Licentium

Licensing Hub

Malaysia

The Securities Commission Malaysia regulates digital assets under the CMSA 2007 and the 2019 Prescription Order, treating qualifying digital tokens and currencies as securities.

Available licences

Digital Asset Exchange (Recognized Market Operator)

SC registration as a Recognized Market Operator to operate a Digital Asset Exchange (DAX). Locally incorporated company with minimum paid-up share capital RM5 million (Digital Broker model also requires shareholders' funds of RM5 million at all times). DAX operators must obtain SC concurrence before offering any new digital asset, maintain delisting policies, operate an orderly/fair/transparent market with real-time surveillance, segregate investor digital assets from own inventory, maintain separate wallets for different trading models, hold investor monies in trust accounts at licensed Malaysian financial institutions (independent registered trustee), and protect digital assets via offline wallet arrangements.

DAX: Digital Broker Model

Under the Digital Broker model, the DAX operator acts as counterparty to the investor for every buy or sell order. Digital Brokers must source digital assets from a FATF-compliant VASP that is supervised, licensed or registered in its jurisdiction, conduct AML/CFT screening and monitoring, and transfer purchased digital assets from the DAX operator wallet to the investor wallet.

Digital Asset Custodian (DAC) Registration

SC registration for safekeeping, storing, holding or maintaining custody of digital assets for another person under section 76A CMSA. Minimum paid-up capital RM500,000 and shareholders' funds RM500,000. Controls cover secure storage, key generation, key management, employee access, recovery, multi-factor authentication, segregation of client assets, transaction records and seven-year record retention. A self-custody technology provider that gives the asset owner full key control and cannot unilaterally transfer client assets may fall outside the DAC perimeter. 2026 application and annual fee RM10,000.

CMSL Digital Asset Broking (Practice Note 1/2026)

CMSL holders for dealing in securities (including those restricted to listed securities) may offer broking services for digital assets meeting the Prescription Order criteria, after SC notification, declaration and third-party validation by an AOB-registered auditor. Digital assets may only be sourced from an SC-registered DAX or a foreign trading platform regulated under FATF VASP recommendations with supervised AML/CFT/PF controls. Trading must be cash-upfront; no margin or lending; no discretionary authority. Client digital assets must be custodised with an SC-registered DAC (foreign DAC requires SC approval); client fiat and digital assets fully segregated; income/yield/benefits accrue to the client unless expressly waived.

Initial Exchange Offering (IEO) Issuer and Platform

Digital token fundraising framework under the Guidelines on Digital Assets. Issuer must be a Malaysian-incorporated company or LLP with main operations in Malaysia, minimum capital RM500,000 and at least two directors with principal or only residence in Malaysia. Project must provide an innovative solution or meaningful digital value proposition for Malaysia; payment-functionality tokens may only be exchangeable for the issuer's goods or services as disclosed. IEO platform operators must be registered under the Guidelines on Digital Assets (DAX registration also required where the IEO platform facilitates trading). The SC's current digital assets page states that IEO platform registration is closed.

SC AML/CFT/CPF Reporting Institution Obligations

Digital asset market participants that are reporting institutions must apply a risk-based approach, identify and assess ML/TF risks (customers, countries, products, services, transactions, delivery channels), assess new products and technology before launch, perform customer due diligence with beneficial-owner identification, refuse anonymous or fictitious accounts and refuse the transaction where identity cannot be verified. Digital asset transfer information (originator and beneficiary name, identification, account/wallet/transaction reference, address or date and place of birth) must be transmitted immediately and securely. Records must be retained at least seven years; suspicious transactions (including attempts) must be reported immediately to the Financial Intelligence and Enforcement Department.

Detailed overview

Malaysia: Securities Commission Digital Asset Regulation

Regulators

Malaysia’s digital asset regime is administered principally by the Securities Commission Malaysia. The SC regulates the trading, issuance and safekeeping of digital assets. Bank Negara Malaysia remains relevant for legal tender, payment instruments, payment systems, money services, foreign exchange and central-bank policy.

Malaysia regulates digital assets through the Capital Markets and Services Act 2007, the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, the Guidelines on Recognized Markets, the Guidelines on Digital Assets, Practice Note 1/2026 and SC AML/CFT/CPF Guidelines.

Malaysia is not a general “unregulated crypto” jurisdiction. Digital currencies and digital tokens that satisfy the Prescription Order criteria are prescribed as securities, and the SC framework applies to their trading, offering and custody.

Digital currencies and digital tokens

A digital currency is a digital representation of value recorded on a distributed digital ledger, cryptographically secured or otherwise, that functions as a medium of exchange and is interchangeable with money.

A digital token is a digital representation recorded on a distributed digital ledger, cryptographically secured or otherwise, excluding specified traditional securities and interests.

A digital currency is prescribed as a security where it is traded or exchangeable on a place or facility where offers to sell, purchase or exchange are regularly made or accepted, there is an expectation of return from trading, conversion, redemption or appreciation, and it is not issued or guaranteed by a specified governmental or central-bank body.

A digital token is prescribed as a security where it involves a pooled arrangement, token consideration, pooled contributions or returns, expected return or appreciation, no day-to-day investor control and no specified governmental or central-bank guarantee.

Digital Asset Exchanges

A Digital Asset Exchange is regulated as a Recognized Market Operator. A DAX is an electronic platform that facilitates trading of digital assets. A DAX may operate an exchange model or a Digital Broker model.

A DAX operator must be locally incorporated and must have minimum paid-up share capital of RM5 million. A DAX operating the Digital Broker model must also maintain shareholders’ funds of RM5 million at all times. The SC may impose additional financial requirements or conditions.

A DAX operator must establish and implement policies and procedures to assess digital assets before offering them for trading. It must obtain SC concurrence before offering a new digital asset and must submit information on the asset, founders or issuer, rights and benefits, liquidity, distribution, information sufficiency, ledger security, economics and legal-compliance issues.

A DAX operator must have delisting policies and must notify the SC before delisting a digital asset. It must operate an orderly, fair and transparent market, maintain trading, clearing and settlement policies, and conduct real-time market surveillance.

Digital Broker model

Under the Digital Broker model, the DAX operator acts as counterparty to the investor for every buy or sell order on or through the platform.

A Digital Broker must source digital assets from a VASP that is compliant with FATF recommendations and supervised, licensed or registered in its jurisdiction. It must also conduct AML/CFT screening and monitoring and transfer purchased digital assets from the DAX operator wallet to the investor wallet.

Client asset protection

A DAX operator must maintain accurate and up-to-date records of client assets, safeguard client money and digital assets from inappropriate use or conversion, segregate investor digital assets from its own inventory and maintain separate wallets for different trading models.

Investor monies must be held in trust accounts with licensed Malaysian financial institutions and the trust accounts must be administered by an independent registered trustee. A DAX operator must also put in place arrangements to protect digital assets from loss, theft or hacking, including offline wallet arrangements.

Digital Asset Custodians

A person provides Digital Asset Custodian services where it provides safekeeping, storing, holding or maintaining custody of digital assets for the account of another person. These services are specified capital-market services under section 76A CMSA.

A self-custody technology provider may fall outside the DAC perimeter where it merely offers a system that enables the asset owner to hold digital assets, the owner has full control, the owner holds the private keys, and the provider cannot unilaterally transfer the digital assets.

A DAC must generally maintain minimum paid-up capital of RM500,000 and shareholders’ funds of RM500,000. The SC may impose additional financial requirements.

A DAC must implement controls for secure storage, key generation, key management, employee access, recovery, multi-factor authentication, segregation of client assets from its own assets, transaction records and seven-year record retention.

Digital asset broking by CMSL holders

Practice Note 1/2026 permits CMSL holders for dealing in securities and CMSL holders for dealing in securities restricted to listed securities to offer broking services for digital assets that meet the Prescription Order criteria.

A CMSL holder must notify the SC before offering digital asset broking and must submit the required declaration and third-party validation by an Audit Oversight Board-registered auditor.

A CMSL holder may source digital assets only from an SC-registered DAX or from a foreign digital asset trading platform or counterparty that is registered or regulated in a jurisdiction giving effect to FATF VASP recommendations and subject to supervised risk-based AML/CFT/PF controls.

A CMSL holder may facilitate trading only in digital assets that have obtained SC concurrence. Trading must be conducted on a cash-upfront basis. The CMSL holder may not provide margin or lending facilities for digital asset trading and may not exercise discretionary authority over clients’ digital asset trading accounts.

Client fiat and digital assets must be fully segregated from the CMSL holder’s own assets. Client digital assets must be held or custodised with an SC-registered DAC unless SC approves appointment of a foreign DAC. Any income, yield or benefit from client digital assets must accrue to the client unless the client has given express written consent otherwise.

Initial Exchange Offerings

Digital token fundraising is regulated through the IEO framework in the Guidelines on Digital Assets.

An issuer must be a Malaysian-incorporated company or Malaysian LLP, have its main business operations in Malaysia and raise funds only through an IEO. It must meet minimum capital requirements of RM500,000 and must have at least two directors whose principal or only place of residence is Malaysia.

The issuer must submit its application through an IEO operator and must not offer the digital token before the IEO operator’s approval. The project must provide an innovative solution or meaningful digital value proposition for Malaysia.

A digital token that functions as a payment instrument may be exchangeable only for the issuer’s goods or services as disclosed in the approved white paper.

A person seeking to operate an IEO platform must be registered under the Guidelines on Digital Assets. If the IEO platform also facilitates trading of digital assets, it must also be registered as a DAX under the Guidelines on Recognized Markets.

The SC’s current digital assets page states that IEO platform registration is closed.

Offshore platforms

A market outside Malaysia can be considered to operate in Malaysia where the operator or its representative actively targets Malaysian investors. Active targeting can include promotion of the market in Malaysia, advertising in Malaysia, or direct mail or email to Malaysian addresses.

An offshore exchange or broker should not assume it is outside the Malaysian perimeter merely because it is incorporated outside Malaysia. Malaysian marketing, Malaysian investor targeting, Malaysia-directed communications, local payment arrangements or Malaysian representatives can create regulatory exposure.

AML, CFT, CPF and sanctions

Digital asset market participants that are reporting institutions under the SC framework must comply with the SC AML/CFT/CPF Guidelines.

A reporting institution must apply a risk-based approach, identify and assess money-laundering and terrorism-financing risks relating to customers, countries, products, services, transactions and delivery channels, document those assessments and update them. New products and new technology must be assessed before launch.

Customer due diligence must be completed at the start of the relationship. The reporting institution must identify and verify the customer and beneficial owner, understand the nature and purpose of the relationship and must not maintain anonymous or fictitious accounts. Where identity cannot be verified, the reporting institution must not establish the relationship or conduct the transaction.

Digital asset transfers

For domestic or cross-border wire transfers of digital assets, a reporting institution must obtain, hold and maintain required originator and beneficiary information and make it available to regulators and law enforcement authorities.

Required information includes originator name, identification number or passport number, account or wallet information or transaction reference, address or date and place of birth, beneficiary name and beneficiary account, wallet or transaction reference.

The information must be submitted immediately and securely to the beneficiary institution before, simultaneously or concurrently with the transfer, not after the fact.

Reporting institutions must maintain sanctions screening and controls. Where a beneficiary or originator is a designated person, the institution must freeze the property and prohibit the transaction.

Records and suspicious transaction reports

Reporting institutions must keep transaction records, customer identification and verification records, beneficial-owner records, account records, transaction details and digital asset transfer information for at least seven years after account closure or transaction completion. Longer retention may be required for suspicious transactions, investigations or prosecutions.

Reporting institutions must maintain a suspicious transaction reporting mechanism and report suspicious activity immediately to the Financial Intelligence and Enforcement Department. Attempted suspicious transactions are also reportable regardless of amount.

Digital currencies and digital tokens are not recognized as legal tender in Malaysia and are not payment instruments regulated by BNM.

A business should not market digital assets as Malaysian legal tender or as BNM-regulated payment instruments unless a separate BNM-regulated structure applies.

Payment, remittance, e-money, stored-value, foreign-exchange, merchant checkout and stablecoin-like models require separate BNM and payment-law analysis.

Tokenised capital-market products

Tokenised capital-market products are separate from digital currencies and digital tokens already prescribed as securities under the Prescription Order.

The SC’s 2025 consultation distinguishes between digital twin representation tokens and native tokens. A digital twin token represents an existing off-chain capital-market product on a distributed ledger. A native token is issued directly on a distributed ledger and is itself the capital-market product.

The consultation proposes that tokenised capital-market products remain subject to existing requirements for the underlying product. For example, where a share is tokenised, the Companies Act register of members may remain the authoritative ownership record, and transfer of the token alone may not transfer ownership unless the register is updated.

The consultation is not final law. A tokenised share, bond, sukuk, fund unit, structured product, derivative or other capital-market product should be analyzed under the existing capital-market product rules as well as any future tokenisation framework.

Shariah status

The SC’s digital assets page lists tradeable digital assets on regulated exchanges and their Shariah status. The page states that, effective 30 March 2026, DAX operators intending to offer Shariah-compliant digital currencies must obtain endorsement from the SAC in line with the revised Guidelines on Islamic Capital Market Products and Services.

A provider should not market a digital asset or service as Shariah-compliant unless the relevant SAC endorsement and Islamic capital-market requirements are satisfied.

Fees

The Capital Markets and Services (Fees) Regulations 2025 came into operation on 1 January 2026.

The application fee for registration as an RMO is RM20,000 for each type of platform. Annual fees for a DAX operator are 0.3% of gross revenue earned from operating the regulated platform or a minimum amount. The minimum is RM50,000 for certain individually controlled or non-regulated-corporate-controlled DAX operators and RM20,000 for DAX operators owned or controlled by corporations regulated by the SC or an IOSCO-member regulator.

The application fee for registration as a DAC is RM10,000 and the annual fee for a registered DAC is RM10,000.

Regulatory outlook

Malaysia has a functioning SC-regulated digital asset framework for exchanges, custodians, IEOs and digital asset broking by eligible CMSL holders. The key current developments are Practice Note 1/2026 for CMSL digital asset broking, the 2025 amendment to the Prescription Order, the 2025 tokenised capital-market product consultation, the 2026 SC fee structure and the 2026 Shariah endorsement requirement for Shariah-compliant digital currencies.

New entrants should map asset classification, Malaysian investor targeting, DAX or CMSL route, custody model, IEO requirements, SC concurrence for tradable assets, AML/CFT/CPF controls, digital-asset transfer information systems, client-asset segregation, payment-law limits, BNM issues and tokenised-capital-market-product treatment before launch.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started