Key Takeaways
- Application window is open now: DITO licence applications are accepted by BNM from 2 January 2025 to 31 December 2026 — the deadline is firm.
- No licence cap: Unlike digital banking (limited to 5 licences), BNM will grant a DITO licence to every applicant that meets the framework's requirements.
- Foundational phase: Approved DITOs enter a 3–7 year foundational phase with proportionate (lower) capital requirements before graduating to full regulatory obligations including a minimum RM 100 million paid-up capital.
- End-to-end digital operations required: DITOs must conduct all critical functions — onboarding, underwriting, distribution, claims, payments — wholly or almost wholly through digital or electronic means.
- Three core value propositions: Every application must credibly address inclusion, competition, and efficiency — backed by data and market research.
- Foreign companies are welcome but must satisfy BNM's fit-and-proper test for shareholders and demonstrate genuine value-add to Malaysia's market.
Why BNM Created the DITO Framework: The Protection Gap Opportunity
To understand the DITO licence, you must first understand the problem it is designed to solve. Malaysia's life insurance penetration rate stood at roughly 3.7% of GDP as of 2022, placing it well behind peer markets like Singapore. Meanwhile, BNM's own Financial Sector Blueprint 2022–2026 — the central bank's strategic roadmap — explicitly identifies "closing protection gaps" and "advancing the digitalisation of the financial sector" as twin priorities.
Traditional insurers have struggled to serve the self-employed, gig workers, micro-businesses and rural communities cost-effectively. Their brick-and-mortar distribution models create high unit costs for small-ticket policies. The DITO framework is BNM's structural response: purpose-built digital licences for companies that can design, price, distribute and service insurance entirely through technology — reaching customers that conventional insurers cannot serve profitably.
For foreign companies, this framing matters enormously. BNM is not handing out a generic financial licence; it is seeking operators with a compelling, data-backed story about how their technology and business model will genuinely improve protection outcomes for Malaysian consumers. Applications that read as generic licence-gathering exercises will not succeed. Applicants that can point to proven platforms in comparable markets — including mainland China's vast mobile insurance ecosystem, Taiwan's insurtech experience, or Hong Kong's parametric insurance innovation — have a genuinely differentiated case to make.
The DITO Framework at a Glance: What Kind of Business Does This Cover?
A Digital Insurer and Takaful Operator is defined by BNM as an entity that conducts insurance or takaful business wholly or almost wholly through digital or electronic means. This is a structural requirement, not a marketing aspiration. Every critical function must be digital-native:
- Customer onboarding — including e-KYC (electronic Know Your Customer) verification
- Underwriting — risk assessment conducted through data and algorithms, not manual underwriting teams
- Product distribution — via apps, APIs, embedded finance partnerships, or digital platforms
- Policy servicing — renewals, endorsements, and queries handled digitally
- Claims processing and payments — end-to-end digital, without mandatory physical touchpoints
There are two broad licence categories under the DITO framework, mirroring the conventional insurance structure:
- Digital General Insurance / Digital General Takaful: covering motor, property, travel, SME business interruption, event insurance, parametric products, etc.
- Digital Life Insurance / Digital Family Takaful: covering life protection, critical illness, micro-life, investment-linked products, etc.
Crucially, if an applicant wishes to carry on both general and life/family business, they must apply for separate licences through separate corporate entities. A single DITO licence cannot cover both classes. This is a planning consideration that foreign groups must factor in at the structuring stage.
Takaful is the Shariah-compliant equivalent of insurance and is regulated under the Islamic Financial Services Act 2013 (IFSA). Conventional digital insurance is regulated under the Financial Services Act 2013 (FSA). Given Malaysia's Muslim-majority population, offering takaful can meaningfully expand your addressable market. However, a takaful licence carries additional Shariah governance obligations, including the appointment of a Shariah Committee. Foreign applicants from non-Muslim-majority markets should assess early whether a conventional, takaful, or dual approach best fits their operational capabilities.
Eligibility and Entry Requirements: What BNM Is Looking For
The DITO Policy Document sets out a multi-dimensional assessment framework. BNM evaluates applications across several dimensions simultaneously — there is no single pass/fail metric. Understanding what BNM is actually weighing is essential for a credible application.
The Three Core Value Propositions
Every DITO applicant must articulate how their business addresses all three of the following value propositions:
- Inclusion: Serving segments that are currently unserved or underserved by existing insurers — including low-income individuals, gig workers, SMEs, and rural communities. The identification of specific protection gaps must be supported by credible data and relevant market research, not assertions.
- Competition: Introducing innovative insurance/takaful products that diversify the Malaysian market and create genuine competitive pressure on incumbents — such as usage-based insurance, embedded micro-insurance, parametric triggers, or AI-driven personalisation.
- Efficiency: Delivering a more convenient and seamless consumer experience, with lower operational costs that can be passed on as more affordable premiums or faster claims settlements.
Fit-and-Proper Requirements for Shareholders and Directors
BNM applies rigorous fit-and-proper assessments to all shareholders, directors, the Chief Executive Officer, the appointed actuary, and — for takaful operators — Shariah Committee members. For foreign-headquartered groups, this means BNM will assess the group's global track record, financial soundness, regulatory history, and governance standards in its home jurisdiction. Any adverse regulatory history in another market must be disclosed proactively.
No Malaysian Ownership Quota — But Local Insight Is Critical
The DITO framework does not impose a mandatory local-shareholding percentage akin to some other regulated sectors in Malaysia. Foreign companies can, in principle, hold a majority or even 100% stake in a DITO. However, BNM expects applicants to demonstrate deep understanding of Malaysia's consumer landscape, regulatory environment, and market dynamics. In practice, many successful foreign market entrants partner with a Malaysian co-shareholder or strategic investor who provides local distribution networks, consumer insight, and regulatory familiarity.
Capital Requirements: Foundational Phase vs Full Operations
One of the DITO framework's deliberate design features is its proportionate capital structure. BNM recognises that requiring a full-scale insurer's capital from day one would price out the very innovators the framework is meant to attract.
| Phase | Duration | Capital Requirement | Key Milestone |
|---|---|---|---|
| Foundational Phase | 3–7 years from licence commencement | Lower minimum (scaled to early-stage operations; exact figure per Policy Document by licence type) | Demonstrate viability, build underwriting capacity, prove operational soundness |
| Full Operations | After BNM approves graduation from foundational phase | Minimum RM 100 million paid-up capital (must be achieved and maintained) | Meet all six graduation criteria set by BNM |
At the end of the foundational phase, a DITO must demonstrate to BNM that it has: (a) complied with all applicable regulatory requirements; (b) built sufficient underwriting capacity and risk retention levels; (c) established all critical systems, processes, and resources for effective risk management; (d) achieved and is maintaining a minimum paid-up capital of RM 100 million; (e) met BNM's long-term viability indicators; and (f) achieved satisfactory progress on the value propositions outlined in its original business plan. All six criteria must be met — failure on any single criterion can delay graduation or result in regulatory intervention.
Step-by-Step: How to Apply for a DITO Licence
The DITO application process is not a simple form submission. It is a comprehensive regulatory engagement process that typically takes 12–18 months from initial preparation to licence grant. Foreign companies should plan accordingly and engage professional advisers early. Here is the process in practical terms:
Step 1: Pre-Application Preparation (Months 1–6)
- Market research and gap analysis: Commission or compile credible data on the specific Malaysian consumer protection gaps your DITO will address. BNM expects this to be grounded in actual Malaysian market data, not imported assumptions from your home market.
- Business plan development: Prepare a detailed 5–10 year financial model, technology architecture overview, product roadmap, distribution strategy, and capital injection schedule.
- Corporate structuring: Determine whether you need one or two DITO entities (general vs life). Decide on the shareholding structure and identify your Malaysian registered office.
- Shareholders' application: Each significant shareholder (typically those holding 5% or more) must submit a separate shareholders' application to BNM alongside the company's formal application.
- Key personnel identification: Identify your proposed Board of Directors, CEO, appointed actuary, and (if applicable) Shariah Committee members. All must be submitted for BNM's prior approval.
Step 2: Formal Application Submission (Before 31 December 2026)
- Submit the formal DITO licence application AND the shareholders' application to BNM simultaneously. Both must be received by 31 December 2026 — this deadline is non-negotiable.
- Applications are submitted to BNM's Insurance and Takaful department. BNM may request additional information or clarification at any stage of assessment.
- BNM's assessment is comprehensive and typically involves interviews with key personnel, review of group-level financials, and technology/cybersecurity due diligence.
Step 3: Operational Readiness Review
- After a licence is granted, the DITO cannot commence operations until BNM completes an operational readiness review and issues written approval.
- This review covers: organisational structure, policies and procedures, compliance management framework, IT and accounting systems, business continuity plan, and all critical operational systems.
- Only after receiving written confirmation from BNM may the DITO begin serving customers.
Step 4: Foundational Phase Operations (3–7 Years)
- During the foundational phase, the DITO operates under proportionate regulatory oversight — with closer BNM monitoring than a full-scale insurer, but with more operational flexibility to iterate and grow.
- DITOs may apply to BNM for targeted and temporary regulatory flexibilities during this phase, particularly where there is more than one DITO licence within a financial group.
- Regular reporting, actuarial reviews, and compliance submissions are required throughout.
A DITO must establish a registered office in Malaysia. However, any additional physical office beyond the registered office requires BNM's prior approval. This is by design — BNM wants DITOs to remain genuinely digital, not to use the licence as a backdoor to establish a conventional insurer with a digital veneer. Foreign companies should not assume that leasing a commercial office floor is a straightforward step; it requires a formal approval request to BNM.
Regulatory Landscape: How DITO Fits Into Malaysia's Broader Fintech Architecture
The DITO framework does not exist in isolation. Foreign companies should understand the broader regulatory environment into which a DITO will operate:
| Regulatory Area | Applicable Framework / Act | Relevance to a DITO |
|---|---|---|
| Digital insurance licensing | DITO Policy Document (9 July 2024) under FSA 2013 / IFSA 2013 | Primary licensing framework |
| AML/CFT compliance | BNM AML/CFT Policy (revised, effective January 2025) | Mandatory — governs customer due diligence, sanctions screening, transaction monitoring |
| Technology risk | Risk Management in Technology (RMiT) Policy Document | Applies to IT governance, cybersecurity, cloud use, and third-party technology risk |
| Data protection | Personal Data Protection Act 2010 (PDPA) | Governs collection, processing, and storage of customer data |
| Foreign exchange | BNM Foreign Exchange Policy Notices (FSA/IFSA) | Governs repatriation of profits, cross-border payments, premium collection in foreign currency |
| Open Finance | BNM Open Finance Framework (Exposure Draft, November 2025) | Future-facing: may create data-sharing obligations and API connectivity requirements for DITOs |
Of particular note for foreign companies is the AML/CFT regime. BNM's revised AML/CFT policy for financial institutions — effective January 2025 — significantly raises compliance obligations. A RM 600,000 enforcement action against a major e-wallet operator for sanctions screening failures has demonstrated that BNM is actively and publicly enforcing these rules. Any DITO must build a robust, technology-driven AML/CFT compliance infrastructure before it opens its first policy — not as an afterthought.
Worked Example: A Chinese Insurtech Group Applying for a DITO Licence
To make the framework concrete, consider the following scenario. A Chinese insurtech group ("ChinaInsurTech Co.") has built a successful micro-insurance platform on WeChat in China, offering affordable parametric health and accident cover to gig economy workers. It wants to enter Malaysia as a stepping-stone to the broader ASEAN market.
Year 1 (2025–2026): Application Phase
ChinaInsurTech Co. incorporates a Malaysia Sdn Bhd subsidiary. It commissions a Malaysian market research firm to quantify the protection gap among Malaysia's estimated 1.5 million registered gig economy workers. It identifies a compelling inclusion story: fewer than 15% of Malaysian food delivery and ride-hailing workers have any form of income-replacement insurance. It builds its DITO application around a parametric accident and income-replacement product, distributable via the same super-app integrations it uses in China — adapted for Malaysian platforms like Grab and Touch 'n Go. It partners with a Malaysian venture capital firm as a 30% co-shareholder, providing local regulatory navigation and consumer trust. The formal application is submitted to BNM by October 2026, comfortably ahead of the 31 December 2026 deadline.
Year 2–3 (2027–2028): Licence Grant and Operational Readiness
BNM grants the DITO licence after its assessment. ChinaInsurTech Co.'s Malaysia entity undergoes BNM's operational readiness review — passing its IT systems audit, compliance framework review, and key personnel approvals. It receives written authorisation to commence operations and launches its platform in Malaysia.
Years 3–7 (2028–2032): Foundational Phase
Operating under the lower foundational-phase capital requirement, the company grows its policyholder base, iterates on product design, and builds its actuarial track record in Malaysia. By Year 5, it has grown premiums substantially and begins planning its capital injection roadmap toward the RM 100 million threshold required for graduation to full operating status — and potential ASEAN expansion from its Malaysian regulatory base.
Common Pitfalls That Sink DITO Applications
Based on BNM's publicly stated expectations and the lessons from the digital banking licensing round, foreign companies should be alert to the following common failure modes:
- Generic value propositions: Applications that describe inclusion, competition and efficiency in abstract terms — without specific Malaysian data, identified protection gaps, and a credible plan to close them — will not satisfy BNM's assessment criteria. The bar is materially higher than a standard business plan.
- Underestimating the operational readiness review: Some applicants treat the post-licence operational readiness phase as a formality. It is not. BNM will conduct a detailed audit of your IT systems, cybersecurity controls, compliance framework, and business continuity plan before allowing you to accept your first customer.
- Ignoring the separate-licence rule for life vs general: A foreign group that wants to offer both general and life digital insurance products in Malaysia must apply for two separate licences through two separate corporate entities. Discovering this at the structuring stage — rather than the filing stage — saves significant time and cost.
- Underinvesting in AML/CFT infrastructure: BNM's active enforcement posture on AML/CFT means that an e-KYC system and a basic sanctions list are not sufficient. Your DITO's compliance programme must include real-time transaction monitoring, documented risk appetite, board-level AML oversight, and a qualified compliance officer — all in place before launch.
- Missing the 31 December 2026 deadline: The application window closes on 31 December 2026. There is currently no indication BNM will extend it. A company that has completed 90% of its preparation but misses the deadline will need to wait for any future licensing round — which may not materialise on a comparable timeline.
- Neglecting the takaful governance requirements: Foreign groups that apply for a takaful licence must be prepared to appoint and operate a Shariah Committee. This is not a box-ticking exercise — BNM expects the Shariah Committee to play a genuine governance role. Appointing a token committee that meets annually will not pass BNM's scrutiny.
What to Do Next: ONEKEY BIZ Can Help You Navigate the DITO Application
The DITO application process demands simultaneous expertise in Malaysian corporate law, BNM regulatory procedure, insurance actuarial requirements, AML/CFT compliance, and technology governance. Most foreign insurtech companies — however sophisticated in their home markets — lack all of these competencies locally in Malaysia. The risk of a failed or delayed application is not just a missed business opportunity; it is a missed window that may not reopen for years.
ONEKEY BIZ works with foreign companies at every stage of Malaysian market entry. Our team can help you:
- Assess whether your existing business model and technology platform are a good fit for the DITO framework
- Structure your Malaysian corporate entity and shareholding arrangement to satisfy BNM's requirements
- Commission or coordinate the Malaysian market research needed to build a compelling value proposition narrative
- Prepare and review the formal application and shareholders' application packages
- Coordinate with legal and actuarial advisers for the operational readiness phase
- Advise on AML/CFT compliance infrastructure, technology governance, and ongoing regulatory reporting
With the application deadline on 31 December 2026, preparation must begin now. A robust DITO application typically requires 9–12 months of preparation time — meaning the practical window for new applicants is narrowing. Contact ONEKEY BIZ today to discuss your Malaysia market entry strategy, or visit our services page to learn more about our full suite of Malaysia incorporation, compliance, and licensing support.
]]>Frequently asked questions
Is there a cap on the number of DITO licences BNM will issue?
No. Unlike the digital banking round — which was capped at five licences — BNM has explicitly removed any numerical limit for DITOs. Licences will be granted to every applicant that satisfactorily meets the framework's requirements, making this one of the most open fintech licensing rounds Malaysia has ever run.
Can a 100% foreign-owned company apply for a DITO licence in Malaysia?
Yes, in principle. The DITO framework does not impose a Malaysian-ownership requirement equivalent to some other regulated sectors. However, foreign shareholders must still satisfy BNM's fit-and-proper assessment, provide detailed group-level financial information, and demonstrate how their participation adds value to the Malaysian market. In practice, having a local co-shareholder who understands the regulatory environment is strongly advisable.
What is the minimum paid-up capital required for a DITO during its foundational phase?
BNM grants DITOs a lower minimum paid-up capital during the foundational phase, scaled to the early-stage nature of the business. By the end of the foundational phase (which lasts between 3 and 7 years), the DITO must have achieved and be maintaining a minimum paid-up capital of RM 100 million. The exact foundational-phase minimum is stipulated in the Policy Document and varies by licence type.
What happens if a DITO fails to meet BNM's requirements at the end of its foundational phase?
BNM may refuse to graduate the DITO to full operational status and may impose additional conditions, restrict business activities, or — in the most serious cases — revoke the licence. This makes robust business planning and early engagement with BNM's supervisory team absolutely critical.
Sources & references
This article is general information only, not legal, tax or immigration advice. Policies, thresholds and official fees are set by the relevant Malaysian authorities and may change. Talk to our consultants about your specific situation.