Trust, evidence, control.
A regulated-lending vendor is judged on what regulators, auditors, and counsel can verify without our help. This page is what they read first.
Custody posture
Bolehlah is not an e-money issuer. We do not hold customer funds.
Disbursement and collection move through the lender's own licensed banking rail at all times — typically CIMB OctoSync, Bank Rakyat batch upload, or an equivalent. Funds never settle into a Bolehlah-owned account on the way to the borrower. Where a lender opts for the pass-through backup rail, the transit is minutes through the lender's nominated custodian under their written standing authority — not Bolehlah's balance sheet.
Audit trail
Every action is written to an evidence trail a regulator can read without our help.
Consent capture, AKAD signature, disbursement instruction, eKYC outcome, and any manual override are logged with timestamp, actor, prior state, and resulting state. Records are append-only and tamper-evident. PDPA 2010 retention and subject-access obligations are written into the schema, not bolted on. The expectation: a regulator, internal auditor, or external counsel can reconstruct any decision without contacting us.
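The record shape and tamper-evidence property described above, as an added example that is not Bolehlah's code: a minimal SHA-256 hash chain (the page calls the trail hash-chained) over the listed fields, with a verifier that reports the first altered record. Field names, the genesis value, the `expected_head` parameter and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record's prev_hash

def record_digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()

def append_event(trail, timestamp, actor, action, prior_state, resulting_state):
    """Append a record whose hash covers its fields and the previous record's hash."""
    body = {
        "seq": len(trail), "timestamp": timestamp, "actor": actor, "action": action,
        "prior_state": prior_state, "resulting_state": resulting_state,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append(dict(body, hash=record_digest(body)))
    return trail[-1]

def verify_trail(trail, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    # expected_head: last hash held by an independent party. Without it a
    # truncated tail still verifies, because the remaining links are consistent.
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        if record_digest(body) != record.get("hash"):
            return False, i
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None

def build_sample_trail():
    # Constructed sample events; actors, times and states are illustrative only.
    trail = []
    append_event(trail, "2025-01-06T09:00:00+08:00", "member:1001", "consent_capture", "none", "granted")
    append_event(trail, "2025-01-06T09:05:00+08:00", "system:ekyc", "ekyc_outcome", "pending", "verified")
    append_event(trail, "2025-01-06T09:20:00+08:00", "operator:77", "manual_override", "declined", "approved")
    return trail

if __name__ == "__main__":
    t = build_sample_trail()
    head = t[-1]["hash"]
    t[2]["resulting_state"] = "declined"  # in-place edit of a stored record
    print(verify_trail(t, head))
```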
Consent architecture
Per-loan consent plus a member-owned catalogue of standing permissions.
Section 8 of the Malaysian koperasi loan form captures per-loan consent at AKAD signing — a binding, snapshot-encrypted record of exactly what the member agreed to, for that loan. A separate standing catalogue at /member/profile/consents lets the borrower see and revoke ongoing permissions (ANGKASA monthly monitoring, research retention, channel preferences). Any non-AKAD pull from a credit bureau or salary-deduction registry requires explicit, logged consent.
Identity & access
Two-tier authentication, uniform across every lender.
Tier-1 is .com SSO — Google, Facebook, Apple, MyDigitalID — bound to a verified NRIC. Tier-2 is dashboard step-up — password plus TOTP — required for any Member granted /client/* or /admin/* access, with no per-lender opt-out. NRIC is stored encrypted at rest. Member and User remain separate data models, linked only by foreign key, so a borrower's identity is never co-mingled with operator credentials.
Regulatory posture
Compliance is written into the platform's spine, not bolted on after the fact.
The platform was designed against Akta Pemberi Pinjam Wang 1951, BNM AMLA, PDPA 2010, Akta Koperasi 1993, and Shariah AKAD requirements — not adapted to them later. Bolehlah is operated by Lunar Flame Sdn Bhd, a Malaysian-incorporated company. The product is currently in founder-led pilot stage; we do not list reference customers we have not earned. Due-diligence packs are available on request.
Shariah trading rails
Every Shariah-flagged loan rides the same DMCC TradeFlow Tawarruq rails used by 14 Malaysian Islamic banks.
When a loan is structured as Tawarruq, Bolehlah submits a commodity-trade order to Shoraka Al-Amin (SAA) — a Shariah-compliant commodity-trading platform operated by Shoraka Global Resources Sdn Bhd (Reg. 201501030089), endorsed by ISRA International Consulting, and used by the country's leading Islamic banks (CIMB Islamic, Maybank Islamic, RHB Islamic, Public Islamic, Affin Islamic, MBSB, Kuwait Finance House, Bank Pembangunan, Bank Kerjasama Rakyat, Agrobank, MIDF Amanah, Kenanga, Exim, Co-opBank Pertama) plus 70+ cooperatives. Every Tawarruq AKAD produces three e-certificates (Purchase · Murabahah · Sale) evidenced on DMCC TradeFlow, attached verbatim to the loan's hash-chained audit trail. Borrowers and regulators get the same paper trail an Affin or Maybank Islamic customer would receive.
Investor access
Access to Bolehlah's investor materials
Behind this gate sits a one-page briefing book and a short product walkthrough deck. Requests are reviewed manually. We respond within one business day, Kuala Lumpur time.
