Malaysia SMS Compliance Guide: MCMC Regulations, PDPA Requirements & Best Practices

Send compliant SMS messages in Malaysia by following MCMC regulations, PDPA consent requirements, and mandatory content filtering rules. This comprehensive guide covers Malaysia's SMS compliance landscape, including the September 2024 URL blocking enforcement, RM 0.00 prefix requirements, PDPA Amendment 2024 rollout, and carrier-specific requirements for CelcomDigi, Maxis, and U Mobile.

Malaysia SMS Market Overview

Market Conditions: Malaysia operates a mature mobile market with high SMS adoption alongside popular OTT messaging apps like WhatsApp and WeChat. Following the Digi and Celcom merger completed in November 2022, CelcomDigi became Malaysia's largest telecommunications operator with over 20.3 million subscribers. The major Malaysian mobile carriers are CelcomDigi (largest market share), Maxis (second-largest with approximately 27.5% market share as of 2022), U Mobile, and smaller players like Unifi and Yes. The market serves a predominantly Android-based user base (approximately 80% Android vs. 20% iOS). SMS remains crucial for business communications in Malaysia – particularly OTP authentication, transaction notifications, and marketing campaigns – despite increasing competition from OTT messaging platforms.

SMS Messaging Capabilities in Malaysia

You'll find comprehensive SMS capabilities in Malaysia, including two-way messaging, message concatenation, and strict regulatory compliance requirements for business messaging.

Two-Way SMS Messaging in Malaysia

Yes. You can engage in bidirectional SMS messaging with your customers in Malaysia, though you must comply with local regulations regarding consent and opt-out mechanisms.

SMS Concatenation and Message Segmentation

Support: Yes. Most operators support concatenation. Note: Historical documentation indicated Digi Malaysia delivered split messages separately, but this may have changed following the CelcomDigi merger in November 2022. Verify current behavior with CelcomDigi before deploying to production.

Message length rules: Use 160 characters for single SMS with GSM-7 encoding, or 70 characters with Unicode (UCS-2).

Encoding considerations: Use GSM-7 for basic Latin characters and UCS-2 for local language support, including Bahasa Malaysia characters.

MMS Support in Malaysia

Malaysian carriers automatically convert MMS messages to SMS with an embedded URL link. As of September 1, 2024, the Malaysian Communications and Multimedia Commission (MCMC) blocks all URLs in SMS messages, including those in MMS-converted messages. Previously exempted credible entities (government agencies, financial institutions, corporations) lost their exemptions on this date. This makes MMS delivery effectively non-functional in Malaysia without prior URL whitelisting approval from MCMC – which remains extremely difficult to obtain.

Recipient Phone Number Compatibility

Mobile Number Portability (MNP) in Malaysia

Yes. Mobile Number Portability (MNP) has been available in Malaysia since 2008, implemented under MCMC direction. MNP enables customers to switch mobile service providers while keeping their existing phone numbers. Before MNP, mobile numbers were fixed to specific operators (e.g., 012/017 for Maxis, 016 for Digi, 013/019 for Celcom, 018 for U Mobile). Number portability doesn't significantly impact your SMS delivery – carriers handle routing automatically through Malaysia's MNP system. Note: Malaysia's MNP system faces performance challenges, with rejection rates exceeding 50% for port requests – significantly higher than the <10% best practice benchmark.

Sending SMS to Landlines

No. You cannot send SMS to landline numbers in Malaysia. Attempts will result in failed delivery with a 400 response error (code 21614), and you won't be charged.

Malaysia SMS Compliance: MCMC and PDPA Regulations

The Malaysian Communications and Multimedia Commission (MCMC) oversees SMS communications and enforces strict regulations to protect consumers from scams and unauthorized marketing. You must comply with the Personal Data Protection Act 2010 (PDPA) when handling customer data and communications. Significant amendments to the PDPA received royal assent on October 9, 2024, with implementation occurring in three phases: Phase 1 (January 1, 2025), Phase 2 (April 1, 2025), and Phase 3 (June 1, 2025). These amendments expand the definition of "sensitive personal data" to include biometric data, introduce mandatory data breach notification requirements, and require you to appoint data protection officers (both data controllers and processors).

PDPA Consent Requirements for SMS Marketing

Obtain explicit, recordable consent under the PDPA before sending any marketing or promotional messages. Passive opt-out methods are not sufficient – you must obtain consent in a form you can record and maintain, such as written consent or audio recordings. The PDPA requires you to obtain consent before processing personal data. Calling, texting, or emailing individuals without consent constitutes a PDPA breach. Follow these best practices:

• Maintain clear records of when and how you obtained consent
• Use double opt-in processes for marketing lists
• Provide clear terms and conditions during signup
• Specify the types of messages customers will receive
• Document consent timestamps and sources
• Obtain express written consent rather than relying on opt-out mechanisms
• Store consent records in auditable format (written or audio)

SMS Opt-Out Commands: STOP, BATAL, HENTI

Support these commands in all SMS campaigns:

• Opt-out keywords: STOP, BATAL, HENTI (standard opt-out commands)
• Help keywords: HELP, BANTUAN (must provide information in both English and Bahasa Malaysia)
• Respond immediately and free of charge
• Make keywords case-insensitive and functional in both languages
• Under PDPA Section 43: Individuals have the legal right to send written notice to stop you from using their personal data for direct marketing at any time

Malaysia Do Not Call (DNC) Registry Status

Important Update: Malaysia does not have an implemented Do Not Call (DNC) registry as of 2024, unlike neighboring countries such as Singapore and Hong Kong. The Personal Data Protection Department (PDPD) is studying the possibility of implementing a national DNC registry, but the PDPA 2010 does not provide for or mandate a specific DNC registry system. Until Malaysia establishes a formal DNC registry, rely on these internal compliance measures:

• Maintain an internal suppression list of opted-out numbers
• Remove numbers from marketing lists within 24 hours of receiving an opt-out request
• Regularly update and clean marketing databases
• Honor all opt-out requests received via SMS, email, or written notice (PDPA Section 43)
• Maintain comprehensive opt-out records for compliance audits

SMS Sending Time Restrictions in Malaysia

Industry Best Practice: Do not send marketing messages between 8:00 PM and 8:00 AM Malaysian time (UTC+8). Note: While SMS providers widely recommend this 8 PM – 8 AM restriction, explicit time-based sending restrictions are not codified in Malaysian telecommunications law as of 2024. However, respecting these quiet hours aligns with PDPA consumer protection principles and reduces complaint risk. You can send transactional and emergency messages (OTPs, security alerts, critical notifications) 24/7. Consider cultural sensitivities during Ramadan and other religious observances when scheduling marketing campaigns.

SMS Sender ID Options for Malaysia

Alphanumeric Sender ID Support in Malaysia

Operator network capability: Not supported for direct use

Registration requirements: N/A – alphanumeric sender IDs are not supported

Sender ID preservation: Operators overwrite all sender IDs with operator-approved numeric sender IDs

Long Code SMS in Malaysia

Domestic vs. International:

• Domestic: Supported with 200 messages per day limit
• International: Supported with no daily limits

Sender ID preservation:

• Domestic: Preserves original sender ID
• International: Operators overwrite with random operator-approved numeric ID

Provisioning time: Immediate to 24 hours

Use cases: P2P messaging (domestic), A2P messaging (international)

Short Code Registration and Approval in Malaysia

Support: Available through operator-approved channels in three MCMC-regulated categories:

• 2-Series: Reserved for cellular network operators' own services
• 3-Series: Premium services assigned to mobile content services providers
• 6-Series: Corporate and bulk SMS services

Provisioning time: 4 weeks upon application approval by mobile operators

Content requirements: Start every short code message with your full company name or company website (MCMC mandate)

Use cases: High-volume marketing, 2FA, alerts, corporate notifications

Recent regulatory change: As of September 1, 2024, MCMC revoked short code exemptions from URL blocking rules – even MCMC-approved short codes cannot send URLs without explicit whitelisting

MCMC SMS Content Filtering and Prohibited Industries

MCMC prohibits these content types and industries:

• Gambling and betting
• Adult content
• Political messages
• Religious content
• Controlled substances
• Cannabis products
• Alcohol-related content
• Firearms and weapons
• Money lending and loan services

Malaysia SMS Content Filtering Rules (September 2024)

Known Carrier Filtering Rules (MCMC enforcement effective September 1, 2024):

• MCMC completely blocks URLs and hyperlinks (no exceptions; previously exempted credible entities lost exemptions September 1, 2024)
• MCMC blocks callback phone numbers in message body
• MCMC blocks requests for personal information (anti-scam measure)
• Operators may add "RM 0.00," "RM 0.0," or "RM0" prefix to messages lacking it, disrupting message length and formatting

How to Avoid SMS Message Blocking in Malaysia:

Follow these guidelines to avoid message blocking:

• Always include "RM 0.00," "RM 0.0," or "RM0" prefix at the start (operators will add it if missing, breaking your formatting)
• Include your brand name in message content
• Never include URLs or hyperlinks (100% blocked as of September 1, 2024)
• Never include callback phone numbers (blocked to prevent scams)
• Never request personal information (e.g., account numbers, passwords, PINs)
• Keep content clear and straightforward
• Use approved templates for sensitive industries
• Enforcement timeline: MCMC implemented a courtesy period from June 1 to September 1, 2024 for you to adjust; full enforcement began September 1, 2024

Malaysia SMS Best Practices for Business Messaging

SMS Message Strategy and Content Guidelines

• Keep messages under 160 characters when possible (account for mandatory "RM 0.00" prefix, which consumes 7 – 8 characters including space)
• Include clear calls-to-action (without URLs due to September 2024 blocking rules)
• Use personalization tokens thoughtfully
• Maintain consistent brand voice
• Always include your full company or brand name (MCMC requirement)

SMS Sending Frequency and Timing Best Practices

• Limit marketing messages to 2 – 4 per month per recipient
• Respect quiet hours (8 AM – 8 PM)
• Consider Malaysian public holidays
• Space out messages to avoid overwhelming recipients

Localizing SMS Content for Malaysia

• Support both Bahasa Malaysia and English
• Use the appropriate language based on each user's preference
• Consider cultural nuances in your message content
• Provide customer support in both languages

Managing SMS Opt-Outs and Unsubscribes

• Process opt-outs within 24 hours (PDPA requirement)
• Maintain a centralized opt-out database
• Confirm opt-out with one final message
• Never send marketing messages to opted-out numbers
• Document all opt-out requests with timestamps for PDPA audit compliance

Testing SMS Delivery Across Malaysian Carriers

• Test across all major Malaysian carriers (CelcomDigi, Maxis, U Mobile)
• Monitor delivery rates by carrier
• Track opt-out rates and patterns
• Analyze engagement metrics by message type
• Run regular A/B tests on message content

SMS API Integration Options for Malaysia

Twilio

Twilio provides a robust SMS API with specific support for Malaysian regulations. Integration requires an Account SID and Auth Token from your Twilio console.

import { Twilio } from 'twilio';

// Initialize Twilio client with environment variables
const client = new Twilio(
  process.env.TWILIO_ACCOUNT_SID,
  process.env.TWILIO_AUTH_TOKEN
);

async function sendSMSToMalaysia() {
  try {
    // Note: RM 0.00 prefix and brand name are required for Malaysia
    const message = await client.messages.create({
      body: 'RM 0.00 CompanyName: Your verification code is 123456',
      from: process.env.TWILIO_PHONE_NUMBER,
      to: '+60123456789' // Malaysian number in E.164 format
    });

    console.log(`Message sent successfully: ${message.sid}`);
  } catch (error) {
    console.error('Error sending message:', error);
  }
}

Sinch

Sinch offers direct carrier connections in Malaysia with support for local regulations and formatting requirements.

import { SinchClient } from '@sinch/sdk';

const sinch = new SinchClient({
  servicePlanId: process.env.SINCH_SERVICE_PLAN_ID,
  apiToken: process.env.SINCH_API_TOKEN
});

async function sendSMSViaSinch() {
  try {
    const response = await sinch.messages.send({
      from: process.env.SINCH_SENDER_ID,
      to: ['+60123456789'],
      // Include required RM 0.00 prefix and brand name
      body: 'RM 0.00 CompanyName: Welcome to our service!',
      delivery_report: 'summary'
    });

    console.log('Message batch ID:', response.id);
  } catch (error) {
    console.error('Sinch API error:', error);
  }
}

MessageBird

MessageBird provides enterprise-grade SMS capabilities with Malaysian carrier connections.

import { MessageBird } from 'messagebird';

const messagebird = MessageBird(process.env.MESSAGEBIRD_API_KEY);

interface SMSResponse {
  id: string;
  status: string;
  recipients: {
    totalCount: number;
    totalSentCount: number;
  };
}

async function sendSMSViaMessageBird(): Promise<SMSResponse> {
  return new Promise((resolve, reject) => {
    messagebird.messages.create({
      originator: 'CompanyName',
      recipients: ['+60123456789'],
      body: 'RM 0.00 CompanyName: Your account has been activated',
    }, (err, response) => {
      if (err) {
        reject(err);
        return;
      }
      resolve(response);
    });
  });
}

Plivo

Plivo offers reliable SMS delivery to Malaysia with support for local compliance requirements.

import { Client } from 'plivo';

const client = new Client(
  process.env.PLIVO_AUTH_ID,
  process.env.PLIVO_AUTH_TOKEN
);

async function sendSMSViaPlivo() {
  try {
    const response = await client.messages.create({
      src: process.env.PLIVO_SENDER_ID, // Will be overwritten with local shortcode
      dst: '+60123456789',
      text: 'RM 0.00 CompanyName: Thank you for your purchase!',
      // Optional parameters for delivery tracking
      url: 'https://your-callback-url.com/status',
      method: 'POST'
    });

    console.log('Message UUID:', response.messageUuid);
  } catch (error) {
    console.error('Plivo API error:', error);
  }
}

SMS API Rate Limits for Malaysia

Understand these rate limits:

• Domestic long codes: 200 messages per day per number
• Short codes: Up to 100 messages per second
• International routes: Varies by provider

Apply these strategies for large-scale sending:

• Implement queue systems (Redis or RabbitMQ)
• Use batch APIs when available
• Monitor throughput and adjust your sending rates
• Implement exponential backoff for retries

Common SMS Error Codes in Malaysia

Log and monitor errors effectively:

• Log all API responses and delivery receipts
• Monitor these common error codes:
  • 21614: Invalid landline number
  • 30007: Blocked content detected
  • 30008: Message outside allowed hours
• Implement webhook handlers for delivery status updates
• Set up automated alerts for unusual error rates

Frequently Asked Questions About Malaysia SMS Compliance

What is the RM 0.00 prefix requirement in Malaysia?

The RM 0.00 prefix is mandatory for all SMS messages sent in Malaysia as of September 2024. The Malaysian Communications and Multimedia Commission (MCMC) requires this prefix to indicate to recipients that the SMS is free to receive. If you don't include "RM 0.00," "RM 0.0," or "RM0" at the start of your message, mobile operators will automatically add it, which can disrupt your message formatting and character count. The prefix consumes 7 – 8 characters including the space.

Can I send URLs in SMS messages in Malaysia?

No. As of September 1, 2024, MCMC strictly enforces a complete ban on URLs and hyperlinks in SMS messages in Malaysia. This applies to all senders, including previously exempted credible entities like government agencies, financial institutions, and corporations. Even MCMC-approved short codes cannot send URLs without explicit whitelisting approval, which is extremely difficult to obtain. The ban aims to protect Malaysian consumers from SMS-based scams.

Do I need PDPA consent to send marketing SMS in Malaysia?

Yes. The Personal Data Protection Act 2010 (PDPA) requires you to obtain explicit, recordable consent before sending any marketing or promotional SMS messages in Malaysia. Passive opt-out methods are not sufficient – you must obtain consent in a recordable form such as written consent or audio recordings. Sending marketing messages without proper consent constitutes a PDPA breach. Under PDPA Section 43, individuals have the legal right to stop you from using their personal data for direct marketing at any time.

What are the SMS sending time restrictions in Malaysia?

While not legally codified in Malaysian telecommunications law, industry best practice recommends not sending marketing SMS between 8:00 PM and 8:00 AM Malaysian time (UTC+8). Respecting these quiet hours aligns with PDPA consumer protection principles and reduces complaint risk. You can send transactional and emergency messages (OTPs, security alerts, critical notifications) 24/7. Consider cultural sensitivities during Ramadan and other religious observances when scheduling marketing campaigns.

Which mobile carriers operate in Malaysia?

Malaysia's major mobile carriers are CelcomDigi (largest operator with over 20.3 million subscribers following the Digi and Celcom merger in November 2022), Maxis (second-largest with approximately 27.5% market share as of 2022), U Mobile, and smaller players like Unifi and Yes. CelcomDigi's formation through the merger makes it the dominant player in Malaysia's telecommunications market.

Does Malaysia have a Do Not Call registry?

No. Malaysia does not currently have an implemented Do Not Call (DNC) registry as of 2024, unlike neighboring countries such as Singapore and Hong Kong. The Personal Data Protection Department (PDPD) is studying the possibility of implementing a national DNC registry, but the PDPA 2010 does not provide for or mandate a specific DNC registry system. Until Malaysia establishes a formal DNC registry, maintain an internal suppression list and honor all opt-out requests within 24 hours.

What is Mobile Number Portability in Malaysia?

Mobile Number Portability (MNP) has been available in Malaysia since 2008, implemented under MCMC direction. MNP enables customers to switch mobile service providers while keeping their existing phone numbers. Before MNP, mobile numbers were fixed to specific operators. Number portability doesn't significantly impact SMS delivery for businesses – carriers handle routing automatically through Malaysia's MNP system. However, Malaysia's MNP system faces performance challenges with rejection rates exceeding 50%.

What are the PDPA Amendment 2024 implementation dates?

The Personal Data Protection Act amendments received royal assent on October 9, 2024, with implementation occurring in three phases: Phase 1 (January 1, 2025), Phase 2 (April 1, 2025), and Phase 3 (June 1, 2025). These amendments expand the definition of "sensitive personal data" to include biometric data, introduce mandatory data breach notification requirements, and require both data controllers and processors to appoint data protection officers. Ensure your SMS compliance programs are updated to meet these new requirements.

Recap and Additional Resources

Key Takeaways

1. Compliance Priorities (Updated for 2024 – 2025):

   • Include "RM 0.00," "RM 0.0," or "RM0" prefix (mandatory; operators will add if missing)
   • No URLs or phone numbers in content (strictly enforced since September 1, 2024; exemptions revoked)
   • No requests for personal information (anti-scam enforcement)
   • Respect quiet hours (8 AM – 8 PM best practice, though not legally codified)
   • Obtain explicit, recordable consent before marketing (PDPA requirement; passive opt-out is insufficient)
   • Maintain proper opt-out mechanisms (PDPA Section 43 grants individuals the right to stop marketing)
   • Prepare for PDPA amendments: Phase 1 (January 1, 2025), Phase 2 (April 1, 2025), Phase 3 (June 1, 2025)

2. Technical Requirements:

   • Use E.164 number formatting
   • Implement proper error handling
   • Monitor delivery rates
   • Support both English and Bahasa Malaysia
   • Account for CelcomDigi as largest operator (merger completed November 2022)
   • Note MNP system limitations (>50% rejection rate; verify port status for critical sends)

Next Steps

Complete these steps to ensure compliance:

1. Review the MCMC Content Code (latest version: November 28, 2022) and MCMC Mobile Content Services guidelines
2. Consult legal counsel for PDPA Amendment 2024 compliance review (three-phase rollout: January 1, April 1, June 1, 2025)
3. Set up test accounts with your preferred SMS providers and verify behavior with CelcomDigi (largest operator)
4. Implement recordable consent management systems (written or audio; passive opt-out is not sufficient)
5. Remove all URLs from your SMS templates (strict enforcement since September 1, 2024)
6. Monitor PDPD announcements regarding potential Do Not Call registry implementation (under consideration but not yet implemented)

Additional Information

• Malaysian Communications and Multimedia Commission (MCMC)
• MCMC Mobile Content Services Guidelines
• Personal Data Protection Department (PDPD)
• Personal Data Protection Act 2010 (PDPA)
• MCMC Content Code (Version 6, November 28, 2022)
• Personal Data Protection Code of Practice for Communications Sector (2024)