Bayarcash

Compliance Policy

Version: 1.0
Effective Date: [Insert Date]
Approved By: Compliance & Risk Committee
Next Review Date: [Insert Date]

1. Purpose

The purpose of this policy is to establish the framework by which Bayarcash will:

  • Meet and maintain compliance with applicable laws, regulations and industry standards (in particular BNM’s regulatory expectations for money-services or e-wallet and payment service providers, PCI DSS for card-holder data, and AMLA obligations).
  • Protect the integrity, confidentiality and availability of customer and payment data.
  • Mitigate financial crime risks (money-laundering, terrorism financing, proliferation financing, sanctions evasion).
  • Ensure that the Company operates in a secure, sound, ethical and fully accountable manner.
  • Preserve the reputation and trust of Bayarcash.

2. Scope

This policy applies to:

  • All employees, contractors, agents, board members, outsourced service providers and third-party vendors of Bayarcash.
  • All business units, processes, systems, applications and data handling activities of Bayarcash within Malaysia and globally.
  • All card-holder data environments (CDE), wallet/payment systems, customer onboarding, transaction monitoring, compliance monitoring, reporting and audit functions.

3. Regulatory & Standard Requirements

3.1 BNM & Malaysian Regulatory Expectations

  • Bayarcash must comply with BNM’s policy documents relating to governance, risk management, operations for money-services business (if applicable) and other relevant frameworks. For example, the revision of the “Policy Document on Governance, Risk Management and Operations for Money Services Business” took effect 9 April 2025.
  • BNM has demonstrated enforcement against non-compliance (e.g., administrative monetary penalties for failures in sanctions screening, service disruptions and data submissions), indicating the importance of robust compliance.
  • Bayarcash must adopt strong internal controls, board oversight, adequate resources (people, systems, training) and a culture of compliance.

3.2 PCI DSS

  • If Bayarcash stores, processes or transmits payment card data (card-holder data, CHD), then PCI DSS requirements apply.
  • The standard requires documented policies, operational procedures, and periodic assessments. For example: “All security policies and operational procedures must be documented, kept up-to-date, in use, and known to all affected parties”.
  • Bayarcash must establish a card-holder data environment (CDE) scope, secure it, restrict access, monitor, test vulnerabilities and maintain compliance year-on-year.

3.3 AMLA / AML-CFT / TFS

  • Under AMLA, Bayarcash (if a reporting institution or as otherwise required) must implement an AML/CFT programme covering Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), transaction monitoring, record-keeping, screening (including sanctions screening) and suspicious transaction reporting obligations.
  • BNM policy documents (AML/CFT & TFS for Financial Institutions / DNFBPs) set minimum requirements for sanctions screening, CDD, risk assessment, training, etc.
  • Non-compliance can lead to severe penalties and to personal liability of directors and officers.

4. Governance & Oversight

  • The Board of Bayarcash has ultimate responsibility for compliance oversight and must ensure the compliance function is sufficiently resourced and independent.
  • A designated Chief Compliance Officer (CCO) or equivalent will report to the Board (or Audit/Compliance Committee) and have responsibility for the compliance programme across BNM, PCI DSS and AMLA domains.
  • The CCO will ensure that:
    • Policies and procedures are established, maintained, reviewed and updated;
    • Compliance monitoring and testing (internal audit, external assessments) are conducted;
    • Compliance risk assessments are performed periodically and whenever business changes or new products/services are introduced;
    • Management receives regular reporting of compliance status, incidents, remediation, trends and key risk indicators;
    • Training and awareness programmes are in place for all staff.
  • Outsourced service providers and third parties must be managed via contract, oversight, monitoring and due-diligence to ensure they comply with these requirements.

5. Risk Assessment & Control Environment

  • Bayarcash shall maintain a compliance risk assessment framework covering: product/service risk, geographic risk, customer risk, transaction risk, payment instrument risk, third-party/vendor risk, technology/IT risk (for PCI and broader controls), and financial crime risk.
  • Based on risk assessment, Bayarcash shall implement appropriate controls such as: segregation of duties; role-based access; encryption of CHD; network segmentation; monitoring and logging; sanctions screening; transaction monitoring; CDD/EDD; timely reporting; incident management; change management; business continuity and disaster recovery.
  • For PCI DSS, scope must be defined, segmentation controls applied, inventory of systems and networks kept, and periodic vulnerability scans and penetration tests performed.
  • For AML/CTF, Bayarcash will adopt risk-based CDD/EDD, monitor transactions for unusual activity, maintain audit trails, periodically test the AML programme, perform sanctions screening (including UN and domestic lists) of customers and beneficial owners.

6. Customer Due Diligence & Onboarding

  • Bayarcash shall adopt documented procedures for onboarding customers (individuals/corporates) which include verifying identity, beneficial ownership (where applicable), understanding customer’s business/purpose, risk classification, source of funds (where required), screening against sanctions lists, establishing and documenting the expected transaction behaviour.
  • Enhanced Due Diligence shall apply to higher-risk customers (PEPs, high-risk jurisdictions, unusual business models, large value transactions).
  • Customer transactions shall be monitored on an ongoing basis to detect and review unusual or suspicious behaviour, and due diligence shall be refreshed or updated when a customer's risk profile changes.
  • Records of CDD/EDD shall be retained for the statutory period (as required by AMLA/regulations).
  • If Bayarcash suspects money-laundering or terrorism-financing, it shall file a Suspicious Transaction Report (STR) with the designated authority (for Malaysia, e.g., Financial Intelligence and Enforcement Department (FIED) of BNM) or other competent authority.
  • When onboarding card services or payment instruments, the cardinal principle applies: only valid, verified customers using transparent, legitimate funds are accepted.

7. Data Security & PCI DSS Controls

  • Bayarcash will implement and maintain appropriate technical and procedural controls to protect card-holder data in accordance with PCI DSS. Key requirements include:
    • Define and document scope of the Card-holder Data Environment (CDE).
    • Install and maintain network firewall and segmentation around CDE; disable default accounts; restrict access to need-to-know; enforce unique IDs and strong authentication.
    • Protect stored CHD using encryption, hashing or truncation; protect data in transit.
    • Develop, maintain and apply secure systems and applications (patch management, hardening).
    • Restrict physical access to CHD and CDE infrastructure; maintain logs and monitoring of access.
    • Track and monitor all access to network resources and CHD; retain logs for a defined period; regularly review logs and respond to anomalies.
    • Maintain a program of vulnerability scanning and penetration testing; conduct internal/external assessments yearly or as required.
    • Maintain a security policy addressing roles & responsibilities, data retention/destruction, vendor/third-party management (service providers), incident response and change management.
  • Bayarcash will perform annual or periodic PCI-compliance assessments (by a Qualified Security Assessor or internal assessor, as applicable) and maintain documentation and reporting evidencing compliance.
  • Third-party service providers who handle CHD or access the CDE must contractually agree to maintain PCI DSS compliance and provide attestations or reports of compliance.

8. Monitoring, Testing & Reporting

  • Bayarcash shall monitor and test internal controls and compliance with this policy through:
    • Periodic self-assessments and internal audits.
    • External audits or independent validations (e.g., PCI DSS assessment, AML/CFT programme review).
    • Ongoing monitoring of key risk indicators, incidents, exceptions, change in regulatory environment.
    • Management reporting, board/committee reporting of compliance status, remediation status, major issues, trends, root-cause analysis.
    • Escalation procedures for non-compliance, incidents or exceptions.
  • A formal incident & issue management process shall capture, analyse, remediate, document, communicate and learn from compliance or security incidents (including data breaches, cardholder data exposures, money-laundering suspicious activity, sanctions hits, operational disruptions).
  • Bayarcash shall document corrective actions and track remediation until closure, and conduct post-incident reviews to enhance controls.

9. Training & Awareness

  • All employees, contractors and third-party staff shall receive regular training relevant to their role on compliance obligations: AML/CFT & TFS, sanctions screening, PCI DSS requirements (for those in scope), fraud prevention, information security, data privacy.
  • Specialised training shall be provided for compliance, audit, risk, IT/security and senior management staff.
  • Training records shall be maintained, and training must be refreshed at least annually or upon substantial change in regulation or business operations.
  • Bayarcash shall promote a “know your obligations” culture: awareness campaigns, periodic messaging, refresher sessions, testing or quizzes, and tracking of training completion.

10. Vendor & Third-Party Management

  • All third-party vendors or service providers that handle Bayarcash data, processes, or systems (especially CHD or payment infrastructure) must be assessed for regulatory and security risk, contracted with appropriate terms (including confidentiality, data protection, compliance obligations, PCI DSS, AML/CFT) and subject to ongoing monitoring and review.
  • Contracts must include right to audit, compliance attestations, notification of breaches, remediation obligations, termination rights for non-compliance.
  • Periodic vendor risk assessments must be conducted; vendor performance and compliance status shall be reported and tracked.

11. Record Keeping & Retention

  • Bayarcash will maintain records of all relevant compliance activities, including: CDD/EDD documentation, sanctions screening results, transaction monitoring alerts and investigations, STR filings, PCI DSS assessment reports, vulnerability/penetration test results, access logs, audit/self-assessment reports, training records, vendor compliance records, management/board reports.
  • Retention periods shall comply with applicable law or regulation (e.g., AMLA retention period, payment card industry retention requirements) and internal policy.
  • After the retention period, records shall be securely destroyed or anonymised in accordance with internal policy and regulatory requirements.

12. Reporting to Regulators & Cooperation

  • Bayarcash shall cooperate fully with regulatory inspections, audits and requests by BNM or other competent authorities. Non-cooperation is subject to legal penalty (under AMLA amendments, directors/officers may be personally liable).
  • Bayarcash shall notify the regulator/competent authority as required: for example, in the event of significant compliance breaches, data breaches, payment card-holder data compromise, large suspicious transactions, sanctions hits, or other unusual activities.
  • Where required, Bayarcash shall submit reports (e.g., STRs under AMLA), statistical data (if required under BNM policy), incident reports, etc.
  • Bayarcash shall maintain a register of all regulatory communications, filings and responses.

13. Enforcement & Discipline

  • Non-compliance with this policy (or underlying laws/standards) by employees, contractors or third parties will be subject to disciplinary action up to and including termination.
  • The CCO and senior management shall review material breaches and propose remediation, and the Board shall review trends and decide on any major corrective actions.
  • Bayarcash will treat compliance breaches seriously: depending on severity, a breach may require escalation to the Board, notification of the regulator, independent review and root-cause analysis.
  • Directors and senior officers must ensure they understand their responsibilities; under AMLA amendments, personal liability may arise for compliance failures.

14. Review & Update of Policy

  • This Policy shall be reviewed at least annually (or more frequently if there are major regulatory changes, business changes, or material incidents) by the Compliance function and approved by the Board.
  • Any updates to policy must be communicated to all employees, contractors and relevant third parties; training must be refreshed when necessary.

15. Definitions

Term | Definition
Card-holder Data (CHD) | Full primary account number (PAN) plus any of the following: cardholder name, expiration date, service code.
Card-holder Data Environment (CDE) | The people, processes and technologies that store, process or transmit CHD or have access to CHD.
Customer Due Diligence (CDD) | The process of identifying and verifying the identity of the customer and understanding the purpose and nature of the business relationship.
Enhanced Due Diligence (EDD) | Additional due diligence for higher-risk customers, transactions or jurisdictions.
Politically Exposed Person (PEP) | An individual who is or has been entrusted with prominent public functions, including their family members or close associates.
Sanctions Screening | Matching customers, beneficial owners or transaction counterparties against sanctions lists and watch-lists (UN, domestic, etc.).
Suspicious Transaction Report (STR) | A report filed with the competent authority when a transaction raises suspicion of money laundering or terrorism financing.

16. Responsibilities Summary

Role | Key Responsibilities
Board / Audit & Compliance Committee | Ultimate oversight of the compliance programme; review major compliance risks, approve policy, review reports from the CCO.
Chief Compliance Officer (CCO) | Day-to-day oversight of compliance; develop and maintain policy & procedures; reporting, training, monitoring and vendor oversight.
Senior Management | Incorporate compliance into business planning, ensure funds and resources are allocated, enforce controls, escalate issues.
Business Units / IT / Operations / Payment Services | Implement controls, follow procedures, identify and escalate issues, maintain documentation, cooperate with audits & assessments.
Employees / Contractors | Be aware of compliance obligations, complete training, report issues, follow procedures and internal controls.
Vendors / Third Parties | Contractually comply with Bayarcash’s compliance requirements, submit to monitoring and audit, notify Bayarcash of issues.

17. Policy Exceptions & Waivers

  • Any exception to this Policy must be approved in writing by the CCO and senior management, be time-bound, documented, include compensating controls and be reviewed periodically.
  • No exception may contravene applicable law, BNM policy, PCI DSS requirement or AMLA obligations.

18. Sanctions for Non-Compliance

  • Failure to follow this Policy or underlying compliance obligations may lead to regulatory penalty (including by BNM), reputational damage, legal liability (including personal liability for officers under AMLA), and loss of licence/authorisation. For example, BNM has imposed multi-million ringgit penalties on institutions for breaches of sanctions screening and service disruption (source: Malay Mail).
  • Internally, disciplinary action (including termination) may be taken against individuals responsible for breaches or negligent compliance failures.