Prof. Abu Bakar Munir
DPEX Asia Sdn Bhd & Asosiasi Profesional Privasi Data Indonesia (abmunir@um.edu.my)
When Bank Negara Malaysia issued the revised Management of Customer Information and Permitted Disclosures (MCIPD) in October 2025, the regulatory focus was clearly on strengthening controls across the customer information lifecycle.
What has received far less attention — yet carries significant governance implications — is how Standard 9.2, read together with Guideline 9.3, intersects with Section 133 of the Personal Data Protection Act 2010 (PDPA).
This is not a question of new liability, but of how accountability is now structured.
Standard 9.2 requires senior management of a financial service provider (FSP) to designate a person of sufficient senior ranking with overall responsibility for the implementation and ongoing maintenance of safeguards over customer information.
The responsibilities attached to this designation are substantive. They include:
- communicating and embedding relevant policies across the organisation; and
- coordinating with key stakeholders to ensure consistent implementation.
Guideline 9.3 then makes the accountability concrete by identifying roles such as the Chief Information Officer, Chief Data Officer or Data Protection Officer as possible designees.
In governance terms, this represents a shift from diffuse responsibility to named, senior ownership.
Why Section 133 PDPA becomes unavoidable
Once accountability is deliberately concentrated at senior level, the relevance of Section 133 PDPA becomes difficult to ignore.
Section 133 PDPA allows enforcement authorities to extend liability to any director, manager or other similar officer where a body corporate commits a PDPA offence, unless the individual can demonstrate absence of consent or connivance and the exercise of reasonable precautions and due diligence.
The provision is deliberately functional. It does not depend on formal titles, but on:
- the scope of responsibility,
- the level of authority, and
- control over compliance systems.
Where an FSP designates a CIO, CDO or DPO under Standard 9.2 with effective authority to influence implementation and remediation, the factual foundation for characterising that person as an “officer or similar officer” under Section 133 is materially strengthened.
MCIPD does not amend the PDPA, and Guideline 9.3 does not itself impose personal liability.
Yet together, they lower the evidentiary threshold for Section 133 to be engaged. MCIPD crystallises accountability at senior level; Section 133 supplies the enforcement consequence if customer information safeguards fail. This does not create automatic liability — but it does make personal exposure legally plausible and regulatorily coherent.
The real governance message
BNM’s approach signals a clear expectation: effective customer information protection must sit with senior accountability. Where accountability is explicit, responsibility is no longer abstract.
For boards, this calls for careful role scoping, shared governance and documented oversight.
For designated officers, it reinforces the importance of authority, escalation pathways and evidence of due diligence.
In the post-MCIPD landscape, accountability is no longer merely a governance principle; it is a structural reality, with personal consequences where it is not carefully designed and supported.