
Since the mandatory personal data breach notification regime under the Personal Data Protection Act 2010 (“PDPA”) came into force last year, on 1 June 2025, things have been moving quickly. On top of that PDPA framework, a similar customer information breach notification regime under the revised policy document on Management of Customer Information and Permitted Disclosures (“MCIPD”) issued by Bank Negara Malaysia (“BNM”) has also recently come into effect.
Having already written at length on the personal data breach notification requirements and obligations under the PDPA, we now turn our focus to the MCIPD issued by BNM. In this article, we set out the top 10 key takeaways that companies should note in relation to the customer information breach notification framework under the MCIPD. It should be read together with the personal data breach notification regime under the PDPA, because, more often than not, the two will go hand in hand.
1. The MCIPD Customer Information Breach Notification Framework Applies Specifically to Financial Service Providers
For the first key takeaway, it is important to understand to whom the customer information breach notification obligation under the MCIPD applies.
Unlike the mandatory personal data breach notification obligation under the PDPA, which applies to all data controllers and therefore, in practical terms, to nearly all organisations, the customer information breach notification obligation under the MCIPD is more narrowly framed and applies only to financial service providers (“FSPs”). The MCIPD defines FSP to include only the following categories, which are nonetheless very extensive and cover most regulated players in the financial sector:
- a) a licensed bank;
- b) a licensed investment bank;
- c) a licensed Islamic bank;
- d) a licensed international Islamic bank;
- e) a licensed insurer;
- f) a licensed takaful operator;
- g) a licensed international takaful operator;
- h) a prescribed institution;
- i) an approved insurance broker;
- j) an approved takaful broker;
- k) an approved financial adviser;
- l) an approved Islamic financial adviser;
- m) an approved money broker;
- n) an approved issuer of a designated payment instrument;
- o) an approved issuer of a designated Islamic payment instrument;
- p) an approved operator of a payment system;
- q) a registered operator of a payment system; and
- r) a registered adjuster.
2. Financial Service Providers Must Notify BNM Immediately Once Any Prescribed Notification Threshold Is Met
The second takeaway is that FSPs must notify BNM immediately upon becoming aware of a customer information breach that satisfies any one of the following three conditions:
- a) poses or is likely to pose reputational risk to the FSP or a threat to public confidence and trust;
- b) causes or is likely to cause significant harm to affected customers; or
- c) involves or is likely to involve a large number of customers (i.e. significant scale).
The key aspect that warrants close attention here is the notification timeline: the FSP is required to notify BNM immediately. This is in line with the broader trend in regulatory enforcement, where the expected notification window for breaches generally is becoming shorter and shorter, to the point that customer information breaches now warrant immediate notification to BNM. For boards and general counsel, the practical implication is straightforward: internal escalation protocols, legal assessment and regulatory engagement plans must be designed to operate at a far quicker pace than many organisations have historically been accustomed to.
3. The Reputational Risk and Public Confidence Trigger Is Deliberately Framed in Broad Terms
The third takeaway is that the MCIPD further explains that a customer information breach poses or is likely to pose reputational risk to the FSP, or a threat to public confidence and trust, where it involves (including, but not limited to) any of the following circumstances:
- a) disclosures to a party suspected of being involved in criminal activity;
- b) information being made public or circulated via any medium including the social media; or
- c) a customer known to the public, e.g. a celebrity or a public figure, or where the breach is likely to attract media attention.
The above three circumstances are not exhaustive; they are illustrations provided by BNM within the MCIPD. Even so, the illustrations show that the expectation is set very broadly, as they effectively capture most forms of customer information breach: a ransomware incident in which information is disclosed to a threat actor, i.e. a party involved in criminal activity; information circulated or released publicly through a leaked database, the dark web, the clear web or social media; or a breach that is simply likely to attract media attention. In that sense, the threshold is, in reality, relatively low.
The MCIPD also makes clear that where customer information has been made public or circulated via any medium such as social media, the FSP must effectively manage the reputational risk arising from the incident. In addition, where the FSP assesses that the breach appears to involve fraud or criminal activity, or may result in identity theft, the relevant law enforcement agency must also be notified as soon as practicable.
4. The Significant Harm Threshold Is Closely Aligned with the Personal Data Protection Act 2010
The fourth takeaway is that the MCIPD adopts a significant harm threshold broadly similar to that under the PDPA regime, although the wording is framed slightly differently. Under the MCIPD, FSPs are to consider that a customer information breach causes or is likely to cause significant harm where there is a risk that the breach:
- a) may result in financial loss, damage to or loss of property, loss of business opportunities, damage to reputation, a negative effect on credit record or a threat to the safety of the customer;
- b) may be misused for illegal purposes;
- c) could enable identity theft or fraud; or
- d) consists of sensitive customer information.
There is, in our view, real value in the close alignment of the significant harm concept under the MCIPD with the PDPA framework. Such regulatory similarity reduces unnecessary conceptual divergence, allows internal legal and compliance teams to assess incidents through a more coherent lens, and makes it easier for boards and management to adopt a single, disciplined framework when triaging breach severity. In an area already crowded with regulatory urgency and reputational pressure, this promotes a more coherent and workable compliance framework, particularly for regulated entities that now need to navigate both regimes in parallel.
5. The Significant Scale Threshold Is Likewise Aligned at More Than 1,000 Affected Customers
The fifth takeaway is that the significant scale assessment under the MCIPD is also closely aligned with the PDPA position. Under the MCIPD, a customer information breach is regarded as involving, or being likely to involve, a large number of customers (significant scale) where the number of affected customers exceeds 1,000. The policy document further states that where the breach meets the significant scale criterion, the FSP must assess the potential impact and take appropriate action to avoid or reduce harm to affected customers.
Again, the alignment of the significant scale threshold is helpful: it gives regulated entities a clearer benchmark, promotes consistency in internal incident assessment, and reduces the risk of fragmented decision-making between PDPA-led and BNM-led breach response processes.
6. The Initial Notification to BNM Must Contain Prescribed Core Information
The sixth takeaway is that the MCIPD mandates that the customer information breach notification to BNM must, at a minimum, include the following information:
- a) a description of the customer information breach that has occurred, including the type or nature of customer information that has been affected by the breach;
- b) the number of affected customers;
- c) consequences or harm to the affected customers due to the customer information breach;
- d) potential consequences or harm to the affected customers that may arise as a result of the customer information breach; and
- e) a description of measures that have been taken or will be taken by the FSP to address the breach.
Where the complete information required is not yet available for submission to BNM, the FSP must nonetheless (i) immediately provide BNM with all other information available at the time, (ii) submit the estimated number of affected customers based on its initial assessment of the breach, and (iii) take timely and relevant measures to determine the final number of affected customers without undue delay.
Once the complete information is obtained, the FSP must provide it to BNM immediately. This reinforces BNM's clear regulatory expectation that the absence of complete information is not, in itself, a reason to delay notification, and that prompt engagement with BNM remains the priority from the outset. In other words: notify first on the best information presently available, continue investigating with urgency, and update BNM as the factual picture becomes clearer.
7. Financial Service Providers Must Investigate, Escalate to the Board, and Submit a Detailed Investigation Report to BNM
The seventh takeaway is that, in addition to notifying BNM, FSPs must also submit a detailed investigation report to BNM in relation to the customer information breach. The MCIPD mandates that FSPs carry out an investigation to ascertain the root causes of a customer information breach and determine the appropriate remedial actions to prevent recurrence. The investigation must be carried out by a competent party and overseen by a party independent of the business unit in which the breach occurred.
The MCIPD further provides that FSPs must complete the investigation within three (3) months of detecting a customer information breach, having regard to the complexity of the breach, and table a detailed investigation report to the Board.
In our experience, three months is typically sufficient to prepare a full forensic investigation report. Importantly, the obligation does not end with tabling the report to the Board: the FSP must then submit the detailed investigation report, together with BNM's Template for Reporting Customer Information Breach, to BNM within one (1) working day of tabling it to the Board, in respect of a customer information breach that:
- a) causes or is likely to cause significant harm to the affected customers;
- b) is of significant scale (i.e. affected customers exceed or are likely to exceed 1,000); or
- c) involves a deliberate attempt at unauthorised disclosure of customer information.
This is particularly significant, as it makes clear that the regulatory expectation is not limited to immediate notification, but extends equally to proper investigation, meaningful governance oversight and prompt post-investigation reporting to BNM.
8. The MCIPD Also Imposes a Separate Obligation to Notify Affected Customers Without Undue Delay
The eighth takeaway is that the MCIPD does not only concern regulatory notification to BNM; it also imposes an obligation to notify affected customers. Where the customer information breach causes, or is likely to cause, significant harm, the FSP must notify the affected customers without undue delay after the notification is made to BNM. The MCIPD further makes clear that the FSP must ensure that any delay in notifying affected customers does not cause further harm to them.
Here again, the expectation is clear and strict: affected customers should be notified almost immediately after the notification to BNM. If there is any delay, the burden would, in practical terms, fall on the FSP to justify that the delay did not cause further harm to the affected customers. For example, where the nature of the breach is such that a customer may suffer financial loss unless immediate action is taken, such as changing a password, monitoring an account, blocking cards or taking steps against possible identity misuse, the expectation would plainly be that the affected customers are notified at once. In that sense, customer notification is not merely a compliance step but fundamentally a harm mitigation measure.
9. Customer Notifications Must Be Clear, Practical, and Capable of Enabling Meaningful Protective Action
The ninth takeaway is that, when notifying affected customers, FSPs must ensure that the affected customers are, at a minimum, provided with the following information:
- a) a brief description of the customer information breach that has occurred;
- b) details of the potential consequences to the customer as a result of the breach;
- c) advice on the steps that should be taken by the customer to reduce or mitigate any potential consequences resulting from the breach;
- d) a description of the measures taken or proposed to be taken by the FSP to remedy the breach and mitigate its potential consequences; and
- e) the FSP's contact details, from which more information or assistance regarding the customer information breach can be obtained.
The MCIPD further requires that the notification to affected customers be clear and written in plain language, and that the FSP specifically draw the customers' attention to the steps they should take to protect themselves from any potential consequences of the breach. This is an important and, in many respects, very sensible point: a customer notification should not read like a technical incident memo prepared for lawyers, forensic experts or regulators; it must be intelligible to ordinary customers, actionable in its language, and genuinely useful in helping them protect themselves. In practice, the communication must do more than announce that a breach has occurred: it should tell the customer what has happened, why it matters, what the potential risks are, what the FSP is doing, and, most importantly, what the customer should now do immediately.
10. Direct Notification Remains the Default Position, While Public Notification Is Reserved for Limited Exceptional Circumstances
The last takeaway is that, when it comes to notification to affected customers, the default position is that FSPs must notify the affected customers directly. However, in exceptional circumstances where direct notification would entail disproportionate effort, the FSP may instead issue a public announcement and display prominent notices at its branches and on its website, provided that such measures are sufficient.
For the avoidance of doubt, where an FSP is unable to identify the specific customers affected by a customer information breach at the point it is required to notify them, the FSP must first notify its customers generally through a public announcement and a prominent notice at its branches and on its website. Upon identifying the specific affected customers, the FSP must then notify them directly as soon as it is feasible to do so.
This closely mirrors the notification position under the PDPA: direct notification remains the default method, and public notification should only be considered where disproportionate effort is genuinely involved. This approach is entirely understandable. When it comes to customer information breaches, the natural expectation is that attention should be brought directly to the affected customers so that they may take the necessary steps to protect themselves, mitigate any potential harm and respond appropriately.
Public notification should therefore serve as a fallback where direct notification would entail disproportionate effort, and should not be treated as a substitute for direct notification where direct notification is reasonably possible.
Closing Thoughts
Taken together, the position under the MCIPD makes it clear that BNM expects customer information breaches to be treated with a high level of seriousness, urgency and discipline, not only from a regulatory reporting perspective, but also from the standpoint of governance, investigation, remediation and customer protection. When read together with the personal data breach notification obligations under the PDPA, the overall regulatory direction is unmistakable: organisations, and in particular FSPs, are now expected to respond to breaches faster, more transparently and with far greater accountability than ever before.
If you have any questions on personal data protection, please feel free to reach out to the partners in our Technology Practice Group, Ong Johnson and Lo Khai Yi, for a consultation. We have extensive experience in assisting organisations with personal data breaches and data security incidents, and have advised on and responded to breaches at both the international and regional levels.
The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024, 2025 and 2026), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my