5 Misunderstandings About PayNet’s DuitNow—Answered

5 Misunderstandings About PayNet’s DuitNow—Answered

by October 22, 2018

Here’s where we stand on this DuitNow function that was launched by PayNet, and will be adopted by 44 banks by 6th December 2018—honestly this should have happened much sooner, and it is a step in the right direction towards moving Malaysia into our cashless future.

Similar functions, such as Singapore’s NETSPay has been launched in other countries already, and Malaysia is now finally coming aboard what seems to be an outdated function for those familiar with fintech overseas.

But many on Malaysians are rightfully confused.

The automatic opt-in method has left a sour taste in many Malaysians’ mouths—many who may not have gotten over the forced upgrade to PayWave-enabled debit cards last year. While we understand that this automatic onboarding method may have been a necessary evil from the banks’ perspective, it is equally understandable that users may feel like their privacies have been violated.

It doesn’t help matters that despite banks’ notification efforts, many users only found out about DuitNow from an SMS, are pulled in without earlier consent, are not given much context into what it even is, and only have a few days to opt-out. Many customers were left confused, and according to some accounts, the opt-out process can be rather difficult.

What is DuitNow?

duitnow money transfer ictf bank negara

To put things simply, DuitNow exists in hopes of making bank transfers more convenient. Instead of having to send over unwieldy bank account numbers to receive money from someone, you can instead just send over an easier to memorise number.

Identifiers that can be linked to DuitNow are:

  • Mobile phone number
  • IC number
  • Army or police number
  • Passport number (only for non-locals)
  • Business registration number (only applicable for SSM-registered businesses)

To use DuitNow, each number can only be tied to one bank account. It is also worth noting that all someone can do with these identifiers on DuitNow is send money to it. Accessing your bank account, and other functions, can only be done with existing methods already in place.

DuitNow will not be launching its own app, and instead the money transfers will still be done via your individual bank portals.

Basically, DuitNow is an extra layer you can choose to interact with if you would rather not send your bank account number to someone, and that’s it for now.

Like bank GIRO transfers or Instant Transfers, you will be given a digital receipt for each successful DuitNow transaction. You can read this article for more information regarding DuitNow.

With that out of the way, here are some common confusions we’ve seen about DuitNow on the internet, and where things stand, as far as we understand them:

1. What third-party organisations are gaining access to my sensitive banking information?

duitnow PayNet CEO Peter Schisser

Netizens are rightfully concerned whether a third-party company is gaining access to their banking information—one that may not be able to secure such crucial details. After all, they have no idea who are running DuitNow and what their affiliations are.

However, we can at least say that your information is probably no more or less safe than it was before the launch of DuitNow.

The DuitNow network was developed by PayNet which is jointly owned by 11 banks, with BNM being the largest shareholder. The holding company that runs such crucial online banking platforms like MEPS, JomPay, FPX and etc. Basically, if you have ever engaged in online banking activities such as shopping online, paying bills online, direct debits, using e-wallets or even linking your Malaysian credit/debit cards to an app, your information has passed likey through MEPS, and also to PayNet.

PayNet will also be running the platform under BNM’s purview, as DuitNow is part of the central bank’s push towards a cashless society.

2. What happens if I lose my phone?

One of the more shared posts on Facebook wonders—if a Malaysian loses their phone, will their banking information be compromised thanks to DuitNow?

As discussed, the way DuitNow is just an added option to transfer money. Since DuitNow will only be made available as an extension of your individual bank applications or platforms, like Instant Transfers, it doesn’t seem to add an extra layer of compromise if you were to lose your phone.

Many banks implement either a fingerprint identification, or password protection before you’re able to access its mobile app.

Therefore, unless your phone isn’t password protected or if you store your passwords in an easy-to-access document, DuitNow will not compromise your safety any more than just having your mobile banking app will.

3. I have multiple bank accounts tied to the same number. How do I know which account will receive money when someone sends uses my phone number to transfer money?

During the automatic opt-ins, you will be notified (or have been via SMS) of which bank account your number will be tied to. Since the opt-in will be happening in batches, you should keep your eyes peeled towards the SMS sent out by your respective banks to see which accounts your numbers will be tied to.

However, once DuitNow actually launches and is available via your banks’ portals, you’ll be able to change what accounts are tied to each of your numbers, or remove your identifying numbers completely.

4. Is my phone number now my bank account number?

You will still have your original account number, and can still choose to do accept payments or money with it if you do not wish to use DuitNow. As mentioned, you will be able to log into your bank portals and remove associations between your identifying numbers and DuitNow if you so wish.

5. What about people who don’t use online banking, but still have their numbers tied to a bank account?
misconceptions duitnow paynet press conference

At the press conference.

Similar to online banking on most banking apps, while the opt-in has been made automatic, the DuitNow service will be deactivated for individual numbers or accounts if are no transactions made within a certain period of time.

This was confirmed during the DuitNow press event today by Peter Schiesser, CEO of PayNet.

“Any number you have needs to be registered through the bank. Additionally, we are working with the telcos to get lists for when mobile numbers are recycled so we can maintain those numbers that have been deregistered and recycled, and remove them from the database. Also, we’ll have some inactivity measures as well, where if a number is inactive for quite a while,” said Peter.

However, users are still able to manually switch out their identifiers via the bank portals of their choice if they so wish.

Bonus: Aren’t automatic opt-ins Like DuitNow illegal?

While BNM has decreed that automatic opt-ins are illegal in Malaysia, the rule could potentially exclude PayNet, but that depends on how the permissions are obtained.

Netizens have pointed out that the Personal Data Protection Act 2010 (PDPA), which was designed to “regulate the processing of personal data in commercial transactions.”

And according to Donovan & Ho as it pertains to the PDPA:

“It is also common for companies to use an opt-out method of obtaining consent, whereby a company gives the option to an individual (e.g. by SMS or written notice) to not receive marketing messages and if the individual does not opt-out, the company proceeds to market to the individual. Obtaining consent by opt-out methods may not be permissible, given that the PDPA Regulations require consent to be recordable.”

It is by this logic that many Malaysians feel like DuitNow is a breach of their privacy. However, Section 3 of the PDPA document does state that “this Act shall not apply to the Federal Government and State Governments”.

Therefore, there is a possibility that the move by PayNet, participating banks, and BNM is completely legal, as long as the move is considered a federal government measure.

Unfortunately, we don’t have an easy answer for this one.

Update: In response to this query, PayNet has issued the following statement:

“DuitNow is a payment service offered by banks to their customers within the banks’ internet and mobile banking services.”

“When customers sign up for internet and mobile banking, their banks typically have a set of terms and conditions, which may or may not include granting consent to share information for the purpose of providing services in internet and mobile banking.  In making a decision on how to pre-register customers, banks would have taken into account what is permitted or has  been granted under these existing terms and conditions.”

“The decision whether to pre-register customers for DuitNow using an opt-out or opt-in approach depends on banks’ terms and conditions with their customers. Banks may determine which approach to take, as long as they comply with the relevant laws and regulations including the Personal Data Protection Act 2010. “