Personal Data Protection Act 2010 and Secrecy Provision
Presented by HRMG, Recruitment & Development Department
From Compliance & Risk Management Department
As at 19th March 2018

PERSONAL DATA PROTECTION ACT 2010

What is PDPA?
• The Personal Data Protection Act 2010 ("PDPA") is an Act that regulates the processing of personal data in regard to commercial transactions. It was gazetted in June 2010.
• On 15 November 2013, the PDPA came into force in Malaysia with the objective of protecting the personal data of individuals with respect to commercial transactions.
• The penalty for non-compliance is a fine of between RM100k and RM500k and/or between 1 and 3 years' imprisonment.

PERSONAL DATA PROTECTION ACT 2010: What is Personal Data?

Personal Data
Any information in respect of commercial transactions that relates directly or indirectly to an individual who is identified or identifiable from that information alone or together with other information, including any sensitive personal data and any expression of opinion about the individual.

Examples of personal data (but not limited to):
• Name
• Address
• Gender
• Date of Birth
• Telephone Number
• Photographs
• Videos

Sensitive Personal Data
Any personal data that contains any of the following attributes:
• Physical or Mental Health
• Political Opinions
• Religious Beliefs
• Commission or alleged commission of any offence
• Any other personal data as determined by the Minister

For sensitive personal data, explicit consent has to be obtained from the individual before the personal data is processed.

PERSONAL DATA PROTECTION ACT 2010: How does PDPA affect us?
• This Act applies to any person who collects and processes personal data in regard to commercial transactions.
• The 7 principles of the Act are:

1. General Principle
Sets out the rights and obligations of the data user when processing personal data.

2. Notice and Choice Principle
A data user shall inform an individual by written notice: that his personal data is being processed by or on behalf of the data user; the purposes for which the personal data is to be collected and further processed; the individual's right to request access to or correction of the personal data, and how to contact the data user with any inquiries or complaints regarding the personal data; the class of third parties to whom the personal data will be disclosed; the choice to limit the processing; whether it is obligatory or voluntary for the individual to supply the personal data; and the consequences if he fails to supply it.

3. Disclosure Principle
The data user shall not disclose a data subject's personal data without the consent of the data subject, unless it is for the purpose for which it was originally collected.

4. Security Principle
The data user shall take practical steps to safeguard the personal data from any loss, misuse, modification, unauthorised or accidental disclosure, alteration or destruction.

5. Retention Principle
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

6. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date.

7. Access Principle
An individual shall be given access to his personal data held by a data user and be able to correct it.

PERSONAL DATA PROTECTION ACT 2010: Our Role
As employees of ACSM, we are ALL obliged to carry out our role to ensure compliance with the PDPA principles as follows:

PDPA Principle | Our Role
1. General Principle | Use the data for the original intended purposes only.
2. Notice and Choice Principle | Inform customers about our PDPA Privacy Notice (available on the ACSM website).
3. Disclosure Principle | Only disclose personal data to third parties for the purpose of fulfilling the contract. Otherwise, seek consent.
4. Security Principle | Safeguard customers', employees' and vendors' data from loss and misuse.
5. Retention Principle | Don't keep the data longer than is necessary for your intended purpose. If you keep it longer, you'll need to justify why.
6. Data Integrity Principle | Make sure your customer's data is accurate, complete and up-to-date.
7. Access Principle | Allow your customer to access his/her personal data.

SECRECY PROVISIONS OF FINANCIAL SERVICES ACT 2013 (FSA)
Presented by HRMG, Recruitment & Development Department
From Legal Department
As at 19th January 2018

GENERAL RULE (Section 133(1) FSA)
• All Financial Institutions are expected to ensure that the confidentiality of customer documents or information is preserved at all times.

PENALTY (Section 133(4) FSA)
• Imprisonment not exceeding 5 years; or
• Fine not exceeding RM10 million; or
• Both of the above.

EXCEPTIONS (Section 133 FSA)
- If the document/information is disclosed to Bank Negara for the purpose of exercising its powers under the FSA.
- If the document/information is in the form of a summary or collection of information.
- If the document/information has already been made lawfully available to the public.

PERMITTED DISCLOSURE (Section 134 & Schedule 11 FSA)
Schedule 11 FSA provides 18 circumstances of permitted disclosure, including the following:
> Disclosure required to be made under a court order (Sessions Court or higher);
> Disclosure to an investigating officer pursuant to an order made by an enforcement agency in Malaysia;
> Disclosure of credit information to any authorised officer of a credit reporting agency;
> Disclosure in relation to criminal or civil proceedings.

Reporting of secrecy breaches
1. Any breach must be reported to the Department Compliance Officer (DCO), Branch Compliance Officer (BCO) or HOD.
2. The DCO, BCO or HOD must complete and submit the required IMDC* form and escalate the issues and findings to the Head of Compliance.
3. Secrecy breaches are required to be reported and escalated to Bank Negara.
* Incident Management & Data Collection

Re: BNM Letter dated 4th July 2016, which reminded us that Financial Institutions (FIs) are expected to take measures to ensure that the confidentiality of customer documents or information is preserved at all times. FIs are required to conduct a comprehensive independent review of their compliance with the secrecy provisions.

Secrecy Provisions Applicable to FIs
Practices currently in place to ensure compliance:
• Clean desk policy
• Outgoing external email filter
• Internet browsing limitations
• Computer hardware limitations, e.g. staff are unable to transfer any data out from the PC to external hard drives without obtaining proper approval
• On-going audits by internal and external parties
• Revision of the Handphone Policy effective March '17

Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA)
Presented by HRMG, Recruitment & Development Department
From Compliance Department
As at 30th April 2019

AMLATFPUAA
Law:
• Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA)
BNM Guideline:
• Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Electronic Money and Non-Bank Affiliated Charge & Credit Card (Sector 4)
• Related BNM circulars on AML/CFT:
  - Public statement by the Financial Action Task Force (FATF) on 'High-risk and non-cooperative jurisdictions'.
  - Public statement by the FATF-Style Regional Bodies (FSRBs) on countries having inadequate AML/CFT systems.
  - Order on the Al-Qaida and Taliban Sanction Lists imposed by the Security Council of the United Nations.
ACSM Policy:
• COM-AML-A01 Anti Money Laundering & Counter Financing of Terrorism Policy
• COM-AML-G01 Suspicious Transaction Reporting Guideline

AMLATFPUAA: What is "Money Laundering"?
The process where illegal, or "dirty", money is put through a cycle of transactions, or "washed", so that it comes out the other end as legal, or "clean", money.
[Diagram: proceeds of predicate offences (Human Trafficking, Robbery, Drug Trafficking, Kidnapping, Corruption, Violent Offences, Arms Smuggling) pass through Financial Institutions as Laundered Money and emerge as Legitimate money / "Clean Money".]

AMLATFPUAA: What is "Financing of Terrorism"?
• Providing or collecting property for carrying out an act of terrorism
• Arranging for the retention or control of terrorist property
• Providing services for terrorism purposes
• Dealing with terrorist property

AMLATFPUAA: Money Laundering Offences
Under Section 4(1) of AMLATFPUAA, a person commits a money laundering offence if the person:
• Engages, directly or indirectly, in a transaction that involves proceeds of an unlawful activity;
• Acquires, receives, possesses, disguises, transfers, converts, exchanges, carries, uses, removes from or brings into Malaysia proceeds of any unlawful activity;
• Conceals, disguises or impedes the establishment of the true nature, origin, location, movement, disposition, title of, rights with respect to, or ownership of proceeds of an unlawful activity; or
• Participates in, is an accomplice in, attempts, aids, exhorts, facilitates or provides counsel regarding any of the acts referred to above.

Non-compliance with Section 4(1) of AMLATFPUAA: liable to imprisonment for a term not exceeding 15 years, and also liable to a fine of not less than 5 times the sum or value of the proceeds of the unlawful activity or the instrumentalities of the offence at the time the offence was committed, or RM5 million, whichever is higher.

AMLATFPUAA: Money Laundering Stages
Placement stage
• The physical disposal of bulk cash proceeds derived from illegal activity
Layering stage
• The separation of illicit proceeds from their source by creating complex layers of financial transactions
• These disguise the audit trail and provide anonymity
Integration stage
• Re-injecting laundered proceeds into the economy
• Provides an apparently legitimate explanation for criminally derived wealth

AMLATFPUAA: Who is responsible under AML/CFT?
New Staff, Front Liners, Supervisors and Managers, every ACSM Employee: all levels of staff are required to comply with the requirements.

AMLATFPUAA: Roles & Responsibilities of Employees
1. Be aware of and understand the following:
   • money laundering laws and regulations
   • processes and methods of money laundering and terrorism financing
   • 'red flags' of suspicious transactions
   • AEON Credit's internal process for reporting suspicious transactions
2. Conduct Know Your Customer (KYC) and on-going Customer Due Diligence (CDD).
3. Promptly submit an Internal Suspicious Transaction Report (ISTR) to Compliance whenever necessary.
4. Attend refresher training programmes on AML/CFT practices and measures.

AMLATFPUAA: Reporting Institutions
Financial Institutions:
• Banks & Financial Service Providers
• Insurance agencies
Others:
• Unit trust companies
• Lembaga Tabung Haji
• Money changers & lenders
• Racing clubs
• Fund management
• Leasing companies, etc.
Professional services:
• Accounting firms
• Auditing firms
• Legal firms
• Company secretarial firms
• Real estate developers & consultants

AMLATFPUAA: AML/CFT Framework
In order to establish a business relationship with customers, the company should comply with the following requirements:
1) Customer Acceptance Policy
2) Customer Due Diligence
3) Record Keeping
4) Suspicious Transaction Report
5) Combating the Financing of Terrorism
6) Non-compliance with Provisions under AMLATFPUAA 2001
Please refer to ACSM's policy in the Workflow for further details: COM-AML-A01 Anti Money Laundering & Counter Financing of Terrorism Policy.

AMLATFPUAA: Customer Acceptance Policy
Business units should identify and assess the risk of customers by applying a risk-based approach. The customer's risk profile should be considered based on the following factors:
i. customer risk (e.g. resident or non-resident, type of customer, occasional or one-off, legal person structure, type of PEP, type of occupation);
ii. country or geography (e.g. location of business, origin of customers);
iii. products, services, transactions or delivery channels (e.g. cash-based, face-to-face, non-face-to-face, cross-border); and
iv. any other information suggesting that the customer is of higher risk.
Main responsibility: Front Liners (Sales, Marketing)

AMLATFPUAA: Customer Due Diligence (CDD)
Customer types subject to CDD: Individual, Beneficial Owner, Trustee/Nominee, Corporate, Clubs/Societies, Intermediaries.
CDD consists of:
• Validate the customer
• Validate transactions
• Validate documents
• Document retention
If the customer is high risk, perform Enhanced Due Diligence (EDD).
Main responsibility: Front Liners (Sales, Marketing); Back Office (Transaction Monitoring)

CDD should be undertaken whenever:
• Establishing a business relationship with any customer.
• Carrying out a cash or occasional transaction that involves a large amount of money.
• There is suspicion of money laundering or financing of terrorism.
• The veracity or adequacy of previously obtained information is in doubt.
• The customer's purse size is equivalent to RM5,000 and above (in relation to electronic money issuers).
• The customer conducts any reload, usage or withdrawal transaction amounting to RM3,000 and above (in relation to electronic money issuers).

AMLATFPUAA: Customer Due Diligence (CDD) – Information and Documents
Individual:
• Full name, NRIC/passport number, residential and mailing address
• Date of birth, nationality, occupation type / self-employed
• Name of employer or nature of self-employment / nature of business; and
• Contact number (home, office or mobile)
• Purpose of transaction
Corporate:
• Memorandum/Articles/Certificate of Incorporation/Partnership;
• Identification documents of Directors/Shareholders/Partners;
• Authorisation for any person to represent the company/business; and
• Identification document of the person authorised to represent the company/business in its dealings with ACSM.

AMLATFPUAA: Record Keeping
Sections 13 and 17 of AMLATFPUAA provide:
• The company is obliged to keep records.
• Records must be retained for at least 6 years.
ACSM Policy:
• All records and files must be retained for at least 7 years.
Non-compliance with Section 17 of AMLATFPUAA: liable to a fine not exceeding RM3 million or imprisonment for a term of 5 years or both.

AMLATFPUAA: Suspicious Transaction Report
Suspicion shall arise when a transaction (including an attempted or proposed transaction):
• appears unusual;
• has no clear economic purpose;
• appears illegal;
• involves proceeds from an unlawful activity;
• indicates that the customer is involved in ML/TF; or
• any of the customer's transactions or attempted transactions fits the list of "red flags".

Examples of "red flags" / suspicious transactions:
• Discrepancies between the information submitted by the customer and information detected by the reporting institution's monitoring systems.
• Individuals who hold an unusual number of accounts with the same provider.
• A large and diverse source of funds (e.g. bank transfers, credit card and cash reloads from different locations) used to reload the same account.
• Multiple reference bank accounts from banks located in various locations used to reload the same e-money account frequently.
• Frequent reloading of an account by third parties.
• Numerous cash reloads, just under the reporting threshold, of the same account, conducted by the same individual(s) on a number of occasions.
• Multiple reloads by a third party followed by the immediate transfer of funds to a beneficiary bank account.
• Multiple occasions of reloading of an account, followed by ATM withdrawals.
• Multiple withdrawals conducted at different ATMs (including those outside the country where the account was reloaded).
• Account only used for withdrawals and not for purchases.

HOW TO REPORT?
1. Suspicious transaction identified
2. Fill up the ISTR form
3. Submit to HOD
4. Submit the ISTR form to Compliance Dept
ISTR FORM: can be obtained from the Document Portal in Workflow under Form/Template.

AMLATFPUAA: Tipping-Off
REMINDER! Please treat the ISTR as "Strictly Confidential".
Non-compliance with Section 35 of AMLATFPUAA (Tipping-Off): liable to a fine not exceeding RM3 million or imprisonment for a term not exceeding 5 years or both.

AMLATFPUAA: Training
Training on AML/CFT will be conducted on a regular basis and supplemented with refresher courses. Awareness expectations by level of staff, at minimum, are as follows:

Front-Line Employees
• Able to conduct effective on-going CDD.
• Able to detect suspicious transactions and know the measures that need to be taken upon determining a transaction as suspicious.
• Aware of what may give rise to suspicion, such as dealing with occasional customers transacting in large cash volumes, PEPs, higher-risk customers, and the circumstances where enhanced CDD is required.

Employees that Establish Business Relationships
• Focus on customer identification, verification and CDD procedures, including when to conduct enhanced CDD and the circumstances where there is a need to defer establishing a business relationship with a new customer until CDD is completed satisfactorily.

Supervisors and Managers
• May include overall aspects of AML/CFT procedures, in particular the risk-based approach to CDD, risk profiling of customers, enforcement actions that can be taken for non-compliance with the relevant requirements pursuant to the relevant laws, and procedures related to the financing of terrorism.

AMLATFPUAA: Other Important Offences
Non-compliance with Section 22 of AMLATFPUAA (failure to comply with reporting obligations): liable to a fine not exceeding RM1 million or imprisonment for a term not exceeding 3 years or both, and in the case of a continuing offence, in addition liable to a fine not exceeding RM3 thousand for each day or part thereof during which the offence continues to be committed.
Section 86 of AMLATFPUAA: any person who contravenes any provision under AMLATFPUAA is liable to a fine not exceeding RM1 million.
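The red-flag patterns listed under the Suspicious Transaction Report section (numerous reloads just under the threshold by the same person, a third-party reload followed by an immediate transfer out, an account used only for withdrawals) are the kind of rules a back-office transaction-monitoring job runs over the e-money ledger. The block below is an added example written for this page; it is not ACSM's monitoring system, the Workflow ISTR process, or any BNM-provided code. Only the RM3,000 CDD threshold comes from the deck; the transaction record layout, the 10% "just under" band, the three-reloads-in-seven-days count, the 24-hour pass-through window and the sample ledger are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the deck: a reload, usage or withdrawal of RM3,000 and above triggers CDD for
# an electronic money issuer. Every other figure below is a tuning assumption.
CDD_THRESHOLD = 3000.0
JUST_UNDER_BAND = 0.10                   # within 10% below the threshold = "just under"
STRUCTURING_MIN_COUNT = 3                # this many just-under reloads by one person ...
STRUCTURING_WINDOW = timedelta(days=7)   # ... within this window raises an alert
PASS_THROUGH_WINDOW = timedelta(hours=24)
WITHDRAWAL_ONLY_MIN = 2


@dataclass
class Txn:
    ts: datetime
    account: str
    kind: str          # "reload", "purchase", "withdrawal" or "transfer_out"
    amount: float      # in RM
    actor: str         # who performed the transaction
    third_party: bool  # True when the actor is not the account holder


def is_just_under_threshold(amount):
    """True for amounts sitting just below the CDD threshold (RM2,700 to RM2,999.99)."""
    return CDD_THRESHOLD * (1 - JUST_UNDER_BAND) <= amount < CDD_THRESHOLD


def detect_structuring(txns):
    """Red flag: numerous reloads just under the threshold, same account, same person."""
    alerts = set()
    stamps = defaultdict(list)
    for t in txns:
        if t.kind == "reload" and is_just_under_threshold(t.amount):
            stamps[(t.account, t.actor)].append(t.ts)
    for (account, actor), times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > STRUCTURING_WINDOW:
                start += 1
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                alerts.add(("structuring", account, actor))
                break
    return alerts


def detect_third_party_pass_through(txns):
    """Red flag: third-party reload followed by an immediate transfer to a bank account."""
    alerts = set()
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    for account, items in by_account.items():
        items.sort(key=lambda t: t.ts)
        for i, reload in enumerate(items):
            if reload.kind != "reload" or not reload.third_party:
                continue
            for later in items[i + 1:]:
                if later.ts - reload.ts > PASS_THROUGH_WINDOW:
                    break
                if later.kind == "transfer_out":
                    alerts.add(("third_party_pass_through", account, reload.actor))
                    break
    return alerts


def detect_withdrawal_only(txns):
    """Red flag: account used only for withdrawals and never for purchases."""
    alerts = set()
    counts = defaultdict(lambda: {"withdrawal": 0, "purchase": 0})
    for t in txns:
        if t.kind in ("withdrawal", "purchase"):
            counts[t.account][t.kind] += 1
    for account, c in counts.items():
        if c["withdrawal"] >= WITHDRAWAL_ONLY_MIN and c["purchase"] == 0:
            alerts.add(("withdrawal_only", account, f"{c['withdrawal']} withdrawals"))
    return alerts


def run_rules(txns):
    """Run every rule and return a sorted list of (rule, account, detail) alerts."""
    alerts = set()
    for rule in (detect_structuring, detect_third_party_pass_through, detect_withdrawal_only):
        alerts |= rule(txns)
    return sorted(alerts)


# Constructed sample ledger (not real data). A: structuring; B: third-party pass-through;
# C: withdrawals only; D: ordinary use that must not alert.
SAMPLE_TXNS = [
    Txn(datetime(2019, 4, 1, 10), "A", "reload", 2900, "holder-A", False),
    Txn(datetime(2019, 4, 2, 10), "A", "reload", 2950, "holder-A", False),
    Txn(datetime(2019, 4, 3, 10), "A", "reload", 2800, "holder-A", False),
    Txn(datetime(2019, 4, 4, 10), "A", "purchase", 150, "holder-A", False),
    Txn(datetime(2019, 4, 5, 9), "B", "reload", 1500, "third-x", True),
    Txn(datetime(2019, 4, 5, 11), "B", "transfer_out", 1490, "holder-B", False),
    Txn(datetime(2019, 4, 6, 9), "C", "reload", 500, "holder-C", False),
    Txn(datetime(2019, 4, 6, 12), "C", "withdrawal", 200, "holder-C", False),
    Txn(datetime(2019, 4, 7, 12), "C", "withdrawal", 300, "holder-C", False),
    Txn(datetime(2019, 4, 8, 9), "D", "reload", 300, "holder-D", False),
    Txn(datetime(2019, 4, 8, 12), "D", "purchase", 120, "holder-D", False),
]
```

Calling run_rules(SAMPLE_TXNS) returns three alerts, one each for accounts A, B and C, and nothing for D. Each alert is the raw material for an ISTR, not a conclusion: the rules are deliberately simple and the thresholds are assumptions, so a hit still has to be reviewed by a person before the form goes to the HOD and Compliance, and the tipping-off rule means the customer must not be told that their account was flagged.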