
Introduction

In Malaysia, the sources of banking law are mainly provided in the Banking and Financial
Institution Act 1989 [1] (hereinafter referred to as BAFIA). There are also other regulatory and
transactional banking laws which provide legal principles to regulate financial institutions in
Malaysia and the operational mechanism of a transaction. In addition, the Common Law
principles on Banking Law are imported into Malaysian law via section 5(1) and section 5(2) of
the Civil Law Act 1956 [2], which provides for the application of English law in commercial matters
when there is no provision made by any written law. In some cases, the common law position on
banking law is entrenched in the statutory law itself. It is important to note the common law
position in order to understand the development of that particular law and to examine the relevant
provision in the statutes. One example is the common law Duty of Secrecy that a banker owes the
customer, which is statutorily provided in section 97 of BAFIA.

Common Law position


The landmark English case of Tournier v National Provincial and Union Bank of England [3]
laid down the principle that the banker’s obligation to keep particulars of a customer’s account
confidential is an implied term that arises out of the banker-customer contractual relationship. [4]
The Court of Appeal’s decision in Tournier is the leading authority which defines the duty of
confidentiality and its exceptions at common law. Tournier is generally accepted as the basis of
banking confidentiality in Malaysia at common law. [5] There, it was established that the duty of
secrecy of the banker is not confined to information derived from the state of the customer’s
account but also covers information from other sources which came about or became available to the
banker as a result of the banker and customer relationship. This duty will still bind the banker even
after the banker and customer relationship has ended. Four exceptions to the bank’s duty of
secrecy were given in that case, namely:
a) where disclosure is under compulsion of law
b) where there is a duty to the public to disclose
c) where the interests of the bank require disclosure and
d) where the disclosure is made by the express or implied consent of the customer. [6]

[1] Act 372
[2] Act 67
[3] [1924] 1 KB 461
[4] Yeo, Alvin, Tan, Joy, “Singapore”, Neate: Bank Confidentiality, 4th ed. (:Totte Publishing), pg 571-606 at pg 573
[5] Syed Ahmad Idid Bin “Chapter 12, Banking Secrecy”, Judicial Decisions Affecting Bankers and Financiers, Ed., Wang
Kuo Shing, 2nd ed., (Malaysia: Lexis Nexis, 2003), pg 737-760 at pg 741

Statutory Provision in BAFIA and the Bankers’ Book (Evidence) Act 1949

In the Malaysian context, the scope of the banker’s duty of secrecy is, in addition to the
general principles enunciated in Tournier’s case, provided in BAFIA. BAFIA replaced the
Banking Act 1973. In the 1973 Act, section 36 specifically provided for banking secrecy. The
provisions on banking secrecy and information in Part XIII are much more comprehensive and
serve as a better guide to the scope of the duty and the exceptions where disclosure is permitted.
The basic requirement for the maintenance of banking secrecy is provided in s.97(1): no
director, officer or agent of a licensed institution, or any person, may disclose any information
relating to the affairs or account of a customer.

The exceptions to s.97(1) are in section 98 and section 99 of the BAFIA. Section 98 excludes
the application of s.97 to Bank Negara Malaysia, its directors, officers, employees, appointed
persons and persons rendering professional services to Bank Negara Malaysia where the disclosure
is for the purpose of the exercise of powers, the performance of functions or the discharge of their
duties or services to the Bank. The exceptions in s.99(1) are of practical use to the banker and
should be noted. Under s.99(1), s.97 shall not apply:
a) where there is written consent
b) in a case where the customer is declared bankrupt, or, if the customer is a corporation, the
corporation is being or has been wound up
c) where the information is required by a party to a bona fide commercial transaction, or to a
prospective bona fide transaction, to assess the creditworthiness of the customer
d) for the purposes of any criminal proceedings or in respect of any civil proceedings-
e) where the licensed institution has been served a garnishee order
f) to an external bureau established, or to an agent appointed by the licensed institution with
the prior written consent of the bank;
g) where such disclosure is required or authorized under any other provision of this Act;
h) where such disclosure is authorized under any federal law to be made to a police officer
investigating into any offence under such law
i) where such disclosure is authorized in writing by the Bank Negara Malaysia

If a banker breaches his duty of secrecy, he could be liable to a claim for damages by his customer
as well as for an offence under the BAFIA.

[6] Syed Ahmad Idid Bin “Chapter 12, Banking Secrecy”, Judicial Decisions Affecting Bankers and Financiers, Ed., Wang
Kuo Shing, 2nd ed., (Malaysia: Lexis Nexis, 2003), pg 737-760 at pg 737-738

Section 101 of BAFIA allows relevant overseas supervisory authorities, if approved
by BNM, to examine books, accounts and transactions of financial institutions licensed under
BAFIA that are, inter alia, subsidiaries or associates of a foreign licensed institution. The Banker’s
Books (Evidence) Act 1949 also confers power upon the High Court or a judge to order the
production of copies of banker’s books and other documents without the necessity to produce the
original. However, it should be noted that the 1949 Act does not provide rules on banking secrecy.
Rather, it is a procedural enactment to facilitate the production of copies of documents to overcome
the inconvenience or impracticality of production of the originals. [7]

Having set out the basic principle of the Duty of Secrecy, we will look into the
standard form contracts used by Malaysian banks and examine whether the contracts uphold this
basic principle.

1. Do the standard form contracts used by Malaysian banks uphold this basic
principle?

A standard form contract (SFC) is a preprinted contract containing set clauses, used
repeatedly by a business or within a particular industry with only slight additions or modifications
to meet the specific situation. [8] SFCs in banking may include contracts for banking services, loans
or credit card facilities. [9]

More often than not, such standard form contracts include clauses on the
use and disclosure of information or information sharing. Such information or data may include
name, address, e-mail address, telephone number, age, gender, race, nationality, assets, liabilities,
income, account information, account balance, payment records and any other information or data
that is relevant to that particular transaction or dealing. S.97 of BAFIA imposes a duty on
bankers, and on whoever has such information or access to it, not to disclose the
information in any way and to keep it highly confidential. Hence, do such clauses on disclosure
of information in these SFCs uphold this duty of secrecy?

[7] Yeo, Alvin, Tan, Joy, “Singapore”, Neate: Bank Confidentiality, 4th ed. (:Totte Publishing), pg 571-606 at pg 738-739
[8] Garner, Bryan, A, ed. Black’s Law Dictionary, (England: Thomas West) at pg 341
[9] Example of terms and conditions of SFC for loan facility may be found at Appendix A

It is quite amusing to note that when we read these disclosure clauses, they are usually
worded in terms of how the banks may disclose, and to whom they may disclose the information,
rather than asserting that the banks will protect the information and data provided by the
customers. Hence, such clauses do not aim to protect and uphold the duty of secrecy but are used
to gain customers’ consent and to exclude liability that may arise in the event of a breach of the
duty of secrecy. These clauses usually provide that the bankers have absolute discretion and may
disclose the customer’s information to the Central Credit Unit, BNM, governmental agency,
auditors, legal counsel, security party, branch or companies that are related to the bank, for any
legal action and when it is required by law. [10] It is also very common to have a widely drafted
clause like disclosure to any persons body authority credit bureau and or agency as the bank deems
proper.

Additionally, the customers are considered to have irrevocably consented to such clauses when
they sign the contract, in circumstances where the customers have inadequate bargaining
power and these clauses are customarily provided in most of the banks’ SFCs. Moreover, the
customer’s consent also includes the exclusion of liability on the part of the bank when it is in
breach of the duty of secrecy. This is one example, from a land transaction:
“… the Bank may at any time, disclose to any person who may in the Bank’s absolute discretion,
require such information or access thereof any documents or records of, or information about the
Transaction document or assets or affairs of the Customer including his account or future account
with the bank, whether or not confidential and whether or not the disclosure would be in breach
of any law or of any duty owed to the Customer provided that in respect of documents, records or
information which the Customer has informed the Bank to be confidential, the person receiving
such information from the Bank may be required to undertake to maintain the confidentiality of
documents, records or information received.
The customer hereby irrevocably consents for the Bank to disclose any documents or records of,
or information about the transaction Documents, the Facility, or the assets or affairs of the
Customer, whether or not confidential and whether or not the disclosure would be in breach of
any law or of any duty owed to the customer.”

[10] Refer to Appendix B

With the rise of the internet, internet banking has become one of the most common
mediums for completing banking transactions and other banking dealings. Typically, there will be
terms and conditions which the customers must agree to when they subscribe to these online
banking services. Comparatively, these terms and conditions are more positive and affirmative in
their non-disclosure policy. These terms and conditions generally provide that the employees,
staff or agents who have access to a customer’s information may only access such information
on a “need-to-know” basis, and that these persons remain obliged to keep such information
confidential and adhere to the duty of secrecy under BAFIA. For example, Alliance Bank’s policy
maintains that they would not share information with a third party without prior express agreement
and consent, save in accordance with law. [11] Also, internet banking is designed to have strict
security systems for the protection of customers’ details.

HSBC Bank also sets out the principles that provide assurance to their customers as to the
collection and usage of customers’ information, which read as follows:
• Collection of personal data from customers shall be for purposes relating to the provision of
financial services or related products;
• All practical steps will be taken to ensure that personal data are accurate and will not be kept
longer than necessary or will be destroyed in accordance with the internal retention period;
• Personal data will not be used for any purposes other than the purposes set out herein;
• Personal data will be protected against unauthorised or accidental access, processing or
erasure;
• Customers have the right of access to and for correction of their personal data held by us as
explained herein.
• A customer’s personal data is classified as confidential and can only be disclosed where
permitted by law, regulations and guidelines on privacy policies in force or otherwise legally
compelled to do so.

In addition, the terms and conditions will lay down the purposes for which data relating to a
customer may be used, and anything else not listed will not be included. This is an assurance from
the banks that they will not use the customer’s information for what is not stated. Although the list
may be long, the customers will have an idea of how their information may be used. [12]
• The daily operation of the services and credit facilities provided to customers;
• Conducting credit checks;
• Assisting other financial institutions to conduct credit checks and collect debts;
• Ensuring ongoing credit worthiness of customers;
• Designing financial services or related products for customers’ use;
• Marketing financial services or related products of the Bank and other third parties;
• Determining the amount of indebtedness owed to or by customers;
• Collection of amounts outstanding from customers and those providing security for customers’
obligations;
• Meeting the requirements to make disclosure under the requirements of any law binding on the
Bank or any of its branches;
• Enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the
Bank’s rights in respect of the customer to evaluate the transaction intended to be the subject of
the assignment, participation or sub-participation; and
• Purposes relating thereto.

[11] Refer to Appendix C
[12] Refer to Appendix B

Unavoidably, the terms and conditions will include the customer’s consent to allow disclosure
of information to the banks in order to provide a wider range of products and services. Nevertheless,
the duty of secrecy is better preserved in the terms and conditions of internet
banking than in the SFCs used by Malaysian banks.

2. Do the latest legislations, e.g. the Data Protection Act, assist in strengthening the
Duty of Secrecy?

The newly enacted Personal Data Protection Act 2009 (PDPA) has been long awaited. The
Act is aimed, among other things, at regulating the processing by the data user of the personal data
of an individual or body corporate or partnership who is involved in commercial transactions,
so as to provide protection to the individual's personal data and thereby protect the
interest of the individual concerned. The first question that needs to be asked is whether the PDPA
applies to Malaysian banks, and whether it imposes any duty of secrecy on the banks.

The PDPA applies to the person who processes data, called the data user, who is
defined as “any person who processes or any person who has control over or authorizes the
processing of any personal data in respect of commercial transactions.” [13] A data user may be a
person who, either alone or jointly or in common with other persons, processes or authorizes the
processing of any personal data or has control over personal data. Commercial transactions have
the meaning of any transaction of a commercial nature, whether contractual or not, which includes
any matters relating to the supply or exchange of goods or services, agency, investments,
financing, banking and insurance, but does not include a credit reporting business carried out by a
credit reporting agency under the Credit Reporting Agencies Act 2009. [14] Hence, commercial
transactions include daily banking transactions as well as banking-related contracts. It appears
that the PDPA applies to banks generally, but some doubt arises after reading s.32(1)(h), which
provides that a data user may refuse to comply with a data access request by a data subject under
section 30 if such access to personal data is regulated by another law. So the next question is
whether the BAFIA provides for the regulation of access to personal data. [15]

Section 97 of the BAFIA provides that any person who has access to a customer’s
information shall not disclose it, and section 98 provides for the exceptions where disclosure may
be made. There is no explicit provision in BAFIA which provides for the right of an individual to
access his/her own personal data. Therefore, it is unlikely that BAFIA falls under this exception.

On the issue of whether the PDPA enhances the duty of secrecy of bankers, we must look at the
duty imposed on the data user in processing the personal data of data subjects. There are 7 principles
which outline the duties and responsibilities of the data user in managing the information and data
received. These principles oblige the data user to either request consent or notify the data subject
and to take precautions in processing data, in addition to the duty of non-disclosure.

| Principle | Explanation [16] |
|---|---|
| General | The processing of personal data requires consent |
| Notice and Choice | Data users are required to notify the data subjects regarding the purpose for which the data is collected and about the right to request access and correction of the personal data |
| Disclosure | No personal data shall be disclosed without the consent of the data subject (Exception is laid down in section 39 of the PDPA) |
| Security | A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction |
| Retention | The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of the purpose for which it was obtained |
| Data Integrity | A data user shall take reasonable steps to ensure the accuracy and to maintain the data current for the purpose it was collected for |
| Access | A data subject shall be given access to his personal data and shall be able to correct the personal data where the data is inaccurate or incomplete |

[13] Section 3 of PDPA 2009
[14] Munir, Abu Bakar, “The Malaysia Personal Data Protection Bill”, Law and Technology, 1st October 2010
<http://profabm.blogspot.com/2009/12/malaysian-personal-data-protection-bill.html>
[15] Ibid
[16] “Introduction to the Malaysian Personal Data Protection Act 2010”, Data Protection Kuala Lumpur, 1st October
2010 <http://www.worldwideerc.org/gov-relations/global-tax-legal/Employment%20Law/Introduction%20to%20the%20Malaysian%20Personal%20Data%20Protection%20Act%202010.html>

The PDPA provides for two types of exemptions: total and partial. Total exemption means
that the Act does not apply at all. Partial exemption means that for some processing activities,
certain principles do not apply. For the former, the Act allows two exemptions: first, where the data
is processed for the purposes of personal, family or household affairs; second, where the personal
data is processed for recreational purposes. The partial exemptions are: (1) personal data processed
for the prevention or detection of crime, apprehension or prosecution of offenders and assessment or
collection of tax and duty, (2) personal data processed in relation to information of the physical or
mental health of a data subject, (3) data processed for preparing statistics or carrying out research,
and (4) personal data processed only for journalistic, literary or artistic purposes. [17]

Also, the PDPA establishes certain rights for the data subject. They are the right of access to
personal data, the right to correct personal data, the right to withdraw consent, the right to prevent
processing likely to cause damage or distress, and the right to prevent processing for the purposes
of direct marketing.

Thus, the PDPA provides more comprehensive protection of customers’ personal data,
in that bankers must not only keep customers’ information confidential, but also take extra
steps when processing the information.

3. Any legal reforms necessary to ensure that the Duty of Secrecy is not
unnecessarily eroded or over-ridden by other statutes?

There are statutes in Malaysia which permit the disclosure of confidential information by
bankers without the consent of the customer. Most of these provisions entitle the relevant body to
compel a bank to produce information for investigative purposes, including cases where disclosure
is authorized under any Federal Law for police investigation into any offence. [18]

[17] Munir, Abu Bakar, “The Malaysia Personal Data Protection Bill”, Law and Technology, 1st October 2010
<http://profabm.blogspot.com/2009/12/malaysian-personal-data-protection-bill.html>

| Acts | Provisions |
|---|---|
| Bankruptcy Act 1967 (s.31(2) and s.55(5)) | The court has power to summon any person to give information concerning debtor, his dealings or property |
| Companies Act 1965 (s.249) | The court may summon any person to give information concerning the promotion, formation, trade dealings, affairs or property of the company |
| Income Tax Act 1967 (s.80) | Inland Revenue shall have full and free access to buildings, books, and other documents and may search such buildings (including bank premises) and inspect, copy or make extracts from any such books or documents (including banker’s books) |
| Anti-Corruption Act 1997 (s.23(1), s.24(1), s.32(1)(c)) | The Public Prosecutor may authorise entry of premises and the making of copies of documents and may compel any bank to furnish copies of any or all accounts, documents and records |
| Kidnapping Act 1961 (s.8) | Public Prosecutor may order inspection of books, accounts or other documents of the person suspected of kidnapping |
| Dangerous Drugs (Forfeiture of Property) Act 1988 (s.21) | Public Prosecutor may authorize any senior police officer to investigate and take copies of any banker’s book |
| Internal Security Act 1960 (s.76) | Where there is evidence of the commission of any offence likely to be found in banker’s book, a police officer so authorized may enter the bank and inspect and take copies of such documents |
| Anti-Money Laundering & Anti-Terrorism Financing Act 2001 | Reporting institutions will be required to keep a record of any transaction involving domestic currency or foreign currency exceeding suspicious amount and to report any suspicious transaction |

The weaknesses of BAFIA on the duty of secrecy are that:
1. Disclosure may be compelled by law in either civil or criminal proceedings, and
in Malaysia more statutes than those listed here override BAFIA and
compel the banks to disclose customers’ information
2. There are more than 10 exceptions in BAFIA which allow for the disclosure of
information
3. There is no provision on the duration of the duty
4. The law has not provided for situations where there might be implied consent from the
customer (or has not explicitly excluded the possibility of implied consent)

[18] Syed Ahmad Idid Bin “Chapter 12, Banking Secrecy”, Judicial Decisions Affecting Bankers and Financiers, Ed., Wang
Kuo Shing, 2nd ed., (Malaysia: Lexis Nexis, 2003), pg 737-760 at pg 743-750

Furthermore, the duty of secrecy may be overcome where banks put a clause in
the contracts with their customers, or in the terms and conditions for banking transactions, stating
that the customer has irrevocably consented to the disclosure of information, when the customers are
in a weaker position to bargain. As most of these contracts are SFCs, the contracts are not easily
understood by the customers, and even if the customers understand the contracts, it is not usual for
the agent or employee of the bank to amend the contracts.

Strictly speaking, section 97 of the BAFIA has not been amended for almost 14 years, since
the 1996 amendment Act. [19] The latest amendment to the BAFIA was in 2005, which inserted
another exception to the duty of secrecy, s.98A, on disclosure for facilitating the performance of
functions by the Malaysia Deposit Insurance Corporation. Legal reform is necessary to overcome the
weaknesses in BAFIA and uphold the duty of secrecy, as there are too many exceptions to this major
duty of bankers where disclosure is authorised by any other federal law. Firstly, these exceptions
need to be reviewed as to whether they are necessary for the preservation of justice. Secondly, the
law should be explicit on the duration of this duty, which should extend even after the customer
closes the account. [20] Thirdly, the provisions must deal with the situation where there is implied
consent, or be explicit as to whether implied consent should be allowed. In the case of Tan Lay Soon
v Kam Mah Theatre Sdn Bhd [21], the court held that the customer (defendant) had given permission
to disclose (impliedly) by his letter to the Plaintiff. [22]

There is a thin line between imposing the duty and making sure that the relevant authorities
have access to information to determine the commission of an offence. Nevertheless, the most
effective safeguard would be the judiciary, in determining whether the disclosure is allowed by the
law and in applying s.97 to s.99 of the BAFIA. In the case of Tan Eng Siong v Malayan
Banking Berhad [23], it was held that s.97 may be relied on together with the Common Law principle
to initiate a civil action against the banks. Also, in A-G of Hong Kong v Zauyah Wan Chik [24], his
Lordship Gopal Sri Ram ruled that s.97 has no extraterritorial effect in cases of criminal liability;
hence the disclosure of information in a foreign jurisdiction is not covered under the ambit of s.97.

[19] Banking And Financial Institutions (Amendment) Act 1996 (Act A954)
[20] Cheong, May Fong, “Banking Secrecy in Malaysia”, (1993) 20 Journal of Malaysia Comparative Law, pg 157-182
[21] [1992] 2 MLJ 434
[22] Cheong, May Fong, “Banking Secrecy in Malaysia”, (1993) 20 Journal of Malaysia Comparative Law, pg 157-182
[23] [1997] 2 CLJ Supp 552
[24] [1995] 2 MLJ 620

Besides, the authorities so empowered, such as the court, the police investigating
officer and the public prosecutor, must exercise these powers free from any other
influences, since these exceptions erode the customers’ right to have their information kept
confidential. Also, the law should look into the situation where customers give their
consent in an SFC with the banks, and into the reconciliation between the common law duty,
contractual duty and statutory duty.

Conclusion

The duty of secrecy forms a big part of the bank-customer relationship, as this duty builds
the trust between the bank and its customers that allows the latter to trust the former with their
monies and the management of their lives. All the information collected in this course of dealing
should be kept secret, and the law should do its best to protect this and only allow exceptions when
it is for the public interest or national security. The new PDPA provides a new aspect to the duty of
secrecy of the banks: the banks have not only the duty not to disclose, but also the duty to take
cautious steps when disclosing the information and to make sure that the customers are notified,
unless the disclosure is required by law. Of course, there is always room for the law to do
more to protect the rights of individuals as to their personal information. Although the PDPA has its
defects and imperfections, it is a good start towards enhancing protection and imposing a stricter
duty on the bankers.
