Banks in Malaysia are legally required to protect the personal and financial data you share when you apply for a credit card, personal loan, or savings account online under rules set by Bank Negara Malaysia (BNM) and the Personal Data Protection Act 2010 (PDPA). This guide walks through what data is collected, how it's protected, who can see it, what happens to your data whether your application is approved or not, and what to do if something goes wrong.
What Data Do Banks Collect?
When you apply for a credit card, personal loan, or savings account online, banks collect several categories of information to assess your application:
| Category | Examples | Why it's collected |
| Identification details | Full name, IC number, date of birth, contact information | Confirm identity and eligibility |
| Financial profile | Monthly income, employer details, existing loan commitments, recent bank statements | Assess affordability |
| Supporting documents | Latest payslip, EA form, or EPF statement; a selfie for digital banks | Verify income and identity |
| Platform-level details (if applying via a comparison site) | Initial contact and product-matching details | Match you to suitable products before passing the application to your chosen bank |
For credit products specifically, banks use your existing debts and monthly obligations to calculate your Debt Service Ratio (DSR), which measures how much you can realistically afford to borrow.
How Do Malaysian Banks Protect Customer Data?
Two regulatory frameworks govern how banks handle your data during an application: BNM's technology risk rules, and the PDPA's data protection principles.
Risk Management in Technology (RMiT)
BNM's Risk Management in Technology (RMiT) policy document, most recently revised in November 2025, sets out the technical standards banks must meet. In practice, this means your data is encrypted in transit between your browser and the bank's servers, so intercepted traffic is unreadable. Banks are also required to use multi-factor authentication, maintain access logs, and run regular security assessments.
Personal Data Protection Act 2010 (PDPA)
The PDPA, amended in 2024, governs how organisations collect, process, and store personal data. Since 1 June 2025, those that handle personal data at scale must appoint a Data Protection Officer (DPO). Separately, breach notification rules apply to any business that handles personal data when a breach happens, regardless of its size.
If a bank suffers a data breach that could significantly affect you, the obligations are specific:
| Step | Requirement | Timeframe |
| Notify the Commissioner | Notify the Personal Data Protection Commissioner as soon as practicable | Within 72 hours of the breach |
| Notify affected individuals | Notify you directly if the breach is likely to cause significant harm | Within 7 days of the Commissioner notification |
Penalties differ by violation type: failing to notify a qualifying breach carries a fine of up to RM250,000 and/or up to 2 years' imprisonment. Breaching the PDPA's core Data Protection Principles, which cover security and retention of your data, carries a higher maximum penalty of RM1 million and/or up to 3 years' imprisonment, raised from RM300,000 under the 2024 Amendment Act.
Who Can See Your Data?
Your bank's credit assessment team reviews your application and financial documents. As part of that process, they pull your CCRIS report from Bank Negara Malaysia, the primary tool banks use to assess creditworthiness.
CCRIS is a centralised system that records your loan repayment history, outstanding balances, and credit applications made over the past 12 months. It doesn't generate a score; it provides a factual record that each bank interprets against its own lending criteria. CCRIS data is updated by BNM on the 10th of the following month, based on records submitted by financial institutions. See RinggitPlus's guide to checking your CCRIS report for how to access it yourself.
Your data may also be shared with the bank's fraud detection and compliance teams, and with third-party providers who verify your documents.
The Financial Services Act 2013 makes it a criminal offence for a bank to disclose your information without authorisation (Section 133), unless a specific exception applies (Section 134). Islamic banks are subject to equivalent rules under the Islamic Financial Services Act 2013 (Sections 145–146). BNM's policy document on the Management of Customer Information and Permitted Disclosures (MCIPD), last revised in October 2025, sets out the rules on how banks must get your consent before sharing your data with third parties, in addition to the PDPA's general consent requirements. That consent has to:
- name the specific recipient and purpose
- stand on its own, not be bundled into a broader agreement
- be actively given, not assumed from your silence
- be something you can withdraw at any time
All of this applies alongside the notice you agree to under the PDPA.
What Happens To Your Data After You Apply?
If your application is approved, your data will continue to be used to manage your account or facility for as long as it remains open. Under the banking sector's Personal Data Protection Code of Practice, banks may then retain your data for up to seven years after the account or facility is closed or terminated. Retention can run longer in specific circumstances, such as legal reporting obligations or requirements from regulators like BNM.
If your application is unsuccessful or you withdraw it partway through, the bank isn't required to keep your data indefinitely. Under the PDPA's Retention Principle (Section 10), personal data must not be kept longer than necessary for the purpose in which it was collected, and must be deleted or destroyed once that purpose is fulfilled. In practice, the same Code of Practice permits retention for up to seven years from the date your application is rejected, longer only in the specific circumstances noted above.
Regardless of the outcome, your application will still appear on your CCRIS report — banks are required to report every credit application to BNM whether it's approved or rejected. This is why submitting several applications to different banks within a short window can work against you: to a reviewer, several recent applications can read as financial stress, even if your finances are stable, and in some cases this can lead to a higher interest rate or a rejection on a later application.
If you cancel an application midway, the data you've already submitted is retained in line with the bank's privacy policy. The PDPA gives you the right to request access to your personal data (Section 30), ask for corrections if anything is inaccurate (Section 34), and withdraw your consent to further processing at any time (Section 38).
Note: While all financial institutions in Malaysia must adhere to BNM and PDPA standards, individual banks' internal policies and retention periods may vary. Always refer to the specific bank's Privacy Policy and Notice during your application.
Ways To Protect Your Data
- Check your CCRIS report periodically via eCCRIS (free). It's one of the best early-warning tools for spotting an application or loan you didn't make.
- Read the privacy notice before submitting any application. It should state what's collected, how it's used, who it's shared with, and how long it's kept.
- Use strong, unique passwords and two-factor authentication on your online banking accounts.
- Avoid submitting applications over public Wi-Fi.
- Check for HTTPS (the padlock icon in your browser's address bar) before entering personal data.
- Space out applications rather than applying to several banks at once for the same product.
If Something Goes Wrong
| Situation | What to do |
| You spot an unrecognised loan or application on your CCRIS report | Contact the bank or financial institution involved immediately to flag the issue |
| You believe your personal data has been misused | Lodge a complaint with the Department of Personal Data Protection (JPDP) via their online portal |
| You suspect you're a victim of a scam involving your banking details | Contact your bank immediately and call the National Scam Response Centre (997, 24 hours) — the call itself now counts as your police report |
Malaysia recorded 66,204 online fraud cases in 2025, with losses of roughly RM2.97 billion, according to the Inspector-General of Police — up from 35,368 cases and RM1.57 billion in 2024. Separately, a 2024 consumer survey by GASA and Whoscall found identity theft accounted for 21% of scam types reported by respondents. Leaked personal data is often a starting point.
Staying In Control Of Your Data
Reviewing privacy notices and monitoring your CCRIS report are the most effective ways to stay in control of your data as you apply.












