On 22 May 2025, Bursa Malaysia Berhad (“Bursa Malaysia”) launched Shares2U, a securities transfer scheme which allows Participating Organisations (“POs”) to incentivise retail investors with eligible Bursa Malaysia-listed shares as part of their marketing initiatives.
POs, through Shares2U, can reward investors with selected shares when investors perform specific actions, such as opening a Central Depository System (“CDS”) account, depositing funds, or executing trades, thereby boosting investor acquisition and retention.
This initiative aims to boost participation across various investor profiles by encouraging new investors, motivating existing investors to reactivate dormant accounts, and rewarding active investors. Brokers can create dynamic, value-driven campaigns beyond conventional marketing strategies, thereby enhancing customer interaction digitally.
The press release on the launch of Shares2U can be accessed here. More information on Shares2U can be found here and the Frequently Asked Questions on Shares2U may be found here.
MITI to issue Non-Preferential Certificate of Origin (NPCO) for Exports to the United States
The Ministry of Investment, Trade and Industry (“MITI”) has announced that effective 6 May 2025, all Non-Preferential Certificates of Origin (“NPCO”) for shipment to the United States (“US”) will be issued by MITI.
As a result, the issuance of NPCO to the US market by business councils, chambers or associations appointed by MITI, in accordance with the NPCO issuance guidelines established by MITI, will cease immediately.
This significant policy change comes amid growing concerns over the misuse of Malaysia’s export channels as a transshipment route for goods originating from countries facing higher tariffs in the US market.
Employment & Industrial Relations
Ministry of Human Resources reviewing proposal to raise mandatory retirement age to 65 years.
The Ministry of Human Resources has recently announced that it is currently reviewing the proposal to raise the mandatory retirement age from 60 to 65 years.
In Malaysia, the mandatory retirement age for civil servants is currently 60, which is also the minimum retirement age for private sector employees under the Minimum Retirement Age Act 2012. For clarity, at the moment, there is no mandatory retirement age for private sector employees; and the Minimum Retirement Age Act 2012 only sets a minimum age of retirement at 60 years of age and does not specifically set the mandatory retirement age at 60 years of age.
Whilst the reported review by the Ministry of Human Resources relates to the raising of
the “mandatory” retirement age which would suggest that the review would likely
impact the civil servants only, it should be anticipated that the Malaysian Government
may consequently look to increase the minimum retirement age of private sector
employees as well, considering Malaysia’s ageing population and its trajectory towards
being an aged nation.
Should the minimum retirement age of private sector employees be consequently
increased as well, it would be the first time the minimum retirement age is raised since
the standardised statutory minimum retirement age for private sector employees was
first imposed over a decade ago (i.e., when the Minimum Retirement Age Act 2012 first
came into effect).
The potential changes above will likely mark a significant shift in the retirement policies
in Malaysia, and it would be interesting to see the impacts of the same on the nation as
a whole.
Personal Data Protection & Privacy Laws
Appointment of Data Protection Officer
We previously discussed the appointment of a Data Protection Officer (“DPO”) in our February 2025 edition of the Personal Data Protection & Privacy Laws Updates. As of 1 June 2025, section 12A of the Personal Data Protection Act 2010 (“PDPA”) has come into force, requiring data controllers and processors (“Organisations”) to appoint one or more DPOs to oversee PDPA compliance. In this regard, the Personal Data Protection Commissioner (“Commissioner”) has issued the Personal Data Protection Guideline on Appointment of Data Protection Officer (“Guideline”) to assist Organisations in fulfilling this necessary obligation.
Under the Guideline, an Organisation is required to appoint a DPO if:
- it processes personal data exceeding 20,000 or more data subjects;
- it processes sensitive personal data, including financial information, exceeding 10,000 data subjects; or
- its personal data processing involves activities that require regular and systematic monitoring of personal data.
The Guideline also sets out the minimum qualifications for DPOs, which include expertise in areas such as corporate governance and IT & data security. The DPO may be an internal or external appointment but must either be a resident of Malaysia or be easily contactable. Once appointed, Organisations are required to register their DPO with the Commissioner within 21 days from the date of appointment, providing the relevant business contact information.
The core responsibilities of the DPO can be summarised generally to include, among
others, acting as the primary contact with the Commissioner, liaising between the
Organisation and data subjects, advising and supporting on data processing activities,
and monitoring compliance with the PDPA, including data breach management.
Importantly, appointing a DPO does not exempt the Organisation from its obligations
under the PDPA. Organisations remain ultimately accountable for ensuring compliance
with the PDPA in respect of all personal data processing activities, and remain liable in
the event of any non-compliance.