Bank Negara’s policy on FREE bank transfers is actually about...paying with QR codes?

On 16 March 2018, Bank Negara announced their Interoperable Credit Transfer Framework (ICTF) policy that will take effect on 1 July 2018. The last big policy that Bank Negara announced was regarding Bitcoin, and measures being taken to prevent money laundering and terrorism-financing through cryptocurrencies.

[READ MORE - Is Bitcoin legal in Malaysia?]

Bank Negara’s policies are usually a bigger concern to players in the financial industries than the average consumer, but this time, consumers get a big break from the ICTF - free bank transfers! This means you won’t be charged xx sen for GIRO or xx sen for instant transfer transactions anymore.

But that’s not all the the ICTF is about, as Bank Negara also wants to help make electronic payments through QR codes a norm in Malaysia. We’ve come up with some frequently asked questions you might have and their answers to let you know about how the ICTF works, and how it affects you and your payments.
 

1. What is the ICTF and what does it do?

The ICTF is a policy that will streamline credit transfer services in Malaysia to make sure they are secure and easy to use. Credit transfer services won’t mean just your usual bank transfers and remittances, but will include electronic payments as well. These electronic payment systems require you to fund an electronic wallet using your money, and you’ll receive the equivalent value in credits to use (just like a prepaid service).

You might have heard of electronic money (e-money) payment services like Alipay which use a QR code for payments - just scan a shop’s QR code with the Alipay app on your mobile phone to make a payment. These payment systems are currently isolated from the rest of the financial system in Malaysia, and it becomes difficult on customers and merchants if this is not changed. For example, if you’re using Alipay, you can only pay someone who is also using Alipay, and you can’t transfer funds to someone’s WeChat, GrabPay, or even their bank account. The ICTF sets the framework for these payment systems to work with one another in the future.

According to Tan Nyat Chuan from Bank Negara:

“Our ambition is that if I’m GrabPay or Alipay or Touch ‘n Go, I can basically pay to someone who has got a Maybank, CIMB, any bank wallet. And from wallet to wallet transfer. It should be reachable, that is our endgame.” - quoted by VulcanPost at Malaysia FinTech Expo

2. What does this mean for me?

Among the measures Bank Negara is taking to make credit transfers smoother in Malaysia is waiving the transaction fee imposed on customers, whether they are the sender or recipient. So your everyday banking transactions will be free of charge. Bank Negara waives the fees on transactions up to RM5,000 only, but banks and issuers of e-money can specify a different transaction limit for their services.

The ICTF also requires banks and e-money service providers to make sure you can make payments using a universally accepted QR code. So in the future, you’ll be able to make QR code payments using the bank services you already use - no need to sign up with an individual/external e-money service provider like Alipay, GrabPay, or WeChat.

3. Great! Does this waiver apply to every type of financial transaction in Malaysia?

No, there are a few exceptions to the waiver because only “eligible credit transfer transactions” will have their transaction fees waived. As per paragraph 7.1(d) of the policy document:

The following types of credit transfer transactions are excluded:

1. Bulk payment transactions, including Interbank GIRO (TBG)

2. Bill payments including JomPAY transactions

3. Electronic or mobile commerce transactions, like Financial Process Exchange (FPX) transactions

4. Real-time Electronic Transfer of Funds and Securities System (RENTAS) transactions

5. Any other types of transactions as Bank Negara may specify

4. Can I still use cash and credit/debit cards come July?

QR codes are only going to become a payment option in the near future, and the ICTF is meant to help implement a fair and secure system. While the aim is to help Malaysians go cashless if they want to, cash and cards will still be valid forms of payment.

5. What can we do with e-money?

You’ll be able to pay for just about anything with e-money - as long as the merchant accepts it. If you’re familiar with PayPal, you’re already using a form of e-money, just one that doesn’t deal in QR codes.

In Malaysia, there will be certain restrictions on what can be done using e-money due to concerns of money laundering and terrorism-financing. Service providers will need to do what’s called a Customer Due Diligence (CDD) on you, which is basically a background check. They’ll collect your information, get you to fund your e-money account from your bank or a payment card, and then they verify your details with your bank.

You’ll still be able to use e-money even without a CDD, but your transactions will be limited as per the table below.

6. How do I know if using these QR codes are safe?

QR code security became a widespread concern in China after reports of fraudsters sticking fake QR codes on top of real ones that would pay money to the fraudsters’ accounts, or steal a customer’s personal information. This is exactly the kind of security concern which Bank Negara wants to address with the ICTF, which must be solved by service providers in time to come.

When implementing the QR payment framework in Malaysia, service providers will be required under Paragraph 11.1 of the ICTF to ensure that their customers’ information is securely protected, and implement measures that will prevent loss, theft, or unauthorized access to personal information. As an example of a security measure, Visa’s YouTube video here shows that with Visa’s QR payment services, your account is still safe even if you lose your phone because your PIN or fingerprint is still required to authorize any transactions.

You can also expect to be alerted by financial service providers from time to time about practical safety tips to protect yourself from becoming a victim of fraud. In the meantime, QR codes are already being used for payments in Malaysia, so if you do use services like Alipay and GrabPay, take note of some of these precautions issued by Quann Malaysia to protect yourself.

7. Can’t they use a identification system to catch the scammers easily?

Yes! Bank Negara has already announced that a “National Addressing Database” (NAD) shall be established. It’s a central database that will link a bank account (or an e-money account) to personal information that can identify a person. As defined in the ICTF policy document:

The database will also make payments easier to send (you can send payments to a friend using their phone number instead of their bank account number), and since we can all be identified in it, it should be able to track down anyone who may be committing crimes using QR payments as well.

8. Wait, they’re collecting our personal data? How do we know they’re keeping it safe and not selling our information?

Yes, they’re collecting our personal data. But no, they’re not allowed to do anything they want with it. Any person or company who collects personal data for commercial purposes in Malaysia has to comply with the requirements of the Personal Data Protection Act 2010. It contains a standard of security measures and duties that data collectors must fulfill, and they must protect your information from potential data thieves, including their own employees. Companies that fail to do so can be fined up to RM300,000 and the people responsible can be jailed for up to 2 years.

[READ MORE - The PDPA can be used to stop telemarketers from bugging you]

[READ MORE - How much responsibility do companies have if your personal data is stolen?]

9. What if the worst happens and someone hacks into my account?

Technology is marvelous and helps us greatly in our lives - until it fails. The technology behind the operation of banks and e-money are set up by them, and is under their control. So if a security measure fails, they will have to take responsibility for it.

Under the ICTF’s rules for credit transfer transactions, if your account is compromised, a bank or e-money service provider will not hold you responsible unless they can prove that your account was breached because of your own fault. This means that they should compensate you for the losses unless you did one of the following:

1. You were acting fraudulently

2. You deliberately shared your ID and password with other people

3. You did not take steps to keep your security device secure

4. You did not report a stolen password, loss of your security device, or any unauthorized transaction as soon as you knew about it

5. You failed to comply with security warnings that were sent to you to help keep your account safe

10. If e-money is as good as money, do we earn interest on it?

Unfortunately, no. Under Paragraph 12.2, e-money service providers in Malaysia cannot:

1. Issue e-money at a discount from the real value

2. Lend money

3. Lend you e-money, or pay you interest on your e-money balance

4. Associate or use the e-money scheme or platform to conduct illegal activities

We’ll have to wait and see what develops

The ICTF has a lot of information to take in about how electronic payments will work in Malaysia, but a lot of it is still just a framework and theory. The actual work and execution of the system is not yet in place.

Although, some banks have already made their moves towards helping Malaysia adopt electronic payments, such as making online transfers free, and adopting QR payments themselves.