Revisiting Banking Confidentiality: The Federal Court’s Decision In The Public Bank Berhad Case

This matter arose from a high-profile dispute over banking confidentiality between Public Bank Berhad and the National Feedlot Corporation group of companies and its director, Dato’ Sri Dr Mohamad Salleh bin Ismail (the Respondents). The dispute centred on the unauthorised disclosure of the Respondents’ confidential banking information, which surfaced during a press conference held in 2012 held by a Member of Parliament, Rafizi bin Ramli.

At that press conference, Rafizi revealed documents related to Dr Salleh’s loan application for the purchase of eight condominium units at KL Eco City. Although the loan was ultimately not disbursed (the offer was withdrawn in January 2012) the disclosure of these details led to damaging allegations of financial impropriety.

The Respondents sued Public Bank, alleging breaches of statutory, fiduciary and contractual duties of confidentiality; and sought substantial damages amounting to RM560 million. The High Court initially dismissed the suit, finding no liability on the part of the Bank. However, the Court of Appeal reversed that finding and held that Public Bank was liable for breaching confidentiality but only awarded nominal damages of RM10,000 because the Respondents had not proved actual loss.

The Respondents appealed to the Federal Court on the premise whether Public Bank was legally liable for the disclosure of confidential information by its employees and whether that liability was strict (without a finding of fault) or based on fault.

Principal Legal Issues

Three main legal issues emerged:

1. Statutory vs Common Law Duties

Whether Malaysia’s Banking and Financial Institutions Act 1989 (BAFIA) supersedes or coexists with common law principles on banking secrecy.

2. Nature Of The Bank’s Duty Of Confidentiality

Whether, under Malaysian law, the Bank’s duty of confidentiality is absolute or qualified, and whether the principles from Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 apply.

3. Strict Liability vs Fault-Based Liability

Whether the Bank could avoid liability by demonstrating that its employees acted without its authority and beyond the scope of their employment.

Decision Of The Federal Court

Relevance Of Tournier And Section 3 Of The Civil Law Act 1956 (CLA)

A significant question was whether the common law principles established in Tournier remain applicable in Malaysia following the enactment of BAFIA. Under Section 3(1) of the CLA, English common law applies in Malaysia only where there is no local written law on the same subject. The Federal Court held that because the BAFIA comprehensively governs banking secrecy and its exceptions, Tournier no longer applies.

In effect, BAFIA has displaced the common law position, and any exceptions to banking secrecy must be found within the statute, not in common law.

Statutory Duty Of Confidentiality

The Federal Court confirmed that the Bank owes its customers a duty of confidentiality under Section 97(1) of the BAFIA. However, the BAFIA also provides for exceptions to this duty, which are set out in Sections 97(2), 98(1) and 99(1). These statutory exceptions are more specific and detailed than the four broad exceptions recognised in Tournier and it was not disputed that those statutory exceptions did not apply to Public Bank. 

For completeness, the Tournier exceptions allow disclosure:

(a) under compulsion of law;

(b) where there is a duty to the public to disclose;

(c) where the bank’s interest requires disclosure; and

(d) where the customer has expressly or impliedly consented.

Strict vs Fault-Based Liability

Public Bank’s main defence was that the leak of the Respondents’ information was caused solely by two “rogue” employees who acted without authority and beyond the scope of their employment. The Bank argued it should not bear strict liability for actions committed by employees acting independently and that liability should be fault-based, requiring proof that the Bank itself had failed to exercise reasonable care.

The Federal Court rejected this argument. It held that under the BAFIA, the duty of confidentiality rests on the financial institution itself, not just on individual officers or employees. The fact that employees accessed and disclosed confidential information without authorisation does not absolve the Bank of liability. Otherwise, statutory protections would be rendered ineffective if financial institutions could escape liability merely by blaming individual staff members.

The Federal Court emphasised that Parliament could have included a fault-based exception in the BAFIA, as Public Bank argued, but deliberately did not. As a result, the Bank remains liable for breaches committed by its staff, even where it may not have been directly at fault.

However, the Federal Court clarified that the Bank’s liability under BAFIA is not strictly absolute because the statute provides exceptions under which liability may be avoided if the requisite criteria are met.

Commentary

This decision has significant implications as it firmly establishes that the BAFIA governs banking confidentiality and that banks cannot avoid liability for breaches by attributing them solely to employee misconduct.

The Federal Court clarified that the English common law played a limited role in Malaysia’s banking secrecy framework, highlighting the primacy of domestic statutory provisions. In light of this ruling, financial institutions must, therefore, implement rigorous internal controls and data security measures to prevent unauthorised disclosures, recognising that under the BAFIA, liability is effectively strict unless specific statutory exceptions apply.

This ruling reinforces that banks bear a heavy responsibility to safeguard customers’ confidential information, with statutory duties overriding common law principles where Parliament has legislated.

14 July 2025