‘Spring Cleaning’ Part 4: Malaysia RMO Ruling

Guide for Digital Asset Exchanges to be Recognized Market Operators (RMO) Pt. I

by Edwin Lee


On 31 January 2019, the Securities Commission (“SC”) introduced a new legal framework to facilitate trading of cryptocurrencies (in the Guidelines, it is called “Digital Assets”) in Malaysia. Basically, the SC amended the Guidelines on Recognized Markets (“Guidelines”) to provide formal and legal recognition for electronic platforms that facilitate the trading of Digital Assets (in the Guidelines, it is called “Digital Asset Exchange” (DAX)).

If you have been following the FinTech regulations in Malaysia, you would immediately notice that this is the same Guidelines that also applies to Equity Crowdfunding platform (ECF) and Peer-To-Peer financing platform (P2P).

The Guidelines sets out the general requirements (that apply to all electronic platforms such as ECF, P2P and DAX) and specific requirements (chapters 13 (for ECF), 14 (for P2P) and 15 (for DAX)) for registration as a recognized market operator (“RMO”) and ongoing requirements applicable to a RMO.

In this article, we break down the general and specific requirements that apply to a DAX for your easy reading and understanding.

Who does the Guidelines apply to?

If a DAX is operated, provided or maintained in Malaysia OR is located outside Malaysia but actively targets Malaysian investors, then such DAX is subject to the Guidelines and must apply to the SC for approval in order to operate in Malaysia.

How to apply for registration?

Anyone who intends to operate a DAX (“Applicant”) must apply to the SC but application does not guarantee registration. The SC will review whether the Applicant meets all the criteria in assessing whether or not to approve such application.

An Applicant must submit Forms 1, 1A, 1B and 2C to the SC on or before 1 March 2019. There is no indication whether the SC will still entertain application received after the deadline.

What are the criteria for registration?

  • the Applicant must show that it will be able to operate an orderly, fair and transparent market;
  • the Applicant must submit true and not misleading information and document;
  • the Applicant is not in the process of being wound up or dissolved or has not entered into a compromise or scheme of arrangement with its creditors;
  • the Applicant’s directors, CEO and key responsible persons are fit and proper;
  • the Applicant’s business model has a clear or unique value proposition or will contribute to the overall development of the capital market;
  • the Applicant will appoint at least 1 responsible person;
  • the Applicant will come up with a fair and transparent set of rules for its DAX;
  • the Applicant must show that it will be able to take appropriate action against a person who is in breach;
  • the Applicant must show that it will be able to manage risks associated with its business and operation;
  • the Applicant must show that it has sufficient financial, human and other resources for the operation of its DAX; and
  • the Applicant must show that it has put in place appropriate security arrangements pursuant to the Guidelines on Management of Cyber Risk. The SC places strong emphasis on IT security and assurance and requiring the Applicant to show that it has placed adequate IT security measures and has sufficient IT and technical support to operate and maintain the DAX as well as to prevent any loss, theft or hacking.

If the Applicant is a foreign operator, in addition to the above, it must also show to the SC that:

  • it is authorised to operate the similar activity in a foreign country;
  • it comes from a country which has comparable regulatory arrangements on enforcement and supervision like the SC; and
  • it is in the best interest of Malaysia to register such Applicant as a RMO.

Who can be appointed as the directors and responsible person?

An Applicant must only appoint fit and proper persons to be its directors.

How many directors can be appointed?

There is no minimum number specified by the SC. Under the Companies Act 2016, a company can have a minimum of 1 director. However, for purposes of good corporate governance, we would suggest more than 1 director, especially for a platform that deals with investors’ monies and operates in a highly regulated capital market industry.

If there is any new appointment, removal or resignation of director, the RMO must notify the SC as soon as possible.

How many responsible person can be appointed?

The minimum number is one.

The SC prefers the CEO or the main person in charge of operations and financial be appointed as the responsible person. The responsible person is also the main contact person to liaise with the SC. If there is any vacancy of the position of a responsible person, the RMO must fill the replacement within 3 months.

What are the RMO Obligations?

A RMO must:

  • monitor and ensure compliance of its rules;
  • ensure fair treatment of its users;
  • provide fair and accurate disclosures;
  • provide sufficient risk warning statement and obtain and retain self-declared risk acknowledgement forms from its users prior to them investing in a recognized market;
  • ensure that all fees and charges payable are fair, reasonable and transparent;
  • ensure that it does not engage in any business practices appearing to SC to be deceitful, oppressive or improper or reflect discredit on his method of conducting business;
  • carry out continuous awareness and education programmes;
  • put in place AML/KYC framework; and
  • disclose and display prominently on its DAX legally drafted terms and conditions and information regarding investment and fees and charges that the RMO may charge.

What are the RMO’s board’s obligations?

The RMO’s board must:

  • ensure the RMO complies with the Guidelines and any direction issued by the SC from time to time;
  • ensure the responsible person carries out his responsibilities and duties;
  • put in place an effective business continuity plan;
  • put in place policies and procedures on:
  • managing conflict of interest;
  • monitoring trading and other market activity to detect non-compliance with the securities laws;
  • dealing with complaints relating to the operations of its DAX; and
  • compliance with relevant laws including PDPA 2010.
  • Immediately notify the SC of any irregularity or breach of securities and anti-money laundering laws; material change of information submitted to the SC; or if it becomes aware of matter which adversely affects its obligations under the Guidelines.

Can a RMO outsource some of its obligations?

Yes, but the RMO’s board remains responsible for all outsourced functions.

The RMO’s board must put in place an outsourcing policy to monitor the service delivery and performance reliability of the outsourced service provider. The RMO must perform periodic assessment on its service provider. The RMO must also procure a letter of undertaking from the service provider to the SC stating that SC can have access to all information, records and documents relating to the outsourced arrangements. If there is any adverse incident happened, the RMO must notify the SC within 2 weeks from the occurrence of the event.

The outsourcing framework needs to cover the following:

  • details of functions intended to be outsourced and rationale;
  • details of parties that carry out the outsourced functions; and
  • details of monitoring arrangements on outsourced functions’ service levels.

Any other obligations?

A RMO must submit:

  • any proposed rules or amendments to the SC which is subject to amendment if requested by the SC;
  • an annual compliance report to show compliance with SC’s conditions and requirements; and
  • latest audited financial statement within 3 months after the close of financial year.

To view the continuation of this article, click here.

The view expressed in this article is intended to provide a general guide to the subject matter and does not constitute professional advice. You are advised to seek proper advice for your specific situation.

Leave a comment

seventeen − 8 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.