AEON Credit Approved a Seemingly Ordinary Customer: A Regulatory Oversight That Cost Them RM520,000

During an undisclosed period prior to 6 April 2026, AEON Credit Service (M) Berhad (AEON Credit) received an application from what appeared to be an ordinary potential customer. The financial services provider followed its Standard Operating Procedures (SOPs) and approved the application, onboarding the individual as a customer.

However, as it turned out, there was nothing ordinary about this customer. Not only was the individual flagged on the ‘Domestic List’, a list of names and particulars of specified entities declared by the Minister of Home Affairs under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), the customer was also on the list of individuals and organisations sanctioned by the United Nations Security Council (UNSC).

This oversight was identified by Bank Negara Malaysia (BNM) following an on-site supervisory examination of the financial services provider. On 6 April 2026, BNM imposed an Administrative Monetary Penalty (AMP) of RM520,000 on AEON Credit for its “failure to comply with requirements relating to targeted financial sanctions (TFS)”.

So, what exactly transpired, and what legal provisions did BNM use to issue the penalty? Join us as we audit the details below.

Gaps in AEON Credit’s SOPs

According to a statement by BNM, AEON Credit was found to have committed regulatory breaches following the aforementioned on-site supervisory examination. The central bank revealed that AEON Credit had failed to reject the individual listed under the Domestic List despite it being a positive match.

Furthermore, BNM found that there was a delay in freezing the customer’s account upon confirmation that the customer was indeed flagged on the Domestic List and the UNSCR List. The central bank attributed these breaches to a lack of staff oversight and gaps in AEON Credit’s SOPs.

AEON Credit has since taken remedial measures by enhancing its SOPs and conducting refresher training for relevant staff to ensure strict compliance with TFS requirements.

The Financial Services Act 2013

BNM imposed the AMP of over half a million ringgit using the powers vested in the central bank under Section 234(3)(b)(i) of the Financial Services Act 2013 (FSA) below:

This provision empowers BNM to impose a monetary penalty in an amount the central bank considers appropriate for non-compliance with requirements relating to targeted financial sanctions. In the case of a breach committed by a body corporate or unincorporated body, the penalty must not exceed RM5 million. If the breach is committed by an individual, the penalty is capped at RM1 million.

Specifically, the requirements that AEON Credit failed to comply with are outlined under paragraphs 27.6.1 and 27.6.2 of the Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions Policy Document (AML/CFT and TFS for FIs PD), read together with Section 48(1)(a) of the FSA below.

As an approved issuer of a designated payment instrument, AEON Credit is classified as a Reporting Institution (RI) under the First Schedule of AMLA below:

For context, an RI may be defined as a financial entity or a Designated Non-Financial Business and Profession (DNFBP) legally obligated by AMLA to implement preventive measures against money laundering and terrorism financing.

The Domestic List and the UNSCR List

The Domestic List comprises names and particulars of specified entities declared by the Minister of Home Affairs under the relevant subsidiary legislation made pursuant to Section 66B(1) of AMLA below:

Meanwhile, the UNSCR List contains names and particulars of persons designated by the United Nations Security Council (UNSC) or its relevant Sanctions Committee pursuant to the relevant UNSCR. These individuals are deemed specified entities by virtue of Section 66C(2) of AMLA below:

BNM’s Enforcement Approach

With the publication of the statement regarding the AMP against AEON Credit, BNM has completed its 6-step enforcement process, which includes the following:

According to the central bank’s document on its enforcement approach, an AMP is one of six types of enforcement actions it deploys to signal its intolerance of breaches that could undermine the stability and integrity of the financial system, or impact public confidence. The other five enforcement actions include instructions to remedy a breach, compounds, civil actions, reprimands, and criminal prosecution.

Moreover, BNM asserted that the seriousness of a breach is a key consideration when determining the appropriate action to be taken. This is determined by assessing the direct impact of the breach across these perspectives:

  • Governance and operational
  • Reputational
  • Financial
  • Safety and security
  • Legal

In AEON Credit’s case, BNM determined the RM520,000 AMP after evaluating the severity of the breaches alongside the financial services provider’s:

  • Lack of reasonable care in ensuring compliance with TFS requirements
  • Past compliance record
  • Post-misconduct behaviour, including the promptness and effectiveness of remedial actions taken to prevent a recurrence

Relevant aggravating and mitigating factors were also weighed, as per the examples given in BNM’s enforcement approach below:

Following the enforcement action, AEON Credit paid the RM520,000 AMP on 16 April 2026. Moving forward, the case serves as a benchmark reminding the market that BNM requires all RIs to ensure compliance with TFS requirements. It stands as a firm precedent that BNM will not hesitate to take appropriate supervisory and/or enforcement actions should any RI fail to meet its legal and/or regulatory requirements.
