Resources
Welcome to our knowledge base of research that demonstrates our understanding of complex business challenges faced by companies around the world.
Featured highlights
New Regulatory Framework for Consumer Credit Industry Now in Effect
The Consumer Credit Commission (Suruhanjaya Kredit Pengguna, "SKP") has today, 5 June 2026, issued its Authorisation Standards (Version 1.0) pursuant to section 123 of the Consumer Credit Act 2025 ("CCA"). The Standards take immediate effect and establish the licensing and registration framework for entities carrying on credit businesses and credit service businesses in Malaysia.
Who is affected?
The Standards apply to entities carrying on or intending to carry on the following regulated activities:
- Credit business (requiring a licence): buy now pay later schemes, factoring, and leasing, including their Islamic equivalents.
- Credit service business (requiring registration): impaired loan or financing acquisition, debt collection, and debt counselling and management.
Entities already engaged in these activities, as well as new entrants to the market, must familiarise themselves with the authorisation criteria and ensure compliance.
Key requirements at a glance
The Standards prescribe minimum financial thresholds of RM2 million in shareholders' funds or total equity for credit businesses, and RM500,000 (or RM250,000 with professional indemnity insurance of RM250,000) for credit service businesses. Applicants must be companies incorporated in Malaysia under the Companies Act 2016 and must demonstrate organisational competence, sound business management, and the fitness and propriety of their key persons, including controllers, directors, and senior management.
All applications must be submitted via SKP's new digital regulatory platform, the Consumer Credit Commission Online Regulatory System ("CORE System"), together with the prescribed processing fee of RM2,000 per type of business.
Islamic credit business
The Standards include dedicated provisions for Islamic credit providers, who may operate either as full-fledged Islamic entities or through an Islamic window model. Key obligations include end-to-end Shariah compliance, establishment of an Islamic Credit Business Fund for window operators, prohibition on commingling of Islamic and conventional funds, and the appointment of a qualified Shariah adviser or Shariah committee.
Post-authorisation obligations
Authorised entities face ongoing compliance obligations, including periodic data submissions to SKP (annual audited financial statements, quarterly operational data, and monthly complaints data), notification requirements within 14 calendar days of specified events, and the obligation to submit credit consumer data to a credit reporting agency within 12 months of authorisation. Prior approval from SKP is required for matters such as changes in control, appointment of the chief executive, and addition of new business types.
Fees
Inaugural authorisation fees are RM8,000 per licence (credit business) and RM5,000 per registration (credit service business), with a 50% reduction for approvals granted in the second half of the calendar year. Annual fees are tiered by revenue, ranging from RM8,000 to RM100,000 for credit businesses and RM5,000 to RM50,000 for credit service businesses.
Entities not serving credit consumers
Entities carrying on a credit business or credit service business that does not involve credit consumers are not subject to the licensing or registration requirement. However, they must submit an annual declaration to SKP under section 79(2) of the CCA confirming their noninvolvement with credit consumers.
What should affected entities do now?
Entities currently carrying on or planning to carry on any of the regulated activities should review the Authorisation Standards in full, assess their readiness against the authorisation criteria, and take steps to prepare their applications via the CORE System. Particular attention should be given to ensuring that key persons meet the fit and proper criteria and that the requisite policies, procedures, and financial resources are in place.
We are available to assist clients in navigating the new framework, including advising on authorisation applications, corporate structuring, Shariah governance arrangements, and ongoing compliance obligations.
The full text of the Authorisation Standards is available on SKP's website at www.skp.gov.my.
If you have any questions or require any additional information, please contact Sharifah Shafika Alsagoff or the partner you usually deal with in Zaid Ibrahim & Co
This alert is for general information only and is not a substitute for legal advice.
Malaysia's Consumer Credit Commission Issues Authorisation Standards
The Personal Data Protection Commissioner’s Office (“JPDP”) has issued three new non-binding guidelines under the Personal Data Protection Act 2010 (“PDPA”): Data Protection by Design, Data Protection Impact Assessment, and Automated Decision-Making and Profiling. Together, they advance Malaysia’s data protection framework from reactive compliance to proactive, risk-based governance aligned with global standards.
Data Protection by Design
The DPbD Guideline requires embedding personal data protection throughout the data processing lifecycle—from design to decommissioning. It is structured around proactiveness, end-to-end protection, transparency, and user-centricity, applying these across the seven Personal Data Protection Principles. The DPbD Guideline encourages a risk-based approach tailored to each organisation’s processing activities.
Data Protection Impact Assessment
The DPIA Guideline provides guidance on identifying, assessing, and managing risks in personal data processing. A DPIA is required where processing is likely to result in high risk—determined quantitatively (more than 20,000 data subjects, or 10,000 data subjects where sensitive personal data (including financial data) is involved) or qualitatively (potential legal or significant effects on the data subject, systematic monitoring of the data subject, use of innovative technologies, denial or restriction of the data subject’s rights, tracking of the data subject’s location or behaviour, targeting of children or vulnerable individuals, and automated decision-making and profiling that present a high risk to the data subject). The Guideline prescribes the five-step “DEICA” methodology (Describe, Evaluate, Identify, Consider, Assess) and requires that DPIAs be refreshed every two years.
Automated Decision-Making and Profiling
The ADMP Guideline addresses automated systems used in personal data processing, despite the PDPA not containing specific provisions on such activities. It applies where outcomes may have legal or significant effects on data subjects (e.g., financial, employment, or service access decisions). Compliance with the Notice and Choice Principle is required, preserving the data subject’s right to withdraw consent. Notably, AI must not be the sole factor in decisions concerning data subjects, and the use of ADMP itself triggers the requirement for a DPIA.
JPDP’s power to issue guidelines
The PDPA confers on JPDP functions that include issuing guidance. Each of the three documents—the DPbD, DPIA and ADMP Guidelines—expressly records that it is issued by JPDP pursuant to subsection 48(g) of PDPA. They supplement the Act and related subsidiary instruments and are not intended to override them or to be prescriptive.
Are the Guidelines binding or legally effective?
The DPbD, DPIA and ADMP Guidelines provide guidance and promote good practice; they expressly state that they supplement and do not override the Act or subsidiary legislation. A failure to follow a Guideline does not, by itself, constitute an offence unless such non-compliance triggers a breach of the PDPA or subsidiary legislation.
Conclusion
Taken together, these guidelines form a cohesive framework reinforcing the obligations of data controllers and processors under the PDPA. The DPbD Guideline embeds privacy at the design stage, the DPIA Guideline ensures high-risk processing is rigorously assessed, and the ADMP Guideline addresses the particular challenges of automated technologies and AI.
If you have any questions or require any additional information, please contact Nadarashnaraj Sargunaraj or the partner you usually deal with in Zaid Ibrahim & Co. This alert was prepared with the assistance of Hana Wong Xin Yi, Associate in Zaid Ibrahim & Co.
This alert is for general information only and is not a substitute for legal advice.
Design. Assess. Automate—Safely: Malaysia’s New PDPA Guidelines at a Glance
This note highlights key bank secrecy obligations under Malaysian law, including guidance on disclosure of customer data and compliance with the Personal Data Protection Act 2010.
Reproduced from Practical Law with the permission of the publishers. For further information, visit practicallaw.com.
Practical Law Global - Practice Note Bank Secrecy Laws (Malaysia)
In this chapter, we take a closer look at Malaysia’s competition law framework on cartels — covering key legal principles, investigative powers, and notable enforcement developments over the past 12 months.
This article was first published in GLI – Cartels 2026 by Global Legal Group.
Global Legal Insights - Cartels 2026
Zaid Ibrahim & Co contributed to the Lexology Panoramic: Private Equity 2026 (Fund Formation)Malaysia.
Authored by Chief Operating Officer, Chua Wei Min, Partner, Geraldine Oh and Partner (Tax) Kellie Allison Yap, the article offers a detailed overview of essential information regarding Malaysia’s private equity fund formation regime whether through the use of Malaysia vehicles of a Sdn Bhd, LLP or Labuan entities of an LP, LLP. Each with its own pros and cons.
The guide explores, among other, formation, regulation, licensing and registration requirements (CMSL/PEMC), taxation, selling restrictions and investors generally and finally, updates and trends in the vibrant VC/PE space in the last year with a continued forward momentum in 2026.
Read the full article here.
Lexology Panoramic: Private Equity 2026 (Fund Formation) Malaysia
Zaid Ibrahim & Co contributed to the Lexology Panoramic: Private Equity 2026 (Transactions) Malaysia.
Authored by Chief Operating Officer, Chua Wei Min, Partner, Muhammad Zukhairi Muhammed Salehudin and Associate, Teng Yee Von, the article offers a detailed overview of things to know regarding Malaysia’s private equity transactions.
The guide explores, among other, transactions formalities, rules and practical considerations, debt financing, shareholders' agreement and more.
Read the full article here.
Lexology Panoramic: Private Equity 2026 (Transactions) Malaysia
Intellectual Property (“IP”) risks are often overlooked during a due diligence exercise on a company in a potential transaction. Parties involved in the transaction may treat IP as a mere checkbox when assessing the company. However, the impact of IP on a company’s risk profile should not be underestimated.
In many modern businesses, particularly those operating in technology, manufacturing, brand-driven or content-based sectors, IP constitutes a core component of the business. A superficial review of IP assets may therefore result in significant blind spots that only emerge after completion of the due diligence exercise.
From a risk management perspective, IP due diligence should not be treated as a mere formality. It should be approached as a substantive exercise designed to identify legal, commercial and operational risks.
There are several issues that legal practitioners should consider when conducting due diligence on a company’s IP assets.
(1) Evaluation of IP Assets
It is often assumed that IP risks can be adequately addressed by verifying a list of registered assets (such as trademarks, patents or industrial designs) and confirming that they are recorded in the target company’s name. While this is an important starting point, it is rarely sufficient on its own.
Many valuable IP assets are not registrable or remain unregistered by their nature. Confidential information, trade secrets, know-how, software source code, algorithms and business plans are examples of IP that do not appear on public registers. Protection of these assets depends largely on contractual controls, internal policies and employee discipline. Where due diligence focuses only on registered IP, unregistered IP assets are often overlooked or poorly documented. This increases the risk of misuse or leakage, particularly where contractual protections or internal safeguards are weak or absent.
These risks can be mitigated by confirming that employees, contractors and vendors have entered into agreements that clearly assign IP to the company and impose appropriate confidentiality obligations. Where such protections are missing or unclear, companies should implement updated agreements, obtain confirmatory assignments where necessary and restrict access to sensitive information, such as source code or technical know-how.
Where a company holds registered IP assets, registration alone does not guarantee that such assets are enforceable or aligned with the business's actual operations. For instance, trademarks may be registered in classes of goods or services that do not reflect actual use, potentially exposing the company to non-use cancellation actions in court or limiting enforcement options. Further, information recorded in public IP registers should not be accepted at face value. In practice, IP assets may have been assigned or licensed by the company without the relevant changes being recorded, creating discrepancies between the legal position on record and the company’s actual rights of ownership or control.
These risks can be addressed by verifying internal IP records against the information recorded in public registries. Where there are inconsistencies, corrective measures should be taken to ensure that the registers accurately reflect the company’s registered IP assets. This exercise should be supported by a review of any agreement with third parties that affect ownership or use of the IP, including assignments or licences. Ultimately, effective IP due diligence should confirm whether the company truly owns and controls the IP assets in its portfolio.
(2) Reliance on Open-Source Materials
In the course of conducting IP due diligence, it is important to identify whether the company relies on open-source software or components in its business operations or in the creation of new IP assets. Open-source materials are commonly used, particularly by small and medium enterprises and startups to manage and reduce operational costs. However, the use of open-source materials can carry legal and commercial implications if not properly managed. Certain open-source licences impose conditions on how software or components may be used, modified or distributed and, in some cases, may require the disclosure of source code or restrict the company’s ability to commercialise proprietary developments.
Due diligence should identify which open-source materials are used, the applicable licence terms and whether the company’s actual use complies with those terms. Failure to do so may create compliance issues that disrupt business operations and undermine the company’s long-term ability to develop, commercialise and benefit from its IP. Where higher-risk licences are identified, early action should be taken to adjust the company’s development practices and safeguard proprietary IP.
(3) Infringement and Third Party Risk Exposure
The target company should be assessed for potential exposure to IP infringement claims by third parties. The absence of ongoing litigation does not necessarily indicate a low-risk profile, as potential infringement issues may exist without having been challenged or detected. In many cases, such issues remain dormant because the company’s business has not yet attracted attention from competitors or other rights holders.
Infringement risk often arises in competitive markets where branding, software, product designs or marketing materials are adopted quickly without formal clearance. Therefore, it is prudent to check whether the company has procedures in place to review and clear the use of IP belonging to third parties for the company’s business activities. The absence of such controls increases the likelihood of inadvertent infringement, which may only surface at a later stage.
To mitigate the risk of IP infringement, it is advisable for companies to involve their legal department or external lawyers in the review and clearance process on a regular basis. This ensures that any decision to use a particular third-party IP right is based on legal reasoning rather than personal discretion. Early legal oversight can help identify potential issues before they escalate into disputes or disrupt the transaction.
Conclusion
IP due diligence warrants the same level of attention and rigour as financial or regulatory review. A due diligence exercise is only complete when IP risks are properly identified, understood and assessed in their commercial context. In practice, due diligence is often led by teams with strong corporate expertise but limited focus on IP. As a result, material IP issues may be overlooked or under-analysed. Involving IP specialists at an early stage is therefore essential to ensure that the due diligence exercise is robust and that IP risks are addressed before they crystallise into post-completion problems.
This article was originally published at the PRAKTIS website.
Assessment of Intellectual Property Risks in Due Diligence
Introduction
Malaysia has enacted the Cross-Border Insolvency Act 2026 (Act 877) (“Act”), which received Royal Assent on 20 January 2026 and was published in the Gazette on 30 January 2026. The Act will come into operation on a date to be appointed by the Minister charged with responsibility for law by notification in the Gazette.
The Act adopts the principles of the UNCITRAL Model Law on Cross-Border Insolvency dated 30 May1997, representing a significant modernisation of Malaysia's insolvency regime.
Key Objectives
The Act's objectives include fostering cooperation between Malaysian and foreign courts, providing legal certainty for trade and investment, ensuring fair administration of cross-border insolvencies, maximising debtor property value, and facilitating the rescue of financially troubled businesses.
Scope of Application
The Act applies to corporations as defined in the Companies Act 2016 and the Labuan Companies Act 1990, but expressly excludes individuals under the Insolvency Act1967, limited liability partnerships, and registered businesses under various state and federal business licensing statutes.
Notably, the Act contains significant carve-outs for regulated financial institutions. It does not apply to licensed financial institutions, Islamic financial institutions, development financial institutions, member institutions under the Malaysia Deposit Insurance Corporation Act 2011, stock exchanges, derivatives exchanges, clearing houses, central depositories, and various Labuan-licensed entities including Labuan banks, investment banks, insurers, reinsurers, takaful operators, trust companies, and foundations.
Recognition of Foreign Proceedings
The Act defines "foreign proceedings" as collective judicial or administrative proceedings in a foreign State, including interim proceedings, under the law relating to insolvency in which the property and affairs of the debtor are subject to control or supervision by a foreign court, for the purposes of reorganisation or liquidation. This broad definition encompasses a wide range of insolvency-related processes, whether formal court-supervised proceedings or administrative procedures, provided they involve collective creditor participation and supervisory oversight over the debtor's property and affairs. Importantly, interim or provisional proceedings also fall within the definition, enabling foreign representatives to seek recognition even while foreign insolvency proceedings are at an early stage.
A foreign representative may apply directly to the High Court in Malaya or the High Courtin Sabah and Sarawak for recognition of foreign proceedings. Applications for recognition must be accompanied by a certified copy of the decision commencing the foreign proceedings and appointing the foreign representative, or a certificate from the foreign court affirming the existence of the foreign proceedings and the appointment. The High Court is required to determine applications for recognition at the earliest possible time.
Effects of Recognition and Relief
Upon recognition, individual actions concerning the property, rights obligations or liabilities of the debtor is stayed, execution against debtor property is stayed, and the right to dispose of debtor property is suspended. These have the same effect as a winding-up order under Malaysian law.
The Court may also grant discretionary relief upon recognition of any foreign proceedings, including orders staying actions, suspending property disposal rights, directing examination of witnesses, and entrusting property administration to the foreign representative or a Malaysian insolvency office-holder.
Access Rights
Foreign representatives have direct access to Malaysian courts and may appear in person or through an advocate. Foreign creditors have the same rights as Malaysian creditors and cannot be ranked lower than general unsecured creditors solely due to their foreign status, though foreign tax, social security, and superannuation claims may be excluded.
Cooperation with Foreign Courts and Representatives
The Act mandates cooperation between Malaysian courts and insolvency office-holders with their foreign counterparts to the maximum extent possible, including direct communication and information sharing. Cooperation may include coordinating administration of debtor property, implementing agreements on coordination of proceedings, and managing concurrent proceedings.
Concurrent Proceedings
After recognition of foreign main proceedings, Malaysian insolvency proceedings are generally limited to property located in Malaysia. Where concurrent proceedings exist, the Court must ensure consistency between relief granted and Malaysian proceedings and that automatic stays do not apply if foreign main proceedings are recognised after Malaysian proceedings have commenced.
Protection of Creditors and Interested Persons
In granting relief, the Court must ensure adequate protection for creditors (including Malaysian creditors, secured creditors, and hire-purchase parties) and may impose conditions such as requiring security. Transferring property outside Malaysia requires court leave and certification that Malaysian creditors' claims below a prescribed threshold have been satisfied.
Public Policy Exception
The Court retains discretion to refuse any action or relief that would be contrary to the public policy of Malaysia.
Avoidance Actions
Upon recognition of foreign proceedings, a foreign representative has standing to apply to the Court for avoidance actions under relevant provisions of the Companies Act 2016 and the Labuan Companies Act 1990. These include actions relating to preferences, floating charges, and other transactions that may be detrimental to creditors. However, this power does not apply retrospectively to transactions entered into before the Act comes into operation.
Regulatory Restrictions
The Act contains important restrictions where regulatory authorities are involved. Recognition, relief, and cooperation under the Act are not permitted if theywould be prohibited by certain provisions of the Financial Services Act 2013, Islamic Financial Services Act 2013, Malaysia Deposit Insurance Corporation Act 2011, or Capital Markets and Services Act 2007.
The Act also protects the finality of payment and netting arrangements under financial services legislation and the enforceability of netting provisions in qualified financial agreements. Additionally, where regulatory authorities such as Bank Negara Malaysia, the Securities Commission Malaysia, or the Labuan Financial Services Authority have issued specific directions or orders in respect of a person for purposes of financial stability or systemic risk management, recognition and relief under the Act require the prior written approval of the relevant authority.
What This Means for Local Players
Malaysian corporations and insolvency practitioners now have a structured framework for dealing with cross-border insolvencies involving foreign counter parties. Local creditors benefit from explicit statutory protections as the Act mandates that Malaysian courts must ensure their interests are adequately protected before granting relief to foreign representatives, and any transfer of debtor property outside Malaysia requires prior court leave and certification that Malaysian creditors below a prescribed threshold have been satisfied. This offers meaningful safeguards against value leakage in cross-border restructurings.
Malaysian insolvency office-holders are expressly authorised to cooperate and communicate directly with foreign courts and representatives. This legitimises cross-border coordination efforts and should reduce uncertainty when Malaysian proceedings run concurrently with foreign proceedings. However, where concurrent proceedings exist, Malaysian proceedings will generally be limited to assets located in Malaysia, which may constrain the reach of local office-holders in complex group restructurings.
For local financial institutions, the broad carve-outs in the Schedule are significant. Licensed banks, insurers, securities market operators, and other regulated entities remain subject to their sector-specific resolution regimes under the Financial Services Act 2013, Islamic Financial Services Act 2013, and the Malaysia Deposit Insurance Corporation Act 2011, rather than this Act. This preserves regulatory control over systemically important institutions and ensures continuity in how their distress situations are managed.
What This Means for Foreign Investors
Foreign investors and multinational groups with Malaysian subsidiaries or assets now have a clear pathway to seek recognition of foreign insolvency proceedings in Malaysia. The Act grants foreign representatives direct access to the Malaysian High Courts without requiring submission to full local jurisdiction, removing a significant procedural barrier. Applications for recognition must be determined at the earliest possible time.
Once foreign main proceedings are recognised, the Act provides automatic stays on individual creditor actions and executions against the debtor's Malaysian assets, mirroring the effect of a local winding-up order. This is a substantial benefit for foreign insolvency practitioners seeking to preserve asset value and prevent a race to enforcement by local creditors. Foreign representatives may also apply for discretionary relief, including orders entrusting the administration of Malaysian assets to them or examining witnesses and gathering evidence.
Foreign creditors are afforded equal treatment with Malaysian creditors in terms of participation rights and cannot be ranked lower than general unsecured creditors solely by reason of being foreign. However, foreign tax claims, social security claims, and superannuation claims may be excluded from Malaysian proceedings, which investors should factor into recovery expectations.
Critically, cooperation and recognition under the Act may be refused or subject to prior regulatory approval where financial stability concerns are engaged. Foreign investors dealing with Malaysian financial institution counterparties should be aware that the Act's benefits may not extend to situations involving regulated entities or where Bank Negara Malaysia, the Securities Commission, or the Labuan Financial Services Authority has issued specific directions.
Conclusion
The Cross-Border Insolvency Act 2026 aligns Malaysia with international best practices under the UNCITRAL Model Law. Stakeholders should familiarise themselves with the Act and monitor for its commencement date.
Please contact us if you have any questions regarding the Act's implications for your business.
-yellow.webp)