The Central Bank of Malaysia, Bank Negara Malaysia ("BNM"), has issued a revised version of the Policy Document on Management of Customer Information and Permitted Disclosures ("Revised MCIPD"), which came into effect on 3 April 2023 (save for provisions related to consent requirements on permitted disclosures to third parties, which will take effect on 1 January 2024).
The Revised MCIPD includes:
- the definition of "outsourcing arrangement", which has been aligned with the Policy Document on Outsourcing issued by BNM;
- clarifications on the usage of the eFSA portal, through which financial institutions ("FI") upload customer information for disclosure to the Royal Malaysian Police. For instance, FIs are now required to verify the authenticity of the eFSA portal before uploading customer information, to ensure that it is not a phishing site; and
- matters concerning customers' consent for disclosures to third parties. FIs must now fulfil four conditions when seeking customer consent for such disclosures: (i) the terms seeking the consent must be specific; (ii) the consent must be voluntary, and FIs must not obtain the customer's consent by combining the consent statements for disclosure of customer information with other matters in a single statement; (iii) the consent must be given explicitly and deliberately by the customers; and (iv) the consent must be revocable upon request except where required by law or contract.
However, the Revised MCIPD clarifies that the consent requirements in the third item above do not apply to scenarios where the disclosure of customer information is already permitted under the Financial Services Act 2013, Islamic Financial Services Act 2013, and Development Financial Institutions Act 2002.
Essentially, the Revised MCIPD enhances the existing regulatory framework for FIs' handling of customer information. These amendments are welcome as they enhance the protection of customer information in the financial services sector.