
A Case Study on Regulatory Impact Assessment: The Roles of Independent Non-Executive Directors


Blockchain is a ledger of records organized in ‘blocks’ that are linked together by cryptographic validation, and it is neither stored in a centralized location nor managed by any single entity[1]. The block validation system results in new transactions being added irreversibly and old transactions preserved forever for all to see, hence the transparency and resilience of Blockchain[2].

Intended to be a framework for the cryptocurrency Bitcoin when it was first created in 2008, Blockchain technology today is fast penetrating into applications beyond the financial sector. Blockchains can be used to perform transactions, secure data, and create decentralised applications (“Dapps”)[3]. With its transformative power, Blockchain is widely seen as a game changer that has the potential to lead digitalisation in almost every sector that involves value transactions. Worldwide, it has been experimented with in asset management, intellectual property management, logistics, medical records, supply chain, the sharing economy, and more[4].

Among the characteristics of Blockchains which make them appealing are:

1. Decentralisation: The elimination of third-party intermediaries enables a more efficient digital ecosystem through speedier and lower-cost execution of transactions, and also reduces the security risks which arise from the existence of a central point of failure in a conventional centralised system.[5] Indeed, the elimination of intermediaries enables cheaper cross-border remittances, lower processing fees for financial services, and more transparent and efficient government services. Commerce trading platforms will also be more attractive to Small Medium Enterprises due to lower transaction costs[6].

2. Immutability: This consists of two facets, one of which is the Immutability of History (‘IoH’) while the other is the Immutability of Process (‘IoP’).

IoH warrants the finality of any transaction which has been executed under any blockchain network by ensuring that past consensus reached by users is not amenable to change after the transactions have been completed. This brings an element of finality to blockchain transactions, without which there can be no commercial certainty. IoP acts as a safeguard against any undue changes being made to the language script of the network, and by doing so it plays a crucial role in preventing irregular transactions from being executed[7].

3. Security: Blockchain technology can potentially be used to enhance the levels of systemic security as compared to conventional technology, given the application of up-to-date asymmetrical encryption methods referred to as ‘public’ and ‘private’ keys. For example, Bitcoin’s Elliptic Curve Digital Signature Algorithm cryptographic standard uses a combination of private and public keys, whereby the private key, which works similarly to a password, is held by the user, while the public key is the user’s address within the blockchain, mathematically generated from the private key. The public key is structured in a manner which renders it almost impossible for unscrupulous parties to trace it back to the private key it is associated with[8]. Such cryptographic security will enhance the protection afforded to digital asset transactions as well as the transfer and storage of personal and sensitive information, but still enable the idea of the Internet of Things by providing a mechanism for the tracking and interoperability of data between various devices[9].

4. Pseudonymity/Quasi-Anonymity: Given the way Blockchain operates, absolute anonymity is impossible. For example, although Bitcoin has been described as being anonymous, it is in fact only pseudo-anonymous, given the relation between users and wallets[10]: the chain of transactions in and out of wallets, and from wallet to wallet, is visible to all, and can be traced and tracked in public for Bitcoin transactions. Nonetheless, a certain degree of anonymity can be achieved by taking appropriate steps[11].



The Malaysian Industry-Government Group for High Technology (MIGHT) has said that Malaysia would be adopting Blockchain by 2025, and Malaysian banks are already taking proactive steps to encourage its development in the country[12]. CIMB and Maybank are two of the Malaysian banking groups that are working with FinTech companies[13]. The national R&D centre in ICT, MIMOS, has been working on FinTech-related areas such as information security, intelligent informatics, cryptography, artificial intelligence, machine learning and big data analytics[14].

As of 1 March 2018, the Ministry of Science, Technology and Innovation has established a special taskforce to study the implementation of blockchain in the country as well as the shariah compliant component of the technology. The ministry is in talks with various stakeholders on the development of blockchain in the country, and towards the end of the discussion, will develop a Shariah compliant guideline for blockchain technology as it has a lot of potential across various industries, especially the Islamic finance sector[15].


Diagram 1: An Infographic regarding Blockchain. Illustration © PwC.



In Malaysia, “money services business” is defined in the Money Services Business Act 2011 (MSBA) as referring to businesses involved in the changing of one currency to another, the transfer of funds from one destination to another, and/or the trading in foreign currencies[16]. These businesses are subject to licensing by Bank Negara Malaysia (“BNM”). It goes without saying that these businesses can potentially benefit in terms of security and cost efficiency from the utilisation of Blockchain as a platform.

In the case of remittance businesses that use online and mobile channels, BNM has issued a policy document that considers such businesses as being “reporting institutions” and outlines the minimum requirements that must be observed in implementing an electronic know-your-customer system[17]. Electronic Know Your Customer (e-KYC) enables a remittance provider to verify the identity of the customer electronically, without having to establish the identity of that customer face to face. This allows customers to remit funds faster and allows remittance providers to work efficiently and at a lower cost since all verifications and procedures are done online[18].

As opposed to the above businesses, which deal solely with legal tender (i.e. fiat currency), there also exist businesses that exchange cryptocurrencies with fiat money and other cryptocurrencies (and vice versa), in other words, digital currency exchanges. These are not regulated by BNM as they do not fall into any of the categories under the MSBA 2011 and thus are not subject to the associated licensing under the MSBA 2011. One advantage that these businesses in particular stand to gain from blockchain is that the sender can directly send cryptocurrencies to the recipient if the address of the recipient’s e-wallet is known[19]. This disintermediation cuts down on costs.

Notwithstanding the fact that digital currency exchangers are not licensed or regulated by BNM, they are expected, as a matter of recommended best practice, to comply with the requirements to be incorporated or registered under the provisions of the Companies Act 2016. Moreover, digital currency exchanges are considered as “reporting institutions” under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)[20], which means that businesses that are involved in converting cryptocurrencies to fiat money would be required to provide detailed information on buyers and sellers of such currencies[21].

It must be pointed out, however, that the mere fact that a business entity is registered as a “reporting institution” with BNM under the AMLA does not mean that it is regulated and licensed by BNM; indeed, such reporting obligations are aimed at preventing money laundering and terrorism financing as opposed to providing consumer protection[22].



In this part we look at how the massive growth in cryptocurrencies and blockchain technology solutions has created its own set of new legislation and ways of interpreting existing legislation to ‘fit’ these new products. Some countries are writing new legislation with a view to lure cryptocurrencies to open shops in their territories, whilst others are trying to snuff out what they see as an attack on their sovereign currencies. We explore Initial Coin Offering (ICO) and various types of tokens, all of which have different treatments by regulators.

An ICO is an alternative source of funding outside of traditional financial markets. An ICO is a crowdfunding drive akin to an IPO through the issuance of digital tokens to fund a development project of a product or service. The project can be blockchain-related or otherwise. In relation to the former, upon the launch of an ICO, ICO tokens are offered to investors in exchange for other digital tokens such as Bitcoin and ether; only in rare cases is fiat currency accepted. Token holders can use the digital tokens for their specific functions or trade them on the digital token exchanges.

Almost all ICO campaigns are accompanied by a white paper, a document that functions like a prospectus and details the digital tokens being offered, particularly their characteristics and functionalities, so that investors know their rights as token holders. This is especially relevant in light of the fact that although activities relating to ICOs fall under the purview of the Securities Commission (“the SC”) of Malaysia[23], some ICO schemes are not regulated[24]. Indeed, the SC of Malaysia has in various press releases warned potential investors of the risks associated with ICOs[25][26].

That being said, it is crucial for issuers, investors and regulators to determine whether a particular digital token qualifies as a particular capital market product in order to ascertain the relevant applicable laws. For example, an ICO and digital token with attributes resembling a Collective Investment Scheme[27] which falls under the statutory definition will need to comply with the legal requirements relevant to Collective Investment Schemes[28]. Even if the digital tokens do not fall under the Collective Investment Scheme definition, caution still needs to be exercised as the ICO and digital tokens that meet the statutory definition of an investment scheme under the Interest Schemes Act 2016 can likely be designated as a “prescribed investment” under Malaysia’s Capital Markets and Services Act 2007 (“CMSA”)[29]. In this regard, it is notable that Section 5 of the CMSA empowers the SC to make a recommendation to the Minister of Finance to “prescribe any instrument or product or class of instruments or products to be securities”, which has the effect of placing such ICO and token under the regulation of the SC. This is relevant because the carrying out of any regulated activities such as fundraising, fund management and dealing in capital market products without obtaining necessary approval or authorisation from the SC may amount to an offense[30].

Alternatively, but not exhaustively, an ICO and digital token may have attributes which are akin to those of shares; depending on the contextual circumstances, such tokens may include the right to vote, to receive dividends etc.[31].

However, taking into consideration that most ICO issuers are set up as foundations[32][33], this means that such tokens issued are not shares per se as recognized by the Companies Act 2016[34]. Of further note would be that Section 43 of the Companies Act 2016 is to the effect that private companies shall not offer shares or debentures to the public.

Thus, any issuance of tokens which have the attributes of shares or debentures by private company ICO issuers would be in contravention of the law.



As Malaysian society stands at the forefront of the FinTech frontier, BNM, ever aware and supportive of FinTech development which can contribute towards the creation of value-added and meaningful innovations that can greatly benefit the Islamic finance industry and the public at large, has developed the Regulatory Sandbox to provide a regulatory environment that is conducive to the development of FinTech, so that FinTech innovation can be deployed and tested in a live environment within specified parameters and timeframes.

The Regulatory Sandbox is not suitable for proposed products, services, or solutions which are already appropriately addressed under prevailing laws and regulations; indeed, BNM will provide guidance and advice to financial institutions or FinTech companies on the modifications that can be made to align proposed business models or solutions with prevailing laws and regulations. To that effect, BNM has introduced regulatory boot camps every quarter to provide an opportunity for FinTech companies to gain deeper knowledge and understanding before entering the Regulatory Sandbox[36].

That being said, an applicant[37] seeking BNM’s approval to participate in the Regulatory Sandbox must demonstrate that the product, service or solution is genuinely innovative with clear potential to improve accessibility, efficiency, security and quality in the provision of financial services as well as to enhance the efficiency and effectiveness of Malaysian financial institutions’ management of risks.

The applicant must show that an adequate and appropriate assessment has been conducted to demonstrate the usefulness and functionality of the product, service or solution and to identify the associated risks. This may include the required resources and expertise to mitigate and control potential risks and losses arising from the offering of such products, services or solutions. It is worth pointing out that FinTech companies that collaborate with financial institutions could gain added advantage from the guidance and support of financial institutions with respect to regulatory requirements and risk mitigation in applying to participate in a sandbox. At the same time, FinTech companies with potential to contribute to the creation of high value-added jobs locally will be assessed more favourably by BNM. Moreover, as risk and failure, which may lead to financial loss or other risks to the sandbox participants and their customers, are an integral part of innovation, it is imperative that the Regulatory Sandbox incorporates appropriate safeguards to manage the risks and contain the consequences of failure.

In assessing the risks and evaluating the proposed safeguards, BNM will give due regard to preserving sound financial and business practices consistent with monetary and financial stability and to promoting the fair treatment of consumers. The risk of money laundering and counter terrorism financing and the protection of the customer’s information are also vital considerations for the regulator. For the Regulatory Sandbox, the initial testing period shall not exceed 12 months from the start date of the test. Nonetheless, a written application to extend the testing period can be submitted by the participant to BNM, stating the additional time required as well as clearly explaining the reasons for requiring such an extension. Upon completion of the testing, BNM will decide whether to allow the introduction of the product, service, or solution to the market on a wider scale. Where allowed, participating FinTech companies intending to carry out regulated businesses will be assessed based on the applicable licensing, approval, and registration criteria under the Financial Services Act, Islamic Financial Services Act, and Money Services Business Act, as the case may be.

However, BNM may also prohibit deployment of the product, service or solution in the market upon completion of the testing in the event that the testing was unsuccessful based on agreed test measures, or the product, service or solution has unintended negative consequences for the public and/or financial stability. Only products or services that come under the purview of BNM-regulated businesses under Malaysian laws and regulations should apply to participate in the Regulatory Sandbox. Businesses involved in peer-to-peer lending (P2P) or equity crowdfunding providers (ECF), for example, are classified as the ‘recognised market’, which comes under the purview of the Securities Commission.[38]



Blockchain is highly appealing in today’s world because of its disintermediation, immutability, security, as well as quasi-anonymity. With many of Malaysia’s government agencies and ministries as well as private companies welcoming the development of FinTech in general, there is great potential for the Blockchain in that regard. Indeed, blockchain holds much utility in, among others, the money service business, e-money and e-wallet business, as well as in ICOs, just to name a few. However, as many of these are relatively novel in the Malaysian legal sphere, their regulation is still in its infancy, or in some cases, nonexistent. For now, many of these products are regulated, if at all, based on their attributes; if such attributes are analogous to pre-existing products or services, then the corresponding law is applicable. Be that as it may, government entities such as BNM, never wanting to stifle the development of FinTech, have also developed a Regulatory Sandbox so that novel FinTech products and services which show potential can be developed in a more conducive, but nonetheless live, environment.


  2. Ibid.
  5. Nur Husna Zakaria, Dr Sherin Kunhibava & Prof Abu Bakar Munir, Prospects And Challenges: Blockchain Space In Malaysia [2018] 3 MLJ cx, p. cxii.
  6. Ibid, p. cxii.
  7. Ibid, pp. cxiv-cxv.
  8. Ibid, p. cxvii.
  9. Ibid, p. cxvii.
  10. In this context, “wallet” refers to cryptocurrency wallet, which stores the public and private keys which can be used to receive or spend a cryptocurrency.
  11. Ibid, pp. cxx-cxxi.
  13. Ibid.
  14. Ibid.
  16. Nur Husna Zakaria et al. (2018) Malaysian Blockchain Regulatory Report: A Research Report Prepared by the University of Malaya. Kuala Lumpur: University of Malaya Malaysian Centre of Regulatory Studies. As cited in Nur Husna Zakaria et al. (2018), p. 134.
  17. Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Money Services Business (Sector 3) (Supplementary Document No. 1). As cited in Nur Husna Zakaria et al. (2018), p. 141.
  18. Nur Husna Zakaria et al. (2018), p. 142.
  19. Ibid, p. 135.
  20. Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6).
  21. Nur Husna Zakaria et al. (2018), p. 137.
  27. Guidelines On Unit Trust Funds SC-GL/GUTF-2008(R2-2017), Chapter 2.
  28. Nur Husna Zakaria et al. (2018), p. 108.
  29. Ibid, p. 108.
  31. Ibid, p. 109.
  32. Ibid, p. 106.
  34. Nur Husna Zakaria et al. (2018), p. 110.
  37. Meaning a financial institution either on its own or in collaboration with a FinTech company, or a FinTech company which intends to apply or has applied for the Bank’s approval to participate in the sandbox, as defined in the Financial Technology Regulatory Sandbox Framework.


Written by:

Dr. Noorfajri Ismail & Muhammad Azly Haziq (