Malaysia's central bank has launched a public consultation on its plans for risk management in the financial sector, including for payments and e-money firms.
Bank Negara Malaysia (BNM) is seeking feedback on a new set of guidelines that aim to enhance cyber resilience and technology risk management within the nation’s financial sector.
The "Risk Management in Technology" (RMiT) exposure draft, released on November 7, outlines stringent new requirements for financial institutions to safeguard against evolving cyber threats, aiming to ensure the security and stability of Malaysia's financial systems.
The proposed rules, which are open for feedback until January 31, 2025, will apply to a wide range of financial institutions, including banks, insurers, e-money issuers, payment system operators and remittance service providers.
Once finalised, the policy is expected to take effect in 2025, with different timelines for specific institution types.
The central bank’s draft emphasises building resilience against rising cyber threats and operational disruptions, a concern that has been triggered by global trends in cybercrime and the increased complexity of technology systems in financial services.
The big picture
Considering ongoing regulatory work in the EU and the UK with regard to operational resilience, risk management to manage issues such as cybersecurity and technological advancements is becoming an increasingly global topic.
In July, for example, regional financial hub Singapore released updated guidelines on risk management, and the Hong Kong Monetary Authority finalised its risk management framework in 2023.
Malaysia’s new regulatory framework focuses on a variety of issues.
Institutions are instructed to adopt a "zero-trust" approach, carrying out frequent security testing and exercises. The regulator is also advising that financial institutions need to secure backup systems against ransomware, enable rapid data recovery, and limit service disruptions due to technology or cyber incidents to no more than four hours annually, with a maximum allowable downtime of 120 minutes per incident.
Additionally, Malaysia has said that institutions need to regularly update systems to address vulnerabilities and ensure the stability of critical financial infrastructure.
When it comes to cloud services, institutions have been advised to perform risk assessments that cover data ownership, confidentiality, and compliance with local and international standards.
The central bank’s guidelines also require separate virtual hosts for different environments and emphasise assessing risks such as deployment model complexity, data security in the event of service termination, and the respective roles of the institution and its cloud providers. Third-party providers also need to be closely monitored, with strict service level agreements for data protection and business continuity.
Malaysia’s regulator has also made clear that attention needs to be given at board level to these issues. The policy mandates boards of directors to actively oversee cybersecurity, requiring institutions to set clear cyber risk tolerances and establish board-level committees focused on technology risks.
Given the increasing cyber threat landscape, boards are advised to allocate time to discuss cyber risks, including strategic and reputational risks, with input from external experts. They must also ensure continuous engagement in cybersecurity training and preparedness.
Why should you care?
Once the guidelines are enacted, non-compliance could result in strict enforcement actions from the BNM, with the regulator saying that “enforcement or supervisory actions can be taken against the financial institutions including its directors, officers and employees for any non-compliance with any provision”.
Potential enforcement actions for failing to comply with the incoming compliance requirements include mandating an independent external review of specific risk areas, requiring the institution to implement a targeted remediation plan, imposing additional capital requirements if necessary, and taking other appropriate measures to address the risks.
As things stand, payment firms operating in Malaysia should lay the groundwork for compliance with this framework, as it will undoubtedly affect their day-to-day business.
For example, many payments firms rely on cloud services and third-party providers for their data handling. Organisations should evaluate their cloud infrastructure for risks such as data commingling, vendor lock-in, security configuration limitations, and compliance with local and international standards.
Firms would also do well to scrutinise third-party agreements and service level agreements (SLAs) to ensure data ownership, secure data handling and adequate response protocols during service interruptions.
To protect against service disruptions, payments firms should also invest in secure, tamper-proof backup solutions with rapid data recovery capabilities, and regularly test these systems to ensure quick recovery, particularly for essential payment functions that are critical to customers and business partners.
Ultimately, payments firms with business in Malaysia can anticipate closer regulatory scrutiny under the new requirements, including potential external reviews if the BNM detects risk management deficiencies.
Preparing documentation, conducting internal audits and developing targeted action plans for identified risks will demonstrate readiness for compliance assessments.
Payments and e-money firms can lack the compliance resources that larger banks have, so it is crucial to get ready now, rather than face potential penalties later.