Personal Data Protection Act 2010 and Secrecy Provision
As at 19th March 2018
From Compliance & Risk Management Department
Presented by HRMG, Recruitment & Development Department

What is PDPA?

• The Personal Data Protection Act 2010 ("PDPA") is an Act that regulates the processing of personal data in regard to commercial transactions. It was gazetted in June 2010.
• On 15 November 2013, the PDPA came into force in Malaysia with the objective of protecting the personal data of individuals with respect to commercial transactions.
• The penalty for non-compliance is a fine of between RM100k and RM500k and/or imprisonment of between 1 and 3 years.

PERSONAL DATA PROTECTION ACT 2010: What is Personal Data?

Personal Data
Any information in respect of commercial transactions that relates directly or indirectly to an individual, who is identified or identifiable from that information alone or together with other information, including any sensitive personal data and any expression of opinion about the individual.
Examples of personal data are (but are not limited to):
• Name
• Address
• Gender
• Date of Birth
• Telephone Number
• Photographs
• Videos

Sensitive Data
Any personal data that contains any of the following attributes:
• Physical or Mental Health
• Political Opinions
• Religious Beliefs
• Commission or alleged commission of any offence
• Any other personal data as determined by the Minister
For sensitive personal data, explicit consent has to be obtained from the individual for processing of the personal data.

Personal Data Protection Act 2010: How does PDPA affect us?

• This Act applies to any person who collects and processes personal data in regard to commercial transactions.
• The 7 principles of the Act are:

1. General Principle
Sets out the rights and obligations of the data user when processing personal data.

2. Notice and Choice Principle
A data user shall inform an individual by written notice: that his personal data is being processed by or on behalf of the data user; the purposes for which the personal data is to be collected and further processed; the individual's right to request access to or correction of the personal data and how to contact the data user with any inquiries or complaints regarding the personal data; the class of third parties to whom the personal data will be disclosed; the choice to limit the processing; whether it is obligatory or voluntary for the individual to supply the personal data; and the consequences if he fails to supply it.

3. Disclosure Principle
The data user shall not disclose a data subject's personal data, without the consent of the data subject, unless it is for the purpose for which it was originally collected.

4. Security Principle
The data user shall take practical steps to safeguard the personal data from any loss, misuse, modification, unauthorized or accidental disclosure, alteration or destruction.

5. Retention Principle
The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose.

6. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date.

7. Access Principle
An individual shall be given access to his personal data held by a data user and be able to correct it.

PERSONAL DATA PROTECTION ACT 2010: Our Role

As employees of ACSM, we are ALL obliged to carry out our role to ensure compliance with the PDPA principles as follows:

1. General Principle: Use the data for the original intended purposes only.
2. Notice and Choice Principle: Inform customers about our PDPA Privacy Notice (available on the ACSM website).
3. Disclosure Principle: Only disclose personal data to third parties for the purpose of fulfilling the contract. Otherwise, seek consent.
4. Security Principle: Safeguard customers', employees' and vendors' data from loss and misuse.
5. Retention Principle: Don't keep the data longer than is necessary for your intended purpose. If you keep it longer, you'll need to justify why.
6. Data Integrity Principle: Make sure your customer's data is accurate, complete and up-to-date.
7. Access Principle: Allow your customer to access his/her personal data.

SECRECY PROVISIONS OF FINANCIAL SERVICES ACT 2013 (FSA)
As at 19th January 2018
From Legal Department

GENERAL RULE (Section 133(1) FSA)
• All Financial Institutions are expected to ensure that the confidentiality of customer documents or information is preserved at all times.

PENALTY (Section 133(4) FSA)
• Imprisonment not exceeding 5 years; or
• Fine not exceeding RM10 million; or
• Both of the above.

EXCEPTIONS (Section 133 FSA)
- If the document/information is disclosed to Bank Negara for the purpose of exercising its power under the FSA.
- If the document/information is in the form of a summary or collection of information.
- If the document/information has already been made lawfully available to the public.

PERMITTED DISCLOSURE (Section 134 & Schedule 11 FSA)
- Schedule 11 FSA provides 18 circumstances of Permitted Disclosure, including the following:
> Disclosure required to be made under a court order (Sessions Court or above);
> Disclosure to an investigating officer under an order made by an enforcement agency in Malaysia;
> Disclosure of credit information to any authorized officer of a credit reporting agency;
> Disclosure in relation to criminal or civil proceedings.

Reporting of breaches
Any breaches must be reported to the Department Compliance Officer (DCO), Branch Compliance Officer (BCO) or HOD. The DCO, BCO or HOD must complete and submit the IMDC* form and escalate the issues and findings to the Head of Compliance. Secrecy breaches are required to be reported and escalated to Bank Negara.
* Incident Management & Data Collection

Re: BNM Letter dated 4th July 2016
The letter reminded us that Financial Institutions (FIs) are expected to take measures to ensure that the confidentiality of customer documents or information is preserved at all times. FIs are required to conduct a comprehensive independent review of their compliance with the secrecy provisions.

Secrecy Provisions Applicable to FIs
Practices currently in place to ensure compliance:
• Clean desk policy
• Out-going external email filter
• Internet browsing limitations
• Computer hardware limitations, e.g. staff are unable to transfer any data out from the PC to external hard drives without obtaining proper approval
• On-going audits by internal and external parties
• Revision of the Handphone Policy effective March '17

Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA)
As at 30th April 2019
From Compliance Department

Law:
• Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA)

BNM Guideline:
• Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Electronic Money and Non-Bank Affiliated Charge & Credit Card (Sector 4)
• Related BNM circulars on AML/CFT:
  - Public statement by the Financial Action Task Force (FATF) on the 'High-risk and non-cooperative jurisdictions'.
  - Public statement by the FATF-Style Regional Bodies (FSRBs) on countries having inadequate AML/CFT systems.
  - Order on the Al-Qaida and Taliban Sanction Lists imposed by the Security Council of the United Nations.

ACSM Policy:
• COM-AML-A01 Anti Money Laundering & Counter Financing of Terrorism Policy
• COM-AML-G01 Suspicious Transaction Reporting Guideline

AMLATFPUAA: What is "Money Laundering"?
The process where illegal, or "dirty", money is put through a cycle of transactions, or "washed", so that it comes out the other end as legal, or "clean", money.
[Diagram: proceeds of corruption, arms smuggling, robbery, human trafficking, drug trafficking, kidnapping and violent offences enter financial institutions as laundered money and come out as legitimate money / "clean money".]

AMLATFPUAA: What is "Financing of Terrorism"?
• Providing or collecting property for carrying out an act of terrorism
• Arranging for retention or control of terrorist property
• Providing services for terrorism purposes
• Dealing with terrorist property

AMLATFPUAA: Money Laundering Offences
Section 4(1) of AMLATFPUAA:
• Engages, directly or indirectly, in a transaction that involves proceeds of an unlawful activity
• Acquires, receives, possesses, disguises, transfers, converts, exchanges, carries, uses, removes from or brings into Malaysia proceeds of any unlawful activity
• Conceals, disguises or impedes the establishment of the true nature, origin, location, movement, disposition, title of, rights with respect to, or ownership of proceeds of an unlawful activity
• Participates in, is an accomplice in, attempts to, aids, exhorts to, facilitates or provides counsel regarding any of the acts referred to above

Non-compliance with Section 4(1) of AMLATFPUAA: liable to imprisonment for a term not exceeding 15 years, and also liable to a fine of not less than 5 times the sum or value of the proceeds of an unlawful activity or instrumentalities of an offence at the time the offence was committed, or RM5 million, whichever is the higher.

AMLATFPUAA: Money Laundering Stages
Placement stage
• The physical disposal of bulk cash proceeds derived from illegal activity
Layering stage
• The separation of illicit proceeds from their source by creating complex layers of financial transactions
• These disguise the audit trail and provide anonymity
Integration stage
• Re-injecting laundered proceeds into the economy
• Provides an apparently legitimate explanation for criminally derived wealth

AMLATFPUAA: Who is responsible under AML/CFT?
All levels of staff are required to comply with the requirements.
[Diagram: ACSM staff, comprising new employees, supervisors and managers, and front liners.]

AMLATFPUAA: Roles & Responsibilities
Roles & Responsibilities of Employees:
1. Be aware of and understand the following:
• money laundering laws and regulations
• processes and methods of money laundering and terrorism financing
• 'Red flags' of suspicious transactions
• AEON Credit's internal process to report suspicious transactions
2. Conduct Know Your Customer (KYC) and on-going Customer Due Diligence (CDD).
3. Promptly perform the Internal Suspicious Transaction Reporting (ISTR) to Compliance whenever necessary.
4. Attend refresher training programs on AML/CFT practices and measures.