0		CTOS-bashing:, Where's, beef?

UPDATED VERSION. Why did the authority, and by extension, editors at the mainstream newspapers, bark up the tree at CTOS and want it punished, strangled is possible?

Regarded as the successful Malaysian version of Dun & Bradstreet, did CTOS contravene the Banking and Financial Institutions Act (BAFIA) 1989?

When it comes to credit check on loan applicants, why do the financial institutions (FIs) licensed by Bank Negara favour and rely more on the CTOS database rather than the one maintained by Bank Negara, the Central Credit Information System (CCRIS)?

The answer is simple. The banks wanted stringent background checks on their customers in order to mitigate credit risks.

The flip side of the answer tells us that, on hind sight, CTOS was far-sighted in its business acumen by having started way back in 1988. It has reportedly accumulated more than 13 million entries in its database. In comparison, Bank Negara's CCRIS has just two million entries.

The choice for the banks and FIs -- precisely people who deal with money and optimise profits -- is obvious. They would go for a service that gives them more value for the money. Period.

However, thus far, nobody from Putrajaya to our mainstream media has the right brain to ask the pertinent question: Which was the party that holds the last say to deny a loan applicant? It's the banks and the licensed FIs.

Admittedly, it's fundamentally a different issue if you fault CTOS for its business ethics, and on how it collates database for sale, and there are ample laws to deal with it.

CTOS and the banks

Legally, CTOS is a service provider that aggregates credit information of a huge number of people, turning it into a compelling service that the banks and FIs can't decline.

It's a case of willing buyer of service (on the port of the FIs) and willing seller of the relevant information (CTOS), for an agreed fee. This practice is permissible in laisser faire.

Subsequently, it's the banks and the FIs which decide whose loan applications to reject, and whose loans to approve.

Once this basic business relationship is understood, the sinister shall surface: Why didn't the authority go after the banks and FIs but to snarl at a bona fide information service provider?

The proof is revealed when the Companies Commission of Malaysia (CCM) took swift action to charge CTOS for 85 offences. Blatantly, CTOS was not charged for contravening any laws related to banking and Bank Negara. CTOS was merely charged on technicalities under the Companies Act 1965.

So, the questions that remained unanswered, and the editors failed to dissect, are that: ( 1 ) What sort of credit search information had had caused the bank customers to have their loan applications rejected -- if CTOS database isn't the sole information source that precipitates in such a situation? ( 2 ) Why was the bank customers' personal data compromised to such a grave extent that these people became absolutely not credit-worthy in the eyes of the banks?

The key phrase is obviously Personal Data.

A big piece of joke

July 6, The Finance Ministry was compelled to announce some interim measures following a Cabinet directive two days earlier. One of such 'handyplast' measures is that banks must now obtain a borrower’s permission before they can acquire information on the person’s financial history from companies which supply credit information.

Banks must now obtain a borrower’s permission before they can acquire information on the person’s financial history from companies which supply credit information.

“The Government is very concerned about the individual’s right over his or her personal particulars and the importance of providing accurate and up-to-date information to the clients,” the ministry said as quoted by The Star.

Again, the key phrase is Personal Data.

Today, Deputy Minister of Finance II Awang Adek Hussin told the Parliament that a new law will be drafted to protect private information, in particular financial transactions.

Awang also announced that a commission will be created, which will be led by the Finance Ministry and managed by Bank Negara. It will also involve other relevant ministries.

This Awang is a huge comedy.

In the digital age, Personal Data Protection is not restricted to financial and banking matters. It also involves privacy issues related to one's medical records and mobility-based digital lifestyle options linked to real-time, networked databases.

How would Awang Adek justify privacy and personal medical data and mobile multimedia accounts with international roaming coming under the purview of Bank negara?

There was indeed a Personal Data Protection Bill ready for the second reading at the Parliament as early as 2001.

Web download: Personal Data Protection Bill 2000

Admittedly, I only first looked into the issue of Personal Data Protection (PDP) bill way back in 2002, after it was about to be derailed and ultimately aborted! Then, the custodian of the Bill was the Minister of Energy, Communications and Multimedia, Leo Moggie.

Looking back, there is a serious dragging of feet on the part of the Government in the last five years. Whose interest is the Government protecting by delaying the reading of the bills in the Parliament?

The trading of customers’ personal data is not limited to the Financial Institutions (FIs) licensed by Bank Negara.

It’s a well-known fact that there is an industry pact where a database of defaulters is being maintained and shared among the mobile operators.

This is a database derived from the personal information volunteered by the post-paid mobile phone customers when they first signed up with the respective service providers. It is believed that the “churn rate” is high among the habitual defaulters who migrate from one operator to another, leaving behind piles of unpaid bills. A few years ago, the mobile operators got together to share this defaulters’ database to bar the blacklisted customers from signing with another operator after defaulting the previous one. This shared database has remained in use ever since.

However, in most cases, customers’ consent was not obtained before their personal data was being shared across networks. The customers originally proffered their personal data to facilitate customer identification and billing. Once this boundary is crossed, it could be argued as a unilateral breach of service contract on the part of the database custodian as the protection for the customers’ personal data has been rendered effectively non-existent.