DIGITAL SIGNATURE BILL 1997
PART II
CONTROLLER OF CERTIFICATION AUTHORITIES AND THE LICENSING OF CERTIFICATION AUTHORITIES
3. (1) The Minister shall appoint a Controller of Certification Authorities for the purposes of this Act, in particular for the purpose of monitoring and overseeing the activities of certification authorities.
(2) The Controller shall exercise, discharge and perform the powers, duties and functions conferred on the Controller under this Act.
(3) The Controller may, after consultation with the Minister, appoint such number of officers and servants as the Controller considers necessary to exercise and perform all or any of the powers and duties of the Controller under this Act except the powers delegated to the Controller under subsection 4(4).
(4) The Controller and all officers and servants appointed by the Controller under subsection (3) shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister.
(5) The Controller shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority which shall contain all the particulars required under the regulations made under this Act.
(6) The Controller shall publish the contents of the data base in at least one recognised repository.
4. (1) No person shall carry on or operate, or hold himself out as carrying on or operating, as a certification authority unless that person holds a valid licence issued under this Act.
(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.
(3) The Minister may, on an application in writing being made in accordance with this Act, exempt -
(a) a person operating as a certification authority within an organisation where certificates and key pairs are issued to members of the organisation for internal use only; and
(b) such other person or class of persons as the Minister considers fit, from the requirements of this section.
(4) The Minister may delegate his powers under subsection (3) to the Controller and such powers may be exercised by the Controller in the name and on behalf of the Minister.
(5) A delegation under subsection (4) shall not preclude the Minister himself from exercising at any time the powers so delegated.
(6) The liability limits specified in Chapter 8 of Part IV shall not apply to an exempted certification authority and Part V shall not apply in relation to a digital signature verified by a certificate issued by an exempted certification authority.
5. (1) The Minister shall, by regulations made under this Act, prescribe the qualification requirements for certification authorities.
(2) The Minister may at any time vary or amend the qualification requirements prescribed under subsection (1) provided that any such variation or amendment shall not be applied to a certification authority holding a valid licence under this Act until the expiry of that licence.
6. (1) The function of a licensed certification authority shall be to issue a certificate to a subscriber upon application and upon satisfaction of the licensed certification authority's requirements as to the identity of the subscriber to be listed in the certificate and upon payment of the prescribed fees and charges.
(2) The licensed certification authority shall, before issuing any certificate under this Act, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.
(3) The licensed certification authority shall, on the issuance of any certificate under this Act, cause the application for the certificate to be certified by a notary public duly appointed under the Notaries Public Act 1959.
7. (1) An application for the grant of a licence under this Act shall be made in writing to the Controller in such form as may be prescribed.
(2) Every application under subsection (1) shall be accompanied by such documents or information as may be prescribed and the Controller may, orally or in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information as may be considered necessary by the Controller for the purposes of determining the suitability of the applicant for the licence.
(3) Where any additional document or information required under subsection (2) is not provided by the applicant within the time specified in the requirement or any extension thereof granted by the Controller, the application shall be deemed to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.
8. (1) The Controller shall, on an application having been duly made in accordance with section 7 and after being provided with all such documents and information as he may require, consider the application, and where he is satisfied that the applicant is a qualified certification authority and a suitable licensee, and upon payment of the prescribed fee, grant the licence with or without conditions, or refuse to grant a licence.
(2) Every licence granted under subsection (1) shall set out the duration of the licence and the licence number.
(3) The terms and conditions imposed under the licence may at any time be varied or amended by the Controller provided that the licensee is given a reasonable opportunity of being heard.
(4) Where the Controller refuses to grant a licence, he shall immediately notify the applicant in writing of his refusal.
9. (1) The Controller may revoke a licence granted under section 8 if he is satisfied that -
(a) the licensed certification authority has failed to comply with any obligation imposed upon it by or under this Act;
(b) the licensed certification authority has contravened any condition imposed under the licence, any provision of this Act or any other written law, regardless that there has been no prosecution for an offence in respect of such contravention;
(c) the licensed certification authority has, either in connection with the application for the licence or at any time after the grant of the licence, provided the Controller with false, misleading or inaccurate information or a document or declaration made by or on behalf of the licensed certification authority or by or on behalf of any person who is or is to be a director, controller or manager of the licensed certification authority which is false, misleading or inaccurate;
(d) the licensed certification authority is carrying on its business in a manner which is prejudicial to the interest of the public or to the national economy;
(e) the licensed certification authority has insufficient assets to meet its liabilities;
(f) a winding up order has been made against the licensed certification authority or a resolution for its voluntary winding-up has been passed;
(g) the licensed certification authority or any of its officers holding a managerial or an executive position has been convicted of any offence involving dishonesty, fraud or moral turpitude;
(h) the licensed certification authority or its director, controller or manager has been convicted of any offence under this Act; or
(i) the licensed certification authority has ceased to be a qualified certification authority.
(2) Before revoking a licence, the Controller shall give the licensed certification authority a notice in writing of his intention to do so and require the licensed certification authority to show cause within a period specified in the notice as to why the licence should not be revoked.
(3) Where the Controller decides to revoke the licence, he shall immediately inform the certification authority concerned of his decision by a notice in writing.
(4) The revocation of a licence shall take effect -
(a) where there is no appeal against such revocation, on the expiration of fourteen days from the date on which the notice of revocation is served on the licensed certification authority; or
(b) where there is an appeal against such revocation, when the revocation is confirmed by the Minister.
(5) Where an appeal has been made against the revocation of a licence, the certification authority whose licence has been so revoked shall not issue any certificates until the appeal has been disposed of and the revocation has been set aside by the Minister but nothing in this subsection shall prevent the certification authority from fulfilling its other obligations to its subscribers during such period.
(6) A person who contravenes subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.
(7) Where the revocation of a licence has taken effect, the Controller shall, as soon as practicable, cause such revocation to be published in the certification authority disclosure record he maintains for the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.
(8) Any delay or failure in publishing or advertising such notice of revocation shall not in any manner affect the validity of the revocation.
10. (1) Any person who is aggrieved by -
(a) the refusal of the Controller to license any certification authority under section 8 or to renew any such licence under section 17; or
(b) the revocation of any licence under section 9,
may appeal in writing to the Minister within fourteen days from the date on which the notice of refusal or revocation is served on that person.
(2) The decision of the Minister under this section shall be final and conclusive.
11. (1) A licensed certification authority may surrender its licence by forwarding it to the Controller with a written notice of its surrender.
(2) The surrender shall take effect on the date the Controller receives the licence and the notice under subsection (1), or where a later date is specified in the notice, on that date.
(3) The licensed certification authority shall, not later than fourteen days after the date referred to in subsection (2), cause such surrender to be published in the certification authority disclosure record of the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.
12. (1) Where the revocation of a licence under section 9 or its surrender under section 11 has taken effect, or where the licence has expired, the licensed certification authority shall immediately cease to carry on or operate any business in respect of which the licence was granted.
(2) Notwithstanding subsection (1), the Minister may, on the recommendation of the Controller, authorise the licensed certification authority in writing to carry on its business for such duration as the Minister may specify in the authorisation for the purpose of winding up its affairs.
(3) Notwithstanding subsection (1), a licensed certification authority whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Controller that the licensed certification authority has applied for a renewal of the licence and that such application is pending determination.
(4) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.
(5) Without prejudice to the Controller's powers under section 33, the revocation of a licence under section 9 or its surrender under section 11 or its expiry shall not affect the validity or effect of any certificate issued by the certification authority concerned before such revocation, surrender or expiry.
(6) For the purposes of subsection (5), the Controller shall appoint another licensed certification authority to take over the certificates issued by the certification authority whose licence has been revoked or surrendered or has expired and such certificates shall, to the extent that they comply with the requirements of the appointed licensed certification authority, be deemed to have been issued by that licensed certification authority.
(7) Nothing in subsection (6) shall preclude the appointed licensed certification authority from requiring the subscriber to comply with its requirements in relation to the issuance of certificates or from issuing a new certificate to the subscriber for the unexpired period of the original certificate provided that any additional fees or charges to be imposed shall only be imposed with the prior written approval of the Controller.
(8) Where the Controller has appointed a licensed certification authority to take over the certificates of a certification authority under subsection (6), the certification authority shall pay to the appointed licensed certification authority such part of the prescribed fee paid by the subscribers to it as the Controller may determine.
13. (1) The liability limits specified in Chapter 8 of Part IV shall not apply to unlicensed certification authorities.
(2) Part V shall not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.
(3) In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.
14. (1) Where the revocation of a licence under section 9 has taken effect, or where the licence has expired and no application for its renewal has been submitted within the period specified or where an application for renewal has been refused under section 17, the licensed certification authority shall within fourteen days return the licence to the Controller.
(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed, and the court shall retain the licence and forward it to the Controller.
15. (1) The Controller may classify licences according to specified limitations including -
(a) maximum number of outstanding certificates;
(b) cumulative maximum of recommended reliance limits in certificates issued by the licensed certification authority; and
(c) issuance only within a single firm or organisation.
(2) The Controller may issue licences restricted according to the limits of each classification.
(3) A licensed certification authority that issues a certificate exceeding the restrictions of its licence commits an offence.
(4) Where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the liability limits specified in Chapter 8 of Part IV shall not apply to the licensed certification authority in relation to that certificate.
(5) Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.
16. Except with the written consent of the Controller, no person, not being a licensed certification authority, shall assume or use the expressions "certification authority" or "licensed certification authority", as the case may be, or any derivative of these expressions in any language, or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by such person, or make any representation to such effect in any bill head, letter, paper, notice, advertisement or in any other manner.
17. (1) Every licensed certification authority shall submit an application to the Controller in such form as may be prescribed for the renewal of its licence at least thirty, but not more than sixty, days before the date of expiry of the licence and such application shall be accompanied with such documents and information as may be required by the Controller.
(2) The prescribed fee shall be payable upon approval of the application.
(3) If any licensed certification authority has no intention of renewing its licence, the licensed certification authority shall, at least thirty days before the expiry of the licence, publish such intention in the certification authority disclosure record of the certification authority concerned and advertise such intention in at least one national language and one English language national daily newspaper for at least three consecutive days.
(4) Without prejudice to any other grounds, the Controller may refuse to renew a licence where the requirements of subsection (1) have not been complied with.
18. (1) Where a licensed certification authority has lost its licence, it shall immediately notify the Controller in writing of the loss.
(2) The licensed certification authority shall, as soon as practicable, submit an application for a replacement licence accompanied by all such information and documents as may be required by the Controller together with the prescribed fee.
19. (1) The Controller may recognise, by order published in the Gazette, certification authorities licensed or otherwise authorised by governmental entities outside Malaysia that satisfy the prescribed requirements.
(2) Where a licence or other authorisation of a governmental entity is recognised under subsection (1), -
(a) the recommended reliance limit, if any, specified in a certificate issued by the certification authority licensed or otherwise authorised by the governmental entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a licensed certification authority of Malaysia; and
(b) Part V shall apply to the certificates issued by the certification authority licensed or otherwise authorised by the governmental entity in the same manner as it applies to a certificate issued by a licensed certification authority of Malaysia.
20. (1) The operations of a licensed certification authority shall be audited at least once a year to evaluate its compliance with this Act.
(2) The audit shall be carried out by a certified public accountant having expertise in computer security or by an accredited computer security professional.
(3) The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.
(4) The Controller shall publish in the certification authority disclosure record he maintains for the licensed certification authority concerned the date and result of the audit.
21. (1) The Controller may exempt a licensed certification authority from the requirements of section 20 if -
(a) the licensed certification authority requests in writing for exemption;
(b) the most recent performance audit, if any, of the licensed certification authority resulted in a finding of full or substantial compliance with this Act; and
(c) the licensed certification authority declares under oath or affirmation that one or more of the following is true with respect to the licensed certification authority:
(i) the licensed certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(ii) the aggregate lifetime of all certificates issued by the licensed certification authority during the past year is less than thirty days and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(iii) the recommended reliance limits of all certificates outstanding and issued by the licensed certification authority total less than two thousand five hundred ringgit.
(2) Where the licensed certification authority's declaration under paragraph (1) (c) falsely states a material fact, the licensed certification authority shall be deemed to have failed to comply with the performance audit requirement under section 20.
(3) Where a licensed certification authority is exempted under subsection (1), the Controller shall publish in the certification authority disclosure record he maintains for the licensed certification authority concerned a statement that the licensed certification authority is exempted from the performance audit requirement under section 20.