Outsourcing 2021

Last Updated October 28, 2021


Law and Practice


Gan Partnership is led by a team of advocates with more than 20 years’ experience, and is among the leading law firms specialising in dispute resolution, alternative dispute resolution and intellectual property (IP). Internationally recognised, Gan Partnership provides clients with an arsenal of services and skillsets, ranging from senior counsel with over 25 years’ experience to aggressive junior and modern litigators. Following the latest addition of two partners with over three decades' experience between them, the firm has gone from strength to strength. The IP team is known for litigation and enforcement, registration and prosecution, commercialisation, strategy and branding, franchising and licensing, privacy and data protection, confidential information, entertainment, gaming, advertising and media, technology and telecommunication.

As Malaysia begins to recover from the COVID-19 pandemic, it is now faced with another potentially disruptive phenomenon – The Great Resignation.

At the time of writing, this resignation tsunami seems to have gained more traction in the west. However, countries in the Asia Pacific region have started to feel its ripple effects with projects from western countries being transferred to the east to fill the exodus.

In light of this, Malaysia expects an influx of IT outsourcing in the years to come. This is evidenced as Malaysia retains its third spot on the 2021 Kearney Global Services Location Index, behind only India and China (“Kearney’s 2021 Index”).

However, several questions fall for consideration surrounding supply and demand in the ever-evolving digital and tech-savvy world, and the battle between financial attractiveness and digital resonance. It is believed that Malaysia’s prospects are quite promising.

The 12th Malaysian Plan

The recent unveiling of the 12th Malaysian Plan (the “12th Plan”) on 27 September 2021 is timely. Amongst the four catalytic policy enablers identified to achieve the three themes of the 12th Plan are “developing future talent and accelerating technology adoption and innovations”.

Under these catalytic policy enablers, the government plans to elevate the quality of education and leverage emerging technologies such as virtual reality, augmented reality and artificial intelligence. Further, the government is committed to promoting digital infrastructure, adopting and applying digital and advanced technology, and enhancing digital connectivity.

With the focus on shifting towards a more digital-centric environment and promoting digital infrastructure, Malaysia will be able to adapt and meet the needs of the new world.

BP outsourcing has increased significantly over the last decade, notwithstanding the pandemic. It is reported in a local newspaper that the BP outsourcing market in Malaysia is set to surpass USD1.4 billion in 2021.

There also seems to be a shift as companies now incorporate global business services (GBS) into their businesses to provide integration of governance, location and business practices. Further, the aspect of GBS commonly associated with the capacity of delivering high value functions into the business process (eg, data analytics and consulting) is a driving factor for companies preferring this service-delivery model over conventional shared services. 

The importance of technology and digitisation became clear during COVID-19. It is unequivocal that technology has played a pivotal role in enabling companies to adapt to this new normal, particularly AI and cloud computing services. Thus, it is no surprise that while Malaysia was seemingly paralysed due to the pandemic, the development and implementation of technology in the workplace grew.

Whilst the implementation or roll-out of new technology in a company is associated with high initial costs, new technology has proven to increase efficiency, productivity, quality and, over time, lower costs. This inevitably affects the outsourcing market in Malaysia as traditionally the services offered were more manual or simpler in nature.

The government has rightly identified that to support the growth of global services, digital infrastructure and connectivity are vital, both set to be boosted by the implementation of the Malaysia Digital Economy Blueprint. In this regard, the 5G network and cloud storage services will be a catalyst for enhancing Malaysia’s attractiveness as a destination for companies. With these initiatives, it is hoped that Malaysia will continue to successfully tap into IT and BP outsourcing demand by producing digitally savvy professionals.

With increasing accessibility due to the use of new technologies, local regulators such as the Securities Commission and the Central Bank of Malaysia (BNM) are constantly kept on their toes to issue guidelines, rules and/or regulations to regulate these new technologies especially those that concern currency, ie, cryptocurrency.

There is no one specific “parent” statute that regulates or governs outsourcing in Malaysia, but there are many industry-specific statutes that imply restrictions, controls or regulations on outsourcing, eg, the Communication and Multimedia Act 1998 (CMA) and the Employment Act 1955 (EA).

Further, certain industries, such as capital markets and financial services, have strict guidelines or regulations in place that affect the outsourcing of services associated with capital markets or the provision of financial services.

For example, the Licensing Handbook (the “Handbook”), issued by the SC, regulates outsourcing activities by market intermediaries under the Capital Markets and Services Act 2007 (CMSA), and the Policy Document on Outsourcing, issued by the BNM, regulates outsourcing activities for financial institutions under the Financial Services Act 2013 (FSA), the Islamic Financial Services Act 2013 (IFSA) and the Development Financial Institutions Act 2002 (DFIA).


The CMA regulates the increasingly convergent communications and multimedia industries in Malaysia. It does not expressly provide for restrictions on the outsourcing of related services but does put in place a mechanism that effectively restricts outsourcing.

For example, Section 36 of the CMA provides that the grant of an individual licence is personal to the licensee, and the individual licence cannot be assigned or transferred to another party without the prior written approval of the Minister. This effectively prohibits the outsourcing of licensed telecommunications services to third parties where it relates to licensable activities.


The EA is the principal act that regulates and governs the labour industry in Malaysia. It provides for a minimum statutory benefit that must be afforded to workers by employers. Pursuant to an amendment in 2012, Section 33A was inserted into the EA, recognising the role of contractors for labour in the employment landscape. A contractor for labour means a person who contracts with a principal, contractor or sub-contractor to supply the labour required for the execution of any work, ie, supplying workers (particularly foreign workers) to any trade or business. It is noteworthy that Section 33A only applies to the agriculture industry (Section 2 of the Employment (Exemption) Order 2012).

Section 33A imposes a legal obligation that a contractor for labour who intends to supply or undertakes to supply any employee must register with the Director General of the Labour Department within 14 days before supplying the employee. The provision also mandates that the contractor for labour must keep or maintain a record of information relating to the supply of employees for the inspection and investigation of the relevant authority.

The purport and intent of Section 33A is to ensure that workers who are employed under contract for labour are protected and enjoy rights and minimum benefits as provided for under the EA, because an employer must enter a contract of service with the employee in order to be afforded the benefits. This contract is non-existent if the employees are supplied by contractors for labour. This system (commonly known as labour outsourcing) involves the conclusion of a contract for service between the principal and a contractor – thus, no contract of service is executed between worker and owner, which would be most detrimental to the protection and benefit of the workers who technically would not fall under the applicability of the EA.

With the new amendment, the Director General will be informed of the particulars of the contractors and their employees, enabling the Ministry of Human Resources and other relevant authorities to trace any irresponsible contractors, keep up to date with the statistics of contract labourers, and protect the contract labourers.

The Handbook

The Handbook was issued pursuant to Section 377 of the CMSA and sets out guidelines pertaining to licence applications and licensing regimes and obligations.

The Handbook applies to all Capital Market and Services Licence (CMSL) holders which covers entities that carry out regulated activities provided under Schedule 2 of the CMSA, including:

  • dealing in securities;
  • dealing in derivatives;
  • clearing for securities or derivatives;
  • fund management;
  • dealing in private retirement schemes;
  • advising on corporate finance;
  • investment advice; and
  • financial planning.

Chapter 10 of the Handbook sets out the requirements for outsourcing processes, services or activities provided by CMSL holders. Chapter 10 of the Handbook does not apply to investment banks unless stipulated in any laws, regulations or guidelines.

The Handbook distinguishes between material and non-material outsourcing arrangements. A CMSL holder must notify the SC within two weeks of signing the service level agreement for any material outsourcing arrangement.

Material outsourcing

The outsourcing of the following functions by a CMSL holder is considered a material outsourcing arrangement, and these functions can be outsourced to the following service providers:

  • internal audit function to its group or an external auditor;
  • compliance function to its group;
  • risk management function to its group;
  • clearing and settlement to any service provider;
  • fund accounting to any service provider;
  • fund valuation to any service provider;
  • the maintenance of register of unit holders to any service provider; and
  • any other function of the CMSL holder that the SC may determine.

A CMSL holder is not allowed to outsource any back office function that involves:

  • the decision-making functions of the CMSL holder; or
  • any interaction or direct contact with the clients of the CMSL holder.

Other than the material functions set out above, other outsourcing arrangements will also be considered material outsourcing arrangements in the following circumstances:

  • there may be a financial, reputational or operational impact on the CMSL holder in the event of a default or failure of the service provider;
  • the CMSL holder’s services or support rendered to its clients may be potentially impacted by the outsourcing arrangement;
  • the CMSL holder’s ability and capacity to comply with regulatory requirements may be impacted by the outsourcing arrangement; and
  • if the appointed service provider may not be able to perform the outsourced function, there is a degree of difficulty and time required for the CMSL holder to select an alternative service provider or to bring the outsourced function in-house.

Additional measures can be required depending on the parties involved and the individual circumstances.

Non-material outsourcing

Examples of non-material functions that do not require notification are human resources (eg, payroll, performance appraisal, employment of personnel) and accounting and financial matters.

Internal audit, compliance and risk management functions cannot be sub-contracted.

A CMSL holder that is also a participating organisation or a trading participant must concurrently forward a copy of the notification to the stock exchange or derivatives exchange, as the case may be.

Chapter 10 of the Handbook provides that a CMSL holder must select an appropriate and efficient service provider as well as monitor the outsourcing arrangement on a continuous basis to ensure that it does not lead to business disruption and negative consequences for the CMSL holder's clients.

Policy Document on Outsourcing (the “Policy Document”)

On 23 October 2019, the BNM issued the Policy Document which came into effect on the same date. The Policy Document superseded its predecessor, the policy document on outsourcing issued on 28 December 2018.

The Policy Document sets out the scope of arrangements relevant to the outsourcing policy, and the requirements and expectations on financial institutions to maintain appropriate internal governance and outsourcing risk frameworks, including those relevant to the protection of data confidentiality. The requirements also serve to ensure the BNM’s continued ability to carry out effective supervisory oversight over financial institutions in relation to their outsourced activities.


The Policy Document is applicable to all financial institutions. A “financial institution” is defined under the Policy Document as “a licensed person and a prescribed development financial institution”.

A licensed person is:

  • under the FSA, a person licensed to carry out banking business, insurance business or investment banking business; and
  • under the IFSA, a person licensed to carry out Islamic banking business, takaful business, international Islamic banking business or international takaful business.

A “development financial institution” under the DFIA is an institution which carries on any activity, whether for profit or otherwise, with or without any government funding, with the purpose of promoting development in the industrial, agricultural, commercial or other economic sector, including the provision of capital or other financing facility; and for the purposes of this definition, "development" includes the commencement of any new industrial, agricultural, commercial or other economic venture or the expansion or improvement of any such existing venture.

Material outsourcing arrangement

The Policy Document provides for its own definition of a “material outsourcing arrangement” as an arrangement which:

  • in the event of a service failure or security breach, has the potential to significantly impact the financial institution’s provision of financial services to customers, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements; or
  • involves customer information and in the event of unauthorised access, disclosure or modification, or loss or theft of the information, has a material impact on the customer or financial institution.

In assessing whether an outsourcing arrangement is material, a financial institution shall have regard to the following factors:

  • significance of the activity to be outsourced;
  • financial, reputational and operational impact on the financial institution or significant business line;
  • impact on the financial institution’s continuing ability to meet its obligations to its customers and counterparties in the event the service provider fails to provide the service or encounters a breach of confidentiality or security;
  • impact of the outsourcing on the financial institution’s ability to maintain strong internal controls and meet its legal and regulatory requirements;
  • risk to security, confidentiality and integrity of its customer information;
  • interdependence of the outsourced activity with other activities of the financial institution;
  • aggregate exposure to a particular service provider in cases where the financial institution, including any affiliates, outsources multiple activities to the same service provider;
  • impact to the financial institution’s business continuity and recovery and resolution plans, including the degree of difficulty, cost and time required to select an alternative service provider or to bring the outsourced activity in-house; and
  • complexity of the outsourcing arrangement and number of parties involved, in particular where the service is sub-contracted or where more than one service provider collaborates to deliver an end-to-end outsourcing solution.

Any arrangement involving internal control functions (ie, risk management, internal audit and compliance) would generally be considered as a material outsourcing arrangement.

Regulatory and approval process

A financial institution must obtain the BNM’s written approval before:

  • entering into a new material outsourcing arrangement; or
  • making a significant modification to an existing material outsourcing arrangement.

A financial institution is not required to obtain the BNM’s prior written approval:

  • where the outsourced activity is to be performed by an affiliate which is a financial institution or a financial holding company; or
  • where the outsourced activity is to be performed by an affiliate which is not supervised by the BNM, and the BNM determines that the management of outsourcing risk by the financial institution is effective, having regard to whether:
    1. the affiliate is subject to the supervision of a financial regulatory authority; and
    2. effective home-host supervisory co-operation arrangements between the BNM and the relevant financial regulatory authorities are in place.

Outsourcing agreement

An outsourcing arrangement must be governed by a written agreement that is legally enforceable. The outsourcing agreement must, at a minimum, provide:

  • the duration of the arrangement, including dates;
  • the responsibilities of the service provider, with well-defined and measurable risk and performance standards in relation to the outsourced activity;
  • the controls to ensure the security of any information shared with the service provider at all times, covering at a minimum:
    1. the responsibilities of the service provider with respect to information security;
    2. the scope of information subject to security requirements;
    3. the provisions to compensate the financial institution for any losses and corresponding liability obligations arising from a security breach attributable to the service provider;
    4. the notification requirements in the event of a security breach; and
    5. the applicable jurisdictional laws;
  • the use of information shared with the service provider is limited to the extent necessary to perform the obligations under the outsourcing agreement;
  • the continuous and complete access by the financial institution to its data held by the service provider in the event of a dispute with the service provider, or termination of the arrangement;
  • the ability of the financial institution and its external auditor to conduct audits and on-site inspections on the service provider and its sub-contractors, and to obtain any report or finding made in relation to the outsourced activity;
  • the notification to the financial institution of adverse developments that could materially affect the service provider’s ability to meet its contractual obligations;
  • the measures that the service provider would take to ensure continuity of the outsourced activity in the event of an operational disruption or failure on the part of the service provider;
  • regular testing of the service provider’s business continuity plans (BCP), including specific testing that may be required to support the financial institution’s own BCP testing, and a summary of the test results to be provided to the financial institution with respect to the outsourced activity;
  • the dispute resolution process in the event of default or non-performance of obligations, including remedies and indemnities where relevant;
  • the circumstances that may lead to termination of the arrangement, the contractual parties’ termination rights and a minimum period to execute the termination provisions, including providing sufficient time for an orderly transfer of the outsourced activity to the financial institution or another party;
  • where relevant, terms governing the ability of the primary service provider to sub-contract to other parties; sub-contracting should not dilute the ultimate accountability of the primary service provider to the financial institution over the outsourcing arrangement, and the institution must have clear visibility over all sub-contractors; therefore, the outsourcing agreement between the financial institution and primary service provider must stipulate the following:
    1. the accountability of the primary service provider over the performance and conduct of the sub-contractor in relation to the outsourcing arrangement;
    2. the rights of the financial institution to terminate the outsourcing agreement in the event of excessive reliance on sub-contracting (eg, where the sub-contracting materially increases the risks to the financial institution); and
    3. the requirement for the sub-contractor and its staff to be bound by confidentiality provisions even after the arrangement has ceased; and
  • corresponding obligations for staff of the service provider, who are involved in the delivery of services to the financial institution’s customers, to comply with similar conduct standards imposed by the BNM on the financial institution.

The outsourcing agreement must also contain provisions which:

  • enable the BNM to have direct, timely and unrestricted access to the systems and any information or documents relating to the outsourced activity;
  • enable the BNM to conduct on-site supervision of the service provider where BNM deems necessary;
  • enable the BNM to appoint an independent party to perform a review of the relevant systems, information or documents of the service provider relating to the outsourced activity, where the BNM deems necessary; and
  • allow the financial institution the right to modify or terminate the arrangement when the BNM issues a direction to the financial institution to that effect under the FSA, IFSA or DFIA, as the case may be.

Responsibilities of the board and senior management

The board must:

  • establish a clear risk appetite governing outsourcing arrangements;
  • approve the outsourcing risk management framework which, among others, addresses the financial institution’s basis and approach for identifying material outsourcing arrangements. The framework must cover all outsourcing arrangements, regardless of whether they involve third parties or affiliates;
  • establish a sound internal governance structure that provides effective oversight and control over outsourcing arrangements, consistent with the financial institution’s overall business strategy and risk appetite, and does not result in the delegation of the board and management oversight and decision making responsibilities;
  • retain sufficient management capacity and skilled resources within the institution to oversee the outsourced activity, including where the outsourced activity is undertaken by an affiliate of the financial institution; and
  • ensure effective management of outsourcing risk, having regard to the assessments made by senior management.

The senior management must:

  • develop the outsourcing risk management framework, clearly articulating the accountability of the board and senior management and the process involved in approving and managing outsourcing arrangements; the framework must be reviewed periodically;
  • manage outsourcing risks on an institution-wide basis;
  • continuously monitor all outsourcing arrangements, including:
    1. ensuring timely escalation to the board of material developments on outsourcing arrangements, outsourcing risk issues and incidents of non-compliance by the service provider;
    2. ensuring outsourcing arrangements continue to remain within the outsourcing strategy and risk appetite;
    3. conducting an independent review on a periodic basis to ensure compliance with the outsourcing framework and taking prompt remedial actions to address any gaps identified;
    4. ensuring internal audit covers outsourcing risk as part of the risk-based audit plan; and
    5. where relevant, ensuring outsourcing arrangements do not compromise the financial institution’s ability to comply with sharia requirements;
  • conduct assessments on the effectiveness of management of outsourcing risk on a periodic basis, covering at a minimum:
    1. a review of the performance of the service provider (this includes an assessment of the continued ability of the service provider to perform the activity to the level expected in accordance with the outsourcing agreement) and whether the service provider complies with the terms of the outsourcing agreement;
    2. the adequacy of internal control processes, including data security practices of the service provider;
    3. whether prompt corrective actions taken by the service provider in the event of a breach of the outsourcing agreement are effective;
    4. whether the terms of the outsourcing agreement remain appropriate and are in line with the financial institution’s outsourcing risk appetite; and
    5. the financial institution’s ability to preserve continuity of the outsourced activities under periods of stress;
  • ensure prompt notification to BNM of developments concerning outsourcing arrangements that result, or could result, in a material impact on the financial institution; and
  • maintain a complete register of all outsourcing arrangements; the register must, at a minimum, include the following information and be made readily available to the BNM upon request:
    1. date of last update of the register;
    2. a reference number for each outsourcing arrangement;
    3. name, registered address, country of registration and corporate registration number of the service provider and sub-contractors;
    4. clear identification of any service provider or sub-contractor that is an affiliate of the financial institution;
    5. whether the service provider and sub-contractors are regulated by a financial regulatory authority;
    6. a brief description of the outsourced activity;
    7. whether the activity is considered material, the reasons and the date of last materiality assessment;
    8. date of first commencement of arrangement, current date of appointment and expiry/renewal date;
    9. the locations (eg, city and country) where the outsourced activity is undertaken by the service provider and sub-contractors, including where information is processed or stored, and back-up locations;
    10. where an arrangement involves the use of cloud service provider, the nature of data held and locations where such data is stored;
    11. costs of arrangement, including pricing basis;
    12. the governing law of the outsourcing agreement;
    13. the date of the last and next scheduled audit, where relevant;
    14. consideration of an alternative service provider;
    15. where there are incidents involving data security breaches, a brief description of the incidents including the date of incidents and corrective actions taken by the service provider; and
    16. the date of the last and next scheduled joint business continuity plan testing.

Due diligence

A comprehensive assessment on a potential service provider must cover the following:

  • capacity, capability, financial strength and business reputation (this includes an assessment that the service provider is a going concern and has strong governance structures to manage the outsourced activity throughout the duration of the arrangement);
  • risk management and internal control capabilities, including physical and IT security controls, and business continuity management (including the ability of the service provider to respond to service disruptions or problems resulting from natural disasters, or physical or cyber-attacks, within an appropriate timeframe);
  • the location of the outsourced activity (eg, city and country), including primary and back-up sites;
  • access rights of the financial institution and the BNM to the service provider;
  • measures and processes to ensure data protection and confidentiality;
  • reliance on sub-contractors, if any, in particular where the sub-contracting adds further complexity to the operational chains of the outsourcing arrangement;
  • undue risks (for instance, concentration risk to a systemic service provider in the industry or where the service provider’s fee structure or relationship with the financial institution may create potential conflict of interest issues) resulting from similar business arrangements, if any, between the service provider and the financial institution;
  • the extent of concentration risk to which the financial institution is exposed with respect to a single service provider and the mitigation measures to address this concentration; this does not apply to a service provider that is an affiliate and is supervised by a financial regulatory authority; and
  • the ability of the service provider to comply with relevant laws, regulations and requirements in this policy document.

Thereafter, the findings and outcomes from the due diligence exercise will need to be documented and escalated to the board.

Outsourcing arrangements outside Malaysia and involving cloud services

The Policy Document acknowledges that where service providers are located, or perform the outsourced activity, outside Malaysia, or via a cloud service provider, there is an inherent added risk with regard to data accessibility, confidentiality, integrity, sovereignty, recoverability and regulatory compliance.

A financial institution should have appropriate controls and safeguards in place to manage these additional risks.

Personal Data Protection Act 2010 (PDPA)


Data processing or data security in Malaysia is governed by the PDPA, which regulates the processing of the personal data involved in commercial transactions. The PDPA applies to the processing of personal data by persons established in Malaysia (or by any other person employed or engaged by a person established in Malaysia), and to the processing of personal data by persons who are not established in Malaysia but use equipment located in Malaysia to process personal data (other than for purposes of transit through Malaysia). The PDPA does not apply to the processing of personal data outside Malaysia, unless the personal data is intended to be processed further in Malaysia.

Principles under the PDPA

Pursuant to the PDPA, every data user has to comply with the seven Personal Data Protection Principles, namely the following.

  • General Principle: this prohibits the data user from processing the data subject’s personal data without their consent, unless such processing is necessary for the following:
    1. the performance of a contract to which the data subject is the party;
    2. the taking of steps, at the data subject’s request, with a view to entering into a contract; 
    3. compliance with any legal obligation to which the data user is subject, other than a contractual obligation; 
    4. protecting the vital interests of the data subject, namely matters relating to life, death or security;
    5. the administration of justice; or 
    6. the exercise of any functions conferred on any person by or under any law.
  • Notice and Choice Principle: this requires a data user to inform the data subject of the following, by written notice, as soon as practicable, in both the national and English language:
    1. the personal data of the data subject that is being processed, and a description thereof;
    2. the purposes for which the personal data is being collected and further processed; 
    3. any information available to the data user as to the source of that personal data;
    4. the data subject’s right to request access to and correction of the personal data and contact particulars of the data user should inquiries or complaints arise;
    5. the class of third parties to whom the data will or may be disclosed;
    6. the choices and means offered to the data subject to limit the processing of the data; and 
    7. whether it is obligatory or voluntary for the data subject to supply data, and, if obligatory, the consequences of not doing so.
  • Disclosure Principle: this prohibits the disclosure of personal data, without the data subject’s consent, for any purpose other than that for which the data was to be disclosed at the time of collection, or a purpose directly related to it, nor to any party other than a third party of the class notified to the data user.
  • Security Principle: this imposes an obligation on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
  • Retention Principle: this imposes an obligation that personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it was processed. Once the purpose has been fulfilled, the data user must take reasonable steps to ensure the data is destroyed or permanently deleted.
  • Data Integrity Principle: this imposes a responsibility on the data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, with regard to the purpose (and any directly related purpose) for which it was collected and processed.
  • Access Principle: this provides the data subject with the right to access his or her own data and to correct any personal data that is inaccurate, incomplete, misleading or outdated.

The PDPA on cross-border transfer of data

The PDPA imposes cross-border restrictions, with the general rule being that personal data may not be transferred to a place outside Malaysia unless that place is specified by the Minister.

The Personal Data Protection Commissioner (the “Commissioner”) of the Ministry of Communications and Multimedia Malaysia issued a Public Consultation Paper entitled Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 (the “Proposed 2017 Order”), which sought feedback from the public on the Commissioner’s draft Whitelist of countries to which personal data originating in Malaysia may be freely transferred without having to rely on the exemptions of Section 129 of the PDPA. The Proposed 2017 Order never came to fruition.

Subsequently, the Commissioner issued a Public Consultation Paper No 01/2020 entitled Review of Personal Data Protection Act 2010 (the “Consultation Paper No 01/2020”). In Consultation Paper No 01/2020, the Commissioner acknowledged that the whitelist seems to curb and set barriers for data users to transfer personal data to places outside Malaysia. Further, the Commissioner observed that a clear provision and the conditions for transferring personal data to places outside Malaysia are essential to facilitate e-commerce transactions and free trade agreements. As such, the Consultation Paper No 01/2020 seeks feedback on its proposal to remove the whitelist provision of the PDPA.

General Data Protection Regulation (GDPR)

The GDPR came into effect on 25 May 2018 in the European Union (EU) and is directly applicable to all EU member states. This new set of rules is designed to give EU citizens more control over their personal data and aims to simplify the regulatory environment for businesses so that both citizens and businesses in the EU can fully benefit from the digital economy. 

The GDPR applies not just to organisations within the EU but also to organisations outside the EU that offer goods or services to individuals within the EU.

The penalties for the breach of each law are outlined below. “Person” includes an individual, corporation, statutory body, local authority, society, trade union, co-operative society, partnership and any other body, organisation, association or group of persons, whether corporate or unincorporate.


the suspension or cancellation of the individual licence (Section 37(b) of the CMA). Failure to comply with suspension or cancellation is deemed an offence punishable, on conviction, with a fine not exceeding MYR500,000 or imprisonment for a term not exceeding five years, or both (Section 41 of the CMA).

The EA

A contractor for labour who supplies employees without registering with the Director General as required under subsection (1), or who fails to keep or maintain any register or make any register for available inspection as required under subsection (2), commits an offence and shall, on conviction, be liable to a fine not exceeding MYR10,000 (Section 33A of the EA).

The Handbook

If any person fails to comply with the Handbook, they are deemed to have committed a breach. The SC may take one or more of the following actions (Section 377 of the CMSA).

Section 354:

  • directs the person in breach to comply with, observe, enforce or give effect to rules, provisions, written notice, direction, practice note, condition or guideline;
  • imposes a penalty in proportion to the severity of the breach on the person in breach, but in any event not exceeding MYR1,000,000;
  • reprimands the person in breach;
  • requires the person in breach to take such steps as the Commission may direct to remedy the breach or to mitigate the effect of such breach, including making restitution to any other person aggrieved by such breach;
  • in the case of a breach of Part VI or guidelines issued pursuant to Part VI, refuses to accept or consider any submission under Part VI; and
  • in the case of a promoter or a director of a corporation, the following actions may be taken by the Commission in addition to the actions listed above that may be taken:
    1. impose a moratorium on, or prohibit any trading of or any dealing in, the corporation's securities or any other securities the Commission thinks fit; or
    2. issue a public statement if, in the Commission's opinion, the retention of office by the director is prejudicial to the public interest.

Section 355:

  • directs the exchange holding company or derivatives exchange, as the case may be, to:
    1. suspend trading on the derivatives market in a particular class of derivatives;
    2. limit transactions on the derivatives market to the closing out of derivatives;
    3. defer, for a stated period, the completion date for all derivatives or for a particular class of derivatives entered into on the derivatives market; or
    4. cause a particular derivative entered into on the derivatives market or each derivative included in a particular class of derivatives so entered into to be:
      1. closed out immediately as the result of the matching up of the derivative with a derivative of the same kind whose price or value is equal to a price or value determined by the derivatives exchange; or
      2. invoiced back to a stated date at a price or value determined by the derivatives exchange;
    5. requires a derivative entered into on the derivatives market or each derivative included in a particular class of derivatives so entered into to be discharged by:
      1. the tendering of a merchantable lot of an instrument determined by the derivatives exchange that is of a quality or standard determined by the derivatives exchange, which is different from the quality or standard of the instrument stated in the derivative; and
      2. the tendering of a price adjusted by an amount determined by the derivatives exchange that is appropriate having regard to the quality or standard of the instrument;
    6. requires any affiliates of the derivatives exchange to act in a particular manner in relation to trading in derivatives on the derivatives market of that derivatives exchange or in relation to trading in a particular class of derivatives;
  • directs the person in breach to comply with, observe, enforce or give effect to rules, provisions, written notice, direction, practice note, condition or guideline;
  • imposes a penalty, not exceeding MYR1,000,000, in proportion to the severity or gravity of the breach on the person in breach;
  • reprimands the person in breach; or
  • requires the person in breach to take steps as directed by the SC to remedy the breach or mitigate the effect of a breach, including making restitution to any aggrieved person.

Section 356:

  • directs the person in breach to comply with, observe, enforce or give effect to any requirement or provision of the CMSA, any securities laws, written notice, direction, guideline, practice note, or any condition of or restriction on a licence granted under or pursuant to the CMSA;
  • imposes a penalty, not exceeding MYR1,000,000, in proportion to the severity of the breach on the person in breach;
  • reprimands the person in breach; and
  • requires the person in breach to take steps, as directed by the SC, to remedy or mitigate the effect of a breach, including making restitution to any person aggrieved by such breach.

The Policy Document

The Policy Document provides for “standard” and “guidance” applicable to financial institutions. It is noteworthy that the “standard” and “guidance” are defined as:

  • “standard” – an obligation, requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;
  • “guidance” – consists of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted.

Although neither the Policy Document nor the FSA defines “enforcement action”, BNM has clarified that “enforcement action” is synonymous with administrative actions as provided for under Part XV, Division 2 of the FSA.

If an errant financial institution breaches a standard imposed by BNM, BNM is empowered to take any one or more of the following administrative actions:

  • issue of an order to comply;
  • impose a monetary penalty;
  • reprimand in writing the person in breach or require the person in breach to issue a public statement in relation to such breach;
  • make an order in writing requiring the person in breach to take steps to mitigate the effect of such breach; and
  • make an order to remedy the breach, including making restitution to any other person aggrieved by such breach.

Contractual terms effecting the seven principles of the PDPA are included in contracts.

There is no standard supplier customer model in Malaysia for outsourcing contracts. Thus, organisations are free to select a suitable contracting model, negotiate its terms and conceptualise bespoke outsourcing contracts that best fit their outsourcing needs. Large organisations may have a fixed, existing template of outsourcing contracts.

Whilst outsourcing contracts are generally bespoke, the models generally used are as follows.

Single Outsource Service Provider

As its title suggests, the customer contracts with a single outsource service provider to provide the outsourced services to the customer. This is the most common and direct outsourcing model, suitable for a single-faceted outsourced service.


Contrary to the above, multi-sourcing simply means the customer contracts with numerous outsource service providers. Each outsource service provider’s job scope would be mutually exclusive and independent of one another, but cumulatively provides for a total solution for the customer.


This is the evolution of shared services and BP outsourcing. Instead of operating numerous shared service centres and managing outsourcing vendors independently, GBS provides integration of governance, locations and business practices to all shared services and outsourcing activities across the enterprise. The catalyst for the growth of GBS in Malaysia was the government’s initiatives, including the Malaysia Digital Economy Blueprint, the National Fourth Industrial Revolution and the National Digital Network. According to the SSON State of the Shared Services Market report 2020 – Malaysia, GBS is the predominant model in Malaysia and a large segment is already moving towards digitised GBS.

Build-Operate-Transfer (BOT)

In recent years, Malaysia seems to have favoured this contract model for developing public infrastructure projects such as toll highways, railways, ports and bridges. It is noteworthy that the viability of a BOT project to private investors depends on fundamental legal issues such as enforcement of contracts, private ownership, security arrangements, taxes, remittance of foreign exchange and profits. Amongst the successful BOT projects in Malaysia are the North South Highway Project (Projek Lebuhraya Utara Selatan), Lekir Bulk Terminal, Shah Alam Expressway, Tanjung Pelepas Port, East Coast Expressway, Tun Salahuddin Bridge and Johor Eastern Dispersal Link Expressway. The key advantage of this contract model in a developing country like Malaysia is information and expertise transfer.

Joint Venture or Partnership

These contract models may be seen to go against the grain of conventional outsourcing as the customer may be directly involved in the provision of what was intended to be an outsourced service.

According to the SSON State of the Shared Services Market report 2020 – Malaysia, four out of ten Malaysian-based centres have more than a decade’s worth of experience behind them. Another 40% of those surveyed are in the planning or early implementation stage.

Malaysia’s standing as a hub for shared services centres was evidenced in 2018, when global insurer AXA announced the establishment of its new AXA Shared Services Centre in Puchong Financial Corporate Centre (PFCC) – the latest MSC Cybercentre and an iconic corporate landmark in Puchong. AXA is set to generate approximately 200 jobs across different technologies and capabilities by the end of 2018. In August 2019, Tricor Group announced the official opening of the Shared Service Centre located in Kuala Lumpur, known as Tricor ace. Tricor ace functions as the centre of excellence and provides support across the group’s financial accounting, payroll, IT, corporate services and other shared service centre functions.

As shared services centres mature, they shift from single function to multi-functional activities to a more holistic end-to-end process life cycle and subsequently to GBS, where shared services focus on innovation management and competence centres by providing more complex services.

A customer falls under the definition of “consumer” under the Consumer Protection Act 1999 (CPA). The CPA provides for the protection of consumers and promotes a fair, accessible and sustainable marketplace for consumer products and services.

The main customer/consumer protections with regards to goods include the following guarantees:

  • to the right to sell (Section 31 of the CPA);
  • to acceptable quality (Section 32 of the CPA);
  • to fitness for particular purpose (Section 33 of the CPA);
  • that goods comply with description (Section 34 of the CPA);
  • that goods comply with sample (Section 35 of the CPA);
  • to price (Section 36 of the CPA); and
  • to repairs and spare parts.

The main customer/consumer protections with regards to services include the following guarantees:

  • to reasonable care and skill (Section 53 of the CPA);
  • to fitness for particular purpose (Section 54 of the CPA);
  • to time of completion (Section 55 of the CPA); and
  • to price (Section 56 of the CPA).

The remedies available to the consumer against the supplier where any goods or services fail to comply with the above-mentioned guarantees are as follows:

  • where the failure is one that can be remedied, the consumer may require the supplier to remedy the failure within a reasonable time; or
  • where the failure is one that cannot be remedied or is of a substantial character, the consumer may cancel the contract or obtain damages (Sections 41 and 60 of the CPA).

Courts and Tribunals

Where the Court or Tribunal for Consumer Claims comes to the conclusion that a contract or a term of a contract is either procedurally or substantively unfair or both, they may declare the contract or the term of the contract as unenforceable or void and the Court may grant judgment or the Tribunal may make an award as provided for under the CPA (Section 24G(1) of the CPA).

The Court or the Tribunal may, in proceedings before it, raise an issue as to whether a contract or its terms are unfair, even if none of the parties has raised the issue in its pleadings (Section 24F of the CPA).

A contract or a term of a contract is procedurally unfair if it has resulted in an unjust advantage to the supplier or unjust disadvantage to the consumer on account of the conduct of the supplier or the manner in which or circumstances under which the contract or the term of the contract has been entered into or has been arrived at by the consumer and supplier (Section 24C(1) of the CPA).

A contract or a term of a contract is substantively unfair if the contract or the term of the contract is in itself harsh, oppressive, unconscionable, excludes or restricts liability for negligence or excludes or restricts liability for breach of express or implied terms of the contract without adequate justification (Section 24D(1) of the CPA).

Parties may enter into an agreement to govern their relationship, including terms as to when the contract may be terminated. Depending on the terms agreed by the parties, termination may be for convenience or for default (also known as for cause).

The customer or supplier may terminate the contract when one party breaches a condition to the contract. A condition is a stipulation that is essential to the main purpose of the contract, the breach of which gives rise to a right to treat the contract as repudiated (Section 12 of the Sale of Goods Act 1957).

The principal act that deals with loss suffered due to a breach of a contract is the Contracts Act 1950 (CA). Section 74 of CA provides that an aggrieved party is entitled to receive compensation from the party that breaks the contract for any loss or damage that arose naturally in the usual course of things from the breach, or which the parties knew was likely to occur when they made the contract (Section 74(1) of the CA). This compensation is not to be given for any remote and indirect loss or damage sustained by reason of the breach (Section 74(2) of the CA).

In Malaysia, there is a distinction between direct and indirect loss. The plaintiffs/claimants are entitled to claim losses that were the natural consequence of the defendant’s breach, or losses that were within the contemplation of both parties at the time they made the contract. Losses that are too remote or not within the contemplation of the parties may not be claimable.

The general rule in Malaysia for a party seeking substantial damages is that said party has the burden of proving the liability, the remoteness of the damage (foreseeability) and the actual damage suffered (quantum) based on clear and sound evidence; failure to do so may entail the award of only nominal damages.

It is worth highlighting a recent development in the law pertaining to liquidated damages clauses in contracts: in the case of Cubic Electronics Sdn Bhd v Mars Telecommunications Sdn Bhd [2019] 2 CLJ 723, the Federal Court succinctly laid down guidelines (see Federal Court Judgment, page 56, No 74).

Loss of Profit

As a general rule, the Court may not be inclined to order an award of damages for loss of profit for fear of causing a windfall in favour of the plaintiff. With that being said, cases in Malaysia (SPM Membrane Switch Sdn Bhd v Kerajaan Negeri Selangor [2016] 1 CLJ 177; Bank Bumiputra Malaysia Bhd. Kuala Terengganu v Mae Perkayuan Sdn. Bhd. & Anor. [1993] 2 CLJ 295) have held that loss of profit may be regarded as a head of damages in specific circumstances. In this regard, Section 74 of the CA still applies. Therefore, as long as the damage suffered for loss of profit is deemed to be a natural result of the breach or within the contemplation of the breaching party, nothing precludes the Court from ordering substantial damages for loss of profit in favour of the aggrieved party.

Loss of Goodwill

Case law in Malaysia has regarded loss of goodwill as a head of damages (Taiping Poly (M) Sdn Bhd v Wong Fook Toh, Wong Che Leong and Wong Su Fah (t/a Kong Wah Trading Co) [2011] 1 MLJ 798). Although it would be impossible to quantify the actual loss suffered with regards to loss of goodwill, the Courts have held that the applicable principle in determining loss of goodwill is the “best means” test, whereby the Court must assess what is a fair and temperate sum for the plaintiff, by the best means it can. The rationale for this is that the law assumes that damages will result if the goodwill of a man’s business has been interfered with by the passing off of goods. The Federal Court upheld the finding of the Court of Appeal in Taiping Poly and held that it was trite law that damages for loss of goodwill and reputation were presumed and the sum to be awarded was a matter of the court’s discretion. In that case, RM50,000 was deemed fair and reasonable.

In brief, the quantum of award in respect of goodwill is a matter of Court discretion, depending on the facts of the particular case. Factors that the Court considers in determining this include the plaintiff’s reputation and the length of time of the defendant’s wrongful act.

In recent years, Malaysian Courts seem inclined to be guided by intellectual property valuation reports when determining the quantum of damages for loss of goodwill. In this regard, the Intellectual Property Commission of Malaysia (IPCM) provides training and even certification to certify an individual as a registered IP Valuer with IPCM.

The general rule is that parties are bound by what they sign. For the purposes of contract interpretation, where the words used in the contract are plain and unambiguous, the Court is to adopt its natural and ordinary meaning.

The Malaysian Courts will not intervene to rewrite or audit the bargain between the parties, and will instead hold them to the contract, agreement or instrument they made for themselves by giving effect to the clear and unequivocal words of the terms.

However, in a situation where there are two competing interpretations of clauses in a contract, the one which makes more commercial sense should be preferred if the natural meaning of the words is unclear.

There are no fixed implied terms that are relevant to outsourcing contracts in Malaysia. This is in tandem with the fact that a myriad of services may be outsourced, so the terms would vary depending on the nature of the outsourcing contract.

With that being said, there are three ways in which a term can be implied:

  • by custom or trade;
  • by law (common law or statute); or
  • by the courts (from the facts of the particular contract).

With regards to an implied term by the courts, the test is two-fold: the business efficacy test and the officious bystander test. Therefore, there is no hard and fast rule with regards to implied terms for a contract, including an outsourcing contract. Should a term fulfil both the tests, the Court may imply said term into the outsourcing contract.

It is a deeply entrenched principle in industrial jurisprudence that employers have managerial prerogative to transfer their employees. The Court would normally not interfere when this prerogative is exercised, unless there is a contract to the contrary. 

However, the power to transfer employees is subject to the following well-recognised restrictions:

  • that there is nothing to the contrary in the terms of employment;
  • that the management has acted in a bona fide manner and in the interest of its business;
  • that the management is not actuated by any indirect motive or any kind of mala fide;
  • that the transfer is not made for the purpose of harassing and victimising the workman; and
  • that the transfer does not involve a change in the conditions of service: Ladang Holyrood v Ayasamy Manikam & Ors [2004] 3 MLJ 339.

Furthermore, consent is usually required (unless provided otherwise in the employment contract), as case law has shown that, in some cases, the transfer of an employee to another legal entity without their consent could potentially result in a claim of constructive dismissal, especially if the employee is transferred to the service provider and the employee’s job scope differs significantly. Transfer without consent may also be deemed a violation of the Federal Constitution, as the employee has the right to be employed by an employer of their choice. Therefore, compelling an employee to work for a particular employer without affording him a choice in the matter has been interpreted to constitute one form of forced labour: Barat Estates Sdn Bhd & Anor v Parawakan A/L Subramaniam & Ors [2000] 4 MLJ 107.

To avoid any claims for constructive dismissal, an employer should ensure that any transfer:

  • does not involve a demotion;
  • does not involve a significant change in employment terms and conditions;
  • is being proposed for a genuine reason; and
  • is between entities that are not only in the same group of companies, but have the unity of a group enterprise or are genuinely inter-dependent (Ng Bee Yoong v Capital Development Sdn Bhd [2016] 1 ILR 609).

Workers’ councils do not exist in Malaysia. Trade unions are governed under the Industrial Relations Act 1967 (IRA) and the Trade Unions Act 1959 (TUA).

Neither the IRA nor the TUA mandates consultation with a trade union prior to outsourcing. However, employers ought to be wary and peruse any collective agreement thoroughly, as the requirement for consultation may be provided in collective agreements.

Further, it is noteworthy that there is the Code of Conduct for Industrial Harmony (the “Code”), which is an agreement between the Ministry of Human Resources, the Malaysian Council of Employers and the Malaysian Trades Union Congress. The Code provides that an employer should regularly provide its employees with as much information as possible on matters affecting them, which includes organisational and management changes which affect employees.

The Code is merely a guideline and has no legal force. Nevertheless, Section 30(5A) of the IRA provides that the industrial court, in making its award, may take into consideration any agreement or code relating to employment practices between organisations representative of employers and workmen respectively where such agreement or code has been approved by the Minister.

It is standard practice in Malaysia that in the event of a transfer of business which will entail the transfer of employees from the transferor to the transferee, the transferor will issue a notice of termination to the employees. This is followed by the transferee’s offer to continue the employment of the employees at terms no less favourable than the previous employment contract.

The EA governs the length of time of the notice of termination:

  • less than two years of employment, a minimum four weeks’ notice;
  • within two to five years of employment, a minimum six weeks’ notice; and
  • more than five years of employment, a minimum eight weeks’ notice.

Once the notice of termination has been issued, the transferee may, within seven days of the change of ownership, make an employment offer to the employees under the same employment terms or terms that are not less favourable (r. 8(1) of the Employment (Termination and Lay-Off Benefits) Regulations 1980).

In the event the transferee does not make an offer within seven days of the change of ownership, the employment contract with the transferor is deemed terminated and the transferor will be liable for the payment of termination benefits to the employees.

However, if the transferee does make an offer and the offer is accepted, the process of transfer of employees is completed and the transferor will be absolved from any liability against the employees. The change of employer from transferor to transferee will be deemed as a continuing employment and will not constitute a break in the continuity of period of his employment.

The employee may also refuse the offer by the transferee. In such a situation and if reasonable grounds are canvassed by the employee, the transferor may be liable to pay the termination benefits. 

There are no general terms or standard contracts governing the transfer of assets in outsourcing agreements in Malaysia. Such terms are entirely transaction specific and thus will be a matter for negotiation.

With that being said, Malaysian law imposes formality requirements in the transfer of certain assets; for example, the following.

  • Premise/Land – transfer of any alienated land shall be effected by an instrument in Form 14A of the National Land Code 1965 (“Memorandum of Transfer”). A stamp duty is imposed on the Memorandum of Transfer and the rate of chargeable stamp duty will depend on the value of the premise/land as prescribed under the Stamp Act 1949. Subsequently the Memorandum of Transfer will need to be registered in the Land Office.
  • IP Rights – transfer and assignment of intellectual property rights such as trade marks, copyright, industrial design, patents and utility innovation would generally require the assignor and assignee to complete and execute the prescribed forms under the relevant statute or subsidiary legislation, supported by a written deed of assignment.

Movable property and other assets are not generally subjected to any formalities but a written agreement is advisable for clarity and evidential purposes.

Gan Partnership

D-32-02, Menara SUEZCAP 1
KL Gateway, 2
Jalan Kerinchi
59200 Kuala Lumpur

+603 7931 8668

+603 7931 8063

zhijian@ganlaw.my www.ganlaw.my