"No data is shared." But Bank of Maldives and Immigration quietly rewrote the rules.

Customers were not told. The bank confirmed to the Maldives Independent that "no direct customer notification was issued for this amendment, consistent with the bank's standard practice." Terms and conditions are "routinely updated and published on the bank’s website" and the bank does not provide direct notifications via email, mobile app, or text message, it added.

The revised clause grants the bank full authority to obtain and verify cardholders' personal information from government agencies. The previous clause reserved only a general right to verify information through any sources it deemed appropriate. The revision also expanded the bank's authority to "continuous" monitoring of accounts and transactions, replacing language that tied such monitoring to specific events such as card renewals.

"No data is shared between Immigration and Bank of Maldives," the bank sought to reassure the public on social media amid an outcry over digital privacy and questions raised over the legal basis on which a state agency is sharing data on the movements of named individuals with a commercial bank. The Maldives lacks a comprehensive data protection law, despite a draft bill that has been pending for years.

Under the integration, BML's transaction system queries Immigration to verify whether a cardholder is physically inside or outside the Maldives at the moment a card is presented at an overseas ATM or point-of-sale terminal.

"This targeted approach ensures that customers travelling abroad can continue to use their cards seamlessly for genuine transactions, while strengthening safeguards against unauthorised or abusive practices which are against the international card payment networks standards," the bank said, referring to individuals who hand their physical cards to others travelling abroad in order to circumvent monthly foreign currency limits.

The Immigration integration is one component of a wider package Bank of Maldives has rolled out to manage a structural and worsening dollar shortage. BML, the country's largest bank and majority state-owned, previously imposed a 30 percent transaction fee on six foreign e-commerce platforms including Temu, Shein and AliExpress, halved foreign ATM cash withdrawal limits, and launched a new "Student Card" with a US$ 1,200 monthly cap. New measures formally announced this week introduced a daily aggregate budget for online dollar transactions and a 30-transaction monthly cap per customer on e-commerce. The bank says the daily allocation is intended to ensure dollars are distributed to a wider population rather than aggregated by a small number of parties using personal limits for commercial purposes.

The pattern of abrupt policy shifts has precedent. In August 2024, the bank suspended foreign transactions on Rufiyaa-linked debit cards overnight, triggering panic among Maldivian students and patients abroad before the government forced a reversal within six hours. President Dr Mohamed Muizzu subsequently accused the bank of attempting "a financial coup," A police investigation has yet to produce arrests or charges.

Over the past week, the new measures prompted a flurry of complaints on social media about declined transactions, blocked card payments and unexplained limits. Many said they only learnt the rules when their cards stopped working. The complaints span subscriptions, online purchases and travel-related payments.

The package has also drawn political pushback. Fayyaz Ismail, the former chairman of the opposition Maldivian Democratic Party who served as economic development minister in the previous administration, accused the bank of "patchwork decisions to cover up gross incompetence" and said BML "needs to stop being the purse and lapdog of the Muizzu government." Replying on X, Bank of Maldives spokesman Mohamed Saeed said the measures were intended to ensure "fair and equitable access to foreign currency for legitimate personal use and essential public needs."

In a written response to the Maldives Independent, BML described the arrangement with Immigration as a "strategic digital partnership" but declined to provide documentation of the legal instrument. It pointed to a 2017 partnership with Immigration for the launch of the digital Passport Card as historical context for the institutional relationship.

Clause 6.1 of the terms and conditions prior to the recent amendment authorised the bank to "verify the veracity of the information furnished by whatever means or from whichever source deemed necessary," BML noted.

The bank said the verification step at the heart of the new arrangement was "an extension of the transaction authorisation process which verifies the authenticity and validity of the card and availability of funds. An additional check has been introduced as part of this transaction authorisation process to ensure that the cardholder is indeed abroad when a cardholder present international transaction takes place. The purpose of the verification is to enhance fraud prevention, particularly in situations where cards have been fraudulently used abroad while the cardholder remained within the country."

The arrangement involves no transfer or storage of personal data on the bank's side, it stressed: "The bank maintains that the additional verification measures do not represent a departure from standard banking practice. Banks are already required to carry out ongoing verification checks, including confirming cardholder identity and transaction legitimacy."

But the insistence that the integration involves no transfer of personal data leaves unanswered the question of whether Immigration's response to a query – confirmation that a named individual is inside or outside the country – itself constitutes a disclosure by the agency, regardless of what BML subsequently does with the response. The amended terms also reserve the authority to obtain "personal information" from Immigration and the ID Card Unit. 

Lawyers and technical specialists who have examined the arrangement say the privacy concern is not about what the bank knows of its own customers' transactions – a routine feature of banking – but about the legal authority for Immigration, a state agency holding data on the movements of every person crossing the Maldivian border, to disclose it on demand to a commercial bank.

A cybersecurity researcher who goes by the handle Fishie challenged the "no data is shared" claim. "Data is anything that relates to a person," he told the Maldives Independent. "I can turn a light on and off – that might not mean anything to anyone. But if I only turn the light on when I'm home and off when I'm not, that is information to everyone around me that I am not home. So even if Immigration responds with a yes or no, that is data being shared. The question is, does the bank have the right to ask Immigration for this without the user's consent? And does Immigration have the right to give it without the user's consent?"

The underlying problem is about consumer rights, argued Fishie, an advocate for data protection. "Is BML our legal attorney? How can a company consent on behalf of us? What else can they consent for?" he asked. Customers who have not engaged in card-sharing are nevertheless subject to the same surveillance, he added.

If either system were breached, an attacker would learn whether a person was inside or outside the country at any given time. Depending on what is logged at each end, they could potentially extract destinations, timestamps, and patterns of travel.

Lawyer Hamza Latheef set out a constitutional analysis on X. Article 24 of the constitution gives every person a reasonable expectation that their personal information will be handled in accordance with the Maldives' international obligations and democratic practices. Any action engaging a fundamental right is constitutional only if it is a proportionate measure, taken in accordance with due process, in pursuit of a legitimate aim. A bank's interest in improving dollar liquidity, Hamza argued, does not meet that threshold in the way crime prevention might. The proper route in suspected card-misuse cases should be referral to law enforcement, which can then obtain travel data through established legal channels.

"Their [Immigration's] privacy policy gives the public the impression that they will not under any circumstances share data with third parties such as BML. Failure to follow that published policy is a violation of the trust people had in it," he added.

"The mass sharing of travel data with a private entity, even one in which the state holds shares, is in my view an unwarranted infringement of the privacy of the persons to whom the data pertains," he wrote, calling the arrangement "a harbinger of other more serious violations."

Former MP Ali Hussain questioned the legality of information sharing between the bank and Immigration in the absence of a comprehensive data protection or privacy law. 

Other legal experts cast doubt on whether private contract terms between a bank and a customer could create authority that does not otherwise exist in statute, or whether consent obtained through a unilateral change – with surrender of the card as the only refusal mechanism – could qualify as valid consent under data protection norms applied in most jurisdictions.

Immigration has also amended its published privacy policy. Until this week, the policy on the IMUGA portal stated unambiguously that data was "not shared with third-party companies or external entities." That commitment has been replaced with new language authorising Immigration to "share data and information with law enforcement agencies and other relevant entities for the purposes of law enforcement and compliance with financial and telecommunication regulatory requirements." 

Article 41 of the constitution guarantees freedom of movement, including the freedom to leave the country. Any infringement of either right must be a proportionate measure, taken in accordance with due process and pursuing a legitimate aim. 

On Wednesday, Attorney General Ahmed Usham announced at a press conference that the government would submit the data protection bill to the People's Majlis "in the next two or three days." Work on the bill had been ongoing for some time, he said, describing it as legislation that would establish a framework for the collection, processing and use of personal data as well as defining the rights of data subjects and the obligations of those processing the data. 

The Maldives Independent sent detailed questions to Immigration and the Maldives Monetary Authority on Tuesday morning, including questions on the legal instrument underpinning the integration, the timing and approval of the terms and conditions amendment, and whether the Attorney General's Office was consulted. Neither responded by the time of publication on Thursday afternoon.