Malaysian lawmakers have been busy in the past several months. New laws are expected to affect technology companie and startups operating online platforms and businesses such as gig economy platforms, ‘Buy Now, Pay Later’ (BNPL) operators, social media and messaging platforms.
Other regulatory updates also include the anticipated Securities Commission of Malaysia’s fintech regulatory sandbox, additional personal data protection requirements, e-invoicing, to measure to promote more safety in cyberspace. Some of these measures may be necessary, as more of us are online than ever, however, they may also increase compliance costs for businesses.
Social media and messaging licensing framework enforced
Effective 1 January 2025, the Malaysian Communications and Multimedia Commission (MCMC) mandates online social media platforms. Considering the minimum threshold of the users count is at least 8 million registered users, we foresee the licensing to apply to major companies (eg, Telegram, TikTok, Facebook). The law was introduced amid public requests for more oversight on the content moderation by these platforms.
In contrast, a social media platform in Singapore may not need to be licensed but the Singapore Online Safety Act 2022 regulates harmful content, which requires relevant platforms to remove specific content as may be directed by the regular.
Regulating consumer credit via the Consumer Credit Bill 2025
The Consumer Credit Bill 2025 was tabled on 4 March 2025 aims to establish the Consumer Credit Commission (CCC), a new authority to regulate several entities which are currently not subject to any regulatory supervision. Affected business models include ‘Buy Now Pay Later’ (‘BNPL’) schemes, non-bank factoring and leasing companies, impaired loan buyers, debt collection agencies, and debt counselling and management agencies.
A fintech business seeking to operate any consumer credit related (eg, BNPL model) business may want to consult legal advice if a licence may be required under the new bill.
Regulating harmful content on the cyberspace
The Online Safety Bill 2024 seeks to make cyberspace a safer place for everyone. The bill may likely complement the new regulatory framework requiring social media (eg, Facebook) and internet messaging services providers (eg, Whatsapp) to be licensed under the Communications and Media Act 1998. The bill also includes step by step procedures for reporting harmful content to the regulator.
Opponents argue that the new bill may appear as an “overregulation” of industry players in cyberspace. However, Australia has implemented more stringent measures such as prohibiting users under the age of 16 years old from accessing social media services.
Streamlining data sharing among government entities under the National Data Sharing Bill
The Data Sharing Bill seeks to streamline data sharing among public sector agencies so that data and information are streamlined, and facilitate the use of cloud storage among government agencies in the public sector. The bill is long overdue as the government needs this law to help harmonise among ministries to allow more public services to be offered in cyberspace.
As a startup, you may be affected if you intend to partner up with a government entity or utilise certain public data. The bill includes provisions on how data sharing requests are carried out to how data should be managed by a government agency or a third party (eg, a startup providing analytics services to a government entity).
Malaysian Media Council to promote self-regulation of media practitioners
The Malaysian Media Council Bill 2024 is aimed to form the new Malaysian Media Council (MMC), which is authorised to set industry standards, establish a code of conduct for both print and digital media practitioners, and promote ethical journalism.
In the age of social media, the committee will also be tasked with addressing misinformation and disinformation by enforcing ethical reporting standards responsible journalism. Activities hope that the new bill will promote further media independence and enhanced protection for journalists.
New ‘Esha clause’ under the Penal Code to address cyberbullying
On 16 December 2024, the parliament passed The Penal Code (Amendment) Bill (2) 2024 which is also known the “Esha clause,” named in honour of Rajeswary Appahu, a cyberbullying victim and influencer who tragically died by suicide.
The amendments to the penal code include legal recognition of “doxing,” making it an offence to share someone’s personal information with the intent to harass, intimidate, or cause distress, with a penalty of up to three years in prison, a fine, or both. Online platforms and forums may likely be expected to exercise more vigilance in moderating contents.
Securities Commission of Malaysia’s fintech regulatory sandbox launched
On 17 February 2025, the Securities Commission of Malaysia (SC), the regulator for capital activities in Malaysia released the Guidelines on Regulatory Sandbox. The sandbox is aimed to promote new potential ideas including “asset tokenisation offerings”, following the initial announcement of the sandbox at the SCxSC fintech event in October 2024 last year.
The sandbox is aimed to help applicants test innovative capital market products so long as there is a regulatory gap in the existing regulatory frameworks, with a 12-month testing period.
Application for the first cohort will open 15 April 2025 to 31 May 2025. Note that a compulsory pre-consultation is required including providing supporting documents (eg, business plan, operating model and the eligibility criteria for sandbox).
In contrast, Thailand’s Securities and Exchange Commission (SEC) launched its Digital Asset Regulatory Sandbox which focuses on digital asset services.
To recap, note that the Central Bank of Malaysia (Bank Negara), the banking and financial services regulator had previously issued the revised Financial Technology Regulatory Sandbox Framework on 29 February 2024, which expanded the inclusion of a “Green Lane” path to fintech startups (usually may be backed by an existing institution).
Staged implementation of the new personal data protection amendments
Amendments to the Personal Data Protection Act (PDPA) were passed by the lawmakers on 31 July 2024. The guidelines involve the appointment of a Data Protection Officer, Data Breach Notification, Cross-border Data Transfer and Data Portability, including the revised version of the Personal Data Protection Standard will be released and enforced in several phases from 1 January 2025 to 1 June 2025.
As a founder, consult a legal counsel if your company’s existing privacy policy may require a legal review to ensure compliance to these new amendments.
E-invoicing regime for all businesses
Starting 1 July 2025, e-invoicing shall be mandatory for companies and will apply to all 1 July 2025, Note that startups with revenue below RM150,000 (US$33,587.10) yearly are exempted from e-invoicing.
On 22 February 2025, the Malaysian Finance Minister announced that micro small medium enterprises (SMEs) will be given a six month respite until 1 January 2026 to comply with the mandatory e-invoicing. Founders should consult their tax agent to get advice on adopting e-invoicing.
E-commerce law review ongoing
First announced on 27 June 2024, the review of all present laws relating to e-commerce is still ongoing. Based on the original announcement, mid-2025 was the targeted completion date. In any case, E-commerce platforms need to stay up to date on this new proposal as the government may likely emphasise consumer protection.
Gig workers commission bill
The Gig Workers Bill is aimed to address the welfare of a gig worker. The Bill aims to regulate the gig industry to ensure fair income structures and introduce social protection to gig workers.
Despite support by the gig workers, critics argue that more feasibility studies are required to address “gaps” in the Gig Workers bill (eg, the legal definition of who is a “gig worker”). The prime minister had assured that all stakeholders will be taken into account before tabling the bill. Therefore, it is unclear if the bill may be tabled during the current parliamentary sitting or may be deferred to mid – year 2025 (taking into account further inputs from other stakeholders).
In contrast, Singapore’s Platform Workers Act came into effect on 1 January 2025 also contains legal protections such as injury compensation to CPF retirement contributions, engaged in the gig economy via online platforms, like ride-hailing services and food delivery apps .
Founders seeking to implement a gig economy business model must assess and also likely budget for additional compliance costs in anticipation of the law.
Final thoughts
Founders need to stay up to date on these evolving laws, and seek legal advice to assess if the new regulatory change may affect their present business model. This is to ensure your operations align with these new laws, safeguarding your company’s future success.
This article reflects the current legal landscape as of 9 March 2025.
This article was first published on e27.