The Malaysian government has long understood the importance of building up its financial sector. It is fair to say that the respective regulators of the financial and capital markets sectors have encouraged fintech developments and, where necessary, proactively adjusted the regulatory framework to facilitate its growth. For example, the Malaysian Securities Commission (SC) was one of the first regulators in the Association of Southeast Asian Nations (ASEAN) region to introduce equity crowdfunding (ECF) guidelines.

There is no specific regulation or special licence for fintech companies in Malaysia. Regulation and licensing requirements are dependent upon the nature of fintech businesses that the company engages in. The Central Bank of Malaysia (BNM) and the SC are the main regulatory bodies that regulate licensing and marketing requirements for fintech companies. Their recent regulatory decisions demonstrate a measured approach to regulating innovations in these industries.

There are two main developments in the regulatory aspect of fintech businesses in Malaysia. First, the BNM, through the Financial Technology Enabler Group, launched a financial technology regulatory sandbox (the Regulatory Sandbox) in 2016, seeking to provide a regulatory environment that is conducive for the deployment of fintech as the end goal. As part of this process, the Regulatory Sandbox Framework (the Framework) was introduced to enable the innovation of fintech to be deployed and tested in a live environment, within specified parameters and time frames. The Framework is applicable to financial institutions and fintech companies approved for participation by the BNM. Successful applicants will be given an approval to test solutions in a live market within a period not exceeding 12 months.

Second, pursuant to the Capital Markets and Services Act 2007 (CMSA 2007), the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (the Order 2019) was gazetted and came into force on 15 January 2019. Pursuant to Order 2019, digital currencies and digital tokens that are not issued or guaranteed by any government body or BNM, and fulfils other specific features, are prescribed as securities. The implications of treating digital currencies and digital tokens as securities are significant, as the CMSA 2007 would apply. Thus, digital currencies and digital tokens will be regulated by the SC, affecting how they can be offered and traded in Malaysia moving forward.

There are no known tax incentives specifically catered to fintech companies. However, there are tax incentives and preferential tax rates available for small and medium enterprises (SMEs), which could be applicable to fintech start-ups depending on their business areas. Relevant fiscal incentives are as follows:

  1. the angel tax incentive granted to angel investors in technology-based start-ups administered by Cradle Fund Sdn Bhd. It is designed to encourage more investments from the private sector into early stage companies in technology space; and
  2. the Malaysia Digital Economy Corporation Sdn Bhd (MDEC) offers corporate tax exemption for technology start-ups in the Malaysian Digital Hub.

There are also the Multimedia Super Corridor (MSC) Malaysia tax incentives offered for MSC Malaysia status companies in information and communications technology (ICT) and ICT-facilitated businesses. Following from Malaysia's participation in the Organisation for Economic Co-operation and Development Base Erosion and Profit Shifting taxation initiatives, the new legislation and guidelines for MSC Malaysia tax incentives are currently being reviewed by the government and further information will be released in due course.

As an initiative to promote Malaysia as a hub for technology start-ups, MDEC has introduced the Malaysia Tech Entrepreneur Programme to attract entrepreneurs worldwide in the technology industry to establish their start-ups and expand their business within the ASEAN region.


i Licensing and marketing

A large number of fintech players in Malaysia are involved in payments and cryptocurrency sectors. A fintech company should always consider in advance whether a licence from a regulatory authority is required as there is no one-size-fits-all licence that applies to every fintech player. The issues with licensing will depend on the specific scope of activities of the fintech product or service the company has to offer. Generally, BNM regulates payment services and currency administration while the SC regulates activities related to capital markets.

The table below captures typical as well as upcoming fintech businesses and their respective regulators and licensing rules, if any.

Fintech service Regulatory body Licensing/approval/registration
E-money – a payment instrument that can be issued in different forms such as a digital wallet (e-wallet), which is a type of pre-paid account in which a user can store their money for any future online transaction. BNM E-money issuers must obtain approval from BNM pursuant to Section 11 of the Financial Services Act 2013 (FSA 2013). According to Division 1, Part 1, Schedule 1 of the FSA 2013, businesses that require approval includes issuance of a designated payment instrument.
Merchant acquiring service – a third party that facilitates merchants in accepting payments. BNM Merchant acquiring services is one of the registered business under Schedule 1, Part 2 of FSA 2013. As such, a person must register with the BNM and comply with the requirements in Section 17 to carry on a merchant acquiring service.
ECF – enables individuals to invest in a start-up in exchange for shares in that particular company. SC Under the Guidelines on Recognised Markets (the Guidelines), released pursuant to CMSA 2007, ECF operators must register as a recognised market operator (RMO) with the SC.
Property crowdfunding – a form of fundraising that envisages a homebuyer obtaining funds to pay for the property's purchase price through investments from multiple investors, through an online platform facilitating such transactions. SC The SC released a Public Consultation Paper on 6 March 2019, the 'Proposed Regulatory Framework for Property Crowdfunding' (Consultation Paper on Property Crowdfunding). The SC is seeking feedback on the proposed regulatory framework for property crowdfunding activities.
Digital assets* offered through initial coin offerings (ICOs) – an issuer, typically an early-stage venture, creates and issues its own digital assets in exchange for established digital currency (e.g., bitcoin or ether) or fiat currency. SC The SC released a Public Consultation Paper on 6 March 2019, the 'Proposed Regulatory Framework for the Issuance of Digital Assets Through Initial Coin Offerings (ICOs)' (Consultation Paper on ICOs).
It seeks to provide background as to the nature of digital assets, the risks involved in investing in digital assets and the proposed regulatory framework on ICOs.
Peer-to-peer lending (P2P) – a platform enabling individuals to lend money without the use of a bank or a financial institution as an intermediary. SC Under the Guidelines, a P2P operator must register as a RMO with the SC.
Digital Asset Exchange (DAX) – online platforms where digital currencies and digital tokens are traded. SC The SC regulates DAX platform operators. Under the Guidelines, digital exchanges must be registered as an RMO with the SC.
BNM According to the Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6) Policy Document, digital exchanges must be registered as a reporting institution, pursuant to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001).
Digital Investment Management (DIM) – a company carrying on the business of fund management incorporating technologies into its automated discretionary portfolio management services. SC DIM is a regulated activity pursuant to Part 1, Schedule 2 of CMSA 2007, and as such must obtain a capital markets services licence from the SC pursuant to Section 58 of CMSA 2007.
* According to Chapter 15: Digital Asset Exchange of the Guidelines, digital asset refers collectively to a digital currency or digital token, which are both defined in the Order 2019.

Credit information services

BNM's credit bureau, which operates under the Central Bank of Malaysia Act 2009 (the CBA 2009), collects credit-related information on borrowers from lending institutions and furnishes the credit information back to the institutions2 in the form of a credit report via an online system known as the Central Credit Reference Information System (CCRIS).

CCRIS automatically processes the credit-related data received from participating financial institutions and synthesises the information into credit reports, which are made available to the financial institutions and the borrowers, upon request. The credit report contains information on outstanding credit facilities obtained by the borrower, information on credit applications that have been approved in the previous 12 months and pending credit applications made by the borrower.

Subject to approval by the BNM, credit reporting agencies (CRAs) must be registered under the Credit Reporting Agencies Act 2010 (the CRAA 2010). There are currently three CRAs that have obtained approval from the BNM, namely Credit Bureau Malaysia Sdn Bhd, CTOS Data Systems Sdn Bhd and RAM Credit Information Sdn Bhd.

Cloud computing

Cloud computing delivers computing services, such as managing and storing data and access to applications, over the internet via the cloud. Cloud computing for financial services companies is permitted in Malaysia. The BNM regulates cloud services, in the context of outsourcing arrangements3 entered into between companies and cloud service providers. The BNM issued the Policy Document on Outsourcing (the Outsourcing Policy), which came into effect on 1 January 2019 and applies to financial institutions. In the Outsourcing Policy, the BNM has expressed that a key concern to regulators is the over-reliance on service providers for activities that are critical to the ongoing operations and safety of financial institutions.4 Approval is required from the BNM where fintech companies enter into a material outsourcing arrangement or make a significant modification to an existing material outsourcing arrangement.

A material outsourcing arrangement is defined under the Outsourcing Policy as an outsourcing arrangement that:

  1. in the event of a service failure or security breach, has the potential to significantly impact the financial institution's provision of financial services to customers, business operations, financial position, reputation or compliance with applicable laws and regulatory requirements; or
  2. involves customer information and, in the event of unauthorised access, disclosure or modification, or loss or theft of the information, has a material impact on the customer or financial institution.

In conjunction with the Personal Data Protection Act 2010 (the PDPA 2010), the Personal Data Protection Regulations 2013 (the Regulations), which came into operation on 15 November 2013, require that data users develop and implement a security policy for their companies. This security policy must comply with the standards established by the Commissioner of the Department of Personal Data Protection (the Commissioner) from time to time.5 Some of the more prescriptive standards for implementation stipulate that transfer of personal data through cloud computing services is no longer permitted, unless authorised in writing by the top management of the company.

Digital advisory or asset management company

DIM is a form of fund management that is a regulated activity under the CMSA 2007. DIM companies providing automated discretionary portfolio management services must obtain a capital markets services licence from the SC pursuant to Section 58 of the CMSA 2007.

In 2018, StashAway Malaysia was the first DIM company to obtain a capital market services licence from the SC to commence operations.

Crowdfunding P2P

Pursuant to the Guidelines, ECF operators and P2P operators must be registered as a RMO as they provide an alternative trading venue or marketplace that brings together purchasers and sellers of capital markets products. The Guidelines set out the registration requirements for ECF and P2P operators and funding limitations for investors. Currently, there are seven ECF platforms and six P2P platforms registered with SC as a RMO.

An issuer6 hosted on a P2P platform will issue an investment note to investors as evidence of a monetary loan executed on the platform. Investment notes are prescribed as securities by virtue of the Capital Markets and Services (Prescription of Securities and Islamic Securities) (Investment Note and Islamic Investment Note) Order 2016, which came into force on 16 May 2016.

In the Consultation Paper on Property Crowdfunding, the SC proposes that property crowdfunding operators must be registered as RMOs pursuant to the Guidelines. The SC also proposes several regulatory requirements to be imposed in relation to platform operators (e.g., criteria to qualify, obligations, permissible activities), homebuyers (e.g., criteria, funding limit, obligations) and criteria on the type of properties that can be hosted on the platform. FundMyHome is an example of a property crowdfunding platform based on P2P principles. It enables a first-time home buyer to acquire a property for 20 per cent of the property price. The remaining 80 per cent will be fulfilled by interested investors in exchange for the potential appreciation in the property's value over a period of five years. When the five-year period expires, the property owner can choose to sell the property or stay by refinancing the property.


Insurtech refers to the use of technology innovations designed to squeeze out savings and efficiency from the current insurance industry model. Digital distribution of insurance products benefits the society by making information more accessible, lowering price barriers, unbundling insurance products and shaping healthier behaviours in the long run.7 Some of the established insurers such as Etiqa Insurance Bhd, Maybank Ageas Holdings and Zurich Malaysia have partnered up with fintech start-ups to provide platforms enabling users to customise insurance policies and to obtain the best insurance products in proportion to the income earned by the user. There are also start-ups such as Ringgitplus and GoBear that provide platforms for consumers to compare and contrast the available insurance policies in the market in a more layman friendly manner, according to factors such as coverage terms and payment plans.

However, insurtech is not limited to consumers purchasing insurance products directly from an insurer. It extends to the business-to-business ecosystem where insurers are working with those beyond the insurance industry to offer new solutions. For example, Allianz Malaysia partnered with local start-ups Recommend.my, an online service provider platform. Those who book services from Recommend.my will automatically receive insurance protection for each transaction.

Marketing of fintech products and services

Marketing of fintech products and services would depend on whether the fintech company is providing services and products that are regulated in Malaysia. Therefore, fintech companies must first recognise whether it provides regulated fintech services and products before they can be marketed.

ii Cross-border issues

Regulated or licensed activities cannot be passported from another jurisdiction into Malaysia. Fintech companies licensed in a foreign jurisdiction that intend to offer their services or products in Malaysia must obtain the relevant licences and approvals under the applicable Malaysian laws. However, the BNM's Regulatory Sandbox is open to all fintech companies both domestically and internationally.

In March 2017, Malaysia launched the world's first Digital Free Trade Zone (DFTZ) to help local SMEs get into cross-border trade by leveraging on digital technology and opportunities in e-commerce, and to attract e-commerce transhipment investment into Malaysia. It does so by providing physical and virtual zones to facilitate SMEs to capitalise on the convergence of exponential growth of the internet economy and cross-border e-commerce activities. The DFTZ is a product of collaboration between the MDEC and the Alibaba Group.


In 2001, it was made compulsory for all Malaysians to hold a national identity card known as 'MyKad', which contains an individual's name, address, race, citizenship status, religion and an inbuilt chip that stores fingerprint biometric data. The MyKad is primarily used as an official identification document to verify an individual's identity and can also be used as an ATM card, an e-wallet and a transit card.

The MyKad also enables Malaysians to access MyEG – an electronic government (e-government) service platform – that provides an array of government services such as renewal of foreign workers' permit, replacement of national identity card, payment of parking summons, auto insurance and road tax renewal and temporary transfer of vehicle ownership. The e-government services are also available to companies. A representative of a company would be required to provide their MyKad as a verification tool in order to access the e-government services.

As the MyKad is a physical identification document used to verify a person's identification, it does not qualify as a digital identity. In October 2018, the Minister for the Communications and Multimedia Ministry (the Ministry), Mr Gobind Singh Deo, announced the Ministry's plans to formulate a separate national digital identity.

The Minister mentioned that the proposed national digital identity aims to provide a 'verifiable platform of trust' to reduce the possibility of fraud which is common in e-commerce transactions. However, the national digital identity provides a platform to verify the identity of an individual, thus reducing the scope of such crimes. The Minister also announced that the national digital identity project will be an integral platform for the digital government initiative, which includes delivering targeted subsidies efficiently via an e-wallet account registered using the national digital identity. The Ministry will cooperate with the Malaysian Communications and Multimedia Commission and MDEC in the formulation of the national digital identity project. The Ministry intends to finalise the proposal for the national digital identity by mid-2019.

As the project is still being formulated, it is not known whether the digital identity will extend to fintech businesses and non-residents of Malaysia.

Digitised onboarding is a relatively new process in the financial services sector. In 2017, CIMB Bank Berhad (CIMB) was the first Malaysian bank to receive the BNM's Regulatory Sandbox approval to implement the electronic know-your-customer (e-KYC) method for customer-identity verification. In implementing e-KYC, financial service providers may be subject to the PDPA 2010, which sets out the seven data protection principles including the general principle establishing the legal requirements for processing data, notice, choice, disclosure, data security, integrity and retention and rights of access.


The extent to which blockchain technology is regulated is based on the laws applicable to the type of products or services provided. In 2017, the Department of Standards Malaysia – an agency under the purview of the Ministry of International Trade and Industry – has formed a national technical committee on blockchain and distributed ledger technology (DLT), focusing on the development of blockchain standards for the nation.

As mentioned above, digital currencies or digital tokens are only prescribed to be securities if they meet the characteristics set out in Section 3 and Section 4 respectively of Order 2019. In Section 3 of Order 2019, digital currencies are prescribed as securities where:

  1. they are traded in a place or on a facility where offers to sell, purchase or exchange the digital currency are regularly made or accepted;
  2. a person expects a return in any form from the trading, conversion or redemption of the digital currency or the appreciation in value of the digital currency; and
  3. they are not issued or guaranteed by any government body or central banks as may be specified by the Commission.

In Section 4 of Order 2019, a digital token that represents a right or interest of a person in any arrangement made for the purpose of, or having the effect of, providing facilities for the person is prescribed as securities where:

  1. the person receives the digital token in exchange for a consideration;
  2. the consideration or contribution from the person, and the income or returns, are pooled;
  3. the income or returns of the arrangement are generated from the acquisition, holding, management or disposal of any property or assets or business activities;
  4. the person expects a return in any form from the trading, conversion or redemption of the digital token or the appreciation in value of the digital token;
  5. the person does not have day-to-day control over the management of the property, assets or business of the arrangement; and
  6. the digital token is not issued or guaranteed by any government body or central banks as may be specified by the Commission.

To further safeguard the integrity of the capital market and protect investors' interest, the SC proposed a two-pronged approach for ICOs in the Consultation Paper on ICOs. The proposed regulatory framework involves:

  1. obtaining authorisation from the SC for the offering or issuance of the ICO; and
  2. the registration of a disclosure document (Whitepaper) prescribing minimum requirements set by the SC.

An ICO issuer has to approach a third party to 'host' the ICO and assess its Whitepaper. In this regard, the ICO issuer is required to undergo an assessment conducted by an independent third party authorised by the SC, prior to it submitting a formal application to the SC.

In the event that this proposed regulatory framework is implemented, SC would then be imposing a full control ex ante approach over issuances of all kinds of tokens. All types of token-issuance should be registered and authorised by the SC. The opaqueness in characterising the type of digital tokens in the Order 2019 and Consultation Paper on ICOs suggests that the SC is taking a broad approach in including all types of digital tokens as securities.

On 31 January 2019, the Guidelines were amended to include the requirements for DAX operators to be registered as RMOs. Companies that have submitted their application to be registered with the SC as DAX operators will be permitted to continue operations during the transitional period from 1 March 2019 until such period as may be notified by the SC.

The Sector 6 Policy Document, which came into effect on 27 February 2018, was issued pursuant to the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA 2001), FSA 2013 and the Islamic Financial Services Act 2013. Pursuant to the Sector 6 Policy Document, any person offering services to exchange digital currencies is subject to obligations under the AMLA 2001 as a reporting institution. The Sector 6 Policy Document sets out minimum requirements and standards that a reporting institution must observe to increase the transparency of activities relating to digital currencies.

It remains to be determined if cryptocurrencies are subject to tax laws as there is no specific provision for digital currency in the Income Tax Act 1967. However, Malaysia's Inland Revenue Board (IRB) appears to be paying more attention to the tax leeway in the area of cryptocurrency. In an update release dated 12 January 2018 by Luno, a London based digital exchange, IRB temporarily froze the bank account of Bitx Malaysia, Luno's local entity in Malaysia. The bank account was frozen pending tax investigations.8 In an update release dated 2 February 2018, Luno stated that IRB had agreed to unfreeze the bank account while in the process of completing the investigation.9


There is no specific law governing the use of self-executing contracts (smart contracts) in Malaysia. However, these contracts would need to adhere to the general principles of creating a legally valid contract, including offer and acceptance, consideration and intention to create a legal relationship.

The increased number of fintech companies that offer smart contract development services demonstrates the increasing demand for smart contracts in Malaysia, which may affect the need to regulate smart contracts in Malaysia.

The Electronic Commerce Act 2006 (ECA 2006) recognises the validity of a contract that is formed wholly or partly in electronic form. Communication of proposals and acceptance of proposals in the form of electronic messages is recognised as a valid and enforceable contract.10 Furthermore, the ECA 2006 provides that the Digital Signature Act 1997 (DSA 1997) applies to any digital signature used as an electronic signature in any commercial transaction. The DSA 1997 states that, where a document is signed with a digital signature, it shall be as legally binding as a document signed with a handwritten signature, an affixed thumbprint or any other mark.

There is no regulator for third-party websites comparing or providing information about financial products. However, the activities of price comparator sites are subject to the Competition Act 2010 (CA 2010). The main prohibitions against anticompetitive agreements or abuse of dominance would govern the activities of price comparator sites. In other words, cases actioned in other jurisdictions as being anticompetitive or potentially so can be actioned under the provisions of the CA 2010. For example:

  1. price comparator sites have been found to facilitate information exchange between competitors; or
  2. the use of most favoured nation clauses leads to one comparator site always having the best deals, making it harder for other sites to effectively compete in the market, thus leading to the foreclosure of these other sites from the market.

Such cases will be subjected to intellectual property and personal data protection considerations, which are further discussed in Section VI.

Artificial Intelligence (AI) has made a headway in the local banking sector in the form of chatbots. RHB Bank Berhad launched an AI-powered messenger platform that operates in real time to streamline the credit card application process. Hong Leong Bank Berhad and the CIMB Group have also launched virtual assistants by employing AI technology.


Fintech business models and related software can be protected by various intellectual property rights, namely, copyright and patent. Alternatively, protection as confidential information under the common law in Malaysia is also available, depending on the nature of the business model. Software is generally protected by copyright under the Copyright Act 1987, with no requirements for registration. There is no system of registration for confidential information as well – business models and software can be protected if they are confidential in nature, disclosed in circumstances importing confidentiality and there is an actual or anticipated unauthorised use or disclosure of the information.

Patent protection is available for new inventive steps involving industrially applicable products and processes. In short, it provides a wider range of protection than copyright as it protects the idea or concept rather than just the work (e.g., source codes for software) – hence, business models would likely gain patent protection by filing a patent application.

If an employee develops an original work during his or her term of employment, the default rule is that ownership of the copyright vests in the employer. Alternatively, if a contractor develops an original work, the default rule is that the contractor continues to own the original work. However, it is common for employees and contractors to be bound by written contractual obligations that specify ownership of the intellectual property they develop, and these default rules may be overridden. Compensation, if any, owed to the author of the copyright work would also depend on the nature of the relationship or the agreements entered into between the parties. Fintech companies should ensure that their employees and contractors enter into agreements specifying the rules on ownership of intellectual property.

The PDPA 2010, which is enforced by the Commissioner, is based on a set of data protection principles similar to the European Union principles11 and is often described as European-style privacy law. The PDPA 2010 would apply to fintech companies as it provides for the protection of personal data (i.e., client data) in relation to all commercial transactions. A failure to comply with the PDPA 2010 would lead to possible fines or imprisonment.

Apart from the seven principles set out in the PDPA 2010, there are no rules that apply specifically to digital profiling of clients. A data subject12 must consent to the processing of the personal data unless the processing is necessary for specific exempted purposes.13 Although the PDPA 2010 does not define nor prescribe any formalities in terms of consent, the Regulations provide that the data user must keep a record of consents from data subjects and that the Commissioner or an inspection officer may require production of the record of consents.

Also, financial institutions in Malaysia are subject to secrecy rules in relation to customer affairs or account information as per Section 133 of the FSA 2013.


The following highlights SC and BNM initiatives in the regulation of fintech services in Malaysia.

In December 2018, SC announced the completion of Project Castor formed under SC's innovation laboratory, Alliance of Fintech Community. Project Castor seeks to explore the feasibility in implementing DLT as the underlying market infrastructure for unlisted and over-the-counter (OTC) markets as decentralised markets. As unlisted and OTC markets are less transparent and liquid when compared with listed markets, the implementation of DLT aims to reduce these challenges. In January 2019, the BNM released its Policy Document on 'Publishing Open Data using Open API' (the Policy Document), which set out the BNM's guidance on the development and publication of Open Application Programming Interface (Open API) for open data by financial institutions. The BNM aims to encourage open banking through the use of Open API, which enables third-party developers to access data without needing to establish a business relationship with financial institutions. The Policy Document provides that the publication of Open Data has the objective to facilitate the development of fintech in allowing consumers to compare a wide range of products and services matching their specific needs and circumstances. While not mandatory, financial institutions are encouraged to adopt Open Data API Specifications recommended by the Open API Implementation Groups for credit card, SME loans and motor insurance products.

In March 2018, SC and BNM joined forces to establish the Brokerage Industry Digitisation Group (BRIDGe), which aims to accelerate digitisation in the stockbroking industry in order to enhance operational efficiencies and service standards. According to the former SC Chairman, Tan Sri Ranjit Ajit Singh, the intention of BRIDGe is to create more efficiency in the entire value chain of the brokerage industry, including the way in which investors interact with trading and brokerage businesses.


The advent of fintech has brought about the need for regulation in the fintech industry. The approach taken by BNM and SC suggests that fintech is being welcomed, albeit in a cautious manner. BNM's Regulatory Sandbox, for example, clearly demonstrates BNM's approach in encouraging fintech while carefully monitoring the progress and development of fintech services and products. The Order 2019 and the consultation papers by the SC also aim to create certainty by regulating digital assets and fintech activities under the CMSA 2007. These initiatives will pave the way for a more digitally safe and literate country.

With ECF and P2P platforms coming into play, as well as the gaining popularity of DIM services, Malaysians now have the opportunity to diversify their investment portfolios. The guidelines and regulations of these platforms by SC minimise investment risks and create a more reliable environment for Malaysians to invest their money.


1 Shanthi Kandiah is a partner at SK Chambers. She was assisted in writing this chapter by Henin Tong, Denishia Rajendran and Nimraat Kaur.

2 Section 47 of the CBA 2009.

3 Paragraph 5.1 of the Outsourcing Policy defines 'outsourcing agreement' as an arrangement in which a service provider performs an activity on behalf of a financial institution on a continuing basis.

4 Paragraph 1.3 of the Outsourcing Policy.

5 The Personal Data Protection Standards 2015.

6 According to Chapter 14: Peer-to-peer financing (P2P) platform of the Guidelines, an issuer means a person that is seeking funding on or through a P2P platform and shall include seeking funding via invoice financing.

9 ibid.

10 Section 7 of the ECA 2006.

11 EU Data Protection Directive 95/46/EC.

12 Section 4 of the PDPA 2010 defines 'data subject' as an individual who is the subject of the personal data.

13 Section 6(2) of the PDPA 2010.