The consumer credit landscape in Malaysia has just entered a very exciting chapter. While the Consumer Credit Act 2025 (“CCA 2025”) has already been in force since early this year, there is no doubt that the key date many industry players have been truly watching is 1 June 2026, as this is the date on which the licensing and registration regime under the CCA 2025 officially came into operation, marking a significant shift in the way consumer credit businesses and consumer credit service businesses are regulated in Malaysia.

Following the full implementation of the CCA 2025, three crucial regulatory standards and guidance documents have also been released. These are:

• i) the Guide to Seeking Authorisation (Licensing and Registration);
• ii) the Authorisation Standard, which was published and came into effect on 5 June 2026; and
• iii) the Conduct Standard, which was published and came into effect on 5 June 2026.

For the purpose of this article, we will focus specifically on the licensing and registration regime administered by the Consumer Credit Commission or Suruhanjaya Kredit Pengguna (“Commission” or “SKP”), and more particularly, the Authorisation Standard.

As a starting point, it is crucial to understand that the Authorisation Standard applies only to persons seeking to carry out the following businesses: (a) credit business, namely: (i) buy now pay later scheme; (ii) factoring; and (iii) leasing, each of which includes its Islamic equivalent; and (b) credit service business, namely: (i) impaired loan or financing acquisition; (ii) debt collection; and (iii) debt counselling and management. However, the Authorisation Standard does not apply to Islamic financing facilities and Islamic pawnbroking, as these are credit businesses licensed by the Registrar.

For the purpose of the Authorisation Standard, the process of applying for the relevant licence or registration is referred to as the authorisation process (“Authorisation Process”). Therefore, against this backdrop, this article aims to set out the top 10 key takeaways that businesses and in-house counsel should pay attention to when preparing for the Authorisation Process, as we will cover key issues including the Authorisation Process, legal requirements, applicable fees, and other key considerations.

 

Key Takeaway 1: The Authorisation Process Is Not Applicable If the Business Does Not Involve a “Credit Consumer”

The first and most important takeaway is that the Authorisation Process is not automatically applicable to every entity carrying on a credit business or credit service business. The Authorisation Process is only relevant where the business involves a “credit consumer”.

Under the Authorisation Standard, a “credit consumer” refers to any of the following:

• i) an individual who obtains, has obtained or intends to obtain credit wholly or predominantly for personal, domestic or household purposes;
• ii) a person who is a micro or small enterprise (“MSE”) who obtains, has obtained or intends to obtain credit, where such credit does not exceed RM300,000;
• iii) any other person or class, category or description of person as may be specified by SKP; and
• iv) an individual who acts as a social guarantor, not for the purpose of making profit, to a credit consumer in respect of a credit agreement to which the CCA 2025 applies.

In practical terms, this means that whether the Authorisation Process applies will depend not only on the nature of the business activity, but also on whether the relevant customers fall within the definition of “credit consumer”. This distinction is actually understandable because the CCA 2025 is, at its core, designed to regulate consumer credit.

Therefore, before a business rushes into preparing a licensing or registration application, the starting point should be to assess whether its credit business or credit service business actually involves a “credit consumer”.

 

 

Key Takeaway 2: If the Business Does Not Involve a “Credit Consumer”, a Declaration May Still Be Required

Where an entity carries on a regulated credit business or credit service business but does not deal with a “credit consumer”, it may not be required to go through the Authorisation Process.

However, this does not necessarily mean that no regulatory step is required.

If an entity provides a credit business or credit service business only to MSEs where all credit facilities exceed RM300,000, such entity would not be required to go through the Authorisation Process, as the credit granted exceeds the amount prescribed for MSEs under the Consumer Credit (Prescription of Credit Amount for Micro or Small Enterprise) Order 2026. However, the entity would still be required to submit a declaration to the Commission regarding its involvement in regulated activities.

Similarly, if an entity provides a credit business or credit service business only to medium enterprises or large corporations, such entity would not be required to go through the Authorisation Process, regardless of the amount of credit granted, as medium enterprises and large corporations do not fall within the definition of “credit consumer” under the CCA 2025. However, where the business falls within the relevant regulated activities, the entity would still be required to submit the relevant declaration to the Commission.

 

Key Takeaway 3: Minimum Financial Thresholds Must Be Satisfied

The third key takeaway concerns financial adequacy. Under the Authorisation Standard, an applicant must satisfy the applicable minimum financial threshold before it can be authorised to carry on the relevant credit business or credit service business.

For credit businesses, the minimum financial threshold is shareholders’ funds or total equity of RM2,000,000. This applies to relevant credit businesses such as: (i) buy now pay later schemes; (ii) factoring; and (iii) leasing, including their Islamic equivalents.

For credit service businesses, the applicable threshold depends on the specific type of activity. For impaired loan or financing acquisition, the minimum financial threshold is shareholders’ funds or total equity of RM2,000,000. In contrast, for: (i) debt collection; and (ii) debt counselling and management, the minimum financial threshold is either: (a) shareholders’ funds or total equity of RM500,000; or (b) shareholders’ funds or total equity of RM250,000 together with professional indemnity insurance coverage of RM250,000.

It is also important to highlight that where an entity is authorised to carry on more than one type of credit business or credit service business, or any combination of them, the entity will be subject to the higher of the applicable financial thresholds.

Therefore, before submitting an application, an applicant should first confirm whether the intended applicant entity has sufficient shareholders’ funds or total equity to meet the relevant threshold, otherwise, the applicant may need to consider whether capitalisation, restructuring, or other corporate steps are required before submission. In many respects, the minimum financial threshold is truly more than a technical requirement, as it is one of the first indicators of whether the applicant is financially prepared to operate in a regulated consumer credit environment.

 

 

Key Takeaway 4: The Applicant Must Be a Malaysian-Incorporated Company

The fourth key takeaway is the local entity requirement. Under the Authorisation Standard, an applicant intending to carry on a credit business or credit service business must be a company incorporated in Malaysia under the Companies Act 2016.

This requirement is significant, particularly for foreign groups, regional fintech platforms, offshore credit providers or multinational businesses that may wish to provide consumer credit-related services into Malaysia. The relevant licence or registration should be held by a Malaysian-incorporated entity, rather than by a foreign entity directly.

In practical terms, this means that foreign businesses intending to enter the Malaysian consumer credit market will need to consider whether they already have a suitable Malaysian entity within their group structure, or whether a new Malaysian entity should be incorporated for the purpose of carrying on the relevant regulated activity.

 

Key Takeaway 5: The Entity and Its Key Persons Must Satisfy Fit and Proper Requirements

The Authorisation Standard requires the applicant to comply with the applicable minimum fit and proper criteria and to demonstrate business viability in carrying on the relevant credit business or credit service business.

The minimum fit and proper criteria include, among other matters, the following:

• i) SKP has no reason to believe that the entity or any of its key persons may not be able to act in the interest of the public, having regard to their reputation, character, financial integrity and reliability;
• ii) SKP is satisfied as to the financial standing of the entity or the manner in which the entity’s business is to be conducted;
• iii) SKP is satisfied as to the record of past performance or expertise of the entity or its key persons, having regard to the nature of the business which the entity may carry on, or the nature of the duties that the key persons may perform;
• iv) SKP is satisfied as to the educational or other qualification, or experience, of the key persons, having regard to the nature of the duties they are to perform; and
• v) SKP has no reason to believe that the entity or any of its key persons will not carry on the business fairly, responsibly or professionally.

The onus is on the applicant to satisfy SKP that both the entity and its key persons are fit and proper, and this should be supported by proper justifications and relevant materials or information in the application.

 

Key Takeaway 6: A Chief Executive Must Be Appointed and Approved

The sixth key takeaway is that the Authorisation Standard requires the entity to appoint a chief executive who is fit and proper, and who is primarily responsible for the management of the entity’s overall operations and resources.

More importantly, the entity must obtain SKP’s approval prior to the appointment of the chief executive. In assessing an application for the appointment of a chief executive, SKP will consider the entity’s rationale for selecting the relevant candidate, particularly in relation to the candidate’s capability and competence to lead the entity. SKP may also engage directly with the proposed candidate during this process.

In practical terms, this means that the appointment of a chief executive should not be approached as a matter of administrative convenience, as the chief executive is expected to be more than a named officeholder, where the expectation from SKP is absolutely clear that the proposed candidate should have sufficient seniority, credibility, experience and understanding of the regulated business to lead the entity effectively. Therefore, applicants should ensure that the proposed chief executive’s profile, experience, responsibilities and reporting structure are properly documented and capable of supporting the application.

 

Key Takeaway 7: A Person Responsible for Compliance Must Be Identified

The seventh key takeaway is that the applicant must at all times have a person responsible for compliance.

The person responsible for compliance is required to ensure compliance with the CCA 2025, regulations, standards or guidelines, and other regulatory requirements applicable to the credit business or credit service business, and this person will also act as the main liaison with SKP.

The person responsible for compliance must be identified from the applicant’s or authorised entity’s senior management, and must be someone other than the chief executive. Where the person responsible for compliance assumes multiple roles, the entity must ensure that the person is capable of performing those multiple roles effectively and that there is no conflict in doing so.

This means that applicants should carefully consider who is best placed to take on this compliance role. Especially in smaller organisations, it may be tempting to assign compliance responsibility to someone who already carries multiple operational functions, while this may be possible, but the applicant should be prepared to explain to SKP why that person has sufficient capacity, competence and independence to perform the compliance role properly.

 

Key Takeaway 8: Policies and Procedures Must Be Prepared Before Submission

The eighth key takeaway is that applicants must have proper policies and procedures in place, and these should be submitted as part of the application for authorisation.

Depending on the nature of the business, the relevant policies and procedures include, among others:

• i) transparency and disclosure;
• ii) complaints handling;
• iii) credit consumer information management;
• iv) technology framework; and
• v) conflict of interest management.

More broadly, applicants should ensure that their policies and procedures are not merely generic documents prepared for submission purposes, as they should reflect the actual operating model, governance structure, consumer-facing processes, technology framework, risk controls and compliance arrangements of the proposed business.

 

Key Takeaway 9: The Application Processing Fee Is RM2,000 for Each Type of Business

The ninth key takeaway concerns application fees. Under the Authorisation Standard, a processing fee of RM2,000 is payable upon submission of an application for authorisation for each type of credit business or credit service business.

Hence, where an applicant intends to apply for more than one type of credit business or credit service business, it should consider the applicable fees and ensure that the application is structured correctly from the outset.

 

Key Takeaway 10: The Review Timeline Is Approximately Three Months, with Three Possible Outcomes

The tenth and final key takeaway concerns the tmeline and possible outcomes of the Authorisation Process.

Upon completion of the submission process, SKP’s review process may take approximately three months. However, the actual timeline may vary depending on several factors, including the quality of the submission, the responsiveness and cooperation of the applicant, the complexity of the business model, and any material changes made to the application.

Upon completion of the Authorisation Process, SKP may convey one of three possible outcomes. First, SKP may approve the application by granting the relevant licence or registration. Second, SKP may grant conditional approval, subject to conditions that the applicant must satisfy within the time frame specified by SKP. Third, SKP may refuse the application, in which case the applicant will be prohibited from reapplying for the same type of business during a cooling-off period of six months.

Based on our regulatory experience in advising on and dealing with numerous fintech-related licensing applications in Malaysia, a well-prepared application is necessary to reduce the risk of avoidable regulatory queries, delays, conditional approval or refusal.

Therefore, before commencing the Authorisation Process, businesses should ensure that they are substantively ready from a regulatory, governance, operational, financial and documentary perspective before making any submission. Given the regulatory nature of the application and the relative novelty of the Authorisation Process under the CCA 2025, companies may wish to obtain legal and regulatory support from counsel with experience in financial regulatory, consumer credit and licensing matters in Malaysia. This would help ensure that the application is properly framed, the relevant policies and procedures are regulator-ready, and the overall submission is positioned in a manner that addresses SKP’s likely areas of focus.

 

Closing Thoughts

Taken together, the commencement of the licensing and registration regime under the CCA 2025 marks a major turning point for Malaysia’s consumer credit industry. It is not merely a new application process, rather, it reflects a broader regulatory shift towards stronger consumer protection as well.

 

 

If you have any questions on the Consumer Credit Act 2025, consumer credit licensing, registration or the Authorisation Process, please feel free to reach out to the partners in our Technology Practice Group, Ong Johnson and Lo Khai Yi, for a consultation. We have extensive experience advising on fintech, financial services, consumer credit, digital platforms and regulatory licensing matters in Malaysia, and would be happy to assist businesses in navigating this new regulatory framework.

 

The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards, Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500. The strength of the practice is further reflected in the individual recognition of its partners, including a Band 1 ranking for FinTech by Chambers and Partners within the Technology Practice Group.

---

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my

◦

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my.

---

More of our Tech articles that you should read:

• • Telecommunication Towers M&A: Unpacking the Transaction
• • DPIA, ADMP and DPbD: The 3 New PDPA Guidelines Setting a New Standard for Personal Data Protection in Malaysia
• • Top 10 Key Takeaways on Customer Information Breach Under BNM’s MCIPD: What Every FSP Should Be Paying Attention to