Same players, new rules: Here’s how Consumer Credit Commission regulations safeguard BNPL users

KUALA LUMPUR, June 12 — As buy now, pay later (BNPL) and other non-bank credit services become increasingly embedded in Malaysians’ daily spending habits, their ease of access has also raised concerns about transparency, consumer protection and responsible lending practices.

Against this backdrop, the Consumer Credit Commission’s (CCC) new Conduct Standards seek to strike a balance between convenience and protection, strengthening consumer safeguards while holding providers more accountable.

For those unfamiliar, the CCC — established under the Consumer Credit Act, which took effect on March 1 this year — is the primary regulatory authority tasked with licensing and regulating credit service providers that were once outside formal oversight.

So how do the Conduct Standards — which took effect on June 5 — translate into tangible protection for consumers, particularly those who frequently use BNPL services?

More scrutiny for BNPL providers

Recognising the unique features and risks of BNPL arrangements, additional obligations have been introduced covering areas such as white-labelling, pricing methodologies, affordability thresholds, late payment practices, merchant conduct, digital authentication and Shariah compliance.

1. White labelling

Providers must give clear and prominent disclosures to credit consumers on their websites and across all communication channels, including mobile applications and marketing materials.

White labelling is an arrangement where a BNPL provider allows a partner to offer its credit products under the partner’s own brand, while the BNPL provider remains ultimately responsible for managing those products.

To avoid confusion, providers must ensure their white-labelling partners adopt the same disclosure practices to show they are working with a licensed BNPL provider and must not imply that the partners are regulated by the CCC.

TL;DR: BNPL providers must ensure clear disclosures across all channels, including white labelling, and prevent partners from misleading consumers or implying CCC regulation.

2. Pricing methodologies

Providers must not offer credit products where interest or profit charges are calculated using the flat rate or the Rule of 78 method.

3. Affordability thresholds (AT)

Providers must conduct an affordability assessment when a credit limit exceeds RM1,000 per consumer, and may set lower limits for higher-risk groups based on factors such as default history or vulnerability.

According to the CCC, the RM1,000 AT balances quick approval of short-term credit with the need for affordability checks on higher BNPL limits, which helps reduce the risk of unmanageable debt.

TL;DR: BNPL providers must check affordability for limits above RM1,000, with lower thresholds allowed for higher-risk users to balance access and debt protection.

4. Late payment practices

Providers must ensure late payment charges only cover the actual costs of recovering overdue instalments and must not set any fixed minimum charge.

Account suspension must be enforced if a consumer misses two consecutive payments until all outstanding amounts are fully settled, though providers may choose to suspend accounts after just one missed payment.

TL;DR: BNPL providers must limit late charges to actual recovery costs, avoid fixed minimum fees, and suspend accounts after two missed payments (or earlier if they choose) until dues are settled.

5. Merchant requirement

Providers must ensure merchants do not set BNPL as the default payment option for consumers and, if this occurs, must take corrective action, including, where possible, suspending BNPL acceptance for that merchant.

6. Digital authentication

Providers must implement multi-factor authentication (MFA) to strengthen fraud protection, ensuring it is securely linked to a consumer’s account, activated only after verification, and that any activation or changes are promptly notified through verified channels.

Providers that allow unauthenticated online transactions must also give consumers the option to opt out of or disable this feature.

They must strengthen security for updates to personal details such as mobile numbers and email addresses to prevent fraudsters from using stolen credentials to initiate transactions.

This includes immediately alerting consumers to any changes, applying strong verification for new or updated mobile numbers, and using additional checks or cooling-off periods for unusual or high-volume transaction activity.

Providers must deploy fraud detection systems to identify and block suspicious activity based on factors such as spending behaviour, device information and location.

Consumers must also be provided with tools such as a “kill switch” to quickly suspend or disable their accounts in cases of suspected fraud or unauthorised access.

Providers must educate consumers on the risks of unauthenticated transactions and available safeguards and clearly inform them of their responsibilities to protect credentials, report suspected fraud promptly and regularly monitor their account activity.

Consumers must not be held liable for unauthorised transaction losses caused by provider failures, system or security weaknesses, fraud or negligence by staff or merchants, cancelled accounts, missing credentials, or transactions occurring before or after a reported breach or where fraud investigations are not properly resolved.

However, providers may refuse liability if consumers act fraudulently, refuse to cooperate in investigations, or fail to meet their notified responsibilities, including safeguarding credentials and monitoring transactions.

TL;DR: BNPL providers must strengthen fraud protection through MFA, security controls, monitoring systems and tools such as a kill switch, while educating consumers on their responsibilities; consumers are generally not liable for unauthorised losses caused by provider failures, except in cases of fraud or non-cooperation.

7. Shariah compliance

An Islamic BNPL provider must ensure that purchases of gold and silver using BNPL are made on a spot basis, and if operational or customary practices require a delay, settlement must not exceed two business days.