Bank Negara Malaysia issues New Policy Document on Managing Customer Information - 2023

Bank Negara Malaysia (‘BNM’) issued the Policy Document on Management of Customer Information and Permitted Disclosures on 3 April 2023 (‘New Policy Document’).
 
The New Policy Document supersedes the policy document of the same name issued by BNM on 12 October 2021 (‘Superseded Policy Document’).
 
As in the case of the Superseded Policy Document, the New Policy Document applies as follows:
(a) the Policy Requirements in Part B apply to all financial service providers (‘FSP’) as defined in paragraph 5.2 of the New Policy Document, namely: 
  • a licensed bank;
  • a licensed investment bank;
  • a licensed Islamic bank;
  • a licensed international Islamic bank;
  • a licensed insurer (including a professional reinsurer);
  • a licensed takaful operator;
  • a licensed international takaful operator (including a professional retakaful operator);
  • a prescribed institution;
  • an approved insurance broker;
  • an approved takaful broker;
  • an approved financial adviser;
  • an approved Islamic financial adviser;
  • an approved money broker;
  • an approved issuer of a designated payment instrument;
  • an approved issuer of a designated Islamic payment instrument;
  • an approved operator of a payment system;
  • a registered operator of a payment system; and
  • a registered adjuster;
(b) the Specific Requirements on Permitted Disclosure in Part C apply only to financial institutions (severally ‘FI’ and collectively ‘FIs’) as defined in paragraph 5.2 of the New Policy Document, namely: 
  • a financial institution as defined under section 131 of the FSA;
  • an Islamic financial institution as defined under section 143 of the IFSA; and
  • a prescribed institution as defined under section 3(1) of the DFIA. 
The provisions in the New Policy Document are identical to those in the Superseded Policy Document except for the following amendments:
 
Definition of ‘customer information’
 
A minor amendment has been made to the definition of ‘customer’ in paragraph 5.2 of the New Policy Document by replacing the reference to ‘the FSP’ with ‘any FSP’.
 
Definition of ‘outsourcing arrangement’
 
The definition of ‘outsourcing arrangement’ in paragraph 5.2 of the New Policy Document has been amended to exclude the activities set out in Appendix 2 of BNM’s Policy Document on Outsourcing dated 23 October 2019 from the scope of outsourcing arrangements. The definition is now aligned with the corresponding definition in the Policy Document on Outsourcing.
 
Clarification of e-FSA
 
Footnote 14 to subparagraph (d)(i) of item 1 of paragraph 13.2 now includes a statement to explain that ‘The e-FSA portal allows the uploading of customer information by FIs to PDRM (the Royal Malaysian Police)’.
 
Additional duty on FIs
 
A new subparagraph (d)(iii) of item 1 of paragraph 13.2 imposes an obligation on FIs to perform adequate validation or verification to ensure that the site is not a phishing site before uploading customer information to the e-FSA portal.
 
Further, the paragraph appearing immediately after subparagraph (d)(iii) of item 1 of paragraph 13.2 has been amended to require FIs that are in doubt to contact PDRM to confirm the validity of the e-FSA portal, and to report any irregularities observed to PDRM for assessment and rectification.
 
Customer’s consent for disclosure to third parties
 
A new item 8 has been added to paragraph 13.2 (‘item 8’) to set out four conditions applicable to FIs seeking their customers’ [1] consent to disclose the customers’ information to third parties. These conditions are summarised as follows:
(a) Specific: The terms of the consent sought must be specific as to whom the disclosure is to be made, the purpose of such disclosure and the information that will be disclosed;
(b) Voluntary: The FI must not, as a condition of providing a financial product/service, compel or coerce a customer to give consent for the disclosure of his/her information to third parties beyond what is necessary for the provision of the financial product/service or the performance of the contract with the customer;
(c) Explicit and deliberate: A customer must explicitly opt in or deliberately agree to the disclosure of his/her information by the FI to a third party. Hence, silence or inaction on the part of the customer does not constitute an explicit and deliberate consent by the customer. The FI is also prohibited from obtaining a customer’s consent using pre-ticked consent statements; and
(d) Revocable on request: Subject to the requirements of applicable laws and for the provision of the financial product/service to the customer, the customer must be allowed to withdraw or revoke his/her consent for the disclosure of his/her information at any time, unless such disclosure is necessary for the FI to comply with any legal or contractual requirements. The customer must be informed of his/her right to withdraw or revoke the consent and how such withdrawal or revocation is to be effected. [2] The FI must cease the disclosure of customer information as soon as practicable after the withdrawal of the consent. [3]
The provisions in item 8 will take effect on 1 January 2024 (‘relevant date’).
 
The New Policy Document has clarified the following in relation to item 8:
(a) The requirements in item 8 do not apply to other scenarios whereby disclosure of customer information is already permitted under other legislation, e.g. the Financial Services Act 2013, the Islamic Financial Services Act 2013 or the Development Financial Institutions Act 2002; [4]
(b) As regards the parties to whom disclosure is to be made, it would suffice for the FI to indicate the categories of third parties to whom the customer information will be disclosed, subject to controls in place to protect the information. However, it is unacceptable to use descriptions of third parties which are too broad or vague, e.g. disclosure to any third parties as the FI deems fit; [5]
(c) An FI is prohibited from obtaining a customer’s consent by requesting the customer to indicate consent to a single statement or term that combines the customer’s consent to the disclosure of his/her information with other matters, such as a statement informing the customer that his/her information is collected for the provision of the product/service. In other words, customer consent must be given in a standalone clause or term; [6]
(d) The four conditions in item 8 do not apply to consent obtained from customers before the relevant date. However, an FI must allow existing customers to withdraw consents given before the relevant date unless the withdrawal affects the ability of the FI to comply with any legal or contractual requirement; [7] and
(e) The FI is required to maintain records of any customer consent it has relied upon for making disclosures in a manner that is accessible. The FI must be able to produce such evidence upon request by the customer or the relevant authorities, including BNM. [8]
The New Policy Document took effect from 3 April 2023, except for item 8, which will come into effect on 1 January 2024.
 
Comments
 
The main amendments introduced under the New Policy Document, namely the duty on FIs to exercise greater diligence against phishing when uploading documents to the e-FSA portal and the conditions that FIs must satisfy when seeking a customer’s consent to disclose customer information to third parties, update the requirements to meet the current challenges in Malaysia in combating online scams and to ensure that confidential data is accorded greater protection.
 
 
Alert by Lee Ai Hsian (Partner) of the Banking & Finance Practice and Jillian Chia (Partner) of the Privacy & Data Protection Practice of Skrine.
 

[1] For the purposes of item 8, a ‘customer’ includes the executor or administrator of the customer, or in the case of a customer who is incapacitated, any other legal personal representative.
[2] The New Policy Document requires the process for withdrawing consent to be as straightforward as possible, e.g. via an online platform.
[3] The New Policy Document stipulates that a reasonable time frame would be not more than seven calendar days from the day the FI receives the notice of withdrawal of consent.
[4] Footnote 19.
[5] Footnote 20.
[6] Paragraph (b) of item 8 read with footnote 22.
[7] Second main paragraph under item 8 read with footnote 18.
[8] Third main paragraph under item 8.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.