How to Obtain a VASP Licence in Malaysia in 2026, Step‑by‑step Guide for Founders & Compliance Teams

Last reviewed: 29 April 2026

Malaysia’s digital‑asset sector is entering a decisive regulatory phase. Founders seeking a VASP license Malaysia 2026 must navigate an increasingly detailed approval framework administered by the Securities Commission Malaysia (SC) and Bank Negara Malaysia (BNM), both of which have tightened their expectations around governance, custody safeguards, and anti‑money‑laundering controls over the past twelve months. The SC’s Recognized Market Operator (RMO) regime remains the primary gateway for any platform that wishes to operate a digital asset exchange (DAX) or provide broking services onshore, while BNM’s targeted update on virtual assets and VASPs has sharpened AML/CFT obligations in line with FATF Recommendations.

This guide distils the entire licensing journey, from initial eligibility screening to post‑approval operating obligations, into a practical playbook that compliance officers, general counsel and product leads can execute against.

Executive Summary & Decision Checklist, Do You Need a VASP Licence?

Yes. Any entity that operates a digital asset exchange, provides custody (safekeeping) services, or brokers trades in digital tokens for Malaysian customers requires registration as a Recognized Market Operator under the SC’s Capital Markets and Services Act framework. Operating without approval is an offence carrying significant penalties, including criminal prosecution.

Before engaging advisers or drafting documentation, run through the following six‑point decision checklist:

• Service type. Will you operate an order‑matching exchange, provide custodial wallets, broker OTC trades, or issue tokens? Each activity triggers a distinct licensing obligation under SC guidelines.
• Customer location. If any end‑user is located in Malaysia, even if your servers are offshore, the SC treats the service as falling within its jurisdiction.
• Custody of client assets. Holding private keys or controlling client digital assets on‑chain creates custody obligations and additional capital, audit and segregation requirements.
• Stablecoin exposure. Platforms that list, trade or issue stablecoins face additional scrutiny from both SC and BNM, particularly regarding reserve adequacy and disclosure.
• Fiat on/off ramps. Integration with the Malaysian ringgit (MYR) banking system requires coordination with BNM and will form part of the SC’s assessment of your business plan.
• AML/CFT exposure. BNM expects every VASP to maintain a risk‑based AML/CFT programme that meets FATF standards, including Travel Rule compliance.

If any of these points apply, you need to proceed through the full licensing process outlined below.

Quick Regulator Map: Who Does What in VASP Licensing

Understanding the division of responsibilities between Malaysian regulators is the essential first step to avoiding duplicated effort and costly missteps when applying for a VASP licence in Malaysia.

Securities Commission Malaysia, DAX and Recognized Market Operator Registration

The SC is the primary gatekeeper. Under the Capital Markets and Services Act 2007 (CMSA) and the Guidelines on Digital Assets, any platform wishing to operate as a digital asset exchange must be registered as a Recognized Market Operator. The SC maintains a public list of registered digital asset exchanges, which currently includes a limited number of approved operators. The SC assesses governance arrangements, technology infrastructure, financial resources, custody protocols and the applicant’s AML/CFT framework before granting registration. It also has the power to revoke or suspend registration and to take enforcement action against unregistered operators.

Bank Negara Malaysia, AML/CFT Supervisory Guidance for Virtual Assets

BNM does not issue the VASP licence itself, but it sets and enforces the anti‑money‑laundering and counter‑financing‑of‑terrorism standards that every licensed operator must meet. BNM’s 2025 Targeted Update on VA/VASP specifies customer due diligence thresholds, suspicious transaction reporting (STR) procedures, Travel Rule expectations and record‑keeping obligations. Applicants should treat BNM’s guidance as a binding operational standard that the SC will verify during its review.

Labuan Financial Services Authority, Alternative Offshore Regime

The Labuan Financial Services Authority (Labuan FSA) offers a separate licensing regime under the Labuan Financial Services and Securities Act. Industry observers note that the Labuan route may suit businesses serving exclusively non‑Malaysian clients, but it does not provide a right to serve onshore retail customers. Most applicants targeting the domestic market will therefore need the SC pathway.

Scope: Which Services Qualify as VASP in Malaysia?

Exchanges, Custody, Broking, Token Issuance and Stablecoin Operations

The SC’s regulatory perimeter captures a broad range of crypto exchange licence Malaysia activities. The following services require registration or approval:

• Exchange operation. Matching buy and sell orders for digital assets, whether through a central limit order book or an automated market‑maker model.
• Custody / safekeeping. Holding private keys or otherwise controlling digital assets on behalf of clients.
• Broking. Arranging or facilitating digital asset transactions between counterparties, as clarified by the SC in its February 2026 clarification on digital asset broking.
• Token issuance (IEO). Issuing or facilitating the issuance of digital tokens through an initial exchange offering.
• Stablecoin operations. Issuing, listing or trading stablecoins, subject to additional reserve and disclosure obligations from both SC and BNM.

Exemptions and Borderline Services

Non‑custodial wallet providers that never hold or control users’ private keys generally fall outside the RMO licensing requirement, although they may still be subject to BNM’s AML/CFT obligations if they facilitate transactions. Pure information aggregators, price‑feed providers and blockchain analytics firms are not currently captured. However, the line is fact‑specific: if an information service also enables order routing or custody, it will be reclassified. When in doubt, a formal pre‑application consultation with the SC is strongly recommended.

Eligibility, Entity Structure & Corporate Prerequisites for a VASP Licence Malaysia

The SC expects applicants to demonstrate institutional‑grade governance from day one. The following corporate prerequisites form the baseline for how to register VASP Malaysia operations:

• Local incorporation. The applicant must be a company incorporated in Malaysia under the Companies Act 2016, or, for the Labuan route, under Labuan legislation.
• Minimum paid‑up capital. The SC has historically set a minimum paid‑up capital threshold for DAX operators. Applicants should confirm the current figure directly with the SC, as the amount has been subject to periodic review.
• Foreign ownership. There is no blanket prohibition on foreign shareholding, but the SC scrutinises the ultimate beneficial owners of the applicant. Fit‑and‑proper assessments apply to all substantial shareholders and directors.
• Fit‑and‑proper directors. Directors and key officers must meet the SC’s fit‑and‑proper criteria, including absence of criminal convictions, bankruptcy and regulatory sanctions.
• Tax registration. Full registration with the Inland Revenue Board of Malaysia (LHDN) and, where applicable, the Royal Malaysian Customs Department for goods and services tax purposes.

Recommended Company Structure and Required Board/GRC Roles

Industry best practice, and the practical effect of SC and BNM expectations, requires the appointment of at least four distinct governance roles:

• Chief Risk Officer (CRO). Oversees enterprise risk, including market, operational and technology risk.
• Money Laundering Reporting Officer (MLRO). The designated compliance gatekeeper for STRs and all AML/CFT matters under BNM guidance.
• Chief Technology Officer (CTO). Responsible for platform security, custody architecture and disaster recovery.
• Compliance Officer. Maintains the SC compliance programme, manages regulatory reporting and liaises with supervisors.

Smaller start‑ups sometimes combine the CRO and Compliance Officer functions, but the MLRO role must be held by a separately designated individual as required by BNM.

AML/CFT & KYC Requirements for VASP Malaysia, Practical Controls

The AML/CFT requirements VASP Malaysia operators must satisfy are among the most scrutinised elements of the application. BNM’s targeted update aligns Malaysia with FATF Recommendation 15 and its interpretive notes on virtual assets. Below is a control‑by‑control breakdown, including the evidence the SC and BNM expect to see in your submission.

A robust AML/CFT programme is not a one‑time submission. BNM expects ongoing independent audits, typically annual, and the SC may conduct on‑site inspections. For a deeper dive into designing these programmes, see our detailed guide on why you need a crypto licence and how to get it right.

Application Process: Required Documents, Submission and Typical Timeline for VASP License Malaysia 2026

The application to register as a Recognized Market Operator is submitted directly to the Securities Commission Malaysia. The process is document‑intensive and typically involves several rounds of queries from SC officers. The following step‑by‑step walkthrough reflects the practical experience of applicants through the current cycle.

Step‑by‑Step Application Checklist

• Pre‑application consultation. Engage informally with the SC’s FinTech Group to confirm the scope of your proposed activities and receive preliminary guidance on documentation expectations.
• Corporate formation and structuring. Incorporate the Malaysian entity, appoint directors, establish governance committees and open a temporary corporate bank account.
• AML/CFT programme drafting. Prepare the full suite of AML/CFT policies, procedures and controls mapped to BNM’s targeted update and FATF standards.
• Technology and custody documentation. Complete the technology architecture document, penetration test reports, custody model description and disaster recovery plan.
• Business plan submission. Draft a comprehensive business plan covering target market, projected volumes, revenue model, capital adequacy, staffing plan and risk appetite.
• Formal application lodgement. Submit the full application package to the SC, including all supporting documents, declarations and fees.
• SC review and queries. Respond to the SC’s written queries, attend meetings and provide supplementary evidence as requested.
• Conditional approval. If satisfied, the SC issues a conditional registration, typically subject to completion of final technology tests and banking arrangements.
• Go‑live. Satisfy all conditions, notify the SC and commence operations.

Realistic Timeline

End‑to‑end, early indications suggest founders should budget 12 to 18 months from initial engagement to operational launch. The SC’s review phase is the most variable, complex applications or those with incomplete documentation may take significantly longer.

Common Document Templates the SC Expects

• Board resolution authorising the application and appointing key officers.
• Memorandum and articles of association reflecting the digital‑asset business purpose.
• Governance charter covering risk, audit and compliance committee mandates.
• AML/CFT policy manual (aligned to BNM requirements).
• Technology architecture and security assessment report (including penetration test results).
• Custody operations manual describing key management, segregation and insurance arrangements.
• Business continuity and disaster recovery plan.
• Audited financial projections for at least three years.

Fees and Application Mechanics

The SC charges application and annual registration fees for Recognized Market Operators. The precise fee schedule is subject to periodic revision and is not always published in consolidated form. Applicants should request the current fee table directly from the SC’s FinTech Group at the pre‑application stage. Budget separately for professional fees (legal, audit, technology) which typically represent the largest cost component.

Technology, Custody and Security Requirements

The SC places significant weight on the robustness of the applicant’s technology stack and custody model. The following checklist summarises the technical attachments the SC will expect when evaluating your crypto exchange licence Malaysia application:

• Custody model. Describe whether you will use hot wallets, cold storage, multi‑signature arrangements, hardware security modules (HSMs) or a combination. If using a third‑party custodian, provide the custodian’s regulatory status, audit reports and contractual terms.
• Segregation of client assets. Client digital assets must be segregated from the operator’s own holdings at all times. Provide wallet address schedules and reconciliation procedures.
• Penetration testing and vulnerability assessments. Submit the most recent third‑party penetration test report (conducted by a reputable cybersecurity firm). The SC expects at least annual testing, with remediation evidence for any critical findings.
• SOC 2 or equivalent assurance. While not explicitly mandated in every case, a SOC 2 Type II report covering security, availability and processing integrity substantially strengthens the application.
• Disaster recovery and business continuity. Document recovery time objectives (RTO), recovery point objectives (RPO), failover architecture and the results of the most recent DR drill.
• Incident response plan. Detail escalation procedures, regulator notification timelines and client communication protocols in the event of a security breach.

For related guidance on how custody standards intersect with crypto custody licensing in other jurisdictions, see our dedicated regulatory guide.

Banking & Payments: Securing Rails Post‑Licence

Obtaining the SC’s registration is only half the battle. Without a functioning Malaysian ringgit banking relationship, a licensed VASP cannot offer fiat on/off ramps, the feature most retail users demand. Practical steps to secure banking access include:

• Pre‑engagement with banks. Begin informal conversations with prospective banking partners during the application phase, not after approval. Malaysian commercial banks increasingly have dedicated FinTech or digital‑asset relationship teams.
• Compliance evidence pack. Prepare a bank‑ready compliance dossier: the AML/CFT programme, SC registration (or conditional approval letter), audited financials, beneficial ownership disclosures and a summary of transaction monitoring controls.
• Local payment rails. Integrate with FPX (Financial Process Exchange) or DuitNow for real‑time ringgit transfers. Banks will assess the robustness of your payment integration before onboarding.
• Ongoing relationship management. Expect periodic enhanced due diligence reviews from your banking partner. Maintaining transparent communication and providing quarterly compliance reports reduces the risk of de‑banking.

Stablecoin Regulation Malaysia: Special Considerations in 2026

Stablecoin regulation Malaysia has moved rapidly up the regulatory agenda. Both the SC and BNM have issued public commentary signalling a more prescriptive approach to stablecoins, particularly those pegged to the ringgit or used as payment instruments within Malaysia. Industry observers expect the likely practical effect to include reserve adequacy requirements (potentially mirroring elements of the EU’s MiCA framework), mandatory disclosure of reserve composition, and restrictions on the types of assets that may back a stablecoin.

Operators planning to list or issue stablecoins should monitor SC and BNM publications closely and, where possible, engage with regulators through the consultation process. The comparison with MiCA’s stablecoin (EMT/ART) framework is instructive: MiCA mandates segregated reserves, redemption rights and prudential capital buffers, standards that Malaysia may adopt in adapted form.

Cross‑Border Operation, MiCA Pathway & Passporting Options

Malaysian VASP operators with ambitions beyond Southeast Asia often ask whether a Malaysian licence provides any form of passporting, and whether pursuing a parallel CASP Malaysia or EU authorisation under MiCA makes strategic sense. The short answer is that a Malaysian SC registration does not confer automatic rights to operate in any other jurisdiction. Conversely, a MiCA CASP authorisation granted by an EU national competent authority enables passporting across all 27 EU member states.

For firms planning dual registration, comparative licensing frameworks in other jurisdictions, such as Canada’s MSB registration, offer useful structural parallels. A coordinated multi‑jurisdiction compliance strategy can reduce duplication and cost.

Common Pitfalls and Enforcement Risks

Drawing on observed patterns in SC and BNM supervisory actions, the following are the most frequent reasons applications stall or licences are placed at risk post‑approval:

• Weak AML/CFT programme. Generic, template‑based policies that do not reflect the operator’s actual risk profile and transaction typologies.
• Incomplete governance. Failure to appoint a dedicated MLRO or to establish functioning risk and audit committees before submission.
• Unsupported custody proofs. Claiming cold‑storage arrangements without providing wallet address schedules, audit trails or third‑party verification.
• No banking plan. Submitting an application without having initiated banking conversations, leading to a post‑approval operational deadlock.
• Poor vendor due diligence. Relying on third‑party KYC or custody providers without documenting their regulatory status, financial stability and contractual obligations.
• Unclear stablecoin reserves. Listing stablecoins without being able to demonstrate how the reserve is held, audited and disclosed to users.
• Missing Travel Rule compliance. Failing to implement an originator/beneficiary data transmission protocol before go‑live.
• Poor incident response. Not having, or not testing, a documented cyber‑incident response plan, which the SC increasingly treats as a fundamental operational requirement.

Practical Post‑Approval Checklist & Operating Calendar

Receiving the SC’s registration is the beginning, not the end, of the compliance journey. Licensed operators should build the following into their annual operating calendar:

• Quarterly AML/CFT reporting to BNM (STR volumes, screening statistics, risk‑assessment updates).
• Annual independent AML/CFT audit conducted by an external firm and reported to both the SC and the board.
• Annual penetration test and vulnerability assessment with remediation evidence filed with the SC.
• Board oversight meetings (minimum quarterly) with documented minutes covering risk appetite, compliance status and incident reports.
• Change notifications to the SC for any material change in directors, shareholders, technology providers, custody arrangements or business model.
• Annual financial audit and submission of audited accounts to the SC within the prescribed deadline.

Costs, Resourcing & Realistic Budgetary Expectations

Budgeting for a VASP licence in Malaysia requires planning across several cost categories. Where fixed regulatory fees are not publicly consolidated, the figures below represent ranges based on industry commentary from advisers such as Prifinance and LegalBison, and should be confirmed directly with the SC:

• SC application and annual registration fees. Confirm with the SC FinTech Group, subject to periodic revision.
• Legal and advisory fees. Preparation of governance documents, AML/CFT programme, business plan and application pack, typically a significant component of overall cost.
• Technology build and audit. Platform development or customisation, penetration testing, SOC 2 assurance and custody infrastructure.
• Internal headcount. At minimum, budget for an MLRO, Compliance Officer, CTO and support staff from pre‑application through to go‑live.
• Ongoing compliance. Annual AML audit, penetration testing, regulatory reporting and board governance support.

As a rough planning benchmark, industry observers estimate total first‑year costs (inclusive of regulatory fees, professional services and technology) for a mid‑sized DAX operator in Malaysia to run into the low‑to‑mid six figures (USD), with ongoing annual compliance costs representing a meaningful recurring commitment. Specific figures depend heavily on scope, complexity and choice of technology partners.

Next Steps

Securing a VASP license Malaysia 2026 is achievable, but the margin for error is narrow. Applicants who invest in rigorous pre‑application preparation, particularly around AML/CFT programme design, custody architecture and banking relationships, consistently experience shorter review timelines and fewer rounds of SC queries. For founders and compliance teams ready to begin the process, Global Law Experts maintains a network of specialist FinTech and crypto lawyers in Malaysia who can guide you from initial structuring through to operational launch. A jurisdiction comparison with frameworks such as Comoros crypto licensing may also help benchmark your strategy.