13 Effect of lack of licence
(1) The liability limits specified in Chapter 8 of Part IV shall not apply to unlicensed certification authorities.
(2) Part V shall not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.
(3) In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.
14 Return of licence
(1) Where the revocation of a licence under section 9 has taken effect, or where the licence has expired and no application for its renewal has been submitted within the period specified or where an application for renewal has been refused under section 17, the licensed certification authority shall within fourteen days return the licence to the Commission.
(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed, and the court shall retain the licence and forward it to the Commission.
15 Restricted licence
(1) The Commission may classify licences according to specified limitations including-
(a) maximum number of outstanding certificates;
(b) cumulative maximum of recommended reliance limits in certificates issued by the licensed certification authority; and
(c) issuance only within a single firm or organization.
(2) The Commission may issue licences restricted according to the limits of each classification.
(3) A licensed certification authority that issues a certificate exceeding the restrictions of its licence commits an offence.
(4) Where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the liability limits specified in Chapter 8 of Part IV shall not apply to the licensed certification authority in relation to that certificate.
(5) Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.
16 Restriction on use of expression "certification authority"
Except with the written consent of the Commission, no person, not being a licensed certification authority, shall assume or use the expressions "certification authority" or "licensed certification authority", as the case may be, or any derivative of these expressions in any language, or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by such person, or make any representation to such effect in any bill head, letter, paper, notice, advertisement or in any other manner.
17 Renewal of licence
(1) Every licensed certification authority shall submit an application to the Commission in such form as may be prescribed for the renewal of its licence at least thirty, but not more than sixty, days before the date of expiry of the licence and such application shall be accompanied by such documents and information as may be required by the Commission.
(2) The prescribed fee shall be payable upon approval of the application.
(3) If any licensed certification authority has no intention of renewing its licence, the licensed certification authority shall, at least thirty days before the expiry of the licence, publish such intention in the certification authority disclosure record of the certification authority concerned and advertise such intention in at least one national language and one English language national daily newspaper for at least three consecutive days.
(4) Without prejudice to any other grounds, the Commission may refuse to renew a licence where the requirements of subsection (1) have not been complied with.
18 Lost licence
(1) Where a licensed certification authority has lost its licence, it shall immediately notify the Commission in writing of the loss.
(2) The licensed certification authority shall, as soon as practicable, submit an application for a replacement licence accompanied by all such information and documents as may be required by the Commission together with the prescribed fee.
19 Recognition of other licences
(1) The Commission may recognize, by order published in the Gazette, certification authorities licensed or otherwise authorized by governmental entities outside Malaysia that satisfy the prescribed requirements.
(2) Where a licence or other authorization of a governmental entity is recognized under subsection (1),-
(a) the recommended reliance limit, if any, specified in a certificate issued by the certification authority licensed or otherwise authorized by the governmental entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a licensed certification authority of Malaysia; and
(b) Part V shall apply to the certificates issued by the certification authority licensed or otherwise authorized by the governmental entity in the same manner as it applies to a certificate issued by a licensed certification authority of Malaysia.
20 Performance audit*
(1) The operations of a licensed certification authority shall be audited a least once a year to evaluate its compliance with this Act.
(2) The audit shall be carried out by a certified public accountant having expertise in computer security or by an accredited computer security professional.
(3) The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.
(4) The Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned the date and result of the audit.
*NOTE-The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as "RENTAS"-see P.U. (A) 300/1999.
21 Exemption from performance audit
(1) The Commission may exempt a licensed certification authority from the requirements of section 20 if-
(a) the licensed certification authority requests in writing for exemption;
(b) the most recent performance audit, if any, of the licensed certification authority resulted in a finding of full or substantial compliance with this Act; and
(c) the licensed certification authority declares under oath or affirmation that one or more of the following is true with respect to the licensed certification authority:
(i) the licensed certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(ii) the aggregate lifetime of all certificates issued by the licensed certification authority during the past year is less than thirty days and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(iii) the recommended reliance limits of all certificates outstanding an issued by the licensed certification authority total less than two thousand five hundred ringgit.
(2) Where the licensed certification authority's declaration under paragraph (1)(c) falsely states a material fact, the licensed certification authority shall be deemed to have failed to comply with the performance audit requirement under section 20.
(3) Where a licensed certification authority is exempted under subsection (1), the Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned a statement that the licensed certification authority is exempted from the performance audit requirement under section 20.