Changes
Change #18
# Guidelines on Electronic Know-Your-Customer (e-KYC)

**Issuing Authority:** Bank Negara Malaysia
**Document No:** BNM/RH/PD 030-10
**Effective Date:** 1 July 2024
**Version:** 1.2
**Revision Notice:** This version supersedes version 1.1 dated 1 April 2024. Please refer to the revision history at the end of this document.

## 1. Introduction

This document sets out the regulatory expectations for financial institutions implementing electronic Know-Your-Customer (e-KYC) solutions for customer onboarding and ongoing due diligence. These guidelines apply to all licensed banks, Islamic banks, insurers, and prescribed institutions under the purview of Bank Negara Malaysia.

Financial institutions are expected to adopt robust technology solutions that balance customer convenience with the integrity of verification processes. The adoption of e-KYC shall not compromise the quality of customer due diligence conducted by the institution.

## 2. Scope of Application

These guidelines are applicable to the following categories of financial institutions:

1. Licensed banks and licensed Islamic banks
2. Licensed insurers and licensed takaful operators
3. Prescribed institutions under the Development Financial Institutions Act 2002
4. Payment system operators and e-money issuers

## 3. Minimum Requirements for e-KYC Technology

### 3.1 Identity Verification

All e-KYC solutions must incorporate the following minimum capabilities for identity verification:

| Component | Requirement | Standard |
| :--- | :--- | :--- |
| Document Authentication | Verify authenticity of identity documents (MyKad, passport) | ISO/IEC 19794-5 |
| Facial Recognition | Liveness detection with anti-spoofing measures | ISO/IEC 30107-3 Level 1 |
| Data Extraction | Automated extraction of personal data from identity documents | ICAO Doc 9303 |

### 3.2 Risk Assessment

Financial institutions shall implement a risk-based approach to e-KYC. Higher-risk customers or transactions must be subjected to enhanced due diligence measures, which may include additional verification steps or manual review by trained personnel.

### 3.3 Third-Party e-KYC Service Providers

Where financial institutions engage third-party providers to deliver e-KYC functions, they remain fully responsible for compliance with these guidelines. A formal due diligence assessment of the third-party provider must be conducted prior to engagement and reviewed annually thereafter.

## 4. Data Protection and Privacy

All personal data collected through e-KYC processes must be handled in accordance with the Personal Data Protection Act 2010 (PDPA). Financial institutions must ensure:

* Explicit customer consent is obtained prior to data collection
* Data is encrypted both in transit (TLS 1.2 or above) and at rest (AES-256)
* Biometric data is stored for a maximum period of 4 years from account closure
* Regular penetration testing is conducted on e-KYC infrastructure

## 5. Reporting and Compliance

Financial institutions shall submit quarterly reports to the Supervision Department detailing:

| Report Item | Frequency | Submission Deadline |
| :--- | :--- | :--- |
| e-KYC onboarding volume and success rates | Quarterly | 15th of following month |
| Fraud and false positive rates | Quarterly | 15th of following month |
| System downtime and incident reports | Monthly | 5th of following month |

## 6. Revision History

| Version | Date | Summary of Changes |
| :--- | :--- | :--- |
| 1.0 | 1 Jan 2024 | Initial issuance |
| 1.1 | 1 Apr 2024 | Added requirements for third-party e-KYC service providers |
| 1.2 | 1 Jul 2024 | Biometric retention reduced from 5 to 4 years |

© 2024 Bank Negara Malaysia. All rights reserved. This document is issued pursuant to sections 47(1) and 266 of the Financial Services Act 2013 and sections 57(1) and 277 of the Islamic Financial Services Act 2013.
Executive Summary
The document has been reverted to version 1.1, effectively reversing the biometric data retention policy change introduced in version 1.2. The retention period for biometric data is now set back to 5 years from account closure.
Impact Assessment
Severity: medium
Category: Data Privacy and Compliance
The retention period for biometric data has increased by one year, requiring updates to automated data purging schedules in IT systems.
Affected: Section 4
Recommended Actions
| Role | Action |
|---|---|
| Compliance Team | Update internal data retention policies to reflect the 5-year requirement. |
| | Verify that automated deletion scripts are adjusted to align with the 5-year retention period. |
Timeline
Effective Date: 1 April 2024
Notes: The document is effective as of 1 April 2024.
Document Details
| Field | 1.2 | 1.1 | Status |
|---|---|---|---|
| Version | 1.2 | 1.1 | CHANGED |
| Effective Date | 1 July 2024 | 1 April 2024 | CHANGED |
| Copyright | 2024 Bank Negara Malaysia. All rights reserved. | 2024 Bank Negara Malaysia. All rights reserved. | Unchanged |
| Document Owner | Bank Negara Malaysia | Bank Negara Malaysia | Unchanged |
| Total Pages | 1 | 1 | Unchanged |
1. Document Metadata
Updates to versioning and effective dates.

| Status | Field | Description | Old | New |
|---|---|---|---|---|
| CHANGED | Effective Date | Effective date reverted to 1 April 2024. | 1 July 2024 | 1 April 2024 |
| CHANGED | Version | Version number reverted to 1.1. | 1.2 | 1.1 |

2. Data Retention Policy
Change in biometric data storage duration.

| Status | Field | Description | Old | New |
|---|---|---|---|---|
| CHANGED | Biometric data storage period (Section 4) | Increased biometric data retention period from 4 to 5 years post-account closure. | 4 years | 5 years |

3. Revision History
Updates to the document change log.

| Status | Field | Description |
|---|---|---|
| REMOVED | Revision 1.2 (Section 5) | Removed entry for version 1.2. |
Sections with No Changes
| Section | Clauses |
|---|---|
| Introduction | Section 1 |
| Data Security | Section 4 (excluding biometric retention clause) |
Summary of Changes
| Category | Count | Detail |
|---|---|---|
| CHANGED | 3 | Updates to document versioning, effective dates, and biometric data retention policy. |
| REMOVED | 1 | Removal of the version 1.2 revision history entry. |
--- old +++ new @@ -2,10 +2,10 @@ **Issuing Authority:** Bank Negara Malaysia **Document No:** BNM/RH/PD 030-10 -**Effective Date:** 1 July 2024 -**Version:** 1.2 +**Effective Date:** 1 April 2024 +**Version:** 1.1 -**Revision Notice:** This version supersedes version 1.1 dated 1 April 2024. Please refer to the revision history at the end of this document. +**Revision Notice:** This version supersedes version 1.0 dated 1 January 2024. Please refer to the revision history at the end of this document. ## 1. Introduction @@ -48,7 +48,7 @@ * Explicit customer consent is obtained prior to data collection * Data is encrypted both in transit (TLS 1.2 or above) and at rest (AES-256) -* Biometric data is stored for a maximum period of 4 years from account closure +* Biometric data is stored for a maximum period of 5 years from account closure * Regular penetration testing is conducted on e-KYC infrastructure ## 5. Reporting and Compliance @@ -67,7 +67,6 @@ | :--- | :--- | :--- | | 1.0 | 1 Jan 2024 | Initial issuance | | 1.1 | 1 Apr 2024 | Added requirements for third-party e-KYC service providers | -| 1.2 | 1 Jul 2024 | Biometric retention reduced from 5 to 4 years | © 2024 Bank Negara Malaysia. All rights reserved. This document is issued pursuant to sections 47(1) and 266 of the Financial Services Act 2013 and sections 57(1) and 277 of the Islamic Financial Services Act 2013.
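Review bot: The effective date in the first hunk moves backward, from `**Effective Date:** 1 July 2024` to `**Effective Date:** 1 April 2024`, while the version drops from 1.2 to 1.1, so a document re-issued after the 1.2 text was in force now claims to have taken effect before the version it replaces, and the period from 1 July 2024 onward is left ambiguous as to which text applied. If the intent is to undo the 1.2 changes, issue a new version with a new effective date that restores the 1.1 wording, and have the Revision Notice name 1.2 (not 1.0) as the superseded version.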
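Review bot: The bullet `* Biometric data is stored for a maximum period of 5 years from account closure` in the second hunk sets a ceiling, not a fixed retention period, so deletion jobs already configured to purge at 4 years remain compliant after this change; the change record above nonetheless tells the compliance team to adjust automated deletion scripts to the 5-year period. Either the bullet should state whether biometric data must be retained for the full period before deletion, or the recommended action should be limited to updating the written retention policy.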
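Review bot: Deleting the row `| 1.2 | 1 Jul 2024 | Biometric retention reduced from 5 to 4 years |` in the third hunk removes the only record that version 1.2 was ever issued, so a reader holding a 1.2 copy cannot reconcile it against this text, and the history no longer explains why the retention period changed twice. A reversion belongs in the log as a new entry describing what was reverted, with the 1.2 row left in place.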