Intellectual property and data protection

Fintech business models and related software can be protected by various intellectual property rights, namely, copyright and patent. Alternatively, protection as confidential information under the common law in Malaysia is also available, depending on the nature of the business model. Software is generally protected by copyright under the Copyright Act 1987, with no requirement for registration. There is likewise no system of registration for confidential information – business models and software can be protected if they are confidential in nature, are disclosed in circumstances importing confidentiality, and there is an actual or anticipated unauthorised use or disclosure of the information.

Patent protection is available for new inventive steps involving industrially applicable products and processes. In short, it provides a wider range of protection than copyright as it protects the idea or concept rather than just the work (e.g., source code for software) – hence, business models would likely gain patent protection by filing a patent application.

If an employee develops an original work during his or her term of employment, the default rule is that ownership of the copyright vests in the employer. Alternatively, if a contractor develops an original work, the default rule is that the contractor continues to own the original work. However, it is common for employees and contractors to be bound by written contractual obligations that specify ownership of the intellectual property they develop, and these default rules may be overridden. Compensation, if any, owed to the author of the copyright work would also depend on the nature of the relationship or the agreements entered into between the parties. Fintech companies should ensure that their employees and contractors enter into agreements specifying the rules on ownership of intellectual property.

The PDPA 2010, which is enforced by the Commissioner, is based on a set of data protection principles similar to the European Union principles and is often described as European-style privacy law. The PDPA 2010 would apply to fintech companies as it provides for the protection of personal data (i.e., client data) in relation to all commercial transactions. A failure to comply with the PDPA 2010 would lead to possible fines or imprisonment.

Apart from the seven principles set out in the PDPA 2010, there are no rules that apply specifically to digital profiling of clients. A data subject must consent to the processing of the personal data unless the processing is necessary for specific exempted purposes. Although the PDPA 2010 does not define or prescribe any formalities in terms of consent, the Regulations provide that the data user must keep a record of consents from data subjects and that the Commissioner or an inspection officer may require production of the record of consents.

Also, financial institutions in Malaysia are subject to secrecy rules in relation to customer affairs or account information as per Section 133 of the FSA 2013.