A bank in Singapore has a contractual duty of confidentiality as implied from the banker and customer relationship while a statutory duty of confidentiality is imposed by section 47 of the Banking Act.
This article will focus mainly on banking secrecy as governed by the Act and include a short discussion of the unsatisfactory position of banking secrecy in Singapore due to the differences between the common law duty of confidentiality and section 47 of the Act.
Section 47 of the Act provides that customer information shall not, in any way, be disclosed by a bank (holding a valid banking licence in Singapore or the branches and offices located within Singapore of such a bank incorporated outside Singapore) or its officers to any other person except as expressly provided in the Act.
The exceptions are elaborated on in the Third Schedule of the Act. A bank may choose to provide a higher degree of confidentiality to a customer under section 47(8) of the Act but these exceptions ensure that by law, all banks will provide a basic level of confidentiality to all its customers.
Scope of information subject to secrecy
Customer information in relation to a bank is defined in section 40A of the Act to mean:
- any information relating to, or any particulars of, an account of a customer of the bank, whether the account is in respect of a loan, investment or any other type of transaction, but does not include any information that is not referable to any named customer or group of named customers; or
- any information relating to:
- any deposit of a customer of the bank;
- any funds or assets of a customer (whether of the bank or any financial institution) placed with that bank for the purpose of management or investment; or
- any safe deposit box maintained by, or any safe custody arrangements made by a customer with the bank,
but does not include any information that is not referable to any named person or group of named persons.
In 2001, the previous section 47 was repealed and re-enacted by the Banking (Amendment) Act 2001.
Under the previous regime, banks were hindered from taking advantage of potential operational benefits and savings.
For example, banks encountered difficulty in securitising mortgage loans or outsourcing data processing to third parties.
Now the new section 47 provides for a wider set of exceptions under which banks can disclose customer information, and the terms of such disclosure.
The new exceptions are covered by the Third Schedule and these include disclosure of credit information in the transfer and sale of credit facilities (for example, asset securitisation) and the disclosure of customer information to a bank’s head office for risk management purposes.
Thus a newly improved balance has been struck between the operational requirements of banks and the need to preserve customer confidentiality.
The exceptions to section 47 are set out in the Third Schedule of the Act, and are divided into two parts, Part I and Part II.
Each exception may also be subject to specific restrictions such as to whom the information may be disclosed, and the scope of such information that may be disclosed.
Where disclosure of customer information is made pursuant to an exception in Part I of the Third Schedule, the recipient of the information is not prohibited from further disclosing the information to any other person.
Clause 1 in Part I of the Third Schedule allows customer information to be disclosed where such disclosure is permitted in writing by the customer, or if he is deceased, his appointed personal representative.
The general exceptions under common law of implied consent no longer applies in light of the Act.
Apart from disclosure by obtaining a customer’s written consent, a bank is allowed under Part I of the Third Schedule to make disclosure in a large number of situations without the customer’s consent.
For example, a bank may make disclosure when it is involved in legal proceedings related to the customer’s affairs; in litigation proceedings involving its customer; when compelled to do so under the law; in matters involving the bank’s administration or regulation.
However, where the disclosure of customer information is made pursuant to an exception in Part II of the Third Schedule, the recipient of the information is prohibited from further disclosing the customer information to any other person, except as authorised under the Third Schedule or if required to do so by order of the court.
This obligation continues even after termination of the recipient’s appointment, employment or other office in which the information was received.
Additional situations under Part II of the Third Schedule allows customer information to be disclosed in connection with the acquisition or merger of the bank; for the purpose of outsourcing the bank’s operational functions where such disclosure is made to any person, including the head office of the bank or any branch outside Singapore, which is engaged by the bank to perform the outsourced functions.
If any outsourced function is to be performed outside Singapore, the bank must comply with the MAS Notice to Banks entitled “Banking Secrecy – Conditions for Outsourcing” (MAS 634).
MAS 634 requires banks, inter alia, to notify the MAS of all outsourcing arrangements involving the disclosure of customer information upon entering into the relevant outsourcing agreement.
Additionally, a bank may also provide information on a customer’s creditworthiness in connection with a bona fide commercial transaction; make disclosure to the credit bureau to assess a customer’s credit worthiness; and provide certain information in connection with the promotion of financial products and services made available in Singapore by other financial institutions.
Even though the exceptions in the situations above protect the Bank from criminal prosecution, the bank may still be obliged to uphold its contractual duty of confidentiality and may still be liable for breach of its common law liability for negligent misrepresentation or defamation.
Liability for breach of section 47 of the Act
There are criminal liabilities for breach of the banking secrecy provisions in the Act.
A bank officer who is in breach of section 47 is liable to a fine not exceeding S$125,000 or a term of imprisonment not exceeding three years or to both fine and imprisonment, and for the bank a fine, not exceeding S$250,000.
Further, section 20 allows MAS to revoke a bank’s licence if it is satisfied that the bank is contravening the provisions of the Act or the bank or any of its directors or officers holding a managerial or executive position have been convicted of any offence under the Act.
Unsatisfactory position in Singapore
Due to the presence of section 47, a vexed question pertaining to a banker’s duty of confidentiality arises in Singapore.
Is a banker’s contractual duty of confidentiality to be found in section 47 or is the duty implied from the banker and customer relationship?
The seminal case of Susilawati v. American Express Bank Ltd  2 SLR 737 sought to answer this question.
The Court of Appeal held that a banker’s contractual duty of confidentiality in Singapore is governed exclusively by section 47 and the general common law exceptions do not apply.
As the four common law exceptions expounded in Tournier v. National Provincial and Union Bank of England  1 KB 461 have already been embraced within the framework of section 47, there was no room for the implied common law duty of confidentiality to operate.
As stated in Poh Chu Chai, Banking Law, this approach taken by the Court of Appeal appears unsatisfactory.
First, the approach seems to suggest that section 47 is supposed to legislate on a banker’s contractual duty of confidentiality.
However this ignores the fundamental distinction between a bank’s contractual duty of confidentiality and its statutory obligation of secrecy under section 47.
This is especially since Parliament has recognised that section 47 is only the basic standard of confidentiality that banks have to adhere to.
Banks can set higher standards of confidentiality by reaching their own contractual arrangements if they so wish pursuant to section 47(8) of the Act.
Second, it would seem drastic to treat section 47 as the sole provision governing a bank’s contractual duty of confidentiality.
After all, section 47 does not provide a bank’s customer with contractual or civil remedy against the bank for breach of the provision.
Thus applying the Court of Appeal’s approach might unwittingly result in a much lower standard of confidentiality as compared to the common law position.
The Third Schedule allows a bank to disclose customer information in many situations without obtaining the customer’s consent, whereas the common law does not.
For example, under the Third Schedule, a bank may provide information on a customer’s credit-worthiness to a third party without the customer’s consent in connection with a bona fide commercial transaction.
However in Turner v. Royal Bank of Scotland Plc.  2 All E.R. (Comm.) 664 the English Court of Appeal held that such disclosure to other banks constituted a breach of the bank’s contractual duty of confidentiality.
While the new legislation helps improve the balance between operational requirements of banks and customer confidentiality, concerns such as the interaction between the bank’s contractual and statutory duties, and the lack of a remedy for customers still exist.
Further, with the much wider set of circumstances under which banks can disclose customer information, bank customers may be surprised to find that their confidential information could be disclosed without their consent.
For the best interest of their customers, it is pertinent for banks to seek the customer’s express written consent for disclosure in specific circumstances and continue to remain cautious when disclosing customer information.