Virtual Asset Risk Assessment (VARA) 2024 Executive Summary

Virtual Asset Risk Assessment (VARA) 2024

Virtual Asset Risk Assessment 2024 1 Overview VARA 2024 is undertaken by theNational Coordination Committee to Counter Money Laundering (NCC). 1 VARA 20242 assess and identifies the risk of money laundering (ML), terrorism financing (TF) and proliferation financing (PF) associated with virtual assets (VAs) and virtual asset service providers (VASPs) in Malaysia for the period between 2020 and 2022. This is following the findings of theNational Risk Assessment (NRA) 2020 which identifies the use of VA as an emerging risk to the ML/TF landscape in Malaysia. Executive Summary 1 Members include regulatory and supervisory authorities such as Bank Negara Malaysia (BNM), Securities Commission Malaysia (SC) and Labuan Financial Services Authority (LFSA), as well as law enforcement agencies such as Royal Malaysia Police (RMP), Malaysian Anti- Corruption Commission and Inland Revenue Board of Malaysia. 2 The Financial Action Task Force’s (FATF) Recommendation 15 require countries to identify and assess the ML/TF/PF risks emerging from VA and VASPs activities or operations of VASPs. 3 Refers to Labuan Money Broker and Labuan Bank. 4 VA is prescribed as securities under the Capital Markets and Services Act 2007 – Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019. VA exchanging activities conducted with onshore VASPs are recognised as buying and selling of securities with fiat currency. Key Features of VA and VASP Landscape in Malaysia AML/CFT/CPF Regulations and Guidelines on VA/VASP Year 2020−22 Year 2018−19 Summary of VASPs Regimes in Malaysia In Malaysia… VA is not recognized as legal tender and is not accepted as a mode of payment for purchase of goods and services VA activities are mainly exchanging activities, 4 i.e. exchange between VA and fiat In 2022, 85% of total VASP activities were facilitated by onshore VASPs Onshore VASPs Supervised by SC Registration regime All operating four VASPs are Digital Asset Exchanges Labuan International Business and Financial Centre (IBFC) VASPs Supervised by LFSA Mixed Regime (Licence or Approval) Operating VASPs comprise eight LMB and a LB3 Exchanges AML/CFT/CPF guidelines (including on travel rule) issued by Securities Commission Malaysia (SC) and Labuan Financial Services Authority (LFSA) The inclusion of VA activities in the First Schedule of Anti- Money Laundering, Anti- Terrorism Financing and Proceeds of Unlawful Activities 2001 (AMLA 2001)

Virtual Asset Risk Assessment 2024 2 Executive Summary Methodology Emulates the broad indicators adopted in the NRA 2020 comprising: a. Quantitative data points - Including statistics from the financial intelligence unit, supervisory and law enforcement agencies (LEAs) under the NCC, such as intelligence reports, investigations, mutual legal assistances and independent reports; and b. Qualitative sources - Includes perception survey, open-source materials and focus groups engagements with experts in various fields, including LEAs, VASPs, other financial sectors, as well as cryptocurrency analytic companies to support statistical findings and trends observed. Main Findings VARA 2024 concluded that the materiality of VA illicit activities in Malaysia is negligible but observed a notable upward trend5 due to its increasing association with high-risk ML crimes.6 To-date, there is no case of TF and PF involving VA in the country. Common ML threats identified involve foreign VA activities which indirectly poses some vulnerabilities to Malaysian VASPs as a conduit of illicit funds. Nevertheless, the likelihood of such occurrences is low as case studies by Malaysian LEAs indicate a higher preference towards foreign VASPs due to the added anonymity, as well as complex products and services such as mixers, mining pools, peer-to-peer services, etc.7 5 Size of domestic illicit VA activities for the year 2022 is less than 1% (approx. USD6.29 million) of global illicit VA activities (approximately USD23.8 billion as set out in Chainalysis’ Crypto Crime Report 2023). The size have grown to at least USD34.52 million in 2023 due to a notable case. 6 Refers to the top five (5) high-risk crimes assessed in the NRA 2020, specifically Fraud, Organised Crime, Corruption, Illicit Drug Trafficking and Smuggling. 7 Regulatory authorities are actively monitoring and continuously updating their alert lists (SC ; LFSA ; BNM) to advise the public to avoid dealing or investing with unauthorised entities and individuals (including websites) and exercise due care. Snapshot of Ratings Threat Extent of association to predicate offences Sectoral Characteristics of regulated VASPs and extent of activities Controls Adequacy of AML/CFT/CPF measures in mitigating risks ML: Medium High TF: Low PF: Low ML/TF/PF Onshore: Medium Labuan IBFC: Medium Acceptable Largely effective to mitigate risk Highlights of Threat Key Trend Increasing reports involving ML high-risk crimes related to Fraud and some indications of Drugs Trafficking and Illegal Gambling activities Note: More than 90% of VA cases in Malaysia involves Fraud activities Common Modus Operandi • Investment scams / Darknet activities • Involves cross-border VA platforms to facilitate layering • Abuse of widely accepted VAs such as BTC, ETH and USDT Key Risk Drivers and Facilitators Enhanced Anonymity Borderless Ease of Creation Exchanges Online Marketplaces

Virtual Asset Risk Assessment 2024 3 Executive Summary Case Study: Investment Scam Victim transferred a certain amount of BTC to a criminal wallet under purported investment Victim has the ability to monitor their investment platform, administered by the criminal Victims Investment platform Law Enforcement Agency Overseas VASPs in offshore jurisdiction and gambling sites Criminal VA wallet (Unhosted wallet) FIU in Malaysia FIU in offshore jurisdiction 1 VA transferred outside Malaysia’s jurisdiction to layer illicit proceeds Three accounts belonging to Malaysians, with a total amount approx. USD44 million in VA at the time of identification MLA and court order shared to the offshore jurisdiction later led to the freezing of the assets identified Ongoing domestic investigation against suspect regarding the purported investement 2 Dissemination of information through secured channel on VA owned by the subject Disclosure on VA owned by individual 5 4 Lodge of suspicious transaction report by offshore VASP 3 BTC VA BTC Within Malaysia Cross-border Brief Facts Of Case A foreign Financial Intelligence Unit (FIU) reported suspicious activity involving three Malaysian individuals to the Malaysian FIU. One of the VASPs under their supervision filed the reports, suspecting that the deposited VA in their clients' accounts originated from a Ponzi Scheme. The VASP grew suspicious when one of the suspects had significant transactional ties to a gambling website known for its non-KYC gambling service, amounting to USD 1.6 million. Further investigations revealed the suspect's involvement in a Bitcoin investment scam in Malaysia. Investigations conducted by local authorities also confirmed that the VAs reported by the Malaysian FIU can be linked to the fraudulent activities are associated with a previously operating Ponzi scheme in Malaysia. The Ponzi scheme centered around a Bitcoin investment program that targeted investors through social media, offering a daily return of 1% on their investments. Additionally, investors were enticed with a referral commission of 10% for bringing in new participants to join the investment. Local authorities also received reports regarding the investment scheme, which involved over 20,000 Bitcoins. Local authorities took actions, resulting in the successful confiscation of assets worth RM4.9 million. These assets included bank accounts, cars, and bank drafts. Arising from the information at the FIU, local authorities have extended their actions by submitting a Mutual Legal Assistance (MLA) request, including the Malaysian court order to the foreign jurisdiction to freeze the VA identified under Section 53 of AMLA 2001. This has led to the freezing of VA belonging to the suspects amounting to USD34.52 million in 2023. (Note: These assets were identified and frozen after the assessment period of VARA)

Virtual Asset Risk Assessment 2024 4 Executive Summary Highlights of Sectoral Vulnerabilities Cross-border transfers VA sourced from overseas wallets / exchanges into/from the Malaysian VASPs as part of its services. Likelihood of ML Significant growth in number of suspicious transaction reports by the VASPs indicates some likelihood of abuse, albeit attributed by its detection mechanisms. Materiality Small in market size (less than 1%) when comparing onshore VASPs to onshore capital markets, and Labuan IBFC VASPs to Labuan licensed sectors. Nature of Business • Limited types of products and services e.g. no privacy coins, absence of cash-based transactions and main activities are of lower risk (i.e., exchanging fiat and VA). • Exchanging permitted only with individual’s own Malaysian bank account or approved e-money issuer for onshore VASPs. As for Labuan IBFC VASPs, 82% of activities are with foreign-regulated entities. Risk Drivers Extent of Exposure Recommendations Generally, Malaysia has implemented control measures that are assessed to be largely effective to mitigate the identified ML/TF/PF risks emanating from VA/VASP. Key focus areas moving forward are summarised in the following recommendations. 8 Such offences under the Electricity Supply Act 1990 has been included within the AMLA 2001, effective 15 June 2024. 9 FATF’s wire transfers requirements in the VA context is called the “travel rule” which is a requirement for originating VASPs to obtain, hold and submit required and accurate originator and required beneficiary information (FATF’s Targeted Update on Implementation of FATF’s Standards on VA and VASPs (June 2022)). As of 2023, both SC and LFSA has published guidelines on the travel rule requirements. a. Regulatory Enhance or develop procedures and policy for seizing, confiscating and handling VAs. Inclusion of predicate offences relating to electricity theft into AMLA 2001 as part of addressing VA mining cases.8 b. Enforcement Increase parallel (predicate and ML) investigation for cases involving VA, leading to successful prosecution of offenders and/or confiscation of proceeds and instrumentalities. Intensify or enhance monitoring mechanisms on illegal/ unregulated VASPs. c. Capacity Building Increase outreach to public and participate in trainings with domestic and international counterparts as part of building expertise, among others on VA services that are not available in Malaysia, including the use of analytical/ investigative tools. d. Coordination and Cooperation Continue to utilise compliance working groups amongst the regulated VASPs to increase understanding of typologies, red flags and building capacity of VASPs relating to AML/CFT/CPF requirements. Continue to intensify cooperation with domestic and international counterparts through formal and informal mechanisms via INTERPOL, Egmont Group, IOSCO, UNODC. Risk Outlook ML/TF/PF risk emanating from VA/VASP risk is expected to be at an upward trend with potential in increasing linkages with other higher-risk crimes, other than Fraud. However, its materiality in the overall ML/TF/PF landscape would remain small as it continues to be mainly used as an alternative investment, mitigated by strengthening control measures, including the implementation of the Travel Rule.9 Emerging trends observed in the global context that is applicable to Malaysia includes: Mules Use of bona fide / third party to exchange illegal VA and fiat at regulated VASPs Shift to Stablecoins Variety of VA entails authorities to employ different skills of tracing across multiple blockchains Cyberattacks Cyberattacks demanding VA is anticipated to increase with crimeware services, e.g. crimeware as a service (CaaS) being widely available