AKTA AGENSI PELAPORAN KREDIT 2010

Credit Reporting Agencies 1 REPRINT Act 710 CREDIT REPORTING AGENCIES ACT 2010 As at 1 November 2024 PUBLISHED BY THE COMMISSIONER OF LAW REVISION, MALAYSIA UNDER THE AUTHORITY OF THE REVISION OF LAWS ACT 1968 2024 Laws of Malaysia 2 Act 710 Date of Royal Assent … … … 2 June 2010 Date of publication in the Gazette … … … 10 June 2010 Credit Reporting Agencies 3 Act 710 ARRANGEMENT OF SECTIONS

Part I

PRELIMINARY Section

1. Short title and commencement

2. Interpretation

Part II

APPOINTMENT, FUNCTIONS AND POWERS OF REGISTRAR

3. Appointment of Registrar

4. Functions of Registrar

5. Powers of Registrar

6. Appointment of Deputy Registrar and Assistant Registrar

7. Appointment of officers

8. Delegation of Registrar’s functions and powers

9. Register of Credit Reporting Agencies

10. Restriction on enquiring specifically into affairs of particular customer

Part III

REGISTRATION OF CREDIT REPORTING AGENCIES

11. Prohibition to carry on credit reporting business unless registered

12. Restriction to carry on business other than credit reporting business

13. Application for registration Laws of Malaysia 4 Act 710 Section

14. Certificate of registration

15. Renewal of certificate of registration

16. Revocation of registration

17. Surrender of certificate of registration

18. Appeal against decision of Registrar

19. Handling of credit information when registration of credit reporting agency is revoked, etc.

Part IV

MANAGEMENT OF CREDIT REPORTING AGENCIES

20. Minimum paid-up capital

21. Appointment of chief executive, etc.

Part V

CONDUCT OF BUSINESS OF CREDIT REPORTING AGENCIES

22. Collection of credit information

23. Notice to customer on processing of credit information

24. Disclosure of credit information

25. Prohibited disclosure in credit report

26. Storage and security of credit information

27. Obligation of subscribers, etc.

28. Unfavourable credit action

29. Accuracy of credit information

30. Right of access to credit information or credit report

31. Right to correct credit information or credit report

Part VI

INSPECTION, COMPLAINT AND INVESTIGATION

32. Inspection of data system

33. Relevant credit reporting agency to be informed of result of inspection Credit Reporting Agencies 5 Section

34. Reports by Registrar

35. Complaint

36. Investigation by Registrar

37. Restriction on investigation initiated by complaint

38. Registrar may carry out or continue investigation initiated by complaint notwithstanding withdrawal of complaint

39. Enforcement notice

40. Variation or cancellation of enforcement notice

Part VII

ENFORCEMENT

41. Authorized officers

42. Authority card

43. Power of investigation

44. Search and seizure with warrant

45. Search and seizure without warrant

46. Access to computerized data

47. Warrant admissible notwithstanding defects

48. List of computer, book, account, etc., seized

49. Release of computer, book, account, etc., seized

50. No cost or damages arising from seizure to be recoverable

51. Obstruction to search

52. Power to require production of computer, book, account, etc.

53. Power to require attendance of persons acquainted with case

54. Examination of persons acquainted with case

55. Admission of statements in evidence

56. Forfeiture of computer, book, account, etc., seized

57. Joinder of offences

58. Power of arrest Laws of Malaysia 6 Act 710

Part VIII

MISCELLANEOUS Section

59. Appeal to Minister

60. Exemption

61. Transfer of credit information to places outside Malaysia

62. Unlawful collecting, etc., of credit information

63. Abetment and attempt punishable as offences

64. Compounding of offences

65. Offences by body corporate

66. Prosecution

67. Jurisdiction to try offences

68. Service of notice or other documents

69. Protection against suit and legal proceedings

70. Protection of informers

71. Obligation of secrecy

72. Power of Minister to make regulations

73. Prevention of anomalies

74. Power of Minister to amend First Schedule and Second Schedule

75. Power to issue Summary of Rights, codes of practice, etc.

76. Personal Data Protection Act 2009 shall not apply

Part IX

SAVINGS AND TRANSITIONAL PROVISIONS

77. Carrying on credit reporting business before the commencement of this Act First Schedule Second Schedule Third Schedule Fourth Schedule Credit Reporting Agencies 7

An Act to provide for the registration and regulation of persons carrying on credit reporting businesses and for matters connected therewith and incidental thereto. [15 January 2014; P.U. (B) 12/2014] ENACTED by the Parliament of Malaysia as follows:

Part I

PRELIMINARY Short title and commencement

1. (1) This Act may be cited as the Credit Reporting Agencies Act 2010.

(2) This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act. Interpretation

2. In this Act, unless the context otherwise requires— “credit reporting agency” means a person who carries on a credit reporting business and is registered under subsection 14(2); Act 710 Laws of Malaysia 8 Act 710 “relevant credit reporting agency”, in relation to—

(a) an inspection, means the credit reporting agency who uses the data system which is the subject of the inspection;

(b) a complaint, means the credit reporting agency specified in the complaint;

(c) an investigation—

(i) in the case of an investigation initiated by a complaint, means the credit reporting agency specified in the complaint;

(ii) in any other case, means the credit reporting agency who is the subject of the investigation;

(d) an enforcement notice, means the credit reporting agency on whom the enforcement notice is served; “credit rating agency” means a person who is specified to be a registered person in Part 2 of Schedule 4 to the Capital Markets and Services Act 2007 [Act 671] and who provides investment advice in relation to the provision of ratings for debentures; “this Act” includes regulations, orders, notifications or other subsidiary legislation made under this Act; “Register” means the Register of Credit Reporting Agencies established and maintained under section 9; “specified”, where no mode is mentioned, means specified from time to time in writing; “prescribed” means prescribed by the Minister under this Act and, where no mode is mentioned, means prescribed by order published in the Gazette; “document” has the meaning assigned to it in section 3 of the Evidence Act 1950 [Act 56]; Credit Reporting Agencies 9 “constituent documents”, in relation to a body, corporate or unincorporate, means the statute, charter, memorandum of association, articles of association, rules, by-laws, partnership agreement, or other instrument, under or by which the body is incorporated or established, and its governing and administrative structure and the scope of its functions, business, powers and duties as set out, whether contained in one or more documents; “chief executive”, in relation to a credit reporting agency, means the principal executive officer of the credit reporting agency for the time being, by whatever name called, and whether or not he is a director; “credit” means—

(a) any Islamic financing facility in whatever form or by whatever name called whether or not such facility involves a sale, purchase, sale and repurchase, lease, sale and lease back, sale and buy back arrangement, joint venture arrangement, deferred payment sale, return sharing arrangement and any other financing arrangements or dealings involving assets or properties made in accordance with Islamic law;

(b) any advance, loan, trade credit or other facility in whatever form or by whatever name called whereby the person to whom the advance, loan, trade credit or other facility is given has access, directly or indirectly, to the funds or property of the person giving it;

(c) any hire-purchase, Islamic hire-purchase, leasing, factoring, debt trading and such similar dealings or transactions;

(d) the giving of a guarantee or any security in relation to the obligations of any person; or

(e) any other like dealing or transaction as may be prescribed by the Minister on the recommendation of the Registrar; “credit report” means any record or information, whether in a written, oral or other form, that—

(a) has any bearing on a customer’s—

(i) eligibility to be provided with credit; Laws of Malaysia 10 Act 710

(ii) history in relation to credit; or

(iii) capacity to repay credit; and

(b) is used, has been used or is capable of being used as one of the factors in establishing a customer’s eligibility for credit; “access log” means a record of every access made to credit information held by a credit reporting agency; “credit information” means any information of a customer collected by a credit provider in the course of or in connection with the providing of credit, or any record or information of a customer processed in the course of or in connection with the carrying on of a credit reporting business, and may include information as listed in the First Schedule; “use”, in relation to credit information, does not include the act of collecting or disclosing such credit information; “collect”, in relation to credit information, means an act by which such credit information enters into or comes under the control of a credit reporting agency; “Minister” means the Minister responsible for finance; “disclose”, in relation to credit information, means an act by which credit information is made available by a credit reporting agency; “person” includes an individual, any corporation, society, trade union, co-operative society, partnership or any other body, organization, association or group of persons, whether corporate or unincorporate; “relevant person”, in relation to a customer, howsoever described, means—

(a) in the case of a customer who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the customer to act on behalf of the customer; or Credit Reporting Agencies 11

(b) in any other case, a person authorized in writing by the customer to make an access request, correction request, or both such requests, on behalf of the customer; “subscriber” means any person who has entered into a subscriber agreement with a credit reporting agency; “officer”, in relation to a credit reporting agency, includes the chief executive and any employee; “authorized officer” means any officer authorized in writing by the Registrar under section 41; “customer” means any person who is applying for credit from, or who has been granted credit by, a credit provider and who is the subject of the credit information; “credit provider” means any person as listed in the Second

Schedule; “correction”, in relation to credit information, includes amendment, variation, modification or deletion; “requestor”, in relation to an access request or correction request, means the customer or the relevant person on behalf of the customer, who has made the request; “credit information processor”, in relation to credit information, means any person, other than an employee of the credit reporting agency, who processes the credit information solely on behalf of the credit reporting agency, and does not process the credit information for any of his own purposes; “processing”, in relation to credit information, means collecting, recording, holding or storing the credit information or carrying out any operation or set of operations on the credit information, including— (a) the organization, adaptation or alteration of credit information; (b) the retrieval, consultation or use of credit information; Laws of Malaysia 12 Act 710 (c) the disclosure of credit information by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of credit information; “Registrar” means the Registrar of Credit Reporting Agencies appointed under section 3; “subscriber agreement” means a written agreement providing a subscriber with access to credit information held by a credit reporting agency and is as specified in the Fourth Schedule; “credit reporting business” means a business that involves the processing of credit information for the purpose of providing a credit report to another person, whether for profit, reward or otherwise, but shall not include the processing of credit information— (a) for the purpose of discharging regulatory functions or that is required or authorized by or under any law; or (b) by a credit rating agency; “Summary of Rights” means the Summary of Rights as may be determined by the Registrar; “company” has the meaning assigned to it in section 4 of the *Companies Act 1965 [Act 125]; “appointed date” means the relevant date or dates, as the case may be, on which this Act comes into operation; “unfavourable credit action” means a denial or revocation of credit, an unfavourable change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms as requested. *NOTE—The Companies Act 1965 [Act 125] has since been repealed by the Companies Act 2016 [Act 777] which comes into operation on 31 January 2017 – see subsection 620(1) of Act 777. Credit Reporting Agencies 13 Part II APPOINTMENT, FUNCTIONS AND POWERS OF REGISTRAR Appointment of Registrar 3. (1) The Minister shall appoint a public officer to be known as the “Registrar of Credit Reporting Agencies” for the purposes of carrying out the functions and powers assigned to the Registrar under this Act. (2) The appointment of the Registrar shall be published by notification in the Gazette. Functions of Registrar 4. The Registrar shall have all the functions imposed on him under this Act and without prejudice to the generality of the foregoing, shall also have the following functions: (a) to advise the Minister on all matters in relation to the administration of this Act; (b) to implement and enforce this Act including the formulation of operational policies and procedures; (c) to promote awareness and dissemination of information to the public in relation to the operation of this Act; (d) to be responsible for the monitoring, controlling, supervision and regulation of credit reporting agencies; (e) to encourage and promote the sound and orderly development of credit reporting agencies and the credit reporting sector; (f) to create a conducive environment for credit reporting agencies to carry out their activities; and (g) to carry out such activities or do such things as are necessary, advantageous and proper for the administration of this Act, or such other purposes consistent with this Act as may be directed by the Minister. Laws of Malaysia 14 Act 710 Powers of Registrar 5. (1) The Registrar shall have all such powers to do all things necessary or expedient for or in connection with the performance of his functions under this Act. (2) Without prejudice to the generality of subsection (1), the powers of the Registrar shall include the power— (a) to appoint such agents, experts or consultants as he thinks fit to assist him in the performance of his functions; (b) to enter into contracts; (c) to establish and maintain the Register; (d) to collect such fees as may be prescribed under this Act; and (e) to do all such other things as he thinks fit to enable him to perform his functions effectively or which may be incidental to or consequential upon the performance of his functions. Appointment of Deputy Registrar and Assistant Registrar 6. (1) The Minister shall appoint such number of public officers as Deputy Registrars and Assistant Registrars as are necessary to assist the Registrar in the performance of his functions and the exercise of his powers under this Act. (2) The Deputy Registrars and Assistant Registrars appointed under subsection (1) shall be subject to the supervision, direction and control of the Registrar. Appointment of officers 7. (1) The Registrar may, with the approval of the Minister, appoint such number of public officers as are necessary to assist the Registrar in the performance of his functions and the exercise of his powers under this Act. Credit Reporting Agencies 15 (2) All officers appointed under subsection (1) shall be subject to the supervision, direction and control of the Registrar. Delegation of Registrar’s functions and powers 8. (1) The Registrar may, subject to such conditions, limitations or restrictions as he may think fit to impose, delegate any of his functions or powers imposed or conferred upon him under this Act, except his power of delegation, to any of the officers appointed under subsections 6(1) and 7(1) and any function or power so delegated may be performed and exercised by the officer in the name and on behalf of the Registrar. (2) The delegation under subsection (1) shall not preclude the Registrar himself from performing or exercising at any time the delegated functions or powers. Register of Credit Reporting Agencies 9. (1) The Registrar shall establish and maintain a Register of Credit Reporting Agencies. (2) The Register shall contain the names and addresses of all credit reporting agencies which have been registered under subsection 14(2) and any other particulars regarding such credit reporting agencies as may be determined by the Registrar. (3) Subject to subsection (4), the Registrar shall make the Register available for inspection by the public, subject to such conditions as he may think fit. (4) A person may on payment of the prescribed fee— (a) inspect the Register; or (b) make a copy of or take extracts from an entry in the Register. Laws of Malaysia 16 Act 710 Restriction on enquiring specifically into affairs of particular customer 10. Without prejudice to the powers of inspection, examination, investigation or enquiry conferred on the Registrar or authorized officer, nothing in this Act shall— (a) authorize the Minister to direct the Registrar; or (b) authorize the Registrar, to enquire specifically into the affairs of a particular customer. Part III REGISTRATION OF CREDIT REPORTING AGENCIES Prohibition to carry on credit reporting business unless registered 11. (1) No person shall carry on a credit reporting business unless— (a) it is a company; and (b) it has been registered as a credit reporting agency and been issued a certificate of registration by the Registrar under subsection 14(5). (2) A person who contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding one million ringgit or to imprisonment for a term not exceeding three years or to both. (3) In the case of a continuing offence, the offender shall, in addition to the penalties under subsection (2), be liable to a fine not exceeding ten thousand ringgit for each day or part of a day during which the offence continues after conviction. Credit Reporting Agencies 17 Restriction to carry on business other than credit reporting business 12. (1) A credit reporting agency shall not carry on any business other than a credit reporting business, unless it has obtained the prior written approval of the Registrar. (2) A person who contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Application for registration 13. (1) A person who intends to carry on a credit reporting business shall submit an application in writing for registration as a credit reporting agency to the Registrar in such form as he may determine. (2) Every application for registration shall be accompanied by— (a) a copy of the memorandum of association and articles of association or other constituent documents under which the applicant is established, and its certificate of incorporation duly verified by a statutory declaration made by a director of the applicant; (b) a copy of the latest audited accounts of the applicant, where applicable; and (c) such other information or documents as may be determined by the Registrar for the purposes of determining the application and the suitability of the applicant. (3) The Registrar may in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents and information within the time as specified by the Registrar. Laws of Malaysia 18 Act 710 (4) If the requirement under subsection (3) is not complied with, the application for registration shall be deemed to have been withdrawn by the applicant and shall not be further proceeded with by the Registrar, but without prejudice to a fresh application being made by the applicant. Certificate of registration 14. (1) In considering an application for registration as a credit reporting agency, the Registrar shall be satisfied that— (a) the applicant has a minimum paid-up capital as prescribed in section 20; and (b) the chief executive and directors of the applicant have fulfilled the criteria as specified in the Third Schedule. (2) After having given due consideration to the application for registration and the conditions as referred to in subsection (1), the Registrar may register the applicant or refuse the application for registration. (3) The decision of the Registrar to register the applicant or refuse the application for registration shall be communicated to the applicant in a written notice issued by the Registrar as soon as practicable. (4) Where the Registrar refuses the application for registration in pursuance of subsection (2), he shall in the written notice issued under subsection (3) state— (a) that the application has been refused; and (b) the reasons for the refusal. (5) Where the Registrar is satisfied that an applicant may be registered under subsection (2), he shall, upon receipt of the prescribed registration fee, issue to the applicant a certificate of registration in such form as may be determined by him, and the certificate of registration may be subject to such conditions or restrictions as the Registrar may think fit to impose. Credit Reporting Agencies 19 (6) The certificate of registration shall be valid for a period not exceeding three years. Renewal of certificate of registration 15. (1) A credit reporting agency may make an application for the renewal of the certificate of registration not later than ninety days before the date of expiry of the certificate of registration in the manner and form as determined by the Registrar and the application shall be accompanied with the prescribed renewal fee and such documents as may be required by the Registrar, but no application for renewal shall be allowed where the application is made after the date of expiry of the certificate of registration. (2) When renewing a certificate of registration, the Registrar may vary the conditions or restrictions imposed upon the issuance of the certificate of registration or impose additional conditions or restrictions. (3) The Registrar may refuse to renew a certificate of registration— (a) if the credit reporting agency has failed to comply with any of the provisions of this Act; (b) if the credit reporting agency has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration; or (c) if he is satisfied that the credit reporting agency is unable to continue the credit reporting business in accordance with this Act. Revocation of registration 16. (1) The Registrar may revoke the registration of a credit reporting agency if he is satisfied that— (a) the credit reporting agency has failed to comply with any of the provisions of this Act; Laws of Malaysia 20 Act 710 (b) the credit reporting agency has failed to comply with any of the conditions or restrictions imposed upon the issuance of the certificate of registration; (c) the issuance of the certificate of registration was induced by a false representation of fact by the credit reporting agency; (d) the credit reporting agency is in the course of being wound up or otherwise dissolved; (e) a receiver, manager or receiver and manager or an equivalent person has been appointed in respect of any property of the credit reporting agency; (f) the credit reporting agency has ceased to carry on the credit reporting business for a continuous period of three months; (g) the credit reporting agency carries on the credit reporting business in addition to other businesses without the prior written approval of the Registrar under subsection 12(1); or (h) the credit reporting agency surrenders its certificate of registration to the Registrar. (2) Notwithstanding subsection (1), the Registrar shall not revoke the registration of the credit reporting agency unless the Registrar is satisfied that, after giving the credit reporting agency an opportunity of making any representation in writing it may wish to make, the registration should be revoked. (3) Where the registration of the credit reporting agency is revoked, the Registrar shall issue a notice of revocation of registration to the credit reporting agency, and the certificate of registration issued in respect of such registration shall have no effect upon service of the notice of revocation of registration. (4) A credit reporting agency whose registration has been revoked under this section and who continues to carry on the credit reporting business thereafter commits an offence and shall, upon conviction, be liable to a fine not exceeding one million ringgit or to imprisonment for a term not exceeding three years or to both. Credit Reporting Agencies 21 (5) In the case of a continuing offence, the offender shall, in addition to the penalties under subsection (4), be liable to a fine not exceeding ten thousand ringgit for each day or part of a day during which the offence continues after conviction. Surrender of certificate of registration 17. (1) Where the certificate of registration is revoked pursuant to section 16, the holder of the certificate shall, within fourteen days from the date of service of the notice of revocation of registration, surrender the certificate to the Registrar. (2) A person who fails to comply with subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Appeal against decision of Registrar 18. Where the Registrar— (a) refuses an application for registration under section 14 or an application for the renewal of registration under section 15; or (b) revokes the certificate of registration under section 16, the person so aggrieved by the decision of the Registrar may appeal to the Minister against such decision in accordance with section 59. Handling of credit information when registration of credit reporting agency is revoked, etc. 19. (1) Any credit reporting agency which— (a) has ceased to be a credit reporting agency; or (b) has its certificate of registration revoked by the Registrar pursuant to section 16, Laws of Malaysia 22 Act 710 shall, within the period as determined by the Registrar, hand over all the credit information in its databases or within its possession, in whatever form available, and the databases, including back-up files, to the Registrar. (2) Upon receipt of the credit information and databases from the credit reporting agency under subsection (1), referred to as the “first credit reporting agency”, the Registrar may decide either— (a) to destroy the credit information and databases; or (b) with the approval of the Minister, to hand over the credit information and databases to another credit reporting agency, referred to as the “subsequent credit reporting agency”, upon payment of compensation by the subsequent credit reporting agency to the first credit reporting agency of an amount to be agreed between the first credit reporting agency and the subsequent credit reporting agency. (3) In granting his approval to the handing over of the credit information and databases of the first credit reporting agency in pursuance of paragraph (2)(b), the Minister shall be satisfied that the subsequent credit reporting agency to which the credit information and databases is proposed to be handed over to has at least similar or equivalent financial abilities, expertise and facilities to that of the first credit reporting agency to assume the processing of the credit information. (4) The subsequent credit reporting agency shall, upon receipt of the credit information and databases under paragraph (2)(b)— (a) inform the customer by written notice of the fact that his credit information has been handed over to the subsequent credit reporting agency; and (b) have the same duties and obligations in relation to that customer as if it was the first credit reporting agency and shall comply with all the provisions of this Act. Credit Reporting Agencies 23 (5) Where the first credit reporting agency hands over any credit information and databases to a subsequent credit reporting agency in pursuance of paragraph (2)(b), any consent obtained by the first credit reporting agency from a customer under paragraph 24(1)(a) shall lapse, and the subsequent credit reporting agency shall obtain the consent of the customer under paragraph 24(1)(a) if it intends to disclose the credit information of the customer under that section. (6) A credit reporting agency which contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Part IV MANAGEMENT OF CREDIT REPORTING AGENCIES Minimum paid-up capital 20. (1) The minimum amount of paid-up capital of a credit reporting agency shall be one million ringgit or such other amount as may be prescribed in an order made by the Minister, on the recommendation of the Registrar, from time to time. (2) Subject to subsection (4), every credit reporting agency shall maintain the minimum amount of paid-up capital as prescribed in subsection (1), and if such minimum amount is at any time increased, the credit reporting agency shall maintain the increased amount within such period as may be stated in the order that prescribed the increased amount, but such period shall not be less than three months. (3) Subject to subsection (4), no person shall be issued a certificate of registration under subsection 14(5) and no credit reporting agency shall carry on a credit reporting business if its paid-up capital unimpaired by losses or otherwise is less than the minimum amount prescribed in subsection (1). Laws of Malaysia 24 Act 710 (4) Where the minimum paid-up capital of a credit reporting agency is less than the minimum amount prescribed at any time under subsection (1), the credit reporting agency may, with the written consent of the Registrar and subject to such terms and conditions as the Registrar may impose, carry on the credit reporting business. (5) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Appointment of chief executive, etc. 21. (1) A credit reporting agency shall appoint a chief executive who shall satisfy the criteria as set out in the Third Schedule. (2) The credit reporting agency shall notify the Registrar of the appointment of its chief executive within fourteen days from the date of the appointment. (3) Where a person, who is a director or chief executive of a credit reporting agency, at any time does not satisfy the criteria as set out in the Third Schedule, he shall immediately cease to hold the office and act in such capacity, and the credit reporting agency concerned shall immediately terminate his appointment in such capacity. (4) A credit reporting agency which contravenes subsection (1) or (2) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit. (5) A person who contravenes subsection (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit. (6) In the case of a continuing offence, the offender shall, in addition to the penalty under subsection (4) or (5), be liable to a fine not exceeding ten thousand ringgit for each day or part of a day during which the offence continues after conviction. Credit Reporting Agencies 25 Part V CONDUCT OF BUSINESS OF CREDIT REPORTING AGENCIES Collection of credit information 22. (1) No credit reporting agency shall collect any credit information about a customer unless— (a) the credit information is collected for a specific and lawful purpose directly related to an activity of the credit reporting agency and shall not be further processed in any manner incompatible with that purpose; (b) the collection of the credit information is necessary for or directly related to that purpose; and (c) the credit information is adequate but not excessive in relation to that purpose. (2) A credit reporting agency which contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. (3) The collection and use of credit information by a credit reporting agency under subsection (1) shall not require the consent of the customer concerned. Notice to customer on processing of credit information 23. (1) A credit reporting agency shall by written notice inform a customer— (a) that credit information of the customer is being processed by or on behalf of the credit reporting agency, and shall provide a description of the credit information to that customer; (b) the purposes for which the credit information is being or is to be processed; Laws of Malaysia 26 Act 710 (c) of any information available to the credit reporting agency as to the source of that credit information; (d) of how to contact the credit reporting agency with any inquiries or complaints in respect of the credit information and of the customer’s right to request access to and to request correction of the credit information; (e) of the subscribers or other persons to whom the credit reporting agency discloses or may disclose the credit information; (f) of the choices and means the credit reporting agency offers the customer for limiting the processing of credit information, including credit information relating to other persons who can be identified from that credit information; (g) whether it is obligatory or voluntary for the customer to supply the credit information; (h) where it is obligatory for the customer to supply the credit information, the consequences for the customer if he fails to supply the credit information; and (i) of a summary of the customer’s rights as contained in the Summary of Rights. (2) The notice under subsection (1) shall be given as soon as practicable to the customer— (a) when the credit reporting agency first collects the credit information of the customer; or (b) when the customer is first asked to provide his credit information to the credit reporting agency, and such notice shall be in the national and English languages. (3) Where the credit reporting agency possesses a website, the credit reporting agency shall conspicuously display on its website a statement that sets out the purposes for which it collects credit information and the purposes for which the credit information will be further processed. Credit Reporting Agencies 27 (4) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Disclosure of credit information 24. (1) No credit reporting agency shall disclose any credit information for any purpose or to any person unless— (a) the customer has given his consent to the disclosure; (b) the disclosure is necessary for the purpose of preventing or detecting crime or for the purpose of investigations; or (c) the disclosure is required or authorized by or under any law, or by the order of a court. (2) Subject to subsection (3), where a credit reporting agency has obtained the consent of the customer under paragraph (1)(a), it shall not disclose the credit information— (a) for any other purpose other than the purpose for which; or (b) to any other person other than the person to whom, the customer has consented under that paragraph. (3) Where a credit reporting agency intends to disclose the credit information— (a) for any other purpose other than the purpose for which the customer has consented to under paragraph (1)(a); or (b) to any other person other than the person to whom the customer has consented to under paragraph (1)(a), Laws of Malaysia 28 Act 710 the credit reporting agency shall obtain the consent of the customer under paragraph (1)(a) to disclose the credit information for that other purpose or to that other person, as the case may be. (4) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Prohibited disclosure in credit report 25. (1) Subject to section 24, a credit reporting agency shall not include any of the following in a credit report: (a) any information unless such information includes the name and address of the source of the credit information; (b) any information unless the identity of the customer can be identified; (c) any information in relation to a person’s bankruptcy two years after the date of his discharge from the bankruptcy; (d) any information in relation to a pecuniary action in court against a person more than two years after the date of commencement of the proceedings, unless the current status of the court action has been ascertained and is included in the credit report; and (e) any information in relation to any default in repayment of credit two years after the date of final settlement of the amount in default, including settlement of the amounts payable pursuant to a scheme of arrangement with the credit provider. (2) A credit reporting agency which contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Credit Reporting Agencies 29 Storage and security of credit information 26. (1) A credit reporting agency shall, when processing any credit information, take practical steps to protect the credit information from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard— (a) to the nature of the credit information and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction; (b) to the place or location where the credit information is stored; (c) to any security measures incorporated into any equipment in which the credit information is stored; (d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the credit information; and (e) to the measures taken for ensuring the secure transfer of the credit information. (2) Where processing of credit information is carried out by a credit information processor on behalf of the credit reporting agency, the credit reporting agency shall, for the purpose of protecting the credit information from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the credit information processor— (a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and (b) takes reasonable steps to ensure compliance with those measures. Laws of Malaysia 30 Act 710 (3) Without limiting the generality of subsections (1) and (2), a credit reporting agency shall take the following measures to safeguard the credit information it holds against unauthorized access or misuse: (a) develop written policies and procedures to be followed by its credit information processors, its employees, agents and contractors, or any other person providing services to it; (b) impose access authentication controls such as the use of passwords, credential tokens, digital signatures or other mechanisms; (c) provide information and training to its employees to ensure compliance with the policies, procedures and controls; (d) ensure that a subscriber agreement that complies with the Fourth Schedule is in place before disclosing the credit information to a subscriber; (e) identify and investigate possible breaches of the subscriber agreement, policies, procedures and controls; (f) take prompt and effective action in respect of any breaches that are identified; (g) systematically review the effectiveness of the policies, procedures and controls and promptly remedy any deficiencies; and (h) maintain an access log. (4) Without prejudice to section 27, a credit reporting agency shall ensure that if it is necessary for the credit information to be given to a person in connection with the provision of a service to the credit reporting agency, the credit reporting agency shall take all reasonable measures to prevent any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction of the credit information. Credit Reporting Agencies 31 (5) The access authentication controls required under paragraph (3)(b) shall include, in respect of an access made, a means of identifying both the subscriber and the specific person of the subscriber who have access to the credit information, or other person who has access to that credit information. (6) The access log required under paragraph (3)(h)— (a) shall include a record of the time and date of access to the credit information, the identity of the subscriber or other person who has access to the credit information, and the purpose in relation to each access; and (b) shall identify or provide a means to identify the specific person of the subscriber who has accessed that credit information and the specific customer whose credit information was so accessed. (7) A credit reporting agency shall ensure that the access log contains records of all accesses made for a period of not less than two years preceding the date of the access. (8) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Obligation of subscribers, etc. 27. (1) Any subscriber or other person, including a person providing services to a credit reporting agency, who has access to the credit information processed by the credit reporting agency shall take appropriate measures to safeguard the credit information against any unauthorized or improper access, use, modification or disclosure, including— (a) developing written policies and procedures to be followed by its employees, agents and contractors; (b) establishing controls, including— (i) the use of passwords, credential tokens, digital signatures or other mechanisms; and Laws of Malaysia 32 Act 710 (ii) user identification; (c) providing information and training to ensure compliance with the policies, procedures and controls; (d) monitoring usage and regularly checking compliance with the policies, procedures and controls; (e) taking appropriate action in relation to identified breaches of the policies, procedures and controls; and (f) maintenance of logs of all accesses, amendments and audit trails to the credit information provided to it by the credit reporting agency. (2) A person who contravenes subsection (1) commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Unfavourable credit action 28. Where a credit provider has taken an unfavourable credit action against a customer based on a credit report, the credit provider shall, upon request of the customer, disclose to the customer— (a) that the unfavourable credit action was on the basis of the credit report provided by a credit reporting agency; and (b) the identity of the credit reporting agency from which the credit report was obtained that resulted in such unfavourable credit action. Accuracy of credit information 29. (1) A credit reporting agency shall not use or further process any credit information without taking such steps as are in the circumstances reasonable to ensure that the credit information is accurate, up-to-date, complete, relevant and not misleading. Credit Reporting Agencies 33 (2) A credit reporting agency shall, when undertaking a comparison of credit information within its control with any other credit information for the purpose of producing or verifying information about an identifiable customer, take such measures as are reasonably practicable to avoid the incorrect matching of the credit information. (3) Without limiting the generality of subsection (1), a credit reporting agency shall— (a) establish and maintain controls to ensure that, as far as is reasonably practicable, only credit information that is accurate, up-to-date, complete, relevant and not misleading is used or further processed; (b) monitor credit information to ensure that it is accurate, up-to-date, complete, relevant and not misleading; and (c) conduct regular checks on compliance with the controls. (4) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Right of access to credit information or credit report 30. (1) Subject to subsection (5), a credit reporting agency shall not later than twenty-one days from the date of receipt of an access request from a requestor— (a) provide the requestor with a confirmation of whether or not the credit reporting agency has processed the credit information of a customer; and (b) where the credit reporting agency has processed the credit information of the customer, it shall— (i) allow the requestor to have access to the credit information held; or Laws of Malaysia 34 Act 710 (ii) allow the requestor to have access to the credit information held and any credit report furnished by the credit reporting agency to any subscriber or other person, within the period of twelve months preceding the date of the access request; or (c) where the credit reporting agency has processed the credit information of the customer, it shall, upon payment of the prescribed fee by the requestor, supply the requestor with— (i) a copy of the credit information mentioned in paragraph (b); or (ii) a copy of the credit report mentioned in subparagraph (b)(ii) in an intelligible form. (2) Where a credit reporting agency does not hold the credit information, but controls the processing of the credit information in such a way as to prohibit the credit reporting agency which holds the credit information from complying, whether in whole or in part, with the access request under subsection (1) which relates to the credit information, the first-mentioned credit reporting agency shall be deemed to hold the credit information and the provisions of this Act shall be construed accordingly. (3) Subject to subsection (5), a credit reporting agency which is unable to comply with an access request within the period as specified in subsection (1) shall, before the expiration of that period— (a) inform the requestor by notice in writing that it is unable to comply with the access request and the reasons why it is unable to do so; and (b) comply with the access request to the extent that it is able to do so. (4) Where the requestor is given access to, or supplied with a copy of the credit information or credit report pursuant to subsection (1), the credit reporting agency shall advise the requestor that he may request for the correction of that credit information or credit report under section 31. Credit Reporting Agencies 35 (5) A credit reporting agency may refuse to comply with an access request made under subsection (1) if— (a) the credit reporting agency is not supplied with such information as it may reasonably require— (i) in order to satisfy itself as to the identity of the requestor; or (ii) where the requestor claims to be a relevant person, in order to satisfy itself— (A) as to the identity of the customer in relation to whom the requestor claims to be the relevant person; and (B) that the requestor is the relevant person in relation to the customer; (b) the credit reporting agency is not supplied with such information as it may reasonably require to locate the credit information to which the access request relates; (c) the burden or expense of providing access is disproportionate to the risks to the customer’s privacy in relation to the credit information in the case in question; (d) the credit reporting agency cannot comply with the access request without disclosing credit information relating to another person who can be identified from that information, unless— (i) that other person has consented to the disclosure of the credit information to the requestor; or (ii) it is reasonable in all the circumstances to comply with the access request without the consent of the other person; (e) subject to subsection (7), any other credit reporting agency controls the processing of the credit information to which the access request relates in such a way as to prohibit the first-mentioned credit reporting agency from complying, whether in whole or in part, with the access request; Laws of Malaysia 36 Act 710 (f) providing access would constitute a violation of an order of a court; (g) providing access would disclose confidential commercial information; or (h) such access to credit information is regulated by another law. (6) In determining for the purposes of subparagraph (5)(d)(ii) whether it is reasonable in all circumstances to comply with the access request without the consent of the other person, regard shall be had, in particular, to— (a) any duty of confidentiality owed to the other person; (b) any steps taken by the credit reporting agency with a view to seeking the consent of the other person; (c) whether the other person is capable of giving consent; and (d) any express refusal of consent by the other person. (7) Paragraph (5)(e) shall not operate so as to excuse the credit reporting agency from complying with the access request— (a) in so far as the access request relates to paragraph (1)(a), to any extent; or (b) in so far as the access request relates to paragraph (1)(b) or (c), to any extent that the credit reporting agency can comply with the request without contravening the prohibition concerned. (8) Where the credit reporting agency refuses to comply with an access request under subsection (1), the credit reporting agency shall not later than twenty-one days from the date of receipt of the access request, by notice in writing— (a) inform the requestor of the refusal and the reasons for the refusal; Credit Reporting Agencies 37 (b) advise the requestor of his rights under section 35; and (c) provide the requestor with a copy of the Summary of Rights. (9) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Right to correct credit information or credit report 31. (1) Where— (a) a copy of the credit information or credit report has been supplied by the credit reporting agency in compliance with an access request under section 30 and the requestor considers that the credit information or credit report is inaccurate, not up-to-date, incomplete, irrelevant or misleading; or (b) the customer knows that the credit information being held by the credit reporting agency is inaccurate, not up-to-date, incomplete, irrelevant or misleading, the requestor or customer, as the case may be, may make a correction request in writing to the credit reporting agency that it makes the necessary correction to the credit information or credit report. (2) Where a credit reporting agency does not hold the credit information, but controls the processing of the credit information in such a way as to prohibit the credit reporting agency who holds the credit information from complying, whether in whole or in part, with the correction request under subsection (1) which relates to the credit information, the first-mentioned credit reporting agency shall be deemed to be the credit reporting agency to whom such a request may be made and the provisions of this Act shall be construed accordingly. Laws of Malaysia 38 Act 710 (3) A credit reporting agency shall upon being satisfied that the credit information or credit report to which a correction request under subsection (1) relates is inaccurate, not up-to-date, incomplete, irrelevant or misleading, or on its own initiative— (a) take steps to correct the credit information or credit report to ensure that the credit information or credit report is accurate, up-to-date, complete, relevant and not misleading; (b) pending the making of any correction under paragraph (a), either suppress the disputed credit information or credit report or clearly identify the credit information or credit report as disputed and being checked for accuracy; and (c) provide the requestor with a copy of the Summary of Rights. (4) Subject to subsections (5), (7) and (8), where a credit reporting agency receives a correction request under subsection (1), the credit reporting agency shall not later than twenty-one days from the date of receipt of the correction request— (a) inform the requestor of the action taken as a result of the correction request; (b) inform the requestor of the correction made in compliance with the request and supply the requestor with a copy of the credit information or credit report as corrected; and (c) subject to subsection (6), where— (i) the credit information or credit report has been disclosed to a subscriber or other person during the twelve months immediately preceding the day on which the correction is made; and (ii) the credit reporting agency has no reason to believe that the subscriber or other person has ceased using that credit information or credit report for the purpose, including any directly related purpose, for which the credit information or credit report was disclosed to the subscriber or other person, Credit Reporting Agencies 39 take all practicable steps to supply the subscriber or other person with a copy of that credit information or credit report as so corrected accompanied by a notice in writing stating the reasons for the correction. (5) A credit reporting agency which is unable to comply with a correction request within the period specified in subsection (4) shall before the expiration of that period— (a) inform the requestor by notice in writing that it is unable to comply with the correction request within such period and the reasons why he is unable to do so; and (b) comply with the correction request to the extent that it is able to do so. (6) A credit reporting agency is not required to comply with paragraph (4)(c) in any case where the disclosure of the credit information or credit report to a subscriber or other person consists of the subscriber’s or other person’s own inspection of the Register— (a) in which the credit information or credit report is entered or otherwise recorded; and (b) which is available for inspection by the public. (7) Where a credit reporting agency is requested to correct the credit information under subsection (1) and the credit information is being processed by another credit reporting agency that is in a better position to respond to the correction request— (a) the first-mentioned credit reporting agency shall immediately transfer the correction request to such credit reporting agency, and notify the requestor of this fact; and (b) section 31 shall apply as if the references therein to a credit reporting agency were references to such other credit reporting agency. Laws of Malaysia 40 Act 710 (8) A credit reporting agency may refuse to comply with a correction request if— (a) the credit reporting agency is not supplied with such information as it may reasonably require— (i) in order to satisfy itself as to the identity of the requestor; or (ii) where the requestor claims to be a relevant person, in order to satisfy itself— (A) as to the identity of the customer in relation to whom the requestor claims to be the relevant person; and (B) that the requestor is the relevant person in relation to the customer; (b) the credit reporting agency is not supplied with such information as it may reasonably require to ascertain in what way the credit information or credit report to which the correction request relates is inaccurate, not up-to-date, incomplete, irrelevant or misleading; (c) the credit reporting agency is not satisfied that the credit information or credit report to which the correction request relates is inaccurate, not up-to-date, incomplete, irrelevant or misleading; (d) the credit reporting agency is not satisfied that the correction which is the subject of the correction request is accurate, up-to-date, complete, relevant or not misleading; or (e) subject to subsection (9), any other credit reporting agency controls the processing of the credit information to which the correction request relates in such a way as to prohibit the first-mentioned credit reporting agency from complying, whether in whole or in part, with the correction request. Credit Reporting Agencies 41 (9) Paragraph (8)(e) shall not operate so as to excuse the credit reporting agency from complying with subsection (4) in relation to the correction request concerned to the extent that the credit reporting agency can comply with that subsection without contravening the prohibition concerned. (10) Where a credit reporting agency refuses to comply with a correction request under subsection (1), the credit reporting agency shall, not later than twenty-one days from the date of receipt of the correction request, by notice in writing— (a) notify the requestor of the refusal and the reasons for such refusal; (b) advise the requestor that there is attached to the credit information or credit report a statement of the correction sought but not made; (c) if so requested by the requestor, take such steps as are reasonable in the circumstances to attach to the credit information or credit report, in such a manner that it will always be read with the credit information or credit report, any statement provided by the requestor of the correction sought; (d) where paragraph (8)(e) is applicable, notify the requestor of the name and address of the other credit reporting agency concerned; and (e) advise the requestor of his rights under section 35. (11) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Laws of Malaysia 42 Act 710 Part VI INSPECTION, COMPLAINT AND INVESTIGATION Inspection of data system 32. (1) The Registrar may carry out an inspection of any data system used by credit reporting agencies for the purpose of ascertaining information to assist the Registrar in making recommendations to the relevant credit reporting agency relating to the promotion of compliance with the provisions of this Act by the relevant credit reporting agency. (2) For the purposes of this section— “credit reporting agency” includes a credit information processor; “data system” means any system, whether automated or otherwise, which is used, whether in whole or in part, by a credit reporting agency for the processing of credit information, and includes any document and equipment forming part of the system. Relevant credit reporting agency to be informed of result of inspection 33. Where the Registrar has completed an inspection of a data system, he shall in such manner and at such time as he thinks fit inform the relevant credit reporting agency of— (a) the results of the inspection; (b) any recommendations arising from the inspection that the Registrar thinks fit to make relating to the promotion of compliance with the provisions of this Act by the relevant credit reporting agency; and (c) such other comments arising from the inspection as he thinks fit. Credit Reporting Agencies 43 Reports by Registrar 34. (1) The Registrar may, after completing the inspection of any data system used by a credit reporting agency, publish a report— (a) setting out any recommendations arising from the inspection that the Registrar thinks fit to make relating to the promotion of compliance with the provisions of this Act by the relevant credit reporting agency; and (b) in such manner as he thinks fit. (2) A report published under subsection (1) shall be so framed as to prevent the identity of any individual being ascertained from it. Complaint 35. Any person or relevant person may make a complaint in writing to the Registrar about an act, practice or request— (a) specified in the complaint; (b) that has been done or engaged in, or is being done or engaged in, by the relevant credit reporting agency specified in the complaint; (c) that relates to credit information of which the person is the customer; and (d) that may be a contravention of the provisions of this Act, including any codes of practice. Investigation by Registrar 36. (1) Where the Registrar receives a complaint under section 35, the Registrar shall, subject to section 37, carry out an investigation in relation to the relevant credit reporting agency to ascertain whether the act, practice or request specified in the complaint contravenes the provisions of this Act. Laws of Malaysia 44 Act 710 (2) Where the Registrar has reasonable grounds to believe that an act, practice or request has been done or engaged in, or is being done or engaged in, by the relevant credit reporting agency that relates to credit information and such act, practice or request may be a contravention of the provisions of this Act, the Registrar may carry out an investigation in relation to the relevant credit reporting agency to ascertain whether the act, practice or request contravenes the provisions of this Act. (3) The provisions of Part VII shall apply in respect of investigations carried out by the Registrar under this Part. Restriction on investigation initiated by complaint 37. (1) The Registrar may refuse to carry out or continue an investigation initiated by a complaint if he is of the opinion that, having regard to all the circumstances of the case— (a) the complaint, or a complaint of a substantially similar nature, has previously initiated an investigation as a result of which the Registrar was of the opinion that there has been no contravention of the provisions of this Act; (b) the act, practice or request specified in the complaint is trivial; (c) the complaint is frivolous, vexatious or is not made in good faith; or (d) any investigation or further investigation is for any other reason unnecessary. (2) Notwithstanding the generality of the powers conferred on the Registrar by this Act, the Registrar may refuse to carry out or continue an investigation initiated by a complaint— (a) if— (i) the complainant; or (ii) in the case where the complainant is a relevant person in relation to a customer, the customer or relevant person, as the case may be, Credit Reporting Agencies 45 has had actual knowledge of the act, practice or request specified in the complaint for more than two years immediately preceding the date on which the Registrar received the complaint, unless the Registrar is satisfied that in all the circumstances of the case it is proper to carry out or continue the investigation; (b) if the complaint is made anonymously; (c) if the complainant cannot be identified or traced; (d) if the Registrar is satisfied that the relevant credit reporting agency has not been a credit reporting agency for a period of not less than two years immediately preceding the date on which the Registrar received the complaint; or (e) in any other circumstances as he thinks fit. (3) Where the Registrar refuses under this section to carry out or continue an investigation initiated by a complaint, he shall, as soon as practicable but in any case not later than thirty days after the date of receipt of the complaint, by notice in writing served on the complainant inform the complainant of the refusal and of the reasons for the refusal. (4) An appeal may be made to the Minister against any refusal specified in the notice under subsection (3) by the complainant on whom the notice was served or if the complainant is a relevant person, by the customer in respect of whom the complainant is the relevant person. Registrar may carry out or continue investigation initiated by complaint notwithstanding withdrawal of complaint 38. Where the Registrar is of the opinion that it is in the public interest so to do, he may carry out or continue an investigation initiated by a complaint notwithstanding that the complainant has withdrawn the complaint and, in any such case, the provisions of this Act shall apply to the complaint and the complainant as if the complaint had not been withdrawn. Laws of Malaysia 46 Act 710 Enforcement notice 39. (1) Where, following the completion of an investigation about an act, practice or request specified in the complaint, the Registrar is of the opinion that the relevant credit reporting agency— (a) is contravening a provision of this Act; or (b) has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated, then the Registrar may serve on the relevant credit reporting agency an enforcement notice— (A) stating that he is of that opinion; (B) specifying the provision of this Act on which he has based that opinion and the reasons why he is of that opinion; (C) directing the relevant credit reporting agency to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice; and (D) directing, where necessary, the relevant credit reporting agency to cease processing the credit information pending the remedy of the contravention by the relevant credit reporting agency. (2) In deciding whether to serve an enforcement notice, the Registrar shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the customer of the credit information to which the contravention or matter relates. (3) The steps as specified in the enforcement notice to remedy the contravention or matter to which the enforcement notice relates may be framed— (a) to any extent by reference to any code of practice issued under section 75; or Credit Reporting Agencies 47 (b) so as to afford the relevant credit reporting agency a choice between different ways of remedying the contravention or matter. (4) The period specified in an enforcement notice under subsection (1) for taking the steps specified in it shall not expire before the end of the period specified in subsection 59(2) within which an appeal against the enforcement notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal. (5) Notwithstanding subsection (4), if the Registrar is of the opinion that by reason of special circumstances the steps specified in the enforcement notice should be taken as a matter of urgency— (a) he may include a statement to that effect in the enforcement notice together with the reasons why he is of that opinion; and (b) where such a statement is so included, subsection (4) shall not apply but the enforcement notice shall not require those steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served. (6) An appeal may be made to the Minister against an enforcement notice by the relevant credit reporting agency in accordance with section 59. (7) Where the Registrar— (a) forms an opinion referred to in subsection (1) in respect of the relevant credit reporting agency at any time before the completion of an investigation; and (b) is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant credit reporting agency as a matter of urgency, Laws of Malaysia 48 Act 710 he may so serve the enforcement notice notwithstanding that the investigation has not been completed and, in any such case— (A) the Registrar shall, without prejudice to any other matters to be included in the enforcement notice, specify in the enforcement notice the reasons as to why he is of the opinion referred to in paragraph (b); and (B) the other provisions of this Act, including this section, shall be construed accordingly. (8) A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Variation or cancellation of enforcement notice 40. The Registrar may, on his own initiative or on the application of a relevant credit reporting agency, vary or cancel an enforcement notice served under subsection 39(1) by notice in writing to the relevant credit reporting agency if the Registrar is satisfied with the action taken by the relevant credit reporting agency to remedy the contravention. Part VII ENFORCEMENT Authorized officers 41. The Registrar may, either generally or in any particular case, in writing authorize any officer appointed under subsection 6(1) or 7(1) or any public officer to exercise the powers of enforcement under this Act. Authority card 42. (1) The Registrar shall issue to each authorized officer an authority card which shall be signed by the Registrar. Credit Reporting Agencies 49 (2) Whenever the authorized officer exercises any of the powers of enforcement under this Act, he shall produce on demand to the person against whom the power is being exercised the authority card issued to him under subsection (1). Power of investigation 43. (1) An authorized officer may investigate the commission of any offence under this Act. (2) For the avoidance of doubt, it is declared that for the purposes of this Act, the authorized officer shall have all or any of the special powers of a police officer of whatever rank in relation to police investigations in seizable cases as provided for under the Criminal Procedure Code [Act 593], and such powers shall be in addition to the powers provided for under this Act and not in derogation thereof. Search and seizure with warrant 44. (1) If it appears to a Magistrate, upon written information on oath from the authorized officer and after such inquiry as the Magistrate considers necessary, that there is reasonable cause to believe that— (a) any premises has been used for; or (b) there is in any premises evidence necessary to the conduct of an investigation into, the commission of an offence under this Act, the Magistrate may issue a warrant authorizing the authorized officer named in the warrant at any reasonable time by day or night and with or without assistance, to enter the premises and if need be by force. (2) Without affecting the generality of subsection (1), the warrant issued by the Magistrate may authorize the search and seizure of— (a) any computer, book, account, computerized data or other document which contains or is reasonably suspected to contain information as to any offence suspected to have been committed; Laws of Malaysia 50 Act 710 (b) any signboard, card, letter, pamphlet, leaflet or notice representing or implying that the person is registered under this Act; or (c) any equipment, instrument or article that is reasonably believed to furnish evidence of the commission of the offence. (3) An authorized officer conducting a search under subsection (1) may, for the purpose of investigating into the offence, search any person who is in or on the premises. (4) An authorized officer making a search of a person under subsection (3) or section 45 may seize or take possession of, and place in safe custody all things other than the necessary clothing found upon the person, and any of those things which there is reason to believe were the instruments or other evidence of the offence may be detained until the discharge or acquittal of the person. (5) Whenever it is necessary to cause a woman to be searched, the search shall be made by another woman with strict regard to decency. (6) If, by the reason of its nature, size or amount, it is not practicable to remove any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this section, the authorized officer shall by any means seal such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article in the premises or container in which it is found. (7) A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (6) or removes any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under seal or attempts to do so commits an offence and shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding six months or to both. Credit Reporting Agencies 51 Search and seizure without warrant 45. If an authorized officer is satisfied upon information received that he has reasonable cause to believe that by reason of delay in obtaining a search warrant under section 44 the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, the authorized officer may enter the premises and exercise in, upon and in respect of the premises all the powers referred to in section 44 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section. Access to computerized data 46. (1) An authorized officer conducting a search under sections 44 and 45 shall be given access to computerized data whether stored in a computer or otherwise. (2) For the purposes of this section, “access”— (a) includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data; and (b) has the meaning assigned to it by subsections 2(2) and (5) of the Computer Crimes Act 1997 [Act 563]. Warrant admissible notwithstanding defects 47. A search warrant issued under this Act shall be valid and enforceable notwithstanding any defect, mistake or omission therein or in the application for such warrant, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under such warrant shall be admissible in evidence in any proceedings under this Act. Laws of Malaysia 52 Act 710 List of computer, book, account, etc., seized 48. (1) Except as provided in subsection (2), where any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is seized pursuant to this Act, the authorized officer making the seizure— (a) shall prepare— (i) a list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and shall sign the list; and (ii) a written notice of such seizure containing the grounds for the seizure and shall sign the notice; and (b) shall as soon as practicable serve a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and the written notice of the seizure to the occupier of the premises which have been searched, or to his agent or servant at those premises. (2) The written notice of the seizure shall not be required to be served in pursuance of paragraph (1)(b) where the seizure is made in the presence of the person against whom proceedings under this Act are intended to be taken, or in the presence of the owner of such property or his agent, as the case may be. (3) If the premises are unoccupied, the authorized officer shall post a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized conspicuously on the premises. Credit Reporting Agencies 53 Release of computer, book, account, etc., seized 49. (1) If any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article has been seized under this Act, the authorized officer who effected the seizure may, after referring to the Public Prosecutor, release the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article to the person as he determines to be lawfully entitled to it, if he is satisfied that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is not liable to forfeiture under this Act, and is not otherwise required for the purpose of any proceedings under this Act or for the purpose of any prosecution under any other written law, and in such event neither the authorized officer effecting the seizure, nor the Federal Government, Registrar or any person acting on behalf of the Federal Government or Registrar shall be liable to any proceedings by any person if the seizure and the release of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article had been effected in good faith. (2) A record in writing shall be made by the authorized officer effecting the release of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under subsection (1) specifying in detail the circumstances of and the reason for the release, and he shall send a copy of the record to the Public Prosecutor within seven days of the release. No cost or damages arising from seizure to be recoverable 50. No person shall, in any proceedings before any court in respect of any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in the exercise or the purported exercise of any power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause. Laws of Malaysia 54 Act 710 Obstruction to search 51. Any person who— (a) refuses any authorized officer access to any premise which the authorized officer is entitled to have under this Act or in the execution of any duty imposed or power conferred by this Act; (b) assaults, obstructs, hinders or delays any authorized officer in effecting any entry which the authorized officer is entitled to effect under this Act, or in the execution of any duty imposed or power conferred by this Act; or (c) refuses any authorized officer any information relating to an offence or suspected offence under this Act or any other information which may reasonably be required of him and which he has in his knowledge or power to give, commits an offence and shall, on conviction, be liable to imprisonment for a term not exceeding two years or to a fine not exceeding two hundred thousand ringgit or to both. Power to require production of computer, book, account, etc. 52. An authorized officer shall, for the purposes of the execution of this Part, have the power to do all or any of the following: (a) to require the production of any computer, book, account, computerized data or other document kept by the credit reporting agency or any other person and to inspect, examine and to download from them, make copies of them or take extracts from them; (b) to require the production of any identification document from any person in relation to any act or offence under this Act; (c) to make such enquiries as may be necessary to ascertain whether the provisions of this Act have been complied with. Credit Reporting Agencies 55 Power to require attendance of persons acquainted with case 53. (1) An authorized officer making an investigation under this Act may by order in writing require the attendance before himself of any person who appears to the authorized officer to be acquainted with the facts and circumstances of the case, and such person shall attend as so required. (2) If any person refuses or fails to attend as so required, the authorized officer may report such refusal or failure to a Magistrate who shall issue a summons to secure the attendance of such person as may be required by the order made under subsection (1). Examination of persons acquainted with case 54. (1) An authorized officer making an investigation under this Act may examine orally any person supposed to be acquainted with the facts and circumstances of the case and shall reduce into writing any statement made by the person so examined. (2) Such person shall be bound to answer all questions relating to the case put to him by the authorized officer: Provided that such person may refuse to answer any question the answer to which would have a tendency to expose him to a criminal charge or penalty or forfeiture. (3) A person making a statement under this section shall be legally bound to state the truth, whether or not such statement is made wholly or partly in answer to questions. (4) The authorized officer examining a person under subsection (1) shall first inform that person of the provisions of subsections (2) and (3). (5) A statement made by any person under this section shall, whenever possible, be taken down in writing and signed by the person making it or affixed with his thumb print, as the case may be, after it has been read to him in the language in which he made it and after he has been given an opportunity to make any corrections he may wish. Laws of Malaysia 56 Act 710 Admission of statements in evidence 55. (1) Except as provided in this section, no statement made by any person to an authorized officer in the course of an investigation made under this Act shall be used in evidence. (2) When any witness is called for the prosecution or for the defence, other than the accused, the court shall, on the request of the accused or the prosecutor, refer to any statement made by that witness to the authorized officer in the course of the investigation under this Act and may then, if the courts thinks fit in the interest of justice, direct the accused to be furnished with a copy of it and the statement may be used to impeach the credit of the witness in the manner provided by the Evidence Act 1950. (3) Where the accused had made a statement during the course of an investigation, such statement may be admitted in evidence in support of his defence during the course of the trial. (4) Nothing in this section shall be deemed to apply to any statement made in the course of an identification parade or falling within section 27 or paragraphs 32(1)(a), (i) and (j) of the Evidence Act 1950. (5) When any person is charged with any offence in relation to— (a) the making; or (b) the contents, of any statement made by him to an authorized officer in the course of an investigation made under this Act, that statement may be used as evidence in the prosecution’s case. Forfeiture of computer, book, account, etc., seized 56. (1) Any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized shall be liable to forfeiture. Credit Reporting Agencies 57 (2) An order for the forfeiture of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and liable to forfeiture under this Act shall be made by the court before which the prosecution with regard thereto has been held if it is proved to the satisfaction of the court that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject of or was used in the commission of the offence, notwithstanding that no person has been convicted of such offence. (3) If there is no prosecution with regard to any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this Act, such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article shall be taken and deemed to be forfeited at the expiration of a period of one calendar month from the date of service of a notice to the last known address of the person from whom the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article was seized indicating that there is no prosecution in respect of such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article, unless before the expiration of that period a claim thereto is made in the manner set out in subsections (4), (5) and (6). (4) Any person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article referred to in subsection (3) and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is not liable to forfeiture may, personally or by his agent authorized in writing, give written notice to the authorized officer in whose possession such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is held that he claims the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article. Laws of Malaysia 58 Act 710 (5) On receipt of the notice under subsection (4), the authorized officer shall refer the matter to a Magistrate for his decision. (6) The Magistrate to whom the matter is referred under subsection (5) shall issue a summons requiring the person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article and the person from whom the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article was seized to appear before the Magistrate, and upon their appearance or default to appear, due service of the summons having been proved, the Magistrate shall proceed to the examination of the matter and, on proof that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject matter of or was used in the commission of such offence, the Magistrate shall order the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article to be forfeited, and shall, in the absence of such proof, order its release. (7) Any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article forfeited or deemed to be forfeited shall be delivered to the Registrar and shall be disposed of in such manner as the Registrar thinks fit. Joinder of offences 57. Notwithstanding anything contained in section 164 of the Criminal Procedure Code, where a person is accused of more than one offence under this Act, he may be charged with and tried at one trial for any number of such offences committed within the space of any length of time. Credit Reporting Agencies 59 Power of arrest 58. (1) An authorized officer or police officer may arrest without warrant any person whom he reasonably believes has committed or is attempting to commit an offence under this Act. (2) An authorized officer making an arrest under subsection (1) shall without unnecessary delay make over the person so arrested to the nearest police officer or, in the absence of a police officer, take such person to the nearest police station, and thereafter the person shall be dealt with as is provided for by the law relating to criminal procedure for the time being in force as if he had been arrested by a police officer. Part VIII MISCELLANEOUS Appeal to Minister 59. (1) A person who is aggrieved by a decision of the Registrar may appeal to the Minister. (2) An appeal shall be made in writing to the Minister within thirty days from the date of the decision of the Registrar or, in the case of an enforcement notice, within thirty days after the enforcement notice is served upon the relevant credit reporting agency, and the appellant shall serve a copy of the appeal upon the Registrar. (3) The appeal shall state briefly the substance of the decision of the Registrar against which an appeal is made to the Minister, contain an address at which any notice or document connected with the appeal may be served upon the appellant or his advocate, and shall be signed by the appellant or his advocate. (4) A decision of the Registrar shall be valid, binding and enforceable pending the decision of an appeal by the Minister, except where an appeal against an enforcement notice has been made to the Minister in accordance with subsection (2), or a stay of the decision of the Registrar has been applied for under subsection (5) and granted by the Minister. Laws of Malaysia 60 Act 710 (5) An aggrieved person may apply in writing to the Minister for a stay of the decision of the Registrar on or after the appeal has been made to the Minister under subsection (1). (6) The Minister shall, after considering the appeal, make such decision as he thinks fit and the decision of the Minister shall be final and binding on the parties to the appeal. Exemption 60. (1) The Minister may, on the recommendation of the Registrar, if he considers it consistent with the purposes of this Act or in the interest of the public, by order published in the Gazette exempt a credit reporting agency, person or such class, category or description of persons, from all or any of the provisions of this Act for such duration and subject to such terms and conditions as the Minister may specify. (2) The Minister may at any time, on the recommendation of the Registrar, by order published in the Gazette, revoke any order made under subsection (1). Transfer of credit information to places outside Malaysia 61. (1) A credit reporting agency shall not transfer any credit information of a customer to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Registrar, by notification published in the Gazette. (2) For the purposes of subsection (1), the Minister may specify any place outside Malaysia if— (a) there is in that place in force any law which is substantially similar to that as provided under this Act, or that serves the same purposes as this Act; or (b) that place ensures an adequate level of protection in relation to the processing of credit information which is at least equivalent to the level of protection afforded by this Act. Credit Reporting Agencies 61 (3) Notwithstanding subsection (1), a credit reporting agency may transfer any credit information to a place outside Malaysia if— (a) the customer has given his consent to the transfer; (b) the transfer is necessary for the performance of a contract between the customer and the credit reporting agency; (c) the transfer is necessary for the conclusion or performance of a contract between the credit reporting agency and a subscriber or other person which— (i) is entered into at the request of the customer; or (ii) is in the interests of the customer; (d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or establishing, exercising or defending legal rights; (e) the credit reporting agency has reasonable grounds for believing that in all circumstances of the case— (i) the transfer is for the avoidance or mitigation of unfavourable credit action against the customer; (ii) it is not practicable to obtain the consent in writing of the customer to that transfer; and (iii) if it was practicable to obtain such consent, the customer would have given his consent; (f) the credit reporting agency has taken all reasonable precautions and exercised all due diligence to ensure that the credit information will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act; or (g) the transfer is necessary in order to protect the interests of the customer or the database of credit information owned by the credit reporting agency. Laws of Malaysia 62 Act 710 (4) Where the Registrar has reasonable grounds for believing that in a place as specified under subsection (1) there is no longer in force any law which is substantially similar to that as provided under this Act, or that serves the same purposes as this Act— (a) the Registrar shall make such recommendations to the Minister who shall, either by cancelling or amending the notification made under subsection (1), cause that place to cease to be a place to which credit information may be transferred under this section; and (b) the credit reporting agency shall cease to transfer any credit information of a customer to such place with effect from the time as specified by the Minister in the notification. (5) A credit reporting agency which contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Unlawful collecting, etc., of credit information 62. (1) A person shall not knowingly or recklessly, without the consent of the credit reporting agency— (a) collect or disclose credit information that is held by the credit reporting agency; or (b) procure the disclosure to another person of credit information that is held by the credit reporting agency. (2) Subsection (1) shall not apply to a person who shows— (a) that the collecting or disclosing of credit information or procuring the disclosure of credit information— (i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or (ii) was required or authorized by or under any law or by the order of a court; Credit Reporting Agencies 63 (b) that he acted in the reasonable belief that he had in law the right to collect or disclose the credit information or to procure the disclosure of the credit information to the other person; or (c) that he acted in the reasonable belief that he would have had the consent of the credit reporting agency if the credit reporting agency had known of the collecting or disclosing of credit information or procuring the disclosure of credit information and the circumstances of it. (3) A person who collects or discloses credit information or procures the disclosure of credit information in contravention of subsection (1) commits an offence. (4) A person who sells credit information commits an offence if he has collected the credit information in contravention of subsection (1). (5) A person who offers to sell credit information commits an offence if— (a) he has collected the credit information in contravention of subsection (1); or (b) he subsequently collects the credit information in contravention of subsection (1). (6) For the purposes of subsection (5), an advertisement indicating that credit information is or may be for sale is an offer to sell the credit information. (7) A person who commits an offence under this section shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both. Abetment and attempt punishable as offences 63. (1) A person who abets the commission of or who attempts to commit any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for that offence. Laws of Malaysia 64 Act 710 (2) A person who does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for the offence: Provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence. Compounding of offences 64. (1) The Registrar may, with the consent in writing of the Public Prosecutor, compound any offence committed by any person under this Act and prescribed to be a compoundable offence by making a written offer to the person suspected to have committed the offence to compound the offence upon payment to the Registrar of an amount of money not exceeding fifty per centum of the amount of maximum fine for that offence within such time as may be specified in his written offer. (2) An offer under subsection (1) may be made at any time after the offence has been committed but before any prosecution for it has been instituted, and if the amount specified in the offer is not paid within the time specified in the offer or such extended time as the Registrar may grant, prosecution for the offence may be instituted at any time after that against the person to whom the offer was made. (3) Where an offence has been compounded under subsection (1), no prosecution shall be instituted in respect of the offence against the person to whom the offer to compound was made, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in connection with the offence may be released or forfeited by the Registrar, subject to such terms and conditions as he thinks fit to impose in accordance with the conditions of the compound. (4) All sums of money received by the Registrar under this section shall be paid into the Federal Consolidated Fund. Credit Reporting Agencies 65 Offences by body corporate 65. (1) If a body corporate commits an offence under this Act, any person who at the time of the commission of the offence was a director or officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management— (a) may be charged severally or jointly in the same proceedings with the body corporate; and (b) if the body corporate is found to have committed the offence, shall be deemed to have committed that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves— (i) that the offence was committed without his knowledge, consent or connivance; and (ii) that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (2) If any person would be liable under this Act to any punishment or penalty for his act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of the agent, if the act, omission, neglect or default was committed— (a) by that person’s employee in the course of his employment; (b) by the agent when acting on behalf of that person; or (c) by the employee of the agent in the course of his employment by the agent or otherwise on behalf of the agent acting on behalf of that person. Prosecution 66. No prosecution for an offence under this Act shall be instituted except by or with the written consent of the Public Prosecutor. Laws of Malaysia 66 Act 710 Jurisdiction to try offences 67. Notwithstanding any other written law to the contrary, a Sessions Court shall have jurisdiction to try any offence under this Act and to impose full punishment for any such offence under this Act. Service of notice or other documents 68. (1) Service of a notice or any other document upon any person shall be effected— (a) by delivering the notice or other document to the person; (b) by leaving the notice or other document at the last-known address of residence or place of business of the person in a cover addressed to that person; or (c) by forwarding the notice or other document by post in an A.R. registered letter addressed to the person at his last-known address of residence or place of business. (2) Where the person to whom there has been addressed an A.R. registered letter containing any notice or other document which may be given under this Act is informed of the fact that there is an A.R. registered letter awaiting him at a post office, and such person refuses or neglects to take delivery of such A.R. registered letter, such notice or other document shall be deemed to have been served upon him on the date on which he was so informed. Protection against suit and legal proceedings 69. No action, suit, prosecution or other proceedings shall lie or be brought, instituted or maintained in any court against— (a) the Registrar; (b) any Deputy Registrar, Assistant Registrar, authorized officer or any officer of the Registrar; or Credit Reporting Agencies 67 (c) any person lawfully acting on behalf of the Registrar, in respect of any act or omission done or omitted by him or it in good faith in such capacity. Protection of informers 70. (1) Except as provided in subsections (2) and (3), no witness in any civil or criminal proceedings pursuant to this Act shall be obliged or permitted to disclose the name or address of any informer or the substance and nature of the information received from him or state any matter which might lead to his discovery. (2) If any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article which is in evidence or is liable to inspection in any civil or criminal proceedings whatsoever contains any entry in which any informer is named or described or which might lead to his discovery, the court shall cause all such entries to be concealed from view or to be obliterated in so far as may be necessary to protect the informer from discovery. (3) If in a trial for any offence under this Act the court, after full inquiry into the case, is of the opinion that the informer wilfully made in his complaint a material statement which he knew or believed to be false or did not believe to be true, or if in any other proceeding the court is of the opinion that justice cannot be fully done between the parties in the proceeding without the discovery of the informer, the court may require the production of the original complaint, if in writing, and permit an inquiry and require full disclosure concerning the informer. Obligation of secrecy 71. (1) Except for any of the purposes of this Act or for the purposes of any civil or criminal proceedings under any written law or where otherwise authorized by the Minister— (a) the Registrar, Deputy Registrars, Assistant Registrars, authorized officers or officers of the Registrar, whether during or after his tenure of office or employment, shall not disclose any information obtained by him in the course of his duties; and Laws of Malaysia 68 Act 710 (b) no person who has by any means access to any information or documents relating to the affairs of the Registrar shall disclose such information or document. (2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both. Power of Minister to make regulations 72. (1) The Minister may make such regulations as may be necessary or expedient for the purpose of carrying into effect the provisions of this Act. (2) Without prejudice to the generality of the powers conferred by subsection (1), the Minister may make regulations for all or any of the following purposes: (a) to regulate all matters relating to the registration of credit reporting agencies, including prescribing the registration fees and renewal fees; (b) to provide and prescribe any fees to be imposed by the credit reporting agencies and any other fees payable in connection with the provision of any service or any matter under this Act; (c) to regulate procedures in respect of the inspection of data systems, investigation of complaints and issuance of enforcement notices, and all matters related to them; (d) to prescribe the offences which may be compounded and the forms to be used and the method and procedure for compounding the offences; (e) to prescribe any matter for which this Act makes express provision to be made by regulations; (f) to prescribe all other matters as are necessary or expedient to be prescribed for giving effect to this Act. Credit Reporting Agencies 69 (3) The regulations made under this section or any other subsidiary legislation made under this Act may prescribe for any act or omission in contravention of the regulations or other subsidiary legislation to be an offence and may prescribe for penalties of a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both. Prevention of anomalies 73. (1) The Minister may, by order published in the Gazette, make such modifications to the provisions of this Act as may appear to him to be necessary or expedient for the purpose of removing any difficulties or preventing anomalies in consequence of the coming into operation of this Act. (2) The Minister shall not exercise the powers conferred by subsection (1) after the expiration of one year from the appointed date. (3) In this section, “modifications” means amendments, additions, deletions and substitutions of any provisions of this Act. Power of Minister to amend First Schedule and Second Schedule 74. The Minister may, on the recommendation of the Registrar, from time to time, by order published in the Gazette, vary, delete, add to, substitute for, or otherwise amend the First and Second Schedules. Power to issue Summary of Rights, codes of practice, etc. 75. (1) The Registrar shall issue a Summary of Rights in such form and manner as determined by him that contains information about credit reporting agencies and a summary of rights of customers in respect of transactions involving such credit reporting agencies as provided under this Act. Laws of Malaysia 70 Act 710 (2) The Registrar may issue generally in respect of this Act or in respect of any particular provision of this Act, or generally in respect of the conduct of all or any of the credit reporting agencies, from time to time, codes of practice, guidelines, circulars or notes as may be necessary or expedient for giving full effect to the provisions of this Act, for carrying out or achieving the objects and purposes of this Act or any provision thereof, or for the further, better and more convenient implementation of the provisions of this Act. Personal Data Protection Act 2009 shall not apply 76. The provisions of the Personal Data Protection Act 2010 [Act 709] shall not apply to the processing of credit information by a credit reporting agency. Part IX SAVINGS AND TRANSITIONAL PROVISIONS Carrying on credit reporting business before the commencement of this Act 77. (1) Any person who has been carrying on a credit reporting business prior to the appointed date may continue to do so as if this Act has not been enacted for a period of three months from the appointed date or such other period as may be allowed by the Registrar in writing, referred to as “grace period”, and shall, if he or it intends to continue to carry on such business after the expiry of the grace period, make an application for registration as a credit reporting agency under section 13 within the grace period. (2) Where the applicant has been registered as a credit reporting agency by the Registrar, the credit reporting agency shall within six months from the expiry of the grace period fully comply with the provisions of this Act in respect of all credit information collected and further processed, whether before or after the appointed date, by the credit reporting agency for the purpose of carrying on the credit reporting business. Credit Reporting Agencies 71 (3) Where the applicant has not applied to be registered as a credit reporting agency or has been refused registration as a credit reporting agency on the expiry of the grace period, he or it shall immediately cease to collect and further process all credit information for the purpose of carrying on a credit reporting business, whether such credit information was collected or further processed before or after the appointed date. (4) Any person referred to in subsection (1) who is aggrieved by the decision of the Registrar in refusing to approve his or its registration as a credit reporting agency under section 14 may appeal to the Minister under section 18. (5) The grace period granted to a person under subsection (1) shall expire— (a) in the case where the person fails to apply for registration as a credit reporting agency, on the date of expiry of the grace period; or (b) in the case where the person has applied for registration as a credit reporting agency— (i) on the date his or its application for registration as a credit reporting agency is approved by the Registrar and a certificate of registration is issued; (ii) on the date of service of the notice issued under subsection 14(3) stating that his or its application for registration is refused by the Registrar; or (iii) on the determination of his appeal to the Minister under section 18. Laws of Malaysia 72 Act 710 First Schedule [Section 2] DETAILS OF CREDIT INFORMATION 1. Identification information (a) Individual: (i) Name (ii) Any alias or previous name (iii) Identity Card Number or other identity number (iv) Nationality (v) Gender (vi) Date of birth (vii) Address (viii) Occupation (ix) Any previous occupation (x) Employer (xi) Any previous employer (xii) Contact number (b) Body corporate or unincorporate: (i) Name (ii) Registration Number/Licence Number/Permit Number (iii) Date of registration/Date of establishment (iv) Country of operation (v) Entity type (vi) Addresses (including principal office and branch office) (vii) Contact number Credit Reporting Agencies 73 2. Information on credit facility (a) Information reported by the credit provider about an application for credit by a customer and information on approved credit of customer: (i) Identity of credit provider (ii) Date of application (iii) Application reference number (iv) Capacity of customer (whether as borrower or as guarantor) (v) Amount applied (vi) Status of application (Pending, Approved, Rejected, etc.) (vii) Status date (viii) Reason for rejection (ix) Approved credit amount or credit limit (x) Approval date (xi) Account number (xii) Type of credit approved (xiii) Original tenure (xiv) Principal repayment term (xv) Legal action status (xvi) Date of legal action (xvii) Type of collateral (xviii) Collateral value (xix) Collateral details (b) Credit repayment information: (i) Amount last due (ii) Months in arrears (iii) Instalment in arrears (iv) Amount of payment made during the last reporting period Laws of Malaysia 74 Act 710 (v) Remaining available credit or outstanding balance (vi) Account status (Outstanding, Closed, Settled, Write-off, etc.) (c) Credit enquiry information: (i) Identity of subscriber/other person making credit enquiry (ii) Date and time of credit enquiry (iii) Identification of specific person making credit enquiry (iv) Identification of customer being enquired. Second Schedule [Section 2] CREDIT PROVIDERS 1. Institutions licensed under the *Islamic Banking Act 1983 [Act 276], the **Banking and Financial Institutions Act 1989 [Act 372] or the ***Insurance Act 1996 [Act 553]; 2. Any person carrying on a scheduled business as defined in subsection 2(1) of the †Banking and Financial Institutions Act 1989; 3. Institutions prescribed under the Development Financial Institutions Act 2002 [Act 618]; 4. Takaful operators registered under the ††Takaful Act 1984 [Act 312]; 5. Issuers of designated payment instruments approved under the †††Payment Systems Act 2003 [Act 627]; 6. Moneylenders licensed under the Moneylenders Act 1951 [Act 400]; *NOTE—The Islamic Banking Act 1983 [Act 276] has since been repealed by the Islamic Financial Services Act 2013 [Act 759]—see section 282 of Act 759. **NOTE—The Banking and Financial Institutions Act 1989 [Act 372] has since been repealed by the Financial Services Act 2013 [Act 758]—see section 271 of Act 758. ***NOTE—The Insurance Act 1996 [Act 553] has since been repealed by the Financial Services Act 2013 [Act 758]—see section 271 of Act 758. †NOTE—The Banking and Financial Institutions Act 1989 [Act 372] has since been repealed by the Financial Services Act 2013 [Act 758]—see section 271 of Act 758. ††NOTE—The Takaful Act 1984 [Act 312] has since been repealed by the Islamic Financial Services Act 2013 [Act 759]—see section 282 of Act 759. †††NOTE—The Payment Systems Act 2003 [Act 627] has since been repealed by the Financial Services Act 2013 [Act 758]—see section 271 of Act 758. Credit Reporting Agencies 75 7. Pawnbrokers licensed under the Pawnbrokers Act 1972 [Act 81]; 8. Fishermen’s Associations registered under the Fishermen’s Associations Act 1971 [Act 44]; 9. Co-operative societies registered under the Co-operative Societies Act 1993 [Act 502]. Third Schedule [Paragraph 14(1)(b) and subsection 21(1)] Chief executive and director to be “fit and proper” persons 1. (1) In determining whether a person is a “fit and proper” person to hold or is to hold the position of a chief executive or director of a credit reporting agency, regard shall be had to the following criteria, namely— (a) his probity, competence and soundness of judgement for fulfilling the responsibilities of that position; (b) the diligence with which he is fulfilling or is likely to fulfil those responsibilities; and (c) whether the interests of the credit reporting agency, the subscribers or other persons, the customers and the general public are, or are likely to be, in any way threatened by that position. (2) Without prejudice to the generality of the foregoing provisions, regard may be had to the previous business conduct and activities of the person in question and, in particular, to any evidence that he— (a) has been compounded or convicted, or as the chief executive or director, has caused to be compounded or convicted, of an offence which is punishable with— (i) imprisonment for one year or more, whether by itself, or in lieu, or in addition to, a fine; or (ii) a fine of twenty thousand ringgit or more; or (b) has been engaged in or associated with any business practices, or otherwise conducted himself in such a way as to cast doubt on his competence and soundness of judgement. Laws of Malaysia 76 Act 710 Additional criteria for chief executive 2. A person who is, or is to be, a chief executive of a credit reporting agency— (a) shall have the educational qualifications and experience which will enable him to satisfactorily discharge his responsibilities; (b) shall not have held a position of responsibility in the management of a company which has been convicted of an offence under any written law during his tenure of office, unless he proves that such offence was committed without his knowledge or consent and he was not in a position to prevent the offence; (c) shall not have held a position of responsibility in the management of any company which during his tenure of office— (i) has defaulted in payment of any judgement sum against it; (ii) has suspended payment or has compounded with its creditors; or (iii) has had a receiver or manager appointed in respect of its property; (d) shall be available for full time employment, and shall not carry on any other business or vocation, except as a non-executive director or shareholder of another company; and (e) shall not have acted in a manner which may cast doubt on his fitness to hold the position of a chief executive, or acted in blatant disregard for proper professional conduct, especially in dealings with the subscribers or other persons, customers and the general public. Additional criteria for director 3. A person who is, or is to be, a director of a credit reporting agency— (a) shall have the educational qualifications and experience which will enable him to carry out and perform his duties; (b) shall not have acted in a manner which may cast doubt on his fitness to hold the position of a director; and (c) shall not have been a party to any action or decision of the board or management of the credit reporting agency which is detrimental to its interests. Credit Reporting Agencies 77 Other criteria as the Minister may prescribe 4. The Minister may, with the concurrence of the Registrar, prescribe such other additional criteria which is necessary or expedient for the purpose of protecting the interests of the credit reporting agency, subscribers or other persons, customers and the general public. Discretion of the Registrar 5. The Registrar shall have full discretion to determine whether a person has complied with this Schedule. Fourth Schedule [Paragraph 26(3)(d)] SUBSCRIBER AGREEMENT A Subscriber Agreement (“Agreement”) shall include provisions imposing the following obligations upon the subscriber: 1. Where the credit reporting agency collects credit information directly or indirectly from the customer for disclosure to a subscriber, the credit reporting agency shall inform the customer of the purposes for which the credit reporting agency is collecting the credit information and the purposes for which the credit information will be further processed. 2. The credit reporting agency shall not disclose credit information to the subscriber without taking such steps as are, in the circumstances, reasonable to ensure that the credit information is accurate, up-to-date, complete, relevant, and not misleading. 3. The credit reporting agency shall, as soon as reasonably practicable, update any credit information previously disclosed to the subscriber and ensure that the credit information remains accurate, up-to-date, complete, relevant, and not misleading. 4. The subscriber undertakes that it shall take all necessary steps to maintain the utmost security and confidentiality of credit information obtained or communicated, documents prepared and records kept, whether obtained from the credit reporting agency or otherwise, and any other matter undertaken in connection with this Agreement, whether before the effective date of the Agreement, during the period of the Agreement or after the expiry or termination of this Agreement. Laws of Malaysia 78 Act 710 5. The subscriber undertakes that it shall take such steps that are necessary to ensure that its employees, agents or any other person that may have access to the confidential credit information do not disclose or use the same other than in accordance with the Agreement. 6. The subscriber shall promptly cooperate with the credit reporting agency in its efforts to investigate and resolve complaints and correction requests of credit information. 7. The subscriber shall in order to safeguard the credit information held by it against unauthorized or improper access, use, modification or disclosure take appropriate measures, including the following: (a) to develop written policies and procedures to be followed by its employees, agents and contractors; (b) to establish controls, including— (i) the use of passwords, credential tokens, digital signatures or other mechanisms; and (ii) user identification; (c) to provide information and training to ensure compliance with the policies, procedures and controls; (d) to monitor usage and regularly check compliance with the policies, procedures and controls; (e) to take appropriate action in relation to identified breaches of the policies, procedures and controls; and (f) to maintain logs of all accesses, amendments and audit trails to the credit information provided to it by the credit reporting agency. Credit Reporting Agencies 79 Act 710 LIST OF AMENDMENTS Amending law Short title In force from-NIL-Laws of Malaysia 80 Act 710 Act 710 LIST OF SECTIONS AMENDED Section Amending authority In force from-NIL-