Things To Consider For Offering Of Broking Services For Digital Assets – Criteria & Requirements

Introduction

Digital asset broking in Malaysia operates within a regulated capital markets framework overseen by the Securities Commission Malaysia (“SC”). Digital tokens prescribed as securities are regulated under the Capital Markets and Services Act 2007 (“CMSA”) and related SC guidelines. Entities intending to offer broking services for digital assets must obtain the appropriate Capital Markets Services Licence (“CMSL”) issued by the SC pursuant to sections 58 and 59 of the CMSA.

Firms offering digital asset broking services in Malaysia must first determine whether their business model constitutes a regulated activity under the CMSA and must comply with licensing conditions, including capital adequacy, fit and proper requirements, and ongoing reporting obligations. In addition, CMSL licensees are expected to implement robust operational and compliance controls, including governance, risk management, cybersecurity, and custody measures. Strong Anti-Money Laundering / Countering the Financing of Terrorism (“AML/CFT”) procedures, thorough client onboarding and suitability assessments, and proper record-keeping are also essential to ensure regulatory compliance and protect investors.

A. Licensing & Regulatory Authorisation

Digital asset broking falls within regulated activities under the CMSA by virtue of the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (“Prescription Order 2019”), which prescribes specified digital currencies and digital tokens as securities. Accordingly, any person dealing in such digital assets by way of business must be licensed by the SC.

The CMSL holder must comply with all conditions imposed on its licence and conduct its regulated activities in accordance with securities laws, including sections 58 and 354 of the CMSA.

A1.     Eligibility Requirements

An applicant seeking a CMSL for digital asset broking must:

1. be locally incorporated under the Companies Act 2016;
2. satisfy the minimum financial requirements prescribed by the SC for dealing in securities (including capital adequacy and shareholders’ funds requirements, as applicable to the specific licence category);
3. establish that it can conduct its business in a fit and proper manner, including demonstrating that its directors, senior management, compliance officer and controllers are fit and proper persons;
4. have in place adequate governance arrangements, internal controls and compliance frameworks;
5. demonstrate the ability to manage conflicts of interest;
6. maintain proper records and systems in compliance with section 354 CMSA;
7. establish appropriate risk management systems, including business continuity and disaster recovery planning; and
8. ensure that all information submitted to the SC is true, accurate and complete. [1]

The SC retains discretion to impose additional financial requirements or other terms and conditions on a CMSL holder as it deems appropriate.

A2. Permitted Scope of Services

A licensed digital asset broker may carry out permitted activities and is subject to the applicable limitations imposed on CMSL holders in Malaysia under the Practice Note on Offering of Broking Services for Digital Assets (Practice Note 1/2026) issued by the SC:

1. deal in prescribed digital assets by way of broking, including executing client orders and facilitating transactions on behalf of clients through recognised market operators or other approved trading venues;
2. provide ancillary services related to digital asset transactions, including client onboarding, order management, and settlement coordination; and
3. provide market-related information to clients, provided such activities remain within the scope of the CMSL and do not constitute unlicensed regulated activities.[2]

The broker must not operate a trading platform or market unless separately registered or authorised under applicable laws.

A.3   Salient Requirements and Restrictions

The salient requirements and restrictions on CMSL Holders offering digital asset broking services include:

i.         Prior Notification and Declaration to the SC

A CMSL Holder intending to offer broking services for digital assets must notify the SC in advance and submit a declaration that is validated by a third-party auditor registered with the Audit Oversight Board, confirming the readiness of the CMSL Holder’s systems and operations.[3]

ii.         Restrictions on Trading in Digital Assets

A CMSL Holder is subject to the following restrictions:

• Digital assets must have obtained concurrence of the SC, and can only be sourced from a registered digital asset exchange; or an offshore digital asset trading platform or counterparty which is regulated in a jurisdiction that gives effect to the Financial Action Task Force recommendations for virtual asset service providers, and maintains risk‑based AML/CFT/CPF controls supervised by a competent authority
• All transactions with clients are conducted on a cash‑upfront basis
• It cannot provide margin or lending facilities to clients
• It must refrain from exercising discretionary authority over its client’s digital asset trading account.[4]

iii.         Client Asset Protection

There are safeguarding requirements for purposes of client asset protection, and therefore CMSL Holders must maintain a segregation of client assets; ensure that the digital assets are held with a digital asset custodian and any income or benefits from the digital assets must accrue to the client.[5]

iv.         Disclosure

A CMSL holder must make adequate disclosure of relevant material information relating to the digital assets and communicate such information in a clear and easily comprehensible manner to their clients, which, among others, shall include:

1. the key administrative controls and business continuity plans, including appropriate treatment of clients’ digital assets and their respective rights, for distributed ledger technology related events such as hard forks and airdrops; and
2. the custodial arrangement digital assets are held with a digital asset custodian and any income or benefits from the digital assets must accrue to the client.[6]

v.         Risk Management

A CMSL holder must have the necessary manpower and expertise to understand the nature of such a business, especially the risks relating to ownership and technology, and shall manage such risks appropriately.[7]

B. Operational & Compliance Controls on Digital Asset Broking

As prescribed above, digital asset broking conducted in Malaysia is regulated under the statutory framework established by the CMSA and the Prescription Order 2019. By operation of the Prescription Order 2019, specified digital currencies and digital tokens are prescribed as securities for the purposes of the CMSA. Consequently, any CMSL holder dealing in such digital assets by way of business is subject to the licensing, conduct and supervisory regime administered by the SC, particularly in areas concerning anti-money laundering compliance, client asset protection, custody safeguards, and system resilience.

Digital assets pose elevated financial crime and operational risks due to pseudonymity, decentralised infrastructure, cross-border transferability, and the irreversible nature of blockchain transactions. Accordingly, the SC expects digital asset brokers to maintain governance and prudential standards equivalent to traditional securities intermediaries, with additional technology-specific safeguards.

B1. Robust KYC Framework

A risk-based AML/CFT framework must be implemented and utilised when onboarding and servicing clients. Digital asset brokers must:

1. Perform Customer Due Diligence (“CDD”) at onboarding;
2. Conduct Enhanced Due Diligence (“EDD”) for high-risk customers;
3. Screen for Politically Exposed Persons (“PEPs”) where applicable;
4. Implement transaction monitoring systems capable of identifying unusual or suspicious activity;
5. Trace and assess source of funds where necessary; and
6. Submit Suspicious Transaction Reports (“STRs”) to the relevant authorities when required.

Failure to conduct adequate due diligence may expose the intermediary to regulatory action under section 354 CMSA and enforcement measures under Part XV CMSA.

B2. Travel Rule Compliance

Digital asset brokers must comply with the Financial Action Task Force (“FATF”) Recommendation 16 (“Travel Rule”), where applicable. These include:

1. Collecting originator and beneficiary information;
2. Securely transmitting required information when transferring digital assets to other intermediaries; and
3. Ensuring that counterparties are compliant with applicable AML/CFT requirements.

Non-compliance may result in regulatory enforcement, licence suspension, or criminal liability.

B3. Client Asset Segregation

Section 118 CMSA requires licensed persons to maintain a segregated account to hold any client’s assets and maintain proper records and systems to ensure compliance. A CMSL holder must ensure proper safeguarding of clients’ assets[8] which includes:

1. Clear segregation of client assets from proprietary assets;
2. Maintaining accurate and up-to-date records;
3. Ensuring reconciliation procedures are conducted regularly; and
4. Implementing controls to prevent co-mingling and misuse of client assets.

Regulators are particularly sensitive to co-mingling risks in digital asset businesses, given recent global insolvencies involving digital asset intermediaries.

B4. Custody Framework and Cybersecurity

Section 21 CMSA requires licensed digital asset brokers to maintain proper records, systems and internal controls. This obligation carries heightened significance due to the irreversible nature of blockchain transactions and preventive controls are of paramount importance. Examples of said controls include (a) cold storage solutions for the majority of holdings; (b) multi-signature wallet structures; (c) cyber and crime insurance coverage; (d) Multi-Party Computation (MPC) key management; (e) zero-trust security frameworks; (f) encrypted communications; (g) secure Application Programming Interface (API) connections; (h) Distributed Denial of Service (DDoS) protection; (i) clear client communication protocols; and (j) comprehensive crisis management and incident response planning. Where system failures result in client losses, potential civil liability may arise under section 248 of the Capital Markets and Services Act 2007 (CMSA) for contravention of securities laws.

B5.    Digital Asset-Specific Risk Considerations

Digital asset broking activities must also account for events such as forks, token delistings and stablecoin de-pegging. Section 92 CMSA (honesty and fairness) and section 93 CMSA (best interest obligations, where applicable) reinforce the requirement that intermediaries establish transparent policies governing the treatment of such events and communicate them clearly to clients.

B6.    Governance and Oversight Framework

This article will conclude by providing a table of core regulations that licensed CMSL holders offering digital asset broking services need to be aware of in relation to the governance and oversight of their digital asset activities:

Authors:

1. Alina Filza
2. Ow Kai Wing
3. Teh Wei Hong

---

[1]   Chapter 4 of the Securities Commission Handbook

[2]   Section 4 Practice Note on Offering of Broking Services for Digital Assets (Practice Note 1/2026) (“PN 1/2026”)

[3]   Section 6 of the PN 1/2026

[4]   Section 8 of the PN 1/2026

[5]   Sections 12 to 14 of the PN 1/2026

[6]    Section 15 of the PN 1/2026

[7]   Section 16 of the PN 1/2026

[8]   Sections 12 to 14 of PN 1/2016

[9]   Section 354 of the CMSA

[10] Section 354 of the CMSA