What exactly is meant by fiduciary duty? Fiduciary duty, according to a law dictionary, simply means an individual in whom another has placed the utmost trust and confidence to manage and protect property or money. It stems from the Latin fiducia, meaning "trust," a person (or a business like a bank) who has the power and obligation to act for another (often called the beneficiary) under circumstances which require total trust, good faith and honesty. To ensure the upholding of their fiduciary duty, banks in Malaysia are bound by a solid framework of best practices determined by Bank Negara Malaysia. It’s known as the Banking and Financial Institutions Act, 1989 (BAFIA) wherein lie the terms of reference on how banks and financial institutions shall operate to the highest integrity in their fiduciary duty. Fabiani Azmi still has many questions to ask…

In recent weeks, more attention has been drawn to BAFIA than ever before since PKR Strategy Director Rafizi Ramli was charged in the sessions court on 1 August for violations of the Act. It began on 7 March this year when Rafizi made public, at a news conference, the confidential information of 21 bank accounts belonging to companies and individuals. He did so illegally without the permission of the account holders, the bank or Bank Negara Malaysia (BNM). Police reports were lodged in March and April, and complaints were also filed with both Public Bank Berhad and BNM.

Despite BAFIA being in place to protect the security of bank customers’ information and transactions, there were obviously weaknesses in which the opposition was able to pry, spy or buy. Banks have a fiduciary duty to protect and safeguard the information in their custody and many, like top-class, award-winning Public Bank, even have a client charter and a privacy policy in place to guarantee customers of their fiduciary duty.

What is the promise by Public Bank Berhad to its customers? Its client charter specifically states, “We highly respect and thoroughly appreciate your concerns on the privacy and security of all personal information and financial transactions handled by us. We will employ the tightest security architecture to prevent unauthorised access and ensure your peace of mind concerning all your transactions with us. We will pursue the strongest form of preventive and punitive measures against any party which attempts to compromise your right to transaction security and confidentiality.”

It would appear that Public Bank has failed on these accounts. Notably, it has failed to demonstrate that it “will pursue the strongest form of preventive and punitive measures against any party which attempts to compromise your right to transaction security and confidentiality” for it failed to take action against the main culprit, Rafizi Ramli, who had infiltrated its systems and exposed its customers’ confidential information to journalists. Why Public Bank has yet to take action against Rafizi is puzzling. The strongest punitive measure has just been to investigate the bank clerk. The bank did not even have the chance to fire him. The bank clerk resigned.

If it were not for Rafizi, there would really be no blatant abuse of the bank and BAFIA. Rafizi, with his passion for dramatics, wielded and distributed the documents to chalk up his political points - much to the detriment to the sterling reputation of award-winning Public Bank Berhad. 

So how did a bank clerk gain access?

It is very puzzling that a bank clerk with no access to privileged customer information was able to extract confidential data. There are concerns if serious weaknesses exist. If there are, would our wealth be equally vulnerable to prying hands – stolen at the click of a mouse?

One can only deduce that there are more senior people behind the BAFIA breach than just a mere clerk. Could tellers, officers, managers, branch managers, regional managers, general managers right up to the executive directors have had a hand? Did any of them collude to provide a back door for the bank clerk to pry into the 21 bank accounts? Were there opposition sympathisers from within the bank? Enquiring minds would really like to know. 

The plot can get quite convoluted. Let’s suppose a senior bank official well-connected with the opposition did go into cahoots with Rafizi. He might have given the access password to the bank clerk to print. Having done so, the information is then passed to Rafizi. But because the customer complained of the leak to the bank and BNM, internal audit and security had to investigate. The audit trail would point to the terminal that was used to download the information. CCTV cameras would focus in on the perpetrator. Such evidence cannot be ignored or dismissed. Internal auditors work independently, reporting only to the very top echelons in the bank. Public listed companies like Public Bank Berhad would have their internal auditors report directly to the Board Audit Committee. So the clerk is apprehended and interrogated by the bank and BNM. His handphone is seized. He denies wrongdoing. He says he had no access as he is only a clerk. So the plot must go deeper into how he managed it. Was it really the bank clerk? Or is he just a smoke screen to something more devious?

The bank has confirmed in its Privacy Policy Statement that there is limited employee access. Section 1.3 reads, “The PBB Group maintains stringent procedures authorising only such employees as are strictly relevant or required to access the Customer's information on a need-to-know basis. The PBB Group's employees have been educated on the Customer's right to privacy and confidentiality. Any breach by the employee of the PBB Group's policies would subject the employee to such disciplinary action as the PBB Group may consider appropriate.”

This would certainly suggest that there is obviously someone else senior in the bank that has committed the heinous crime to violate the customers and betray the bank through his privilege and access. It just wasn’t the bank clerk on a solo mission. It just couldn’t be. He had no privileged access.

BNM may have been misled by the bank and even by Rafizi into believing it was just the clerk. In a 14 May news conference organised by the opposition, Rafizi tried to shift blame and public perception on the BAFIA breach to the bank clerk, claiming the bank clerk was the whistleblower. Why only the clerk when he had no access? One needs to ask, is there a lot more going on than BNM initially suspected?

Section 2 of the bank’s Private Policy Statement reads, “In accordance with strict compliance to the Banking and Financial Institutional Act 1989 (BAFIA), and apart from the sharing of information between members of the PBB Group, the PBB Group will not disclose the Customer's information to any third party or external organisations.”

BNM governor Tan Sri Dato' Sri Dr Zeti Akhtar Aziz was also clear on this when she said, “The confidentiality of customer information is clearly protected by the Banking and Financial Institution Act 1989 (BAFIA).”

Zeti said it s only when there is a suspected offence under federal law or if there is a court order or where a customer has given consent, that relevant law enforcement agencies are authorised under the law to obtain information. This information must be obtained through Bank Negara Malaysia, and if the central bank says there is no foundation for it, the information will not be given.

Read more at: http://www.mole.my/content/banks-and-bank-negara-have-fiduciary-duty