Merchant Acquiring License Malaysia: BNM Registration, Section 17 FSA (2026)

By Global Law Experts
– posted 2 hours ago

Any entity that wants to onboard merchants and process card or electronic payment transactions in Malaysia must hold a merchant acquiring license, which is technically a registration under Section 17 of the Financial Services Act 2013 (FSA) with Bank Negara Malaysia (BNM). The regulatory framework centres on BNM’s Policy Document on Merchant Acquiring Services, issued on 15 September 2021, which sets binding standards for governance, capital adequacy, IT security and anti-money-laundering controls. With BNM continuing to approve non-bank acquirers through 2024–2026 and actively enforcing policy expectations, the window for new entrants is open but tightly regulated.

This guide provides the step-by-step compliance roadmap, covering documents, thresholds, timelines and common pitfalls, that founders, compliance officers and legal teams need to move from concept to registered acquirer status.

What Is a Merchant Acquiring Service? Legal Definition and Scope

A merchant acquiring service, as defined in BNM’s Policy Document on Merchant Acquiring Services, is the service of enabling a merchant to accept electronic payment instruments (debit cards, credit cards, e-wallets or other designated instruments) by providing the merchant with the necessary infrastructure, settlement and transaction-processing capability. The acquirer sits between the merchant and the card scheme or payment network: it underwrites the merchant’s payment risk, routes authorisation requests, clears transactions and settles funds into the merchant’s account.

It is important to distinguish merchant acquiring from two adjacent activities. A payment gateway provides the technical interface that connects a merchant’s checkout to one or more acquirers but does not itself bear settlement or underwriting risk. A payment service provider (PSP) or e-money issuer (EMI) may facilitate funds transfers or stored-value accounts but is licensed under different BNM frameworks. Whether a business requires registration as a merchant acquirer depends on whether it performs the core acquiring function: accepting payment instruments on behalf of merchants, settling those transactions and bearing the associated risk.

When a Business Must Register Under Section 17 FSA

Section 17 of the Financial Services Act 2013 prohibits any person from carrying on a “registered business”, which includes merchant acquiring services, unless that person is registered with BNM or is an institution already licensed under the FSA (such as a commercial bank). In practice, this means every non-bank entity that intends to offer merchant acquiring services in Malaysia must submit an application for registration to BNM before commencing operations. Operating without registration constitutes a criminal offence under the FSA.

BNM Framework: Section 17 (FSA 2013) and the 2021 Policy Document on Merchant Acquiring Services

The regulatory architecture for a merchant acquiring license in Malaysia rests on two pillars: the statutory registration requirement in the FSA and the detailed operational standards in the Policy Document.

Section 17(1) of the FSA establishes that no person shall carry on any registered business unless registered with BNM. Merchant acquiring is expressly designated as a registered business. Section 18 supplements this by empowering BNM to impose conditions on the registration. Together, these provisions give BNM broad authority to set, and enforce, the rules that govern how acquirers operate.

The Policy Document on Merchant Acquiring Services, effective 15 September 2021, translates that statutory power into concrete obligations. It applies to all entities registered as merchant acquirers pursuant to sections 17(1) and 18 of the FSA. The Policy Document covers five main domains: corporate governance, minimum capital funds, operational risk management and IT security, anti-money-laundering and counter-financing-of-terrorism (AML/CFT) controls, and merchant due diligence.

Applicable Provisions and Immediate Compliance Triggers

Compliance obligations under the Policy Document are triggered the moment a registered acquirer begins onboarding merchants or processing transactions. There is no grace period: the registrant must have all governance structures, IT systems and AML programmes operational at the point of registration. The table below summarises the key BNM documents and their core requirements.

BNM Document | Key Obligation | Where to Find It
Financial Services Act 2013, Section 17 | Registration requirement: no person may carry on merchant acquiring without BNM registration | BNM Application Page
Policy Document on Merchant Acquiring Services (2021) | Governance, capital, IT/security, AML/CFT and merchant due diligence standards | BNM Policy Document (PDF)
MAS Application Form (2023 version) | Prescribed form for registration applications; covers corporate details, business plan, risk framework | BNM Application Form
FSP Directory, Merchant Acquirer listing | Public register of all BNM-registered merchant acquirers (banks and non-banks) | BNM FSP Directory

How to Register as a Merchant Acquirer with BNM: Step-by-Step Checklist

Securing a merchant acquiring license in Malaysia follows a structured process that can be divided into three phases: pre-application preparation, formal submission and post-submission review. The checklist below reflects the requirements set out in BNM’s application page and the MAS Application Form.

Phase 1: Pre-Application Preparation

  1. Establish the corporate vehicle. Incorporate a Malaysian company (Sdn Bhd) or confirm that an existing licensed institution will apply under its current licence. Prepare the Memorandum and Articles of Association, certificate of incorporation, and latest audited financial statements.
  2. Draft the business plan. BNM expects a detailed plan covering target merchant segments, projected transaction volumes, revenue model, technology stack and a three-to-five-year financial forecast.
  3. Appoint qualified directors and key personnel. Board members must meet BNM’s fit-and-proper criteria. Designate a Chief Compliance Officer and a Chief Information Security Officer (or equivalent).
  4. Build the AML/CFT programme. Develop written policies for customer due diligence (CDD), merchant risk scoring, transaction monitoring, suspicious transaction reporting and sanctions screening, all before submission.
  5. Prepare the IT and security framework. Document your system architecture, data-flow diagrams, encryption standards, PCI DSS compliance roadmap, penetration-testing schedule and business continuity/disaster recovery plan.
  6. Secure card scheme relationships. If you intend to process Visa, Mastercard or other scheme transactions, obtain a letter of intent or provisional membership agreement. Alternatively, document your arrangement with an existing principal member or sponsoring bank.
  7. Arrange pre-application engagement with BNM. Industry observers recommend requesting a pre-application meeting with BNM’s Payments Oversight department to clarify any ambiguities in the Policy Document before formal filing.

Phase 2: Formal Submission

  1. Complete the MAS Application Form. Fill in every section of BNM’s prescribed form, including corporate particulars, ownership structure, business plan summary, risk management framework and declarations.
  2. Compile supporting documents. Attach all items from Phase 1: financial statements, AML policies, IT architecture documentation, board resolutions authorising the application, and fit-and-proper declarations for directors and key personnel.
  3. Submit to BNM. File the complete application pack with BNM’s Payment and Financial Inclusion Department.

Phase 3: Post-Submission Review

  1. Respond to BNM queries. BNM may issue one or more rounds of clarification questions. Prepare detailed, document-backed responses within the timelines BNM sets.
  2. On-site readiness assessment. BNM may conduct an on-site visit to verify IT infrastructure, physical security and operational readiness.
  3. Registration and conditions. Upon approval, BNM issues the registration certificate, potentially with conditions under Section 18 of the FSA. These conditions become binding and enforceable.

Example Timetable from Pre-Application to Registration

Phase | Activity | Estimated Duration
Pre-application | Corporate setup, policy drafting, IT build, pre-application meeting | 12–20 weeks
Formal submission | Form completion, document compilation, filing | 2–4 weeks
BNM review | Initial review, clarification rounds, on-site assessment | 12–24 weeks
Registration | Issuance of registration certificate with any conditions | 1–2 weeks after approval
Total (indicative) | | 27–50 weeks

Note: Timelines are indicative. BNM does not publish fixed processing windows, and the actual duration depends on application quality and the complexity of the applicant’s business model.

Merchant Acquiring License Malaysia 2026 Requirements: Capital, Financial and Legal Thresholds

The Policy Document on Merchant Acquiring Services sets minimum capital funds requirements for non-bank merchant acquirers. According to legal analysis published by Skrine, one of Malaysia’s leading law firms, non-bank acquirers are required to maintain minimum capital funds of RM300,000 as a baseline. This amount must be fully paid up and maintained at all times; it is not a one-time deposit that can later be drawn down.

BNM may impose higher capital requirements on individual applicants based on the scale and risk profile of their proposed operations. Applicants processing high volumes or operating in higher-risk merchant categories should anticipate the possibility of elevated thresholds. Capital funds must be evidenced through audited financial statements submitted both at application and on an ongoing basis.

Entity Type | Minimum Capital (Indicative) | Notes
Non-bank merchant acquirer | RM300,000 | As indicated in legal alerts; verify directly with BNM; may be higher depending on scale and risk.
Bank / licensed institution | Governed by bank capital framework | Banks acquire under their existing licence; different prudential rules apply.
Payment gateway (no acquiring function) | N/A for merchant acquiring | May require separate PSP registration or PayNet onboarding, with distinct capital rules.

Applicants should also be aware that BNM’s AML framework requires reporting of transactions that meet certain thresholds. While specific monetary thresholds for suspicious transaction reporting are set by regulation and internal policy rather than a single published figure, all registered acquirers must implement systems capable of detecting and reporting unusual or suspicious activity regardless of transaction size.

IT, Cybersecurity, PCI DSS and Operational Controls for a Merchant Acquiring License Malaysia

The Policy Document dedicates significant attention to information technology and operational resilience. BNM expects registered acquirers to implement a risk-based IT governance framework that covers the full transaction lifecycle, from payment initiation through authorisation, clearing and settlement.

Key expectations include end-to-end encryption of cardholder data, implementation of tokenisation where feasible, maintenance of hardware security modules (HSMs) for cryptographic key management, and adoption of PCI DSS standards. While BNM does not mandate a specific PCI DSS certification level in the Policy Document, the practical reality is that card schemes (Visa, Mastercard) require acquirers to be PCI DSS Level 1 compliant before granting membership, making it a de facto requirement.

Minimum IT Evidence BNM Will Expect

  • Network architecture diagrams showing all components of the payment processing environment, including firewalls, intrusion detection systems and data storage locations.
  • SOC 2 Type II reports (or equivalent independent assurance reports) covering the security, availability and processing integrity of systems.
  • Penetration test reports conducted by an independent, qualified assessor within the twelve months preceding application.
  • Business continuity and disaster recovery plans with documented recovery time objectives (RTO) and recovery point objectives (RPO), plus evidence of at least one successful test exercise.
  • Incident response procedures covering data breaches, system outages and fraud events, including escalation paths and BNM notification timelines.

Recommended Vendor Architecture and Responsibility Mapping

Industry observers note that BNM increasingly expects applicants to clearly map responsibilities across the payment value chain. A typical architecture separates merchant-side integration (point-of-sale terminal or online checkout), gateway processing (routing and protocol conversion), acquirer processing (authorisation, clearing, settlement) and card scheme interfaces. Each layer must have documented ownership, SLA commitments and fallback procedures. Outsourced components remain the acquirer’s regulatory responsibility: BNM holds the registered entity accountable regardless of third-party arrangements.

AML/CFT, Transaction Monitoring and Merchant Due Diligence

BNM’s merchant acquiring services framework requires acquirers to implement a comprehensive AML/CFT programme that addresses the specific risks of the acquiring business. Unlike traditional banking AML, which focuses on customer accounts, acquiring AML centres on merchant due diligence: understanding who the merchant is, what it sells, how it processes payments and whether its transaction patterns are consistent with its stated business.

The Policy Document requires acquirers to conduct risk-based customer due diligence (CDD) on every merchant before onboarding. This includes verifying the merchant’s legal identity, beneficial ownership, business activity, regulatory status (where applicable) and financial standing. Ongoing monitoring must detect anomalies such as sudden volume spikes, unusual chargeback ratios, transactions inconsistent with the merchant’s stated product or service, and patterns indicative of money laundering or terrorism financing.

AML Checklist for Merchant Acquirers

  • Written AML/CFT policy approved by the board and reviewed at least annually.
  • Merchant risk-scoring model categorising merchants by industry, geography, transaction type and volume.
  • Enhanced due diligence procedures for high-risk merchant categories (e.g., gaming, travel, cryptocurrency-related services).
  • Automated transaction monitoring system with configurable rules and alert-management workflows.
  • Suspicious transaction reporting (STR) procedures including timelines for filing with BNM’s Financial Intelligence and Enforcement Department.
  • Sanctions screening against OFAC, UN, and Malaysian domestic sanctions lists at onboarding and on an ongoing basis.
  • Record retention: all CDD records and transaction data must be retained for at least six years.
  • Staff training programme covering AML obligations, red-flag indicators and reporting procedures.

Card Scheme and Acquiring Relationships

A registered merchant acquirer does not operate in isolation. To process Visa or Mastercard transactions, the acquirer must either hold direct principal membership with the card scheme or operate under a sponsorship arrangement with a principal member (typically a licensed bank). Direct membership carries higher entry requirements, including scheme-specific capital, processing certifications and operational audits, but gives the acquirer full control over interchange economics, settlement timing and chargeback management.

Settlement flows in Malaysia typically follow a T+1 or T+2 cycle: the card scheme settles net amounts to the acquirer, which then credits the merchant’s account after deducting the merchant discount rate (MDR). The acquirer bears liability for chargebacks and must maintain reserves or holdback mechanisms to manage chargeback exposure, particularly for merchants in high-risk industries.

When You Need Direct Membership vs Partnering with a Bank

Early-stage acquirers and smaller non-bank entities often begin under a bank sponsorship model, which reduces upfront capital and scheme certification costs. As transaction volumes grow and the acquirer builds an operational track record, transitioning to direct membership becomes economically attractive. The decision hinges on volume thresholds set by card schemes, internal risk appetite and the acquirer’s ability to meet scheme audit requirements independently.

Payment Gateway vs Merchant Acquirer: Key Differences

One of the most common points of confusion for businesses seeking a payment gateway license or merchant acquiring registration in Malaysia is where the regulatory boundary falls. The table below clarifies the distinctions.

Role | BNM Registration Required? | Primary Obligations
Merchant acquirer | Yes; must register under Section 17 FSA or hold a banking licence | Governance, minimum capital (RM300,000+), IT/security, AML/CFT, card scheme membership, settlement to merchants
Payment gateway | Not always; depends on whether the gateway performs any acquiring function | Technical integration, merchant onboarding contracts, data security; may rely on a registered acquirer for settlement and scheme compliance
PSP / EMI | May require separate BNM licensing or registration | Depends on the specific services offered; e-money issuance, remittance and payment initiation each have distinct BNM frameworks

Businesses that only route transactions through a technical interface without bearing settlement or underwriting risk may not need merchant acquirer registration, but should confirm this with BNM, as the line between gateway and acquirer is fact-specific.

Enforcement, Recent Approvals and Lessons from 2024–2026

BNM’s approach to merchant acquiring regulation has moved beyond framework-setting into active enforcement and selective approval of non-bank applicants. A notable example is CHIP IN, which received BNM approval as a non-bank merchant acquirer, as reported by Fintech News Malaysia. The approval signalled that BNM is willing to register well-prepared non-bank entities provided they demonstrate robust governance, adequate capitalisation and mature IT and AML systems.

Early indications from the 2024–2026 approval cycle suggest that BNM prioritises three factors above all: a clearly articulated risk management framework, evidence of operational readiness (not just plans, but deployed systems) and transparent beneficial ownership structures. Applicants that can demonstrate live system testing, completed penetration assessments and board-level risk oversight are more likely to navigate the review process efficiently.

Common Application Pitfalls and How to Avoid Them

Drawing on publicly available regulatory guidance and industry commentary, the following pitfalls account for the majority of delays and rejections in the application process for a merchant acquiring license in Malaysia.

  • Weak governance structure. Boards without independent directors or without documented risk-oversight committees. Fix: Appoint at least one independent director with payments or financial-services experience before filing.
  • Inadequate IT documentation. Missing network diagrams, no penetration test reports or outdated business continuity plans. Fix: Commission independent assessments at least three months before submission.
  • Boilerplate AML policies. Generic policies not tailored to acquiring-specific risks. Fix: Build merchant risk-scoring models and transaction-monitoring rules that reflect your actual merchant base.
  • Undercapitalisation. Applying with capital below the RM300,000 minimum or failing to demonstrate ongoing capital maintenance. Fix: Ensure capital is fully paid up and evidenced in audited accounts at filing.
  • Incomplete corporate documents. Missing board resolutions, unsigned declarations, or outdated financial statements. Fix: Use a pre-submission checklist aligned to every field in the MAS Application Form.
  • Unclear settlement flows. Failing to explain how funds move from card scheme to acquirer to merchant. Fix: Provide end-to-end settlement diagrams with T+n timelines and reconciliation procedures.
  • No card scheme relationship. Submitting without a letter of intent or sponsorship agreement from a card scheme or principal member. Fix: Engage Visa/Mastercard early; provisional agreements are acceptable at application stage.
  • Ignoring pre-application engagement. Filing without any prior contact with BNM’s Payments Oversight team. Fix: Request a pre-application meeting to surface potential issues before committing resources to the full application pack.

Conclusion: Securing Your Merchant Acquiring License in Malaysia

The path to becoming a BNM-registered merchant acquirer is demanding but navigable. The core requirements (Section 17 FSA registration, compliance with the 2021 Policy Document, minimum RM300,000 capital, robust IT and AML frameworks, and card scheme relationships) form a clear checklist that applicants can work through systematically. With BNM continuing to approve non-bank acquirers, the market is open to well-prepared entrants.

Businesses considering a merchant acquiring license in Malaysia should begin with a gap analysis against the Policy Document, engage BNM early through a pre-application meeting and ensure that all governance, IT and AML systems are operational, not just planned, before formal submission. For tailored pre-application reviews, document preparation and regulatory strategy, contact a qualified FinTech licensing specialist through the Global Law Experts Malaysia lawyer directory.

This article provides general guidance on the merchant acquiring registration process in Malaysia. It is not a substitute for tailored legal advice. Regulatory requirements may change; readers should verify current BNM expectations directly. Last reviewed: 14 June 2026.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Sabir Alijev at LegalBison, a member of the Global Law Experts network.

Sources

  1. Bank Negara Malaysia, FSP / Registered Merchant Acquirer Directory
  2. Bank Negara Malaysia, Policy Document on Merchant Acquiring Services (PDF)
  3. Bank Negara Malaysia, Application for Approval and Registration (Section 17)
  4. Bank Negara Malaysia, MAS Application Form 2023
  5. Skrine, Minimum Capital Funds Requirement for Merchant Acquirers
  6. Rahmat Lim & Partners, BNM Policy Document on Merchant Acquiring Services
  7. Fintech News Malaysia, CHIP IN Approved by BNM as Non-Bank Merchant Acquirer
  8. Zitadelle AG, Malaysia Merchant Acquiring License Regulatory Guide
  9. PayNet, Eligibility for Digital Registration
  10. DECTA, Card Acquiring vs Payment Institution License

FAQs

What is a merchant acquiring service?
A merchant acquiring service enables merchants to accept electronic payment instruments (credit cards, debit cards, e-wallets) by providing transaction processing, authorisation routing, clearing and settlement infrastructure. In Malaysia, this activity is defined and regulated under BNM’s Policy Document on Merchant Acquiring Services.
A BNM registered merchant acquirer is any entity, bank or non-bank, that has completed Section 17 FSA registration and appears on BNM’s FSP Directory under the merchant acquirer category. The directory is publicly searchable and updated by BNM.
Payment service providers (PSPs) that do not perform merchant acquiring may fall under different BNM frameworks, such as e-money issuer licensing or remittance service provider registration. The pathway depends on the specific services offered. PSPs should consult BNM’s application page and, where acquiring is involved, follow the Section 17 registration process outlined in this guide.
A payment gateway provider connects merchants to acquirers through a technical interface. If the gateway does not perform settlement or bear acquiring risk, BNM merchant acquirer registration may not be required. However, the gateway must comply with data security standards, PCI DSS requirements and contractual obligations with its partner acquirer. Clarification from BNM is recommended for borderline cases.
Non-bank merchant acquirers must maintain minimum capital funds of RM300,000, as indicated in legal analysis of the Policy Document. This capital must be fully paid up at all times. BNM may impose higher requirements based on the applicant’s scale, risk profile and proposed transaction volumes.
BNM does not publish a fixed processing timeline. Based on industry experience, the full process, from pre-application preparation through BNM review and registration, typically takes between 27 and 50 weeks. The actual duration depends on application completeness, the complexity of the business model and the speed of responses to BNM’s clarification queries.