Enterprise Trustee Platform

Trustee Portfolio Monitoring System

TPMS  /  Full-Stack Enterprise Web Application

A role-based portfolio monitoring and compliance platform built for SC Malaysia-licensed trustee companies. Unified oversight across conventional equity, Islamic Sukuk, and digital asset funds in a single self-hosted system.

Multi-Fund, Shariah Compliant, Digital Assets, Role-Based Access, Audit Trail, PDF / Excel Reports, MFA, Self-Hosted
TPMS Dashboard / Portfolio Overview (LIVE)

Total AUM: MYR 247.3M
YTD Return: +6.84%
Active Funds: 3
Open Breaches: 2

Fund ID | Type | NAV (MYR) | Status
MGF-01 | Equity | 142.1M | Active
SSF-02 | Sukuk | 83.6M | Active
QDET-03 | Digital | 21.6M | Watch

13 Platform Modules
6 User Role Types
3 Asset Classes
7yr Audit Retention

Platform Modules
Thirteen modules. Complete fund oversight.

Purpose-built for trustee back-office operations, covering daily data entry through regulatory reporting and audit compliance.

01
Core
Dashboard
Aggregate real-time view of all managed funds. AUM, NAV, open breach count, and YTD returns rendered per the user's role and assigned fund scope.
AUM / NAV Summary, Breach Alerts, Fund Drill-Down, Role-Filtered
02
Core
Portfolio Monitoring
Central module for fund management, holdings tracking, and transaction entry. Supports multi-fund switching with cross-tab fund filtering.
Multi-Fund Management, Holdings by Asset Class, Transaction Entry, Cross-Tab Filtering
03
Regulatory
Compliance
Rule-based breach detection against Trust Deed investment limits, concentration caps, and Shariah restrictions. Runs automatically on a daily schedule, plus manual trigger and remediation workflow.
Automated Daily Detection, Breach Detection Engine, Remediation Workflow, Breach History, Shariah Rules
04
Asset Class
Fixed Income / Sukuk
Full instrument lifecycle for conventional bonds and Islamic Sukuk. Coupon and profit rate tracking, maturity scheduling, and Shariah-compliant instrument classification.
Sukuk Ijarah / Murabahah, Coupon / Profit Tracking, Maturity Alerts, Accrued Interest
05
Asset Class
Digital Assets
Institutional management of approved digital asset holdings. Multi-wallet support, on-chain transaction tracking, and live price valuation via CoinGecko with fund-level access scoping.
Multi-Wallet Support, On-Chain Transactions, Live Auto-Pricing, Fund-Scoped Access
06
Asset Class
Cash and Deposits
Cash account and fixed deposit management across multiple banks. Tracks interest and Murabahah profit rates, maturity schedules, and deposit roll-over history.
Multi-Bank Accounts, Fixed Deposit Tracking, Murabahah Profit, Roll-Over History
07
Operations
Reconciliation
Match TPMS records against external custodian or fund manager statements. Surfaces discrepancies for review and maintains a full resolution history.
Statement Matching, Discrepancy Flagging, Resolution Workflow, Reconciliation History
08
Reporting
Reports
On-demand server-side report generation in XLSX, CSV, and branded PDF. Covers portfolio summary, holdings, transactions, compliance findings, fixed income, and cash deposits.
XLSX / CSV / PDF, Branded PDF Header, 6 Report Types, Fund Filtered
09
Regulatory
Documents
Secure document repository for Trust Deeds, board resolutions, regulatory filings, and fund documents. Enforces SC Malaysia 7-year retention requirement with fund-level access scoping.
PDF / DOCX / XLSX, 50 MB Per File, 7-Year Retention, Fund-Level Scope
10
Regulatory
Audit Trail
Immutable log of every meaningful system action. Captures user identity, action type, affected entity, and timestamp. Read-only for auditor role. Minimum 7-year SC Malaysia retention enforced.
User + Action + Entity, Tamper-Evident, 7-Year Retention, Filterable Search
11
Admin
Administration
User management, fund scope assignments, system configuration, demo environment, and database backup. All company identity fields are configurable without code changes.
6-Role User Management, Fund Assignments, MFA Enforcement, Backup / Restore
12
Auth
Authentication / MFA
TOTP multi-factor authentication via any RFC 6238 authenticator app. JWT access tokens with 15-minute expiry stored in memory, 7-day httpOnly refresh cookies, and configurable account lockout.
Google Authenticator, 15-Min Access Token, Account Lockout, Forced Password Rotation
13
Operations
Bulk Import
CSV/Excel upload for holdings, transactions, fixed income, cash accounts, and deposits in one step, with row-level validation and error reporting. Eliminates manual re-entry for high-volume funds.
5 Entity Types, Row-Level Validation, Fund-Scoped, Audit Logged

Access Control
Six roles, precisely scoped.

Role-based access enforced at both the API route level and the frontend router. Scoped users query only their assigned funds at the SQL layer, not just the UI.

Role | Fund Visibility | Portfolio | Compliance | Fixed Income | Digital Assets | Cash | Reports | Documents | Audit Trail | Admin
Super Admin (System Administrator) | All Funds | Full | Full | Full | Full | Full | Full | Full | Full | Full
Trustee Manager (Senior Oversight) | All Funds | Read | Read | Read | Read | Read | Full | Full | Read | None
Compliance Officer (Regulatory) | All Funds | Read | Full | Read | Read | Read | Full | Full | Read | None
Operations Staff (Data Entry) | Assigned Only | Full | None | Full | Full | Full | Full | Full | None | None
Auditor (Internal / External) | All Funds | Read | Read | Read | Read | Read | Read | Read | Full | None
Report Viewer (Read-Only Stakeholder) | Assigned Only | None | None | None | None | None | Full | Full | None | None

Full - Read and write access
Read - View only, no modifications
Assigned Only - Fund-scoped at SQL layer
None - Route blocked, API guarded

Security and Compliance
Built for regulated environments.

Every security control is designed against SC Malaysia requirements for licensed trustee companies. Enforcement operates at the API layer, not just the user interface.

SC Malaysia Guidelines
7-Year Audit Retention
TOTP Multi-Factor Auth
Shariah Asset Classification
Fund-Level Data Isolation
Multi-Factor Authentication
TOTP-based MFA compatible with Google Authenticator and any RFC 6238 app. QR code setup built in. Admin-enforceable platform-wide via system configuration.
JWT Session Architecture
15-minute access tokens stored in memory only, never localStorage. 7-day httpOnly refresh cookies. Silent token renewal on 401 via axios interceptor. No persistent session exposure.
Fund-Level Data Isolation
Operations staff and report viewers are scoped to assigned funds at the SQL query layer via middleware. Not just UI hiding. Unauthorized fund access returns a 403, not filtered results.
Route-Level RBAC
Every Express route carries requireRole() middleware. Every React route has a <Guard roles> wrapper. Unauthorized URL access redirects to /unauthorized, not a blank screen.
Rate Limiting
Auth endpoints limited to 20 requests per 15-minute window. API endpoints limited to 500 requests per 15-minute window. Account lockout threshold and duration configurable in system settings.
Immutable Audit Log
Every create, update, delete, login, and export action is logged with user identity, action type, affected entity, and timestamp. SC Malaysia minimum 7-year retention enforced at the data layer.
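
The Route-Level RBAC and Fund-Level Data Isolation controls above, sketched as Express-style middleware. This is an added example, not TPMS code: only the name requireRole() comes from the page, while the role keys, the req.user shape, requireFundScope, scopedHoldingsQuery, the holdings table and the simulate harness are assumptions.

```javascript
// Added example, not TPMS code: role keys, req.user shape and table/column names are assumptions.
const SCOPED_ROLES = new Set(['operations_staff', 'report_viewer']); // the "Assigned Only" rows

// Route-level RBAC: reject before any handler or query runs.
function requireRole(...allowed) {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// Fund isolation: an unassigned fund id is a 403, never an empty result set.
function requireFundScope(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'unauthenticated' }); // fail closed
  const scoped = SCOPED_ROLES.has(req.user.role);
  const assigned = req.user.fundIds || [];
  const requested = req.params.fundId;
  if (scoped && requested !== undefined && !assigned.includes(requested)) {
    return res.status(403).json({ error: 'fund not assigned' });
  }
  // null means "all funds"; an array is the only set the SQL layer may touch.
  req.fundScope = scoped ? assigned : null;
  next();
}

// Build the WHERE clause from the scope with bound parameters (PostgreSQL-style $n).
function scopedHoldingsQuery(fundScope) {
  if (fundScope === null) return { text: 'SELECT * FROM holdings', values: [] };
  if (fundScope.length === 0) return { text: 'SELECT * FROM holdings WHERE FALSE', values: [] };
  const marks = fundScope.map((_, i) => `$${i + 1}`).join(', ');
  return { text: `SELECT * FROM holdings WHERE fund_id IN (${marks})`, values: [...fundScope] };
}

// Constructed harness: runs a middleware chain against a fake request, no server needed.
function simulate(chain, req) {
  const out = { status: 200, body: null, reached: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  let i = 0;
  const next = () => (i < chain.length ? chain[i++](req, res, next) : (out.reached = true));
  next();
  return out;
}
```

Because the scope is attached to the request and consumed by the query builder, a handler that forgets to filter in the UI still cannot read rows outside the caller's assigned funds.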

Asset Coverage
Three asset classes. One system.

Conventional equity, Islamic Sukuk, and digital assets are managed through a unified interface with asset-class-specific workflows for each.

Conventional Equity
Listed and unlisted equity holdings, unit trusts, and collective investment schemes. Full transaction lifecycle management with P&L tracking across fund positions.
Instrument Types
Equities, Unit Trusts, REITs, ETFs
Islamic / Sukuk
Shariah-compliant fixed income instruments with profit rate tracking, Shariah structure classification, maturity scheduling, and accrued profit calculation.
Instrument Types
Sukuk Ijarah, Murabahah, Wakalah, GII
Digital Assets
Institutional management of approved digital assets. Multi-wallet tracking, on-chain transaction records, and price-as-of valuation. Fund-scoped wallet access enforced at API level.
Asset Types
Bitcoin, Ethereum, Digital ETFs, Tokenised Assets

Data and Integration
Manual entry, bulk import, and live pricing where it matters.

Most data is entered by the operations team or bulk-uploaded via CSV/Excel, which is standard practice for trustee back-office systems at this scale. Crypto valuations are already auto-priced via a live external feed; equity and banking integrations are phased next steps.

Live
Manual Data Entry
Operations staff enter holdings, transactions, cash balances, and instrument records directly into TPMS. Every entry is logged to the audit trail. Standard operating procedure for trustee back-office at this scale.
Live
Crypto Auto-Pricing
Digital asset valuations (Bitcoin, Ethereum, major stablecoins, tokenised gold) are auto-updated via CoinGecko's public API on a configurable interval, with a manual refresh option and full audit logging. No paid subscription required.
Near-Term
Bursa Malaysia Equity Feed
Auto-price listed equities via a licensed Bursa Malaysia Information Services (BMIS) feed or third-party data vendor. Not restricted to licensed financial institutions, but does require a commercial data licensing agreement before implementation.
Roadmap
Bank and Custodian Feeds
Corporate banking APIs via BNM open banking initiative (Maybank, CIMB, RHB) for automated cash balance sync. Custodian position and settlement feeds via SWIFT MT535/MT940 messaging - the institutional standard at this level. Requires formal agreements with each institution.