Stability by Design -
A Regulatory Analysis of QR Payments in Malaysia
By Rezan Patel
Malaysia’s digital payment ecosystem has evolved with remarkable discipline, clarity, and regulatory foresight. As QR payments become embedded in everyday commerce—from micro-merchants to large retail chains—the underlying governance framework that sustains this ecosystem has grown equally significant.
Stability by Design is not a promotional narrative about digital payments. It is a structured, fact-based regulatory examination of Malaysia’s point-of-service (POS) QR payment architecture—particularly under the DuitNow QR framework. The eBook explores how interoperability, regulatory oversight, operational resilience, and compliance discipline collectively shape one of Southeast Asia’s most mature payment systems.
Written for regulators, compliance professionals, financial institutions, merchant acquirers, fintech operators, legal practitioners, and informed market participants, this eBook offers a disciplined perspective on how innovation must coexist with accountability.
At its core, Stability by Design advances a central conviction:
Payment system maturity is measured not only by adoption or technological advancement—but by regulatory clarity, operational resilience, and enforceable accountability.
As QR payments continue to scale domestically and regionally, understanding the architecture beneath the convenience becomes essential. This work aims to contribute to that understanding.
WHY THIS EBOOK WAS NECESSARY
I have spent much of my professional life observing how payment systems evolve, often quietly, sometimes abruptly, and almost always with consequences that extend far beyond the transaction itself. In Malaysia today, we are no longer witnessing a payments transition in progress; we are living within the outcomes of that transition. The shift from cash to digital payments is no longer a question of future readiness or policy intent. It has already occurred, and its effects are now embedded in the daily rhythm of commerce, from informal micro- merchants to large national retailers.
At the centre of this transformation sits the point-of-service QR payment. It is easy to underestimate its importance precisely because of how ordinary it has become. A QR code displayed on a counter, scanned in seconds, settling funds almost immediately – this interaction feels simple, intuitive, and unremarkable. Yet that simplicity is misleading. What appears effortless on the surface is supported by a layered infrastructure of institutions, technologies, legal frameworks, and regulatory controls. Every successful QR transaction is, in reality, a coordinated outcome produced by a system that has been deliberately designed, governed, and enforced.
This eBook was conceived because I increasingly felt that this underlying system, particularly its obligations and constraints, was not being sufficiently examined, documented, or understood.
From my position within financial services, what has struck me most over the past decade is not merely how quickly QR payments have been adopted, but how effectively complexity has been hidden from view. Consumers have been shielded from friction, which is a sign of success from a usability perspective. However, the cost of that convenience is borne elsewhere in the ecosystem. Each QR transaction activates merchant acquirers, payment service providers, settlement banks, and switching infrastructures, all operating under the supervisory oversight of Bank Negara Malaysia. Compliance requirements, contractual duties, and operational risks do not disappear simply because the consumer experience is seamless. They intensify as volume and scale increase.
As QR payments have moved from novelty to necessity, the role of merchant acquirers has fundamentally changed. I no longer view acquirers as passive intermediaries or technical enablers. In practice, they have become custodians of access to the national payment system. They decide who may participate, under what conditions, and with what controls in place. This role carries weight. It places acquirers at the intersection of anti-money laundering and counter- terrorism financing obligations, consumer protection expectations, operational resilience standards, data governance requirements, and ongoing regulatory accountability.
At the same time, merchants, many of whom do not perceive themselves as participants in a regulated ecosystem, are being drawn into this framework through contractual mechanisms. While merchants are not licensed or directly supervised by the central bank, they are increasingly required to comply with obligations that replicate regulatory outcomes. Know-your-customer processes, transaction monitoring thresholds, dispute resolution standards, pricing transparency requirements, and data handling expectations are now embedded in merchant agreements. In effect, regulation has extended itself through private contracts, reshaping commercial behaviour without always being explicitly recognised as such.
What concerned me was not the existence of these obligations, but the absence of a coherent narrative explaining them.
Much of the existing discussion around QR payments in Malaysia focuses on growth statistics, financial inclusion objectives, or consumer convenience. These narratives are not incorrect, but they are incomplete. They rarely address how regulatory frameworks are operationalised on the ground, how compliance responsibilities are distributed across entities, or how legal accountability is ultimately enforced when failures occur. There is little sustained examination of how Bank Negara Malaysia’s policies translate into daily decision-making by acquirers and merchants, or how commercial incentives interact with regulatory expectations.
This eBook was therefore written to fill that analytical void.
I did not intend for this work to function as advocacy for digital payments, nor as a technical guide for implementation. Instead, my objective was to create a structured and rigorous examination of the legal, regulatory, and operational foundations of point- of-service QR payments in Malaysia. Every chapter is anchored in existing laws, policy documents, regulatory guidelines, and supervisory signals. Where interpretation is required, it is approached cautiously and with respect for regulatory intent. Where operational realities diverge from theory, those divergences are examined rather than ignored.
The choice to adopt a long-form, chapterised structure was deliberate. Payment systems do not operate in silos, and neither should their analysis. Transaction flows influence settlement risk. Settlement design affects liquidity exposure. AML and CFT controls shape onboarding practices. Data protection obligations constrain system architecture. Pricing structures raise competition and consumer fairness questions. Dispute resolution mechanisms test governance arrangements and institutional accountability. To isolate any one of these elements is to misunderstand the system as a whole.
I am also mindful that Malaysia’s QR payments framework does not exist in isolation. As regional interoperability initiatives gain momentum across ASEAN, domestic practices will increasingly be scrutinised beyond our borders. Cross- border trust is not built solely on technology; it is built on confidence in governance, compliance discipline, and regulatory consistency. The way we implement obligations internally will influence how Malaysian payment rails are perceived, relied upon, and integrated regionally.
At its core, this eBook reflects a conviction I have developed over years of engagement with financial systems: maturity in payments is not measured only by adoption rates or transaction volumes. It is measured by the strength of controls, the clarity of accountability, and the willingness to confront complexity rather than conceal it. Convenience, if left unchecked, can obscure risk. Innovation, if not governed, can outpace responsibility.
By articulating these obligations clearly and comprehensively, my hope is that this work supports more informed decision-making across the ecosystem – by acquirers who must balance growth with compliance, by merchants who increasingly carry regulatory-like responsibilities, by policymakers refining supervisory frameworks, and by industry participants who understand that sustainable progress in digital payments depends as much on discipline as it does on technological advancement.
REZAN PATEL
DIRECTOR OF RESEARCH AND MARKETING
INTRODUCTION
Malaysia’s payment landscape has undergone a steady and deliberate transformation over the past several decades, evolving from a predominantly cash- based economy into one of Southeast Asia’s most interoperable and digitally mature payment ecosystems.
Prior to the year 2000, cash and cheques dominated retail and commercial transactions. Automated Teller Machines (ATMs) were primarily used for cash withdrawals, while electronic payments were largely limited to corporate banking and interbank settlements. Consumer exposure to electronic payments at the point of sale remained minimal, constrained by infrastructure limitations and limited acceptance.
The early 2000s marked the first structural shift. Enhancements in banking infrastructure, coupled with policy initiatives by Bank Negara Malaysia (BNM), encouraged broader adoption of electronic payment instruments. The introduction and expansion of Interbank GIRO (IBG) enabled non-urgent fund transfers, while growing ATM networks and debit card issuance laid the groundwork for reduced reliance on cash.
Between 2005 and 2015, the digital transition accelerated significantly. Internet banking platforms became mainstream, enabling consumers to manage accounts, transfer funds, and make payments remotely. Innovations such as FPX facilitated online merchant payments directly from bank accounts, while JomPAY simplified bill payments using standardized billing codes. During this period, electronic payments moved from optional convenience to everyday utility.
A decisive inflection point occurred in 2017–2018 with the establishment of Payments Network Malaysia Sdn Bhd (PayNet) through the consolidation of national payment infrastructure. PayNet’s mandate was clear: to operate shared payment rails that were interoperable, resilient, and nationally inclusive. This culminated in the launch of DuitNow, a real-time retail payment platform enabling account-to-account transfers using simple identifiers such as mobile numbers and national identification numbers.
The introduction of DuitNow QR in 2019 represented the next evolutionary leap. By standardising QR codes across banks and e-wallets, DuitNow QR eliminated fragmentation at the merchant level. Instead of displaying multiple proprietary QR codes, merchants could accept payments from virtually all participating banks and wallets using a single, interoperable code.
From 2020 onwards, adoption accelerated sharply. Government initiatives promoting cashless payments, combined with changing consumer behaviour and SME digitisation, led to widespread acceptance of QR payments at physical points of sale. Today, QR payments are not only ubiquitous domestically but are increasingly linked cross-border, particularly within ASEAN, enabling Malaysian consumers to pay seamlessly in neighbouring jurisdictions.
Against this backdrop, POS QR payments have become systemically important, necessitating robust regulatory oversight, clearly defined roles, and enforceable obligations. This eBook examines those obligations in depth.
CHAPTER ONE - BUILDING TRUST THROUGH REGULATION IN MALAYSIA’S QR ECONOMY
Malaysia’s approach to governing its payment systems begins from a fundamental premise: payment mechanisms are not simply tools of convenience or channels for private commerce, but core components of the nation’s financial infrastructure. Much like banking networks, clearing systems, or settlement rails, payment systems form the connective tissue of the economy, enabling value to move reliably between individuals, businesses, and institutions. Their uninterrupted operation is therefore essential to the daily functioning of markets and to the broader confidence that underpins economic exchange.
When payment systems operate as intended, they quietly support efficiency across the economy. Transactions are executed smoothly, businesses manage cash flows predictably, consumers trust that their payments will be completed accurately, and financial institutions can assess and manage risk with confidence. This operational reliability contributes directly to financial stability by reducing settlement risk, liquidity stress, and operational uncertainty. Just as importantly, it reinforces public trust in the financial system, as users come to expect that payments will be processed securely, consistently, and without undue friction.
When payment systems fail, are disrupted, or are misused, the consequences can escalate rapidly. A technical outage, governance breakdown, or abuse of payment channels can interrupt commerce, undermine consumer confidence, and trigger reputational damage that extends beyond the immediate parties involved. In more severe cases, weaknesses in payment systems can be exploited for illicit activity, amplifying risks related to fraud, money laundering, or terrorism financing. These effects rarely remain contained within a single institution or user group. Instead, they tend to ripple outward, affecting counterparties, merchants, financial institutions, and ultimately the broader economy.
It is this capacity for systemic impact that distinguishes payment systems from ordinary commercial products or services. While individual transactions may be small in value, the aggregate volume, velocity, and interconnectedness of modern payment systems mean that weaknesses at any point in the chain can have far-reaching implications. As adoption deepens and reliance grows, payment systems become embedded in everyday economic life, making their resilience and integrity matters of collective concern.
For these reasons, Malaysia treats payment systems as a matter of public interest rather than leaving their development and oversight solely to market forces. Regulation is not driven by a desire to inhibit innovation or competition, but by the recognition that trust in payments is a shared good. Safeguarding that trust requires clear rules, accountable institutions, and active oversight. By anchoring payment system governance in this understanding, Malaysia’s regulatory framework reflects a deliberate choice to prioritise stability, confidence, and long-term sustainability alongside efficiency and innovation.
At the centre of this framework stands Bank Negara Malaysia, which serves as the primary regulator and overseer of the nation’s payment systems. While the central bank is widely associated with monetary policy, its mandate extends decisively into the oversight of payment mechanisms used by the public. This oversight encompasses safety, efficiency, reliability, and integrity, and is exercised through a combination of statutory powers, policy instruments, licensing regimes, and continuous supervisory engagement with regulated entities. In this respect, payment system regulation in Malaysia is neither passive nor reactive. It is structured, anticipatory, and grounded in the belief that strong governance is a prerequisite for sustainable innovation.
Malaysia’s regulatory posture differs from jurisdictions where payment innovation is left largely to market forces, with regulatory intervention occurring only after risks materialise. Instead, the Malaysian approach can be characterised as interventionist but enabling. Innovation is actively encouraged, but within parameters that are clearly defined and consistently enforced. These parameters are designed to ensure interoperability across providers, effective risk management practices, and robust consumer protection. The objective is not to slow innovation, but to ensure that innovation develops within a stable and trustworthy ecosystem.
This regulatory architecture is anchored in several key legislative instruments that collectively define the perimeter within which point-of-service QR payments operate. The Financial Services Act 2013 establishes the prudential and conduct framework applicable to licensed financial institutions. Under Section 72 of the Act, Bank Negara Malaysia is empowered to impose requirements on institutions involved in payment services, including obligations relating to governance structures, risk management frameworks, and compliance systems. This provision provides the legal foundation for the central bank’s ability to shape how payment services are organised and controlled within regulated institutions.
Complementing the Financial Services Act is the Payment Systems Act 2003, which is specifically directed at payment systems and payment instruments. This legislation grants Bank Negara Malaysia the authority to designate payment systems that are deemed systemically important and to regulate them accordingly. Through this designation power, the central bank is able to impose standards and controls aimed at ensuring both the safety and efficiency of systems whose failure could have widespread consequences. For QR-based payment arrangements that achieve scale and broad adoption, this statute is particularly significant.
The regulatory architecture does not rest merely upon prudential oversight or transactional discipline. It finds formidable reinforcement in the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001, a statute conceived not as a peripheral compliance instrument but as a central pillar of financial probity. This legislation casts a deliberately wide net, binding reporting institutions, merchant acquirers among them, to a regime of vigilance that is continuous, structured and unforgiving of complacency.
Under its mandate, customer due diligence is not a ceremonial formality undertaken at onboarding alone. It is a living obligation. Institutions must identify, verify and understand the commercial rationale of their customers, trace beneficial ownership where applicable, and calibrate risk profiles with discernment. Transaction monitoring, in turn, is not episodic scrutiny but sustained observation. Patterns are to be mapped, anomalies detected, behavioural deviations interrogated. Suspicious transaction reporting is elevated from discretionary caution to statutory duty, ensuring that the informational arteries of the financial system remain connected to enforcement authorities.
In the realm of QR payments, the Act assumes particular significance. QR ecosystems are characterised by velocity, scale and ubiquity. Transactions are often of modest individual value, executed within seconds, and multiplied across millions of endpoints daily. It is precisely within such environments that illicit financial flows may attempt concealment, fragmenting larger sums into micro-payments or exploiting the perceived anonymity of rapid retail interactions. AMLATFA recognises this structural vulnerability. It compels institutions to invest in intelligent monitoring systems capable of discerning patterns across high-volume, low-value transactions, thereby preventing the dilution of oversight in the name of innovation.
The statute also recalibrates enforcement expectations. Regulators and investigative agencies do not view digital payment channels as regulatory grey zones merely because they are technologically novel. On the contrary, the law affirms that technological efficiency must be matched by compliance sophistication. The swiftness of QR settlements cannot be permitted to outpace accountability. Convenience cannot eclipse traceability. Growth cannot supplant governance.
AMLATFA functions as a constitutional conscience within the digital payments landscape. It reassures markets and citizens alike that financial inclusion and technological progress are to proceed within a disciplined framework of transparency and responsibility. In doing so, it preserves a foundational principle: that the integrity of the financial system is not negotiable, even in an age defined by instantaneous exchange.
In parallel, the Personal Data Protection Act 2010 governs how personal and transactional data generated through QR payments is handled. As QR transactions necessarily involve the collection, processing, and storage of data relating to individuals and businesses, obligations under the PDPA apply to both acquirers and merchants. These obligations influence how data is collected, how long it may be retained, how it is secured, and the circumstances under which it may be disclosed. Data governance, therefore, is not ancillary to QR payments but an integral component of their regulatory environment.
Beyond the text of primary legislation lies an equally potent instrument of regulatory governance: the policy document. Bank Negara Malaysia deploys these documents not as explanatory pamphlets or aspirational guidelines, but as structured regulatory instruments designed to give operational life to statutory command. If legislation establishes the constitutional architecture of financial oversight, policy documents furnish its internal wiring, circuitry and safeguards.
They serve a deliberate and indispensable function. Statutes, by design, articulate principles in broad strokes. They define obligations, allocate powers and frame prohibitions. Policy documents, however, descend into the granular. They translate abstract legal mandates into measurable standards, timelines, documentation requirements and supervisory benchmarks. In doing so, they eliminate ambiguity and reduce interpretive latitude, ensuring that compliance is neither symbolic nor selectively observed.
Though they do not bear the formal designation of Acts or Regulations, their authority is unmistakable. They derive force from the statutory powers conferred upon the central bank and are issued pursuant to that mandate. Market participants understand that these documents are binding in both letter and spirit. Non-compliance does not invite casual reprimand; it exposes institutions to supervisory intervention, remedial directives, and, where warranted, enforcement action. The distinction between legislation and policy instrument is therefore formal, not substantive in effect.
Through these documents, Bank Negara Malaysia articulates a detailed supervisory philosophy. Governance expectations are defined with precision: boards must demonstrate effective oversight, risk appetite statements must be documented and aligned with operational realities, and senior management accountability cannot be diffused across organisational hierarchies. Operational controls are framed not as optional best practices but as mandatory safeguards embedded within daily processes.
Outsourcing arrangements, often a source of systemic vulnerability in digitised financial ecosystems, are subject to clear conditions. Institutions are required to conduct due diligence on service providers, maintain oversight over outsourced functions, and ensure that critical operations remain auditable and recoverable. The policy framework makes clear that delegation of function does not constitute delegation of responsibility.
Risk management standards are similarly codified. Institutions must identify, measure, monitor and mitigate risks across credit, operational, technological and reputational dimensions. Documentation, stress testing, incident reporting and internal audit functions are expected to operate within structured parameters. Accountability mechanisms ensure that risk ownership is assigned, traceable and enforceable.
These policy documents operate as the living grammar of Malaysia’s financial regulatory system. They bridge the distance between legislative intent and institutional conduct. They ensure that innovation unfolds within guardrails, that discretion is bounded by discipline, and that systemic resilience is not left to voluntary prudence. Through them, the central bank transforms principle into practice, and oversight into structured, enforceable reality.
Among the most relevant policy instruments for point-of-service QR payments are the Policy Document on Payment System Operator issued in 2022, the Policy Document on Merchant Acquiring Services issued in 2021, and the Interoperable Credit Transfer Framework. Collectively, these instruments define the roles and responsibilities of payment system operators, acquirers, and participating institutions. They also establish the conditions for participation in national payment schemes such as DuitNow QR. Failure to comply with these requirements may result in supervisory action, sanctions, suspension, or exclusion from the payment ecosystem altogether.
A defining characteristic of Malaysia’s payment system regulation is its unambiguous commitment to interoperability as a matter of public policy rather than mere technical preference. Bank Negara Malaysia has not treated connectivity between payment systems as an incidental by-product of market evolution. It has elevated interoperability into a structural imperative, recognising that the architecture of digital payments determines, in subtle but powerful ways, the distribution of opportunity, competition and systemic resilience.
In many jurisdictions, payment innovation has proceeded along fragmented lines. Proprietary QR codes, closed-loop wallets and platform-specific acceptance infrastructures have created islands of functionality. Consumers are required to download multiple applications. Merchants must display an array of codes at their counters. Market power accrues to early movers who leverage network effects to entrench dominance. The result is not innovation alone, but segmentation, duplication of infrastructure and, ultimately, barriers to entry.
Bank Negara Malaysia has consciously resisted this trajectory. Interoperability is treated not as a voluntary collaboration among industry players, but as a regulatory objective in its own right. The central bank’s supervisory philosophy recognises that payments are a public utility function embedded within a competitive marketplace. Where network effects are powerful, neutrality of access becomes essential to preserving competition. By mandating connectivity, the regulator prevents the digital payments ecosystem from hardening into exclusive silos.
This philosophy finds its clearest expression in the implementation of DuitNow QR. Rather than permitting each financial institution or e-wallet provider to promulgate its own QR format, the central bank endorsed a single national QR standard. Under this framework, one code at a merchant’s premises is capable of accepting payments from multiple participating banks and e-money issuers. The consumer’s choice of payment provider does not constrain the merchant’s acceptance capability, and vice versa. The technical standard becomes a shared language spoken across the ecosystem.
The implications are profound. For merchants, interoperability reduces operational friction and infrastructure costs. A hawker, retailer or small enterprise need not negotiate separate arrangements or display multiple codes. For consumers, the experience is simplified and frictionless. The application they prefer functions seamlessly across a national acceptance network. For smaller or newer market entrants, the barrier to scaling acceptance is lowered. They connect to an existing interoperable framework rather than constructing parallel networks.
From a competition law perspective, this model mitigates the risk of network lock-in. Dominant players cannot easily leverage proprietary acceptance infrastructures to foreclose rivals. Interoperability dilutes the gravitational pull of market concentration by ensuring that access to the payment rails is not contingent upon exclusive arrangements. So, the QR standard operates as both a technological specification and a competition safeguard.
Equally significant is the systemic dimension.
A harmonised standard enhances transparency, monitoring and resilience. It allows regulators to supervise transaction flows within a unified framework rather than across fragmented, opaque systems. Operational upgrades, security enhancements and risk controls can be implemented consistently across the network. Interoperability thus strengthens not only convenience and competition, but supervisory effectiveness.
Malaysia’s approach signals a deliberate recalibration of regulatory posture in the digital age. Instead of allowing market fragmentation to define the payments landscape and then intervening reactively, Bank Negara Malaysia has shaped the infrastructure at its inception.
By mandating a single national QR standard, it has embedded openness within the DNA of the system. The message is clear: innovation is to be encouraged, but not at the cost of cohesion. In Malaysia’s payment ecosystem, connectivity is not optional. It is foundational.
By enforcing a unified QR framework, regulators have ensured equal access for banks and non-bank e-money issuers, reduced friction for merchants who would otherwise need to manage multiple QR codes, and enhanced competition based on service quality rather than proprietary reach. The result is a payment system that is more efficient, scalable, and inclusive. Importantly, interoperability in this context is not merely a technical specification. It represents regulatory intent translated directly into infrastructure design.
As point-of-service QR payments continue to scale, their role within the payment ecosystem evolves. What begins as a convenient alternative to cash increasingly becomes systemically relevant as transaction volumes grow, merchant acceptance becomes ubiquitous, and integration with everyday commerce deepens. At this stage, the consequences of disruption, operational failure, or misuse extend beyond individual participants and carry potential economy-wide implications.
In recognition of this growing systemic importance, merchant acquirers and payment system operators are subject to progressively heightened expectations relating to governance, operational resilience, and compliance. These expectations intensify alongside adoption, reflecting the principle that increased reliance on a payment instrument must be matched by stronger controls and oversight. QR payments, therefore, are not regulated lightly simply because individual transactions may be small in value. Their aggregate impact is what drives regulatory scrutiny.
This regulatory foundation establishes a payment ecosystem that is regulator- led and firmly anchored in statute, built on interoperability as a core principle, governed through layered legislation and binding policy documents, and treated as critical financial infrastructure. As the ecosystem grows in scale and importance, the obligations imposed on participants correspondingly increase.
CHAPTER TWO - INCLUSIVITY, ACCOUNTABILITY AND THE EVOLUTION OF DUITNOW QR
DuitNow QR emerged in March 2019 at a moment when Malaysia’s QR payment landscape was becoming increasingly fragmented. Prior to its introduction, merchants frequently displayed multiple QR codes at their counters, each corresponding to a different bank or e-wallet provider. While this reflected a growing appetite for digital payments, it also introduced inefficiencies that were difficult to ignore. Merchants faced higher onboarding and operational costs, consumers were constrained by which applications they held, and competition began to hinge more on network reach than on service quality. Left unchecked, this fragmentation risked undermining both efficiency and inclusivity in retail payments.
The introduction of DuitNow QR under Bank Negara Malaysia’s Interoperable Credit Transfer Framework was therefore not intended as the launch of yet another payment option, but as a structural intervention. The regulatory objective was to create a single, national QR payment standard that would function as shared financial infrastructure. By mandating interoperability across participating banks and approved e-money issuers, the framework sought to level the playing field, lower barriers to entry, and encourage competition based on pricing, reliability, and user experience rather than proprietary lock-in. In doing so, it also aimed to simplify acceptance for merchants and expand choice for consumers.
Payments Network Malaysia Sdn Bhd, or PayNet, was designated as the operator responsible for implementing and maintaining DuitNow QR. As a shared payment rail, DuitNow QR allows consumers to initiate payments using their preferred mobile banking or e-wallet applications while merchants accept payments through a single, unified QR code. This separation between the consumer interface and the acceptance infrastructure is a defining feature of the system. It enables innovation at the application level without compromising interoperability at the network level, ensuring that the underlying payment rail remains neutral, consistent, and scalable.
The legal and regulatory foundation supporting DuitNow QR rests on several interlinked instruments that together define both authority and accountability. The Financial Services Act 2013 provides Bank Negara Malaysia with the power to regulate payment services and their participants, while the Payment Systems Act 2003 governs the designation and oversight of payment systems deemed important to the economy. These statutory powers are operationalised through the Interoperable Credit Transfer Framework, which sets out standards for retail payment interoperability, and through policy documents issued by the central bank governing payment system operators and merchant acquiring services. Participation in DuitNow QR is therefore conditional, not voluntary. Institutions must comply with operational, governance, and risk management standards imposed by the regulator and enforced through PayNet’s scheme rules.
Functionally, DuitNow QR operates as an account-to-account payment mechanism. Funds move directly from the payer’s bank account or e-wallet to the merchant’s account, without the involvement of card networks. This structure underpins several of its defining characteristics. A single QR code can be accepted by multiple issuers, real-time authorisation provides immediate confirmation of payment status, and settlement is conducted on a near real- time basis through PayNet’s infrastructure. For merchants, the system requires minimal hardware investment, making it accessible across a wide spectrum of business sizes. These attributes collectively make DuitNow QR particularly well suited to physical point-of-sale environments, from roadside stalls to large retail chains.
The inclusion of both static and dynamic QR codes within the framework reflects a deliberate regulatory sensitivity to the wide spectrum of merchant capabilities and operating environments that exist across the Malaysian economy. Not all merchants transact in the same way, possess the same level of digital infrastructure, or face identical cost constraints. By permitting multiple QR formats, the framework avoids imposing a one-size-fits-all model that could inadvertently exclude smaller or less technologically equipped businesses from participating in digital payments.
Static QR codes are the most basic expression of this flexibility. They contain fixed merchant identifiers and rely on the consumer to manually enter the transaction amount at the point of payment. This simplicity is precisely what makes them attractive to micro-merchants, hawkers, and small retailers who may operate with minimal hardware, limited connectivity, or irregular transaction volumes. A printed QR code displayed at a stall or counter is often sufficient to begin accepting digital payments, significantly lowering barriers to entry and supporting financial inclusion objectives.
However, this simplicity also introduces inherent risks. Manual input increases the possibility of human error, whether through incorrect amounts, accidental duplication, or deliberate manipulation. It may also complicate transaction reconciliation for merchants and acquirers alike, particularly when volumes increase. From a fraud and dispute perspective, the absence of transaction- specific data embedded in the QR code means that certain controls must be implemented elsewhere in the transaction flow to compensate for these limitations.
Dynamic QR codes represent a more advanced configuration, typically integrated directly into point-of-sale systems. Each code is generated uniquely for a specific transaction and includes key details such as the payment amount and a merchant reference. By embedding this information at source, dynamic QR codes reduce reliance on manual input, streamline the payment process for consumers, and improve the accuracy of transaction records. This structure also enhances fraud mitigation by limiting the scope for amount tampering and improving traceability within the payment system. For larger merchants, high- volume retailers, and businesses with existing POS infrastructure, dynamic QR codes offer a more controlled and efficient solution.
From a regulatory perspective, the permissibility of both static and dynamic QR codes does not imply equal risk. Instead, it reflects an expectation that risk is managed proportionately. The responsibility for ensuring appropriate safeguards rests primarily with merchant acquirers, who must assess how each QR format is deployed and apply controls accordingly. Where static QR codes are used, acquirers are expected to implement additional monitoring, transaction limits, anomaly detection, and merchant education to mitigate the higher exposure to errors or misuse. In environments where dynamic QR codes are deployed, the focus shifts toward system integrity, POS integration security, and operational resilience.
In practical terms, this balance between inclusivity and discipline reflects a conscious regulatory trade-off rather than a compromise of standards. The framework acknowledges that broad participation in digital payments cannot be achieved if only the most technologically advanced or well-capitalised merchants are able to comply. At the same time, it recognises that expanding access without clear lines of responsibility would expose the payment ecosystem to unacceptable levels of operational, financial, and reputational risk. Inclusivity, therefore, is pursued alongside, not at the expense of, control.
By allowing merchants to adopt QR-based payments in forms that align with their operational realities, the framework accommodates diversity in business models, transaction volumes, and technological readiness. A street vendor, a small family-run shop, and a large retail chain all interact with customers differently, and the framework permits each to participate without imposing uniform infrastructure requirements that would be economically inefficient or exclusionary. This flexibility supports the formalisation of commerce and encourages digital adoption across segments that might otherwise remain cash-dependent.
However, flexibility at the merchant level is matched by heightened accountability at the acquirer level. Acquirers act as the principal interface between merchants and the regulated payment system, and it is through them that regulatory discipline is enforced. They are expected to assess the risks associated with each merchant configuration, determine whether static or dynamic QR codes are appropriate, and implement proportionate controls that address the specific vulnerabilities arising from that choice. This includes setting transaction limits, monitoring unusual patterns, managing dispute resolution processes, and ensuring that merchants understand their obligations and usage boundaries.
Accountability does not dissipate simply because a merchant operates at a smaller scale or uses simpler technology. The framework makes clear that the safety, reliability, and integrity of the payment system are collective outcomes, and weaknesses at the margins can, over time, erode trust across the system as a whole. Acquirers are therefore expected to continuously monitor merchant behaviour, reassess risk profiles as transaction volumes grow, and intervene when usage patterns indicate heightened exposure to error, fraud, or misuse.
In this structure, inclusivity becomes a managed process rather than an open- ended objective. Merchants are brought into the digital payments ecosystem in a way that reflects their capabilities, but they do not operate outside the discipline of the system. Acquirers, in turn, are not merely facilitators of acceptance but custodians of systemic integrity, responsible for ensuring that operational convenience does not translate into regulatory weakness. The framework’s effectiveness ultimately depends on this alignment, where broad participation and robust governance reinforce rather than undermine each other.
Financial inclusion has been a central policy objective underlying the rollout of DuitNow QR. By removing the need for costly point-of-sale terminals and simplifying onboarding, QR payments have enabled participation by small traders, informal businesses transitioning into the formal economy, and merchants operating in rural or semi-urban areas. This expansion of access supports broader economic participation and aligns with national inclusion goals. At the same time, it introduces heightened expectations for oversight. Regulators recognise that inclusion must be balanced against financial integrity, making acquirer monitoring, transaction surveillance, and customer due diligence essential components of the ecosystem.
Pricing dynamics further reinforce DuitNow QR’s appeal to merchants. Transactions conducted through the system typically attract lower Merchant Discount Rates compared to card payments, reflecting the reduced infrastructure and network costs associated with account-to-account transfers. Regulatory oversight plays an important role in ensuring that pricing remains transparent and non-discriminatory. Merchants are prohibited from imposing surcharges on consumers for using QR payments, reinforcing fairness and consistency at the point of sale and preserving consumer confidence in the system.
Beyond domestic use, DuitNow QR has increasingly become a foundation for cross-border QR payment linkages, particularly within the ASEAN region. Through bilateral and multilateral arrangements, Malaysian consumers can use their domestic banking or e-wallet applications to make payments abroad, while foreign visitors can transact locally using their home systems. This expansion introduces additional layers of complexity, including currency conversion mechanics, settlement risk management, coordination between central banks, and cross-border AML and CFT information sharing. As these linkages deepen, the oversight role of both PayNet and Bank Negara Malaysia becomes even more critical.
DuitNow QR stands as a regulator-mandated national standard designed to promote interoperability and competition, act as a catalyst for financial inclusion, and serve as a systemically relevant retail payment rail. It also functions as a platform for regional payment integration. The success of this framework does not rest on technology alone, but on disciplined governance, responsible participation by acquirers and issuers, and strict adherence to regulatory and scheme requirements across the ecosystem.
CHAPTER THREE - FROM TRANSACTION TO FINALITY WITHIN MALAYSIA’S PAYMENT ARCHITECTURE
Payment system operators occupy a foundational and infrastructural role within Malaysia’s payment ecosystem. They are not merely participants in the market; they are its structural engineers. As the entities that own, manage and operate the platforms through which transactions are processed, cleared and settled among participating institutions, they provide the connective tissue that binds the financial system into a coherent whole.
Every electronic transfer, whether initiated at a retail counter through a QR scan or executed in the wholesale market between financial institutions, ultimately traverses infrastructure maintained by these operators. They design and maintain the systems that authenticate instructions, route payment messages, calculate net positions, and effect final settlement. In doing so, they transform individual payment instructions into legally effective transfers of value.
Their role extends beyond mechanical processing. Payment system operators embed within their platforms the rules, standards and technical protocols that govern participation. Access criteria, message formats, security requirements, dispute resolution frameworks and settlement timelines are structured within the architecture they administer. This ensures that transactions are not only executed swiftly but also within a predictable and secure operational environment.
In retail contexts, their infrastructure enables high-volume, low-value transactions to flow seamlessly across banks and e-money issuers. Consumers may perceive only the immediacy of a successful payment confirmation, yet beneath that instant response lies a layered system of clearing arrangements, liquidity management mechanisms and risk controls. In wholesale settings, where transaction values are significantly larger and systemic risk correspondingly higher, operators ensure finality of settlement and safeguard against contagion through carefully designed settlement processes.
Security and resilience are intrinsic to their mandate. Payment system operators must maintain robust technological frameworks capable of withstanding cyber threats, operational disruptions and surges in transaction volumes. Business continuity arrangements, redundancy systems and real-time monitoring capabilities are not ancillary features but essential safeguards. A disruption at the level of a system operator can reverberate across the entire financial ecosystem, underscoring the systemic importance of their function.
These operators provide the rails upon which Malaysia’s digital and conventional payments travel. Banks, e-money issuers and merchants may design customer-facing services and innovate at the product level, but without the stable and interoperable infrastructure maintained by payment system operators, such services would remain isolated and unsustainable. The scalability, efficiency and integrity of the payment landscape depend upon this underlying backbone. Their presence ensures that value can move across institutions with certainty, speed and trust, anchoring the broader financial architecture in operational coherence.
Under Bank Negara Malaysia’s regulatory framework, the role of a payment system operator is conceived as far more expansive than the upkeep of technology or the smooth running of platforms. PSOs are positioned as institutional architects of the payment ecosystem, entrusted with establishing the system rules that govern participation and set the terms on which institutions may enter, operate, or be excluded. In doing so, they define eligibility criteria that determine who may access the system and on what basis, shaping the contours of inclusion within the payments landscape.
Beyond access, PSOs determine the messaging and technical standards that allow diverse participants to interact seamlessly with one another. These standards are critical to interoperability, ensuring that transactions can flow across institutions without friction, misinterpretation, or technical incompatibility. At the transactional core, PSOs design and operate the clearing and settlement arrangements that give payments their finality, translating instructions into irrevocable outcomes that participants can rely upon with confidence.
Their responsibilities also extend to setting and enforcing operational resilience requirements, embedding expectations around continuity, reliability, and recovery into the system’s day-to-day functioning. Because each of these decisions influences how risk is allocated, absorbed, and mitigated across participants, PSOs wield substantial influence over both stability and fairness within the payment ecosystem. In this framework, their role is not merely operational but systemic, shaping the balance between efficiency, risk management, and equitable participation.
Given the critical nature of their functions, PSOs are subject to direct and intensive regulatory oversight. Bank Negara Malaysia’s Policy Document on Payment System Operator issued in 2022 formally defines PSOs and delineates their regulatory perimeter. Entities operating as PSOs must be licensed or approved by the central bank, are subject to ongoing supervision, and are required to meet stringent governance, risk management, and operational resilience standards. These obligations are not static. They evolve in line with system complexity, transaction volumes, and emerging risk profiles. Failure to comply with regulatory requirements can trigger enforcement action, including the suspension or revocation of approval, reflecting the seriousness with which PSO obligations are treated.
Within Malaysia, Payments Network Malaysia Sdn Bhd plays the role of the designated national payment system operator for several systemically important payment systems. These include DuitNow and DuitNow QR, the Interbank GIRO system, and shared ATM networks. In this capacity, PayNet’s responsibilities extend beyond the provision of technical infrastructure. It also functions as a scheme operator, setting participation rules, managing settlement processes, and enforcing compliance with scheme requirements. Importantly, PayNet acts as a conduit between policy intent and operational reality, working closely with Bank Negara Malaysia to implement regulatory objectives consistently across the ecosystem.
The governance obligations imposed on Payment System Operators are a direct reflection of their systemic importance within the financial framework. They are required to maintain robust governance arrangements that are not merely procedural but purposive, capable of supporting independent oversight and genuinely informed decision-making. Such frameworks are intended to ensure that authority is exercised with deliberation and that critical judgments are subject to scrutiny rather than concentration.
At a structural level, this obligation translates into the maintenance of appropriately constituted boards, designed to balance expertise with independence and to provide effective supervision of management. Equally central is a clear segregation of duties between operational functions and control functions, a separation that prevents execution from eclipsing oversight and embeds checks and balances into the organisational fabric. Dedicated risk management committees further reinforce this architecture, providing a focused forum for the identification, evaluation, and mitigation of risks that could have systemic consequences.
These arrangements are complemented by formal incident escalation protocols, which impose clarity and discipline on how issues are surfaced, assessed, and resolved. By specifying responsibilities and timelines, such protocols ensure that emerging problems are neither overlooked nor deferred, but addressed with the urgency they demand.
These governance structures are designed to prevent conflicts of interest, anchor accountability within identifiable decision-makers, and act as a safeguard against choices that could undermine system stability or restrict equitable access. In effect, they recognise that for entities of such consequence, sound governance is itself a cornerstone of systemic resilience.
Operational resilience represents one of the most critical regulatory expectations placed on PSOs. Given the scale and interconnectedness of the systems they operate, even short disruptions can have cascading effects across financial institutions, merchants, and consumers. As such, PSOs must demonstrate high levels of system availability supported by redundancy and failover capabilities. They are expected to maintain strong cybersecurity defences, reflecting the increasing sophistication of cyber threats targeting payment infrastructure. Business continuity and disaster recovery plans must not only exist on paper but be regularly tested to ensure that systems can be restored swiftly and reliably in the event of disruption.
Another core responsibility borne by Payment System Operators lies in the management of clearing and settlement processes, an area where operational design and financial risk are inseparably intertwined. By their very nature, these processes expose participants to settlement risk, as obligations are accumulated and discharged across institutions that depend on one another’s timely performance. Regulatory expectations therefore require PSOs to structure these arrangements so that settlement takes place in a timely and final manner, thereby limiting the build-up of credit and liquidity exposures between participants.
Integral to this responsibility is the formulation of settlement rules that are transparent, precise, and consistently understood by all who participate in the system. Such clarity reduces uncertainty, curtails the scope for interpretative disagreement, and helps prevent disputes that could otherwise erode trust in the system. When participants can anticipate outcomes with confidence, the clearing and settlement process becomes a source of stability rather than vulnerability.
These safeguards operate as calibrated protective layers embedded within the clearing and settlement architecture. They are not decorative compliance features but structural defences designed to preserve the integrity of every transaction that passes through the system. By embedding validation checks, prefunding requirements where applicable, liquidity controls and clearly defined settlement cycles, they ensure that payment obligations are discharged in a manner that is both orderly and definitive.
At the level of the individual participant, these mechanisms serve as a shield against counterparty risk. A bank, e-money issuer or financial institution entering into a transaction must have confidence that once the system confirms settlement, the obligation is legally and operationally complete. The architecture minimises the possibility that a participant’s failure, delay or liquidity shortfall will cascade into unresolved exposures for others. Through netting arrangements, settlement guarantees and clearly demarcated points of finality, the system converts bilateral uncertainty into structured multilateral assurance.
The importance of these safeguards becomes particularly apparent during periods of stress. In moments of heightened volatility or operational disruption, confidence in settlement processes can falter quickly if mechanisms are ambiguous or fragile. By contrast, a robust clearing and settlement framework acts as a stabiliser. It contains risk within defined boundaries and prevents isolated disturbances from metastasising into systemic instability. The predictability of settlement outcomes tempers panic and reinforces orderly functioning.
Beyond protecting individual participants, these safeguards perform a broader systemic function. Financial systems rely fundamentally on trust. That trust is anchored not merely in the solvency of institutions but in the certainty that transactions, once effected, cannot be unwound arbitrarily. Transactional finality underpins credit decisions, liquidity management and inter-institutional exposure calculations. If finality were uncertain, every payment would carry residual doubt, and systemic confidence would erode.
Clearing and settlement transcend operational efficiency. They are instruments of systemic assurance. By conclusively extinguishing obligations at defined moments, they create a stable platform upon which financial relationships can be constructed and expanded. Markets can function dynamically precisely because the infrastructure beneath them is static in its reliability.
The clearing and settlement function of payment system operators therefore embodies more than technical competence. It institutionalises certainty. It transforms the abstract promise of payment into an irrevocable transfer of value. Through layered safeguards and disciplined processes, it anchors the broader financial ecosystem in predictability and resilience, reinforcing stability not through rhetoric but through design.
Oversight by Bank Negara Malaysia underpins all aspects of PSO operations. This oversight is exercised through licensing and approval conditions, periodic supervisory reviews, and ongoing reporting and disclosure requirements. The central bank also retains the power to issue directions and impose sanctions where necessary. Through these mechanisms, Bank Negara Malaysia ensures that PSOs remain aligned with national policy objectives and respond appropriately to evolving risks.
This framework makes clear that payment system operators are central to the integrity of Malaysia’s payment systems. They operate under direct and intensive regulation, carry heightened governance and resilience obligations, and act as custodians of infrastructure that is essential to public confidence and economic activity. The effectiveness with which PSOs discharge these responsibilities directly influences the reliability and credibility of point-of-service QR payments and the wider payment ecosystem that depends upon them.
CHAPTER FOUR - THE GATEKEEPING FUNCTION IN MALAYSIA’S NATIONAL QR RAIL
Merchant acquirers occupy a central and highly influential role within Malaysia’s QR payment ecosystem, serving as the regulated intermediaries that connect merchants to the broader digital payments infrastructure. In the context of DuitNow QR, the acquirer functions as the indispensable gateway linking individual merchants to the national payment system. While consumers experience the ecosystem through intuitive front-end interfaces— whether mobile banking applications, e-wallets, or point-of-sale terminals—it is the acquirer working behind the scenes who ensures that merchants are seamlessly integrated, capable of accepting payments, and able to receive funds securely and efficiently. Without this connection, the smooth, near- instantaneous experience familiar to users would be impossible.
The responsibilities of the acquirer extend across both commercial facilitation and regulatory oversight, creating a dual mandate that is both operationally complex and strategically vital. On the commercial front, acquirers are responsible for onboarding merchants, establishing and maintaining accounts, enabling QR payment acceptance, and ensuring that transaction proceeds are settled accurately and on time. This requires a combination of technical infrastructure, customer service, and operational reliability to meet the expectations of high-volume, real-time retail environments.
At the same time, acquirers serve a critical regulatory function. They monitor transactions for compliance with anti-money laundering, counter-terrorism financing, and fraud prevention requirements, manage the secure flow of sensitive data, and fulfill reporting obligations mandated by regulators. This oversight extends from the moment a merchant is onboarded through the ongoing lifecycle of transactions, positioning acquirers as one of the most significant control points in the ecosystem. In this capacity, they must strike a careful balance between operational convenience—ensuring that payments are fast, reliable, and user-friendly—and regulatory discipline, which protects the integrity, security, and resilience of the entire QR payment system.
Ultimately, the acquirer is the linchpin that transforms the technical architecture of DuitNow QR into a practical, trusted, and widely usable system. Their role is both enabling and safeguarding, bridging the gap between merchants, consumers, and national payment infrastructure while ensuring that every transaction meets the twin imperatives of efficiency and compliance.
Merchant acquiring is a tightly regulated activity within Malaysia’s payment services framework, reflecting the critical role acquirers play in connecting merchants to the national payment infrastructure. Any entity that seeks to offer acquiring services must be licensed or approved by Bank Negara Malaysia as a payment service provider, must participate in PayNet’s DuitNow QR scheme, and remains subject to ongoing supervisory oversight. This regulatory stance is purposeful and precise: acquirers control the gateway through which merchants access the national payment rails, and if this access is poorly governed, it can be exploited to facilitate fraud, money laundering, or broader systemic abuse. By regulating acquirers directly, authorities establish a first line of defence, safeguarding both the integrity of the payment system and public trust.
The pathway to becoming an acquirer is deliberately rigorous, designed to ensure that only entities capable of managing operational, financial, and regulatory risks are permitted to participate. Licensed banks, approved non- bank payment service providers, and e-money issuers may offer acquiring services, but only after securing specific approval to undertake such activities. The assessment process goes far beyond evaluating commercial ambition or technological capability. Applicants must demonstrate sufficient capital and financial soundness, while their management teams are evaluated for fitness and propriety. Robust risk management frameworks are required, and operational and technological readiness is subjected to detailed scrutiny.
Bank Negara Malaysia’s evaluation also examines the applicant’s overall compliance culture and capacity to maintain system integrity. The underlying principle is clear: innovation and efficiency in payment services are valuable only when paired with disciplined governance. Without careful oversight, even the most advanced technology can become a conduit for misuse, eroding public confidence in the payment ecosystem.
By enforcing rigorous entry standards, regulators ensure that acquirers are not only commercially capable but also fully equipped to uphold the safety, resilience, and credibility of Malaysia’s QR payment infrastructure.
Once licensed or approved, acquirers must comply with the scheme participation obligations imposed by PayNet as the operator of DuitNow QR. These scheme rules govern uniform acceptance standards, technical compliance with QR specifications, settlement and reconciliation discipline, dispute resolution mechanisms, and detailed data reporting requirements. Acquirers operate within both contractual and regulatory constraints, limiting their ability to deviate unilaterally from established norms. This ensures consistency across the ecosystem and prevents fragmentation or preferential practices that could distort competition or compromise system reliability.
Within the QR payment ecosystem, acquirers serve as critical risk gatekeepers, occupying a central role in preserving both operational integrity and regulatory compliance. From the outset, they are tasked with rigorously vetting the legitimacy of merchants during onboarding, carefully assessing business models to identify potential exposure to prohibited, high-risk, or non-compliant activities, and ensuring that merchant operations conform to both regulatory standards and scheme requirements. This initial assessment establishes the baseline against which all future activity is evaluated, shaping the risk profile of the merchant and, by extension, the broader payment ecosystem.
The responsibilities of acquirers do not conclude once a merchant is onboarded. On the contrary, they must engage in continuous monitoring of transaction patterns, actively identifying anomalies, irregularities, or behaviours that deviate from expected norms. This ongoing oversight allows acquirers to detect early signs of potential fraud, money laundering, or other forms of misuse, and to take timely corrective or preventive action. Failure to execute these duties effectively does not merely expose the acquirer to regulatory sanctions or reputational consequences; it can create systemic vulnerabilities that ripple through the payment network, impacting other participants and eroding consumer and merchant confidence alike.
In this way, acquirers operate at the intersection of convenience, commerce, and compliance. They enable merchants to participate in a fast, efficient, and widely accessible payment system, while simultaneously ensuring that the ecosystem remains resilient, trustworthy, and safeguarded against misuse. Their gatekeeping role is therefore foundational, balancing the demands of operational efficiency with the imperatives of risk management and regulatory adherence.
A particularly critical dimension of the acquirer’s responsibilities lies in its obligations under Malaysia’s anti-money laundering (AML) and counter- terrorism financing (CFT) framework. As designated reporting institutions, merchant acquirers are legally required to conduct thorough customer due diligence on each merchant, monitor transaction activity on an ongoing basis, file suspicious transaction reports where warranted, and maintain records in strict accordance with statutory mandates. These obligations are continuous and extend across the full lifecycle of the merchant relationship; they are not fulfilled by the initial onboarding process alone.
As merchants’ transaction volumes expand or business models evolve, acquirers are expected to reassess associated risks and recalibrate controls accordingly. This dynamic approach ensures that AML and CFT safeguards remain effective in the face of changing operational patterns, transactional behaviour, and potential exposure to illicit activity. By embedding vigilance, adaptability, and compliance throughout the merchant relationship, acquirers uphold both regulatory requirements and the overall integrity of the QR payment ecosystem.
Acquirers occupy a critical supervisory role that extends well beyond simply enabling merchants to accept QR payments; they are central to maintaining both consumer protection and proper merchant conduct within the ecosystem. Their responsibilities encompass a broad range of obligations designed to ensure that merchants operate transparently and fairly. For instance, acquirers must ensure that merchants provide clear and accurate pricing disclosures so that consumers are fully informed before authorising a payment. They must also enforce the prohibition against surcharging, guaranteeing that consumers are not penalised for choosing QR payments as a method of transaction.
Equally important is the requirement for merchants to handle refunds and disputes appropriately, providing consumers with clear avenues for recourse, and to maintain accurate and transparent transaction records that can be audited or reviewed as necessary. By rigorously applying these standards, acquirers serve as a key line of defence in fostering consumer trust, ensuring that the QR payment experience remains consistent, fair, and predictable across diverse merchant categories and retail environments.
The regulatory consequences for failing to uphold these responsibilities are deliberately stringent, reflecting the critical role acquirers play in preserving system integrity. Bank Negara Malaysia and PayNet have the authority to take a range of enforcement actions, depending on the severity of non-compliance. These may include monetary penalties to signal the seriousness of the breach, restrictions on the acquirer’s ability to onboard new merchants, or temporary suspension of participation in the DuitNow QR scheme.
In extreme cases, licences or approvals can be revoked entirely, removing the acquirer from the payment ecosystem. Such measures are not merely punitive; they are carefully calibrated tools to reinforce discipline, deter misconduct, and protect the wider payment network. By holding acquirers accountable for the conduct of the merchants they onboard and supervise, regulators ensure that both consumer confidence and the stability of the national QR payment system are maintained.
Acquirers act as both enablers and custodians. They facilitate seamless, convenient, and secure payments for millions of consumers, while simultaneously embedding oversight, risk management, and compliance into the very fabric of the system. Their supervisory function ensures that day-to-day transactions are conducted within clear rules and expectations, mitigating the risk that operational shortcuts or lapses in merchant behaviour could erode trust or introduce systemic vulnerabilities. In this dual capacity, acquirers reinforce the integrity, reliability, and resilience of Malaysia’s QR payment ecosystem, ensuring that convenience for users is never achieved at the expense of fairness, transparency, or regulatory compliance.
This framework establishes merchant acquirers as regulated intermediaries with responsibilities that extend far beyond transaction processing. They act as gatekeepers of access to payment systems, custodians of AML and CFT compliance, and enforcers of scheme discipline. The quality of their governance, controls, and supervision has a direct bearing on the credibility, safety, and resilience of DuitNow QR and the wider digital payments ecosystem in Malaysia.
CHAPTER FIVE - MERCHANT ACQUIRERS AND THE DISCIPLINE OF DIGITAL PAYMENTS
Merchant onboarding constitutes the earliest and most consequential point at which risks within the QR payment ecosystem can be identified, evaluated, and mitigated. Decisions made at this stage do far more than determine whether a merchant may access the system; they shape the long-term risk profile of the entire payment network well beyond the processing of the first transaction. When onboarding controls are weak, superficial, or applied inconsistently, vulnerabilities are introduced that can later manifest as fraud, money laundering, misuse of payment rails, or reputational harm affecting both the acquirer and the broader ecosystem.
Recognising the systemic significance of this stage, Bank Negara Malaysia places substantial emphasis on robust onboarding standards. These standards are treated not as a routine administrative requirement, but as a fundamental determinant of overall payment system integrity and resilience. By enforcing rigorous due diligence, thorough verification of merchant identity and business operations, and a clear understanding of expected transaction behaviour, regulators and acquirers together ensure that the foundation of the QR payment ecosystem is secure, trustworthy, and capable of supporting safe, scalable, and reliable digital transactions over time.
At the core of merchant onboarding lies the know-your-customer (KYC) framework, which serves as the foundation for risk management within the QR payment ecosystem. For merchants, KYC obligations extend far beyond simple identity verification. Acquirers are required to establish and confirm the legal identity of the entity or individual seeking to accept payments, while also clarifying the structure of beneficial ownership to determine who ultimately controls or benefits from the business.
Equally important is developing a comprehensive understanding of the nature and purpose of the merchant’s operations. This includes not only the types of goods or services offered, but also the business model, customer base, and operational practices. Acquirers must also form an informed expectation of transaction behaviour—encompassing typical transaction sizes, volumes, frequency, and customer profiles. These insights establish the baseline against which future activity can be assessed, enabling acquirers to detect anomalies, identify potential risks, and intervene when deviations suggest misuse or non- compliance. In this way, KYC at onboarding is not merely a procedural step, but a strategic control that safeguards the integrity and stability of the payment system from the very first interaction.
Regulatory expectations emphasise that merchant risk is not uniform, and that the depth and intensity of KYC procedures must be proportionate to the assessed risk profile of each merchant. A one-size-fits-all approach is neither effective nor consistent with sound risk management; instead, onboarding processes must be calibrated to reflect the distinct characteristics and exposures of different merchant types.
Within the QR payment ecosystem, merchants can generally be grouped into several broad categories, each carrying its own risk considerations. Micro and informal merchants, for example, may lack comprehensive formal documentation, yet they typically operate at low transaction volumes and present limited systemic exposure. Small and medium enterprises, by contrast, often maintain more structured operations, but their higher transaction volumes and more complex business models increase their potential risk footprint. Large corporates and retail chains, while benefiting from established governance frameworks, may handle high-value transactions that amplify exposure in the event of misuse. Online and platform-based merchants introduce further intricacies, including digital delivery channels, cross-border payment flows, and a higher degree of customer anonymity, all of which can complicate monitoring and oversight.
Effective onboarding, therefore, requires acquirers to recognise and differentiate among these categories. Controls must be tailored to reflect the actual risk presented, rather than applying uniform standards that may either understate risk in higher-exposure merchants or impose unnecessary burdens on lower-risk participants. By adopting a proportionate and nuanced approach, acquirers ensure that KYC serves as a meaningful, risk-sensitive safeguard that strengthens the integrity of the entire QR payment ecosystem.
Regulatory policy firmly mandates a risk-based approach to merchant onboarding, recognising that the QR payment ecosystem encompasses a diverse array of participants, each presenting different levels of exposure. Acquirers are therefore expected to calibrate the depth and intensity of their due diligence in accordance with a merchant’s specific characteristics, including the nature of its business activities, anticipated transaction volumes, customer base, geographic reach, and delivery channels. This nuanced approach ensures that regulatory oversight is both effective and proportionate, focusing attention where risks are greatest while avoiding unnecessary burdens on low-risk participants.
Merchants identified as higher risk—whether due to the type of goods or services they provide, the scale or frequency of their transactions, or the complexity and breadth of their operational footprint—must be subjected to enhanced due diligence. Such measures can include the collection of more detailed documentation, rigorous verification of ownership and control structures, and a thorough understanding of underlying business relationships. Acquirers may also implement heightened monitoring and follow-up procedures, ensuring that any anomalies or deviations from expected transaction behaviour are detected and addressed promptly.
Conversely, merchants assessed as presenting lower risk can benefit from streamlined onboarding procedures that maintain efficiency while still upholding regulatory objectives. Simplified due diligence measures may suffice for small, low-volume merchants or those with straightforward operational models, allowing onboarding to proceed quickly without compromising the integrity of the payment system. By tailoring due diligence according to risk, acquirers not only comply with regulatory requirements but also reinforce the resilience and reliability of the QR payment ecosystem, balancing operational efficiency with robust safeguards against fraud, money laundering, and other forms of abuse.
Certain activities are explicitly prohibited or subject to restriction under both scheme rules and regulatory policy. These include, but are not limited to, illegal gambling operations, unlicensed financial services, high-risk digital asset schemes, and any activities that contravene public policy or legal requirements. Acquirers carry the responsibility of screening prospective merchants against these categories during onboarding, ensuring that access is either denied or appropriately restricted where necessary. Neglecting this obligation exposes not only the acquirer but also the wider payment ecosystem to significant legal, operational, and reputational risks.
Technology has become an indispensable enabler of modern onboarding processes. Digital tools allow acquirers to conduct remote identity verification, automate document validation, and apply algorithm-driven risk scoring to assess merchant profiles efficiently. Real-time screening against sanctions lists, watchlists, and other regulatory databases further enhances the ability to detect potential risks at the point of onboarding. These technological capabilities not only improve the speed and scalability of merchant onboarding—particularly in environments with high volumes of applicants—but also strengthen the robustness and consistency of compliance, helping ensure that regulatory and scheme requirements are met without compromising operational efficiency.
However, regulatory expectations are clear that automation does not absolve acquirers of accountability. Technology is intended to support decision-making, not replace it. Human oversight remains essential, particularly in interpreting complex cases, resolving anomalies, and exercising judgement where automated outputs are inconclusive or contradictory.
Onboarding, moreover, is not a one-time event. Regulatory expectations require acquirers to engage in ongoing due diligence throughout the merchant relationship. This includes periodic reviews at defined intervals, trigger-based reassessments prompted by changes in transaction patterns or business models, and continuous transaction monitoring. When merchant behaviour deviates materially from the original risk profile, acquirers are expected to reassess classification, update due diligence, and adjust controls accordingly. Static risk assessments are insufficient in a dynamic payment environment.
Underlying these regulatory requirements is an enduring policy tension between two equally important objectives: promoting financial inclusion and containing systemic risk. QR payments are intended to broaden access to digital financial services, particularly for small, micro, or informal merchants who may have been excluded from traditional banking channels. Overly rigid or inflexible onboarding standards, however, risk shutting out these legitimate participants, undermining the inclusive potential of the payment system. At the same time, controls that are too lax compromise the integrity of the ecosystem, leaving it vulnerable to fraud, money laundering, or other forms of abuse.
Regulators therefore expect acquirers to navigate this delicate balance with discipline, judgement, and a clear focus on proportionality. Controls must be tailored to the risk profile of each merchant, allowing safe and legitimate access while ensuring that trust in the payment system is never compromised. The application of KYC, risk profiling, and ongoing monitoring is not a matter of procedural formality; it is a regulatory imperative that directly shapes the resilience and credibility of the QR payment ecosystem. By embedding these principles into onboarding practices, acquirers help sustain a system that is both inclusive and secure, supporting confidence, operational reliability, and long-term stability for all participants.
Acquirers bear ongoing responsibility for the merchants they onboard, and technology must be deployed as a complement to, not a substitute for, sound governance. Strong onboarding practices do not merely protect individual institutions; they safeguard the integrity of the national payment infrastructure as a whole.
CHAPTER SIX - SWITCHING, CLEARING AND SETTLEMENT WITHIN MALAYSIA’S QR FRAMEWORK
Point-of-service QR payments are engineered to appear seamless and almost effortless from the user’s perspective. For the consumer, the experience is immediate and intuitive: a quick scan of a QR code, authorisation on a mobile device, and an almost instantaneous confirmation of payment. Yet behind this veneer of simplicity lies a sophisticated and multi-layered transaction architecture, one that depends on tightly coordinated interactions among multiple regulated entities, complex data exchanges, and meticulously structured clearing and settlement processes.
Understanding how these components interlock is essential to appreciating the logic of regulatory design. The payment ecosystem is not a monolith. It is a layered structure in which issuers, merchant acquirers and payment system operators perform differentiated but complementary roles. The law recognises this division of function and calibrates obligations accordingly. Responsibility is neither duplicated unnecessarily nor left ambiguously shared. It is allocated with precision.
Issuers stand at the interface with the customer. They are entrusted with onboarding, customer due diligence, safeguarding user funds and authenticating payment instructions. Their responsibilities centre on identity, authorisation and consumer protection.
Merchant acquirers, by contrast, anchor the merchant-facing dimension of the ecosystem. They are responsible for onboarding merchants, monitoring transactional behaviour, ensuring adherence to operational standards and mitigating misuse of acceptance infrastructure. Payment system operators occupy the infrastructural tier, maintaining the rails over which instructions travel, enforcing participation rules and ensuring that clearing and settlement occur with finality.
Each layer depends upon the other, yet each remains independently accountable. The issuer must verify that a customer is authorised to initiate payment. The acquirer must ensure that the merchant is legitimate and that the acceptance point is secure. The operator must guarantee that once the instruction is transmitted, it is processed, cleared and settled in accordance with defined rules. The regulatory framework reflects this choreography. It assigns obligations where risk originates and oversight where systemic exposure resides.
The apparent simplicity of a QR payment conceals an architecture of remarkable sophistication. What presents itself to the consumer as a swift, almost casual gesture is in fact the visible tip of a deeply engineered system. From the user’s perspective, the experience unfolds in seconds. A code is scanned. The amount is reviewed and confirmed. A notification signals success. The exchange feels instantaneous, effortless and intuitive.
Beneath that seamless interaction, however, a layered sequence of technical, operational and legal processes is set into motion. Identity credentials are authenticated through secure protocols designed to verify that the person initiating the payment is duly authorised. Multi-factor authentication mechanisms, device recognition systems and encrypted tokens may operate within that brief window, invisible to the end user yet essential to the integrity of the transaction.
Simultaneously, transaction messages are encrypted and transmitted across secure networks. These messages must conform to prescribed formats and technical standards to ensure compatibility across institutions. They are routed through payment infrastructure maintained by system operators, where further validation checks occur. The architecture is engineered to prevent interception, alteration or duplication, thereby safeguarding both confidentiality and authenticity.
At the same time, fraud monitoring systems analyse the transaction in real time. Algorithms evaluate behavioural patterns, transaction history, geolocation data and velocity indicators. Deviations from established norms may trigger alerts, step-up authentication or temporary holds. The system does not merely process payments. It scrutinises them continuously, balancing speed with vigilance.
Parallel to these operational safeguards, compliance frameworks operate with equal precision. Transactions are assessed against anti-money laundering parameters and risk-based monitoring rules. Thresholds, pattern recognition tools and reporting mechanisms ensure that suspicious activities can be identified and escalated where necessary. Regulatory obligations are embedded directly into the technological flow of the payment process.
Finally, settlement calculations determine the precise allocation of funds among participating institutions. Clearing mechanisms compute net positions where applicable, while settlement systems ensure that obligations are discharged conclusively. Liquidity management tools operate to prevent bottlenecks and ensure that transfers are final and irrevocable in accordance with established rules.
Each of these stages is governed by legal standards and operational protocols that function quietly but decisively. The law defines the moment of finality. Regulatory guidance prescribes security expectations. Institutional agreements allocate risk and responsibility. Together, they create a structured environment within which transactions can be executed at scale without sacrificing reliability.
What appears to be a simple scan is therefore the culmination of coordinated processes spanning authentication, encryption, risk management, compliance oversight and settlement assurance. The elegance of the user experience is achieved not by reducing complexity, but by organising it meticulously behind the scenes. Speed and simplicity are the outcome of disciplined design, sustained oversight and carefully engineered interdependence.
Operational checks prevent errors from cascading. Compliance safeguards deter misuse and detect irregularities. Legal frameworks define rights, obligations and recourse in the event of dispute or failure. These elements do not operate in isolation. They function in concert, forming a coordinated system designed to sustain confidence in everyday commerce.
Trust in digital payments is not derived from speed alone. It is sustained by predictability, accountability and enforceable rules. The ecosystem’s stability depends upon clearly demarcated responsibilities and the disciplined interaction of its constituent actors. When these components interlock as intended, transactions are executed not only efficiently, but with integrity. The ease experienced by the end user is therefore not accidental. It is the visible outcome of a carefully structured and continuously supervised regulatory design.
A typical DuitNow QR transaction brings together a defined set of participants, each with a role aligned to its regulatory status. The payer initiates the transaction using a mobile banking application or e-wallet provided by an issuer. The merchant presents a QR code at the point of sale, while the merchant acquirer facilitates acceptance and acts as the merchant’s interface with the payment system.
PayNet operates the central switching and clearing infrastructure that connects issuers and acquirers, and designated settlement banks ultimately effect the movement of funds. Each participant’s responsibilities are clearly delineated to ensure accountability, efficiency, and risk containment across the transaction lifecycle.
The transaction itself may be initiated using either a static or a dynamic QR code. With static QR codes, the merchant’s identifier is fixed and the payer manually enters the transaction amount. Dynamic QR codes generate transaction-specific details in real time, including the payment amount and merchant reference. While dynamic QR codes require greater technological capability from both merchants and acquirers, they offer superior security, improved reconciliation accuracy, and reduced scope for input errors. The framework permits both formats, reflecting different merchant capabilities, while expecting acquirers to manage the associated risks appropriately.
Once the payer scans the QR code, the transaction flow begins within the payer’s application. The application decodes the embedded merchant information, prompts the payer to authorise the payment, and transmits the payment instruction to the issuer. The issuer then conducts a series of checks before approving the transaction. These checks typically include verification of available account balance or e-wallet funds, validation against transaction limits, and fraud risk assessments based on behavioural and contextual indicators. Only if these checks are successfully completed does the transaction proceed further through the system.
Following authorisation, the transaction is routed through PayNet’s switching infrastructure. PayNet validates the credentials of the participating issuer and acquirer, ensures that the transaction conforms to scheme rules, and routes the transaction data between the relevant parties.
At the same time, transaction details are recorded for subsequent clearing. This centralised switching model is a cornerstone of the DuitNow QR framework, enabling interoperability across institutions and ensuring that payments can flow seamlessly regardless of which issuer or acquirer is involved.
Once the switching process is completed, confirmation is transmitted almost instantaneously to both parties involved in the transaction. The acquirer informs the merchant that the payment has been successfully processed, while the payer receives a corresponding notification through their mobile application. This rapid feedback loop is not merely a convenience; it is a critical element in sustaining merchant confidence and ensuring a positive customer experience.
In high-volume retail settings, where transactions occur continuously and operational efficiency is paramount, even minor delays or uncertainty can disrupt business processes, create queues, and undermine trust in the payment system. The near-instantaneous confirmation inherent in QR payments reassures both merchants and consumers that funds have been successfully transferred, reinforcing the perception of reliability and efficiency that is essential for widespread adoption and sustained use.
Although authorisation and confirmation of QR payments occur in real time, the actual settlement of funds is generally deferred. Behind the scenes, PayNet conducts clearing processes that calculate net obligations between participants, aggregating individual transactions over a specified period to determine the amounts owed by and to each party. Once these net positions are established, settlement is executed through designated settlement banks, often on a next- business-day basis.
This deferred settlement model inherently introduces settlement risk, as the financial obligations between participants remain outstanding until the transfer of funds is completed. To manage and mitigate this risk, the system is underpinned by a combination of safeguards. Participant eligibility requirements ensure that only financially sound and operationally capable entities are permitted to access the settlement system. Settlement guarantees provide a protective backstop, ensuring that obligations will be honoured even if a participant encounters temporary difficulty. Operational controls, including monitoring, reconciliation, and contingency procedures, further reinforce the system’s resilience. Together, these measures create a robust framework that preserves confidence in the payment system, balancing the convenience of real- time authorisation with the prudence of deferred settlement.
Settlement finality constitutes a cornerstone of the QR payment architecture, underpinning both operational reliability and financial stability. Once a settlement is executed, the obligations between participants are irrevocably discharged, and the transferred funds become immediately available to merchants without leaving residual counterparty risk.
This certainty transforms what might otherwise be a provisional or conditional transfer into a definitive transaction, giving participants confidence that payments will not be reversed or disputed once finalised.
Legal clarity around settlement finality is especially important in safeguarding the broader financial system. In the event of insolvency or financial distress affecting any participant, completed transactions remain insulated from retroactive unwinding, preventing the ripple effects of failure from cascading through the network. By ensuring that funds move with finality and predictability, the payment system protects individual participants and preserves systemic stability, allowing merchants, acquirers, and intermediaries to operate with assurance that the economic obligations embedded in each transaction are secure and legally binding.
After settlement, acquirers are responsible for reconciling merchant accounts accurately and providing timely transaction reports to merchants. Any discrepancies must be investigated and resolved promptly. Failures in reconciliation undermine merchant trust, complicate cash flow management, and can lead to disputes that strain both commercial relationships and system credibility.
Overlaying the entire transaction flow are regulatory expectations relating to operational resilience. Bank Negara Malaysia requires acquirers and other participants to maintain robust business continuity plans, redundancy in critical systems, and well-defined incident response frameworks. Disruptions in QR payment services can have immediate and tangible consequences, particularly for merchants who rely heavily on cashless transactions for daily operations.
The architecture of point-of-service QR payments embodies a carefully coordinated, multi-party infrastructure, where each participant—from the consumer and merchant to the acquirer and central switching system—plays a defined and interdependent role. This ecosystem is supported by resilient switching and settlement mechanisms that ensure funds move efficiently and accurately, while operational responsibilities are clearly allocated to prevent ambiguity or lapses in control.
Regulatory oversight reinforces this structure, ensuring that the speed and convenience experienced by users in routine transactions are not achieved at the expense of stability or integrity. By embedding disciplined processes, robust monitoring, and clear accountability throughout the payment chain, authorities create a system capable of absorbing operational disruptions, mitigating fraud, and managing risk effectively. In this way, the seemingly effortless experience of scanning a QR code and completing a payment rests on a foundation of meticulous design and vigilant governance, preventing systemic fragility from taking root beneath the surface of everyday commerce.
CHAPTER SEVEN - MANAGING FRAUD RISK IN INTEROPERABLE QR SYSTEMS
The rapid adoption of QR payments has fundamentally reshaped the fraud risk landscape within retail payments. While QR-based transactions reduce certain risks traditionally associated with cash, such as theft and physical loss, they simultaneously expand the digital attack surface available to fraudsters. The combination of high transaction volumes, widespread merchant acceptance, and user reliance on mobile interfaces creates new opportunities for abuse.
Bank Negara Malaysia recognises fraud risk management in this context as a core supervisory concern, reflecting the understanding that trust in payment systems is easily eroded when fraud is perceived as pervasive or inadequately addressed.
One of the most conspicuous and enduring risks in the QR payment ecosystem lies not in sophisticated cyber intrusion, but in something deceptively simple: the tampering or substitution of QR codes at the physical point of sale. The very openness and visibility that make QR codes convenient also render them vulnerable. A printed square affixed to a counter, a table, or a wall can be quietly removed, overlaid, or replaced with alarming ease.
In physical retail or service environments, a legitimate QR code displayed by a merchant may be illicitly substituted with a fraudulent code engineered to redirect payments to accounts controlled by unauthorised actors. The deception requires neither advanced hacking tools nor technical infiltration of banking systems. It may involve nothing more than a printed sticker carefully positioned over the original code. The infrastructure behind the payment system may remain secure, yet the entry point is compromised.
These manipulations exploit the behavioural realities of everyday commerce. Retail spaces are often crowded. Transactions occur rapidly. Staff attention is divided between multiple customers. In such environments, visual verification of a QR code’s authenticity is rarely undertaken with scrutiny. Consumers typically assume that a code displayed prominently at a counter is legitimate. The familiarity of the environment fosters trust. That trust, in turn, becomes the vulnerability.
Fraudsters capitalise on this presumption of authenticity. They rely on the consumer’s focus being directed toward completing the purchase rather than interrogating the source of the payment instruction. Once scanned, the fraudulent code may populate a payment interface that appears routine, particularly if the displayed merchant name is generic or insufficiently distinctive. In the haste of a queue or the noise of a busy market, discrepancies may go unnoticed.
The risk is compounded by the nature of digital payments. Funds may be transferred instantly. Settlement processes, designed for efficiency and finality, leave little room for reversal once the transaction is executed. By the time a merchant discovers a discrepancy between goods delivered and funds received, the payment may already have reached an unauthorised account.
This vulnerability illustrates a broader principle within the QR ecosystem: technological robustness does not eliminate environmental risk. Even where encryption, authentication and settlement safeguards function flawlessly, the physical interface between system and user remains exposed to manipulation. The threat arises not from systemic weakness in digital rails, but from the tangible realities of how codes are displayed, accessed and trusted.
Addressing this risk therefore requires more than backend security. It demands vigilance at the merchant level, consumer awareness, secure display practices and responsive monitoring mechanisms capable of detecting anomalies in payment flows. The substitution of a QR code may appear mundane, yet its implications are significant. It represents a convergence of human assumption and opportunistic interference, reminding stakeholders that in digital commerce, the smallest physical alteration can trigger consequential financial diversion.
The risk is compounded by the very nature of QR payments themselves. Scanning a QR code is a rapid, almost automatic action, often carried out without a second thought by consumers accustomed to the convenience and speed of cashless transactions. This habitual behaviour can allow substituted codes to operate undetected over time, resulting in repeated misdirected payments. Each individual transaction may appear innocuous, but collectively they can produce significant financial loss before the fraud is discovered.
Because these attacks leverage both human behaviour and physical opportunity, they highlight the need for layered safeguards—ranging from consumer awareness and merchant diligence to acquirer monitoring and prompt corrective measures. In the interconnected QR ecosystem, even a single compromised code can generate cascading consequences, underlining why vigilance at every stage of the transaction process is essential for maintaining consumer trust and system integrity.
Beyond physical manipulation, social engineering plays a significant role in QR payment fraud. Fraudsters may create fake merchant setups or present deceptive narratives designed to induce consumers to make QR payments under false pretences. Impersonation of legitimate businesses, charities, or service providers is common, with urgency and emotional appeal used to override consumer caution. These schemes rely less on technical sophistication and more on exploiting human trust and behavioural biases, making them difficult to counter through technology alone.
Fraud risks within the QR payment ecosystem are not solely the domain of external actors; they can also originate from the merchants themselves. In certain instances, merchants may engage in practices that are deliberately abusive or deceptive, exploiting the convenience and speed of QR payments for illicit purposes. Such behaviour can take multiple forms: QR transactions may be used to obscure illegal activities, transaction flows may be deliberately structured to circumvent monitoring thresholds, or merchants may serve as conduits for mule accounts that channel funds derived from unlawful sources.
These possibilities underscore a critical regulatory and operational truth: initial verification and onboarding alone are insufficient to ensure long-term integrity. A merchant who appears legitimate at the point of entry may, over time, develop patterns of behaviour that contravene AML/CFT expectations. This reality places a premium on continuous oversight, including transaction monitoring, anomaly detection, and periodic reassessment of merchant risk profiles. The ability to identify and respond to suspicious patterns promptly is essential, not only to protect individual consumers but also to safeguard the broader payment ecosystem from systemic abuse. Robust due diligence, therefore, must be an ongoing, dynamic process rather than a one-off procedural step, ensuring that trust established at onboarding is maintained throughout the lifecycle of the merchant relationship.
Closely intertwined with merchant-originated fraud is the risk of transaction laundering, a form of abuse in which a merchant processes payments for activities that were neither disclosed nor approved during onboarding. The very features that make QR payments attractive—their speed, simplicity, and operational flexibility—can also be exploited to facilitate such misuse. A merchant may appear legitimate on paper, yet use the QR channel to accept payments on behalf of unrelated businesses, higher-risk enterprises, or activities that fall outside the scope of the approved business model.
Detecting transaction laundering requires acquirers to move beyond static documentation and engage in active, ongoing oversight. This involves continuously comparing actual transaction patterns against the merchant’s declared business activities, looking for anomalies such as unusually high volumes, atypical payment destinations, or sudden shifts in transaction profiles. Inconsistencies between expected and observed behaviour can serve as early warning signals, prompting further investigation or corrective measures. Without such scrutiny, the speed and convenience of QR payments—normally a strength—can become a vulnerability, allowing unauthorised flows of funds to occur unchecked and potentially compromising the integrity of the broader payment ecosystem.
Velocity and pattern-based fraud introduce another layer of complexity to the QR payments landscape, demanding vigilant and sophisticated monitoring. Unlike straightforward single-transaction fraud, these risks emerge from the rhythm, frequency, and scale of activity over time. Fraud detection systems must therefore be designed to identify unusual patterns, whether in transaction frequency, amounts, or deviations from a merchant’s typical behaviour, that could signal malicious intent.
Rapid, repeated QR payments within compressed timeframes or sudden spikes in activity that diverge sharply from historical trends can indicate automation, coordinated schemes, or deliberate attempts to move funds quickly before controls can respond. Such patterns are often subtle, requiring a nuanced understanding of normal operational variability so that genuine activity is not mistaken for fraud, while genuine threats are not overlooked.
Effective monitoring in this context relies on the careful calibration of detection thresholds, combined with contextual interpretation of anomalies. Systems must balance sensitivity and specificity, ensuring that alerts are meaningful and actionable. By analysing transactional velocity and behavioural patterns in real time, acquirers can identify and respond to potential abuse proactively, reducing both consumer exposure and systemic risk while preserving confidence in the reliability and integrity of the QR payment ecosystem.
Within this environment, acquirers play a central role in fraud mitigation. Regulatory expectations require them to implement real-time monitoring tools, conduct ongoing analysis of merchant behaviour, and respond promptly to red flags. Delays in intervention can amplify financial losses, allow fraudulent schemes to scale, and expose acquirers to regulatory consequences. Timely action, including transaction blocking, merchant suspension, or escalation to authorities, is essential to containing harm.
Consumer protection considerations further shape the response to fraud. Clear rules govern the allocation of losses, refund obligations, and dispute resolution timelines. Acquirers must ensure that merchants cooperate fully in investigations, provide necessary records, and participate in remediation processes. Consistent handling of disputes is critical to maintaining consumer confidence in QR payments, particularly in cases where fault is contested or difficult to determine.
Effective fraud mitigation in the QR payment ecosystem ultimately depends on collaboration and information sharing. Issuers, acquirers, PayNet, and regulators each hold pieces of information that, when combined, provide a more complete view of emerging threats. Structured information sharing enhances collective resilience, enabling faster identification of new fraud typologies and more coordinated responses.
The risks associated with QR payments are multifaceted and continually evolving. Technology alone cannot address these challenges. Strong governance frameworks, sustained vigilance, and coordinated action across the ecosystem are essential. Fraud risk management in QR payments is not an episodic exercise triggered by incidents, but an ongoing discipline that must adapt as usage patterns and threat vectors change.
CHAPTER EIGHT - PRESERVING FINANCIAL INTEGRITY IN LOW-FRICTION PAYMENT SYSTEMS
As Malaysia’s payment ecosystem continues its shift toward real-time, low- friction digital payments, regulators have placed increasing emphasis on ensuring that anti-money laundering and counter-terrorism financing controls are deeply embedded within payment infrastructures themselves, rather than treated as peripheral compliance exercises. POS QR payments such as DuitNow QR exemplify this tension. Their speed, accessibility, and scalability support financial inclusion and everyday convenience, yet those same attributes can be exploited for illicit purposes if safeguards are weak or inconsistently applied.
Under Malaysian law, obligations relating to anti-money laundering and countering the financing of terrorism are grounded primarily in the Anti- Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001. AMLA establishes a clear statutory framework that imposes duties on entities designated as reporting institutions to identify, deter, and report suspicious activities that may be linked to illicit funds or unlawful conduct. These duties are not abstract compliance ideals. They are enforceable legal obligations designed to protect the integrity of the financial system.
Within the QR payment ecosystem, merchant acquirers fall squarely within the definition of reporting institutions under AMLA. This classification reflects the gatekeeping function they perform. Acquirers determine which merchants are permitted to connect to the payment system and under what conditions that access is maintained. As a result, they occupy a strategic position at the system’s entry point, where risks can be identified and mitigated before misuse becomes embedded or widespread. Their role extends beyond transaction processing to include merchant onboarding, monitoring, and, where necessary, intervention.
Although merchants themselves are not directly designated as reporting institutions under AMLA, AML and CFT expectations are not absent at the merchant level. Instead, these expectations are operationalised through contractual obligations embedded within acquiring arrangements. Acquirers are expected to translate statutory requirements into practical controls, ensuring that merchants are aware of relevant risk indicators, prohibited activities, and behavioural red flags. In effect, merchants become an extension of the acquirer’s control framework, even though formal regulatory accountability remains with the acquirer.
In practice, this structure places a significant responsibility on acquirers to ensure that AML and CFT controls are not merely documented but understood and applied across the merchant base. Acquirers must exercise oversight, provide guidance, and take corrective action where necessary, recognising that failures at the merchant level ultimately accrue to the acquirer from a regulatory perspective. This allocation of responsibility reinforces the principle that effective AML and CFT compliance in QR payments depends not only on legal designation, but on the disciplined management of relationships and controls throughout the payment chain.
Bank Negara Malaysia requires acquirers to adopt a risk-based approach to AML/CFT compliance, rejecting any notion of a uniform, one-size-fits-all model. Different merchants present materially different risk profiles. A small neighbourhood retailer selling everyday consumer goods does not pose the same inherent risk as a merchant offering digital services, cross-border products, or high-value items. Acquirers are therefore expected to assess inherent risks by merchant type, apply enhanced due diligence where risks are higher, and continuously review and adjust risk classifications as business models or transaction patterns evolve. This dynamic approach recognises that risk is not static and that compliance frameworks must adapt to changing realities.
Merchant onboarding represents the first and most consequential line of defence within the AML and CFT control framework, particularly in the context of QR-based, real-time payment systems. It is at this initial point of entry that acquirers have the greatest opportunity to assess risk, establish expectations, and determine whether a prospective merchant should be granted access to the payment ecosystem at all. As such, onboarding is not a procedural formality, but a substantive risk assessment exercise that sets the tone for the entire lifecycle of the merchant relationship.
Acquirers are expected to conduct meaningful customer due diligence that goes well beyond the mechanical collection of documents. This includes verifying the merchant’s legal identity and registration particulars, confirming that the business exists as represented and is authorised to operate. Equally important is developing a clear understanding of the nature of the merchant’s business activities and operating model, including how QR payments will be used in practice. Ownership and control structures must be identified with sufficient clarity to reveal who ultimately benefits from, and exercises influence over, the business. Alongside this, acquirers are expected to form a reasonable and informed expectation of transaction volumes, payment patterns, and behavioural norms against which future activity can be assessed.
When onboarding degenerates into a superficial or checklist-driven exercise, the consequences extend far beyond individual compliance lapses. Weaknesses introduced at this stage tend to persist and compound over time. Once a merchant has been granted access to the payment system, those initial gaps can be exploited repeatedly and at scale, particularly in a real-time environment where transactions are processed instantly and continuously. In such settings, the cost of remediation is significantly higher than the cost of prevention. Robust onboarding therefore serves not only as a regulatory expectation, but as a structural safeguard that preserves the integrity and credibility of the entire payment ecosystem.
AML/CFT obligations do not end once a merchant is approved. Continuous transaction monitoring is essential, especially for QR payments that operate at speed and often involve high transaction volumes. Acquirers must monitor for unusual transaction sizes, abnormal frequencies, geographic inconsistencies, and behaviour that deviates from a merchant’s stated profile. Because QR payments are processed in real time, monitoring systems must be capable of near-real-time analysis, allowing suspicious patterns to be detected and acted upon before misuse escalates.
When suspicious activity is identified, acquirers have a legal obligation to submit Suspicious Transaction Reports to Bank Negara Malaysia’s Financial Intelligence and Enforcement Department. Crucially, the obligation to report is triggered by suspicion rather than conclusive proof. Waiting for certainty or delaying reports in the hope that anomalies resolve themselves exposes acquirers to regulatory enforcement action. Timely reporting is a cornerstone of the national AML/CFT framework and a key mechanism through which authorities identify broader criminal networks and emerging threats.
One particular risk in the QR payment context is structuring, sometimes referred to as smurfing, where transactions are deliberately broken into smaller amounts to avoid detection thresholds. The low-value, high-frequency nature of QR payments makes them especially susceptible to such tactics. Acquirers are therefore expected to deploy monitoring logic that aggregates transactions over time and, where relevant, across multiple merchant locations, rather than relying solely on single-transaction thresholds.
Although QR payments are most commonly associated with low-value, everyday transactions, this characteristic does not render them immune to terrorism financing risks. The regulatory concern is not limited to the size of individual payments, but extends to the cumulative effect of repeated transactions over time. Small amounts, when structured deliberately and aggregated systematically, can be used to channel funds toward illicit activities without immediately attracting attention. This makes high-volume, low-value payment channels a potential vehicle for abuse if vigilance is relaxed.
Bank Negara Malaysia therefore expects acquirers to maintain an alert and informed approach to detecting patterns that may be indicative of terrorism financing. This involves looking beyond isolated transactions and focusing instead on behavioural trends and anomalies. Transactions connected to high- risk jurisdictions or involving sanctioned persons or entities warrant particular scrutiny, as do payment flows that deviate from what would reasonably be expected given a merchant’s stated business model and customer profile. Unusual frequency, routing, or structuring of payments that lack a clear commercial rationale can signal attempts to misuse the system.
Effective monitoring is less about reacting to single red flags and more about sustaining a coherent view of transactional behaviour over time. Acquirers are expected to calibrate their systems and oversight processes to identify such patterns early, recognising that the speed and scale of QR payments can amplify risks just as easily as they deliver convenience. By maintaining this level of vigilance, acquirers help ensure that the accessibility of QR payments does not inadvertently create blind spots within the broader AML and CFT framework.
Accountability remains firmly with the acquirer even where AML/CFT functions are outsourced to third-party service providers. Regulatory responsibility cannot be delegated. This principle ensures that outsourcing arrangements do not dilute compliance standards or create gaps in oversight. Acquirers must retain sufficient oversight, governance, and control to ensure that outsourced functions meet regulatory expectations at all times.
AML/CFT controls are not an optional overlay on QR payment systems; they are integral to their safe operation. Acquirers act as regulatory gatekeepers, balancing the promotion of digital payments with the responsibility to protect the financial system from abuse. Continuous monitoring is as critical as robust onboarding, and together these controls preserve public confidence and trust in Malaysia’s rapidly evolving digital payment ecosystem.
CHAPTER NINE - CYBERSECURITY AND OPERATIONAL RESILIENCE IN DIGITAL PAYMENTS
POS QR payments are fundamentally data-driven. Every transaction depends on the collection, transmission, and storage of multiple data elements, including information relating to the payer, the merchant, the transaction amount and timing, and, in many cases, device and location indicators. This data is essential for authorisation, clearing, settlement, reconciliation, and dispute resolution. At the same time, much of it is sensitive, and its misuse, loss, or compromise can have consequences that extend beyond individual transactions to undermine trust in the payment system as a whole.
In Malaysia, the protection of personal data within digital payment ecosystems is anchored in the Personal Data Protection Act 2010, which provides the primary legal framework governing how personal information may be collected, used, stored, and safeguarded. As QR-based payments become an everyday feature of commercial transactions, both merchant acquirers and merchants routinely handle personal data in the course of processing these payments. This places them squarely within the scope of the PDPA and subjects their operations to its core regulatory principles.
At the heart of the PDPA is the requirement that personal data be processed lawfully and responsibly, with a clear connection to defined and legitimate purposes. Data collection must not be indiscriminate or speculative. Only information that is necessary to facilitate the QR payment or meet associated operational and regulatory needs may be collected, and it must not be repurposed in ways that fall outside the consumer’s reasonable expectations. These limitations are designed to prevent function creep, where data gathered for transactional efficiency is later exploited for unrelated or intrusive uses.
Equally central to the PDPA framework is the obligation to protect personal data through appropriate security safeguards. Given the digital nature of QR payments, this extends beyond physical controls to encompass technical and organisational measures that reduce the risk of unauthorised access, misuse, or loss. Effective data protection in this context is not a one-time compliance exercise, but an ongoing discipline that must evolve alongside technological changes and emerging threats.
In practical terms, these statutory obligations are given operational force through merchant agreements. Acquirers typically embed PDPA requirements directly into their contractual arrangements with merchants, converting abstract legal principles into concrete expectations around data handling, access controls, retention practices, and incident management. By doing so, acquirers act as conduits between the legislative framework and day-to-day commercial operations, ensuring that personal data protection is not treated as a peripheral legal formality but as an integral component of trust and accountability within Malaysia’s QR payment ecosystem.
Confidentiality obligations are a central feature of these contractual arrangements. Merchant agreements impose duties on merchants to protect customer information, transaction data, and the acquirer’s proprietary information. These obligations do not end when the commercial relationship is terminated; they continue thereafter, reflecting the enduring sensitivity of payment data. Breaches of confidentiality, whether intentional or negligent, can expose both merchants and acquirers to legal liability and regulatory action.
The reliance on digital infrastructure also exposes POS QR payments to a range of cybersecurity risks. Threats may take the form of malware infecting merchant devices used to accept QR payments, phishing attacks aimed at deceiving consumers into disclosing credentials or authorising fraudulent transactions, or system intrusions that compromise acquirers or other intermediaries. QR codes themselves are data carriers and, if not properly controlled, can be manipulated or substituted in ways that redirect payments or harvest information. These risks highlight that cybersecurity is not an abstract concern but a practical, day-to-day operational challenge.
Against this backdrop, acquirers carry significant responsibility for system security. Regulatory expectations require them to implement secure system architectures, encrypt sensitive data both in transit and at rest, and enforce robust access controls and authentication mechanisms. Regular security testing and independent audits are essential to identifying vulnerabilities before they are exploited. Failures in this area can trigger regulatory scrutiny, financial losses, and lasting reputational damage that erodes confidence among merchants and consumers alike.
Merchants occupy a critical position on the front line of data and system protection within the QR payments ecosystem. While regulatory frameworks and acquirer oversight establish the overarching standards, it is at the merchant level that many of these safeguards are either upheld or inadvertently compromised. Merchants are therefore expected to take active responsibility for securing the devices used to accept QR payments, ensuring that terminals, smartphones, and associated applications are protected against tampering, malware, and unauthorised access. This responsibility extends to the transaction data that flows through these devices, which must be shielded from exposure or misuse at every stage of the payment process.
Preventing unauthorised access is as much an organisational challenge as it is a technical one. Merchants are expected to implement basic but essential controls, such as restricting access to payment systems to authorised personnel and managing credentials in a disciplined manner. Equally important is the human element.
Staff who handle QR payments or have access to transaction systems must be properly trained in data handling practices and cybersecurity hygiene, with a clear understanding of how everyday actions can either strengthen or weaken security. Awareness of phishing risks, password discipline, and proper device usage forms part of this baseline expectation.
Seemingly minor lapses can have disproportionate consequences. The use of unsecured or shared devices, casual sharing of login credentials, or neglecting routine software updates can create vulnerabilities that compromise not just a single merchant, but the integrity of the broader payment chain. QR payment ecosystems are highly interconnected by design, linking consumers, merchants, acquirers, and system operators in real time. In such an environment, security is only as strong as its weakest point. A failure at one node can propagate risk across the entire network, exposing all participants to potential data breaches, fraud, and loss of confidence.
Regulators place strong emphasis on preparedness for incidents. Bank Negara Malaysia expects regulated entities to maintain well-defined incident response frameworks. When a data breach or cyber incident occurs, immediate containment is required to limit damage. Where applicable, affected parties must be notified, and a thorough root cause analysis must be conducted to prevent recurrence. Transparent and timely incident management is essential to maintaining public and market confidence, particularly in systems that are relied upon for everyday transactions.
As QR payments increasingly support cross-border use cases, data governance challenges become more complex. Transaction data may flow across jurisdictions, raising questions about compliance with PDPA requirements on cross-border data transfers. Acquirers must ensure that appropriate safeguards are in place and that overseas processing does not dilute the level of protection afforded to personal data under Malaysian law.
Cybersecurity incidents do not confine their impact to data compromise alone. They can directly impair the availability of payment services, transforming what might initially appear as a technical malfunction into a wider operational disruption. In a digital payments environment that operates in real time and at scale, even brief outages can cascade into significant consequences for merchants and consumers alike, interrupting transactions, delaying settlements, and eroding confidence in the reliability of the payment channel.
For this reason, acquirers are expected to go beyond preventive cybersecurity controls and maintain robust business continuity and disaster recovery arrangements. These plans are designed to ensure that payment services can be restored within acceptable timeframes following an incident, whether the trigger is a cyberattack, system failure, or external disruption. Importantly, such arrangements must not exist only on paper. Regular testing is essential to validate assumptions, identify weaknesses, and ensure that personnel understand their roles during a disruption. Without testing, contingency plans risk offering false reassurance rather than genuine resilience.
The regulatory emphasis on continuity reflects a broader understanding that payment system availability is not merely a commercial consideration to be weighed against cost or convenience. As cashless payments become deeply embedded in daily economic activity, the ability to pay for goods and services reliably takes on characteristics of a public utility. Prolonged or repeated outages can affect livelihoods, disrupt commerce, and undermine public trust in the financial system. In this context, ensuring the continuous availability of payment services is a matter of public interest, reinforcing the expectation that acquirers treat operational resilience as a core obligation rather than a peripheral risk management exercise.
Data governance, privacy, and cybersecurity are inseparable from the integrity of POS QR payment systems. Regulatory priorities in this area reflect the understanding that trust is built not only on convenience and speed, but on confidence that data is handled responsibly and systems are resilient. Both acquirers and merchants bear responsibility for upholding these standards, and strong data protection practices are essential to sustaining trust in Malaysia’s QR payment ecosystem.
CHAPTER TEN - THE ARCHITECTURE OF CONSUMER PROTECTION IN DIGITAL COMMERCE
Consumer protection occupies a central and non-negotiable place within Malaysia’s payment system regulation, reflecting a regulatory understanding that trust is the invisible infrastructure upon which digital payments are built. As cash steadily recedes from the point of sale and QR-based payments become embedded in everyday commerce, consumers increasingly depend on electronic systems to complete routine, low-value transactions that were once regarded as immediate, uncomplicated, and conclusively settled.
This behavioural shift transforms the nature of consumer expectations. Digital convenience is no longer sufficient on its own. What users now expect is a payments environment that operates fairly, communicates clearly, and offers dependable avenues for redress when transactions do not unfold as intended.
Within this framework, Bank Negara Malaysia does not treat consumer protection as an adjunct to technological innovation or market efficiency. It is positioned as a foundational element of payment system stability itself. The logic is straightforward and systemic in nature. Confidence underpins participation. When consumers believe that errors will be addressed, losses investigated, and disputes resolved in a consistent and transparent manner, they are more willing to adopt and regularly use digital payment instruments.
When confidence is shaken, the effects ripple outward. Adoption rates stall, transaction volumes soften, and usage patterns become more cautious or fragmented. In such an environment, even well-designed national initiatives such as DuitNow QR risk underperforming, not because of technical inadequacy, but because trust has been diluted.
POS QR payments, in particular, introduce a set of consumer risks that differ in meaningful ways from those historically associated with cash transactions. Cash errors are typically visible and immediately correctable. Digital errors, by contrast, can be abstract, delayed, and difficult for consumers to diagnose. In static QR environments, for instance, transaction amounts are often manually entered by the payer, creating scope for inadvertent input errors that may only be noticed after settlement has occurred.
The reliance on machine-readable codes also creates the possibility of payments being directed to unintended recipients, whether through misreading, code substitution, or deliberate tampering. Technical disruptions add another layer of complexity. System glitches or connectivity failures can result in duplicate debits or transactions that appear incomplete from the consumer’s perspective, even though funds have been irrevocably transferred.
Beyond operational errors, the digital channel also exposes consumers to risks that have no true analogue in cash-based commerce. Fraud and unauthorised transactions, facilitated by compromised devices, social engineering, or malicious manipulation of QR codes, represent an ever- present concern. Importantly, the existence of these risks does not, in itself, signal fragility within the payment system. Rather, it reflects the realities of operating at scale in a digitally networked environment. What matters from a regulatory standpoint is how these risks are managed once they materialise.
This is where structured and predictable dispute resolution mechanisms assume critical importance. Consumers must not be left navigating opaque processes or absorbing losses arising from failures that lie beyond their reasonable control. Clear rules governing liability, well-defined timelines for investigation, and accessible channels for lodging complaints are essential in ensuring that individual grievances do not metastasise into systemic distrust.
By embedding such safeguards within the regulatory architecture of POS QR payments, Bank Negara Malaysia reinforces the principle that consumer protection is not merely about addressing isolated disputes. It is about preserving confidence in transactional finality, sustaining usage at scale, and ensuring that the transition from cash to digital payments strengthens, rather than undermines, the resilience of the national payment ecosystem.
Protection is achieved through a deliberate allocation of responsibility across issuers, acquirers, and merchants. Issuers are typically the first point of contact for consumers and handle initial complaints, account-level investigations, and customer communication. Acquirers play a coordinating role, working with merchants to verify transaction legitimacy, retrieve transaction data, and support investigations. Merchants are expected to cooperate fully in the resolution of disputes, including processing refunds where appropriate. This multi-party framework recognises the complexity of QR payment transactions and ensures that consumers are not denied recourse simply because multiple intermediaries are involved.
Transaction errors are among the most common issues faced by consumers. These may arise from incorrect amounts being entered, duplicate payments being processed, or payments occurring around system interruptions. Merchant agreements usually set out detailed procedures for handling refunds, including documentation requirements and timelines. Acquirers are expected to ensure that merchants comply with these procedures consistently. Failure to do so can result in prolonged consumer detriment and undermine confidence in the payment channel.
Where a consumer alleges that a QR payment was unauthorised or fraudulent, issuers are expected to investigate promptly. Acquirers must support this process by providing transaction logs, merchant details, and any other relevant information needed to establish the facts. Bank Negara Malaysia places strong emphasis on swift resolution in such cases. Delays not only increase consumer frustration but also amplify the perceived risk of electronic payments, even where actual losses may be limited.
Transparency at the point of payment is a cornerstone of effective consumer protection in a digital payments environment, particularly where speed and convenience can otherwise obscure clarity. The moment of authorisation is the point at which legal, financial, and behavioural expectations converge, and it is therefore essential that consumers are given a clear and accurate picture of what they are consenting to before a transaction is finalised.
Merchants are required to disclose the final transaction amount in an unambiguous manner, ensuring that consumers can verify the sum to be debited before confirming payment. This obligation is not limited to the headline price alone. Where refund policies, cancellation conditions, or other material terms apply, these must be communicated in language and formats that are easily understood, without reliance on fine print or implicit assumptions.
The regulatory emphasis on transparency reflects an understanding that digital payments, by their nature, compress decision-making into a matter of seconds. In such conditions, even minor ambiguities can result in consumers authorising transactions they did not fully intend or understand. Consumers should not be placed in situations where they feel rushed into confirming payment, misled by incomplete information, or surprised by amounts or conditions that only become apparent after settlement has occurred. The integrity of the payment process depends on informed consent, and informed consent is only possible when information is presented clearly, consistently, and at the appropriate moment.
Acquirers play a pivotal role in translating these principles into operational reality. They are not passive intermediaries, but active enforcers of transparency standards within the merchant ecosystem. Through merchant agreements, acquirers are expected to embed clear obligations relating to price disclosure, presentation of terms, and customer communication at the point of sale. These contractual requirements must be reinforced by ongoing monitoring, whether through transaction reviews, merchant audits, or customer feedback mechanisms. Where breaches are identified, acquirers are expected to take timely corrective action, ranging from remedial guidance to enforcement measures where non-compliance persists.
Transparency at the point of payment functions as more than a consumer- facing safeguard. It operates as a systemic control that reinforces trust in digital payment instruments, reduces the incidence of disputes, and supports the broader objective of maintaining confidence in Malaysia’s evolving cashless ecosystem.
Merchant agreements also typically prohibit surcharging or differential pricing based on payment method. Consumers must not be penalised for choosing to pay via QR rather than cash. Bank Negara Malaysia views surcharging practices as detrimental to consumer confidence and inconsistent with fair payment practices, particularly in the context of national efforts to promote digital payments.
Effective consumer protection depends on well-designed dispute resolution frameworks. These include clear complaint handling processes, defined response timelines, and escalation mechanisms when issues are not resolved at the first level. Acquirers must ensure that merchants understand and comply with these obligations. Persistent failure by a merchant to resolve disputes appropriately may justify suspension or termination of acquiring services, reflecting the seriousness with which consumer outcomes are treated.
Regulatory expectations extend beyond policy design to actual outcomes. Bank Negara Malaysia monitors how regulated entities handle consumer complaints and disputes, and poor practices may attract supervisory intervention or enforcement action. The quality of complaint handling is therefore a key indicator of compliance effectiveness, not merely an operational detail.
Consumer protection underpins trust in POS QR payments. Dispute resolution is a shared responsibility across the ecosystem, and transparency and fairness are non-negotiable standards. A payment system that fails to protect consumers ultimately fails its broader policy objectives, regardless of how efficient or innovative it may appear on the surface.
CHAPTER ELEVEN - PRICING, MERCHANT DISCOUNT RATES, AND TRANSPARENCY OBLIGATIONS
Pricing sits at the quiet centre of every payment system, exerting influence long before users consciously register its presence. It does not flash across screens like a new interface upgrade, nor does it announce itself with the rhetoric of disruption or innovation. Its power is more discreet. It operates through incentives, thresholds and marginal costs, shaping decisions in increments rather than proclamations.
A payment instrument may be technologically superior. It may be faster, safer and more convenient than its predecessors. Policy may actively promote its adoption through regulatory endorsement or infrastructural support. Yet none of these forces guarantees habitual use. The decisive factor often lies in how costs are distributed across participants. A fraction of a percentage point in merchant discount rates, a small transaction fee, or the absence of one altogether can alter behaviour across millions of transactions.
For consumers, pricing influences perception. A payment method that attracts visible surcharges or hidden costs is likely to be weighed against alternatives, however efficient it may be. Even nominal fees can create psychological friction. By contrast, a pricing structure that renders transactions effectively costless to the user encourages repetition. Repetition breeds familiarity. Familiarity fosters trust. Over time, the instrument ceases to feel novel and becomes embedded in daily routine.
Merchants respond with equal sensitivity. For a small retailer operating on narrow margins, transaction costs are not abstract considerations. They directly affect profitability. If fees are predictable and proportionate, digital acceptance becomes an operational norm. If they are opaque or perceived as burdensome, resistance may surface in subtle forms. A merchant may prefer cash. A minimum transaction threshold may be imposed. The digital option may be offered without enthusiasm.
Pricing also signals value. It communicates how risks and responsibilities are allocated within the ecosystem. If issuers, acquirers and system operators structure fees in a manner that appears equitable, confidence in the system deepens. If costs seem unevenly imposed or poorly explained, dissatisfaction accumulates quietly. Unlike technological glitches, pricing grievances rarely generate headlines. They surface instead in gradual shifts of behaviour.
Over time, cumulative pricing effects reshape entire payment landscapes. Instruments that begin as supplementary can become dominant if cost structures align with user incentives. Conversely, well-designed systems can languish if pricing discourages consistent engagement. Adoption curves are rarely dictated by capability alone. They are shaped by affordability, predictability and perceived fairness.
Pricing performs a formative function. It converts infrastructure into practice. It translates regulatory aspiration into lived behaviour. While innovation captures imagination and policy frames ambition, pricing determines endurance. It is the mechanism through which a payment method either integrates seamlessly into commerce or remains peripheral, negotiated at the counter and reconsidered at every transaction.
Quiet though it may be, pricing governs habit. And habit, once formed, defines the true architecture of a payment system.
In everyday commerce, pricing operates as a silent language. It communicates value without proclamation, fairness without ceremony, and predictability without fanfare. Before a transaction is completed, before a receipt is printed or a notification appears, pricing has already shaped the conditions under which exchange occurs. It determines whether participation feels sustainable, equitable and routine, or burdensome and contested.
For merchants, pricing is not an abstract percentage embedded in contractual fine print. It is a direct input into survival. In sectors where margins are slender and volatility is constant, even marginal adjustments in transaction costs can influence operational decisions. A payment acceptance fee is assessed not merely as a service charge but as a cost of entry into a digital marketplace.
It must justify itself through increased sales, faster turnover, improved reconciliation or reduced cash-handling risks. Where pricing is proportionate and transparent, digital participation becomes a rational extension of business practice. Where it is perceived as excessive or unpredictable, caution creeps in. Merchants may impose informal thresholds, prefer certain payment modes, or quietly nudge customers toward alternatives.
Consumers encounter pricing less directly but no less meaningfully. They may not see the interchange structure or the settlement mechanics, yet they sense its effects. Prices displayed at the counter reflect embedded costs. Acceptance attitudes convey subtle cues. A merchant who welcomes digital payment without hesitation reinforces confidence. One who signals reluctance, adds surcharges or differentiates between instruments transmits a different message. Friction at the point of sale, whether in the form of additional steps, minimum spend requirements or visible fee notices, shapes perception.
When pricing aligns with expectations, it recedes into the background. Transactions unfold without deliberation. The payment method becomes an unremarkable extension of commerce. The absence of friction fosters repetition, and repetition cements habit. Trust grows not because pricing is celebrated, but because it is unremarkable.
When pricing feels opaque, inconsistently applied or disproportionate, it surfaces abruptly. Consumers hesitate. Merchants reassess. Questions arise about fairness and transparency. Even where the underlying technology is efficient, unease at the level of cost can erode goodwill. Mistrust does not require dramatic failure. It can germinate in small irritations repeated across transactions.
Pricing therefore performs a balancing function within the payment ecosystem. It must sustain infrastructure, compensate risk and reward participation, yet it must do so without imposing visible strain on everyday exchange. Its success lies in equilibrium. When calibrated thoughtfully, it supports a cycle of acceptance and confidence. When misaligned, it becomes a point of quiet resistance.
In the cadence of daily commerce, pricing is rarely applauded. It is judged instead by its invisibility. The more seamlessly it integrates into expectations of fairness and predictability, the more effectively it underwrites trust in the system as a whole.
Within Malaysia’s point-of-service QR payment ecosystem, the Merchant Discount Rate, or MDR, is the focal point where these dynamics converge. MDR is not merely a fee; it is the practical expression of how costs, risks, and responsibilities are allocated across the system.
It reflects the commercial realities faced by acquirers in maintaining infrastructure, managing settlement and liquidity, investing in security, and absorbing operational and compliance risks. At the same time, it embodies regulatory intent, signalling expectations around affordability, fairness, and broad-based participation.
MDR operates as a balancing mechanism. Set too high, it risks discouraging merchants, particularly smaller businesses, from embracing digital payments, slowing adoption and undermining inclusion objectives. Set without transparency or consistency, it erodes trust and invites behavioural workarounds that weaken the integrity of the system. Yet set too low, without regard to sustainability, it can compromise the resilience and reliability of the payment infrastructure itself.
It is precisely because MDR sits at this intersection, between commercial sustainability and public policy, that it warrants careful scrutiny. In the QR payments context, pricing is not an ancillary consideration; it is a structural determinant of whether the system functions as intended. How MDR is designed, disclosed, and enforced ultimately shapes whether QR payments are perceived as a natural part of daily commerce or as a conditional convenience, accepted only when circumstances allow.
At its most basic level, the Merchant Discount Rate represents the fee charged to a merchant for accepting an electronic payment. In QR payment arrangements, MDR compensates acquirers and other participants for the provision of payment acceptance infrastructure, settlement services, system maintenance, customer support, and risk management. These costs are real and unavoidable. Without sustainable pricing, the ecosystem itself cannot function reliably.
At the same time, MDR cannot be viewed purely through a commercial lens. QR payments have been positioned as a mass-market payment instrument, one intended to be accessible not only to large retailers, but to micro-merchants, small businesses, and informal traders. As a result, MDR structures must strike a careful balance. They must support the economic viability of acquirers while remaining affordable enough not to discourage merchant participation. Pricing, in this sense, becomes a policy lever as much as a commercial one.
Bank Negara Malaysia does not generally prescribe fixed MDR levels across all payment instruments, and this flexibility reflects an appreciation of market dynamics and cost diversity. However, the absence of price controls does not equate to an absence of expectations. The regulatory emphasis is clear: pricing must be transparent, fair, and non-abusive. Excessive fees, opaque pricing structures, or practices that obscure the true cost of acceptance can undermine adoption and run counter to national payment objectives. When merchants perceive digital payments as disproportionately expensive or unpredictable, behavioural resistance inevitably follows.
Within merchant agreements, the allocation of MDR costs is typically straightforward. The MDR is borne by the merchant as part of the cost of accepting electronic payments. Merchants may choose to absorb this cost entirely, treating it as an ordinary business expense, or they may factor it into their overall pricing strategy alongside rent, labour, and inventory costs. What merchants are generally not permitted to do, however, is impose explicit surcharges on customers for choosing to pay electronically. This prohibition is central to preserving payment neutrality and protecting consumer trust.
Transparency obligations flow directly from this principle. Consumers must be able to rely on the assumption that the price displayed is the price paid, regardless of whether payment is made in cash, by card, or via QR code. Any variation in pricing must not be explicitly linked to the choice of electronic payment. Hidden surcharges whether imposed overtly or indirectly erode confidence and distort consumer behaviour.
Acquirers play a critical role in upholding these standards. Their responsibility does not end at onboarding or contract execution. They are expected to monitor merchant pricing practices actively and to identify instances where merchants may be engaging in prohibited surcharging or inconsistent pricing. In this way, transparency obligations are enforced not only through regulation, but through contractual oversight and ongoing supervision within the payment ecosystem.
Differential treatment between payment methods presents a further risk. When consumers are penalised, financially or otherwise, for choosing one payment method over another, genuine choice is compromised. Such practices can distort competition, undermine interoperability goals, and slow the transition toward digital payments. Bank Negara Malaysia has consistently encouraged payment neutrality, where consumers are free to select their preferred payment method without encountering hidden costs or behavioural nudges driven by pricing asymmetry.
Recognising that cost sensitivity remains a real barrier, particularly for smaller merchants, Malaysia has implemented targeted initiatives to subsidise or cap MDR for specific merchant segments, especially small and medium enterprises. These programmes are designed to accelerate adoption by lowering entry barriers and reducing early-stage cost concerns. Acquirers that participate in such initiatives are required to comply with programme- specific conditions, reporting requirements, and eligibility criteria. The subsidies do not eliminate obligations; they simply recalibrate incentives.
Pricing structures, whether subsidised or market-based, have a measurable influence on merchant behaviour. They shape decisions about whether to accept QR payments at all, whether to promote digital payments over cash, and whether to invest in compatible infrastructure and systems. Regulators monitor these behavioural outcomes closely, not only to assess compliance, but to evaluate whether pricing policies are achieving their intended objectives or producing unintended consequences.
Where pricing obligations are breached, enforcement mechanisms must be credible. Acquirers are expected to address issues through merchant education, contractual remedies, and, where necessary, suspension or termination of services. Failure to respond adequately to pricing abuses may expose acquirers themselves to regulatory scrutiny. Accountability, once again, is not transferable.
Pricing transparency serves a purpose larger than cost recovery or fairness between contracting parties. It underpins consumer confidence. When consumers trust that electronic payments do not carry hidden charges or inconsistent pricing, adoption becomes habitual rather than conditional. Confidence compounds. Usage increases. And the payment ecosystem strengthens organically.
Fair and transparent pricing is not peripheral to QR payment adoption; it is central to its sustainability. Merchant Discount Rate obligations must be clearly communicated, consistently enforced, and aligned with regulatory expectations. Transparency benefits merchants by fostering trust, benefits consumers by protecting choice, and benefits the ecosystem by reinforcing long-term resilience.
Pricing is not merely about numbers. It is about credibility and credibility, once established, is one of the most valuable assets a payment system can possess.
CHAPTER TWELVE - GOVERNANCE, ACCOUNTABILITY, AND REGULATORY ENFORCEMENT
Payment systems do not succeed or fail on the strength of technology alone, no matter how advanced or elegantly designed that technology may be. Infrastructure can deliver speed, efficiency, and scale, but it cannot, by itself, determine how those capabilities are exercised. It is governance that decides whether technological power is applied safely, responsibly, and consistently over time. Without governance, even the most sophisticated payment infrastructure becomes fragile – vulnerable not to system failure, but to human judgement, misaligned incentives, and unmanaged risk.
Governance is the backbone of payment system integrity because it provides the structure through which complexity is controlled. It defines how risks are identified before they crystallise, how responsibilities are assigned rather than assumed, and how decisions are made when conditions deviate from the expected. It determines whether warning signals are acted upon or ignored, whether incidents are escalated promptly or rationalised away, and whether accountability is clear when outcomes fall short of expectations. In moments of stress, when systems are under pressure, volumes surge, or failures occur, it is governance, not technology, that ultimately dictates the quality of the response.
In the context of Malaysia’s point-of-service QR payment ecosystem, these governance expectations are neither theoretical nor discretionary. They are embedded directly into the regulatory architecture and applied through ongoing supervision. Bank Negara Malaysia’s approach reflects a clear recognition that payment systems are critical national infrastructure. As such, they must be governed with the same seriousness afforded to institutions whose failure could undermine public confidence or systemic stability.
The supervisory philosophy places accountability, transparency and resilience at the centre of regulatory expectation, not as aspirational virtues, but as daily operating requirements embedded within institutional conduct. These are not rhetorical commitments to good governance. They are structural demands that shape how payment institutions organise authority, disclose information and design their systems.
Accountability begins with clarity of ownership. In complex payment ecosystems, where functions are distributed across technology providers, outsourcing partners and layered management hierarchies, responsibility can easily become diffused. The supervisory approach resists that diffusion. It insists that identifiable decision-makers bear responsibility for strategic direction, risk tolerance and operational outcomes.
Boards are expected to exercise meaningful oversight. Senior management must demonstrate active control rather than passive reliance on third-party assurances. When incidents occur, the question is not merely what failed, but who was responsible for anticipating, mitigating and responding to the risk. Accountability ensures that governance remains anchored in human judgment and traceable authority.
Transparency operates as the indispensable companion to accountability. If accountability answers the question of who is responsible, transparency answers how that responsibility is exercised. It rejects the notion that complexity justifies obscurity. In modern payment systems, where technological sophistication can easily conceal decision-making processes and risk exposures, transparency functions as a deliberate corrective.
Risks must not remain buried within proprietary algorithms or shielded by technical opacity. Institutions may innovate, but innovation cannot become a veil behind which vulnerabilities accumulate unseen. Pricing structures must be intelligible, not merely contractually disclosed but comprehensible in their practical effect. Incident reporting mechanisms must be structured, timely and candid. Risk exposures, whether operational, liquidity-related or cyber in nature, must be identifiable within governance frameworks rather than dispersed across fragmented systems.
For regulators, transparency provides the visibility necessary for precise supervision. It allows assessment of institutional health based on evidence rather than assumption. Supervisory engagement becomes calibrated and informed. Patterns of vulnerability can be detected early. Remedial measures can be imposed proportionately. Without transparency, oversight is reduced to inference. With it, oversight becomes disciplined and data-driven.
Market participants benefit equally from this openness. Clear pricing allows merchants to evaluate cost structures rationally. It reduces suspicion of arbitrary charges or undisclosed mark-ups. Consistent disclosure of risk management practices reassures counterparties that controls are deliberate and structured. Transparency thus reduces informational asymmetry, fostering a competitive environment in which trust is grounded in verifiable practice rather than marketing assurance.
Consumers, too, derive confidence from visible clarity. When incidents occur, prompt and accurate disclosure tempers uncertainty. Silence breeds speculation. Candour, even in adversity, signals institutional maturity. Transparent communication demonstrates that systems are monitored, breaches are investigated and corrective actions are implemented. Trust is reinforced not by the absence of problems, but by the visible competence with which they are managed.
Transparent controls also dispel the perception that risk management is reactive or improvised. Documented frameworks, published standards and clearly articulated procedures indicate that safeguards are embedded by design. They show that institutions operate within structured parameters rather than relying on ad hoc responses. Predictability in governance cultivates predictability in outcomes.
Transparency strengthens the entire payment ecosystem. It aligns regulatory scrutiny, market discipline and consumer confidence within a shared field of visibility. By illuminating pricing, risks and controls, it ensures that stability is not presumed but demonstrated. Openness becomes more than disclosure. It becomes a structural condition for trust.
Resilience completes this triad. Payment systems function as critical infrastructure. They cannot afford fragility. Systemic resilience demands that institutions anticipate disruption rather than merely react to it. Operational continuity plans, redundancy mechanisms, cyber defence frameworks and liquidity safeguards must be built into the architecture.
Stress scenarios are not hypothetical exercises but preparation for plausible shocks. Whether confronted by technological failure, cyber intrusion, sudden transaction surges or external crises, payment systems must continue to operate with minimal interruption.
Resilience also encompasses adaptability. As payment technologies evolve and threat landscapes shift, institutions must recalibrate controls and upgrade infrastructure. Static compliance is insufficient. Supervisory expectations require dynamic responsiveness, ensuring that systems remain robust even as complexity increases.
Together, accountability, transparency and resilience form an integrated architecture of discipline within the payment ecosystem. They are not parallel virtues operating independently, but interdependent forces that reinforce one another. Accountability anchors responsibility in named offices and identifiable decision-makers. Transparency casts light upon processes, pricing and risk exposures. Resilience fortifies the system against shock, ensuring continuity under strain. Each principle corrects the excess or absence of the others.
Accountability without transparency risks becoming opaque authority. Transparency without accountability can devolve into information without ownership. Resilience without either may harden systems technically while leaving governance fragile. When coherently operationalised, however, these principles align institutional behaviour with systemic stability. They ensure that oversight is not episodic or crisis-driven, but embedded in the daily functioning of institutions.
Supervision, under this triad, evolves in character. It shifts from reactive intervention after failure to proactive assurance before disruption. Regulators do not merely investigate breakdowns. They examine governance structures, interrogate reporting lines, review stress scenarios and assess disclosure practices in advance. Institutions are expected to demonstrate readiness rather than simply respond to scrutiny. Assurance becomes continuous rather than corrective.
Within such a framework, the payment system is not left to operate on implicit trust. It functions with identifiable stewardship, where decision-makers are visible and accountable. It operates with observable integrity, where controls, pricing and risk management frameworks withstand examination. It sustains continuity through structured preparedness, absorbing operational or external shocks without systemic paralysis.
Public confidence, in turn, rests upon this visible discipline. Trust is not sustained by technological speed alone. It is maintained because users perceive that the system is governed, monitored and capable of endurance. Transactions proceed with assurance because the architecture beneath them is resilient and responsibly managed.
Accountability, transparency and resilience transform the payment ecosystem into more than a network of transactions. They shape it into a stable civic infrastructure, one that continues to function reliably even when tested. The system does not merely process payments. It embodies structured stewardship, disciplined governance and the capacity to withstand disruption without surrendering confidence.
These expectations form a governance framework that recognises a simple truth: trust in payment systems is not created by technology alone. It is sustained by institutions that are well-governed, clearly accountable, and consistently supervised. In Malaysia’s QR payment ecosystem, governance is not a background consideration. It is the condition that allows speed, scale, and innovation to exist without compromising stability or public confidence.
For merchant acquirers, governance obligations flow not from choice but from status. As regulated entities, they operate what is, in practical terms, critical financial infrastructure, systems that mediate millions of low-value but high- frequency transactions and collectively sustain public confidence in digital payments.
QR payment services, therefore, are not viewed by regulators as ancillary or experimental product lines. They are integral components of the national payments architecture, and as such, they attract the same expectations of robustness, accountability, and resilience that apply to any system of systemic relevance.
These obligations are neither abstract nor implied. They are concretely expressed through licensing conditions, binding policy instruments, operational guidelines, and continuous supervisory engagement. Regulators expect merchant acquirers to demonstrate clear internal ownership of QR payment operations, well-defined lines of responsibility, and governance structures capable of identifying, escalating, and addressing risks before they crystallise into systemic failures. Compliance is measured not only by adherence to prescribed rules, but by the quality of judgment exercised in operational decision-making.
Governance in this domain is not a one-time threshold crossed at the moment of authorisation. It is a living discipline. As transaction volumes expand, merchant networks diversify, and use cases evolve, the governance framework must adapt in tandem. Controls that were proportionate at an early stage may become inadequate at scale. New risks, whether technological, operational, or behavioural, demand recalibration of oversight mechanisms. In this sense, governance is both a regulatory expectation and a strategic obligation, requiring merchant acquirers to continuously align their internal controls with the growing complexity and risk profile of the payment ecosystem they support.
At the heart of this framework lies the responsibility of boards and senior management. Bank Negara Malaysia expects leadership at the highest level of acquirers to exercise effective and informed oversight over payment activities, including QR payment services. This responsibility cannot be delegated downward without consequence. Boards are expected to approve and periodically review risk appetite statements that explicitly encompass payment system activities.
Senior management must ensure that compliance and risk management functions are adequately resourced, independent, and empowered. Outsourcing arrangements must be scrutinised not only for efficiency, but for risk transfer and control integrity. Incident reports, audit findings, and regulatory observations must be reviewed with seriousness and followed through with corrective action.
Experience across financial systems consistently demonstrates that governance failures at the top rarely remain contained. Weak oversight, ambiguous accountability, or tolerance of control gaps at senior levels almost inevitably translate into operational weaknesses at the execution layer. In payment systems, these weaknesses manifest as delayed incident response, inconsistent merchant controls, poor escalation of risks, and ultimately, erosion of trust.
To support effective governance, many acquirers adopt a three lines of defence model. Under this framework, business units carry responsibility for day-to-day operations and first-line controls. Risk management and compliance functions provide independent oversight, challenge assumptions, and monitor adherence to policies and regulatory expectations.
Internal audit serves as the final line, offering independent assurance that governance structures and controls are functioning as intended. Bank Negara Malaysia expects these lines to operate independently, yet cohesively. Overlap without clarity, or separation without coordination, undermines the effectiveness of the model.
Outsourcing introduces additional complexity into this governance landscape. Acquirers frequently rely on third parties for functions such as merchant onboarding, technology platforms, customer support, or transaction monitoring. While outsourcing may offer scalability and efficiency, it does not dilute regulatory accountability. Bank Negara Malaysia has consistently reinforced the principle that responsibility remains firmly with the licensed entity. Acquirers must therefore ensure that third-party service providers operate to standards equivalent to those applied internally, and that oversight mechanisms are sufficiently robust to detect and address deficiencies promptly.
Supervisory engagement is the mechanism through which these governance expectations are tested. Bank Negara Malaysia conducts a range of supervisory activities, including thematic reviews, on-site examinations, off- site monitoring, and detailed reviews of data submissions and incident reports. QR payment activities may be examined as part of broader payment system supervision or through targeted reviews focusing on specific risk areas. These engagements are not merely compliance exercises; they are intended to assess whether governance frameworks are effective in practice, not just in policy.
Where deficiencies are identified, the regulator has a suite of enforcement tools at its disposal. These may include supervisory directives requiring remedial action, administrative penalties, restrictions on business activities, or suspension from participation in payment schemes. Enforcement actions are applied proportionately, taking into account severity, impact, and responsiveness. However, firmness is a defining characteristic. Payment systems are systemically important, and regulatory tolerance for governance failures that threaten stability or public confidence is necessarily limited.
Governance is not an administrative overlay; it is the mechanism through which operational integrity is sustained. Accountability cannot be outsourced, automated, or diffused. Regulatory enforcement exists not as a deterrent of last resort, but as a safeguard of public trust. Strong governance, in the context of Malaysia’s QR payment ecosystem, is not optional. It is foundational.
CHAPTER THIRTEEN - TRUST IN A BORDERLESS PAYMENT LANDSCAPE
The trajectory of Malaysia’s QR payment ecosystem no longer stops at the nation’s borders. What began as a modest, utilitarian solution for everyday domestic transactions has steadily evolved into a system with regional ambitions, carried forward by the restless circulation of people, commerce, and capital across Southeast Asia. Markets today are not confined by geography alone. A traveller moves from Kuala Lumpur to Bangkok or Jakarta with the same expectations of ease, immediacy, and familiarity that define life at home, and payment systems are increasingly expected to keep pace with that mobility.
As regional travel regained momentum and trade routes, formal and informal alike, resumed their quiet choreography across borders, the constraints of nationally bounded payment infrastructures came sharply into view. Movement had returned. People crossed frontiers for business, leisure, study and family. Small traders revived cross-border exchanges that had long predated digital finance. Supply chains reactivated with renewed urgency. Yet payments, the lifeblood of all such activity, often remained confined within domestic architectures.
Cash, once the universal fallback, began to feel increasingly impractical. It required exchange counters, exposed travellers to fluctuating rates and imposed the persistent inconvenience of physical handling. Cards, though widely recognised, were not universally accepted, particularly in smaller establishments or informal markets. Fees and foreign transaction charges introduced additional uncertainty. Meanwhile, local digital payment applications, tailored to domestic ecosystems, presented their own barriers. A visitor confronted with an unfamiliar interface, language or onboarding requirement experienced friction at precisely the moment when simplicity was expected.
The friction was not technological incapacity. Digital payment systems had already demonstrated speed, scalability and reliability within national borders. The challenge lay in interoperability beyond those borders. Each jurisdiction had cultivated its own standards, authentication protocols and settlement frameworks. These were rational within domestic contexts, yet collectively they formed a patchwork that required adaptation at every crossing.
For users, habits are powerful. A payment method that feels intuitive at home becomes part of routine life. When that habit must be suspended abroad, uncertainty replaces confidence. Relearning procedures, navigating new verification steps or questioning the safety of unfamiliar platforms erodes the seamlessness that digital payments promise. Trust, once established domestically, cannot be assumed to transfer automatically across jurisdictions.
The central question therefore evolved. It was no longer whether digital payments possessed the technical capacity to operate internationally. The infrastructure existed. The issue was whether cross-border functionality could preserve behavioural continuity. Could a traveller use the same application, the same scanning gesture, the same authentication method, without recalibrating expectations at every frontier? Could small merchants in neighbouring countries accept payments without installing parallel systems or renegotiating cost structures? Could trust travel as fluidly as people and goods?
Addressing these questions required more than bilateral agreements or incremental linkages. It required reimagining payment rails as connective corridors rather than enclosed circuits. It required alignment of standards, harmonisation of compliance frameworks and reciprocal recognition of safeguards. Only then could digital payments transcend their domestic origins and accompany regional integration in a manner that felt natural rather than negotiated.
In an era where mobility defines commerce, the payment experience must mirror that mobility. The aspiration is not merely cross-border operability. It is continuity without compromise. A system in which users need not surrender familiarity or question reliability when they step beyond national boundaries. A system where digital trust is portable, and where the act of payment remains as instinctive abroad as it is at home.
In this environment, QR payments offered a compelling answer. Already woven into the routines of daily life in Malaysia, from roadside stalls to urban retail chains, QR codes had become symbols of effortless exchange. Their simplicity concealed a sophisticated network of rules, settlement processes, and safeguards that had proven resilient at scale. Extending this familiarity beyond national boundaries was therefore less an act of reinvention and more an exercise in translation, adapting an existing domestic success to the rhythms of regional movement.
This expansion was not driven solely by technology, but by lived behaviour. Travellers wanted continuity rather than novelty. Merchants wanted access to regional customers without the burden of managing multiple payment systems. Regulators sought integration without erosion of oversight. In responding to these converging needs, Malaysia’s QR ecosystem began to stretch outward, transforming from a local convenience into a regional connector, capable of moving as fluidly as the people and commerce it was designed to serve.
Cross-border interoperability initiatives emerged from this recognition, shaped as much by practical necessity as by strategic foresight. At the most immediate level, they respond to a simple expectation shared by modern travellers and merchants alike: that paying across borders should feel no more complicated than paying at home. The objective is to allow a user to stand in a foreign marketplace, scan a QR code, and complete a transaction through a familiar domestic application, without pausing to question compatibility, settlement, or acceptance. For merchants, the promise is equally direct. A single QR display can serve customers from multiple jurisdictions, reducing dependence on cash or fragmented payment arrangements.
The ambition of these initiatives runs deeper than transactional convenience. Beneath the surface lies a deliberate effort to smooth the rough edges of regional payments, addressing inefficiencies that have long accompanied cross- border commerce. Rather than compelling users and businesses to adopt new platforms, register for foreign wallets, or navigate unfamiliar financial ecosystems, interoperability seeks to preserve existing habits while quietly extending their reach. It is an approach rooted in continuity rather than disruption, one that respects the investments already made in domestic payment systems.
The QR code assumes a role far greater than its modest appearance suggests. Simple in form, easily recognisable, and universally scannable, it becomes the common language through which disparate national infrastructures communicate. Each scan triggers a coordinated sequence of authorisation, conversion, and settlement that spans jurisdictions while remaining invisible to the user. In doing so, the QR code functions as a bridge, linking sovereign payment systems without erasing their boundaries, and enabling regional connectivity without demanding uniformity.
Within ASEAN, these cross-border QR linkages align with long-standing aspirations of financial integration. Malaysia’s arrangements with neighbouring countries reflect a collective effort to ensure that national payment systems do not operate as isolated silos. Instead, they are designed to interconnect, allowing users to scan and pay abroad while remaining anchored to their home financial ecosystem. For the consumer, the experience is intentionally uneventful, almost invisible. For regulators and system operators, it is the result of sustained coordination and mutual trust.
That coordination is not without its challenges, and the promise of seamless cross-border payments is accompanied by a dense undergrowth of regulatory considerations. Unlike domestic payment systems, which operate within a single legal and supervisory framework, cross-border arrangements must navigate multiple regimes simultaneously, each shaped by its own risk assessments, policy priorities, and institutional histories. What appears to the user as a single, effortless transaction is, in reality, a carefully balanced interaction between regulators who do not always speak the same regulatory language.
Approaches to anti-money laundering and counter-terrorism financing differ across jurisdictions, reflecting variations in threat perceptions and enforcement practices. Aligning these regimes is essential to ensure that interoperability does not become a conduit for regulatory arbitrage or weaken existing safeguards. Standards must be sufficiently harmonised to allow transactions to flow, yet robust enough to preserve the integrity of each participating system. This balancing act requires constant calibration rather than static rule-making.
Data protection adds another layer of complexity. Cross-border QR payments raise fundamental questions about where transaction data travels, how long it is retained, and which authority ultimately bears responsibility for its security. Divergent national laws governing privacy and data sovereignty mean that even routine transactions can trigger intricate compliance obligations. Ensuring that data flows support interoperability without compromising confidentiality or regulatory mandates demands careful design and sustained oversight.
Consumer protection further complicates the picture. Expectations regarding transparency, error resolution, and redress vary from one jurisdiction to another. When a transaction crosses borders, determining which rules apply, and which authority is responsible for resolving disputes, becomes less straightforward. Clear frameworks are therefore necessary to protect users while providing certainty to service providers and merchants.
Managing these differences cannot be achieved through one-time agreements or static memoranda of understanding. It requires continuous engagement, information sharing, and trust among participating regulators. As payment ecosystems evolve and risks shift, so too must the cooperative mechanisms that support cross-border interoperability, ensuring that convenience is matched by accountability at every stage.
Within this landscape, PayNet occupies a central role as the operator of DuitNow QR. Its responsibilities extend beyond maintaining a domestic payment network. In cross-border arrangements, PayNet is involved in the technical integration that allows systems to communicate, the harmonisation of rules that govern participation and conduct, and the coordination of settlement processes across jurisdictions. Each of these functions carries governance implications, particularly where risks originating in one market can have effects in another. Effective oversight becomes essential to ensure that interoperability enhances access without compromising resilience.
For acquirers and merchants, the evolution toward cross-border QR payments opens a corridor of commercial possibility, but it also ushers in a more layered regulatory landscape. What was once a domestically contained transaction now acquires international dimensions. A single scan may involve currency conversion, cross-jurisdictional clearing arrangements and regulatory touchpoints in more than one country. The opportunity is tangible. So too is the responsibility.
For merchants, particularly those operating in travel-intensive environments such as airports, hospitality clusters, retail districts and tourist hubs, access to foreign users can meaningfully expand customer reach. The ability to accept payment from a visitor using a familiar QR application eliminates hesitation at the point of sale. Transactions that might otherwise be deferred or abandoned proceed seamlessly. Increased acceptance translates into higher transaction volumes and potentially stronger revenue flows. The merchant’s storefront, physical or digital, becomes accessible to a broader regional audience.
Acquirers stand at the centre of this expansion. They enable connectivity between local merchants and foreign payment ecosystems. Their technical integrations allow cross-border QR codes to be recognised, authenticated and settled across jurisdictions. In doing so, they transform what might appear to be a simple consumer gesture into a coordinated international transaction.
Yet with this opportunity comes heightened complexity. Foreign exchange considerations enter transactions that were previously settled in a single domestic currency. Exchange rate transparency, conversion margins and disclosure obligations must be clearly managed. Merchants must understand how pricing is displayed and how settlement amounts are calculated. Even small discrepancies can affect margins or create misunderstandings if not explained transparently.
Regulatory expectations, too, become layered. Anti-money laundering controls, consumer protection standards and data governance requirements may differ between jurisdictions. Reporting thresholds and transaction monitoring frameworks may require calibration. What is permissible in one regulatory environment may require additional safeguards in another. The cross-border dimension therefore multiplies compliance touchpoints.
Acquirers assume a critical stewardship role in this environment. They are not merely transaction facilitators. They act as guides and interpreters of regulatory obligation. They must ensure that merchants are informed of foreign exchange mechanics, settlement timelines and disclosure standards. They must embed appropriate controls within their systems to manage cross-border risk exposures. Where regulatory expectations intersect, acquirers must reconcile them through coherent operational processes.
The objective is to ensure that participation in cross-border QR arrangements enhances commercial reach without exposing merchants to unintended risk. Operational resilience, pricing transparency and regulatory alignment must be woven into the integration process. Merchants should experience expansion, not confusion. Compliance should operate in the background, structured and systematic rather than reactive.
Cross-border QR payments therefore represent more than an incremental feature. They signify a transition from domestic digital ecosystems to interconnected regional networks. Acquirers and merchants who navigate this transition effectively can harness its commercial benefits while maintaining disciplined governance. Opportunity and obligation travel together. The strength of the ecosystem depends on recognising both.
These developments underscore a central theme. Cross-border QR payments significantly enhance convenience and support regional connectivity, but they do so only when supported by robust regulatory coordination and careful governance. Interoperability, while desirable, cannot come at the expense of safety, reliability, or trust. The success of Malaysia’s cross-border QR initiatives ultimately depends on maintaining this balance as the ecosystem continues to expand beyond national lines.
CHAPTER FOURTEEN - STRENGTHENING THE FOUNDATIONS OF QR PAYMENTS
The future of QR payments in Malaysia unfolds against the backdrop of a nation that has made a deliberate and sustained commitment to digital inclusion. What was once framed as an efficiency-enhancing alternative to cash has, over the years, matured into a central pillar of everyday economic exchange. QR payments today are no longer confined to specific demographics or urban enclaves. They are used across income groups, geographies, and business sizes, from metropolitan retail chains to small traders operating at the margins of formality. This breadth of adoption is not accidental. It is the outcome of consistent policy signalling, institutional coordination, and a conscious effort to embed digital payments into the rhythms of daily life rather than positioning them as niche innovations.
As Malaysia continues its transition toward a digitally inclusive economy, QR payments are expected to grow not merely in volume, but in significance. Their role is evolving from that of a convenient payment option to a default mode of transaction in many contexts. Consumer familiarity has reached a stage where scanning a code feels instinctive rather than experimental. Merchants increasingly view QR acceptance as a basic requirement rather than a competitive differentiator. This normalisation creates a reinforcing cycle. As usage becomes habitual, resistance diminishes, network effects strengthen, and digital payments further entrench themselves within the economic mainstream.
Policy support remains a critical driver of this momentum. Regulatory frameworks have consistently signalled endorsement of interoperable, low-cost payment instruments that broaden access without imposing undue barriers. Technological innovation has complemented this policy direction, enabling faster processing, better user interfaces, and integration with broader financial services such as budgeting tools, loyalty programmes, and micro-credit offerings. Together, these elements suggest that QR payments will continue to expand, both in reach and in functional sophistication, as Malaysia deepens its digital transformation.
Growth of this nature is rarely linear or without consequence. As QR payments scale, they introduce a different set of risks, some of which are not immediately visible during early adoption phases. One such concern lies in the increasing concentration of payment flows within a limited number of infrastructures. Interoperability may create the appearance of diversity, but behind the user interface, transaction volumes can become heavily reliant on a small number of systems, operators, or clearing arrangements. This concentration amplifies systemic importance. Any disruption, whether technical or operational, can have cascading effects across the broader economy.
Alongside concentration risk, the sophistication of fraud techniques continues to evolve. Digital payment systems, by their very success, become attractive targets. Fraud no longer relies solely on rudimentary social engineering or isolated exploits. It increasingly leverages data analytics, automation, and coordinated attacks that operate at scale. QR payments, which prioritise speed and convenience, must therefore constantly recalibrate their defences to ensure that security measures do not lag behind emerging threats. The challenge lies in doing so without eroding the user experience that has driven adoption in the first place.
Operational dependency on digital platforms introduces further complexity. As businesses and consumers grow accustomed to always-on payment systems, tolerance for downtime diminishes sharply. Even brief disruptions can undermine confidence, particularly when QR payments are used for essential, everyday transactions. This dependency elevates the importance of resilience, redundancy, and crisis preparedness. It also raises questions about how risks are distributed across the ecosystem, and whether smaller participants fully appreciate their exposure to failures that may originate far upstream.
These evolving risks place a premium on regulatory vigilance. Policymaking in this context cannot rely solely on frameworks designed for earlier stages of digitalisation. It must remain adaptive, capable of responding to new patterns of behaviour and new forms of vulnerability as they emerge. This does not imply a reactive posture alone, but a forward-looking one that anticipates second-order effects of scale, interoperability, and innovation. The challenge is compounded by the pace at which technology evolves, often outstripping the speed of formal regulatory processes.
Within this environment, regulators face an enduring tension between encouraging innovation and preserving systemic stability. Innovation is indispensable. It enhances efficiency, lowers costs, and expands access, particularly for populations historically underserved by traditional banking channels. QR payments themselves are a product of such innovation, having transformed smartphones into functional payment instruments with minimal infrastructure requirements. However, innovation pursued without sufficient restraint can introduce fragilities that remain latent until they are stress-tested by crises, whether technological, economic, or geopolitical.
The regulatory philosophy adopted by Bank Negara Malaysia reflects an awareness of this delicate balance. Rather than embracing laissez-faire liberalisation, which places faith in market forces alone, the approach has been one of cautious enablement. Innovation is permitted and, in many cases, actively supported, but within a framework that emphasises prudence, accountability, and systemic coherence. Guardrails are not viewed as impediments to progress, but as stabilising structures that allow innovation to mature sustainably.
This philosophy acknowledges that payment systems occupy a unique position within the economy. They are not merely commercial products, but critical infrastructure. Their failure has implications that extend far beyond individual users or firms. As such, experimentation must be tempered by an appreciation of interconnectedness and scale. Regulatory oversight, in this sense, functions as a counterweight to the natural exuberance of technological advancement, ensuring that efficiency gains do not come at the expense of resilience.
However, the long-term sustainability of QR payments cannot rest on regulation alone. Industry discipline plays an equally important role. Acquirers, payment service providers, and merchants are not passive recipients of regulatory directives. They are active participants in shaping the ecosystem’s integrity. When compliance is treated as a minimal obligation, addressed only to satisfy supervisory requirements, vulnerabilities tend to accumulate quietly. By contrast, when compliance is internalised as a core business imperative, it becomes a source of strength rather than friction.
For acquirers, this means investing in robust onboarding processes, transaction monitoring, and merchant education. It involves recognising that the quality of the ecosystem is only as strong as its weakest link. Merchants, particularly smaller ones, must also appreciate that participation in digital payments carries responsibilities alongside benefits. Safeguarding credentials, understanding dispute processes, and adhering to prescribed standards are not abstract regulatory concerns, but practical measures that protect their own businesses and customers.
Industry discipline also extends to how innovation is pursued. The temptation to prioritise speed-to-market can be strong, particularly in competitive environments. Yet the long-term costs of inadequately tested systems, poorly designed user flows, or weak security architectures often outweigh short-term gains. Sustainable growth requires patience, investment, and a willingness to align commercial incentives with systemic well-being.
Looking ahead, QR payments are likely to remain central to Malaysia’s payment ecosystem, not simply because they are convenient, but because they align with broader economic and social objectives. They support financial inclusion by lowering entry barriers. They enhance transparency by creating digital transaction trails. They enable efficiency by reducing reliance on physical cash handling. These attributes ensure their continued relevance even as new payment technologies emerge.
At the same time, the nature of risk will continue to evolve alongside innovation. New use cases will introduce new exposure points. Greater integration with other financial services will deepen interdependencies. Cross- border linkages will add layers of complexity that transcend national regulatory boundaries. Each stage of growth will test existing assumptions and require recalibration of oversight mechanisms.
Strong governance will therefore remain indispensable. Governance, in this context, is not limited to formal rules and supervisory actions. It encompasses institutional coordination, industry standards, crisis management frameworks, and a shared understanding of systemic responsibility. It requires clarity of roles and accountability, particularly as ecosystems become more complex and interconnected.
The sustainability of Malaysia’s QR payment ecosystem will depend on the collective choices made by regulators, operators, acquirers, merchants, and users. Convenience alone is not sufficient to sustain trust. Trust is earned through reliability, transparency, and demonstrated resilience over time. As QR payments continue to shape the way economic value is exchanged, the challenge will be to ensure that growth remains anchored in these principles, allowing innovation to flourish without undermining the stability upon which the system depends.
CONCLUSION
POS QR payments have become a cornerstone of Malaysia’s cashless ecosystem. Their success rests on more than technological convenience; it depends on robust regulatory frameworks, disciplined acquirers, compliant merchants, and informed consumers.
Through clearly defined obligations, effective oversight, and collaborative governance, Malaysia has built a payment ecosystem that balances accessibility with integrity. As adoption continues to expand domestically and regionally, adherence to these principles will determine the long-term resilience of the system.
REFLECTIONS ON DISCIPLINE, TRUST, AND THE ROAD AHEAD
As I bring this work to a close, I find myself reflecting not only on the mechanics of point-of-service QR payments, but on what their rise ultimately signifies about the stage Malaysia’s financial system has reached. Payment instruments, after all, are never just technical solutions. They are expressions of institutional maturity, regulatory confidence, and collective trust. The widespread adoption of QR payments tells us that Malaysia has crossed an important threshold: digital transactions are no longer supplementary to economic life, they are integral to it.
This evolution did not occur by accident. It is the product of deliberate policy choices, sustained investment in shared infrastructure, and a consistent commitment to interoperability and inclusion. Throughout this eBook, I have sought to emphasise that progress of this kind inevitably carries responsibility. Scale amplifies impact. Speed compresses error. And ubiquity magnifies consequence. As QR payments have become embedded in everyday commerce, the margin for complacency has narrowed considerably.
One of the most persistent misconceptions I encounter is the assumption that ease of use implies simplicity of obligation. In reality, the opposite is true. The more seamless a payment experience becomes, the greater the discipline required of those who design, operate, and govern the system behind it. When a consumer completes a transaction with a single scan and minimal cognitive effort, they are implicitly placing trust in an unseen architecture of controls, safeguards, and institutional judgement. That trust must be earned continuously, not assumed.
For merchant acquirers, this reality defines their modern role. I no longer view acquirers as intermediaries operating at arm’s length from regulatory responsibility. In practice, they have become custodians of access to the payment system and arbiters of acceptable participation. This role demands more than procedural compliance. It requires informed judgement, contextual understanding of merchant activity, and the willingness to act when commercial incentives collide with risk considerations. Outsourcing arrangements, platform scale, or reliance on automated systems do not absolve accountability; they intensify the need for oversight. In effect, acquirers have become operational extensions of regulatory intent.
For merchants, the implications are equally significant. Participation in digital payment ecosystems brings undeniable commercial benefits, but it also carries expectations that are often underestimated. Compliance with lawful usage requirements, fair and transparent pricing, responsible data handling, and cooperation in dispute resolution is not ancillary to business operations, it is foundational. As QR payments become the default mode of transaction for many consumers, merchant behaviour increasingly shapes public perception of the system as a whole. Trust is no longer mediated solely through banks or regulators; it is experienced directly at the point of sale.
From a broader systemic perspective, I have come to appreciate the careful calibration evident in Bank Negara Malaysia’s regulatory approach. The framework neither romanticises innovation nor fears it. Instead, it recognises payment systems as a form of national infrastructure – commercial in operation, but public in consequence. The emphasis on risk-based supervision, governance accountability, and outcome-oriented regulation reflects an understanding that rules alone do not produce stability. Stability emerges when institutions internalise responsibility and when enforcement is credible, proportionate, and consistent.
As we look forward, it is clear that the QR payments landscape will continue to evolve. Transaction volumes will increase. Use cases will expand. Cross-border interoperability will deepen regional integration while introducing new layers of legal, operational, and supervisory complexity. Fraud risks will adapt to system design. Data governance challenges will intensify as information flows become more interconnected. Operational resilience will be tested not by isolated failures, but by systemic dependencies on digital infrastructure that must function continuously and reliably.
In such an environment, resilience will not be determined by novelty or speed to market. It will be determined by consistency. Consistency in how merchants are onboarded and reviewed. Consistency in transaction monitoring and risk escalation. Consistency in enforcing contractual and regulatory obligations. And consistency in holding regulated entities accountable when standards are not met. History has shown that payment systems rarely fail because of a single innovation; they fail when discipline erodes gradually and unnoticed.
This eBook does not attempt to offer forecasts, endorsements, or reform agendas beyond what existing regulatory frameworks already signal. Its ambition has been more restrained, but also more foundational. I have sought to document, in one coherent narrative, the factual obligations, institutional roles, and governance structures that currently underpin point-of-service QR payments in Malaysia. In doing so, I hope to contribute to a clearer understanding of how policy intent is translated into operational reality.
If there is one lesson that emerges most clearly from this analysis, it is that trust in payment systems is cumulative and fragile. It is built incrementally through countless routine transactions that function exactly as expected. When systems work well, trust becomes invisible. When they fail, its absence is immediately felt. Preserving that trust requires continuous attention to fundamentals, even as technology recedes into the background and convenience becomes habitual.
As Malaysia continues its transition toward a digitally embedded economy, the discipline with which these fundamentals are upheld will shape far more than the success of QR payments. It will influence the credibility of our financial institutions, the confidence of consumers and merchants, and the integrity of the broader financial ecosystem that supports economic growth. In the end, the true measure of progress will not be how quickly we adopt new payment technologies, but how responsibly we sustain them.
REZAN PATEL
DIRECTOR OF RESEARCH AND MARKETING
Let’s discuss about how we can help make your business better