CTOS Consent Form (Malaysia)
CTOS CREDIT REPORT CONSENT FORM
Credit Reporting Agencies Act 2010 (CRAA 2010) | Personal Data Protection Act 2010 (PDPA 2010)
Date: [Consent Date]
SUBJECT DETAILS
Full Name: [Subject Full Name]
NRIC / Passport / SSM No.: [Subject ID Number]
Address: [Subject Address]
Contact No.: [Subject Contact Number]
REQUESTOR DETAILS
Name: [Requestor Name]
Address: [Requestor Address]
Purpose: [Purpose Of Access]
Remarks: [Purpose Remarks]
CONSENT AND AUTHORISATION
I/We, [Subject Full Name] (NRIC / SSM No.: [Subject ID Number]), hereby authorise [Requestor Name] (the "Requestor") to access my/our CTOS credit report from CTOS Data Systems Sdn Bhd, a credit reporting agency licensed under the Credit Reporting Agencies Act 2010 (CRAA 2010) by the Registrar of Credit Reporting Agencies.
The purpose of this access is: [Purpose Of Access] — [Purpose Remarks].
I/We understand that this consent is given in accordance with Section 29 of the CRAA 2010 and that the Requestor is authorised to access my/our CTOS report solely for the stated purpose. The Requestor shall not use or disclose the CTOS data for any other purpose without my/our further written consent, in compliance with the Personal Data Protection Act 2010 (PDPA 2010), Section 6.
I/We acknowledge that under Section 23 of the CRAA 2010, I/we have the right to access my/our own CTOS report and to dispute any inaccurate information under Section 26 of the CRAA 2010 directly with CTOS Data Systems Sdn Bhd.
Subject Signature: _______________________________
Name: _______________________________
NRIC / SSM No.: _______________________________
Date: _______________________________
Subject (Consenting Party)
________________
Signature
What Is a CTOS Consent Form (Malaysia)?
A CTOS Consent Form in Malaysia documents a party's authorisation or waiver and the limits that apply to it.
CTOS Data Systems Sdn Bhd operates one of Malaysia's two main private credit reporting systems — the other being Experian Credit Services Malaysia Sdn Bhd. A CTOS report aggregates publicly available credit information including: court judgments from the High Court of Malaya, Sessions Court, and Magistrates Court; winding-up petitions and bankruptcy proceedings filed under the Companies Act 2016 and the Insolvency Act 1967; Trade References contributed by subscribing businesses; company SSM information; and — for consenting individuals — information from CCRIS and financial institutions.
The Credit Reporting Agencies Act 2010 (CRAA 2010), Section 29, prohibits credit reporting agencies from disclosing a Subject's credit information to a third party without the Subject's written consent, except in specified circumstances including compliance with a court order or direction from BNM. A CTOS Consent Form is the instrument through which the Subject provides this consent, authorising the named requestor to obtain a full CTOS report or a specific CTOS product (such as a CTOS Score or CTOS Business Report).
The Personal Data Protection Act 2010 (PDPA 2010) applies to the personal data collected in the CTOS Consent Form — specifically the Subject's full name, NRIC number, and contact details. Under Section 6 of PDPA 2010, personal data may only be collected and processed for the purpose for which consent is given. The CTOS Consent Form must therefore state the specific purpose for which the credit report is being accessed — for example, credit assessment for a loan application, employment screening, or trade credit assessment.
A CTOS Consent Form differs from a CCRIS consent, as CCRIS (Central Credit Reference Information System) is maintained by BNM and accessible only to financial institutions licensed under the Financial Services Act 2013 and Islamic Financial Services Act 2013. Non-bank entities — employers, landlords, trade creditors — access credit information through CTOS or Experian rather than CCRIS.
The legal framework governing the CTOS Consent Form (Malaysia) in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a CTOS Consent Form (Malaysia) in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Financial Services Act 2013 (Act 758) sets the foundational requirements.
When Do You Need a CTOS Consent Form (Malaysia)?
A CTOS Consent Form in Malaysia is needed whenever a creditor, employer, or other authorised party seeks to access an individual's or company's CTOS credit report under the CRAA 2010.
A CTOS Consent Form is required when a trade supplier assesses a new business customer before extending credit terms. Under the CRAA 2010, the supplier must obtain the customer's written consent before accessing their CTOS Business Report, which shows court judgments, winding-up petitions, and trade reference information.
A CTOS Consent Form is needed when a landlord evaluates a prospective tenant's creditworthiness before entering a tenancy agreement. Commercial landlords in Kuala Lumpur and other major centres routinely require CTOS consent as part of the tenancy application process.
A CTOS Consent Form is required when an employer conducts background screening of a job applicant — particularly for positions involving financial responsibility, access to company funds, or fiduciary duties. Section 29 of the CRAA 2010 requires consent for such disclosures.
A CTOS Consent Form is needed when a licensed moneylender under the Moneylenders Act 1951 or a cooperative under the Co-operative Societies Act 1993 assesses a loan application and does not have access to BNM's CCRIS system.
A CTOS Consent Form is required when a company seeking to enter a joint venture or partnership performs due diligence on the financial standing of the prospective partner's key individuals or directors, to assess whether there are undisclosed court judgments or bankruptcy proceedings under the Insolvency Act 1967.
Parties in Malaysia should prepare a CTOS Consent Form (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your CTOS Consent Form (Malaysia)
A valid CTOS Consent Form in Malaysia must contain the following essential elements to comply with the CRAA 2010 and PDPA 2010.
Subject Identification: Full name of the individual or company as per NRIC, passport, or SSM records; NRIC number (for individuals) or SSM registration number (for companies); and contact details including address and telephone number.
Requestor Identification: Full legal name, SSM registration number, and address of the entity authorised to access the CTOS report. The Requestor must be a CTOS subscriber or an entity accessing the report through a licensed channel.
Purpose of Access: A clear statement of the specific purpose for which the CTOS report is being accessed — for example, 'credit assessment for a trade credit application,' 'pre-employment screening,' or 'tenancy application assessment.' Under PDPA 2010, Section 6, the purpose must be stated and the data may only be used for that stated purpose.
Consent Statement: An unambiguous written consent by the Subject authorising the named Requestor to access the Subject's CTOS report, including CTOS Score, CTOS MyCTOS Score, CTOS Business Report, or other specified products. The consent must reference the CRAA 2010 and PDPA 2010.
Data Retention and Confidentiality: A statement that the Requestor will use the CTOS data solely for the stated purpose, will not disclose it to unauthorised third parties, and will retain it only as long as necessary — consistent with PDPA 2010, Section 10 (storage limitation principle).
Signature and Date: The Subject's signature and the date of consent. The consent date is material — CTOS consent is generally valid for a single access or for the duration of a specific transaction, not as a blanket ongoing authorisation. The Requestor should obtain fresh consent for each new access.
Additional compliance elements for a CTOS Consent Form (Malaysia) used in Malaysia include: Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). CTOS Consent Form (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/financial/forms/ctos-consent-form-malaysia
"CTOS Consent Form (Malaysia) (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/financial/forms/ctos-consent-form-malaysia.
@misc{formslegal-ctos-consent-form-malaysia,
author = {{Forms Legal}},
title = {CTOS Consent Form (Malaysia) (Malaysia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/malaysia/financial/forms/ctos-consent-form-malaysia}},
note = {Free legal document template. Based on Financial Services Act 2013 (Act 758)}
}Frequently Asked Questions
Under the Credit Reporting Agencies Act 2010 (CRAA 2010), Section 29, a credit reporting agency licensed by the Registrar of Credit Reporting Agencies (an officer of Bank Negara Malaysia) must not disclose a Subject's credit information to a third party without the Subject's written consent. CTOS Data Systems Sdn Bhd, as a CRAA 2010-licensed agency, requires written consent before releasing a CTOS report to a requestor. This means that an employer, landlord, or trade creditor cannot legally obtain a CTOS report on an individual or company without first obtaining written consent from the Subject. Failure to obtain consent before accessing credit information may expose the requestor to liability under Section 29 and the penalty provisions of the CRAA 2010, which provide for fines and imprisonment for unauthorised disclosure.
A CTOS report in Malaysia aggregates multiple categories of publicly available and consented credit information. Standard CTOS report contents include: court judgments from the High Court of Malaya, Sessions Court, and Magistrates Court of Malaysia where the Subject is a judgment debtor; winding-up petitions and orders under the Companies Act 2016; bankruptcy petitions and adjudication orders under the Insolvency Act 1967; trade references contributed voluntarily by CTOS-subscribing businesses; and SSM company information for corporate entities. For individuals who have opted in, CTOS MyCTOS Score includes a credit score calculated from repayment behaviour and CCRIS data accessed through Bank Negara Malaysia channels. A CTOS Business Report additionally includes directorship information and any legal suits involving the company.
The CRAA 2010 does not specify a fixed validity period for CTOS consent. In practice, CTOS consent is treated as valid for the specific purpose and transaction stated in the consent form — for example, a single credit application or a specific employment assessment. For ongoing credit relationships, some creditors request annual renewal of CTOS consent. Under the Personal Data Protection Act 2010 (PDPA 2010), the Subject retains the right to withdraw consent at any time under Section 38 of PDPA 2010, though withdrawal of consent after a credit report has been obtained does not invalidate the report already accessed. Requestors should obtain fresh consent for each new access of the Subject's CTOS report, particularly where a significant period has elapsed since the previous consent was signed.
Under the Credit Reporting Agencies Act 2010 (CRAA 2010), Section 23, every individual has the right to access their own credit report held by a licensed credit reporting agency. CTOS Data Systems Sdn Bhd allows individuals to access their MyCTOS Score report — which includes their CTOS credit score, legal information, and trade references — through CTOS's online platform (myctos.com) upon identity verification using MyKad (NRIC). The CRAA 2010 requires that credit reporting agencies provide one free report per year to individuals upon request, and charge a reasonable fee for subsequent requests. Individuals who discover inaccurate information in their CTOS report have the right to dispute it under Section 26 of the CRAA 2010, and CTOS must investigate and correct verified errors. Under Malaysia law, Financial Services Act 2013 (Act 758), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
CTOS and CCRIS serve different purposes in Malaysia's credit information ecosystem. CCRIS (Central Credit Reference Information System) is operated by Bank Negara Malaysia (BNM) and contains information on credit facilities granted by financial institutions licensed under the Financial Services Act 2013 and Islamic Financial Services Act 2013 — including loans, overdrafts, credit cards, and hire purchase. Access to CCRIS is restricted to BNM-licensed institutions. CTOS, operated by CTOS Data Systems Sdn Bhd (licensed under CRAA 2010), aggregates publicly available information including court judgments, bankruptcy and winding-up records, and trade references — accessible to a broader range of subscribing businesses. CTOS also incorporates CCRIS data for consenting individuals through BNM-authorised channels, creating a more comprehensive report. Non-bank entities — employers, landlords, trade creditors — typically use CTOS rather than CCRIS for credit assessments.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
CCRIS Consent Form (Malaysia)
A CCRIS Consent Form for Malaysia authorising a Bank Negara Malaysia-licensed financial institution to access the subject's Central Credit Reference Information System (CCRIS) data for credit assessment under the Financial Services Act 2013, Islamic Financial Services Act 2013, and the Personal Data Protection Act 2010.
Credit Application Form (Malaysia)
A Credit Application Form for Malaysia that enables businesses to assess a customer's creditworthiness before extending trade credit. Collects company details, financial information, trade references, and authorisation for CCRIS and CTOS credit checks under the Credit Reporting Agencies Act 2010 (CRAA 2010) and Personal Data Protection Act 2010.
BNM KYC Form (Malaysia)
A Know Your Customer (KYC) form for Malaysia aligned with Bank Negara Malaysia (BNM) Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) requirements. Collects identity, beneficial ownership, source of funds, and risk classification information required by financial institutions, money service businesses, and designated non-financial businesses under AMLA 2001.