BNM issues Policy Document on Management of Customer Information and Permitted Disclosures
30 May 2023
On 3 April 2023, Bank Negara Malaysia (“BNM”) issued a new Policy Document on Management of Customer Information and Permitted Disclosures (“Policy Document”) which sets out BNM’s updated requirements regarding measures and controls that a financial service provider (“FSP”) must implement when handling customer information. Such measures and controls include the following:
- FSPs should only upload customer information onto the eFSA portal, a secure reporting platform hosted by the Commercial Crime Investigation Department of the Royal Malaysia Police, and not other sites. This should be done upon request from an authorised investigating officer, after performing proper validation and verification procedures;
- Before disclosing customer information to an investigating officer, FSPs must verify the officer's identity and authority. This includes checking identification and authorisation documents;
- FSPs must adhere to all relevant requirements related to outsourcing arrangements as specified by BNM. An outsourcing arrangement refers to an arrangement where a service provider performs an activity on behalf of an FSP on a continuing basis; and
- From 1 January 2024, when seeking consent from the customer, executor, administrator or legal personal representative of the customer for the disclosure of their information to third parties, the financial institution must comply with, among other things, the following conditions:
  - Specific disclosure terms: The terms seeking a customer’s consent must specify the recipient of the disclosure, the purpose of such disclosure and the information that will be disclosed.
  - No coercion: Financial institutions are prohibited from coercing customers into giving their consent for the disclosure of their information to third parties. Consent cannot be obtained by combining the agreement for disclosure with other matters in a single statement of consent.
  - Explicit consent: Silence or inaction on the part of the customer does not constitute explicit and deliberate consent. Customers must actively provide their consent.
  - Withdrawal of consent: Customers have the right to withdraw or revoke their consent for the disclosure of the information at any time, unless the disclosure is necessary for the financial institution’s legal or contractual compliance.
This Policy Document supersedes the policy document of the same name which was issued by BNM on 12 October 2021.