026. The Securities Commission Malaysia (SC) oversees the registration and licensing of digital-asset operators under the Capital Markets and Services Act 2007 (CMSA) and its supporting guidelines, while Bank Negara Malaysia (BNM) sets overlapping anti-money-laundering and counter-financing-of-terrorism (AML/CFT) obligations under the Anti‑Money Laundering, Anti‑Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA). With updated SC practice notes on digital-asset broking and fresh DAX registration guidance now in effect, there has never been a more critical, or more complex, time to prepare a clean application.
At a glance, the path to obtaining a VASP licence in Malaysia in 2026 follows five core stages:
- Determine the correct authorisation: VASP, Recognised Market Operator (DAX/RMO), or Capital Markets Services Licence (CMSL).
- Assemble corporate and governance documents: company formation, shareholding, board composition and fit‑and‑proper evidence.
- Build your AML/CFT framework: documented policies, KYC/KYB procedures, transaction monitoring and SAR reporting systems.
- Prepare and submit the full documentation pack to the SC with business-model statements, risk assessments and governance certifications.
- Navigate the SC review: respond to regulatory queries, clear fit‑and‑proper checks and satisfy any conditions before approval.
The sections below walk through each stage in detail, from initial scoping through to post-approval obligations. Founders seeking FinTech practice area guidance should begin with the decision-tree analysis in Section 1 and work forward sequentially.
1. Who Needs a VASP Licence in Malaysia? Decision Tree and Scope
Under Malaysia’s regulatory framework, any entity that provides virtual-asset services, including exchange, custody, transfer or broking of digital assets, on behalf of third parties must obtain the appropriate authorisation from the SC. The term “virtual asset service provider” aligns broadly with the Financial Action Task Force (FATF) definition and covers a wider range of activities than many founders initially expect.
Before filing any paperwork, you need to determine which authorisation category applies to your specific business model. Malaysia’s digital-asset regulatory architecture uses three primary licence pathways:
- Recognised Market Operator (RMO) / DAX. Applies to platforms that operate a digital asset exchange (DAX), matching buy and sell orders between users. The SC maintains an official list of registered DAX operators.
- Capital Markets Services Licence (CMSL) for Digital Asset Broking / Fund Management. Applies to entities that carry on regulated activities under the CMSA in relation to digital assets, including dealing, advising or managing funds.
- VASP (broader scope). Covers entities providing custody-as-a-service, wallet infrastructure for third parties, transfer services, or combined models that do not fit neatly into the RMO or CMSL categories.
Examples of Activities That Trigger a VASP Licence Requirement
- Operating a peer-to-peer exchange or order-book platform for digital assets
- Holding private keys or custodial wallets on behalf of clients
- Facilitating fiat-to-crypto or crypto-to-crypto conversions for third parties
- Providing digital-asset broking, advisory or portfolio management services
- Offering staking-as-a-service or yield products that involve managing client assets
If your product or service involves holding, moving or converting virtual assets that belong to someone else, you almost certainly need to apply. Founders operating purely self-custody software, where users maintain sole control of their private keys, generally fall outside the licensing perimeter, but the analysis must be conducted carefully on a case-by-case basis. For a detailed comparison of each authorisation pathway, see the cluster article "VASP vs DAX vs CMSL: which authorisation?"
2. 2026 Regulatory Update: What Changed for VASP Licence Malaysia Applicants
The regulatory landscape for digital assets in Malaysia has evolved significantly between 2024 and 2026, making it essential for applicants to build their applications against the most current SC guidance rather than older templates.
Key developments that shape how to get a VASP license in Malaysia in 2026 include:
- Updated SC Practice Notes on Digital Asset Broking. The SC has issued revised practice notes that expand the documentation and operational-readiness evidence required from applicants, particularly around technology infrastructure, cybersecurity controls and investor-protection mechanisms.
- Expanded DAX Registration Guidance. The SC’s list of registered digital asset exchanges, published on the SC website, reflects a rigorous gatekeeping standard. The SC has registered a limited number of Recognised Market Operators to establish and operate digital asset exchanges in Malaysia, and new applicants face elevated scrutiny.
- AML/CFT Alignment with FATF Travel Rule. BNM’s AML/CFT guidelines continue to incorporate FATF recommendations, including requirements for virtual-asset transfer information sharing (the “Travel Rule”), which applicants must demonstrate readiness to comply with from day one.
- BNM Digital Asset and Innovation Hub (DAIH) Pilots. Early indications suggest that BNM’s sandbox and pilot frameworks for innovative digital-asset models are creating additional pathways, but also additional due-diligence expectations, for founders exploring novel tokenisation or payment products.
Immediate Implications for Applicants
Industry observers expect these updates to mean longer preparation cycles (budget two to six months before submission), more granular technology documentation, and stricter AML/CFT systems testing at the application stage. Applicants who rely on outdated templates or thin compliance frameworks are likely to face extended review timelines or outright rejection.
3. Pre‑Application Checklist: Corporate and Governance Documents
A clean application starts long before you submit paperwork to the SC. This section provides the detailed pre-application checklist that founders and compliance teams should work through systematically to meet VASP requirements in Malaysia.
Corporate Formation and Structure
- Malaysian Company Registration. The applicant entity must be incorporated in Malaysia (or, for Labuan, registered under the Labuan Companies Act 1990). Prepare the Certificate of Incorporation, Memorandum and Articles of Association, and current SSM extract.
- Shareholding Structure. Provide a complete shareholding chart showing all direct and indirect shareholders down to the ultimate beneficial owner (UBO) level. Where complex holding structures exist, annotated diagrams are strongly recommended.
- Board of Directors. Identify all directors, including at least one Malaysian-resident director with demonstrable competence in financial services, compliance or technology. Provide signed CVs and professional references for each.
- Registered Office and Local Presence. The SC expects meaningful operational presence in Malaysia, not a shell or virtual office. Document the physical address, staffing plan and local operational infrastructure.
- Paid-Up Capital. While minimum capital requirements vary by licence category, applicants should prepare audited financial statements and evidence of sufficient capitalisation to support the proposed business model for at least 12 months.
Fit‑and‑Proper Evidence Required
Fit‑and‑proper assessment is one of the SC’s primary gatekeeping tools. Every director, key officer and substantial shareholder must clear this hurdle. The evidence pack for each individual should include:
- Detailed curriculum vitae covering the past 10 years of professional experience
- Professional and character references (minimum two per individual)
- Source-of-funds declarations for substantial shareholders, supported by audited accounts, bank statements or certified wealth-source documentation
- Police-clearance certificates or statutory declarations confirming no criminal convictions
- Disclosure of any prior regulatory actions, sanctions or disciplinary proceedings in any jurisdiction
- Evidence of relevant qualifications or professional certifications (where applicable)
Incomplete or inconsistent fit‑and‑proper submissions are among the most common causes of application delays. For a deeper analysis of governance structuring, see the supporting article on fit‑and‑proper governance and shareholding structures for VASP applications.
4. AML/CFT Obligations for a VASP Licence in Malaysia: What the SC and BNM Will Check
AML/CFT compliance is the cornerstone of any VASP licence application in Malaysia. Under AMLA and BNM’s AML/CFT guidelines, all virtual-asset service providers are reporting institutions and must implement robust controls before commencing operations, and demonstrate those controls during the application process itself.
The SC and BNM will evaluate your AML/CFT framework across five core pillars:
1. Customer Due Diligence (KYC/KYB)
- Implement risk-based CDD procedures for all customers, with enhanced due diligence (EDD) for higher-risk clients, politically exposed persons (PEPs) and complex corporate structures.
- Collect and verify identity documents, proof of address and source-of-funds information before onboarding.
- For business clients (KYB), verify the company’s registration, UBO structure, board composition and nature of business.
2. Transaction Monitoring
- Deploy automated transaction-monitoring systems capable of flagging unusual patterns, structuring, rapid movement of large volumes and transactions with high-risk jurisdictions.
- Calibrate thresholds to the specific risk profile of your platform and customer base.
- Maintain audit trails of all alerts, investigations and dispositions.
3. Suspicious Activity Reporting (SARs)
- Establish internal escalation procedures for suspicious transactions.
- File Suspicious Transaction Reports (STRs) with the Unit for Intelligence and Financial Analysis (UIF) within the prescribed timeframes under AMLA.
- Ensure that SAR processes are documented and that staff are trained to recognise red-flag indicators.
4. Sanctions Screening
- Screen all customers, counterparties and transactions against Malaysian domestic sanctions lists, United Nations Security Council lists, OFAC and other applicable international sanctions regimes.
- Implement real-time and batch screening at onboarding and on an ongoing basis.
5. AML Program Governance
- Appoint a named Anti-Money Laundering Compliance Officer (AMLCO) at the senior management level.
- Ensure the board of directors has documented oversight responsibility for the AML/CFT program.
- Conduct regular independent audits of AML/CFT systems and controls.
- Deliver mandatory staff training on AML/CFT obligations at onboarding and at least annually thereafter.
Custody service providers face particular scrutiny. While owning and using a personal crypto wallet is legal in Malaysia for investment purposes, any entity that holds private keys or custodial wallets on behalf of clients is considered a virtual asset service provider and must meet all AML/CFT obligations described above. The distinction between self-custody (where the user alone controls the keys) and custodial services (where the provider holds keys on the user’s behalf) is critical to the licensing analysis.
AML/CFT Obligations Comparison: DAX/RMO vs Other VASPs
| Obligation | Recognised Market Operator (DAX / RMO) | Other VASPs (Custodians / Brokers) |
| --- | --- | --- |
| Registration / recognition | Must be registered as RMO with SC; full DAX operator scrutiny and market rules | Licence/certification as VASP; AML/CFT program review |
| Customer onboarding (KYC/KYB) | Strong KYC + retail investor protections; disclosure obligations | KYC/KYB per AMLA thresholds; enhanced due diligence for institutional clients |
| Transaction monitoring / SARs | Real-time monitoring expectations; trade surveillance rules | Transaction monitoring required; SARs to UIF and SC as applicable |
| Capital & custody requirements | Higher operational capital and asset-segregation rules | Custody controls required; insurance/compliance buffer often expected |
| Ongoing reporting | Regular market operator returns and incident reporting | Periodic AML/CFT returns, suspicious activity reports, audit reports |
For sample AML/CFT risk-assessment templates and annotated KYC policy clauses, see the supporting article on the AML/CFT checklist for Malaysian VASPs.
5. Step‑by‑Step Application Process: How to Get a VASP License in Malaysia
Once your corporate structure is finalised, your governance team passes initial fit‑and‑proper review, and your AML/CFT framework is documented, the formal application process begins. This section provides the annotated documentation pack and submission sequence that compliance teams should follow.
Documentation Pack: What to Prepare
- Application Cover Letter. Addressed to the SC, identifying the applicant entity, the authorisation sought (RMO/DAX, CMSL or VASP registration) and the principal contact person.
- Business Model Statement. A detailed written description of the proposed business model, including the products and services to be offered, target market, revenue model, technology architecture and competitive positioning. Annotate this with references to how each activity maps to the relevant CMSA regulated activity.
- Corporate Documents. Certificate of Incorporation, constitutional documents, SSM extract, shareholding chart (annotated to UBO level), board and key officer details with signed CVs.
- Fit‑and‑Proper Pack. Individual packs for each director, key officer and substantial shareholder (see Section 3 above).
- AML/CFT Program Documentation. The complete AML/CFT manual, including CDD/EDD procedures, transaction-monitoring rules, SAR escalation workflows, sanctions-screening methodology, training program outline and AMLCO appointment letter.
- Risk Assessment. A written enterprise risk assessment covering operational, technology, financial-crime, custody, market and regulatory risks, with documented mitigation strategies for each.
- Technology and Cybersecurity Documentation. System architecture diagrams, penetration-testing reports, business-continuity and disaster-recovery plans, and data-protection policies. The SC’s updated practice notes place particular emphasis on custody-wallet security, hot/cold wallet segregation procedures and incident-response protocols.
- Financial Statements and Capital Evidence. Audited financial statements (or management accounts for newly incorporated entities), bank statements confirming available capital, and a 12-month financial projection.
- Governance Certifications. Board resolutions authorising the application, compliance-charter documents, internal-audit terms of reference, and conflict-of-interest policies.
- Insurance Evidence. Details of professional-indemnity insurance, cyber-insurance or fidelity coverage, where applicable.
Common Application Mistakes and How to Fix Them
Applications fail or stall for predictable reasons. The most frequently observed deficiencies include:
- Incomplete UBO disclosure. Failing to trace shareholding to the ultimate beneficial owner. Fix: use an annotated diagram and include statutory declarations at every layer.
- Generic AML/CFT manuals. Submitting a template policy not customised to the applicant’s specific business model and risk profile. Fix: tailor every section (CDD thresholds, transaction-monitoring rules, risk-appetite statements) to your actual products and customer segments.
- Vague business-model statements. The SC needs to understand exactly how your platform works, how client assets are segregated, and how revenue is generated. Fix: include process-flow diagrams and work through specific transaction examples.
- Missing or inconsistent fit‑and‑proper evidence. Gaps in employment history, undisclosed directorships or unexplained source-of-funds documentation. Fix: pre-screen every individual against the SC’s criteria and resolve discrepancies before submission.
- Inadequate local operational presence. Submitting an application with a virtual-office address and no evidence of local staffing. Fix: establish a genuine office, hire a local compliance officer and document the operational plan.
- Failure to address the Travel Rule. Not demonstrating readiness to share originator and beneficiary information on virtual-asset transfers. Fix: integrate a Travel Rule compliance solution and document the protocol in the AML/CFT manual.
Applicants seeking to find a Malaysia lawyer with VASP licensing experience should engage advisory support well before the submission stage to avoid these common pitfalls.
6. Timeline, Costs and Regulatory Gates: Realistic Expectations
One of the most frequently asked questions about how to get a VASP license in Malaysia is how long the process takes and what it costs. Honest answers require acknowledging that timelines vary significantly based on the complexity of the business model and the completeness of the initial submission.
Estimated Timeline
- Pre-application preparation: 2–6 months. This covers company formation, governance structuring, AML/CFT framework development, technology documentation and fit‑and‑proper evidence assembly.
- Application submission and initial SC acknowledgement: 2–4 weeks after filing.
- SC review, queries and clarification rounds: 6–12 months. The SC typically issues multiple rounds of queries. Response quality and turnaround speed directly affect the total review period.
- Conditional approval and operational readiness checks: 1–3 months. The SC may impose conditions (e.g., additional capital, staffing or systems testing) before granting final approval.
- Total realistic timeline: 9–18 months from project initiation to operational launch.
Indicative Costs
Direct application fees payable to the SC are typically a fraction of the total project cost. The larger budget items include:
- Legal advisory fees for application preparation, AML/CFT framework development and regulatory liaison
- Compliance-team recruitment (AMLCO, compliance manager, risk officer)
- Technology infrastructure: trading/custody platform, transaction-monitoring software, sanctions-screening tools
- Cybersecurity assessments, penetration testing and audit costs
- Professional-indemnity and cyber-insurance premiums
- Ongoing operational capital to fund the business through the review period
Industry observers expect total setup costs for a well-prepared VASP application in Malaysia to range from several hundred thousand to over one million ringgit, depending on the scope and complexity of the proposed operations.
Fast‑Track Scenarios and Likely Delays
Applications that are submitted with complete documentation, a well-tailored AML/CFT manual, clear business-model statements and pre-screened fit‑and‑proper evidence tend to move through the SC review significantly faster. Conversely, applications that trigger fit‑and‑proper rechecks, require capital top-ups or involve novel business models without precedent in Malaysia will likely experience extended timelines.
7. Operational Requirements Post-Approval: Reporting, Audits and Security
Obtaining a VASP licence in Malaysia is not the finish line; it is the starting point for ongoing regulatory compliance. The SC and BNM impose continuing obligations that licensed operators must build into their operational rhythms from day one.
Key Ongoing Obligations
- Periodic regulatory returns. DAX/RMO operators must submit regular market-operator reports to the SC. Other VASPs must file periodic AML/CFT compliance returns.
- Suspicious activity reporting. STRs must be filed with the UIF on an ongoing basis whenever suspicious activity is identified.
- Independent AML/CFT audits. Conduct and submit an independent audit of AML/CFT systems and controls at least annually.
- Technology and cybersecurity testing. Perform regular penetration testing, vulnerability assessments and business-continuity drills. Document results and remediation actions.
- Record retention. Maintain all customer records, transaction data, AML/CFT documentation and correspondence with regulators for the period prescribed under AMLA (typically at least six years from the date of the transaction or the end of the business relationship).
- Incident and breach notifications. Report cybersecurity incidents, data breaches, customer-fund losses or material operational disruptions to the SC within prescribed timeframes.
Sample Compliance Calendar
| Frequency | Obligation |
| --- | --- |
| Ongoing / real-time | Transaction monitoring, sanctions screening, SAR filing |
| Monthly | Internal compliance reporting to AMLCO and board |
| Quarterly | Regulatory returns (as required), compliance-committee meetings, risk-register review |
| Annually | Independent AML/CFT audit, staff AML training, penetration testing, board AML/CFT review, insurance renewal |
| Ad hoc | Incident/breach notifications, fit‑and‑proper updates for new directors/officers |
8. Templates and Annexes: Practical Tools for Your VASP Application
To support founders and compliance teams preparing their submissions, the following template resources have been developed to align with the SC’s current expectations and the VASP requirements in Malaysia:
- Annotated Pre-Application Checklist. A comprehensive, tick-box document list mapped to the corporate, governance and AML/CFT sections above, designed so compliance teams can track document assembly in real time.
- Sample KYC/KYB Policy Excerpt. A template CDD and EDD policy section tailored to digital-asset platforms, including risk-classification criteria, PEP-screening procedures and ongoing-monitoring triggers.
- Sample Board Resolution for Licence Application. A template board-minutes extract authorising the application, appointing the AMLCO and confirming the board’s AML/CFT oversight commitment.
- Sample Business Model Statement. An annotated outline showing the structure, level of detail and regulatory mapping the SC expects in a business-model narrative, including transaction-flow diagrams and fee-schedule examples.
- AMLCO Appointment Letter Template. A draft letter formally appointing the Anti-Money Laundering Compliance Officer with a clear scope-of-responsibilities description aligned to AMLA requirements.
These templates are designed as starting points and must be customised to reflect the specific facts, business model and risk profile of each applicant. Engage qualified legal counsel to review and finalise all submission documents before filing.
Conclusion: Securing Your VASP Licence in Malaysia in 2026
The path to obtaining a VASP license in Malaysia demands meticulous preparation across corporate governance, AML/CFT compliance, technology documentation and regulatory engagement. Founders and compliance teams that invest in a complete, well-tailored application, and avoid the common pitfalls outlined in this guide, position themselves for the fastest possible approval and a sustainable operating licence. With Malaysia’s digital-asset regulatory framework continuing to mature in 2026, early and thorough preparation is the clearest competitive advantage an applicant can secure.
Sources
- Securities Commission Malaysia, List of Registered Digital Asset Exchanges
- Securities Commission Malaysia, Guidelines and Practice Notes
- Bank Negara Malaysia, AML/CFT Guidelines
- Global Law Experts, VASP Licence Malaysia 2026