Bayarcash

Malaysian Fintech Compliance Summary

Version: 1.0
Effective Date: 01 March 2026
Approved By: Compliance & Risk Committee
Next Review Date: 01 March 2027

1. Purpose

This document provides a consolidated reference of the regulatory compliance obligations applicable to Bayarcash Sdn. Bhd. as a licensed payment service provider operating in Malaysia. It serves as a regulatory landscape map to guide policy development, gap analysis, and compliance planning.

2. Regulatory Framework Overview

Bayarcash operates under multiple overlapping regulatory frameworks:

Regulator / Standard | Scope | Key Legislation / Document
Bank Negara Malaysia (BNM) | Payment system licensing, governance, operations | Financial Services Act 2013 (FSA), Islamic Financial Services Act 2013 (IFSA)
BNM — RMiT | Technology risk management, cybersecurity | Risk Management in Technology (RMiT) policy, updated 28 November 2025
BNM — AML/CFT | Anti-money laundering, counter-terrorism financing | Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)
PDPD (JPDP) | Personal data protection | Personal Data Protection Act 2010, amended by PDPA Amendment Act 2024
PCI SSC | Card payment data security | PCI DSS v4.0
PayNet | FPX, Direct Debit, DuitNow operational rules | PayNet operational guidelines and technical standards

3. BNM Licensing & Approval

Any payment system operator must obtain BNM approval under Section 11 of the Financial Services Act 2013 before commencing operations.

3.1 Approval Requirements

Category | Requirement
Payment System Operator | Section 11 FSA approval
Merchant Acquiring Services | Registration with BNM
Designated Payment Instruments | Separate approval for debit/credit/charge/e-money (if applicable)

3.2 Enforcement Precedent

BNM actively enforces compliance. Example: Alipay Malaysia was fined RM340,000 for failing to update its sanctions database, which disrupted screening of customer accounts and delayed the freezing of funds linked to a listed entity.

4. Personal Data Protection Act 2010 (PDPA) & 2024 Amendments

The Personal Data Protection (Amendment) Act 2024 introduced significant changes, rolled out in three phases:

4.1 Implementation Timeline

Phase | Effective Date | Key Changes
Phase 1 | 1 January 2025 | Administrative changes
Phase 2 | 1 April 2025 | “Data controller” term introduced; biometric data classified as sensitive personal data; stricter cross-border data transfer rules
Phase 3 | 1 June 2025 | Mandatory DPO appointment; 72-hour data breach notification; data portability rights

4.2 Key Requirements for Bayarcash

Mandatory Data Protection Officer (DPO): Data controllers and data processors must appoint at least one DPO. This has been mandatory since 1 June 2025.

72-Hour Breach Notification: Data controllers who have reason to believe a data breach has occurred must notify the Personal Data Protection Commissioner and affected data subjects “as soon as practicable” and within 72 hours if the breach causes or is likely to cause significant harm.

Biometric Data: Biometric data (physical, physiological, or behavioural characteristics from technical processing) is now categorised as sensitive personal data. Relevant for KENAL (identity verification) if biometric processing is involved.

Data Portability: Individuals can request their data in a machine-readable format for transfer to another service provider.

Right to Erasure: Clearer right to be forgotten, allowing individuals to request deletion of their personal data.

Enhanced Penalties: Maximum fines up to RM1 million and imprisonment up to 3 years — a five-fold increase from previous penalty structures.

Vendor Accountability: Vendors processing customer data on behalf of a client can now be directly fined under PDPA. All vendor contracts must include proper data processing agreements.

Cross-Border Data Transfers: Stricter controls requiring data controllers to undertake rigorous assessment of the receiving country’s data protection framework before transferring personal data outside Malaysia.

5. AML/CFT & Sanctions Compliance

5.1 Core Obligations

Requirement | Detail
Sanctions screening | Every new customer screened against Domestic List and UN sanctions lists
PEP screening | Politically Exposed Persons screening mandatory
Ongoing transaction monitoring | Continuous monitoring for suspicious patterns or inconsistencies
Suspicious Transaction Reports (STR) | Filed with BNM’s Financial Intelligence and Enforcement Department (FIED)
Customer Due Diligence (CDD) | Identity verification, beneficial ownership, source of funds
Enhanced Due Diligence (EDD) | For high-risk customers, PEPs, high-risk jurisdictions
Record keeping | Minimum 6-7 years depending on specific regulation

6. Risk Management in Technology (RMiT)

The latest RMiT policy revision took effect on 28 November 2025. It is being extended to non-bank merchant acquirers, making it directly applicable to Bayarcash.

6.1 Key Requirements

Area | Requirement
Security Operations Centre (SOC) | 24/7 monitoring capability for anomalous activities and potential breaches
Cyber drills | Annual exercises demonstrating incident response readiness
Third-party risk management | Comprehensive cybersecurity, data protection, and business continuity assessments before onboarding external partners
Cloud risk management | Specific controls for cloud deployments
Technology audit | Regular internal audits of technology systems
Business continuity | Tested and documented BCP/DR plans
Governance | Board-level oversight of technology risk
Training | Staff awareness and competency in technology risk

6.2 Scope Extension

The November 2024 Exposure Draft extends key RMiT standards from large financial institutions to smaller FIs and other market participants including non-bank merchant acquirers — covering governance, cybersecurity monitoring, and broader technology risk areas.

7. PCI-DSS

Relevant for Bayarcash due to card payment processing integration with Infinitium Infuture Sdn. Bhd.

7.1 Compliance Levels

Level | Annual Transactions | Requirement
Level 1 | >6 million | On-site audit by Qualified Security Assessor (QSA)
Level 2 | 1-6 million | Self-Assessment Questionnaire (SAQ)
Level 3 | 20,000-1 million | SAQ
Level 4 | <20,000 | SAQ

7.2 Scope Reduction Strategy

Since Infinitium handles actual card data processing, Bayarcash can reduce PCI scope by:

  • Never storing, processing, or transmitting raw cardholder data
  • Using tokenization and redirect-based payment flows
  • Targeting SAQ-A or SAQ-A-EP compliance level
  • Ensuring Infinitium maintains and provides PCI-DSS compliance attestation

8. PayNet Operational Rules

For FPX and Direct Debit channel operations:

  • Settlement rules and timelines
  • Dispute resolution procedures
  • Technical connectivity standards
  • Uptime and availability requirements
  • Compliance with PayNet operational guidelines

9. Compliance Action Matrix

Area | Action Required | Priority | Status
PDPA — Appoint DPO | Mandatory since Jun 2025 | Critical | To verify
PDPA — Breach notification procedure | Document 72-hour response process | Critical | To implement
PDPA — Data processing agreements | Update all vendor contracts | High | To review
PDPA — Cross-border assessment | Audit international data flows | High | To implement
PDPA — Data portability mechanism | Enable machine-readable data export | Medium | To implement
PDPA — Biometric data handling | Assess KENAL biometric processing | Medium | To assess
AML/CFT — Sanctions screening | Verify automated screening in place | Critical | To verify
AML/CFT — Transaction monitoring | Verify automated suspicious pattern detection | Critical | To verify
RMiT — SOC capability | Establish or outsource 24/7 monitoring | High | To assess
RMiT — Annual cyber drills | Schedule annual simulation exercises | High | To plan
RMiT — Vendor risk assessments | Document assessment for all tech vendors | High | To implement
PCI-DSS — SAQ determination | Determine SAQ level based on Infinitium integration | Medium | To assess
PCI-DSS — Infinitium attestation | Obtain PCI-DSS compliance attestation from Infinitium | Medium | To request

10. Document Update Requirements

The following internal policy documents require updates to reflect current regulatory requirements:

10.1 Data Protection & Privacy Policy

  • Replace incorrect Philippines Data Privacy Act 2012 reference with Malaysian PDPA 2010
  • Add PDPA 2024 Amendment Act provisions (DPO, breach notification, biometric data, data portability, right to erasure)
  • Update penalties to RM1 million / 3 years
  • Add vendor accountability provisions
  • Add cross-border transfer assessment requirements

10.2 Cybersecurity Policy

  • Replace generic GDPR/HIPAA/ISO 27001/NIST references with BNM RMiT
  • Add SOC 24/7 monitoring requirement
  • Add annual cyber drill requirement
  • Add third-party vendor cybersecurity assessment
  • Add cloud risk management controls
  • Fill placeholder dates and values

10.3 Incident Response Policy

  • Replace “72 hours under GDPR” with PDPA 2024 Amendment breach notification requirement
  • Add BNM reporting requirements for significant incidents
  • Add PDPA Commissioner notification procedures
  • Fill placeholder contact details
  • Specify Malaysian regulatory reporting timelines
  • Add new data subject rights from 2024 amendments (right to erasure, data portability)
  • Add DPO information and contact
  • Add breach notification commitment
  • Add biometric data processing disclosure (if applicable)
  • Update version from 1.0
  • Add PDPA 2024 amendment compliance language
  • Add data portability provisions
  • Add right to erasure provisions
  • Add DPO contact information
  • Add cross-border data transfer details
  • Add vendor/data processor accountability language

11. References