Guide to Insurtech Innovation and Utilization
Who are the relevant regulators in the region?

There are several regulators overseeing the financial services sector, and each regulator has oversight of its respective regulated institutions. Specifically:

  • Bank Negara Malaysia (that is, the Central Bank of Malaysia) (BNM) would have regulatory oversight of fintech-related issues affecting the banking, insurance, money broking, financial advisory, payment systems and instruments, foreign exchange, moneychanging and remittance services.
  • Securities Commission Malaysia (SC) would regulate fintech/insurtech activities affecting the capital markets and its participants.

Given that fintech/insurtech involves technology and data, it is likely to also fall within the purview of:

  • The Malaysian Communications and Multimedia Commission (MCMC), which regulates the communications and multimedia industry in Malaysia.
  • The Malaysian Personal Data Protection Department (PDPD), which administers the data protection regime.
  • The Intellectual Property Corporation of Malaysia (MyIPO), which administers the intellectual property regime.

What are the types of fintech/insurtech activities that are regulated?

Activities involving insurance, banking, money broking, financial advisory, payment systems and instruments and foreign exchange activities may be regulated by BNM under the Malaysian Financial Services Act 2013 (FSA), and its related regulations, directions, notices, guidelines and industry codes. Fintech/insurtech activities involving money-changing and remittance services may be regulated by BNM under the Malaysian Money Services Business Act 2011.

BNM had, in 2014, issued an announcement stating that Bitcoin (and likely, by extension, other virtual currencies) is not legal tender and that BNM does not regulate the operation/use of Bitcoin.

Any activities that relate to the dealing with derivatives, securities, fund management, advising on corporate finance, as well as providing investment advice and financial planning services may be regulated under the Malaysian Capital Market and Services Act 2007 (CMSA). The SC has issued guidelines to regulate the crowdfunding sector (both equity and peer-to-peer), and more recently, revised various guidelines to regulate digital investment management (robo-advice). Note that financial exchange derivatives fall within the purview of BNM.

To the extent that the activities relate to cryptography and data encryption, and the export of cryptographic/data encryption technology, the activities may be subject to regulation under the Malaysian Strategic Trade Act 2010.

What is the attitude and what are the policy views of the regulator in relation to insurtech (if any)? Is innovation encouraged?

The regulators have been positive and encourage fintech/insurtech innovation.

The SC has adopted a collaborative approach. In September 2015, the SC launched the aFINity@SC initiative (that is, the Alliance of FinTech Community) to create a network for fintech stakeholders to engage with the SC. More importantly, the SC intends to introduce policy and provide regulatory clarity for fintech/insurtech businesses through aFINity@SC. The SC also intends to work together with relevant fintech-related stakeholders, including innovators, entrepreneurs, established businesses, investors and other authorities, as part of a concerted effort to accelerate growth and innovation in the financial industry. The SC will function as the network organizer in pursuing key deliverables, which include (i) creating awareness and catalyzing development in fintech; (ii) forming hubs to organize and nurture a wider fintech/insurtech ecosystem; and (iii) providing policy and regulatory clarity that is conducive for innovation.

In June 2016, BNM established the Financial Technology Enabler Group (FTEG), which is responsible for the regulatory framework to facilitate fintech in the Malaysian financial services industry. FTEG demonstrates BNM's commitment toward supporting fintech innovations for a progressive financial services sector. BNM has also shown awareness of fintech initiatives in the industry. For example, BNM launched the Financial Technology Regulatory Sandbox Framework in October 2016 to allow regulatory flexibilities to be granted to financial institutions and fintech companies to experiment with fintech solutions in a live controlled environment with appropriate safeguards for a limited period of not more than 12 months. The initiatives by the FTEG will complement other initiatives by BNM, for example, regulating the establishment and operations of the product aggregators in the insurance sector and launching the Market Development Fund framework to impose annual targets of point-of-sale terminals in Malaysia to be achieved by participating card organizations in collaboration with payment system operators.

What are the licenses required and what are the criteria and process involved?

The licenses required will depend on specific activities that are contemplated. The relevant licenses that may be required include, among others:

  • Banking or insurance licenses and approvals for other approved businesses. No person may carry on banking or insurance businesses or any other approved businesses such as the operation of a payment system, issuance of a designated payment instrument, moneybroking businesses or financial advisory businesses without a license or an approval from BNM. However, financial technology companies (approved by BNM under the Financial Technology Regulatory Sandbox Framework issued by BNM) are exempt from obtaining licenses required under the FSA and IFSA to carry out, among others, banking and insurance businesses.
  • Capital market services license. No person may carry on a business in any of the regulated activities (which include dealing with derivatives, dealing with securities, fund management, advising on corporate finance, providing investment advice and financial planning services) unless licensed by the SC. Individuals undertaking such activities must also obtain a capital market services representative license from the SC. It should be noted that the SC also introduced a new category of capital market services license for fund management companies which undertake discretionary portfolio management by incorporating innovative technologies (robo-advice).
  • Crowdfunding license. Any person carrying on a crowdfunding business (including peer-to-peer crowdfunding/lending activities) must be licensed by the SC.
  • Moneylending license. Any person undertaking moneylending services must be licensed by the Ministry of Housing and Local Government, unless exempted.
  • Money services license. Any person engaged in the money-changing or remittance businesses must be licensed by BNM.
  • MCMC license. Network services, network facilities, application services and content application services providers must be licensed by the MCMC.
  • Intellectual property registrations. Trademark and/or patent registrations can be filed with MyIPO for fintech/insurtech innovations that involve a patentable innovation or that can be registered as a trademark. Depending on whether there are any objections raised to such registrations, it may take between 1 and 1.5 years to register a trademark and between 5 and 6 years to register a patent in Malaysia.

Save for trademark registrations, which may take between 1 and 1.5 years, and patent registrations, which may take between 5 and 6 years, it generally takes 3 to 6 months to obtain licenses and approval from the various regulators above, subject to the submission of a complete set of documents and information for the application.

Is the use of telematics and/or biometrics regulated?

There are no specific regulations for the use of telematics or biometrics. It is likely that insurers will continue to be subject to general conduct of business and data privacy requirements. Further, depending on how such technology is used, other areas of regulation (for example, telecommunications or pharmaceuticals) may apply.

Does the regulator draw a distinction between institutions that are "too big to fail" versus "too small to care"?

Yes, both BNM and the SC have indicated that different markets are subject to different levels of regulation, that is, adopting the concept of proportionate regulation. By way of example:

  • The SC takes the position that "the level of regulation imposed will depend on the proposed market characteristics, including the structure of the market; sophistication of market users and rights of access; types of products traded; and risks posed by such markets" for operators of equity crowdfunding.
  • The CMSA distinguishes between the levels of investor protection for institutional and non-institutional investors.
  • The FSA distinguishes between payment systems and designated payment systems, which could affect public confidence or impact monetary stability and therefore carry a higher risk than normal payment systems.

What laws (if any) do insurance companies have to comply with in respect of technology risk management?

Among others, licensed insurers must comply with the Guidelines on Management of IT Environment and Guidelines on Data Management and MIS Framework issued by BNM. Licensed insurers that carry out Internet insurance activities must also comply with the Guidelines on Internet Insurance (Consolidated) issued by BNM. The Guidelines on Risk Governance and Guidelines on Stress Testing and the Code of Conduct for Malaysia Wholesale Financial Markets, both of which extend to the use of technology, also apply.

There is also a reporting and/or notification requirement on insurers in the event of cybersecurity breaches and cyber threats.

Are there any laws governing big data, including the collection, use, storage, disclosure and transfer of personal data?

The Malaysian Personal Data Protection Act 2010 (PDPA) governs personal data collected or processed in respect of commercial transactions by persons established in Malaysia or who use equipment in Malaysia to process personal data. In addition to the baseline requirements of the PDPA, additional requirements apply with respect to sensitive personal data (such as medical records, political affiliations and others) and data users in prescribed industries (such as the medical, banking and insurance industries).

The PDPA sets out data protection principles governing the collection, use, disclosure, accuracy, retention, access to and security of personal data. Data users are also required to develop and implement a security policy that complies with prescribed security standards. Insurers are also required to comply with the Code of Practice on Personal Data Protection for the Insurance and Takaful Industry in Malaysia issued pursuant to the PDPA effective on 23 December 2016 (Relevant Code of Practice).

The FSA and CMSA also have specific confidentiality restrictions relating to regulatory-related information and customer information.

Are there any restrictions that could hinder the growth and usage of insurtech by insurance companies under data privacy laws?

Yes, the PDPA and the Relevant Code of Practice provide certain requirements in relation to the processing of personal data. Some of the requirements under the PDPA are as follows:

  • consent from the data subject is required prior to the personal data being processed (including a transfer of such personal data)
  • a written notice must be issued to notify the data subject of a prescribed list of information in the Malay and English languages
  • the personal data shall not be disclosed for any purpose other than the purpose for which it is disclosed
  • a data user shall take practical steps to protect the personal data
  • the personal data processed shall not be kept longer than is necessary
  • a data user must take all reasonable steps to ensure that the personal data is, among others, accurate and not misleading
  • a data subject must be provided access to his personal data and be able to correct his personal data

Are there any laws governing cybersecurity or to mitigate cybersecurity concerns?

The Malaysian Penal Code criminalizes theft, which could extend to conduct involving cybersecurity breaches/theft.

The Malaysian Computer Crimes Act 1997 criminalizes unauthorized access to computer material and unauthorized modification of the contents of any computer.

In addition, the Malaysian Communications and Multimedia Act 1998 criminalizes unauthorized use of any device and unauthorized interception of any communications and the distribution or advertising of any communications equipment used for interception.

The PDPA also has a security principle that requires data users to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

It should be noted that the SC has issued the Guidelines on Management of Cyber Risks, which apply to capital market entities (but not insurers). Among other requirements, the roles and responsibilities of the board and senior management in the governance of cyber risk are clearly stipulated. The guidelines have also mandated capital market entities to identify a responsible person to be accountable for the effective management of cyber risk.

As discussed previously, there is a requirement imposed on insurers to provide the relevant report/notice to BNM in the event of material security breaches and cyber threats.

Further, on 9 June 2017, the Deputy Prime Minister of Malaysia announced that the Malaysian government will introduce a new law that is aimed at protecting Malaysians from cybersecurity threats. The Deputy Prime Minister also mentioned that the draft Bill has been handed over to the Attorney-General of Malaysia and will be tabled in the next Parliament sitting, starting 24 July 2017. The National Cyber Security Agency, which was set up in January 2016, will coordinate all efforts in order to ensure that more effective actions may be taken against cybersecurity threats in Malaysia.

What innovations are insurance companies and/or regulators looking at implementing?

As mentioned in question 3 above, BNM has launched the Financial Technology Regulatory Sandbox Framework. In addition, BNM indicated that it intends to regulate the establishment and operations of the product aggregators by publishing requirements on the same in 2016. However, this has been delayed to 2017/2018 to enable BNM to draw on the experience from the regulatory sandbox.

Further, BNM, through FTEG, has rolled out an initiative called "Fintech Hacks," which allows the public to submit, through its website among other channels, innovative ideas for improving the financial services sector by harnessing innovation and technology.

To date, banks in Malaysia have publicly announced the implementation of innovation and accelerator programs (rather than insurance companies). We expect insurance companies to undertake similar initiatives in the near future (as there have only been a handful that have indicated or collaborated in the launch of accelerator programs).

Have there been fintech/insurtech-related cases (including competition and/or data privacy) in Asia Pacific?

There are no specific cases by the financial regulators so far.

What are the most immediate challenges to insurtech innovation?

  • Regulatory and compliance – Currently, many fintech/insurtech businesses do not fall squarely within any particular regulatory regime in Malaysia. Until such time as there are clear regulatory prescriptions governing fintech/insurtech companies and their businesses, fintech/insurtech companies must evaluate their fintech/insurtech innovation at the outset and question whether their business activity can be undertaken without the fintech/insurtech company becoming a regulated entity, or whether it would have to seek appropriate licenses or approval and incorporate internal compliance frameworks such as anti-money laundering procedures. An understanding of the consumer protection and liability exposures may also be lacking.
  • The high costs of development and innovation – Particularly for start-ups, the lack of funding has not been adequately dealt with and hinders access to facilities, especially for the fintech sector.
  • Skill and talent – The necessary infrastructure, talent and skill set to catalyze fintech/insurtech developments in Malaysia are lacking. Guidance will have to be sought from more developed markets.

What has been, or could be, the impact of fintech/insurtech on the financial services industry?

The most imminent impact of fintech/insurtech on the financial services industry in Malaysia will likely be in the banking and insurance (please refer to question 15 below) sectors.

In respect of the banking sector in particular, there has been an evolution in payment methods. Further, CIMB and Maybank (which are among the largest banking institutions in Malaysia) have also implemented innovation and accelerator programs in Malaysia.

Also, the regulation of crowdfunding platforms and peer-to-peer lending operators by the SC encourages alternative lending platforms, which provide an online marketplace for lenders to exercise greater discretion and choice, based on their risk appetite. There will also be lower costs of borrowing and greater transparency in the communications chain between borrowers and lenders.

Finally, we foresee that the use of technology will eventually displace traditional labor-intensive working models and result in greater automation in respect of client-fronting activities and decision-making processes, through the use of robo advisers, artificial intelligence and blockchain technology, reducing reliance on skill-based labor.

What insurtech trends or disruptions may impact insurance companies?

Insurance companies will be disrupted at key pressure points across the value chain.

In respect of product distribution, online aggregators that assist customers with comparisons of insurance coverage may displace traditional distribution channels, which are primarily manpower-focused (that is, through insurance agents and distributors). With such information easily accessible through a "one-click solution," there will be greater competition between insurers to leverage technology to modify their traditional processes and allow for a shorter time for the issuance of insurance policies while at the same time ensuring compliance with underwriting risk measures.

Self-driving and pay-as-you-go rentals may affect traditional insurance underwriting models developed based on a single or paper ownership structure. Risk determination for underwriting models may also shift toward the use of personalized statistical data through telematics.

We expect insurance companies to vary their business models in the future, whereby they may choose to partner with or acquire non-insurance technology players to incorporate business models that are more data intensive (and less manpower and capital intensive) and platform/infrastructure based. This could result in greater access to more innovative product offerings, with better value for end customers. The greater utility value derived from the use of big data by insurers will also assist with ensuring such outcomes.