Operating from Kuala Lumpur · Built for Malaysia. Designed for ASEAN.

Bolehlah — Malay for “sure can.” Proof is in the platform.

Malaysia's cooperatives and licensed lenders run on workflows designed for a different era. Bolehlah changes that. AI-powered underwriting, real-time bureau integration, and full policy automation — purpose-built for institutions serious about growth. Starting in Malaysia. Built for ASEAN.

Start a pilot →Read the company brief →

Founding 50 lenders receive lifetime 50% off all tiers.

Pilot cohort
Lenders onboarding: < 90 s
Median decision time: ASEAN
Operating region: 3 bureaux
CCRIS · CTOS · SPeKAR

The problem

Cooperative and regulated lenders in ASEAN run on paper, WhatsApp, and spreadsheets. Their borrowers wait days for decisions that should take minutes. Their underwriters work nights to clear queues that should clear themselves.

Their regulators, when they ask a question, expect an answer that nobody in the building can produce in real time.

None of this is the operator's fault. The category was built before the tools to do it well existed. We build those tools.

On the floor

What every lender's day actually looks like.

An underwriter clears sixty applications before lunch. By 5pm her eyes burn and she is still on yesterday's queue.

A compliance officer is asked for a single decision trail from fourteen months ago. He spends two weeks reconstructing it from paper, email threads, and a spreadsheet that has changed hands four times.

A regulator updates the AKAD form. Twelve lenders push paper updates to their branches. Bolehlah pushes a deployment.

The infrastructure

Three layers. One platform. Zero manual steps.

Underwriting

A decisioning layer that combines bureau-grade credit data with behavioural signal and policy logic specific to each lender. Approval lift measured in weeks, not months.

Compliance & audit

Every action — every consent, every signed AKAD, every disbursement instruction — written to an evidence trail a regulator can read without our help. PDPA, BNM AMLA, Shariah AKAD posture by default.

Disbursement & servicing

Money moves through the lender's licensed rail (CIMB OctoSync, Bank Rakyat batch, others). Servicing — reminders, restructure, collection — runs on the borrower's preferred channel, typically WhatsApp.

Inside the system

How one application moves through the platform.

Lender portal

Underwriting decisions with confidence score, audit timestamp, and the same three-tier scorecard the regulator expects.

Borrower experience

Onboarding, approval, disbursement, and servicing — all on the channel borrowers already use.

Operations

Real-time alerts on disbursement, scorecard outcomes, and portfolio drift — directly to the team on Telegram.

Every step explainable. Every output reproducible. Every action regulator-readable.

Where to find B

Three surfaces. One audited environment.

WhatsApp and Telegram are convenient — but they touch the surface. Many procedures need to redirect you to the app. Chatting inside the Bolehlah app is a wholistic experience: secured environment, eKYC, statements, approvals — all by talking to B.

Surface · Quick

Quick check-ins

Ask balance, repayment status, or upload one document — directly in WhatsApp or Telegram. Familiar. Convenient. For everything more involved, B will hand you off.

Wholistic · Secured

Your full account in one app

Talk to B inside the Bolehlah app and the experience is end-to-end: run eKYC, view statements, approve disbursements, sign AKAD — without leaving the chat. Encrypted environment, biometric unlock.

Coming soon · App Store + Google Play

Wholistic · Browser

Full account on bolehlah.com

Everything the app does, on any browser. Sign in once with Google or your passkey. Step-up auth on sensitive actions.

The flywheel

The longer this runs, the harder it is to replicate.

Borrowers engage with Bolehlah — typically WhatsApp. Their behaviour, repayment cadence, and channel choice become signal. That signal sharpens the underwriting models running inside Bolehlah. Sharper models give lenders better approval precision. Better approval brings more lenders. More lenders mean more borrowers. More borrowers mean more behavioural data. The model improves again. The flywheel was the point.

Borrower engagement
Behavioural signal captured
Underwriting refinement
Portfolio optimization · lender
Better approval precision
More lender adoption
More borrower data
Stronger system intelligence

AI is the amplifier in this loop. The loop itself is the moat.

Why this becomes infrastructure

The defensibility is local, regulatory, and patient.

Cooperative & salary-deduction distribution

Bolehlah was designed against the realities of koperasi and Bank Rakyat-anchored lending. Salary-deduction (ANGKASA), batch disbursement, and the day-to-day of supervised credit — handled by default, not retro-fitted.

Local underwriting datasets

CCRIS, CTOS, SPeKAR — and the experience of stitching them together for lenders who can't justify a separate integration each. Lenders inherit our work instead of repeating it.

ASEAN regulatory posture

Akta Pemberi Pinjam Wang 1951, BNM AMLA, PDPA 2010, Shariah AKAD. Compliance is written into the platform's spine, not bolted on later when a regulator asks.

Behavioural signal

WhatsApp engagement, response cadence, repayment rhythm — the credit signal that paper-based competitors don't capture. Used to widen safe approval, not to widen who borrows.

Start a pilot

Hyper-automation

The platform runs itself. You supervise.

Master B and the eight virtual staff personas turn what used to be three full-time hires per lender — operations, compliance, collections — into a watched-over, audited, self-driving floor. Routine actions execute automatically within policy. Edge cases queue for a human. Every action is signed, reversible, and visible in the activity feed.

Every autonomous action is signed into the audit chain you see at the top of the operator dashboard — same hash-chain primitive that backs Shariah AKAD signatures. Hyper-automation here means hyper-accountability, not hidden behaviour.

See the full automation model on /products →

Tier 1 starts at RM 1,500/month. Tier 5 is enterprise-only.

See the full 5-tier model →

Trust & credentials

Built for the regulated environment.

MDEC: Engaged with MDEC on Malaysia's digital economy acceleration programmes.
ISO 27001: Information security management — certification in progress.
eKYC · Innov8tif EMAS: ISO/IEC 30107-3 PAD (iBeta-tested) · NIST FRVT face-match · 3 granted patents on MyKad anti-counterfeit.
Shariah Tawarruq · Shoraka Al-Amin: Same DMCC TradeFlow-evidenced wholesale rails as 14 Malaysian Islamic banks and 70+ koperasi. ISRA Consulting-endorsed AKAD structure.
PDPA 2010 · BNM TRMG: Data privacy and technology risk management posture built into the platform's core, not retrofitted.
Shariah AKAD-aware: Akta Pemberi Pinjam Wang 1951 · BNM AMLA · Akta Koperasi 1993 — compliance by default.

Security

Institution-grade security, built into the foundation — not bolted on.

Credit data is sacred. Identity, data, device, and network are each defended in depth, recorded on a tamper-evident trail, and aligned with BNM expectations and the PDPA.

Protected Mode step-up

Every privileged action takes a second factor — TOTP or Face ID. Elevated sessions step back down on their own when idle.

Encrypted at rest

Sensitive fields are sealed with AES-256-GCM, with rotatable keys — so a database alone reveals nothing.

Tamper-evident audit

A hash-chained, append-only record — replicated off-site — so what happened can be proven and can't be quietly altered.

Per-institution isolation

Each lender's data is designed to be sealed off from every other at the database layer with row-level security.

Always-on platform shield

A managed firewall, bot defence, rate-limiting, and automatic lockout absorb abuse before it ever reaches your data.

Hardened mobile

Production apps are certificate-pinned with jailbreak and tamper detection; secrets stay in the device's secure enclave, never in the bundle.

BNM-aligned controls · PDPA-conscious data handling · Shariah trading rails · security-reviewed against its threat model.

See our full security posture

Lenders on the platform

Pilot cohort onboarding.

Names announced with each lender's consent. If you are a cooperative, licensed money lender, or regulated credit institution in Malaysia or ASEAN, reach out.

Shariah-flagged loans on Bolehlah ride the same wholesale Tawarruq rails as 14 Malaysian Islamic banks and 70+ koperasi — Shoraka Al-Amin, ISRA Consulting-endorsed, DMCC TradeFlow-evidenced.

Lenders · Borrowers · Investors

Lenders

Cooperatives, licensed money lenders, and supervised credit institutions. The full origination, underwriting, and servicing workflow.

Borrowers

Members who apply, sign AKAD, and manage their loan — via WhatsApp, web, or both. eKYC-verified, PDPA-protected.

Investors

Capital intelligence for those funding the loan book — portfolio performance, loan-book exposure, distributions, and compliance posture.

Open the CI portal →

FAQ

Frequently asked questions.

What's the difference between Bolehlah and other CRM or loan-management systems?

Bolehlah doesn't replace your existing system — it plugs into it. The AI sits as a translation layer between your loan officers, your borrowers, and the data already in your loan-management platform. No migration, no rip-and-replace.

Where does my data live?

Lender data stays in the lender's own database. Bolehlah does not custody borrower personal data. An optional relay tier on our side caches operational metadata encrypted at rest with rotating keys, scoped per lender and isolated by tenant.

Do I need BNM approval to use Bolehlah?

No. Bolehlah is a SaaS tool, not a regulated lender. The lender remains the regulated entity — BNM, KPDN, SKM, and AKPK reporting obligations flow through the lender's licence as they always have. Bolehlah keeps the audit chain that makes those obligations easier to meet.

How long does it take to get up and running?

Typically two to five business days from BD sign-off to lender staff talking to their own data. Most of that window is data-source connection and policy calibration; the AI itself is configured the first day.

How does PDPA work?

Under the PDPA 2010 framework, Lunar Flame Sdn Bhd acts as the data processor; the lender is the data controller. We sign a written Data Processing Agreement and maintain a tamper-evident audit chain on every read and write. Borrowers consent through the lender's standard onboarding flow.

Do you support Shariah-compliant lending?

Yes. The loan-application journey is AKAD-aware: itemised cost disclosure, separation of profit and principal, explicit aqad e-signature step, and Shariah-board-reviewable audit trail. Conventional and Shariah books can run side by side under one tenant.

What channels does Bolehlah B work on?

WhatsApp, Telegram, the web CMS, our iOS app (shipping), and an HTTPS API for custom integrations. Channels share a single conversation history per borrower — the lender's officer always sees the full thread regardless of where the borrower started.

How is pricing set?

Five tiers — see the Products page. Founding 50 lenders get lifetime 50% off bundle pricing as a thank-you for partnering early.

Will there be a Bolehlah mobile app?

Yes — iOS and Android apps are in build. Two apps: one for lender staff, one for borrowers. Apple Developer enrollment is in flight; Play Console submission follows. Until they ship, WhatsApp/Telegram plus the web portal cover the same surface.

What's the difference between chatting on WhatsApp versus the Bolehlah app?

WhatsApp and Telegram chat with B is convenient for quick check-ins — balance, repayment dates, document uploads. Sensitive flows (eKYC, statement review, AKAD signing, approvals) need a more secured environment; the Bolehlah app and bolehlah.com both provide that. B can pivot you mid-conversation: just tap the deep-link B sends you.