Bank Negara Malaysia issues New Policy Document on Managing Customer Information

Bank Negara Malaysia (‘BNM’) issued the Policy Document on Management of Customer Information and Permitted Disclosures on 12 October 2021 (‘New Policy Document’).
The New Policy Document came into effect on 12 October 2021 and supersedes the policy document by the same name issued by BNM on 17 October 2017 (‘Superseded Policy Document’).
As in the case of the Superseded Policy Document, the New Policy Document, inter alia, sets out BNM’s requirements and expectations on the following:
  • the measures and controls implemented by financial service providers in handling customer information throughout the information lifecycle; and

  • the conditions specified by BNM with regard to disclosure of customer information under Schedule 11 of the Financial Services Act 2013 (‘FSA’), Schedule 11 of the Islamic Financial Services Act 2013 (‘IFSA’) and Schedule 4 of the Development Financial Institutions Act 2002 (‘DFIA’).
The New Policy Document, like its predecessor, applies as follows:
  • the Policy Requirements in Part B apply to all financial service providers (‘FSPs’) as defined in paragraph 5.2 of the New Policy Document, namely:
  1. a licensed bank;
  2. a licensed investment bank;
  3. a licensed Islamic bank;
  4. a licensed international Islamic bank;
  5. a licensed insurer (including a professional reinsurer);
  6. a licensed takaful operator;
  7. a licensed international takaful operator (including a professional retakaful operator);
  8. a prescribed institution;
  9. an approved insurance broker;
  10. an approved takaful broker;
  11. an approved financial adviser;
  12. an approved Islamic financial adviser;
  13. an approved money broker;
  14. an approved issuer of a designated payment instrument;
  15. an approved issuer of a designated Islamic payment instrument;
  16. an approved operator of a payment system;
  17. a registered operator of a payment system; and
  18. a registered adjuster;
  • the Specific Requirements on Permitted Disclosure in Part C apply only to financial institutions (‘FIs’) as defined in paragraph 5.2 of the New Policy Document, namely:
  1. financial institution as defined under section 131 of the FSA;
  2. an Islamic financial institution as defined under section 143 of the IFSA; and
  3. a prescribed institution as defined under section 3(1) of the DFIA.
It should be noted that the requirements in Parts B and C also apply to the directors and officers of FSPs and FIs respectively.
Key amendments
The New Policy Document is substantially the same as the Superseded Policy Document. The key amendments introduced under the New Policy Document are set out below.
Part B
  1. It has been made clear that Part B also applies to a professional reinsurer and a professional retakaful operator.

  2. FSPs that are non-bank approved issuers of designated payment instruments and designated Islamic payment instruments and approved and registered operators of payment systems are required to submit their investigation reports on customer information breach to the Director of the Payment Services Oversight Department, instead of the Director of Consumer and Market Conduct Department.
Part C
  1. Orders and requests relating to permitted disclosures of customer information by the Royal Malaysian Police (‘PDRM’) to FIs may now be submitted through a new medium, namely the eFSA, a secured digital platform developed and administered by the Commercial Crime Investigation Department (CCID) of the PDRM that allows the online submission of a request for customer information to financial institutions for the purposes of an investigation or prosecution of an offence under any written law.

  2. The right of the Inland Revenue Board of Malaysia to request for disclosure of customer information by FIs is now extended to include information necessary for facilitating  exchange of information pursuant to taxation arrangements under section 132B (mutual administrative assistance arrangements relating to tax matters with other countries) of the Income Tax Act 1967.
Alert by Lee Ai Hsian (Partner) in the Banking and Finance Practice and Kok Chee Kheong (Partner) in the Corporate Practice of Skrine.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact