AMLA (Amendment) Act 2025: What Merchant Acquirers and Fintech Payment Companies in Malaysia Need to Know

Malaysia’s Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities (Amendment) Act 2025 introduces a meaningful escalation in the compliance and enforcement landscape. For reporting institutions within the fintech and payments ecosystem, this is a pivotal shift.

For merchant acquirers, payment gateways, and payment facilitators, the message is clear: this is not a routine legislative update. The 2025 amendments, which came into force effectice 1 March 2026, materially increase regulatory exposure, widen enforcement tools, and sharpen accountability at both the institutional and individual levels.

Why the 2025 AMLA Amendments Matter for Fintech

Businesses in the payments space sit at the intersection of high transaction volumes, rapid digital onboarding, and cross-border fund flows. While commercially attractive, these features create heightened AML, sanctions, and financial crime risks.

The real issue for many Malaysian businesses is not whether they have an AML/CFT framework, but whether that framework has kept pace with the operational realities of digital payments and evolving regulatory expectations.

1. Proliferation Financing is Now Specifically Criminalised

One of the most significant changes in the AMLA Amendment Act 2025 is the introduction of a new offence relating to the financing of “restricted activities.”

• The Substance: This brings proliferation financing clearly into the AMLA framework, linked to the Strategic Trade Act 2010. It addresses financial support connected to prohibited goods, services, or parties.

• The Risk for Fintech: A platform does not need to be knowingly involved in traditional money laundering to face risk. If payment flows or merchants are indirectly connected to restricted activity, the consequences are severe.

• The Penalty: Imprisonment of up to 15 years and substantial fines.

Practical Step: Fintech businesses must update screening and escalation protocols to account for trade-related red flags and proliferation-sensitive counterparties.

2. An Expansive Definition of “Transaction”

The amendments expand the statutory definition of “transaction” to expressly include the transmission, transfer, or exchange of funds or currency.

This reflects the reality of modern payment architecture—digital wallets, settlement mechanics, and non-traditional channels. For merchant acquirers, this reduces any residual comfort that older statutory language could be interpreted narrowly. Regulators will now take an expansive view when assessing suspicious transaction reporting (STR) and internal controls.

3. Personal Liability for Directors and Officers

A major governance shift in the 2025 Act is the explicit extension of liability to directors, officers, and employees of reporting institutions.

AML compliance is no longer just an operational matter for the compliance team; it is a boardroom priority. Senior management now faces direct personal exposure where controls are inadequate or legal obligations are breached. Boards must be able to demonstrate documented oversight of:

• Business risk profiles and onboarding controls.

• Monitoring gaps and remediation efforts.

• Suspicious activity reporting.

4. Heightened Customer Due Diligence (CDD) & Record-Keeping

The amendments reinforce the importance of CDD and record retention. While the six-year retention period remains, the framework provides greater clarity on when that period begins—typically when the business relationship ends or the transaction is completed, whichever is later.

Fintechs should revisit their frameworks for:

• High-risk merchant categories and beneficial ownership challenges.

• Complex, layered payment flows.

• Outsourced onboarding arrangements.

5. Stronger Regulatory Enforcement Toolkit

Enforcement risk is no longer confined to criminal prosecution. Regulators now have a wider, more flexible range of intervention tools, including the power to:

• Require formal action plans.

• Impose significant monetary penalties and administrative actions.

• Initiate civil proceedings.

• Publicise enforcement actions (reputational risk).

Implementation Risk: The Gap Between Policy and Practice

For many Malaysian fintech companies, the immediate risk is the gap between the new legal standard and actual "on-the-ground" operations. Many firms still rely on legacy assumptions, such as narrow concepts of transaction risk or insufficient treatment of cross-border flows.

A business may have an AML policy in place, but if it is disconnected from current enforcement expectations or poorly implemented across a scaling merchant base, the exposure remains high.

Checklist: What Should Your Business Do Now?

1. Enterprise-Wide Risk Assessment (EWRA): Is it still fit for purpose under the 2025 amendments?

2. Merchant Due Diligence: Do your procedures adequately address beneficial ownership and high-risk sectors?

3. Transaction Monitoring: Are scenarios calibrated for digital and cross-border patterns?

4. Sanctions Screening: Is your proliferation financing screening robust?

5. Board Reporting: Does the board receive meaningful, documented reporting on compliance gaps?

How We Can Help

At Aravind, Atifah & Rajvin, led by our corporate and compliance partner Rajvin Singh, we advise fintech companies, payment service providers, and merchant acquirers on AML/CFT compliance, regulatory remediation, and risk framework enhancement.

If your business is reviewing its regulatory readiness in light of the AMLA (Amendment) Act 2025, contact us today at rajvin@rajvingill.com to discuss how we can support your compliance journey.

FAQ

What is the main change in the AMLA Amendment Act 2025?

The 2025 Act introduces specific offences for proliferation financing, expands the definition of "transactions" to cover modern digital payments, and increases personal liability for directors and officers.

Does the AMLA 2025 affect directors personally?

Yes. The amendments explicitly extend liability to directors and officers, meaning they can face personal legal consequences for institutional compliance failures.

What is proliferation financing in the Malaysian context?

It refers to providing funds or financial services for the manufacture, acquisition, or export of nuclear, chemical, or biological weapons and their delivery systems, often linked to the Strategic Trade Act 2010.