Banking Secrecy: Disclosure Limits & Effective Consents

1.Banking Secrecy

The Financial Services Act 2013 (FSA) and the Islamic Financial Services Act 2013 (IFSA) introduced a modernized regulatory framework governing Malaysia’s financial institutions, consolidating previous laws like the Banking and Financial Institutions Act 1989 and the Islamic Banking Act 1983. A core component of the FSA and IFSA is the protection of customer data, with strict provisions against unauthorized disclosure, as set out in Section 133(1) of the FSA and Section 145(1) of the IFSA. These sections prohibit anyone with access to customer information from disclosing it without proper authorization, with severe penalties for violations, including fines and imprisonment. Despite this, certain exceptions exist, allowing for disclosures under specific conditions set by Bank Negara Malaysia (BNM) as provided in Schedule 11 of the FSA and Section 134 of the FSA.

2. Permitted Disclosures under Schedule 11 of the FSA

Schedule 11 of the FSA provides a comprehensive list of exceptions under which customer information may be disclosed without breaching banking secrecy laws. One key provision allows financial institutions to disclose customer information when written permission is provided by the customer or their legal representative. This could be the executor or administrator in cases involving a deceased customer, or any other legal personal representative if the customer is incapacitated.

?

Disclosures are also permitted for legal and administrative purposes, such as applications for a Faraid certificate or letters of administration in relation to a deceased customer’s estate. Similarly, customer information may be disclosed in cases of bankruptcy or winding up processes, both within Malaysia and internationally. Information can also be shared in connection with legal proceedings, whether criminal or civil. For instance, disclosure may be necessary when financial institutions are involved in disputes over customer funds or when complying with a garnishee order. In these situations, the information may be disclosed to all parties required for the purpose of the proceedings. Another important exception under Schedule 11 involves disclosures made in response to orders from enforcement agencies regulatory and supervisory purposes. For example, institutions may share information with entities such as the Securities Commission, the Inland Revenue Board of Malaysia, or relevant authorities abroad to facilitate compliance with both domestic and international legal requirements.

?

Even with these exceptions, financial institutions are required to ensure that disclosures are made prudently and only to the extent necessary.

3. Policy Document on Management of Customer Information and Permitted Disclosures

In 2023, BNM issued the Policy Document on Management of Customer Information and Permitted Disclosures (MCIPD) to provide further clarity and detailed guidance on handling customer information. The MCIPD is divided into three parts. Part A offers an overview, while Part B (Policy Requirements) applies to all financial service providers (FSPs), which is defined to include licensed banks, insurers, and takaful operators, approved / registered operators of payment instruments, among others. The definition also extends to their directors and officers.

?

One significant introduction of the MCIPD is its detailed conditions to the permitted disclosures under Schedule 11 of the FSA, specifically stated in Part C (Specific Requirements on Permitted Disclosure), on how financial institutions should manage disclosures. This means that, even when disclosures are allowed under Schedule 11 of the FSA, they must still adhere to the guidelines set out by the MCIPD. Part C of the MCIPD applies specifically to financial institutions as defined under Section 131 of the FSA, Section 143 of IFSA and Section 3(1) of the Development Financial Institutions Act (DFIA).

?

The MCIPD provides a comprehensive definition of “customer information” as any data related to a customer, regardless of its form. Additionally, it outlines what constitutes a breach of customer information, encompassing any instance where customer data is compromised through theft, loss, misuse, unauthorized access, modification, or disclosure. This broad definition ensures that even if a FSP cannot immediately identify the specific customers affected by a breach, the incident must still be investigated and reported to the BNM. The FSP is required to assess the breach’s nature and sensitivity and estimate the number of impacted customers. This approach guarantees that no breach goes unaddressed, even when the full extent of the compromised data is difficult to ascertain.

?

Another significant aspect of the MCIPD is its focus on unauthorized access within organizations. It specifies that if customer information is accessed by employees who do not require it for their roles, it constitutes a breach. The document mandates that each job function within a FSP must have a clearly defined role profile detailing access rights to customer information. Access controls must be rigorous, with necessary adjustments made when staff roles change or when employees leave.

?

4. Is Your Customer Consent Sufficient?

On the other hand, Part C of the MCIPD introduces stringent requirements for obtaining and managing customer consent, effective 1 January 2024. Financial institutions must ensure that consent meets four key conditions: specificity, voluntariness, explicitness, and revocability.

a) Specific

Consent forms must be clear and specific, with plain language used and legal jargon avoided. Financial institutions must clearly identify the recipients of the information, such as “business partners for promoting financial products,” and detail the purpose and types of information being shared. Vague terms like “as the financial institution deems fit” must be avoided.

b) Voluntary

Consent must be given freely, without any form of coercion. Separate consent requests for different purposes should be given to the customers, such as marketing or service provision, to allow customers to choose each option independently. For instance, pre-ticked boxes should be avoided and instead, an active opt-in approach should be applied.

c) Explicit and Deliberate

Consent must be obtained through explicit and deliberate actions. Financial institution is required to provide clear options for customers to either consent to or decline data sharing. For example, passive methods, such as pre-ticked boxes or assuming consent through inaction, are not permitted.

d) Revocable

Customers must be given the right to withdraw their consent at any time, and financial institution must facilitate this process, by clearly informing customers of their right to revoke consent and ensuring that any disclosures based on withdrawn consent are stopped as soon as possible, ideally within 7 days. It is also crucial to maintain comprehensive records of the consent process and any revocations to ensure compliance.

?

5. Insights from Cases

In My Home Budget Hotel Sdn Bhd v CIMB Bank Bhd [2021] MLJU 2780 (HC), the Plaintiff, a CIMB Bank customer, sued the bank’s Assistant Manager for disclosing bank statements to the claimant’s solicitors without consent. The disclosure was made under subpoena to ascertain whether the Plaintiff’s account had sufficient funds for issued cheques. The Court ruled that while confidentiality under the FSA, the Bankers’ Books Evidence Act 1949 (BBEA), and the Personal Data Protection Act (PDPA) is crucial, it must be balanced with the court’s need for evidence. The Assistant Manager’s duty of secrecy was found to be outweighed by the requirement to provide evidence under Section 132 of the Evidence Act 1950. Similarly, Protasco Bhd v. Tey Por Yee & Anor and Other Appeals [2021] 6 MLJ 1 (FC) illustrates that despite the importance of banking secrecy, it is not absolute. The Federal Court affirmed that banking documents relevant to legal proceedings can be disclosed, as Section 7 of the BBEA allows direct inspection of banking records without the procedural constraints of Order 24 of the Rules of Court 2012 (ROC). This ruling highlights that legal transparency may sometimes take precedence over confidentiality.

?

In contrast, OCBC Bank (M) Bhd v Prolink Marketing Sdn Bhd [2023] 2 MLJ 851 (COA) upholds the protection of customer confidentiality. The court ruled that OCBC Bank was prohibited from disclosing information about the respondent’s financial facilities without proper authorization, adhering to Section 133(4) of the FSA 2013. This case emphasizes the importance of maintaining confidentiality even when third-party inquiries arise, especially when these inquiries do not fall within any of the categories set out under Schedule 11 of the FSA and/or Part C of the MCIPD.

?

Finally, the case of National Feedlot Corporation Sdn Bhd & Ors v. Public Bank Bhd [2023] 10 CLJ 430 (COA) serves as a critical illustration of the consequences arising from unauthorized access to customer information. The plaintiffs alleged that their confidential banking information was improperly disclosed by a bank employee, leading to a legal battle over the breach of confidentiality. The central issue revolved around a clerk, Johari, who used an authorized officer’s user ID to print the plaintiffs’ Customer Profile and Banking Statements (CP-BS) from his computer. It was determined that Johari’s unauthorized use of the officer’s computer facilitated the breach, resulting in the Court of Appeal overturning the High Court’s judgment and ruling in favor of the plaintiffs. The bank was found liable for breaching its duty of confidentiality, and the plaintiffs were awarded nominal damages along with RM500,000 in costs.

?

The case highlights the consequences of unauthorized access to customer information, a line discussed earlier in this article which mandate that customer information be accessed solely by employees with a legitimate need based on their job roles under the MCIPD provisions. The case also emphasizes the necessity for financial institutions and their staffs to remain vigilant and compliant with MCIPD provisions. For financial institutions, this means implementing strict and stringent access controls and ensuring staff awareness of their responsibilities regarding customer data. For employees, it is crucial to understand and adhere to these access guidelines to avoid unintentional breaches.

?

6. Conclusion

It is crucial for financial institutions and their employees to be fully aware of their rights and obligations under the laws and regulations. The National Feedlot Corporation case is particularly notable for reinforcing common law principles as established in Tournier v. National Provincial and Union Bank of England [1924] 1 KB 461 that outlined an implied duty of confidentiality within the banker-customer relationship, setting a precedent that is still relevant today. Financial institutions shall enforce strict policies and provide comprehensive trainings to their employees to ensure compliance with the MCIPD and FSA/IFSA provisions, while employees must clearly understand their roles and responsibilities in managing and disclosing customer information. Such vigilance in adherence to regulatory requirement is crucial in maintaining trust relationship between clients and bankers, and in safeguarding the integrity of the financial system.

About the Author

Noelle Low Pui Voon is a Partner at Halim Hong & Quek, a member firm of Andersen Global specialising in Real Estate and Banking & Finance.

Want more insights from HHQ? Subscribe to our email newsletters here .