Malaysia Crypto Licence. SC DAX, IEO & DAC

Overview

Malaysia regulates crypto through the Securities Commission Malaysia (SC). The Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, gazetted on 15 January 2019, prescribes digital currencies and tokens that meet the order's conditions as securities under the Capital Markets and Services Act 2007 (CMSA). The SC therefore licenses three categories: Digital Asset Exchange (DAX) under the RMO Guidelines Part 5, IEO Operator under the Guidelines on Digital Assets, and Digital Asset Custodian (DAC) under the same guidelines and the DAC framework.

The current paid-up capital is MYR 5,000,000 for a standard DAX. The SC opened Public Consultation Paper 3/2025 in mid-2025 proposing an uplift to MYR 15M plus a higher shareholders' funds floor, but as of April 2026 the final revised guidelines have not been gazetted, the SC has indicated 1H 2026 for issuance.

The regulator. Securities Commission Malaysia

The Securities Commission Malaysia is the statutory body that regulates Malaysian capital markets, including digital assets prescribed as securities. The relevant divisions are Digital Strategy & Innovation (policy and registration) and Market & Corporate Supervision (ongoing oversight). Registered DAX operators are listed on the SC public register, six as of December 2025, including Luno Malaysia, SINEGY DAX, Tokenize Technology, MX Global and HATA Digital. The Digital Asset Custodian register lists three SC-regulated custodians. CoKeeps Sdn Bhd, Gambit Custody Sdn Bhd and Jada Platform Sdn Bhd. Shariah-compliance of digital assets for Malaysian Muslim investors is determined by the SC Shariah Advisory Council (SAC). Parallel AML supervision sits with Bank Negara Malaysia under the AMLA regime, and the underlying Capital Markets and Services Act 2007 is the primary statute. SC publishes its Digital Asset Guidelines and RMO framework on its regulation page.

Track 1. DAX (Recognized Market Operator)

A Digital Asset Exchange is registered as a Recognized Market Operator (RMO) under Part 5 of the SC RMO Guidelines. The licence permits operation of a marketplace for the trading of prescribed digital assets, an order-book venue matching buyers and sellers under SC rulebook discipline. The RMO category is the common wrapper for alternative market venues in Malaysia; Part 5 carves out the digital-asset segment, so a DAX is first an RMO and second a digital-asset venue. That layering matters for applicants: the core RMO obligations (market integrity, surveillance, complaints handling) apply in addition to the digital-asset-specific controls under the Guidelines on Digital Assets.

Permitted activities under a registered DAX include the trading of prescribed digital assets against fiat and against other prescribed digital assets, custody of client balances incidental to the venue (or outsourced to a registered DAC), order-matching, settlement and basic on-ramp/off-ramp flows with a licensed banking counterparty. Non-permitted activities, derivatives on digital assets, margin and leveraged products, and token issuance to Malaysian investors, fall outside Part 5 and require separate SC approvals or are not available in the current framework.

Capital. DAX vs Digital Broker variant

The Digital Broker variant is the path for venues that intermediate client orders rather than operate a pure matched-book. The extra MYR 5M shareholders' funds floor is designed to absorb market-risk and operational-risk losses during stressed conditions without consuming paid-up capital. The standard DAX scope is narrower, matching within a closed pool of prescribed assets, but still requires the same AML, custody and technology-risk frameworks as the Broker variant.

Track 2. IEO Operators and Digital Asset Custodians

The Guidelines on Digital Assets set the framework for two adjacent licences. IEO Operators run platforms for token offerings under SC oversight, limited primary issuance, mandatory due diligence, suitability assessment for retail investors; minimum paid-up capital is MYR 5,000,000. Digital Asset Custodians (DACs) provide qualified custody services for prescribed digital assets with a lower threshold, MYR 500,000 paid-up plus MYR 500,000 shareholders' funds maintained at all times, cold-storage architecture, segregation from the operator's own balance sheet and audit obligations modelled on capital-markets custody. The DAC register currently lists CoKeeps, Gambit Custody and Jada Platform.

IEO issuance process under the SC framework

An Initial Exchange Offering in Malaysia is not a direct issuer-to-public sale. Issuers must route through an SC-registered IEO Operator under the Guidelines on Digital Assets. The Operator, holding MYR 5M paid-up capital, is the regulated gatekeeper and is accountable to SC for issuer diligence, token assessment and investor protection. The end-to-end flow has five stages. First, issuer onboarding and fit-and-proper screening of the issuer entity and its promoters. Second, token assessment, the Operator reviews the whitepaper, rights attached to the token, utility, economic model, smart-contract security and the value proposition; tokens prescribed as securities under the 2019 Order fall within the IEO regime. Third, suitability and disclosure, retail investors receive mandated risk disclosures and the Operator applies suitability controls. Fourth, offer, the primary sale runs on the Operator's platform with hard caps per investor category and overall raise caps as set by SC. Fifth, post-issuance conduct, the Operator maintains an ongoing obligation to monitor the issuer's compliance with continuous disclosure undertakings.

For founders the practical implication is that the SC registration target is the IEO Operator, not the project. Choice of Operator, legal structure of the issuing entity (typically a Malaysian Sdn Bhd with a ring-fenced treasury), and pre-submission alignment with the Operator's listing committee materially shape timeline and outcome.

Custody and cold-storage requirements

Client digital-asset custody sits at the centre of SC supervision. The baseline, operative today under the Guidelines on Digital Assets and the RMO Guidelines Part 5, is segregation of client assets from the operator's balance sheet, a documented key-management policy, role-based access, hardware security module support for signing keys, and an audited custody controls framework. A DAX can either custody internally or route to a registered Digital Asset Custodian (DAC), CoKeeps, Gambit Custody or Jada Platform as of the current SC register.

The PCP 3/2025 proposal tightens this substantially. Once the revised guidelines are gazetted, at least 90% of client digital assets must sit in cold or offline wallets, leaving at most 10% in hot-wallet float for operational settlement. The 90% floor applies by asset class and by value. It forces a redesign of the custody stack for most existing DAXs: multi-signature or multi-party-computation cold vaults with geographically distributed key shards, signed-ceremony procedures for any withdrawal from cold, and real-time hot-wallet exposure dashboards that tie back into board-level risk reporting. Custody insurance, while not a hard minimum under the current text, is expected as part of the custody-risk narrative; SC reviews coverage scope (theft, insider fraud, key loss), insurer rating and policy exclusions during the registration review.

The DAC track is designed for pure custody providers. Minimum paid-up capital is MYR 500,000 plus MYR 500,000 shareholders' funds maintained at all times, an order of magnitude below the DAX capital floor, reflecting the narrower scope.

Compliance staffing and governance

SC expects a resident, operational compliance function, not a shell arrangement. The mandatory governance footprint of a DAX comprises a locally incorporated Sdn Bhd with at least one Malaysian-resident director, a board supported by a Chief Executive Officer, a Chief Technology Officer, a Compliance Officer (the de facto Money Laundering Reporting Officer for BNM/AMLA reporting) and a Risk Officer. All key responsible persons and substantial shareholders (typically ≥ 10%) must pass SC's fit-and-proper assessment, a combination of integrity, competence, financial soundness and regulatory track-record checks documented via SC form submissions.

Beyond the named officers, market-facing venues are expected to resource market surveillance, a technology-risk or information-security lead (the Chief Information Security Officer function in larger setups), and an internal audit team with direct access to the board. The Compliance Officer owns the AML/CFT programme, Travel Rule operations, sanctions screening and STR reporting; the Risk Officer owns enterprise risk, capital adequacy monitoring and the ICAAP-equivalent capital plan. SC explicitly disfavours outsourcing the compliance head to a non-resident; the function must have day-to-day effective presence in Malaysia, with reporting lines that do not dilute independence from the CEO.

Under the 2019 Prescription Order, senior management accountability attaches personally. SC can take action against named officers for market-abuse and conduct failings, not only the licensed entity.

Shariah-compliant digital assets

Malaysia is a major Islamic-finance hub and the SC runs a parallel Shariah pathway for digital assets. The Shariah Advisory Council (SAC) of the SC, the apex authority under Section 316B of the CMSA, assesses whether a prescribed digital asset is Shariah-compliant for Muslim investors. A DAX can list a Shariah-compliant panel alongside conventional tokens, broadening addressable market across domestic retail and GCC-linked institutional flows. Practical implications for applicants: a Shariah governance framework, a Shariah adviser for the listing committee, and screening of revenue streams from listed tokens against SAC resolutions. Legitimate Shariah status is a distinct listing gate, it does not replace the SC admissibility assessment under the RMO Guidelines.

AML/CFT and the FATF Travel Rule

A Malaysia DAX is a reporting institution under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), supervised in parallel by Bank Negara Malaysia. The programme must cover customer due diligence at onboarding, ongoing transaction monitoring, sanctions and PEP screening, suspicious-transaction reporting to the Financial Intelligence and Enforcement Department of BNM, and record retention of at least seven years. Enhanced due diligence applies to high-risk customers and jurisdictions.

The FATF Travel Rule (Recommendation 16) is operative for Malaysian virtual-asset service providers. The originating DAX must transmit originator and beneficiary information with the value transfer; the receiving counterpart must verify and screen the same data set. Threshold, data fields and counterparty-discovery rails (e.g. Sumsub, Notabene, TRP protocols) should be wired into the onboarding and settlement stack before registration, because SC and BNM inspect Travel Rule controls as part of the ongoing AML review cycle. Correspondent arrangements with unlicensed offshore venues require an explicit risk acceptance from the board.

Cross-border serving. Singapore and regional clients

A Malaysia-registered DAX is authorised to serve Malaysian residents. Extending to foreign clients requires careful triage. Singapore residents are the most commonly asked-about cohort: under the MAS perimeter, any service constituting a regulated digital payment token service provided to persons in Singapore requires MAS authorisation, typically a Payment Services Act licence or, for cross-border-only activity out of a Singapore entity, the Part 9 DTSP regime of the Financial Services and Markets Act 2022. A Malaysia DAX cannot solicit or onboard Singapore retail from Malaysia without triggering the MAS perimeter.

The practical cross-border structures our team builds are two. First, reverse solicitation documented at platform-terms level for sophisticated clients who seek out the venue without Malaysian marketing, narrow and legally fragile, acceptable only for institutional flows with written confirmations. Second, a sister entity in the target jurisdiction, a MAS-licensed Singapore entity or a Labuan offshore vehicle for non-Malaysian clients, with operational shared-services into the Malaysia Sdn Bhd under a documented outsourcing policy that satisfies SC's outsourcing expectations. For Indonesian, Thai, Philippine and Australian clients, similar triage applies jurisdiction by jurisdiction; our APAC crypto licence comparison sets out the perimeter rules side by side.

Public Consultation Paper 3/2025, proposed uplift

SC opened PCP 3/2025 from 30 June 2025 to 11 August 2025. Proposed enhancements include:

• Paid-up capital uplift to MYR 15 million (from MYR 5M).
• Shareholders' funds: higher of MYR 5M (MYR 7M for Digital Broker) or 25% of operating expenses.
• Asset segregation: at least 90% of client digital assets in cold/offline wallets.
• Removal of SC direct concurrence for certain listings, faster time-to-market under DAX operator accountability.
• One-year transition for existing DAXs to meet new financial thresholds after final issuance.

High-level checklist (DAX)

1. Locally incorporated Malaysian company (Sdn Bhd) with at least one resident director, registered with the Companies Commission of Malaysia (SSM).
2. Paid-up capital of MYR 5M (current); plan for MYR 15M post-PCP transition.
3. Fit-and-proper directors, key management and substantial shareholders.
4. AML/CFT programme aligned with SC and BNM AML/CFT/CPF guidelines.
5. Custody architecture: cold-storage segregation, key-management controls, insurance.
6. Token-listing committee and admission policy aligned with SC concurrence (current) or DAX operator accountability (post-PCP).
7. Technology-risk framework and operational resilience plan.
8. Three-year business plan, financial projections and capital plan.
9. SC application via the Digital Strategy & Innovation team; respond to clarification rounds.
10. Post-registration: ongoing reporting, periodic SC inspections, RMO annual return.

Process and timeline

No statutory SLA. Timing scales with submission completeness and SC clarification rounds.

Taxation, corporate, SST and trading income

• Corporate tax: standard rate 24%, applied to chargeable income of the Sdn Bhd. Malaysia operates a single-tier system, dividends are not re-taxed at the shareholder level.
• No bespoke digital-asset tax regime. Active trading gains of an operating DAX (commissions, spreads, listing fees, market-making P&L) are business income subject to corporate tax in the hands of the Sdn Bhd. Holdings on the operator's own balance sheet are assessed against the badges-of-trade test, frequency, holding period, motive, financing pattern, by the Inland Revenue Board of Malaysia (LHDN).
• No capital-gains tax. Malaysia generally does not levy CGT; occasional non-trade disposals of digital assets should fall outside the CGT net, but the badges-of-trade assessment can reclassify gains as business income.
• Service Tax (SST): 8% on taxable services from March 2024. Crypto-exchange fees fall within the SST net where the service classification applies; cross-border B2B exports of digital services may be zero-rated subject to the LHDN/Customs position. Note that Malaysia abolished GST in 2018 and replaced it with SST; any legacy reference to "GST on crypto" reflects pre-2018 law and is no longer operative.
• Employee taxation: individual income tax on resident employees follows scale rates to 30% at the top bracket; EPF and SOCSO contributions apply.

Penalties and SC enforcement

Operating a Digital Asset Exchange, an IEO platform or a Digital Asset Custodian without SC registration, or dealing in prescribed digital assets outside the 2019 Prescription Order perimeter, breaches the Capital Markets and Services Act 2007. Principal offences under the CMSA carry fines and imprisonment for individuals and regulatory sanctions for the entity; specific penalty amounts are set in the CMSA sections applicable to each breach. Separately, AMLA breaches carry their own penalty schedule under BNM supervision.

SC's enforcement posture against unregistered platforms is active. The regulator publishes investor alerts and cease-and-desist notices on its website naming unregistered platforms that target Malaysian residents, and coordinates with BNM on payments-rail restrictions. Directors, CEOs and substantial shareholders of non-compliant entities can be personally sanctioned, barred from holding capital-markets positions and prosecuted. Licensed DAXs also face the risk of registration suspension or revocation for breaches of the RMO Guidelines, Guidelines on Digital Assets, AML/CFT obligations or market-misconduct rules.

Practically: any Malaysia-market-facing crypto business should close the licensing question before scaling marketing spend, the investor-alert consequence, not just the penalty, is often the commercially terminal outcome. Cross-border inbound operators relying on "no-Malaysian-solicitation" carve-outs must evidence that geoblocking, KYC jurisdiction screening and onboarding denials for Malaysian IPs/IDs are operational and documented.

FAQ