Quick verdict
CCRIS and CTOS are often discussed in the same breath, and that confuses Malaysian buyers who need to source credit data. They are different products run by different operators under different laws. CCRIS is the Central Credit Reference Information System operated by Bank Negara Malaysia (BNM). It is the source of truth for credit obligations across the Malaysian banking system, and access is restricted to licensed financial institutions and BNM-approved member entities. CTOS Data Systems is a commercial credit reporting agency licensed under the Credit Reporting Agencies Act 2010 (CRAA 2010), open to a wider B2B audience: SME lenders, fintechs, fund admins, law firms, foreign acquirers. CCRIS data flows into licensed CRAs through a separate BNM approval, but a CTOS report is not a raw CCRIS query. If you do not hold a relevant Malaysian banking license, you cannot pull CCRIS direct. You go via CTOS or RAM Credit Information.
What CCRIS is
CCRIS is operated by Bank Negara Malaysia under its Credit Bureau function. The system has been collecting credit-related information from lending institutions since 1982, currently under the Central Bank of Malaysia Act 2009. It covers consumer and corporate credit obligations across the Malaysian banking system: term loans, credit cards, hire purchase, trade finance, mortgages, Islamic financing facilities, and certain non-bank lines that fall under BNM’s reporting net.
Member institutions submit credit data on their loan portfolios on a regular cadence. When an authorised member queries CCRIS for a borrower, the system returns a consolidated picture stitched from every member’s contribution. That is what makes CCRIS the system of record for what a borrower owes across the Malaysian banking system. It is not a curated bureau view. It is the contributing institutions’ own data, returned in aggregate.
CCRIS does not carry corporate registry data, court records, directorship history, beneficial-ownership filings, or third-party trade-credit signals. What it carries is bank-system credit truth: outstanding facilities, repayment behaviour, arrears, restructuring, and legal-action records as contributed by reporting institutions.
Who can access CCRIS
Access is the single most misunderstood part of CCRIS. Eligible members are licensed commercial banks, licensed Islamic banks, licensed investment banks, development financial institutions, certain licensed insurance and takaful companies, and selected government agencies acting on a statutory basis. Approval runs through BNM’s Credit Bureau under the central bank’s member access framework. Per-search fees apply, and members are bound by strict use-case and consent rules around how the data is queried and how the results are stored.
Non-licensed entities cannot pull CCRIS direct. That includes most fintechs (until they secure a relevant license such as digital banking), foreign companies running pre-deal due diligence, law firms acting on transactions, fund administrators, and individual buyers other than the data subject themselves. Individuals can retrieve their own CCRIS report for free via the eCCRIS portal operated by BNM, but eCCRIS is for personal use only and is not a B2B channel.
A separate path exists for commercial credit reporting agencies. Licensed CRAs may access CCRIS data, but only with explicit BNM approval. As the New Straits Times reported in March 2024, this CRA access is conditional and revocable. In late 2024, BNM temporarily suspended CRA access to CCRIS as a precautionary measure following cybersecurity concerns, and access was restored to CTOS Data Systems in November 2024 after an independent compromise assessment. CRA access to CCRIS is not unconditional, and the regulatory grip is firm.
What CTOS is
CTOS Data Systems has operated as a Malaysian credit bureau since 1990. The parent group, CTOS Digital Berhad, is listed on Bursa Malaysia. CTOS Data Systems Sdn Bhd is registered as a credit reporting agency under CRAA 2010 by the Ministry of Finance’s Registrar Office of Credit Reporting Agencies (PPK). That registration is what permits the company to operate a commercial credit bureau in Malaysia.
CTOS aggregates several data layers. The base layer is corporate registry information sourced from the Companies Commission of Malaysia (SSM): incorporation details, directors, shareholders, registered addresses, financial statements where filed, and beneficial-ownership filings under Section 60B of the Companies Act 2016. On top of that, CTOS adds court records, bankruptcy filings, winding-up petitions, litigation, trade references through the eTR network, and credit scoring derived from its own data and (where authorised) the licensed CCRIS feed.
Product tiers run from pay-per-report (consumer or company) through subscription bundles like CTOS Credit Manager for monitoring and CTOS eKYC for onboarding. An enterprise REST API is available through CTOS Basis. A single business credit report typically falls in the USD 7 to USD 46 (MYR 30 to MYR 200) band depending on tier and inclusions.
Who can access CTOS
The CTOS audience is much wider than the CCRIS audience. SME lenders that are not BNM-licensed, fintech onboarding teams, peer-to-peer financing platforms, fund administrators, law firms, in-house counsel running counterparty diligence, foreign companies running pre-acquisition checks, recruitment agencies, and commercial landlords are all routine CTOS buyers. Customer due diligence, identity verification, and contractual purpose limits apply, but no banking license is required.
That breadth is exactly why a foreign acquirer evaluating a Malaysian target almost always ends up at CTOS rather than CCRIS. The acquirer cannot pull CCRIS direct, and the CTOS report carries the corporate registry, the court layer, the directors, and a credit score that surfaces some of the underlying credit signal.
Coverage difference
CCRIS coverage is narrow but deep. It carries credit obligations across the Malaysian banking system: bank loans, Islamic financing facilities, credit cards, hire purchase, trade finance, mortgages, and contributing non-bank lender lines. It does not carry corporate registry data, court records, directorship history, ultimate beneficial-ownership disclosures, or trade-credit signals.
CTOS coverage is wide. A CTOS company report typically pulls SSM corporate filings, current and historical directors, current and historical shareholders, court records, bankruptcy filings, winding-up petitions, litigation, registered charges, trade references, and CTOS’s own credit score. Where the buyer is authorised and the product tier permits, CCRIS-derived information may surface inside the CTOS view; the raw query result is not republished outside the licensed CRA channel.
The two products do different jobs. Most Malaysian banks running a lending decision use both: CCRIS for raw credit obligation truth, CTOS (or RAMCI, or Experian) for the wider corporate intelligence layer that ties the borrower entity to its directors, court history, and registered ownership.
Data freshness
CCRIS freshness tracks contributor cadence. Member institutions submit data on a regular reporting schedule, typically monthly aggregated balances with daily or near-daily updates on certain events. For raw credit obligation freshness, CCRIS wins because it is the source rather than a downstream aggregator.
CTOS freshness depends on the layer. SSM corporate data refreshes daily. Court and bankruptcy data refresh on upstream feed cadence. Consumer credit scoring is closer to real-time once contributing institutions report. For broader entity context (litigation, ownership change, charge filings), CTOS wins because it integrates those feeds.
API access
CCRIS is not a public REST API. Access runs through BNM’s secured member infrastructure with authentication, audit logging, and per-search fees built in. There is no self-serve commercial API. A regulated entity onboards as a member and the integration sits inside that member’s compliance perimeter.
CTOS publishes an enterprise REST API through CTOS Basis. Volume buyers integrate company report fetches, eKYC checks, and monitoring webhooks into their onboarding stacks. Pricing and rate limits are contract-priced. For lower volumes, the CTOS portal is the practical channel.
Pricing model
CCRIS pricing follows BNM’s member-access tariff: membership status (which requires regulated entity standing) plus per-search fees. The numbers are not published as a commercial price list because the audience is not commercial; the audience is licensed members.
CTOS pricing is commercial. One-off reports are priced per report on the portal. Subscription tiers add monitoring, alerts, and bulk lookups. Enterprise customers negotiate annual minimums with API and SLA terms. A small business doing occasional counterparty checks uses the portal; an SME lender doing thousands of decisions a month uses the subscription tier.
Compliance posture
CCRIS data use is governed by the Central Bank of Malaysia Act 2009 and the contractual member terms BNM imposes on access. Misuse, unauthorised access, or sharing CCRIS output beyond the agreed scope carries severe consequences, including statutory penalties.
CTOS data use is governed by CRAA 2010 and the Personal Data Protection Act 2010. The CRAA framework requires that credit information be processed only for permitted purposes (lending, employment with consent, tenancy with consent, KYC obligations under AMLA), with rights for the data subject to access and correct their record. PDPA layers in consent, purpose limitation, and cross-border transfer rules.
Both regimes are strict. Buyers who treat the output of either system as casual market intelligence misread the law. Statutory penalties for misuse run up to RM 1 million and five years’ imprisonment under CRAA 2010, and CCRIS member terms add their own contractual teeth.
When buyers actually use which
Three patterns describe how the data sources sit in practice.
A licensed bank making a lending decision on a corporate borrower uses CCRIS as the raw credit-obligation truth source: every facility the borrower carries across the banking system, arrears, restructuring history, legal action recorded by other lenders. The bank also pulls a CTOS or RAMCI report for the corporate registry layer, director history, court records, charges, and a derived credit score. Both feeds are part of the credit file.
A fintech doing SME onboarding without a banking license cannot access CCRIS direct. Its primary feed is CTOS: SSM corporate data, court history, bankruptcy, litigation, and a credit score. Some pre-license fintechs partner with a licensed bank or NBFI to get CCRIS data indirectly within an agreed scope. The cleanest path is still CTOS until the fintech holds a relevant license.
A foreign acquirer running pre-deal credit due diligence on a Malaysian target cannot access CCRIS direct. It goes to CTOS for the derived view, sometimes adds Experian for the cross-border graph, and brings a Malaysian licensed bank into the deal team if raw CCRIS visibility is needed.
Comparison matrix
| Attribute | CCRIS (Bank Negara Malaysia) | CTOS Data Systems |
|---|---|---|
| Operator | Bank Negara Malaysia | CTOS Digital Berhad (listed on Bursa Malaysia) |
| Legal basis | Central Bank of Malaysia Act 2009 | Credit Reporting Agencies Act 2010 (CRAA 2010) |
| Who can access | Licensed banks, Islamic banks, DFIs, approved insurers, certain government agencies; data subjects via eCCRIS | Wider B2B: SME lenders, fintechs, fund admins, law firms, foreign companies (with KYC) |
| Coverage | Banking system credit obligations only | SSM corporate + directors + shareholders + court + bankruptcy + litigation + credit score |
| Freshness | Live to member contributor cadence (typically daily on events, monthly on aggregates) | SSM daily; court/bankruptcy on upstream cadence; consumer credit near real-time |
| API | BNM member-access infrastructure (not a public REST API) | Enterprise REST API via CTOS Basis |
| Pricing | BNM membership plus per-search fees (regulated audience) | One-off USD 7 to USD 46 (MYR 30 to MYR 200) per report; subscription tiers; enterprise API contract |
| Best-fit buyer | Licensed banks and NBFIs sourcing raw credit obligation truth | SME lenders, fintech onboarding, fund admins, law firms, foreign acquirers |
What businessdataguide does
businessdataguide is an editorial publication. We publish neutral buyer-side comparisons of compliance and credit data sources so procurement teams, compliance leads, and deal teams can shortlist the right supplier without being sold to. We do not resell CCRIS access and we are not a credit reporting agency. We are a publisher, not a vendor and not a procurement advisor. For corrections, data issues, or editorial feedback, see the contact page.
Frequently asked questions
Can a fintech access CCRIS?
Only if the fintech holds a relevant license that puts it inside BNM’s CCRIS member framework: a licensed digital bank, Islamic financial institution, or development financial institution. Most pre-license fintechs cannot pull CCRIS direct. Some structure a partnership with a licensed bank or NBFI so that the licensed entity does the CCRIS query inside its own compliance perimeter and the fintech receives a permissible derived signal. CTOS and RAMCI remain the practical primary feeds for fintechs without a banking license.
Is eCCRIS the same as CCRIS?
No. eCCRIS is BNM’s portal for individuals to retrieve their own credit report. Registration is digital (since February 2022) and the report is free for personal use. eCCRIS is not a B2B channel and not a substitute for licensed-member access to CCRIS. A business checking a counterparty’s credit must go through a licensed CRA like CTOS or RAMCI, or hold its own CCRIS member access.
Can I get CCRIS data through CTOS?
CTOS holds a separate licensing arrangement with BNM that lets it surface credit information products in its reports. The data is generally a derived or scored view rather than a raw CCRIS member query result. Where a CTOS product surfaces CCRIS-sourced fields, it is bound by the underlying BNM approval and CRAA 2010 permitted-purpose rules. Verify the product scope with CTOS at procurement time, because inclusions vary by tier and by the buyer’s permitted use case.
What does CCRIS cover that CTOS does not?
CCRIS covers direct credit obligations across the Malaysian banking system as contributed by reporting institutions: outstanding facilities, repayment behaviour, arrears, restructuring, and recorded legal action by lenders. CTOS surfaces credit scoring and derived defaults plus a much wider corporate intelligence layer (SSM, court, bankruptcy, litigation, charges) but does not republish raw CCRIS member data outside specific licensing arrangements. For raw bank-system credit truth, CCRIS is the source. For wider entity context, CTOS is the source.
Which one shows defaults?
Both, at different levels. CCRIS shows arrears and write-offs as banks report them. It is the closest you get to raw credit-obligation truth on the Malaysian banking system. CTOS surfaces defaults via its own bureau data, court bankruptcy filings, winding-up petitions, and regulatory disclosures. For a lending decision, banks rely on CCRIS as primary truth and use the CTOS or RAMCI defaults layer as supplementary context. For a non-bank buyer (fintech, fund admin, foreign acquirer), CTOS is the practical default-signal source because CCRIS access is not available.