Due to the global outbreak of the novel coronavirus (COVID-19) and with the implementation of the Restriction of Movement Order (Order) on 18 March 2020, Malaysian financial institutions will need to adapt their ‘business as usual’ practices. It is imperative for financial institutions to take appropriate measures and actions to ensure business continuity and their ability to comply with regulatory requirements. This alert highlights the key regulatory considerations for Malaysian financial institutions.

Regulatory requirements

Financial institutions must ensure they can comply with all regulatory requirements set by the Central Bank of Malaysia (BNM) including:

  • maintaining the minimum capital funds and/or liquidity ratios prescribed by BNM and a capital adequacy level commensurate with their risk profiles at all times; and
  • ensuring that their directors and officers remain fit and proper under the current situation. To the extent that the directors and/or officers are unable to continue to discharge their respective functions for health reasons, notification should be made to BNM and discussions may be necessary to appoint another officer to hold the relevant role, or alternative measures that may include cessation from office by the relevant officer.

BNM should be notified immediately if the financial institution anticipates that there will be difficulty or delay in fulfilling any of the regulatory requirements.

Board and management

Financial institutions must ensure that their board of directors (Board) and management are kept informed of the impact and latest developments of the COVID-19 crisis on their businesses. The Board and management must continuously assess the threats and risks to the financial institution.

This includes considering the impact of the Order on the institution's customers, suppliers and other contractual counterparties. Specifically, they will need to assess whether any such counterparty is able to avoid its obligations:

(a) pursuant to a force majeure clause (i.e., to seek reprieve from having to perform its obligations due to circumstances beyond its control);

(b) by claiming that it is released from its obligations as the contract has been frustrated (i.e., there has been a supervening event that is not the fault of either party such that the change to the rights/obligations under the contract is not within contemplation and therefore parties should be relieved from performing the contract); or

(c) otherwise seek to negotiate the inclusion of a material adverse change clause for pandemics or epidemics (i.e., the occurrence of an event that results in a material adverse change that would enable the parties to be relieved from being bound by the contractual terms).

Business continuity planning and communication

Financial institutions should ensure that appropriate business continuity plans (BCP) and disaster recovery plans (DRP) for all critical business functions are in place to address the likely disruption. Financial institutions need to ensure that the following are in place:

(a) procedures to be followed in response to a major operational disruption;

(b) escalation, declaration and notification procedures;

(c) conditions for the activation of BCP and authorised individuals empowered to declare a disaster and grant permission to execute recovery processes;

(d) list of all resources required to cover critical business functions;

(e) relevant information about the alternate and recovery sites; and

(f) procedures for restoring normal business operations.

Communication is of the utmost importance especially during a business disruption or a crisis. Accordingly, financial institutions should include in their BCP a communication plan for notifying all relevant and external stakeholders such as home and host regulators, counterparties, key service providers, media and the public, following a major operational disruption.

Banks[1] are regarded as providers of an essential service under the Order, and the Prevention and Control of Infectious Diseases (Measures within the Infected Local Areas) Regulations 2020 have clarified that the number of personnel and patrons at premises used for the provision of an essential service must be kept to the minimum. Banks will therefore not be able to have their full teams of employees on the ground to carry out their operations. The BCP and DRP, together with the communication strategies, will need to be modulated as employees will likely be working in split teams across different locations and under work-from-home arrangements. There will also need to be crowd containment measures at the various branch offices.

Cybersecurity

Under the Guideline on Risk Management in Technology, financial institutions must ensure the adequacy of their IT and cybersecurity strategic plans. Such plans must, among other things, address the complexity of the institution’s operations and changes in the risk profile as well as the business environment.

As alternative working arrangements would have been implemented, financial institutions should ensure that they are appropriately equipped to manage any cybersecurity risks that may arise as a result of employees working from various locations (including from their homes). In particular, sensitive data such as customer information and digital/electronic business data must continue to be protected during work-from-home arrangements.

Developments in Malaysia

Since the issuance of the Order, the Prime Minister, the National Security Council and various Ministries have issued clarifications to provide further colour to the Order and the restrictions. These supplemental explanations can guide financial institutions in their discussions with their contractual counterparties and employees. Our client alerts contain details of these clarifications and can be read on our website and LinkedIn pages.

It is uncertain whether the Order will be extended beyond 31 March 2020 and financial institutions will need to monitor these developments closely.


[1] Insurers are not regarded as providers of essential service.
