
Open Finance in Malaysia: Bank Negara Malaysia’s Exposure Draft

Bank Negara Malaysia (“BNM”) released its Exposure Draft on Open Finance (“ED”) on 18 November 2025, a landmark document that lays the groundwork for a more connected, interoperable, and consumer-centric financial system. The ED sets out the proposed regulatory framework for the implementation of the open finance arrangement. Stakeholders can submit comments on the ED until 1 March 2026.

This article highlights 8 key elements of the ED to help financial institutions, in-house counsel, compliance teams, and data-protection professionals understand the upcoming requirements and prepare ahead of implementation.

1. What is Open Finance?

The term “Open Finance” is defined in the ED as a framework that enables permissioned sharing of customer information between a data provider and a data consumer in a secure, open, accessible, interoperable, and timely manner.

In layman’s terms, open finance is a system that allows banking customers to share their financial information held by one financial institution, such as bank account data, e-wallet balances, or credit card transactions, with other financial institutions. You can think of it as the banking version of “allowing apps to connect with other apps”, just as you would allow Microsoft Outlook to connect with your mobile phone’s calendar app, or a fitness app to access Apple Health data for Apple users.

2. Why is Open Finance Useful?

Why is this useful? Because it enables interconnectedness.

These days, customers do not bank with just one financial institution. We maintain several bank accounts for different purposes – payroll, savings, FDs, etc. The information that each financial institution sees about you depends largely on the banking products or services that you obtain from it, which can affect how “personalised” its services are. If financial institutions can see your financial information at other banks, they may have a clearer picture of you as a customer, which allows better customisation of their services to you, or even facilitates the processing or approval of your application for certain financial products such as credit cards or loans.

For illustration, open finance can allow Bank A to pull your last 12 months of data from Bank B so that your loan application can be expedited. Through open finance, you may also be able to view all your credit card statements from a single application, as opposed to having to navigate across several banking apps when you are trying to clear your credit card bills.

3. Who Will be Impacted?

The open finance arrangement is set to impact financial institutions in Malaysia. The ED specifically states that the following financial institutions are mandated to participate in the open finance arrangement when it is implemented:

 

  • Licensed banks;
  • Licensed investment banks;
  • Licensed Islamic banks;
  • Licensed insurers;
  • Licensed takaful operators;
  • Prescribed development financial institutions; and
  • Eligible e-money issuers (“EMIs”).


However, not all financial institutions in the categories listed above will have to participate in the open finance arrangement – only those that meet certain customer volume thresholds are mandated. For banks and prescribed development financial institutions, the open finance arrangement will apply to those with a customer base of more than 100,000 (BNM is proposing a phased implementation specifically for the banks, starting with banks with a customer base of more than 1,000,000). For eligible EMIs, only those operating a network-based e-money solution with an aggregate distinct count of more than 5,000,000 active users have to participate in the open finance arrangement.

For financial institutions that fall outside the prescribed thresholds, participation in the open finance arrangement is still possible, albeit on a voluntary basis.

4. When is the Open Finance Arrangement Expected to be Implemented?

BNM is proposing to adopt a phased implementation of the open finance arrangement, starting with banks with more than 1,000,000 customers on 1 January 2027, moving on to banks with more than 100,000 customers on 1 January 2028, and lastly rolling it out to development financial institutions with more than 100,000 customers and EMIs with more than 5,000,000 active users on 1 January 2029.

The ED does not expressly mention when non-mandated financial institutions can participate in the open finance arrangement. Given that the earliest implementation of the open finance arrangement for the mandated financial institutions falls on 1 January 2027, we surmise that the earliest date on which non-mandated financial institutions can opt to participate in the open finance arrangement would be the same date.

5. What Information Will be Shared?

According to the current proposal by BNM, financial institutions participating in the open finance arrangement are obligated to share only the following information:

  • Transaction information for the most recent 12 months including the date, description and value; and
  • The current outstanding balance of an account.


That being said, the ED does not prohibit participating financial institutions from sharing information beyond the scope prescribed above. Sharing of additional customer information is allowed as long as industry standards and technological solutions permit, and where the explicit consent of the customers has been obtained. It is thus entirely up to the participating financial institutions to explore possible use cases of the open finance arrangement and to voluntarily propose additional scope of information to be shared through the open finance framework.

6. What is the Role of an Open Finance Platform?

The open finance arrangement is envisaged to be implemented through so-called “open finance platforms”, being technical infrastructure, systems or utilities that enable the capturing of customers’ consent and the secure transmission of customer information.

One can think of the open finance platform as a standalone platform that participating financial institutions and banking customers will use to facilitate the sharing of customer information.

Participating financial institutions that wish to access a customer’s financial information held by other participating financial institutions can make an access request on the open finance platform. Before any of the requested financial information can be shared, the customer will have to provide his consent to the data sharing through the open finance platform. Once consent has been received, the financial institution with the relevant requested information of the customer will then release the requested information to the requesting institution based on the scope of the customer’s consent.

At present, it is unclear whether an open finance platform will be operated exclusively by non-financial institutions (i.e., third-party service providers to the financial institutions), or if a financial institution will also be allowed to operate an open finance platform. We view that the latter is unlikely given the risk of conflict of interest, but clarity on this point will have to be addressed when the definitive framework is up.

To enable the working of open finance platforms, it is envisaged that all participating financial institutions will have to establish API gateways with the open finance platform to facilitate data sharing.

7. Consent Requirements

All sharing of information on the open finance platform hinges on the consent of the banking customers. Based on the ED, customers’ consent will have to be specific, voluntary, revocable, explicit and deliberate. Let us break down what these mean.

 

  • Specific – When requesting consent, a participating financial institution is required to ensure that the terms used are clear, concise, and written in plain language. Specifically, the terms must describe to whom the disclosure will be made, the purpose of the disclosure, and the type of information that will be disclosed.
  • Voluntary – The giving of consent must be voluntary in that customers must not be compelled, coerced or misled into giving consent. Bundled or blanket consent, where customers are asked to indicate consent to a statement or term that combines agreement to the disclosure of their information with other matters in a single statement of consent, will be strictly prohibited.
  • Revocable – There must be a mechanism for customers to revoke their consent to the sharing of information, which should be as easy to exercise as the grant of consent. Once consent is revoked, the participating financial institutions will have to cease the sharing and usage of information forthwith.
  • Explicit and deliberate – The ED requires the giving of customer consent to be explicit and deliberate. In other words, there must be an affirmative action on the part of the customers when giving consent, either through the ticking of a consent box, or the clicking of an “I Agree” button. Silence or inaction on the part of the customer cannot be taken as consent.


Furthermore, BNM is also proposing that the consent given by customers be time-bound. Essentially, each customer consent will be valid for a given period, during which the relevant information can be accessed by the requesting financial institution. If access to the information is required beyond the validity of the consent, customers will have to renew their consent to allow continued access to their information. At present, the proposal is for each consent to have a maximum validity of 6 months only.

The consent requirement under the proposed open finance framework is very similar to the consent requirement under the Personal Data Protection Act 2010 (“PDPA”). In fact, the consent requirement here is even more stringent than that of the PDPA, considering that consent given for the purpose of open finance is time-bound.

8. Customer Protection Requirements

A substantial portion of the ED focuses on customer protection requirements to be implemented by the participating financial institutions. It is indisputable that a person’s financial information is sensitive, and to establish a platform that facilitates the sharing of financial information, one must ensure that appropriate safeguards are in place to prevent misuse, unauthorised access or loss of the information being shared.

The ED has proposed substantial requirements on the establishment of data governance and privacy policies by participating financial institutions, implementation of technical and operational safeguards on the security of data, requirements on management of third-party service providers to ensure security of data is protected, as well as notification requirements on breaches of customer information.

However, it should not be too challenging for participating financial institutions to meet these requirements, given that the requirements will be more or less in line with the existing policies that financial institutions are already in compliance with, such as the Policy Document on Risk Management in Technology, Policy Document on Management of Customer Information and Permitted Disclosure, Guidelines on Data Management and MIS Framework, etc.

The ED marks a major step toward creating a connected, user-controlled, and innovation-friendly financial ecosystem. While it is certainly a welcome initiative, the implementation of the open finance framework will expose banking customers to new forms of risk. It will be crucial for BNM to closely monitor the safeguards to be implemented by the participating financial institutions, and for financial institutions to continuously uphold the security of customers’ information as their top priority, all while balancing the need for innovation.

The open finance initiative also presents opportunities for technology solution providers to explore how their innovations can complement the offerings of financial institutions under the open finance initiative. For those who may want to take advantage of the proposed open finance framework, it will be crucial to keep an eye on the space closer to the end of 2026. Given that the first batch of implementation of the open finance arrangement is proposed to be on 1 January 2027, we anticipate that the framework itself will have to be firmed up and released by Q3 or Q4 2026 at the latest.

Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.

If you wish to know more about the open finance framework, or if you need any legal assistance regarding technology, media or telecommunications, you may reach out to the partners at our Technology Practice Group, Ong Johnson and Lo Khai Yi, for enquiries.


About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group

Fintech, Data Protection, Technology, Media & Telecommunications (“TMT”), IP and Competition Law
johnson.ong@hhq.com.my



© 2025 Halim Hong & Quek