Executive Summary

The Mutual Evaluation Report (MER) of Malaysia 2025, published by the Financial Action Task Force (FATF) in December 2025, assesses the effectiveness of the country’s anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation (AML/CFT/CPF) measures. The evaluation recognises Malaysia’s significant progress since its 2015 MER, including strengthened legal frameworks, enhanced supervision, and improved risk understanding across sectors.

However, the MER identifies key areas requiring further improvement, particularly in the effectiveness of preventive measures among Designated Non-Financial Businesses and Professions (DNFBPs), including company secretaries.

The FATF ranks the transparency of legal persons and arrangements among Malaysia’s highest priority gaps. Enforcement of the accuracy of beneficial ownership (BO) information remains limited. The FATF also highlighted a weak suspicious transaction reporting (STR) culture among DNFBPs, and the rare use of proportionate sanctions for significant failures has been identified in the MER.

These gaps present both risks and opportunities. Company secretaries may continue to take compliance as a checkbox exercise and risk facilitating financial crime by not verifying BO information and hesitating to submit STRs for fear of client relationship impact, or be proactive in implementing robust, risk-based AML/CFT/CPF frameworks that can enhance professional credibility and contribute to Malaysia’s corporate integrity.

Company Secretaries at the Heart of Corporate Transparency

Regulators increasingly see DNFBPs as essential partners – not peripheral players – in national AML/CFT/CPF effectiveness. Company secretaries, as one of the DNFBPs and Reporting Institutions under AMLA, play a pivotal frontline role in preventing money laundering (ML), terrorism financing (TF), and proliferation financing (PF) through company formation, BO maintenance, and corporate governance.

The MER identifies company secretaries as medium-high ML risk, often linked to fraud and corruption vulnerabilities, with smaller practices showing limited risk awareness compared to larger financial institutions.

Key MER findings relevant to company secretaries include:

Challenges in verifying BO accuracy, particularly for foreign or layered ownership (around 30% inaccuracies noted in inspections).
Low STR submissions across DNFBPs underscore the need for a stronger reporting culture.
Supervision continues to lag, with enforcement actions remaining rare despite the identification of serious deficiencies. There is heavy reliance on supervisory letters rather than dissuasive sanctions.

With FATF now emphasising operational effectiveness over technical compliance, company secretaries must shift from routine administrative filings to demonstrating active risk mitigation in corporate structures.

Key Risk Drivers for Company Secretaries

i. Beneficial Ownership Verification – Beyond Form Filing

The MER acknowledges Malaysia’s strong corporate framework for BO transparency. Nonetheless, it highlights persistent difficulties for reporting institutions in penetrating opaque structures, especially those involving foreign owners or complex structures. DNFBPs’ reliance on client-provided statutory documents, limited external data sources, and self-declarations often falls short in verifying ultimate natural owners. While complex structures represent a minority of cases over the past years, the FATF anticipates an increasing number of cases and vulnerabilities as global illicit finance trends evolve.

The MER also stresses that enforcement focuses on late or missing submissions of BO information rather than inaccuracies or false declarations. This creates a compliance illusion: forms may be filed, but the data inside can obscure rather than reveal the true owners of legal entities. Company secretaries, therefore carry frontline responsibility for ensuring substantive verification – not just administrative submission – of BO details.

Best practice entails verifying ownership and control through documentary evidence such as share registers, resolutions, or, where foreign ownership exists, official overseas records. Where BO is layered through multiple entities, company secretaries must trace control chains to the ultimate natural person.

ii. Suspicious Transaction Reports (STRs) – Building a Proactive Reporting Culture

A prominent MER observation is the stark disparity in STR filings. Since 2019, Malaysia’s Financial Intelligence Unit (FIU) received approximately RM 1.39 million STRs from financial institutions (FIs) and DNFBPs, with around 93% originating from the banking sector. In contrast, the company secretary sector – although classified as medium-high risk – filed only 183 STRs over the six years. This low volume, given the sector’s exposure to risks like complex ownership setups and high-risk entity incorporations, indicates gaps in detection and reporting effectiveness among DNFBPs.

This disparity reflects an underdeveloped reporting culture, driven by several factors:

a. Misunderstanding of the Threshold
Practitioners frequently delay or withhold STRs awaiting “absolute” evidence. Under Section 14 of the Anti- Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), however, reporting is triggered by reasonable suspicion – not concrete proof. Delays also risk offences for tipping off if client inquiries become intrusive.

b. Viewing STRs as Adversarial
STR filings should be reframed as a core risk management tool and evidence of diligence. A documented STR demonstrates fulfilment of obligations and provides a strong defence if a client is later linked to financial crime.

c. Sector-specific Red Flags Overlooked
Unlike banks’ focus on cash flows, company secretaries encounter subtler corporate indicators. Company secretaries should identify sector-specific red flags, such as:

Multi-layered or opaque ownership involving high-risk jurisdictions.
Mismatches between declared business nature/activities and actual operations.
Nominee shareholders/directors without a legitimate purpose.
Requests for rapid incorporation or frequent beneficial ownership changes lacking rationale.

Viewing the STR mechanism not as a threat to client relationships but as an essential safeguard for the integrity of the corporate ecosystem, automating record maintenance and STR submission, and training employees to recognise AML/CFT/CPF typologies, will help translate awareness into action, aligning practices with both international expectations and domestic regulatory priorities in 2026 and beyond.

From Detection to Enforcement: Malaysia’s Next Challenge

The MER reported that Malaysia’s supervisors are increasingly capable of detecting AML deficiencies, but enforcement remains weak. Supervisory letters – requests for self-remediation – are still the standard regulatory response, while compounds or prosecutions for substantive AML/CFT/CPF failures are rare.

This “remediation-first” approach, while supportive in the early years of AMLA implementation, has inadvertently created an uneven playing field. Diligent firms that invest in robust screening and training absorb significant costs, while their less rigorous competitors face few tangible consequences for cutting corners.

Change, however, is imminent. Among the FATF’s Key Recommended Actions is a call for “proportionate and dissuasive sanctions” for DNFBP breaches. As Malaysia operationalises this, company secretaries can expect sharper enforcement where deficiencies persist and stricter review of compliance gaps.

For proactive firms, the message is clear: raise your internal bar now, while enforcement remains largely remediation-based.

Building Effective Compliance Frameworks

Firms must first recognise that risk exposure varies by business model and client base. A company secretary managing multiple offshore shareholders poses a higher risk than one serving domestic SMEs.

Effective frameworks start with risk assessment – classifying clients and transactions by likelihood and impact of misuse. This enables proportionate controls rather than one-size-fits-all documentation.

i. Strengthen Customer Due Diligence (CDD)

Key elements include:

Collecting reliable identification and verifying sources of wealth and funds.
Screening clients and connected parties against sanctions and politically exposed persons (PEP) lists in real time.
Updating CDD periodically, especially when ownership structures change.

Where high-risk indicators exist – complex offshore ownership, use of nominees, or transactions inconsistent with stated business purpose – enhanced due diligence must apply.

ii. Record-Keeping and Reporting Discipline

The FATF evaluation highlighted weak STR culture among DNFBPs. Many professionals hesitate to report for fear of client relationship impact or misunderstanding threshold triggers.

Yet an STR is not an accusation; it is a regulatory safeguard. Automating record maintenance and STR submission, and training employees to recognise typologies, helps translate awareness into action.

iii. Leverage Technology

Manual compliance processes no longer suffice. Using data analytics to identify anomalies – unusual corporate linkages, repeated use of certain addresses, transactional round-tripping – reflects a shift towards intelligence-driven supervision. Firms adopting compliance technology demonstrate forward alignment with Malaysia’s evolving supervisory expectations.

vi. Institutionalise Compliance Culture

A risk-aware culture cannot depend solely on one compliance officer. Governance functions – boards, partners, and managing directors – must understand their accountability. This cultural embedding transforms AML/CFT/CPF from a regulatory cost into a governance discipline, reinforcing ethical identity and long-term trust.

Beyond Compliance: Competitive Differentiation

Progressive company secretaries increasingly recognise that compliance capability can create business advantages. As enforcement intensifies, clients – especially banks and multinational corporations- will prefer working with firms that demonstrate robust AML/CFT/ CPF systems.

Four differentiators are emerging:

Trust and Reputation – Firms with transparent operations, documented CDD, and timely STRs gain credibility with regulators and clients alike.
Operational Efficiency – Automated verification and reporting systems streamline customer onboarding and reduce human error.
Market Access – Bank accounts and professional partnerships increasingly require counterparties to meet AML/CFT/ CPF standards.
Investor Confidence – For corporate services providers, demonstrable compliance gives foreign investors greater confidence when navigating Malaysia’s regulatory landscape.

Conclusion

Malaysia’s AML/CFT/CPF landscape is entering a new phase – one where compliance is not only about fulfilling obligations but proving effectiveness. In that transformation, DNFBPs stand as both potential vulnerabilities and vital guardians of integrity.

The “Enforcement Era” has arrived. Reporting institutions and the company secretarial profession should move beyond administrative box-ticking and embrace a genuine risk-based approach and proactive action. By strengthening due diligence, embracing technology, and embedding compliance into governance practice, professional firms can demonstrate that Malaysia’s fight against financial crime extends beyond banks to the very fabric of corporate trust.

This shift will fortify Malaysia’s AML/CFT/CPF regime, protect corporate integrity, and meet evolving international standards. Reporting institutions that act decisively will not only mitigate regulatory risks but also contribute meaningfully to national security and economic resilience.

This article was published in the January–March 2026 edition of Corporate Vo!ce, the official journal of the Malaysian Institute of Chartered Secretaries and Administrators (MAICSA). Reprinted with permission.

Reference:

[1] Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), https://amlcft.bnm.gov.my/the-amla

Bank Negara Malaysia (2024), Anti-Money Laundering, Countering Financing of Terrorism, Countering Proliferation Financing and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) and Non-Bank Financial Institutions (NBFIs) (AML/CFT/CPF and TFS for DNFBPs and NBFIs), https://www.bnm.gov.my/documents/20124/13380097/pd-AMLCFTCPF-TFS-DNFBI-NBFI-Feb2024.pdf

FATF (2025), Mutual Evaluation Report of Malaysia, FATF, Paris and APG, Sydney, https://www.fatf-gafi.org/content/fatf-gafi/en/publications/Mutualevaluations/mer-malaysia-2025.html

Recent Posts: