By: Sonny Zulhuda
Much have been said and written in the past two days regarding the passing of the Personal Data Protection (PDP) Act by the Dewan Rakyat on Monday this week. Of those hypes and hits, the name CTOS has been among the top, even days and months before the lawmakers finally okays the law.
Not less than parliament members from both sides (ruling and oppositions) as well as the Minister in charge of the law had indicated that with the birth of this Act, people’s suffering and distress due to the alleged misuse of their data by credit reporting agencies (also known as credit rating agency), such as CTOS (Credit Tip-Off Service Sdn Bhd) will see the end.
So happy ending, or is it? I do not think so. And I think this is a mistake, which is unfortunately echoed by the press and media.
This is a misunderstanding, because as a matter of fact, the PDP Act as it is enacted and passed, excludes from its application the credit reporting agencies (CRA).
But don’t jump to the conclusion yet, because by excluding the CRA’s from its application, the authorities plan to have ANOTHER law that deals with the personal data protection that specifically relates to CRA. The draft bill is already table for first reading last year, and it would be tabled again soon. [A note on this draft law was provided by Prof. Abu Bakar Munir from Law Faculty, University of Malaya (UM). An international perspective on this can be found in a New York Law Journal article by Sack & Juris, here>
Let me share with you the quotes from the PDP Act that explains that:
Section 2 on the Application of the Act:
2. (1) This Act applies to—
(a) any person who processes; and
(b) any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
The meaning of “commercial transactions” under section 4 of the Act:
“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009.
The meaning of “personal data” under section 4 of the Act:
“personal data” means any information in respect of commercial transactions, which—
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009 [emphasis added].
The meaning of “credit reporting agency” under section 4 of the Act:
“credit reporting agency” has the meaning assigned to it in the Credit Reporting Agencies Act 2009 [Act ___ ].
CTOS is one of the source for financial institution to check credit of loan applicants, without it very difficult to confirm the applicants affordability to pay debt.
I agree, but the business should not be done at the expense of other people. After all, now we have the CRA that will put the balance between the industry needs and individual rights.
There are differences between Credit Reporting Agencies and Credit Rating Agencies. Credit Rating Agencies (or widely known as CRA) in the financial world are rating agencies such as S&P, Moody’s, and Fitch. Locally or domestically there are RAM and MARC. Both these local or domestic CRAs are governed by the SC Guidelines on Registration of Credit Rating Agencies dated 30 March 2011. The SC Guidelines “derive” its authority from the Capital Market Services Act (CMSA).
Domestically, CRAs are mandated by their clients to conduct a credit rating on them (clients). The rating process is lengthy and takes anything from 4 to 6 weeks. Information are provided by clients and several layers of check and balance are put in place to ensure no single individual could decide on the “assigned” rating.
I think it is not accurate to refer CRA as Credit Reporting Agencies. Rather CRA should be use to refer to Credit Rating Agencies.