Navigating Data Regulations in Malaysia’s Financial Sector

Contributors

Salma Khan

Data Privacy Analyst

CIPP/Asia

Syeda Eimaan Gardezi

Associate Data Privacy Analyst at Securiti

I. Introduction

Malaysia’s financial sector is rapidly evolving, with data playing a pivotal role in driving innovation, enhancing customer experiences, and ensuring operational efficiency. However, as financial institutions—such as banks, insurers, and capital market entities—increasingly rely on data, the need for stringent regulatory frameworks to safeguard sensitive information has become paramount. Ensuring compliance with data privacy and security regulations is essential for maintaining public trust and protecting financial stability.

To address these challenges, Malaysia has implemented a comprehensive legal and regulatory framework governing data privacy, security, and governance.  This blog explores Malaysia’s data regulations in the financial sector, highlighting key laws and compliance requirements for organizations.

II. Overview of Regulatory Framework

1. Personal Data Protection Act 2010 (PDPA)

The Personal Data Protection Act 2010 (PDPA) is Malaysia’s primary data privacy legislation regulating the processing of personal data in commercial transactions. It applies to individuals and entities that process or control personal data, including that related to investment, financing, banking and insurance (financial institutions). However, a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010 is excluded from the scope of PDPA. To that end, financial institutions, excluding credit reporting agencies, must comply with PDPA obligations, including obtaining consent, implementing robust data security measures, and ensuring transparency in data processing.

2. Credit Reporting Agencies Act 2010 (CRAA)

The Credit Reporting Agencies Act 2010 (CRAA) governs credit reporting agencies, ensuring the transparency, accuracy, and accountability of credit data processing. It sets out registration and management requirements, data accuracy obligations, and consumer rights, including access to and correction of credit information. It also mandates compliance with security and confidentiality standards to protect credit data from misuse or unauthorized access.

3. Cybersecurity Act

The Cybersecurity Act (CA) strengthens Malaysia’s cybersecurity framework by establishing the National Cyber Security Committee and defining the roles of key entities such as the National Cyber Security Agency (NACSA). It regulates banking and financial institutions that are designated as National Critical Information Infrastructure Entities (NCII Entities) on the basis of possessing National Critical Information Infrastructure (NCII). NCII refers to essential computers or computer systems whose disruption or destruction could impact national security, economic stability, government operations, public safety, and individual privacy. The CA applies to all persons regardless of nationality or citizenship and has effect both within and outside Malaysia, allowing offences committed abroad to be prosecuted as if they had occurred within Malaysia.

4. Bank Negara Malaysia (BNM)

As Malaysia’s central bank, Bank Negara Malaysia (BNM) enforces stringent data security and governance regulations for financial institutions. It regulates financial institutions such as banks, payment system operators, insurers, insurance brokers, financial advisers, money brokers, and adjusters. It has issued guidelines on topics like the Management of Customer Information and Permitted Disclosure, which require financial service providers to promptly report data breaches that may undermine public confidence or harm their reputation. Additionally, BNM’s Data Management and MIS Framework establishes standards for data quality, security, and governance to ensure institutions maintain robust data protection practices.

5. Securities Commission & Capital Markets and Services Act 2007

The Securities Commission Malaysia (SC) oversees capital market entities with a strong emphasis on cybersecurity and data protection. Its guidelines on the Management of Cyber Risk mandate that financial entities report cyber incidents with adverse impacts on their systems or information assets on the same day. These guidelines stress continuous risk assessments, secure data handling practices, and stringent protection for transmitted financial information, enhancing resilience against data-related threats. The Capital Markets and Services Act 2007 (CMSA) also governs capital markets, focusing on market integrity and risk management.

6. Financial Services Act 2013 (FSA) & Islamic Financial Services Act (IFSA)

The Financial Services Act 2013 (FSA) provides a comprehensive regulatory framework for financial institutions, emphasizing prudent risk management, including data security and governance. It regulates traditional financial activities and institutions, including banking, insurance, payment systems, money services, and financial holding companies. Additionally, it oversees prudential requirements, consumer protection, and anti-money laundering compliance. It also grants the BNM enforcement powers to ensure compliance and impose penalties for violations. Additionally, the Islamic Financial Services Act (IFSA) governs Islamic financial institutions, ensuring Shariah compliance in Islamic banking, takaful, and related financial services.

7. Development Financial Institution Act 2002 (DFIA)

The Development Financial Institution Act 2002 (DFIA) regulates development financial institutions (DFIs), which are specialized financial institutions established to support key sectors of Malaysia’s economy, such as agriculture, infrastructure, small and medium-sized enterprises (SME), and trade. It outlines requirements to safeguard the financial system and promote sustainable economic growth. It also empowers BNM to issue guidelines and enforce compliance measures to uphold the integrity of the financial sector.

8. Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)

The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) mandates that financial institutions implement robust Customer Due Diligence (CDD) and record-keeping practices to prevent money laundering and terrorist financing activities. As per the AMLA, financial institutions must maintain secure records of financial transactions and report suspicious activities to the Financial Intelligence and Enforcement Department (FIED) of BNM. Compliance with AMLA ensures transparency and accountability in financial transactions while safeguarding sensitive customer information.

III. Data Protection in the Financial Sector

As per the relevant regulations, financial institutions in Malaysia are required to adhere to strict data protection principles when collecting, processing, and disclosing personal data. These include the following:

1. Data Collection

Under the PDPA and the CRAA, financial institutions and credit reporting agencies may collect personal information only if it serves a specific, lawful purpose directly related to their activities. The collection must be:

  • necessary and directly related to the intended purpose; and
  • proportionate, without being excessive.

While the requirement for necessity and proportionality prevents excessive data harvesting, institutions must navigate the fine line between collecting enough data to fulfill their obligations and avoiding regulatory scrutiny.

Securiti’s Consent Module automates consent collection, tracking and management.

2. Transparency

In accordance with the FSA, financial institutions must:

  • maintain proper accounting records to ensure financial statements are accurate and in compliance with approved accounting standards;
  • prepare and publish financial statements periodically, and ensure these statements are audited; and
  • provide transparency about their data collection and processing practices, informing data subjects about the purpose, third-party disclosures, retention policies, and their rights to access or correct data.

It’s also important to underscore how maintaining transparency isn’t just about compliance—it's about building consumer confidence in an increasingly data-driven world. Thus, institutions must clearly communicate their data practices, as any failure to do so could lead to regulatory risks and a loss of confidence.

3. Data Processing

As per the PDPA, financial institutions must ensure that:

  • explicit consent is obtained from data subjects before processing their personal data; and
  • data is processed solely for purposes directly related to the institution's activities, ensuring it is adequate and not excessive.

Moreover, sensitive personal data is subject to more stringent requirements with regard to data processing. According to the PDPA, sensitive personal data includes personal data relating to the data subject’s physical or mental health, political opinions, religious beliefs, commission or alleged commission of an offence, and biometric data. Such data can only be processed under specific circumstances, including:

  • explicit consent from the data subject;
  • legal obligations related to employment;
  • protecting vital interests of the data subject or another individual;
  • medical purposes or legal proceedings; and
  • administration of justice.

These strict guidelines on sensitive data processing reflect a heightened focus on protecting individuals' privacy. Consequently, financial institutions must be extra cautious when handling such data, as failing to comply could result in significant legal consequences and damage to reputation. While the CRAA does not explicitly mention sensitive credit data, credit reporting agencies should follow best practices by applying more stringent requirements when processing data that is sensitive in nature or poses higher risks if misused.

Under the PDPA, financial institutions are required to obtain explicit consent from data subjects before processing personal data. This serves as a critical safeguard for individuals' privacy, ensuring that their data is handled with their informed agreement.

However, there are exceptions where processing without explicit consent is permissible. These include situations involving the performance of a contract, compliance with legal obligations, or the protection of vital interests of the data subject or another individual. These exceptions are narrowly defined to ensure that the rights of individuals are still respected in cases where consent cannot be reasonably obtained.

Securiti’s Consent Module automates consent tracking and management.

5. Notice and Choice Principle

As per the PDPA, financial institutions must provide written notice to data subjects detailing the collection and processing of personal data, including:

  • the purpose of data collection and processing;
  • the right to access and correct personal data;
  • the third parties to whom data may be disclosed; and
  • the options for limiting data processing.

Under the CRAA, credit reporting agencies must issue a notice when collecting customer credit information. The notice must include:

  • the purpose of processing;
  • the source of information;
  • contact details for inquiries or corrections; and
  • any third parties receiving the data.

From a legal standpoint, these notice requirements are essential for ensuring transparency and empowering data subjects with the information needed to make informed decisions about their data. Financial institutions must not only comply with these obligations but also ensure the notices are clear and easily accessible, as failure to do so could lead to regulatory scrutiny and potential penalties.

Securiti’s Privacy Notice Module automates and customizes privacy notices for compliance with global data laws, ensuring transparency and real-time updates.

6. Disclosure of Personal Data

As per the PDPA, personal data may only be disclosed under certain conditions, such as:

  • consent from the data subject;
  • legal obligations, public interest, or crime prevention; and
  • when required or authorized by law or court order.

Similarly, under the CRAA and FSA, data can be disclosed under circumstances such as consent, crime prevention, or legal requirements. Disclosure beyond the agreed purpose requires fresh consent. The strict conditions for data disclosure ensure that personal data is only shared when absolutely necessary and within the boundaries set by law. This approach upholds the principle of data minimization while protecting individuals' rights and maintaining trust in financial systems.

7. Assessment & Audit

As per the CA, financial institutions designated as NCII entities are required to:

  • conduct cybersecurity risk assessments and audits periodically; and
  • submit reports within 30 days of assessment completion.

Appointing an auditor is also mandated by the DFIA. While the PDPA does not mandate assessments, financial institutions should still conduct them, as regular assessments are crucial in identifying vulnerabilities and mitigating potential threats to personal data. Failing to conduct these assessments could expose institutions to significant risks, including regulatory penalties and data breaches. To that end, adopting a proactive approach to cybersecurity is not only a best practice but also a critical element in maintaining compliance with both domestic and international data protection frameworks.

Securiti’s Assessment solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.

8. Data Retention & Recordkeeping

As per the PDPA, financial institutions must retain personal data only for as long as necessary for its intended purpose and take reasonable steps to delete or anonymize data when it is no longer required.

Moreover, financial institutions covered by the AMLA must maintain records that include the identity and address of the transacting parties, account details, transaction type (e.g., deposit, withdrawal, exchange), and the reporting institution's identity with transaction details (date, time, amount). Specific requirements include:

  • retaining transaction records for at least six years;
  • maintaining records that allow reconstruction of any transactions exceeding specified amounts; and
  • maintaining records for any transaction involving domestic or foreign currency exceeding specified amounts.

As per the CA, financial entities designated as NCII entities are required to maintain records for each engagement for at least six years. These records should be available for inspection by relevant authorities upon request and include:

  • the name and address of the person engaging the service;
  • the name of the person providing the service (if applicable);
  • the date and time the service was provided;
  • details of the type of service rendered, and any other information as specified by the Chief Executive of the National Cyber Security Agency (Chief Executive).

Thus, even though the PDPA lacks a fixed duration, financial institutions would be required to retain records for six years, aligning with the AMLA and CA standards, to fulfill both regulatory and auditing needs.

Moreover, under the IFSA, an Islamic financial institution must maintain accurate accounting records that allow it to prepare its financial statements. These records should be organized in a way that makes it easy and efficient for them to be properly audited.

Securiti’s Sensitive Data Intelligence module uses AI to identify and remove unnecessary data, reducing storage costs and ensuring compliance with retention policies. It enables organizations to leverage granular insights and discover the security posture of data assets across on-premise, IaaS, SaaS, and data clouds.

9. DSR Rights

As per the PDPA, data subjects have the right to:

  • access and correct their personal data (and receive a response within 21 days of making a request);
  • prevent processing that may cause damage or distress (and receive a response within 21 days of making a request);
  • prevent data processing for direct marketing purposes; and
  • access data in a portable format.

As per the CRAA, credit reporting agencies must also respond within 21 days to access and correction requests and provide a credit report if available. They may also charge a fee. Moreover, if a credit provider takes an unfavorable action based on a credit report, they must, upon request, inform the customer:

  • that the action was based on the credit report; and
  • the name of the credit reporting agency used.

It is imperative that financial institutions not only comply with these rights but also establish clear processes to allow data subjects to easily exercise them. They must respond promptly to requests and ensure transparency in their data processing practices. Failing to meet these obligations can result in legal consequences, erode trust with customers, and damage the institution's reputation.

Securiti's Data Subject Request (DSR) Automation simplifies and streamlines the process of managing data subject requests and automates tasks such as access, deletion, and correction requests, ensuring compliance while reducing manual effort and risk.

10. Cross-Border Data Transfers

As per the PDPA’s latest amendments, personal data can be transferred outside Malaysia when the destination country:

  • has laws similar to Malaysia's PDPA; and
  • provides adequate protection for personal data, comparable to the PDPA.

Even where these conditions are not met, cross-border transfers are permitted if there is consent, for contract performance, for legal matters, for compliance with PDPA standards, to protect vital interests, or in the public interest. While this reflects a balanced approach to ensuring personal data protection and facilitating international data flows, institutions must carefully assess whether the destination country meets the required standards for data protection before proceeding with transfers. This precaution is vital to avoid breaches of the PDPA and to mitigate risks associated with data protection violations in jurisdictions with weaker safeguards.

Moreover, as per the CRAA, a credit reporting agency can only transfer credit information outside Malaysia if the destination is approved by the Minister of Finance. Approval is given if the place has similar laws or ensures adequate protection. However, transfers are allowed in specific cases, such as with customer consent, for contract performance, for legal proceedings, or to prevent adverse credit action.

Securiti’s Vendor Risk Management solution automates vendor risk assessments, tracks subcontractor engagements and data breaches, and provides automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.

Securiti’s Data Access Governance (DAG) tool allows organizations to oversee and manage access to personal data across different jurisdictions.

11. Registration Requirements

As per the PDPA, financial institutions must:

  • register under the PDPA and provide the necessary documents; and
  • obtain a certificate of registration.

As per the CA, no financial institution designated as an NCII entity may provide cybersecurity services or advertise as such without holding a valid license. This need for a valid license for entities offering cybersecurity services under the CA also highlights the rising focus on securing critical information infrastructure against evolving cyber threats and ensuring accountability in the realm of cybersecurity and data protection.

IV. Data Security in the Financial Sector

1. Appointment of Data Protection Officer (DPO)

As per the PDPA, financial institutions must appoint one or more Data Protection Officers (DPOs) who are accountable for ensuring compliance with the PDPA.

If personal data processing is carried out by a data processor on behalf of a financial institution, the data processor must also appoint a DPO responsible for ensuring compliance with the PDPA. The need for data processors to appoint their own DPOs reflects the shared responsibility for data protection across all parties involved in processing activities.

The financial institutions must notify the Personal Data Protection Commissioner (Commissioner) of the appointed DPO.

Securiti’s Data Mapping module equips DPOs with tools to catalog and map all data processing activities and to uphold stringent data security and governance protocols.

2. Security of Personal Data

As per the PDPA, financial institutions must develop and implement a comprehensive security policy to secure personal data from loss, misuse, unauthorized access, or destruction. This includes:

  • implementing practical steps to protect personal data throughout its lifecycle; and
  • ensuring that data processors maintain appropriate security standards when processing data on behalf of the financial institution.

As per the CRAA, credit information must be safeguarded from risks such as loss, misuse, unauthorized access, alteration, or destruction. The key security measures include:

  • security measures for storage locations, equipment, and personnel access;
  • securing transfer methods for credit information;
  • ensuring processors provide adequate technical and organizational security guarantees;
  • implementing written policies for employees, agents, and service providers;
  • introducing access authentication controls (e.g., passwords, digital signatures);
  • providing employee training on compliance measures;
  • maintaining and reviewing access controls and logs regularly, including authentication mechanisms; access logs must record key details such as the time, date, identity of the subscriber, and purpose of access, and must be retained for at least two years; and
  • conducting regular audits.

Moreover, as per the PDPA and the CRAA, personal data and credit data must be accurate, complete, and up-to-date for their intended purposes.

These security measures reflect the importance of safeguarding personal and credit data in an increasingly digital and interconnected world. However, the challenge lies in ensuring that not only financial institutions themselves but also their third-party processors meet these stringent standards. This is because any lapse in security at this level can lead to significant regulatory and reputational consequences.

Securiti’s Data Security Posture Management empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.

3. Customer Due Diligence

Financial institutions covered by the AMLA must identify and verify their customers. They must:

  • not open anonymous or fictitious accounts;
  • ensure accounts are in the actual name of the customer; and
  • verify the customer’s identity using reliable documents (e.g., ID card, passport).

Moreover, due diligence is required when:

  • establishing a business relationship or conducting specified transactions;
  • transactions exceed a specified amount or are suspected to be linked to money laundering or terrorism financing; and
  • on an ongoing basis, through continuous monitoring of all accounts, relationships, and transactions.

In addition, as per the BNM’s guidelines, financial service providers must implement a robust set of policies that:

  • are approved by the institution’s Board of Directors (BOD);
  • include risk assessment, security controls, and incident handling; and
  • mandate regular employee training and monitoring.

Financial service providers must ensure third-party service providers comply with security and regulatory standards and conduct periodic reviews. However, financial institutions must balance these obligations with operational efficiency, ensuring that compliance processes do not overly hinder customer experience or slow down transactions.

5. Personal Data Breach Notification

As per the PDPA, a personal data breach refers to any unauthorized access, loss, misuse, or destruction of personal data. The financial institution must notify:

  • the Commissioner as soon as practicable; and
  • the affected individuals, without unnecessary delay, if the breach is likely to cause significant harm.

As per the CA, financial institutions designated as NCII entities have a duty to notify the occurrence of cybersecurity incidents. Financial institutions must notify the Chief Executive and the sector lead about cybersecurity incidents within 6 hours of discovery. The following information must be provided:

  • incident type, severity, and discovery method;
  • affected infrastructure and threat actors; and
  • impact of the incident and actions taken to address it.

Moreover, as per the BNM’s guidelines, financial service providers must:

  • establish and follow clear breach-handling procedures;
  • assess breach impact and notify the relevant authorities in severe cases; and
  • maintain a breach register and implement lessons learned.

These requirements guarantee transparency and accountability. However, the time-sensitive nature of these notifications puts pressure on institutions to have robust incident detection and reporting systems in place. Financial institutions must also ensure that their breach-handling procedures are not only reactive but proactive, assessing the impact of breaches and implementing lessons learned to strengthen their data protection measures going forward.

Securiti’s Breach Management solution automates breach notifications and compliance actions, ensuring timely reporting of security incidents.

V. Data Governance Frameworks in the Malaysian Financial Sector

1. Data Management Framework

BNM has issued guidelines for Development Financial Institutions (DFIs) under the DFIA. These guidelines aim to establish robust data management and Management Information System (MIS) frameworks and include:

  • Principle 1 - Data Management and MIS Framework: DFIs must create a framework aligned with business and risk strategies. It should ensure oversight by the BOD, while senior management should be responsible for design and updates. Policies for data governance and independent audits are required.
  • Principle 2 - Data Governance: DFIs must implement governance structures to ensure accountability, define responsibilities for data management, quality, and security, and address inconsistencies or breaches. Larger DFIs may need a dedicated data stewardship function.
  • Principle 3 - Data and Systems Architecture: DFIs must create a comprehensive architecture for effective data integration and storage, ensuring compliance with legal requirements, including privacy standards, and supporting business continuity with backup mechanisms.
  • Principle 4 - Data Quality: DFIs must ensure data accuracy, completeness, and timeliness by regularly assessing data quality and addressing issues, with BOD oversight for significant risks.
  • Principle 5 - Data Security and Privacy: DFIs must implement strong controls to protect data integrity and limit access, classify sensitive data, and secure systems. Compliance with privacy laws and obtaining certifications like MS ISO/IEC 27001:2007 is encouraged.
  • Principle 6 - MIS Effectiveness: The MIS must provide timely, accurate, and actionable information for decision-making. Outputs should meet user needs, with regular reviews to adapt to evolving requirements.

2. Risk Management Frameworks

The BNM has outlined the Risk Management in Technology (RMiT) framework to address technology-related risks faced by financial institutions. This includes guidelines for managing cyber risks, ensuring technology resilience, and maintaining the secure operation of critical systems. Key principles include:

  • Governance:
    • The BOD must set the institution’s technology risk appetite, aligning it with the overall risk management framework.
    • Senior management is responsible for implementing the Technology Risk Management Framework (TRMF) and the Cyber Resilience Framework (CRF).
  • Technology Risk Management:
    • A robust TRM Framework should include risk identification, assessment, and mitigation processes. Institutions must implement a technology risk register to track key risks and ensure that each risk has a designated risk owner.
    • TRMF should address cybersecurity with encryption and access controls.
    • Regular IT audits and staff training on cybersecurity are required.
  • Technology Operations Management:
    • Establishing robust controls over technology projects, data centers, and cryptography standards.
    • Ensuring redundancy and physical security for data centers to prevent operational disruptions.
  • Cybersecurity Management:
    • Institutions are required to develop a Cyber Resilience Framework (CRF), which includes:
      • multi-layered security controls;
      • regular penetration testing and vulnerability assessments; and
      • a mandatory Security Operations Center (SOC) for continuous monitoring.
    • Institutions are also required to implement a Cyber Security Framework that includes:
      • 24/7 security monitoring; and
      • regular cyber threat intelligence analysis and penetration testing.
  • Third-Party Management:
    • Conducting due diligence on third-party service providers, including cloud service providers, to manage risks like data leakage and service disruptions.
  • Incident Response:
    • Institutions must have a Cyber Incident Response Plan (CIRP) that includes preparedness protocols and post-incident reviews.
    • Institutions must notify the SC of any major technology-related projects or cyber incidents, ensuring transparent reporting and compliance.
  • Risk Management and Internal Controls Framework for Money Service Businesses:
    • Risk framework should have timely reporting, regular risk assessments, and accessible audit reports.
    • Internal policies should cover SOPs, cash management, transaction authorizations, and new product risk assessments.
    • Financial records must comply with Malaysian standards, with qualified auditors and accountability for outsourced accounting. Records should be safely maintained, with an independent complaints function and dual controls to prevent fraud.
    • A business continuity plan should include data backups and minimal downtime.
    • CCTV and counterfeit-detection systems must be installed with clear recordings and proper maintenance.

Securiti's Data Governance module automates data discovery, classification, and lifecycle management to ensure compliance and enable efficient data control across environments.

VI. Artificial Intelligence in the Financial Sector

In Malaysia, AI regulations are still evolving. The country has recognized the importance of AI for its economic growth and has initiated frameworks to guide its development and deployment. The Malaysia Digital Economy Blueprint (MyDIGITAL) emphasizes the need for AI adoption in various sectors. The government has also introduced the National Guidelines on AI Governance and Ethics to promote responsible AI and data usage. These frameworks aim to ensure AI is used in a secure, ethical, and transparent manner. Moving forward, ongoing refinement of these guidelines and proper legislation will be necessary to keep pace with rapid technological advancements and emerging ethical concerns.

Securiti's AI Security & Governance module protects AI systems by managing data security, privacy, and compliance, ensuring safe and ethical AI operations.

VII. Conclusion

Thus, protecting data in Malaysia’s financial sector requires robust governance, advanced security frameworks, and strict adherence to regulatory compliance. Financial institutions must continuously adapt to evolving standards and implement comprehensive risk management practices to ensure data privacy and security.

Securiti’s Data Command Center enables organizations to comply with Malaysia’s Personal Data Protection Act (PDPA) and the evolving regulations governing Malaysia’s financial sector by securing the organization’s data, enabling it to maximize data value, and fulfilling its obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome the challenges of hyperscale data environments through unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling them to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo today to witness Securiti in action.
