A banker's duty of secrecy in Malaysia is statutory as it is clearly provided under the Financial Services Act 2013 ("FSA"). This article will only focus and discuss the relevant provisions of the FSA. It will not include any analysis on the Islamic Financial Institution Act 2013.

A banker owes a duty of secrecy to its customers at all times, including a duty to keep information concerning its customers' affairs confidential. This duty is also contractual in nature and is to be implied by a banker and customer relationship.

Section 133(1) of the FSA stipulates that no person who has access to any document or information relating to the affairs or account of any customer of a financial institution, including the financial institution or any person who is or has been a director, officer or agent of the financial institution, shall disclose to another person any document or information relating to affairs or account of any customer of the financial institution.

Tournier v National Provincial and Union Bank of England is a landmark case which laid down and defined the scope of a banker's duty of secrecy and confidentiality to its customer. In this case, the Bank had disclosed to the Plaintiff's employer about the Plaintiff's information which he had obtained from the drawer of a cheque made in favour of the Plaintiff. After receiving the information from the Bank, the Plaintiff's employer did not renew the Plaintiff's contract of employment. The Plaintiff then commenced an action for breach of confidentiality.

Their Lordships held that the right of a customer to have his affairs kept confidential is a legal right, which is not absolute but qualified. It was further held that the duty of secrecy is not only confined to the actual state of the customer's account but it also extends to information derived from the account itself.

In other words, a banker's duty to maintain secrecy and confidence not only encompasses information and facts that he learns from the state of the customer's account but includes and extends to all information gained from other sources than the customer's actual account by virtue of the banking relationship. The same principles were enunciated in our local case of Wong Yeng Mun v CIMB Bank Berhad.

The next concern is whether an ex-employee of a bank is also bound by the duty of secrecy. The answer is simply, yes. According to section 133(1) which is read together with section 133(3) of the FSA, the duty of confidentiality encompasses a person who is not just a bank officer but even a third party. Section 133(3) of the FSA states that a person who has any information or document which to his knowledge has been disclosed in contravention of section 133(1) of the FSA is prohibited from disclosing the same to any other person. The duty of secrecy continues even after the termination of the banker and customer relationship.

As a result, in the event that a banker breaches his duty of secrecy, the customer may be entitled to claim for damages, if he has suffered losses. When a customer successfully sues a banker for breach of duty of secrecy, the amount of damages which he is entitled to recover depends on whether he is able to establish the actual extent of the damages he had suffered as a result of the disclosure.

In the case of Tan Eng Seong v Malayan Banking Bhd, the Plaintiff who was the Bank's employee had left and orally closed his bank account with the Bank without giving any written instruction. The Bank did not close the account as there was no written authorisation from the Plaintiff. Lying dormant, the service charge and interest on the account accumulated to RM15. The Bank's credit officer subsequently informed the Plaintiff's brother and upon knowing, the Plaintiff commenced an action for breach of confidentiality. The Court held that the Plaintiff failed to close his account as the required written instruction was not given. The alleged statement made by the Bank's credit officer was not defamatory.

The Court further held that in the absence of clear authority, it is reluctant to find the act in contravention of section 97(1) of the Banking & Financial Institution Act 1989 ("BAFIA") (currently replaced by section 133(1) of the FSA which is pari materia), particularly as, in this case, the Plaintiff can succeed on the claim based on implied duty. In other words, it is sufficient to state that the Plaintiff could even succeed based on an implied duty of confidentiality between him and the bank. The Court allowed the civil action and granted the nominal damages of RM15 to the Plaintiff.

The author opines that the principles from the abovementioned cases must be interpreted in the context of the statutory regime. As the duty of confidentiality is contractual between the banker and the customer, the remedy would be an action for breach of contract and possibly an action for defamation.

Under section 133 (4) of the FSA, any person who is found guilty of breaching his duty of secrecy to a customer, shall be liable to imprisonment for a term not exceeding 5 years or to a fine not exceeding RM10 million or both. This imposes a criminal penalty.

Despite aforesaid, there are qualifications which entitle the Bank to divulge and disclose the information:-

1. If directed by the court order or compulsion by law;

2. To protect the Bank's interest where the Bank initiates action to recover monies owed by the customer and the notice of demand and pleading tendered to the court contain the details of the debt;

3. Disclosure for public interest;

4. If consent is given by the customer either impliedly or expressly;

5. The exceptions provided under the statute are the following:-

(a) Section 133(2)(a) of the FSA where the disclosure is for the purpose of exercising any powers or functions of the Bank under the FSA or the Central Bank of Malaysia Act 2009;

(b) Section 133(2)(b) of the FSA where the document or information is in the form of a summary or collection of information set out in such a manner as it does not enable information to be ascertained from it;

(c) Section 133(2)(c) of the FSA where it is not applicable to the information lawfully available to the public from any source other than the bank;

(d) Section 134(1) of the FSA which is read together with Schedule 11 where it clearly stipulates that the information is permitted to be divulged:-

(1) If written consent is given by the customer or his personal representative;

(2) If the customer is declared bankrupt or wound up;

(3) For the purpose of legal proceedings, either criminal or civil, where the financial institution is a party to it;

(4) For the purpose of of fulfilment of a garnishee order;

(5) To comply with a court order made by a court not lower than a Sessions Court;

(6) To comply with an order or request made by an enforcement agency in Malaysia under any written law for the purpose of an investigation or prosecution of an offence under any written law;

(7) For the performance of functions of the Malaysia Deposit Insurance Corporation;

(8) Disclosure by a licensed investment bank for the purpose of performance of relevant functions of:-

(a)the Securities Commission under the securities laws as defined in the Securities Commission Act 1993;

(b)the stock exchange or derivatives exchange approved under the Capital Markets and Services Act 2007;

(c)the clearing house approved under the Capital Markets and Services Act 2007; or

(d)the central depository approved under the Securities Industry (Central Depositories) Act 1991

  (9) For the purpose of performance of functions of an approved trade repository under the Capital Markets and Services Act 2007.

(10) If documents or information are required by the Inland Revenue Board of Malaysia for taxation purpose;

(11) Disclosure of credit information of a customer to a credit reporting agency registered under the Credit Reporting Agencies Act 2010;

(12) For performance of any supervisory function, exercise of any supervisory power or discharge of any supervisory duty by a relevant authority outside Malaysia which exercises functions corresponding to those of the Bank under the FSA;

(13) To conduct centralised functions, which include audit, risk management, finance or information technology or any other centralized function within the financial group;

(14) For due diligence exercise approved by the board of directors of the financial institution in connection with a merger and acquisition, capital raising exercise or sale of assets or whole or part of business;

(15) For performance of functions of the financial institution which are outsourced;

(16) Disclosure to a consultant or adjuster engaged by the financial institution; or

(17) If a financial institution has reason to suspect that an offence under any written law has been, is being or may be committed.

It is only by the abovementioned qualifications or exceptions that such information may be disclosed legally to a third party. The bank can raise the applicable qualification(s) or exception(s) as a defence against any claim made by its customers. In a nutshell, the author opines that such right of secrecy and confidentiality of a customer has been diluted by the abovementioned exceptions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.