Safeguarding Customers Interest

Uploaded by

Meng Poh Beh

CHAPTER 6: SAFEGUARDING CUSTOMERS’ INTERESTS

Learning Outcome

At the end of the chapter, you will be able to:

• Describe how customer interests are intended to be safeguarded by regulatory guidelines
through their interpretation in financial services organisations’ policies and processes.

Key Topics

In this chapter, you will be able to read about:

• Regulatory and supervisory approach in market conduct and consumer protection
• Regulatory compliance oversight on fairness of treatment and protection for financial
consumers
• Key features of BNM guidelines on fair treatment of financial consumers
• Key features of BNM guidelines on product transparency and disclosure
• Key features of BNM guidelines on the imposition of fees and charges on financial
products and services
• Key features of BNM guidelines on complaint handling
• Key features of BNM guidelines on fair debt collection practices
• Key features of BNM guidelines on introduction of new products
• Key features of BNM guidelines on prohibited business conduct
• Key features of BNM guidelines on responsible financing
• Key features of BNM guidelines on management of customer information and
permitted disclosure
• Key features of the principles for a fair and effective financial market for the Malaysian
financial market
• Key features of BNM code of conduct for Malaysia wholesale financial markets
• Key features of BNM guidelines on investor protection
• Case study – Wells Fargo Bank
• Case study – Lehman Brothers
• Case study – CIMB Bank Bhd vs Anthony Lawrence Bourke & Anor [2019] 2 MLJ1
• Case study – Personal data breach
• Case study – Transparency and information obligations

Assessment Criteria

During the exam, you will be expected to:

• Examine the financial customers’ interest, information and protection.
• Examine the regulatory and supervisory approach ensuring industry-wide
standardised market conduct and fair treatment of financial consumers and financial
market clients.

• Examine the financial institutions to ensure that they comprehensively adopt the legal
and industry requirements in various retail and wholesale banking business conduct
and practices to achieve the outcomes of the regulatory and supervisory intentions.
• Assess the establishment of internal controls and measures to monitor the
effectiveness of the policies and procedures regarding the market conduct and fair
treatment of financial consumers and financial market clients.

6.1 Regulatory and Supervisory Approach in Market Conduct and Consumer Protection

6.1.1 Overview of Market Conduct and Consumer Protection

Banking products and services are becoming more complex alongside advances in the technology
of distribution channels, making scrutiny of financial institutions’ market conduct and
consumer protection measures more important than ever.

Regulatory & Supervisory Objectives

• Market Conduct: Ensures that the market and its participants operate on equal playing
level in prospering the economy.
• Consumer Protection: Ensures that the financial system and its participants treat all its
customers fairly and equitably.

Figure 6.1: Market Conduct and Consumer Protection

Market conduct and consumer protection objectives ensure that customers caught in
an asymmetric information situation are treated fairly and are not taken advantage of.
Hence the requirement for banking institutions to fully disclose all material information to
facilitate informed decision-making by prospective customers.

Market conduct regulations, on the other hand, also govern the activity of banking institutions
against each other to create fair competition in the industry in the interest of all
stakeholders, including the economy in general. This arose from the rampant speculative
investment activities of the US banks during the GFC, which resulted in extensive reforms of
the banking industry.

6.1.2 The Scope of Market Conduct and Consumer Protection Framework

The market conduct and consumer protection regulations are intended to ensure that
customers are treated fairly and transparently in a responsible and professional manner. In
achieving this, various standards and guidelines are issued where good banking conduct is
expected in the following areas:

a) Transparency and disclosure

b) Fairness of terms of contract and agreement

c) Promotion/advertisement of financial services and products

d) Advice and recommendation for suitability and affordability of banking services and
product

e) Administration of complaints and dispute resolution

It is important to ensure customers are treated fairly and equitably to promote a sense of
trust and confidence in the financial system that the unsuspecting public will not be taken
advantage of. In this regard, the regulator has intensified the regulations for the elements of
fairness, equity and transparency to be evidently present, particularly in financing contract
terms and conditions, pricing and cost-practices, and other lop-sided deals in the banking-
customer relationship. This sums up the expectation of the market conduct regulation and it
is also replicated into the wholesale market conduct where the professionalism and integrity
of the wholesale financial market are preserved with the acts and practices devoid of market
manipulations, misinformation and rumour, and insider-dealings.

6.1.3 Legislation on Market Conduct and Consumer Protection

There are various legislations in Malaysia dealing with market conduct and consumer
protection across all business segments. Members of the public are protected against
misleading advertisements, unfair treatment or unfair contractual terms when acquiring a
commercial product or service. Apart from getting a fair business deal, consumers are also
protected from the potential abuse of their personal data by data users, where their
express consent is required prior to any disclosure to any third party or for marketing purposes.
Most importantly, consumers are assured of adequate fairness and protection when dealing
with a financial institution for deposits and when applying for a banking product or service.

The present legislative measures among others are:

a) FSA/IFSA 2013

Administered by BNM, both legislations have clauses related to business conduct and
consumer protection, information and secrecy as well as restrictions relating to consumer
protection.

b) Personal Data Protection Act 2010 (PDPA)

PDPA is administered by the PDP department, an agency under the Ministry of
Communications and Multimedia Commission (MCMC) established in May 2011. This
Commission will oversee the processing of personal data of individuals involved in
commercial transactions by data users so that it is not misused or misapplied by the parties
concerned, as mandated by the PDPA.

c) Competition Act 2010

The Competition Act 2010 prohibits anti-competitive agreements and the abuse of dominant
position in the market. It is administered by the Competition Commission.

d) Credit Reporting Agency Act 2010

The Act provides for the registration and regulation of credit reporting agencies that are
carrying on credit reporting. Except for BNM’s CCRIS, other credit reporting agencies such
as CTOS are now subject to this Act.

e) Consumer Protection Act 1999

The Act was amended multiple times to ensure adequate protection to the consumers
particularly relating to unfair contract terms and misleading advertisements. This Act is
administered by the Ministry of Domestic Trade and Consumer Affairs.

f) Malaysia Deposit Insurance Corporation Act 2011

The MDIC Act is for the establishment of the MDIC or PIDM in overseeing the
implementation of the insurance deposit schemes in Malaysia, which is critical for the
protection of banking depositors and insured persons. It should be noted that Malaysian
legislative measures are adequate to ensure fairness and accord protection to the people in
their commercial dealings.

6.1.4 Regulatory Guidelines on Market Conduct and Financial Consumer Protection

Apart from having its own legislative measures, BNM also issued various regulations and
guidelines to further enhance the market discipline in ensuring adequate business conduct
and financial consumer protection, as follows:

Table 6.1: Market Conduct and Financial Consumer Protection

| Guidelines | Description |
|---|---|
| Fair Treatment of Financial Consumers (FTFC) | Provide business conduct principles and best practices in implementing the FTFC. The details of the Guidelines are provided in Table 6.2 |
| Product Transparency & Disclosure | Specify conduct and format for financial institutions to observe in conducting marketing of financial products. Specific disclosures to assist customers in making informed decisions are expected prior to them acquiring any financial product or service. The details of the Guidelines are provided in Table 6.3 |
| Fees & Charges | Provide guidance on allowable fees and charges for financial products and services to ensure fair and equitable treatment of individual or SME customers. The details of the Guidelines are provided in Table 6.4 |
| Complaint Handling | Provides requirements for fair and efficient complaint handling in consumer protection and retention to avoid costly and time-consuming consumer dispute resolution and redress mechanism. The details of the Guidelines are provided in Table 6.5 |
| Fair Debt Collection Practices | The Guidelines ensure orderly conduct of debt collection practices by the financial institutions. The details of the Guidelines are provided in Table 6.6 |
| Introduction of New Products | Set out the requirements on the development, offering and marketing of new financial products and services with responsibilities to ensure product suitability to customers and their awareness of the related nature and risks. The details of the Guidelines are provided in Table 6.7 |
| Prohibited Business Conduct | Complement the prescribed prohibited business conduct as set out in Schedule 7 of the FSA or IFSA or the Second Schedule of the DFIA. The details of the Guidelines are provided in Table 6.8 |
| Responsible Financing | Enforce responsible financing practices in dealing with retail consumers to support informed decision making by such consumers. The details of the Guidelines are provided in Table 6.9 |
| Management of Customer Information and Permitted Disclosure | High standard of confidentiality and care in handling customer information including controls against theft, loss, misuse or unauthorised access, modification or disclosure. Information release is subject to the given circumstances and format. The details of the Guidelines are provided in Table 6.10 |

The regulatory oversight on market conduct and protection covers not only the financial consumer
market but also extends to financial and capital market clients, as follows:

Table 6.2: Market Conduct and Capital Market Clients

| Guidelines | Description |
|---|---|
| Principles for a Fair and Effective Financial Market for the Malaysian Financial Market | The Principles set out is to achieve a financial market environment that is trusted, competitive, resilient and best positioned to support the sustainable growth of the Malaysian economy. The details are provided in Table 6.11 |
| Code of Conduct for Malaysia Wholesale Financial Markets | The Code sets out standards of market conduct and practices to maintain the professionalism and integrity of the wholesale financial markets. The details are provided in Table 6.12 |
| Investor Protection | Allow financial institutions and their employees to carry out permitted capital market activities subject to them meeting the requirements on the “fit and proper” and relevant investor protection. The details of the Guidelines are provided in Table 6.13 |

6.2 Regulatory Compliance Oversight on Fairness of Treatment and Protection for
Financial Consumers

6.2.1 Inter-agency Approach in Managing Consumer Finance

It should be noted that consumer finance in Malaysia is a broad business activity offered by
multiple players beyond those in the financial industry. This is more prevalent nowadays, as
credit consumers are more reachable than ever in this age of digitalisation. With financial
institutions being made subject to the stringent regulations on the fair treatment and
protection of financial consumers, it is very challenging to implement similar standards
across diverse credit businesses and services. To this end, efforts have been underway since
mid-2019 for the enactment of the new Consumer Credit Act to further strengthen the foundations
for the development of consumer finance in the digital age. The Government has expedited
the new Act as it is a critical piece of legislation, with household debt now at 82.1 per
cent of Malaysia’s gross domestic product (GDP).

In promoting consistent and well-coordinated fair consumer credit treatment and protection,
the new Act will among others reinforce fundamental protections provided to credit
consumers and institutionalise inter-agency arrangements between responsible authorities
for regulating consumer credit activities. This includes explicitly addressing consumer data
ownership rights and permitted uses of personal customer information, including establishing
safeguards against data theft and manipulations leading to unfair practices and other abuses
by the market players.

The new Act will complement the country’s effort in elevating the financial literacy among
Malaysians, where a five-year national plan was launched in 2019. The strategies involve:

a) nurturing good financial values from a young age

b) increasing access to good financial management information

c) inculcating positive financial behaviour among targeted groups

d) educating on long-term financial management and retirement planning

e) building and safeguarding wealth

The national strategies are being implemented through the Financial Education Network
which is an inter-agency grouping co-chaired by BNM and SC and with members comprising
Ministry of Education, Ministry of Higher Education, PIDM, Employees Provident Fund, AKPK
and Permodalan Nasional Berhad.

The national strategies on financial literacy and the new Act are indeed positive
developments in ensuring comprehensive consumer credit fairness and protection framework
across all products and services as well as legions of regulators and players.

6.2.2 Subscribing to the Market Conduct for Consumer Fairness and Protection
Measures in Business Operations

The myriad of legislative measures and regulatory guidelines have provided various sources
and mandates to ensure full adoption of such market conduct and implementation of fair
treatment as well as protection to the financial consumers and financial market clients alike.

Tables 6.3 to 6.11 showcase the key features of BNM requirements in imposing market
conduct and the FTFC which should be incorporated in the retail banking policies and
procedures. There may be some duplication of similar requirements across the guidelines,
but the common requirements to the financial consumers can be summarised as follows:

a) Publication of the Financial Treat Customers Fairly Charter, with which financial
institutions are obliged to comply;

b) The tone from the top in driving the FTFC agenda throughout the institutions;

c) Clear and fair legal contractual terms including the financial fees and charges;

d) Transparency for financial information to the consumers for their informed decisions,
where the information must be timely and comprehensive for their full awareness and
comparative understanding;

e) Responsible conduct in offering any product or service suitable to the affordability of
consumers or the ones needed by them. Financial institutions must have the interest of
consumers in mind when offering and marketing new products and must not engage in any
misleading or deceptive conduct; and

f) Effective handling of financial consumer complaints.

Meanwhile, Tables 6.12 to 6.14 dealt with the expected market conduct and protection to the
financial market clients where the requirements are summarised as follows:

a) Adoption of the universal principles for a fair and effective financial market which
promote adoption of best market practices, transparency and accountability,
competitive market, good governance and due diligence, and adherence to the
prevailing rules and codes;

b) Code of conduct to maintain the professionalism and integrity of the wholesale financial
markets with eligible brokers and dealers and governance and ethical controls over
financial market conduct and dealings; and

c) Investor and client protection through stringent regulation of financial and capital
markets.

It is thus the role of regulatory compliance to ensure that the legislative
measures and regulatory guidelines pertaining to the FTFC and the financial market are
fully embedded into the operations of retail and wholesale banking businesses across
the institution. This will inculcate the appropriate conduct and culture to achieve the
objective of the respective legislation and regulations. The cases in 6.15 and 6.16 will
highlight the lapses of market conduct and compromises on the internal controls for
illegal business gains.

6.3 Key Features of BNM Guidelines on Fair Treatment of Financial Consumers

6.3.1 Introduction

Effective May 2020, the Guidelines require financial service providers (FSPs) to be
responsive to the needs of financial consumers and to conduct their business in a manner that
brings trust and confidence. A corporate culture that places high importance on fair treatment
of financial consumers (FTFC) will result in high customer satisfaction and retention. The
conduct risk management is now expected to be the financial institutions’ overall risk
management framework.

6.3.2 Expected Outcomes

Table 6.3: Fair Treatment of Financial Consumers


• Outcome 1: Financial consumers have the confidence that they are dealing with a FSP where
the fair treatment of its financial consumers and consideration of their best interests are
integral to its corporate culture and core values
• Outcome 2: Financial consumers are not subject to unfair discriminatory practices,
including unfair contract terms that significantly disadvantage financial consumers
• Outcome 3: Financial consumers are provided with clear, relevant and timely information for
them to make informed decisions before, during and after the point of sale, including the
costs, risks and important exclusions or limitations
• Outcome 4: Staff, representatives and agents of a FSP exercise due care, skill and diligence
when dealing with financial consumers
• Outcome 5: Financial consumers receive suitable advice and recommendations that take into
account their financial needs and circumstances
• Outcome 6: Financial consumers’ complaints and claims are handled in a prompt, fair and
effective manner

6.3.3 FTFC Charter

FSP Commitment on FTFC:

• publish on the website
• set out in a separate Treat Customers Fairly Charter or incorporated into its Customer
Service Charter
• guided by the FTFC principles set out in the Guidelines in developing the charter

6.3.4 Key Principles

a) Principle 1: Corporate Culture


The Board and Senior Management must set clear expectations on the FTFC and
ensure that this is embedded in the FSP’s corporate culture and core values.

• The board is responsible for setting the tone from the top to ensure reasonable
standards of fair dealing
• Senior management is primarily responsible for driving the FTFC agenda and
embedding FTFC into the FSP’s corporate culture and core values
• Staff, representatives and agents are trained on the core values and desired
conduct and behaviour to deliver fair outcomes to financial consumers
• Ensure that performance measures at the enterprise, business or functional unit
and individual levels are aligned with the FTFC outcomes
• Shall investigate and take appropriate action to prevent future recurrence if
undesirable conduct or behaviour of staff, representatives or agents results in
detriment to financial consumers

b) Principle 2: Fair Terms


A FSP must ensure that financial consumers are provided with fair terms in their contracts.

• Ensure that terms in its standard contracts are fair to financial consumers

✓ a contract is reviewed during product development and periodically to ensure
the terms are clear and accurately reflect the financial product as designed
and contract terms comply with the regulatory requirements at all times.
✓ must not have contract terms that impose barriers which make it difficult for
financial consumers to switch to another financial product or another FSP
before the end of the contract tenure
✓ a clear and prominent statement to remind financial consumers to read and
understand contract terms
✓ include key contract terms that affect financial consumers’ rights and
obligations in the product disclosure sheet

c) Principle 3: A FSP must provide financial consumers with clear, relevant, and timely
information on financial services and products

• Information disclosure:

✓ a clear and balanced representation on key features, risks and benefits
necessary for financial consumers to make informed financial decisions
✓ keep financial consumers adequately informed regarding a financial service or
product at the pre-contractual stage, at the point financial consumers enter
into a contract and during the term of the contract as stipulated in the
Guidelines on Product Transparency and Disclosure
✓ promotional materials are clear and not misleading (whether by statement or
omission) as financial consumers often rely on information in promotional
materials when making decisions
✓ the same expectations of adequate transparency and disclosure shall apply to
digital financial services or products

✓ where the information delivered contains financial consumers’ financial information, it
should be adequately protected

d) Principle 4: Fair dealing


A FSP must ensure its staff, representatives and agents exercise due care, skill and
diligence when dealing with financial consumers.

• establish policies for staff, representatives and agents to carry out their duties
and responsibilities with due care, skill and diligence in accordance with
professional ethical standards

• implement measures, including training, supervision and monitoring, to ensure
that its staff, representatives and agents do not recklessly, negligently or
deliberately mislead financial consumers on the advantages or disadvantages of
any financial service or product

• representatives and agents:

✓ subject to proper due diligence

✓ the expectations to uphold high standards of ethics, integrity and
professionalism in all dealings with financial consumers are reflected in the
service level agreement between the FSP and its representatives and agents

• staff, representatives and agents do not exert undue pressure or influence on any
financial consumer to acquire a financial service or product

• not impose conditions that are unfairly prejudicial to a particular financial
consumer or group of financial consumers to obtain a financial service or product
from the FSP

e) Principle 5: Advice and Recommendation


A FSP must take reasonable care to ensure the suitability of advice and
recommendations provided to financial consumers.

• staff, representatives and agents must ensure that any advice or
recommendation on a financial service or product provided to financial
consumers has a reasonable basis and is provided in the best interests of
financial consumers:

✓ to obtain sufficient information from the financial consumer as necessary or
appropriate to the nature and complexity of the financial service or product
being sought by the financial consumers

✓ to provide information to the financial consumers on all financial services or
products that are assessed to be suitable so that financial consumers are
adequately informed of all choices available

• for investment-related services or products where the capital invested by financial
consumers could be at risk of potential loss, to ensure that the financial
consumers understand the implication of this risk before making any advice or
recommendation on the financial service or product

• disclose to financial consumers the quantum of any commission, prior to
providing any advice or recommendation on the financial service or product

• periodically check that its staff, representatives and agents remain
competent to provide quality advice and recommendations to financial consumers

f) Principle 6: Redress
A FSP must handle financial consumer complaints and claims promptly, fairly, and
effectively.

• Handling of financial consumer complaints and claims

✓ provide an effective, simple and easily accessible internal dispute resolution
process
✓ have in place proper processes, and well-documented procedures for
complaints and claims handling, including contact points for complaints and
claims
✓ ensure sufficient and well-trained resources are allocated to handle and
resolve complaints/claims as well as timeframes for complaints and claims
resolutions
✓ establish effective monitoring and evaluation mechanisms for all complaints
and claims received including communication with financial consumers
throughout the processes
✓ inform financial consumers of the availability of the Ombudsman for Financial
Services, should the financial consumer decide to continue pursuing a case
which the FSP considers as either resolved or closed

6.4 Key Features of BNM Guidelines on Product Transparency and Disclosure

6.4.1 Introduction

BNM in issuing the Guidelines on Product Transparency and Disclosure (the Guidelines)
sought to establish a consistent and comprehensive disclosure regime aimed at improving
information disclosure on products and services offered by financial service providers
(FSPs). The Guidelines are applicable to individual/SME retail customers of banking
products and services or their intermediaries.

6.4.2 Objectives

a) Promote consumer awareness and understanding of financial products and services;

b) Facilitate consistency in disclosure of essential information on financial products and
services to enable comparison;

c) Minimise mis-selling and ensure that financial products and services are sold in a manner
appropriate to the needs, resources and affordability of the consumer; and

d) Promote informed decision-making by the customer.

6.4.3 Disclosure Principles

The FSP should pay due regard to the information needs of the customer by adopting the
following disclosure principles:

Timely

▪ information at an early stage in the buying process to assess suitability of the financial
products or services
▪ disclosure must be adopted at each of the three stages of the contractual process: the
pre-contractual stage, at the point of entering into a contract and during the term of the
contract

Clear and Concise

▪ disclosure must be concise and focused to serve its intended purpose
▪ information on products and services must be presented in a clear and reasonably
understandable format
▪ contracts, agreements and policy documents should be presented in plain language

Highlight Important Information

▪ draw the customer’s attention to key terms and features of the financial product or service
▪ highlight major terms and conditions applicable to a financial product or service
such as penalties, restrictions, exclusions, consequences of early termination of contract
and information pertaining to the customer’s rights and obligations
▪ display warnings on product details such as the risks associated with a financial product,
where applicable
▪ disclose the underlying assumptions and any circumstances or conditions that may affect
future performance, where necessary

Consistent and Comparable

▪ a product disclosure sheet should be provided to the customer to facilitate comparison
with similar products offered by other FSPs, i.e. product characteristics, risks and
benefits, costs and returns.

Accurate and Relevant

▪ disclose accurate and relevant information necessary to enable the customer to make informed
decisions with regard to financial products and services
▪ disclosure of product risks should have equal prominence with information on product benefits
▪ avoid using hypothetical circumstances or unrealistic assumptions to project future returns which
are likely to be misleading
▪ unless explicitly guaranteed by issuer, investment related products aimed at returning the
customer’s capital shall not be represented as capital protected product
▪ financial products where the funds are invested in Shariah-approved investment instruments are
not allowed to be marketed as Islamic or Shariah-compliant products

6.4.4 Key Requirements

a) Sharing of customer information with third parties with consent

i) No sharing of information between companies within the financial group for
cross-selling purposes, if objected to by customers. Also, to provide an ‘opt out’
opportunity later for such disclosure.
ii) No sharing of customer information with third parties for marketing and
promotional purposes except with the express consent of the customer. The
customer must be given an option to ‘opt in’.

b) Disclosure requirements for advertisement

i) Must be clear and not misleading


▪ Name of the financial service provider to be clearly shown
▪ Easily understood by customers
▪ Product/facility or promotional gifts should not be described as ‘free’ or ‘no
cost’ if there are any charges or conditions attached to such
▪ Legible fonts are used to bring attention to the pricing and charges. Avoid
using font size less than 8 point for footnotes

ii) Disclose accurate and relevant information


▪ Product’s features, risks, costs, and benefits must be accurate
▪ Disclose the effective lending rate or effective annual yield (for conventional
loans / deposits products) or effective profit rates or historical profit rates (for
Islamic financing / deposit products), to facilitate comparison by consumers.
▪ A new promotion should make known the duration of the promotional period
and the terms and conditions which apply to that particular promotion
▪ Display warnings on product details, such as the risks associated with a
financial product, as a boxed warning statement, where applicable with
appropriate font and in bold print

iii) Illustration of past and future performance


▪ Advertising on the potential returns of a financial product should state that the
forecast is for illustrative purposes only and is not indicative or construed as
likely returns
▪ When presenting past performance of a product, to use the returns of the
immediately preceding 5 years (or the available period, if shorter). It must be
accompanied by a prominent statement that past performance is not indicative
of future performance with the source of data and period used in the
illustration to be clearly stated

c) Language of regular communication

i) Forms and pamphlets should be made available in Bahasa Malaysia alongside
other languages
ii) Contracts, agreements and insurance/takaful policies/certificates may be prepared
in either Bahasa Malaysia or English at a customer’s request
iii) Customers to sign the agreement/contract in a language that they understand

d) PDS or Shariah contract briefing

i) PDS should be provided to customers in given format(s) in the Guidelines to
facilitate informed decisions and facilitate comparison between products
ii) PDS to be given before purchasing a product or service and if there is a material
change to the information, at the point of entering into a contract. Otherwise, a
copy of PDS should be sent to the customers together with the policy
document/agreement
iii) Shariah contracts should be explained clearly

e) Consumer awareness on their rights

i) Consumers should be directed to the consumer education booklet, or to the
customer hotlines at the bank or BNM LINK/telelink, for enquiries or complaints
unresolved by the FSP.

6.5 Key Features of BNM Guidelines on the Imposition of Fees and Charges on
Financial Products and Services

6.5.1 Introduction

The Guidelines aim to ensure fair and equitable fees and charges are levied on financial
products and services offered to individuals and small and medium-sized enterprises
(SMEs).

6.5.2 Key Requirements

BNM’s prior approval is required only for any upward revision of existing fees and charges or
any introduction of new fees and charges imposed on SMEs and/or individuals. The fees and
charges are subject to the following guiding principles:

Table 6.4: Guiding principles for fees and charges

Principle 1: The FSP should not impose charges that are part and parcel of enhancing the
FSP’s own internal operating processes and/or risk management practices on customers

Principle 2: For ad-hoc services at the request of customers, the amount of charges to be
imposed should be based on actual direct costs incurred provided not part of the core
features of a financial product and not exceeding the actual direct costs

Principle 3: Outsourcing should lead to more competitive and efficient pricing and thus
should not result in additional charges imposed on the customer

Principle 4: If there is a convenient, cheap and effective alternative arrangement offered,
the FSP may be allowed to impose charges on similar services/products offered

Principle 5: If the services offered are not part of the core features of the product, the
FSP may be allowed to impose fees and charges on additional and/or value-added services
offered

Principle 6: For deposit products and services where protection is already accorded under
the basic banking services framework, market forces will determine the pricing of similar
products and services

6.5.3 Applications for New Fee or Fee Revision

a) To write to BNM using the format under the Guidelines, explaining the justification for
the imposition of, or increase in, fees and charges, conditions under which these fees
may be imposed and the mode of disclosure of such fees to existing and new
customers;

b) For Islamic financial products, to submit any proposed changes on the imposition of
fees and charges via the Product Approval and Repository System (PARS) after it is
endorsed by the respective Shariah committee; and

c) If BNM does not revert within 14 working days from the date of acknowledgement of
receipt of complete information, FIs may proceed to introduce the fees and charges.
Additionally, the customer must be informed of any revised fees at least 21 days before
the effective date.

6.5.4 Commitment Fee

a) A commitment fee of not more than 1% per annum on the unutilised portion of overdraft
and revolving credit facilities is allowed; and

b) A commitment fee on the unutilised portion of overdraft-i and revolving credit-i facilities
based on sales contract such as murabahah and tawarruq is not allowed.

6.5.5 Penalty Charges on Financial Products

a) A penalty rate of more than 1% per annum (on a daily rest basis) on the instalment
amount in arrears on conventional financial products (excluding credit card and hire
purchase loans) is not allowed;

b) The charges for late payment must not be added to the outstanding amount in arrears
for computing interest due; and

c) A penalty for late payment for Islamic financial products is subject to the Guidelines on
Late Payment Charges for Islamic Banking Institutions.

6.5.6 Disclosure Requirements

a) Publish in branches and on websites the rates of fees and charges imposed on
financial products and services offered to individuals and SMEs, including any changes;

b) Any changes to the fees and charges of any products and services shall be
communicated to the relevant customer at least 21 days before the changes occur to
allow customers to make any adjustments to banking arrangements; and

c) The automated teller machine (ATM) screen is required to display a message
prompting the ATM user on the charges applicable to each cash withdrawal
transaction (i.e. the relevant network charges).

6.6 Key Features of BNM Guidelines on Complaint Handling

6.6.1 Introduction

Effective February 2010, the Guidelines provide requirements for fair and efficient complaint
handling in consumer protection and retention to avoid costly and time-consuming consumer
dispute resolution and redress mechanisms.

6.6.2 Key Requirements

1. Complaints Handling Unit

Mandatory requirements
▪ establish a centralised platform for lodging a complaint and to assist customer in
pursuit of redress or resolution of a complaint
▪ establish a dedicated complaints unit for referring customer complaints, either in person
or in writing, via the telephone, fax or e-mail
▪ dedicated officers responsible for handling complaints

Best Practices
▪ staff handling complaints are equipped and empowered to act decisively to resolve
complaints, i.e. supported by clear lines of authority and decision making that are flexible
enough to handle complaints effectively and authoritatively.
▪ staff handling complaints must have the necessary knowledge and experience in the
relevant area of services provided by the FSP
▪ senior management is expected to play a key role in complaint management governance
and operations
▪ appoint a Customer Advocate in the organisation to provide an independent and
impartial approach to the resolution of customer complaints and disputes

2. Complaints Procedures

Mandatory requirements
▪ have in place appropriate and well-documented complaint handling procedures
▪ all complaints received either through letter, complaint form, e-mail or telephone must be
channelled to the centralised complaints unit
▪ have in place fair and effective policies and procedures for complaint resolution including
consistency with Shariah requirements for Islamic products and services
▪ staff must be trained to ensure sufficient understanding of and compliance with the
complaints procedures as well as to treat customers in a courteous manner

Best Practices
▪ Complaint procedures should be simple and clear, involving as few steps as possible

3. Accessibility

Mandatory requirements
▪ a complaint handling process should be easily accessible to all customers
▪ must publish information on premises and website on how to make a complaint, and its
complaint handling procedures
▪ have in place fair and effective policies and procedures for complaint resolution including
consistency with Shariah requirements for Islamic products and services
▪ staff must be trained to ensure sufficient understanding of and compliance with the
complaints procedures as well as to treat customers in a courteous manner
▪ details of the complaints unit (including the name, department, dedicated customer service
telephone number and e-mail address of its dedicated officers) must be displayed on the FSP’s
website, including in its contract, agreement or policy document with its customer, with any
changes to be updated to BNM

Best Practices
▪ The FSP should set up service counters at each branch and dedicated ‘hotline’ telephone
number for complaints
▪ The FSP should also appoint designated officers to handle complaints at every branch, if
appropriate

4. Responsiveness

Mandatory requirements
▪ Each complaint must be addressed in an equitable, objective and timely manner,
including establishing timelines for handling complaints
▪ must ensure that a customer receives prompt acknowledgement of any complaint, and the
name of the FSP’s contact person and when the customer can expect to receive a response
▪ the customer must be informed of the decision within specific timelines:
✓ no later than 14 days from the date of receipt of the complaint
✓ not later than 30 days from the date the complaint was first lodged if further
investigation is required, where the customer is informed of the delay.
✓ updates on the progress of the case to the customer at least on a monthly basis, if a
decision cannot be made within the 30 days due to the need to obtain material
information or document from a third party

Best Practices
▪ The FSP’s communication approach when handling complaints should be clear and
constructive
▪ On a regular basis, an independent party within the FSP such as the internal audit
department should conduct a review on the effectiveness of its complaints handling function
▪ Regular assessment by senior management on complaint handling process and outcomes
will assist in improving the quality of complaint handling

5. Decision and Referral
Mandatory requirements
▪ Upon completion of any investigation into a complaint, the decision should be communicated to the
customer immediately either by letter, email or other acceptable means
▪ The decision should:
✓ clearly explain the basis of the decision and that the complaint has been properly investigated and
considered
✓ provide clear and accurate information about the next stage of complaint process, so that the
customer may pursue the next course of action including appeal to BNM or FMB (now FOS)
▪ Customers to be further notified of:
✓ the services of the Credit Counselling and Debt Management Agency (CCDMA) for complaints
involving restructuring of loans
✓ the services of the Small Debt Resolution Committee (SDRC), if eligible, for complaints
involving restructuring / rescheduling of loans of the small and medium scale enterprises (SMEs)

6.7 Key Features of BNM Guidelines on Fair Debt Collection Practices

6.7.1 Introduction

The Guidelines ensure the orderly conduct of debt collection practices by the financial
institutions.

6.7.2 Key Requirements

a) Authorisation document must be provided to external debt collection agencies where
authorisation cards are issued to their debt collectors;

b) Customer information provided to debt collectors is clear and accurate;

c) Written notice to borrowers must be given at least 7 days in advance containing
relevant particulars and details;

d) Accurate record-keeping on collection of payments received by the debt collectors;

e) Debt collectors are prohibited from violence or harassment, intrusion of
privacy, misleading the debtor, recovery of debt from third parties, etc.; and

f) Financial institutions remain accountable:

i) to customers for any complaints against their debt collectors
ii) for ensuring debt collectors adhere to the regulated practices

6.8 Key Features of BNM Guidelines on Introduction of New Products

6.8.1 Introduction

Effective March 2014, the Guidelines set out the applicable regulatory procedures
and expectations regarding the management and control of risk associated with the
development, offering and marketing of new financial products and services by FIs. They also
address the responsibilities of FIs towards consumers in ensuring that products sold or
recommended are suitable, and that consumers are clearly and fully informed of the nature
and risks associated with these products.

6.8.2 Key Requirements

a) General product governance:

i) The board of directors (board) and senior management of an FI are responsible
to ensure that product risks are well managed, and the needs and rights of
consumers are appropriately addressed
ii) The chief risk officer or other designated senior risk officer identified by the FI
shall be responsible for determining whether a combination of a product and any
existing or new product or variation to an existing product constitutes a material
change for the purpose of the definition of “new product”
iii) For Shariah-compliant products, the Shariah Committee should be consulted in
assessing whether the proposed variation which would result in a material
change would give rise to any Shariah issue.

b) New product governance:

i) The new product must fall within the ambit of banking business, investment
banking business or Islamic banking business, as appropriate, or other permitted
activities/business
ii) The FI has the capacity to adequately manage and control the risks associated
with the new product, including the financial capacity to support existing and new
product lines
iii) The FI must not knowingly offer a new product that has been prohibited in other
countries and which may potentially give rise to public concerns. This
requirement does not apply to Shariah products which have been approved by
the SAC.
iv) In offering its new product, the FI must comply with all necessary approvals
and/or any other applicable regulatory requirements, including other related
policy documents issued by BNM as well as regulatory requirements issued by
the SC
v) An FI that offers new Shariah-compliant products shall ensure a sound and
robust Shariah governance framework is in place that includes a comprehensive
end-to-end Shariah-compliant product development and implementation process

c) New Shariah-compliant product governance:

i) the product (including its accompanying documentations) must be approved by
the FI’s Shariah Committee
ii) the product’s underlying Shariah contract, structure and features must be similar
to the products that have been approved by the SAC of BNM
iii) the product must be consistent with the SAC resolutions

d) “Launch and file” system

i) The submission of information to the Bank shall be signed off by the Chief
Executive Officer, Chief Risk Officer or Chief Operating Officer
ii) The submission requirements are not applicable to:
• new products related to bankers’ acceptances, repurchase transactions,
securities borrowing and lending programmes under RENTAS and asset-
backed securities, which shall comply with the submission requirements (if any)
under the related policy documents
• where the FI is engaged in the distribution of financial products originated by
another FI under a permitted outsourcing arrangement or strategic partnership
as approved by BNM
iii) The “launch-and-file” system is not applicable to the following new products:
• products involving innovative structures that are being introduced in the
Malaysian market for the first time
• Shariah-compliant products that require the SAC resolution which:
✓ involve the application of a new Shariah contract in the Malaysian market;
or
✓ are a combination of two or more products that were previously approved
on a stand-alone basis or constitute a variation in an existing Shariah-
compliant product that attract Shariah issues that have not been
deliberated by the SAC
• investment products that may potentially expose a consumer to losses
exceeding the principal amount invested
• designated payment instruments (DPI) and designated Islamic payment
instruments (DIPI) which require prior BNM’s approval
• Except for DPI and DIPI, submission for new product via the ‘Product Approval
and Repository System’ (PARS), is subject to the information as per Appendix
3, proposed capital and accounting treatment for the new product and the
SAC approval for product not yet deliberated by the SAC
• For Shariah-compliant products that require the SAC resolution, to facilitate
the deliberation process by the SAC, FIs are required to submit information, 3
weeks before the next SAC meeting date

6.8.3 Product Risk Management

a) Have in place appropriate policies and procedures to prudently manage risks
associated with the products it offers and to manage its responsibilities to consumers:

i) must be commensurate with the complexity of risks associated with the products
offered by the FI and designed to identify and control product risk across the
value chain, including the stages of product development, authorisation and
governance, pricing, marketing, sale, distribution, portfolio management,
accounting and on-going service and maintenance
ii) For retail financing products, to comply with all the requirements as per the Risk-
Informed Pricing policy document related to the pricing strategy and practices

iii) shall be formally endorsed by the board, properly documented and must be
communicated by the FI in a timely manner to all relevant parts and levels within
the organisation and periodically reviewed by the FI in the light of changing
circumstances.

b) The management of product risks must be well integrated within the FI’s overall
governance framework and risk management system to align with the FI's business
objectives, and consistent with its capability and capacity to manage associated risks.

c) Ensure the adequacy and security of the IT systems and infrastructure to support their
product suites by performing proper assessments on the IT-related risks, which include
strategic, compliance, system support, operational, security, business resumption and
reputation risks.

d) On-going monitoring and control of product risk

i) provide for the ongoing identification, measurement and mitigation of existing and
potential risks inherent in the FI’s product offerings, including:
▪ clearly defined responsibilities within business lines for managing product risks
within approved parameters/limits
▪ clearly delineated lines of responsibility for monitoring and controlling risk by
control functions that are independent of business lines
▪ adequate systems for measuring risk on a continuing basis
▪ regular reviews of identified risk exposures in the light of changing market
conditions not previously factored in to ensure that all material risks are
identified and monitored
▪ adequate coverage of the internal audit function to ensure the timely
identification of internal control weaknesses, adherence to regulatory
requirements and internal policies and procedures, and proper accounting and
capital treatment
▪ comprehensive and regular reports to the board and senior management on
the overall effectiveness of policies and procedures for managing product
risks, current assessment of product risks and any change in the direction of
risk, material changes in market conditions that may impact the product risk
profile going forward and internal control breaches and weaknesses

6.8.4 Establishment of Product Management Programme

a) Supports product risk management:

i) reflect the FI’s corporate strategy, competitive positioning and risk/reward
philosophy
ii) relate the product strategy (e.g., considerations that influence the nature and
timing of new product innovations) to the FI’s consumer relationship philosophy
iii) define parameters for the authority which approves new products or material
variations to existing products, including the circumstances under which such
authority may be delegated
iv) establish restrictions and/or prudent concentration limits for exposures to
geographic regions, product lines, distribution channels, economic sectors,
consumer groups or any other relevant risk dimension
v) establish lines of responsibility for managing related risks

vi) establish internal communication flows to ensure that new product offerings are
fully integrated throughout the FI’s line functions

b) Product approval:

i) all new products must be approved by senior management and/or the board as
appropriate
ii) supported by internal review and documentation:
• the new product proposal is consistent with the FI’s product management
programme
• systems and procedures are in place to manage related risks and consumer
expectations
• both frontline and back-end staff are adequately trained to support the new
product
• product illustrations and marketing strategies are appropriate and not misleading
iii) Relevant information for approval:
• the objective of introducing the new product, target consumers and a
description of strategic alliance arrangements (if any)
• the key features of the new product, method of distribution and samples of the
term sheet and promotional material
• a quantification of the new product’s financial impact, including financial
projections based on the target take-up rate and expected market share, risk-
adjusted returns, sensitivity of projections to changes in market conditions,
and whether adequate capital has been provided for the new product, for both
internal and regulatory capital purposes
• an assessment of the potential risks associated with the new product,
including exposures to money-laundering risk, and how these risks will be
measured, monitored and controlled
• an assessment of the appropriateness of the new product for the targeted
consumer groups
• an assessment of the skills, expertise and resources required to sell and
manage the new product throughout the pre-, during and post-contractual
stages
• a description of related accounting and tax implications attached to the new
product, highlighting in particular accounting or tax treatments on which the
success of the new product will hinge, or which will materially alter the new
product’s risk-return profile
• whether the new product fully complies with applicable legal and regulatory
requirements or restrictions, including a description of any unresolved legal or
regulatory issues

c) Shariah-compliant product development process to avoid being nullified on Shariah
grounds:

i) appropriate processes have been established to ensure proper Shariah governance
and compliance with all Shariah requirements as prescribed under the “Shariah
Governance Framework for Islamic Financial Institutions”
ii) all Shariah issues are thoroughly researched prior to the deliberation by the Shariah
Committee and the certification by the Shariah Committee must be backed by the
relevant fiqh literature, evidence and reasoning
iii) there is an effective process in place to monitor Shariah compliance of products on
an ongoing basis

6.8.5 Business Conduct

a) Financial institutions shall give due regard to the interests of consumers in the
development, marketing and sale of new products:

i) covers both pre-product approval (i.e. process of product structuring and
developing prior to introduction to the market) and post-product approval process
(i.e. process after the product has been offered to the customers and transactions
have been carried out)
ii) new policies and procedures:
✓ approved by the Board
✓ regarding product offerings and sales activities shall be aimed at mitigating
reputational risk and safeguarding the financial institution from liability under
applicable anti-fraud and fair practice laws and regulations
✓ specifically contain:
• explicit consideration of consumer-related issues and implications is
incorporated within the product development and authorisation stages
• consumers are fully informed through appropriate disclosures of the key
features, terms, conditions, relevant Shariah principles (where applicable) and
risks associated with the new product
• the new product is appropriate for the target group of consumers taking into
consideration their broad needs and risk appetite
• fees and charges imposed on the consumer are equitable and in the case of
Islamic financial products, the basis for determining the fees comply with
Shariah rulings
• staff involved in sales are suitably trained in the products offered, in particular
investment products, to properly advise consumers
• compensation arrangements for sales staff do not induce an excessive bias
towards high revenue-generating products that are likely to result in unsuitable
product recommendations or sales to consumers
• adequate and effective controls are in place to prevent contravention of
relevant provisions of laws relating to customer information
• an adequate and effective system for resolving and monitoring consumer
complaints is put in place, and consumers are provided with information on
where and how to lodge a complaint

iii) regular reports by the relevant business lines shall be provided to senior
management on trends in the volume and nature of complaints against the
financial institution, and actions as well as the time taken to deal with complaints
iv) develop customer suitability procedures for investment products within the
product range, in particular non-conventional and sophisticated investment
products to ensure that these products are only sold to suitable customers:
• the customer has a practical understanding of the features of the product and the
investment risks assumed
• the product would meet the customer’s investment objectives and horizon
• the product is consistent with the customer’s appetite for risk

• Components of effective customer suitability procedures include:
✓ processes that clearly describe the types of consumers that a product
would generally be suitable for
✓ clear lines of authority for approving transactions with customers that do not
meet generic customer suitability categorisations
✓ sales personnel who are suitably trained to properly analyse customers’
needs and risk appetites
✓ effective supervision of personnel involved in sales
✓ appropriate documentation and record-keeping to facilitate reviews of
compliance with approved procedures
✓ shall not recommend products to customers unless it is reasonably satisfied
that the product is suitable for the particular customer on the basis of
information sought and obtained from the customer. Greater due diligence
is expected for new and retail customers

6.8.6 Reporting Requirement

The board is required to submit an annual attestation to BNM by 30 June of each year that
the requirements of the policy document have been met throughout the reporting period.

6.9 Key Features of BNM Guidelines on Prohibited Business Conduct

6.9.1 Introduction

Effective July 2016, the Guidelines serve to complement the prescribed prohibited business
conduct as set out in Schedule 7 of the FSA or IFSA or the Second Schedule of the DFIA.
Prohibited business conduct is conduct deemed to be unfair to consumers.

6.9.2 Key Guidance

a) Engaging in misleading or deceptive conduct:


i) the tendency or capacity to mislead or deceive financial consumers in relation to a
financial service or product
ii) in determining such misleading or deceptive conduct, BNM to consider:
▪ whether the standards on product transparency and disclosure, and proper
advice practices are met
▪ the circumstances in which the alleged misconduct occurred, for example, the
manner in which information was communicated to financial consumers, and
whether it was appropriate to the level of financial knowledge and
understanding of the person receiving the information
iii) refer to the examples of misleading or deceptive conduct as provided under the
Guidelines

b) Exerting undue pressure or influence:


i) involves the abuse of authority, harassment or threat which limits customers’
freedom in making informed financial decisions. This relates to the sale or
provision of financial services or products, as well as in the collection of
payments from financial consumers
ii) in determining such conduct, BNM to consider:
▪ the timing, location, nature or persistence of the conduct
▪ any use of threatening/abusive language or behaviour
▪ whether there was any exploitation of a specific misfortune or circumstance of
the financial consumer that may impair the financial consumer’s judgment to
the FSP’s advantage
▪ any threat made to take actions that legally cannot be taken
iii) refer to the examples as provided under the Guidelines

c) Demanding payments for unsolicited financial services or products:


i) financial services or products are deemed unsolicited if such services or products
are provided to a financial consumer without any request made by the financial
consumer
ii) in determining such conduct, BNM to consider the manner in which an agreement
to purchase a financial service or product is obtained from a financial consumer,
notwithstanding any purported acceptance by the financial consumer
iii) refer to the examples as provided under the Guidelines

d) Coercing financial consumers to acquire a bundled product:


i) in determining such conduct, BNM to consider:
▪ the price, cost structure or components of individual unbundled financial
services or products
▪ whether consumers consistently choose the bundle over the individual
financial services or products, even for consumers who only indicate interest
in an individual financial service or product which can be separately purchased
▪ the price of comparable individual financial services or products sold by other
FSPs
ii) refer to the examples as provided under the Guidelines

e) Colluding to fix features or terms to the detriment of financial consumers:


i) an FSP is regarded to be engaging in prohibited business conduct if it colludes in a
way that impacts financial consumers negatively, whether financially or non-financially
ii) in determining such conduct, an arrangement that results in significant benefits
to financial consumers may not be considered as prohibited business conduct
iii) refer to the examples as provided under the Guidelines

6.10 Key Features of BNM Guidelines on Responsible Financing

6.10.1 Introduction

Effective May 2019, the Guidelines ensure the FSPs adopt responsible financing practices in
dealing with retail consumers to support informed decision making by such consumers. Only
financial products suitable to the consumers’ financial circumstances and interests are
allowed to be offered. The exception to the effective date is paras 12.8 to 12.16 (BNM
Guidelines on Responsible Financing), which came into effect in August 2019.

The Guidelines cover retail financing products such as home financing, personal financing,
overdraft facilities, vehicle financing, credit and charge cards and financing for the purchase
of securities including units of funds managed by Amanah Saham Nasional Berhad and other
unit trusts. Application of the Guidelines is, however, optional for employee financing facilities.

6.10.2 Key Requirements

a) Suitability and affordability assessment:


i) Applies to each new and additional financing facility it offers
ii) ensure that a financing product sold suits the customer’s needs, circumstances
and affordability (if the amount and terms allow the customer to reasonably meet
the repayment obligations in full throughout the course of financing, without
recourse to debt relief or substantial hardship)

b) Computing Debt Service Ratio (DSR):


i) the DSR computation complements the FSP’s other lending decisions such as a
customer’s repayment history and credit scores for affordability and vulnerability
assessments
ii) The DSR computation shall be as follows:
DSR = (All outstanding debt repayment obligations from banks and nonbanks
+ the new financing instalment) / (Income after statutory deductions,
i.e. tax, EPF, SOCSO)
iii) reliable income sources and amount should be enquired to determine the DSR
iv) set a prudent level of DSR to be applied in their financing decisions that allow
sufficient buffers for expenditures and contingencies, having regard to the
relevant circumstances of a customer
v) assess affordability by taking into account DSR notwithstanding any collateral
that may have been pledged by a customer

c) Checking Debt repayment obligations

i) conduct a comprehensive check on a customer’s overall indebtedness by


obtaining information on the customer’s outstanding debt obligations, including
secured and unsecured financing from all FSPs and other non-bank entities that
provide credit facilities (e.g. co-operative societies, building societies, credit
companies and merchants that provide credit sales):

• check the Central Credit Reference Information System (CCRIS) for customer’s
outstanding debt obligations and repayment history
• make specific inquiries from the customer regarding the customer’s financing
from entities not covered by CCRIS, if any. Any information obtained here from
the customer may be relied on a best-effort basis
ii) customer to be informed of the need to disclose essential and correct information in
the financing application as well as the consequences of providing incomplete or
incorrect information
iii) for financing application, the amount included in the debt repayment obligations
shall reflect the scheduled repayment of principal and interest or profit (including
any fees and charges included in the financing amount); where discounted
interest or profit rates apply in the early part of a financing plan, the highest
applicable rate of interest or profit shall be used
iv) For high net-worth customers (i.e. customers with total net personal assets
exceeding one million Ringgit), flexibility is provided to consider the customers’
deposits, assets and/or investments in assessing the customers’ ability to repay
the financing
v) the basis for a financing decision shall be properly documented and supported
with information relevant to the decision

vi) Setting tenure of financing:


▪ if the financing tenure extends into retirement, the rate of accumulation of
EPF, pension provisions or contracted annuity payments may be considered
▪ for vehicle financing, the tenure of financing shall not exceed 9 years
▪ for home financing, the tenure of financing shall not exceed 35 years

d) Marketing and disclosure:


i) to be read with the disclosure requirements on loan and financing products in the
Guidelines on Product Transparency and Disclosure
ii) ensure that advertisements and promotional materials on financing products are
clear, fair and not misleading or deceptive
iii) ensure that its sales and marketing staff and representatives pay due regard to
the interests and circumstances of a customer by inquiring into the customer’s
financial requirements and financial situation to ensure that the financing
product offered is suitable in meeting the customer’s needs:
• clearly explain to customers or ask them to read key terms affecting the
obligations of the customer, the impact of an increase in financing rate on the
monthly instalment and total repayment amount, fees and charges that the
customer may incur and whether the fees and charges are one-off or recurring,
the customer’s responsibility and obligations and consequences of defaulting on
any repayments, for example, possibility of an increase in financing rate,
penalty charges, impaired credit profile and foreclosure of property
• provide customers a reasonable opportunity to read the pre-contractual
information and make enquiries about the financing product without any
harassment, undue pressure or inappropriate enticement into signing up for a
financing product
• provide customers with information about the “Program Pengurusan Wang
Ringgit Anda” or “POWER!” offered by Agensi Kaunseling dan Pengurusan
Kredit and encourage customers to attend the programme
• do not contact customers at unreasonable hours and shall ensure that
telemarketing staff and representatives identify themselves and inform
customers the purpose of the call and the FSP being represented

• be properly trained in the key features, risks and critical terms of financing products
iv) provide a product disclosure sheet (PDS) to facilitate comparison and decision-
making by customers:
• at the point of entering into the financing contract if there is any material change
in the information
• alert customers on the importance of reading and understanding the PDS
• clearly disclose in the PDS the effective annual financing rate and any
applicable fees and charges
• draw customers’ attention to the total repayment amount and total
interest cost or profit as contained in the PDS to facilitate comparison with
similar products offered by other FSPs
v) establish and maintain remuneration policies and procedures that promote fair
and responsible conduct by its sales and marketing staff and representatives
vi) deal firmly and expediently with any mis-selling of financing products, including
actions to provide appropriate remedies to affected customers

e) Imposing type/quantum of fees and charges:

i) to comply with the Guidelines on Imposition of Fees and Charges on Financial Products
and Services, Guidelines on Late Payment Charges for Islamic Banking Institutions and
Guidelines on Ibra’ (Rebate) for Sale-Based Financing
ii) early termination fee imposed on a customer for repaying or paying the financing, in part
or in full, during the lock-in period shall reflect a reasonable estimate of the costs to be
incurred by a FSP as a direct result of early termination, including:
▪ costs that have not been recovered because a financing contract with
discounted rate during the lock-in period is terminated early
▪ initial costs that have not been recovered (e.g. for zero moving cost products)
▪ to exclude loss of profit that would have been received if the financing
continues until the end of the lock-in period or the end of the financing tenure
and marketing and other costs associated with obtaining new customers
iii) charges for late payment must not be added to the outstanding amount in arrears for
computing interest or profit due; payments made shall first be allocated to clearing
any instalments due (principal and interest or profit) before any fees and charges
iv) comply with the debt collection requirements as contained in the circular on Fair Debt
Collection Practices:
▪ ensure that a customer who is unable to meet his repayment due to illness,
unemployment or other reasonable cause, is treated fairly and with due
consideration:
✓ contact a customer promptly upon detecting signs of repayment difficulty
and discuss alternative repayment measures to address financial difficulties
speedily and appropriate to a customer’s changed circumstances and
financial situation with the aim of resolving genuine repayment difficulties of
the customer
✓ customer to be given adequate information to understand the implications of
any proposed repayment arrangement; an alternative repayment plan shall not
unreasonably increase the payment obligation of and financial difficulty
facing the customer
✓ a financing facility that is in arrears (excluding credit card and hire purchase
financing) shall not be repriced and revised unless there is a change in the
credit risk profile or creditworthiness of the customer during the tenure of
the financing facility

✓ customer shall be alerted of possible recovery actions if he/she continues to
be in default, such as legal and foreclosure proceedings, and that the
related costs will be borne by him/her
✓ foreclosure on a customer’s property shall generally only be initiated when
other reasonable attempts to reach a resolution have been unsuccessful
✓ customer to be allowed to conduct a private sale before foreclosing if there
are favourable prospects for a private sale to be concluded more
expeditiously and this benefits efforts to resolve the customer’s
indebtedness
v) provide a dedicated point of contact for customers facing repayment difficulties to seek
assistance

6.11 Key Features of BNM Guidelines on Management of Customer Information and
Permitted Disclosure

6.11.1 Introduction

Banking secrecy is the cardinal principle of the banker-customer relationship in safeguarding
the confidentiality of all matters related to customer information in the custody of a bank.
Except for permitted disclosures, the FSA and IFSA strictly prohibit unauthorised disclosures
of customers’ information at all times. In this regard, the Guidelines impose a high standard
of confidentiality and care in handling customer information including controls against theft,
loss, misuse or unauthorised access, modification or disclosure. This is to secure public trust
and confidence in their banking affairs along with mitigating potential reputational damage to
financial institutions.

FIs are also subject to the Personal Data Protection Act (PDPA) 2010, being users of
personal information collected from their financial customers. The sharing of such information
with third parties, for marketing purposes or otherwise, requires explicit consent from their
customers.

6.11.2 Key Requirements

a) Governance:
i) The Guidelines must be applied in a manner commensurate with the size, nature and
complexity of the FSP’s operations, the amount and sensitivity of customer
information held as well as the potential impact on the FSP and its customers in
the event of a customer information breach

b) Board:
i) set the tone-at-the-top on the importance of safeguarding customer information
and potential consequences in the event of a customer information breach
ii) approve the policies and ensure satisfactory procedures and controls for the
effective confidentiality and security of customer information
iii) require annual assurance from senior management on the effectiveness of
customer information protection

c) Senior management:
i) responsible for establishing and implementing procedures for effective systems and
controls to safeguard customer information
ii) designate the chief data officer or chief information officer or other senior officer
to oversee overall controls, including policy communication and liaising with key
stakeholders for compliance with customer information policies and procedures
iii) place the responsibility in preserving the confidentiality and security of customer
information on the business and functional lines as well as appointed
representatives and agents with relevant training
iv) ensure an independent review is carried out at least once in every two years on
the effectiveness of policies, procedures and control measures in protecting
customer information
v) must notify the board upon detection of customer information breaches,
depending on the nature of the breach and sensitivity of the customer information
and to also report to the board on the findings of the investigation of such
breaches

6.11.3 Control Mechanism

a) Risk assessment
i) identify internal or external potential threats and vulnerabilities that could result in
theft, loss, misuse or unauthorised access, modification or disclosure by
whatever means
ii) assess the likelihood that such threat and vulnerability will materialise and the
potential impact it will have on the FSP and its customers in the event a customer
information breach occurs
iii) The risk assessment must be proportionate to the size, nature and complexity of
the FSP’s operations as well as the amount and sensitivity of customer
information held
b) Policies and procedures
i) have in place readily accessible and clearly communicated updated written policies
and procedures to safeguard customer information, which cover collection, storage,
use, transmission, sharing, disclosure and disposal of customer information
ii) appropriate to the FSP’s size, nature and complexity of the FSP’s operations and
the amount and sensitivity of customer information the FSP handles, covering:
• off-site work arrangements that allow access to customer information in the
FSP’s systems
• handling and transporting physical documents containing customer information
outside the FSP’s premises
• the use of portable IT equipment and data storage devices
• customer information breach incident handling

c) Information and communication technology (ICT) controls


i) deploy preventive and detective ICT controls to prevent theft, loss, misuse or
unauthorised access, modification or disclosure of customer information and to detect
errors and irregularities when they occur
ii) regularly monitor the effectiveness of these controls to ensure that they remain
responsive to changing threats including off-site work arrangements involving staff,
representatives or agents using ICT equipment to access into FSPs’ systems and customer
information

iii) information access control:
▪ staff with a legitimate business need to download customer information are to use
portable storage devices provided by the FSP, protected with a password and
data encryption
▪ access to call recordings strictly on a “need-to-know” basis for recorded
telephone conversations with customers that contain customer information
▪ consider disabling USB ports and CD writers on desktop and laptop
computers of staff who do not have any operational need to download,
transmit or store customer information
▪ restrict access to web-based communication websites and social media
platforms, particularly those which are encrypted from end-to-end for staff who
handle customer information, to prevent unauthorised disclosure of customer
information to external parties via internet services
▪ identify the location of customer information residing in different systems and
ensure that adequate access controls are in place at different levels
iv) implement mechanisms for the prompt detection of:
▪ unauthorised access to customer information
▪ unusual frequent viewing of customer information in the FSPs’ systems by
staff
▪ unusual or suspicious downloading activities that involve customer information
▪ unauthorised disclosure of customer information to external parties
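
The four detection items listed under c) iv) can be expressed as rules over an access log. The following Python code is an added example, not part of the Guidelines or the original chapter; the log fields, entitlement map, thresholds and domain names are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy inputs (hypothetical values): an FSP would derive these from
# its own entitlement records and risk assessment.
ENTITLED = {
    "s001": {"C100", "C101", "C102"},
    "s002": {f"C20{i}" for i in range(10)},
    "s003": set(),
}
APPROVED_DOMAINS = {"bank.example"}   # destinations allowed to receive customer data
VIEW_WINDOW = timedelta(minutes=10)   # sliding window for viewing frequency
MAX_DISTINCT_VIEWS = 5                # distinct customers per staff per window
MAX_EXPORT_ROWS = 500                 # rows per export before it counts as unusual
BUSINESS_HOURS = range(8, 19)         # 08:00 to 18:59

# Constructed sample events: (time, staff, action, customer, detail).
# detail = rows exported for "export", destination domain for "send".
EVENTS = [
    ("2024-03-04 09:01:00", "s001", "view", "C100", None),
    ("2024-03-04 09:05:00", "s001", "view", "C101", None),
    ("2024-03-04 09:10:00", "s001", "view", "C205", None),   # outside s001's entitlement
    *[(f"2024-03-04 10:0{i}:00", "s002", "view", f"C20{i}", None) for i in range(7)],
    ("2024-03-04 11:00:00", "s003", "export", None, 40),
    ("2024-03-04 11:30:00", "s001", "send", "C100", "bank.example"),
    ("2024-03-04 11:35:00", "s001", "send", "C101", "webmail.example.net"),
    ("2024-03-04 22:40:00", "s003", "export", None, 5000),   # large and after hours
]


def detect(events):
    """Return (time, staff, rule) alerts for the four detection items."""
    alerts = []
    recent = defaultdict(deque)   # staff -> (time, customer) views inside the window
    in_burst = set()              # staff already alerted for the current viewing burst
    for ts, staff, action, customer, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # 1. Unauthorised access: record touched outside the staff member's entitlement.
        if customer is not None and customer not in ENTITLED.get(staff, set()):
            alerts.append((ts, staff, "unauthorised_access"))
        if action == "view":
            # 2. Unusually frequent viewing: distinct customers in a sliding window.
            window = recent[staff]
            window.append((when, customer))
            while when - window[0][0] > VIEW_WINDOW:
                window.popleft()
            if len({c for _, c in window}) > MAX_DISTINCT_VIEWS:
                if staff not in in_burst:      # one alert per burst, not per view
                    in_burst.add(staff)
                    alerts.append((ts, staff, "frequent_viewing"))
            else:
                in_burst.discard(staff)
        elif action == "export":
            # 3. Suspicious download: bulk export or export outside business hours.
            if detail > MAX_EXPORT_ROWS or when.hour not in BUSINESS_HOURS:
                alerts.append((ts, staff, "suspicious_download"))
        elif action == "send":
            # 4. Disclosure to an external party: destination not on the approved list.
            if detail not in APPROVED_DOMAINS:
                alerts.append((ts, staff, "external_disclosure"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The viewing rule raises one alert per burst rather than one per record, which keeps the alert queue reviewable while a member of staff is still inside the same window.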

d) Other access controls:


i) regularly review the access rights of staff and immediately revoke the access rights of a
staff leaving the FSP or changing to a new role or position that does not require access to
customer information
ii) implement adequate physical security controls to restrict access to, and employ robust
intruder deterrents for, areas where large amounts of customer information are accessible and
stored
iii) consider implementing a clear-desk policy
iv) adequate controls to be put in place for the proper handling of customer information
collected off-site and in-transit
v) identify customer information that is no longer required for appropriate disposal
vi) outsourced agents:
▪ assess the risks and benefits of engaging an outsourced service provider for
the destruction of customer information which involves transporting customer
information outside the FSP’s premises
▪ conduct random checks on the collection and destruction process carried out
by outsourced service providers to ensure that customer information is
properly destroyed
▪ must shred or store customer information in a manner that is inaccessible
such as sealed in bags with tamper-proof fastener or stored in locked
containers before it is collected by outsourced service providers for destruction

e) Staff, Representatives, Agents and External Vendors’ Personnel


i) all staff:
▪ to sign a confidentiality undertaking that clearly specifies the obligation and
requirement of any written law to safeguard customer information as well as
the consequences for failure to comply with such obligation and requirement
▪ be provided with relevant and effective training, regularly reminded of
their obligations to properly handle customer information and alerted to the
possible actions that may be taken for non-compliance with policies and
procedures
▪ new staff to undergo a specific training to explain the relevant policies and
procedures on protecting customer information
ii) external vendors carrying out duties or services within the FSPs’ premises (e.g.
security guards, cleaners and maintenance officer/ engineer) must undergo an
appropriate level of vetting and monitoring on their personnel to reduce the risk of
customer information theft
iii) ensure a high degree of staff awareness at all times on the following:
▪ the need to protect the confidentiality and security of customer information
▪ the importance of complying with relevant policies and procedures established
by the FSP
▪ the consequences if staff is involved in any theft, loss, misuse or unauthorised
access, modification or disclosure by whatever means of customer information
iv) conduct an investigation upon detecting theft, loss, misuse or unauthorised
access, modification or disclosure by whatever means of customer information by
staff and take appropriate actions against the staff concerned. The result of such
investigation and actions taken must be reported to the board
v) FSPs shall remain accountable for the conduct and actions of their appointed
representatives and agents for any theft, loss, misuse or unauthorised access,
modification or disclosure by whatever means of customer information

f) Independent review:
i) carry out an independent review on policies, procedures and control measures
for safeguarding customer information at least once in every two years
ii) must include an assessment of the effectiveness of senior management and its
oversight as well as the adequacy and effectiveness of measures undertaken by
the FSP to protect customer information from theft, loss, misuse or unauthorised
access, modification or disclosure by whatever means
iii) the reviewer must communicate its findings to senior management and the board
iv) Based on the findings, senior management must ensure that appropriate and
timely actions are taken to rectify any deficiencies in the control measures

g) Customer information breaches:


i) must have in place a customer information breach handling and response plan in
the event of theft, loss, misuse or unauthorised access, modification or disclosure
by whatever means of customer information
• include escalation procedures and a clear line of responsibility to contain
the customer information breach and take remedial actions
• staff understands the escalation procedures and relevant staff are trained to
take the appropriate remedial action to a customer information breach
effectively to protect affected customers’ interests
ii) have in place a mechanism to identify customer information breaches including
those which arise from customer complaints and investigate the complaints
promptly and properly
• independent review is to be carried out by a function independent of the
business units involved in the handling of customer information, such as
internal audit
• take appropriate mitigating actions to contain a customer information breach
immediately

iii) assess the impact arising from the theft, loss, misuse or unauthorised access,
modification or disclosure by whatever means of customer information, considering:
• whether the breach involved accidental errors or intentional and malicious action
• the type and sensitivity of customer information involved
• the number of customers affected
• to whom the customer information was exposed
• the likelihood of the customer information being used for fraudulent or other
harmful purposes
iv) carry out an investigation to ascertain the root causes of a customer information
breach and determine appropriate remedial actions to prevent future recurrence
• must be carried out by a competent party, overseen by a party independent of the
business unit where the breach occurred
• must complete the investigation within three months upon detecting a customer
information breach, having regard to the complexity of the breach
• the investigation report must be signed off by a senior officer and submitted to
BNM the next day after the board tabling
v) circumstances of the breach:
▪ if the breach is likely to pose reputational risk to FSPs or a threat to public
confidence and trust, FSPs must notify BNM immediately upon discovery of the breach
✓ the customer information has been disclosed to a party suspected of being
involved in criminal activity
✓ it involves or is likely to involve a large number of customers due to system
failures or weaknesses
✓ the customer information has been made public or circulated via any
medium including social media
✓ it involves a customer known to the public, e.g. a celebrity or a public figure
or the breach is likely to attract media attention
▪ if the breach appears to involve fraud or criminal activity or may result in identity
theft, FSPs must also notify the relevant law enforcement agency
▪ if the breach affects a large number of customers, FSPs must assess the potential
impact and take appropriate actions to avoid or reduce any harm to the affected
customers
✓ making a public announcement to notify the customers promptly to regain
customers’ confidence
✓ providing contact details for customers to obtain further information or raise
any concern with regard to the breach
✓ providing advice to affected customers on protective measures against
potential harm that could be caused by the breach
vi) have in place a register to record all customer information breaches covering the
root causes, remedial actions and lessons learnt to prevent future recurrences

h) Outsourced service provider

i) must monitor the risks that may arise from OSPs whose functions involve the handling of
customer information
▪ perform adequate and relevant due diligence assessments when selecting an
OSP which has access to customer information, including for processing,
storing or disposing of customer information
▪ be satisfied that the OSP has in place policies, procedures and controls that are
comparable to those of the FSP, to ensure that customer information is
properly safeguarded at all times

ii) the obligation to safeguard customer information is adequately reflected in the
Service Level Agreement (SLA) with an OSP:
▪ undertake to safeguard the customer information and prevent any theft, loss,
misuse or unauthorised access, modification or disclosure by whatever means
▪ ensure the adequacy and effectiveness of its policies and procedures to
protect the FSP’s customer information
▪ conduct robust vetting on its personnel who handle customer information
▪ only allow its personnel access to customer information strictly for the purpose
of carrying out their functions
▪ ensure that its personnel understand and undertake to comply with the
prohibition on disclosure by whatever means of customer information to any
person for any purpose other than that which is specified in the SLA, permitted
under the written law or approved by BNM, as the case may be (including after
the end of the contract term)
▪ investigate any customer information breach to determine when and how the
breach occurred
▪ report any customer information breach to the FSP within an agreed
timeframe
▪ destroy or return all customer information to the FSP upon the expiry or
termination of the SLA
▪ allow the FSP to audit or inspect how customer information is safeguarded
iii) the OSP to sign a binding non-disclosure undertaking with regard to the handling of
customer information
iv) the OSP conducts training for its staff, at regular intervals, on relevant policies
and procedures relating to the proper handling of customer information and
reviews the adequacy and effectiveness of the training programme
v) must conduct a review of the OSP at least once in every two years to confirm that
the OSP fulfils its obligations in accordance with the contract provisions in
safeguarding the FSPs’ customer information
vi) must take reasonable steps to maintain accurate and complete records and a trail
of all customer information that has been shared with or given to the OSPs

i) specific permitted disclosure:


i) must comply with the conditions specified in the Guidelines:

Allowed information and conditions:

▪ Allowed information: an order or request made by an enforcement agency in Malaysia
under any written law for the purposes of an investigation or prosecution of an
offence under any written law
Conditions:
• request must be for specific customer and account details
• using given application forms format
• financial institutions to validate the request/order

▪ Allowed information: document or information is required by LHDN for the purpose of
Income Tax Act 1967
Conditions:
• written notice is received from LHDN regarding specific customer/account
• customer to be informed if any information is furnished to LHDN

▪ Allowed information: performance of outsourced functions
Conditions:
• in compliance with the Outsourcing Guidelines
• OSP to enter NDA to access the customer information

▪ Allowed information: disclosure to a consultant or adjuster engaged by the financial
institution
Conditions:
• strictly on the need-to-know basis
• limited to customer information in the Malaysian premises
• must enter NDA

▪ Allowed information: performance of any supervisory functions, exercise of any
supervisory powers or discharge of any of supervisory duties by a relevant authority
outside Malaysia which exercises functions corresponding to those of BNM under the
FSA or IFSA
Conditions:
• must be the foreign authority responsible for the financial group supervision of the FI
• no deposit account information disclosure
• notify BNM of any provision of information to foreign authority
• foreign supervisor to undertake to use the customer information for supervision
purpose and not share with any third party

▪ Allowed information: conduct of centralised functions, which include internal audit,
risk management, finance or information technology or any other centralised function
within the financial group
Conditions:
• strictly on the need-to-know basis
• the head office or holding company must be a regulated institution which is subject
to equivalent obligations under any law or regulation (in or outside Malaysia) which
protects confidentiality of customer information

▪ Allowed information: due diligence exercise approved by the board of directors of the
financial institution in connection with merger and acquisition, capital raising
exercise or sale of assets or whole or part of business
Conditions:
• only for named individuals responsible for the due diligence exercise and must be
time-bound
• subject to the NDA
• the information release is subject to the approval of BNM or MOF related to capital
raise or M&A exercises

6.12 Key Features of the Principles for a Fair and Effective Financial Market for the
Malaysian Financial Market

6.12.1 Introduction

The financial market is a critical component of the economy where it must function effectively
and provide a fair and competitive setting to earn the confidence and trust of market players.
The Principles are thus set out to achieve a financial market environment that is trusted,
competitive, resilient and best positioned to support the sustainable growth of the Malaysian
economy.

6.12.2 The Universal Principles

There are 5 universal principles for a fair and effective financial market. The principles and
the expected actions for implementation are as follows:

a) Universal adoption of best market practices by all participants to uphold the highest
standards of expertise, independence and conduct
i) Adopting the internationally accepted standards and best practices
• establish internal best practices or codes of conduct to be internalised and
demonstrated in day-to-day activities
• Market associations and accreditation and training bodies should become drivers
of best practices and standard setters of their industries

b) Full transparency and accountability in all aspects of market participation

i) The integrity of the financial market is important to ensure the activities are
conducted without any anomalies, emerging vulnerabilities and potential
breaches in market conduct
• employees to sign a document stating their accountability for all their actions and
decisions in the financial market
• any cases of misconduct or lack of transparency should be immediately reported
to the board of directors and senior management of the market participant, and
remedial actions should be swiftly taken for resolution
• practice truthful and transparent communications, including the disclosure of
actual and potential conflicts of interest and risks associated with the activities in
the financial market

c) Market outcomes result from a competitive environment, and are not driven by
collusive and manipulative activities
i) the financial market must be free from anti-competitive behaviours such as collusion
and price manipulation to promote an environment of trust and confidence
• prices are referenced to benchmark onshore rates and always reflect their true and
fair value, based on underlying economic fundamentals
• respect standards of confidentiality and non-disclosure and take effective
measures to prevent leakages of confidential information
• role of market authorities: set fair-play rules and regulations and provide deterrents
of misconduct in the form of legal repercussions, penalties, revocation of licenses
or employment and other deterrents

d) Good governance and due diligence are in place, supported by robust internal
surveillance and reporting mechanisms
i) embed within an organisation good governance and due diligence practices
• formalise a process at every level of the institution, from board approval
processes to front- and back-office operations
• have in place efficient and robust data capture processes for surveillance
and monitoring purposes to assist in the pro-active identification of risks
• establish proper escalation procedures and whistleblowing policies to detect
misconduct or conflicts of interest while ensuring that those who report
wrongdoings are adequately protected
e) Adherence to prevailing rules, regulations and market codes while extending full
cooperation to the authorities
i) comply with the rules, regulations and guidelines pertaining to market conduct
issued by the market regulators and submit any reporting required in a timely and
accurate manner

6.13 Key Features of BNM Code of Conduct for Malaysia Wholesale Financial Markets

6.13.1 Introduction

The Code sets out standards of market conduct and practices to maintain the
professionalism and integrity of the wholesale financial markets.

6.13.2 Key Requirements

a) Dealers and brokers

i) Eligibility requirements for dealers and brokers


• dealers and brokers must be licensed members of FMAM and abide by
membership rules of FMAM
• ensure the licensing requirements as well as other professional requirements
imposed by FMAM are met prior to appointing any person as a dealer or broker
respectively
• ‘Trainee dealers’ and ‘trainee brokers’ are not authorised to conclude a deal or
broke but can be assigned under a dealer or a broker to provide indicative
quotation to other market participants, make or receive calls from other market
participants and key-in concluded deals into the dealing system
• ensure any person who is, or is to be, employed as a dealer or broker fulfils the
fit and proper test
ii) Compliance declaration
• Dealers or brokers must declare compliance with this Code to the financial
institutions annually in the format specified by FMAM
iii) Execution of deals
▪ the management of an interbank institution or an approved money-broker
must ensure that its dealer or broker executes client orders based on the ‘best
execution’ principles
▪ whether acting in the capacity as a principal or an agent, a dealer is
encouraged to disclose the following information in order to allow a client to
make an informed decision on the transaction
✓ the prevailing liquidity and market conditions
✓ the associated risks of the transaction
✓ trading strategy of the dealer and how it would impact the execution
of the transaction
✓ fees and commissions applicable to the transaction
▪ a dealer must neither accept a client’s order that may indicate an attempt of
market manipulation nor enter a dealing with an intention to disrupt the market
▪ a broker (whether by way of voice-broking, broking through an electronic
broking platform, an aggregation provider or otherwise) is only permitted to act
as an intermediary or an arranger of deals
▪ a broker should facilitate the conclusion of transactions between principals on
terms that are agreed by the principals
▪ a dealer is encouraged to reconfirm material details when concluding a deal
through voice-broking to minimise the likelihood of a dispute
▪ ensure that any approved money-brokers or electronic trading platforms used
are duly approved or authorised by BNM

b) Prohibited conduct
i) market manipulation
▪ FSA/IFSA defines market manipulation as
✓ taking part in or carrying out a transaction that has or is likely to have the
effect of creating a rate which is an off-market rate which results in an
artificial rate for dealing in financial instruments in the money market or
foreign exchange market
✓ creating or causing anything that creates a false or misleading appearance
of active dealing in financial instruments in the money market or foreign
exchange market
▪ Other forms of market manipulation
✓ trading with an intent to benefit from influencing the closing price of a financial
instrument
✓ interfering with the normal supply and demand factors in the market for a
financial instrument, such as wash trades or stop loss hunting
✓ dealing without a legitimate or genuine trading and commercial intention
✓ colluding or manipulating in the calculation of a benchmark fixing rate
✓ bidding or offering with an intent to cancel the bid or offer before execution,
such as spoofing to mislead the market
✓ manipulating the price on an electronic trading or broking system by entering
prices without intent to deal, such as price flashing, in order to create false
impression of the market price or liquidity
ii) misinformation and rumour
▪ start and spread rumours to move markets or to deceive other market
participants
▪ discuss with any other person without care, unsubstantiated information which
is suspected to be false or materially misleading and damaging to third parties
iii) insider dealing
▪ circumstances that amount to insider dealing
✓ profit or seek to profit from insider’s information with intent or through
negligence
✓ provide any other person with such information to make a profit for their
institutions, clients or third parties with intent or through negligence
▪ market participants, who possess insider’s information, must not disclose such
information, except where the disclosure is required as a part of the course of
employment, required by laws or relevant supervisory authorities
iv) whistleblowing
▪ Market participants may whistle blow to BNM in good faith if they have
knowledge or information that a contravention of the Code has been
committed or is about to be committed

c) Responsibility to preserve a reputable, ethical and honest marketplace


i) Adoption of global best practices
▪ observe best market practices contained in “The Model Code” published by
ACI The Financial Markets Association apart from the applicable laws, rules,
and regulations in the jurisdiction in which financial market transactions are
undertaken
ii) Treatment of reference or fixing rate
▪ must not intentionally influence or attempt to influence a reference or fixing
rate, either by way of collusion or inappropriate sharing of confidential
information
▪ if engaged in a transaction executed against a reference or fixing rate must
not undertake dealings in the market that are intended to move the reference
or fixing rate in their favour and to the detriment of their clients
▪ interbank institutions engaging in transactions executed against a reference or
fixing rate must:
✓ ensure that prices are transparent to their clients in a manner which reflect
the risk to be borne in accepting such transactions
✓ establish and enforce internal policies and procedures for collecting and
executing fixing orders
▪ 19 Position Parking
✓ S 19.1 Market participants must not engage in position parking with a
counterparty
✓ G 19.2 Position parking occurs when two or more market participants agree
to conclude a deal that will be reversed on a future date with a view towards
concealing dealing positions or transferring profits and losses
iii) Offshore dealings of Ringgit products
▪ must not participate in offshore ringgit non-deliverable derivatives market,
including ringgit non-deliverable forwards (NDFs) or engage in any foreign
exchange dealings that could be deemed as facilitating non-deliverable ringgit
related dealings in the offshore market
iv) Dealing at non-current rates
▪ should avoid dealing at non-current rates where the transacted rate deviates
from an actual market rate at the time of execution and may result in
✓ concealment of a profit or loss
✓ perpetration of a fraud or tax evasion
✓ unauthorised extension of credit
✓ disorderly market pricing

▪ if the use of non-current rates is necessary, the management must


✓ put in place proper controls with clear audit trails for monitoring and
reporting of such dealings
✓ establish internal thresholds for determination of non-current rates
v) Dealing for personal account
▪ where dealing for personal account is permitted, the management must
ensure safeguards are in place to manage any potential conflict of interest and
to prevent insider dealing and front-running
▪ maintain confidentiality with respect to non-public price sensitive information
▪ specify the instruments that dealers can deal for personal accounts
▪ ensure dealers do not act in a way which might adversely affect the interests
of employer, clients or counterparties
▪ dealers must not deal with dealers from other institutions who are dealing for
their personal accounts instead of dealing for their employing institutions
vi) Dealing quotations
▪ Dealers and brokers must make clear whether their price or rate is firm or
merely indicative
▪ dealers quoting a firm price or rate must deal at the price or rate in a marketable
amount with an acceptable name which may include a list of counterparties
approved by the risk management unit of the institution
▪ dealers must not revise the firm price or rate when the name of the counterparty is
disclosed
▪ dealers and brokers must not make frivolous quotes which they have no intention
of honoring
vii) Entertainment and gifts
▪ must not offer entertainment and gifts which can be perceived as inappropriate
inducements to conduct business, nor solicit them from other market
participants
▪ formulate and enforce a policy for offering and accepting entertainment and
gifts, and ensure compliance of its employees to the Code

d) Sharing of information and transparent communications
i) Handling of confidential information
• treat information relating to the deals transacted or being transacted as confidential
and limit access to such information except with the explicit permission from the
parties involved or required by laws, a court of law or relevant supervisory
authorities
✓ ensure non-disclosure of confidential information, specifically when using
telephone loudspeakers, other telecommunication systems and discussions in
public domain including private chat channels
✓ employees are trained to identify and treat confidential information appropriately
as well as deal with situations that require anonymity and discretion
✓ employees must not reveal confidential information even following termination
of employment
• safeguard confidential information: a dealer or broker must not visit each
other's dealing rooms except with the explicit permission of the management of both
parties, and a dealer must not deal from a broker’s office
• not solicit confidential information from other market participants
✓ a market participant pressures another market participant to divulge confidential
information whether by way of inducement, threat or otherwise
✓ a dealer places an order with a broker to find out the name of the counterparty
and other information in order to conclude the deal with such counterparty or
any other person
✓ a dealer coerces a broker to divulge confidential information on a dealing which
is concluded by other counterparties
✓ brokers must not divulge the names of dealing counterparties prematurely until
both sides confirm an intention to transact
▪ Transparent communication
✓ identify and manage actual and potential conflict of interest that may
compromise or be perceived to compromise ethical or professional
judgement
✓ In enabling the client to make an informed decision regarding a transaction,
the disclosure of conflict of interest by market participants must state the
general nature of the conflict, the potential risks to the client due to the
conflict and the mitigation actions that have been taken to manage the
conflict

e) Traceability, auditing and record keeping


i) methods of communication
• communicate with other market participants through approved methods of
communication, including tele-conversation devices and messaging applications,
which allow for traceability, auditing, recordkeeping and access control in
accordance with the market participants’ internal standards of information
security
• put in place internal policies to retain records of the communication for a period
which reflects the terms and conditions of dealings that have been agreed and
the duration of dealings or in a manner as to enable the records to be properly
audited
ii) record keeping
• observe market practice to retain records of communication for at least two
months. However, records of communication for dealings in longer-term interest
rate swaps, forward rate agreements or similar instruments should be retained for
longer periods since errors may only be apparent in the future (e.g., the first
movement of funds)
• put in place controls on access to the records of the communication to prevent
their contents from being tampered with
• put in place clear policies to ensure any communication device without a
recording function, such as mobile phones, can only be used for dealing purpose
during emergency, disaster recovery situation or other circumstances as
approved by the management
iii) audit trail
• put in place procedures to allow an end-to-end transaction audit trail
• maintain complete and accurate records of all dealings, including the policies and
procedures in relation to the dealings, for a minimum period of seven years,
excluding the records of communication

f) Robust and clear policies, procedures and organisational structure

i) establish clear segregation of duties among front, middle and back offices
whereby authorisations and responsibilities are reflected by separate reporting
lines
• Dealers must not take part in the settlement of dealings or have an influence over
the back-office operation
• The process of confirming dealings shall only be carried out by the back-office
staff who must be independent and separated from the officers who executed the
dealings
ii) put in place adequate processes and appropriate resources in the back office for
dealings confirmation
• put in place clear procedures to allow the back office to confirm dealings during
normal and unexpected situations within the stipulated timeline
• The back-office staff must only send confirmations to the authorised persons of
the counterparty
• All dealings must be confirmed in writing. Confirmation can only be done verbally
in circumstances where other methods to obtain written confirmation have been
exhausted. In the event of a verbal confirmation, such confirmation must be
recorded and accompanied with a written confirmation
iii) put in place security measures to safeguard the dealing area
• cover controls over access to dealing equipment (including electronic trading
or broking systems) and physical access to the dealing room, where
applicable
• review the security measures as and when reasonably required
• identify the staff who are authorised to deal after hours or engage in off-
premises dealings
• put in place internal policies for authorised persons which cover eligible
counterparties, types of dealings, dealing limits and prompt recording and
reporting of dealings
• brokers must not arrange deals outside their own premises

g) Internal governance and controls
i) must put in place robust internal risk management controls to continuously
identify, measure, monitor and mitigate risks in relation to treasury activities
▪ facilitates the timely and reliable reporting of risks and the integration of
information across the institution
▪ keep pace with any changes in the institution’s risk profile (including its
business growth and complexity) and the external risk environment
ii) compliance
• internal systems and controls are in place to ensure adherence of institution and
its employees to the Code and conduct on-going internal assessments on such
compliance
• Any findings or incidences of non-compliance must be immediately reported to
the management and related corrective measures undertaken, which records
must be maintained for up to seven years
iii) Internal Audit
• integrate market conduct risk into the risk-based assessment when formulating
audit plan where periodic internal audit must be conducted based on the audit
risk methodology to validate the quality and relevance of risk management and
compliance
• significant audit findings uncovered in the course of audit that would materially
affect the institution’s treasury activities and financial condition must be promptly
reported to the management with proposal on corrective measures. Must
maintain a record of the audit report for up to seven years
iv) Non-compliances
• report to BNM on non-compliance with the Code and audit findings that materially
affected the financial institutions’ treasury activities and financial condition
• initiate inquiry into a dealer or broker who is suspected of non-compliance with
the Code and take appropriate actions on such dealer and broker proportionate
to the severity of the non-compliance which may include suspension, non-access
by the dealers or brokers into the dealing room and restriction on dealing or
broking activities
• assist FMAM in assessing the member eligibility of a dealer or broker
• inform BNM and FMAM in writing within a week of the decisions to initiate an
inquiry into a dealer or broker for suspected noncompliance with the Code and
the conclusion of such inquiry, including any action taken against such dealer or
broker
• may lodge complaints with FMAM in accordance with the by-laws of FMAM if the
financial institutions have reasons to believe that their existing or former dealers
or brokers have contravened the Code
• disclose on the above if requested in writing by another market participant who
considers employing a dealer or broker currently or formerly employed with a
financial institution

h) Trade Surveillance

i) establish policy and system to monitor all dealings


• detect trends indicative of insider dealing and market manipulation or the
attempt of such behaviour (such as the monitoring of profit or loss spikes)
• maintain accurate dealing information by reconciling their own electronic
trading logs with records provided by their brokers or other counterparties, as
soon as practicable
• the staff working within trade surveillance is trained adequately to detect
patterns of dealing that suggest any market misconduct
ii) establish sufficient technical capacity and operational resources to ensure end-to-
end dealings can take place in both normal and peak market conditions without
undue impact on the settlement timeline

i) Use of technology
i) Electronic Trading and Broking Systems
▪ internal policies for the usage of electronic trading or broking systems and
business continuity plan for related contingencies
▪ encouraged to synchronise and preserve time stamps on electronic trading
and broking systems internally and globally to ensure appropriate tracking of
dealings
▪ robust and has adequate controls and security features to deal with normal
and stressed operating conditions
ii) inform BNM for any suspicious dealings in the wholesale financial markets and
material breach of security to the systems, such as through hacking or other
intrusions
iii) submit requested information to BNM in an accurate and timely manner

6.14 Key Features of BNM Guidelines on Investor Protection

6.14.1 Introduction

The Guidelines seek to allow financial institutions and their employees, as registered
persons, to carry out permitted capital market activities under the CMSA, subject to their
meeting the “fit and proper” and relevant investor protection requirements.

6.14.2 Key Requirements

a) registered persons are not required to hold CMSL license for permitted capital market
activities as listed in the Guidelines
b) meet the fit and proper standard: comply with the minimum “fit and proper” criteria
outlined in the Guidelines, pass all relevant examination module requirements unless
exempted, and fulfil the required Continuing Professional Education (CPE) points in
approved capital market activities
c) comply with investor protection provisions under the CMSA as well as the requirements
listed under the Malaysian Code of Conduct for Principals and Brokers in the
Wholesale Money and Foreign Exchange Markets through appropriate disclosures by
registered persons and its employees
d) maintain a register:
i) updated names of employees undertaking permitted capital market activities
ii) interests of registered persons and employees in securities

6.15 Case Study – Wells Fargo Bank

Wells Fargo Bank’s reputation was marred by the widespread fraud and fraudulent practices
by its employees regarding cross-selling business targets. This involved the creation of
fraudulent savings and checking accounts on behalf of the bank clients without their consent.

6.15.1 The Scandal

The bank employees falsified, manipulated and created more than 2.1 million false
deposit and credit card accounts arising from cross-selling activity. This arose from
internal pressure to meet high sales targets. The wrongdoings were later exposed
when clients complained of being charged fees for credit or debit cards or lines of
credit that they had not applied for.

6.15.2 Regulatory Actions

The bank was fined USD185 in 2017 by the regulatory bodies, including the Consumer
Financial Protection Bureau (CFPB). In 2018, the bank agreed to a USD1 billion settlement
with the CFPB and the Office of the Comptroller of the Currency to resolve auto and
mortgage lending violations.

The bank also faced civil claims arising from cross-selling scandal when it paid USD480
million to settle a securities class action lawsuit over cross-selling.

CEO John Stumpf was also made to appear before the US Senate where senators were
sharply critical that the board of directors had not clawed back on significant pay from John
Stumpf or former Retail Banking Head Carrie Tolstedt, who retired earlier in the summer with
a pay package valued at USD124.6 million. The CEO later resigned with no severance
package. Recently, the bank agreed to pay USD3 billion to settle its long-running civil and
criminal probes into the heinous accusations of rampant fraudulent sales practices.

6.15.3 Internal Investigation

Following the US Senate hearing, the bank conducted an independent internal investigation
which blamed the bank’s leadership, sales culture, performance systems, and organisational
structure as root causes of the cross-selling scandal. This included setting unreasonably high
sales goals that led employees to sell unwanted or unneeded products to customers and, in
some cases, open unauthorised accounts for fear of retribution.

The independent investigator asked CEO Stumpf and his retail banking head, Carrie
Tolstedt, to forfeit USD41 million and USD19 million, respectively, in outstanding,
unvested equity awards. Additionally, the board clawed back an additional USD47.3 million in
outstanding stock option awards from Tolstedt and an additional USD28 million in previously
vested equity awards from Stumpf.

6.15.4 Market Conduct and Customer Protection Lessons

The legislative measures and regulatory guidance of recent times are adequate to mitigate
the recurrence of Wells Fargo Bank scandal. However, this will have to be aligned with the
corporate culture of a financial institution where the financial rewards to the employees must
not elevate the conduct risks and compromise customers’ interests and rights.

6.16 Case Study – Lehman Brothers

During the mid-2000s, the housing boom was in full force, and Lehman, like many other
investment firms, was becoming more and more heavily involved in issuing mortgage-
backed securities (MBSs) and collateralised debt obligations (CDOs). However, Lehman took it to
the next level between 2003 and 2004 by extending into loan origination - acquiring, among
three other lenders, BNC Mortgage and Aurora Loan Services - both of which specialised in
subprime loans.

6.16.1 What Caused Lehman Brothers to Become Bankrupt?

The Lehman failure is attributed to countless interrelated and mutual causes that added to the
failure of major financial institutions, including:

a) Irresponsible lending practices, viewed as a risk cutback mechanism;

b) Excessive dependence on credit ratings by investors;

c) An extensive view of markets, assuming they could auto correct themselves and an
inadequate appreciation of the risks of deregulation, led to weaker principles and
regulatory breach;

d) The explosion of complex financial products, together with derivatives, with lack of
liquidity and other risk characteristics that were not transparent or understood;

e) Vicious incentives and asymmetric return arrangements encouraged unwarranted risk-
taking. Deficient management of risk and oversight of companies involved in marketing
and purchasing complex financial products;

f) Lack of monitoring in the financial regulatory framework and in lessening the risks across
synchronised entities and markets;

g) The lack of an adequate legitimate framework for the lapse of large investment bank
holding companies on a consolidated basis; and

h) Regulator’s Inaction. The Securities and Exchange Commission (SEC) and other
regulators didn’t take action. As early as 2007, the SEC knew Lehman Brothers was
taking on too much risk, but the agency never required Lehman to do anything
about it. It also didn’t publicly disclose to rating agencies that the bank had
exceeded risk limits

One of the primary causes for the firm's collapse was due to their overzealous lending during
the housing bubble in 2003 to 2004. By acquiring five lending firms that focused primarily on
subprime lending, Lehman was investing in a risky enterprise that, although earning a huge
market capitalisation in 2007 of around USD60 billion, soon came crashing down due to a
historic high of subprime loan defaults and, despite the firm's assurances to the contrary,
inevitably came back to bite them. The firm was over-leveraged, and the value of its
mortgage portfolio was no longer compelling.

6.16.2 Impact of Lehman’s Bankruptcy

Lehman’s bankruptcy sent financial markets reeling. The Dow Jones Industrial Average fell
504.48 points, its worst decline in seven years. Investors fled to the relative safety of U.S.
Treasury bonds, sending prices up. Investors knew that Lehman’s bankruptcy threatened the
financial institutions that owned its bonds and its shares become worthless. Investors lost
confidence in the money market fund when it announced losses of USD785 million in
Lehman’s commercial paper.

On Sept. 17, 2008, the collapse spread. Investors withdrew a record USD196 billion from
their money market accounts and losses continued until March 5, 2009. Lehman’s collapse
was a major contributor to the domino effect of multiple financial disasters that eventually
became the Global Financial Crisis of 2008. Trust remained an enormous question mark
following Lehman's collapse. The public, who had previously placed so much trust in "too
big to fail" firms like Lehman, suddenly found themselves skeptical of the economy
altogether.

6.17 Case Study – CIMB Bank Bhd v Anthony Lawrence Bourke & Anor [2019] 2 MLJ 1

6.17.1 Introduction

In the landmark decision, the Federal Court held that where such exclusion clauses are
drafted in a manner which effectively limits a party from enforcing their rights under a
contract, such clauses would be void and in direct contravention of Section 29 of the
Contracts Act, 1950, under which a term of a contract which absolutely restricts a party from
enforcing his rights under the contract is void to that extent.

6.17.2 Case Facts

The purchasers of a property sued the Bank for negligence and breach of contract for its
failure to make a progressive payment to a housing developer. This eventually resulted in the
termination of the sale and purchase agreement (SPA) between the housing developer and
the purchasers. In its defence, the Bank relied on an exclusion clause which reads as
follows:

“Notwithstanding anything to the contrary, in no event will the measure of damages payable
by the Bank to the borrower for any loss or damage incurred by the Borrower include, nor will
the Bank be liable for, any amounts for loss of income or profit or savings, or any indirect,
incidental consequential exemplary punitive or special damages of the Borrower, even if the
Bank had been advised of the possibility of such loss or damages in advance, and all such
loss and damages are expressly disclaimed.”

Upon appeal, the Federal Court affirmed that where an exclusion clause in an agreement
sought to (1) exonerate a contract breaker of its liability for a breach of that contract and (2)
negate the contract breaker’s liability to pay compensation for non-performance of that
contract, it would be void. Section 29 may be invoked to strike down and invalidate such a
clause.

6.17.3 Duty of Care and Skill Case in Disbursing a Loan

The key question to consider was whether a party would be absolutely restricted from
enforcing his or her rights under a contract. On these facts, despite the finding that there was
a clear breach by the Bank, the exclusion clause, if upheld, would preclude the
purchasers from claiming any remedy whatsoever against the Bank. A duty of care and skill
applies whenever a bank is disbursing a loan in accordance with the relevant SPA or for the
benefit of its customer. In light of this, the failure of the Bank to make a progressive
payment, which then caused the developer to terminate the SPA, amounted to a breach of the
loan agreement and negligence by the Bank. This case reaffirms the FTFC Principle 2 (A
FSP must ensure that financial consumers are provided with fair terms in contracts with
financial consumers) where financial consumers are not subject to unfair discriminatory
practices, including unfair contract terms that significantly disadvantage financial consumers.

6.18 Case Study – Personal Data Breach

6.18.1 Customer Data for Sale

In Malaysia, the Personal Data Protection Act 2010 (“Act”) regulates the processing of
personal data in commercial transactions and is placed under the purview of the Personal
Data Protection Commissioner (“Commissioner”). The main responsibility of this
Commissioner is to enforce and regulate the Act in Malaysia.

In 2017, in a massive data breach, customers’ data along with personal information of 46.2
million mobile subscribers in Malaysia was leaked on the dark web.

Lowyat.net reported that an unscrupulous party had put up an
advertisement to sell personal data belonging to millions of Malaysians, following a massive
leak of personal details of telecommunications service providers’ customers that happened
in 2014. Subsequently, the MCMC ordered Lowyat.net to remove the report on what the
technology portal said was one of the biggest data breaches in Malaysia ever, and the portal
removed the story since the source of the breach was still unknown.

The initial report was based on a tip-off that someone was selling databases of
personal details of Malaysians on Lowyat Forums for Bitcoin. Those who get hold of this data can fake
documents for personal loans, credit cards and more without raising any suspicion.

Apparently, on sale were 50 million entries of data from various telcos, including customer
names, billing addresses, mobile phone numbers, SIM card numbers, handset models and
MyKad numbers, and the leak may have occurred anywhere between 2012 and 2015.

The breach highlighted:

a) 17 million rows of customer information from a jobs portal, including candidate’s
name, login name, hashed password, email address, nationality, address and mobile
phone number; and

b) 2 sets of 20,000 and 62,000 data of doctors respectively, including MyKad numbers,
operating addresses and mobile numbers, obtained from medical associations and
720,000 entries of housing loan applications.

6.19 Case Study – Transparency and Information Obligations

On 21 January 2019, Google LLC (Google’s French arm) was fined EUR50 million by the
Commission Nationale de l’Informatique et des Libertés (“CNIL”) [regulator] for various
failings under GDPR. The ruling attacked the accessibility of the information, saying that,
although most of the information was there, it was scattered around its site via various
different “links”.

The CNIL found that Google had not been transparent with Android users about how it
collected and used personal data. Its fair processing notice was not accessible, it displayed
information spread across many applications and webpages, it did not contain all required
elements, and the general form and structure was non-compliant. This meant that users
could not understand how personal data would be processed by Google or what the
consequences of processing might be.

The CNIL drew particular attention to the number of Google services collecting personal data
on the Android system (approximately 20 including phone, Gmail, YouTube, Google Maps,
and Google Analytics cookies on third-party websites) and to the vagueness of the
information Google gave regarding how data would be used, citing generic purposes such as
to “ensure the safety of products and services”.

One reason for the fine that was imposed was that Google did not ensure that consent met
the General Data Protection Regulation (GDPR) threshold, by using pre-ticked boxes
and not separating consents for advert personalisation from other processing by Google.
