Malaysia is an attractive market for e-commerce in Southeast Asia, with a dynamic economy, government incentives for digital technologies, and a sizeable young population. According to Nadarashnaraj Sargunaraj, Partner at Zaid Ibrahim & Co.,
“e-commerce activities have proven this point, particularly in this covid pandemic. There is no omnibus law governing e-commerce in Malaysia, which means that e-commerce businesses must be aware of the regulatory requirements that should apply to their operations, as well as product liability, consumer protection as well as data protection.”
Governing legislation/ framework
There is no single/omnibus legislation on E-commerce activities in Malaysia. The laws that would apply include those on consumer protection, sale of goods and services, trade description and personal data protection.
E-commerce generally comes under the purview of the Ministry of Domestic Trade and Consumer Affairs (“MDTCA”).
Licensing & market entry requirements
The MDTCA regulates wholesale and retail trade, and services which are not regulated by other regulatory authorities in Malaysia (“Unregulated Services”). The MDTCA has published Guidelines on Foreign Participation in the Distributive Trade Services in Malaysia (“Guidelines”) which regulate foreign participation in the distributive trade sector in Malaysia. Companies with 50% or more foreign equity and intending to participate in the distributive trade sector or the Unregulated Services sector are required to obtain the approval of the MDTCA.
Foreign equity restrictions
Please note our response above.
Payment solutions, foreign exchange administration and merchant acquiring services
- Payment solutions: The payment solutions space is vibrant and dynamic with numerous e-wallet and e-money players offering a variety of services to consumers. In February 2021, the Government also announced under the MyDigital blueprint (see response below) that it will go cashless by 2022 where all ministries and government agencies will adopt cashless payment solutions as the preferred payment option for government services.
- Foreign exchange administration: The Central Bank of Malaysia (“Central Bank”) has issued several foreign exchange notices (“FX Notices”), which permit certain transactions which would otherwise be prohibited under the Financial Services Act 2013 (“FSA”). This which comes under the purview of the Central Bank. The FX Notice permits a resident to make payment in ringgit to a non-resident in Malaysia. A non-resident however is not allowed to receive payment in ringgit outside of Malaysia.
- Merchant acquiring services: The FSA defines “merchant acquiring services” as “the business of an operator of a payment system (ie any system or arrangement for the transfer, clearing or settlement of funds or securities) that enters into a contract with a merchant for the purpose of accepting payment instruments for the payment of goods or services.” Persons who carry on merchant acquiring services in Malaysia must be registered under the FSA.
The Consumer Protection Act 1999 (“CPA”) provides for the protection of consumers in Malaysia. It applies in respect of all goods and services that are offered or supplied to one or more consumers in trade including any trade transaction conducted through electronic means. The CPA sets out mandatory statutory requirements including implied guarantees on the supply of goods and services, the consumer’s right of redress against suppliers and manufacturers, prohibition against unsafe goods, liability for defective product and prohibition against unfair contract terms with consumers.
The Personal Data Protection Act 2010 (“PDPA”) would apply to the processing of personal data (defined to cover personally identifiable information) by merchants or the E-commerce platform.
A data user (a term referring to data controllers under the EU GDPR) must comply with 7 processing principles including the General Principle and Notice & Choice Principle.
The processing principles are generally consent-based. Data can be used for analytics for marketing and advertising provided that the data user obtains consent (there are exceptions to consent which may apply depending on the circumstances) and clearly provides for this in the privacy notice.
In addition, the Notice & Choice Principle requires a privacy notice to be provided to data subjects providing 8 mandatory matters on the processing, including processing purpose and third party disclosures. The privacy notice must be provided in both English and Bahasa Malaysia.
The MDTCA enforces the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (“Regulations”) – subsidiary legislation under the Consumer Protection Act 1999. The Regulations prescribe the mandatory information that must be displayed on the website by online sellers. The Regulations state that any person who operates a business for the purpose of supply of goods or services through a website or on an online marketplace must disclose the following information on the website or online marketplace. Failure to comply with this requirement is punishable as a criminal offence:
- name of the company or the business or person operating the business and registration number of the business or company;
- the e-mail address and telephone number, or address of the person operating the business;
- a description of the main characteristics of the goods or services;
- the full price of the goods or services including transportation costs, taxes and any other costs (the Regulation does not state that the price must be in Ringgit Malaysia);
- the method of payment;
- the terms and conditions; and
- the estimated time of delivery of the goods or services to the buyer.
An “online market place” is defined as a website where goods or services are marketed by third parties for the purpose of trade.
For more information about e-commerce across ASEAN, download the comparative guide, ASEAN Insiders: Electronic Commerce in ASEAN.