Author: Vivekananda J

BNM’s three card policy documents introduce obligations across three deadline waves. Most Malaysian banks are treating them as three separate procurement tracks. The architecture decision is singular, not sequential.

The architecture decision behind the deadlines

BNM’s card PDs do not create three technology decisions for Malaysian banks. They create one architecture decision.

Malaysian issuers that treat real-time fraud detection, dispute workflow, card-not-present (CNP) authentication, and customer alerts as separate procurement tracks may meet each deadline individually. They will not meet the operating-model test BNM’s supervisor applies across the issuer.

The deadlines look sequential. The decision is singular.

The three policy documents for Debit, Credit, and Charge cards, covering conventional and Islamic variants, were issued by BNM on 19 December 2025. Their obligations land in three waves.

The first wave is already in force. Real-time fraud detection, mandatory kill switch on debit, default CNP and overseas opt-in blocking, and the liability shift provisions all activated immediately. Credit Card PD §26.1(d) sets the new standard: detection must operate in real time. Where losses arise from weaknesses in the issuer’s systems, processes, or controls, cardholder liability may be limited. BNM’s footnote example is unambiguous. A series of transactions within a short time frame, inconsistent with the customer’s normal transaction behavior, left unblocked, becomes the issuer’s exposure.

The second wave landed on 1 April 2026. Issuers now have three working days to acknowledge a card dispute, must issue a written decision, and on debit disputes, must extend provisional credit if investigation runs past 14 working days (RM 5,000 cap), with full disbursement by 30 days.

The third wave arrives on 1 January 2027. Strong customer authentication on every CNP transaction with SMS OTP capped at RM 250, secure device binding by default, cooling-off on new enrollment and contact detail changes, idle CNP re-blocking after 12 months, and expanded customer alerts covering every CNP transaction, every rejected CNP attempt, and every toggle activation.

These three waves usually engage three different internal functions and trigger three separate vendor evaluations. At audit, BNM reads them as one supervisory view.

The procurement trap

What I see consistently across deployments in India, Indonesia, the Philippines, and now Malaysia is a sequential reading of the PDs. Wave one is operational. Wave two is dispute workflow. Wave three is authentication and device. Each wave maps to a different internal function. Each function takes its slice to its preferred vendor.

The result is three procurement tracks running in parallel: three vendor evaluations, three contracts, three integrations, three audit trails reconciling to one supervisory view.

The cost is operational. When fraud detection, dispute investigation, customer alerting, and device intelligence sit on different stacks with different data formats, the bank spends investigator time on data reconciliation, not fraud analysis. An investigator opening a card dispute case routinely pivots through four or five systems before reaching a decision. Under the 3-working-day BNM acknowledgement clock, that pivoting time is the binding constraint, not the investigator’s analytical capability.

The trap is that the procurement decision feels rational at each step. Fraud buys detection. Card buys customer alerting. Risk buys device intelligence. Dispute buys case management. Each function gets what it asked for. The bank gets an architecture that BNM, at audit time, reads as one liability surface with multiple internal seams.

The dual-stack reality in Malaysia

For Malaysian Tier 1s, the procurement trap compounds with the conventional and Islamic banking duality. Most run parallel cards businesses across a conventional book and an Islamic subsidiary, often on different cards processors, with different rule sets, different investigation workflows, and different reporting lines into BNMLINK. Shariah governance overlays add an approval cycle to every rule change on the Islamic side.

From a technology-purchase view, this looks like two separate engagements. The conventional bank evaluates one stack, the Islamic subsidiary another. Vendors quote separately, deploy separately, run separate roadmaps.

From BNM’s supervisory view, it is one issuer-wide exposure. The 3-working-day dispute acknowledgement clock runs on the slowest side. The behavioral baseline asked for in audit has to be assemblable across both books. The customer alert channel cannot fragment per book if the customer holds cards across both.

This is not a Shariah question but an architecture one. Islamic-side governance can be preserved with one platform and dual-rule-policy management. Banks that try to preserve it by buying two platforms end up paying twice for the same compliance capability and running twice the integration work.

What integrated looks like

The architecture that holds across all three BNM card PD waves runs four functional layers on one platform.

1. The detection layer operates pre-authorization. Every card transaction is scored in real time against behavioral baselines built from device, location, network, and transaction signals. Rules catch known patterns. Machine learning surfaces anomalies and behavior drift. The detection layer addresses Wave 1 and produces the evidence trail the dispute desk later relies on.
2. The decide-and-investigate layer is the case management workflow. It opens a case file with detection rationale, customer history, and device evidence pre-assembled. The 14 and 30 working-day debit provisional credit triggers operate automatically. Generative AI investigator support compresses case investigation time, which is where post-April 2026 dispute volume math becomes tractable. This layer addresses Wave 2.
3. The inform-customer layer handles transaction alerts and customer notifications across SMS, in-app, and voice channels. BNM’s anti-phishing constraints (no hyperlinks, no callback numbers) are built into the alerting template. The layer scales to Wave 3’s expanded scope.
4. The learn-and-adapt layer feeds detection rules with channel-level intelligence the other layers cannot see. Voice analytics on call-center intake surfaces social engineering coaching patterns and mule recruitment scripts before they appear in transaction data. These patterns become new detection rules in the detection layer, closing the loop. This is what continuous improvement looks like under the BNM standard, and it is what allows the detection layer to keep pace with fraud typology drift between PD reviews.

That is one audit trail end-to-end. The same architecture handles the conventional book and the Islamic book under one operational model, with Shariah governance preserved at the rule-policy level rather than at the platform level.

The three BNM card PD deadlines are sequential. The architecture decision that meets them is singular. Banks scoping it as one platform decision will be in compliance position when the third deadline lands. Banks buying in three pieces will spend the next twelve months reconciling vendors instead of investigating fraud.

The deadlines are the regulator’s design. The operating model that meets them is the bank’s responsibility. Integrated platform thinking is how that operating model gets built.

Approach BNM card PD compliance as one platform decision with Clari5

The architecture described in this article is one Clari5 has built, deployed, and refined across Indian, APAC, and MENA banks, including environments running parallel conventional and Islamic banking books on different cores. Request a conversation with our solution team →

Voice analytics is the behavioral detection layer most banks already hold the raw material for. It sits inside the bank’s own call archive, in the 95 percent of recordings that go unanalyzed. 

Bank fraud detection runs on two layers today. Transaction monitoring catches what moves through the payment system. Digital behavioral analytics catches how customers click, swipe, and type. There is a third behavioral signal most banks have not yet operationalized: what customers say and how they say it during analyst calls.

The threat data tells a consistent story. Pindrop’s 2025 Voice Intelligence and Security Report tracked a 149 percent year-on-year increase in synthetic voice attacks against banks and a 1,300 percent surge in deepfake fraud attempts. UK Finance reports that 17 percent of authorized push payment fraud cases in the first half of 2025 began through telecommunications.

The conversation is no longer a customer service channel. It is a fraud surface, an investigation source, and a compliance record, all at once. Every recording already sits inside the bank’s environment. Voice analytics is the layer that can turn it into intelligence.

The behavioral intelligence layer most banks already own

Banks record every analyst-customer call as standard practice. Most do not analyze them. The industry benchmark is well documented across multiple call quality studies: traditional manual quality assurance reviews 2 to 5 percent of calls, which means 95 to 98 percent of recorded conversations are never analyzed for fraud, compliance, or investigation value. That is the gap.

Inside that gap sits evidence fraud teams cannot find elsewhere. The contact center carries fraud risk on both sides of the call: Coached mule scripts that surface long before the money moves, agent collusion, coercive language toward distressed customers, and regulatory disclosure failures that sampling cannot catch. Voice carries intent, coercion, scripted behavior, and repeat-caller patterns. None of it reaches a fraud system if the recording is never opened.

Analyzing every call rather than a sample changes what fraud teams can find. Detection no longer depends on what the agent flagged in the moment or what made it into the post-call notes. The recording is the evidence. 

What changes when every call is analyzed

Transactional fraud detection asks what happened in the payment. Digital identity analytics asks how the customer accessed the bank across devices and sessions. Voice analytics asks how the customer sounded, what they said, and what they did not. The three layers are complementary, each carrying intelligence the others cannot generate alone.

Capabilities that open up once the voice layer is in place include:

1. Earlier detection of social engineering through stress patterns, urgency cues, and coached language captured inside the call recording.
2. Mule network identification across calls, where voice biometrics link first-time-seen accounts to repeat caller voices, adding evidence at the voice layer that transaction-pattern analysis cannot generate on its own.
3. Genuine-victim versus coached-mule distinction within a single call, through pitch, rate, pauses, emotion, and cooperation patterns across the two speakers.
4. Faster case action on high-risk calls, where findings route directly into the case management workflow rather than sitting in a separate quality assurance silo.

Call recordings thus stop being archive material and become operational evidence. Voice analytics enable banks to consistently extract intelligence that is scored objectively and pushed into the same workflows where fraud and compliance teams already act.

The Clari5 Maestro fit

Clari5 Maestro Voice Analytics is built for this layer. It is a post-call forensics and audit platform that runs every analyst-customer call recording through an advanced eight-stage analytical pipeline combining machine learning, voice biometrics, and generative-AI-accelerated language understanding. Sentiment, intent, fraud indicators, compliance adherence, and conversation quality are extracted from each call and surfaced inside the bank’s existing case management workflow. Each call receives a composite risk score across voice, emotion, behavior, and fraud patterns, classified Low to Critical. Coverage is 100 percent. Languages are configurable to local market needs. 

Voice analytics is the third layer, and the one most banks already hold the raw material for. The recordings exist. The processing capacity is available. What is left is the decision to treat the call archive as evidence rather than overhead.

See how Clari5 Maestro applies to fraud and compliance operations at your bank. clari5.com/maestro

A structural reality that card issuers across the GCC, South Asia, Southeast Asia, and Africa are now confronting in operational terms: cross-border payment fraud is increasingly industrialized, with attackers deliberately routing transactions through jurisdictions where authentication standards are weakest.

A recent coordinated fraud attack on an Indian bank revealed how cross-border authentication asymmetry creates exposure for every issuer with internationally enabled card products, from forex and prepaid cards to cross-border credit and debit. This piece breaks down the attack pattern, maps who carries the exposure, and outlines what practitioners should be reviewing now.

Authentication asymmetry is the gap that opens when a card transaction routes through a jurisdiction whose authentication standard is weaker than the issuer’s home market. It is the structural vulnerability behind almost every coordinated cross-border card fraud attack in the past two years.

How protected is a card portfolio when customers transact abroad?

Your customers’ fraud exposure on international transactions is not determined by how robust your domestic authentication framework controls are. It is determined by the weakest authentication standard on the transaction route. The moment a card is used with a merchant in a jurisdiction that does not enforce the same standard you do, your domestic safeguards stop protecting. Earlier this year, a coordinated fraud attack proved exactly how it works.

The incident: A coordinated card fraud attack hit a bank’s internationally enabled card portfolio. In a five-hour window, fraudsters drained USD 280,000 across 15 merchants operating in a jurisdiction that does not mandate two-factor authentication for e-commerce. Around 5,000 cardholders were impacted before the bank’s monitoring systems contained the breach.

The bank’s systems did work, partially. They intercepted nearly 700 additional unauthorized attempts and prevented an estimated USD 100,000 in further losses. The breach was detected, contained, and followed by coordinated chargeback action. But the damage was already done before detection.

What made this attack different

Every element of the attack pointed to deliberate planning:

• The fraudsters targeted specific Bank Identification Numbers (BINs), suggesting prior intelligence about the card program’s infrastructure. This kind of BIN-targeted attack pattern is increasingly common in industrialized card-not-present fraud.
• Activity was concentrated across 15 merchants in a single geography, pointing to coordinated merchant-side infrastructure rather than scattered opportunism
• The attack was timed during early morning hours (3:30 AM to 8:30 AM local time) to maximize automated system dependency and minimize the window for human intervention
• There are reported indications of CVV compromise, raising open questions about where in the supply chain card data was exposed

The jurisdiction choice, the BIN targeting, the timing, the merchant concentration all indicate an industrialized operation built around a regulatory gap.

Who carries this exposure

If you are thinking “this is a forex card problem” or “this is a country-specific issue,” I would push back.

This exposure applies to any card product with international transaction capability: debit cards enabled for cross-border use, credit cards in international e-commerce, multi-currency prepaid cards, co-branded and partnership products, and any card-not-present flow that spans multiple jurisdictions.

The attack happened to target one bank’s forex card portfolio. The vulnerability it exploited exists in every internationally enabled card program I have seen.

Direct, regulatory, and trust costs of a cross-border card fraud incident

The USD 280,000 in direct losses is not the only number that keeps a business head up at night. The real cost is threefold:

• Direct financial impact. Fraud losses, chargeback processing costs, and the operational expense of investigating, containing, and remediating across thousands of affected accounts. For a larger portfolio or a longer detection window, multiply the numbers from this incident accordingly.
• Regulatory exposure. In the mentioned case, the central bank summoned senior bank officials for a detailed briefing on root cause, timeline, and cybersecurity adequacy. Supervisory scrutiny does not end with a single meeting. It triggers audit cycles, remediation mandates, and in some jurisdictions, public disclosure requirements. If your regulator is already tightening expectations around card security, an incident like this accelerates that pressure significantly.
• Customer trust erosion. Cardholders who discover unauthorized international transactions on their accounts do not parse the technical distinction between a domestic control failure and a cross-border authentication gap. They see a bank that failed to protect them. For card products where customer acquisition cost is high and switching cost is low, the downstream attrition impact can far exceed the fraud loss itself.

How this plays out differently across regions

The underlying vulnerability, cross-border authentication asymmetry, is universal. But the risk profile varies by market.

In Southeast Asia, cross-border e-commerce volumes are growing significantly faster than the fraud frameworks designed to monitor them. Banks scaling international card products into new corridors are inheriting authentication gaps they may not have stress-tested yet.

Across African markets, the rapid expansion of mobile money and prepaid card ecosystems is extending international reach into corridors where cross-border fraud controls are still maturing. The co-branded and partnership card models common in these markets add a layer of distributed accountability that this incident specifically exploited.

In the Middle East, regulatory modernization is moving quickly, but authentication standards still vary significantly across jurisdictions within the region. Banks operating across multiple MENA markets carry exposure not just to external geographies but to asymmetries within their own regional footprint.

None of these are hypothetical concerns. They are the operating reality for card issuers in these markets today.

Three questions your board will ask after an incident like this

If a similar attack hits your portfolio, your board or risk committee will want answers to three questions. It is worth having them ready now:

What is our actual exposure on internationally enabled card products? Not the number of cards issued, but a clear view of which products, which corridors, and which destination geographies carry the highest authentication risk.

Have we tested our cross-border fraud controls against this specific attack pattern? Coordinated multi-merchant, BIN-targeted, off-hours, routed through a jurisdiction with no two-factor mandate. If your last fraud control review did not simulate this scenario, it left a gap.

What is our detection and response time if this hits during off-hours? The five-hour window in this incident was not a coincidence. It was the attack design. If your escalation framework depends on human intervention during those hours, that is a timing vulnerability your board should know about.

What issuers should be reviewing

From a practitioner’s standpoint, four areas deserve priority attention:

1. Cross-border fraud ruleset adequacy. Do your current detection rules account for coordinated multi-merchant attacks routed through jurisdictions with weaker authentication? Most legacy rulesets were not built for this pattern.
2. Portfolio-level exposure mapping. Which card products in your book have international transaction capability, and which destination geographies carry the highest authentication risk? If you do not have a clear answer, that is the gap.
3. Off-hours monitoring calibration. Fraudsters deliberately target windows of reduced human oversight. If your detection framework relies on manual escalation during these hours, you have a timing vulnerability worth closing.
4. Card-not-present controls by jurisdiction. A flat set of rules applied uniformly across all geographies will not catch attacks designed to exploit jurisdiction-specific weaknesses. Detection logic needs to be sensitive to where the transaction is being processed, not just where the cardholder sits.

The structural trend behind cross-border card fraud

The incident is a case study in how cross-border payment fraud is evolving. Fraudsters are not just finding technical vulnerabilities. They are finding regulatory ones, jurisdictions where the rules give them room to operate, and building industrialized attack frameworks around those gaps.

The question for every issuer is not whether this can happen to you. It is whether your fraud detection framework is built for the world where it will happen.

If you would like to pressure-test your current cross-border fraud controls against this attack pattern, let’s connect.

The Regulatory Context
RBI’s latest advisory to all banks in India on integrating with the National Cyber Crime Reporting Portal (NCRP) for real-time complaint handling is unambiguous. Banks that have not completed onboarding must do so “without further delay” and treat this as “highest priority.”

The advisory also directs all banks, including those already on the portal, to complete API-based integration for real-time action on complaints. The integration must cover all systems and delivery channels. Performance must be reviewed periodically.

The message is clear; manual processing is no longer sufficient. Real-time response is now the expectation.

The Challenge
India’s instant payment infrastructure is a remarkable achievement. But speed cuts both ways. When fraud succeeds, funds can move through multiple banks, mule accounts, and exit channels within 30 minutes.

Still most banks process NCRP complaints through manual workflows. This made sense when volumes were lower. But as digital transactions scale and fraud patterns evolve, the gap between how fast money moves and how fast banks can respond is widening.

The goal now is to close that gap. When a complaint lands on NCRP, the response should be immediate: lien marked, freeze triggered, investigation initiated. This is the Golden Hour standard.

We Started This Journey Early
At Clari5, we recognised the importance of real-time NCRP integration before the regulatory push. In 2024, we partnered with Punjab National Bank to build India’s first national-scale implementation. Serving 180 million customers across 10,000 branches; PNB needed a system that could match the speed of the threat.

The Clari5 Cybercrime Complaints Processing Platform (CCCP) delivered:

• Resolution time reduced from days to within the Golden Hour
• Thousands of complaints processed daily without slowdowns
• Full automation from 1930 Helpline intake to resolution
• Complete alignment with RBI, DFS, and I4C requirements

We did not stop there. Since PNB, we have extended real-time NCRP API integration to more banks across India. Each implementation has sharpened our understanding of what works at scale.

Why Automation Matters
The benefits go beyond compliance.

Speed. When complaints resolve in the Golden Hour instead of days, funds have a better chance of recovery. Customers see the difference.

Focus. Automation handles the volume. Your investigators get to do real investigative work: pattern analysis, mule network mapping, regulatory coordination.

Confidence. When RBI reviews your fraud response capability, a working system speaks louder than a roadmap.

What This Means for Your Bank
Regardless of size, every bank faces the same question: can we respond in real time?

This does not require a multi-year transformation. We have helped banks go live under 30 days. The platform scales alike from regional players to institutions.

Nearly two decades of building fraud systems for Indian banks taught us one thing. The only defense that works is one that moves as fast as the attack. We have done this more than anyone else in this space, and we are ready to help you get there.

Looking Ahead
Regulatory expectations are only going to increase. Banks that move early will have time to refine their systems. Those that wait will find themselves under pressure.

Clari5 & PNB chose to be the Pioneers, we chose to lead. The playbook is proven. The technology is production-ready.

If you are evaluating your options, we would welcome the conversation. Schedule a demo.

Indonesia’s Financial Services Authority (OJK) is bringing in a new era of anti-fraud governance with Regulation No. 12/2024. It mandates that all Financial Services Institutions (LJKs), including banks, insurers, and fintechs, implement a comprehensive, four-pillar anti-fraud strategy. This regulation supersedes earlier fragmented rules, holds  boards and commissioners directly accountable, and expands requirements across the broader financial landscape.​

The four foundational pillars that OJK sets out are prevention; detection; investigation, reporting, and sanctions; and monitoring, evaluation, and follow-up. These anti-fraud pillars demand holistic integration across all channels and product lines. Banks must unify monitoring systems, deploy forward-looking behavioral analytics, conduct scenario-based simulations for emerging threats such as fraud rings, and provide audit-ready documentation at all times. Institutions relying on legacy rule-based systems, disconnected fraud tools, or manual reporting workflows face a critical choice: modernize rapidly or risk operational disruption, regulatory penalties, and erosion of customer trust.

Timeline: POJK 12/2024 was issued on July 31, 2024, and took effect on October 31, 2024. Banks must now have anti-fraud strategies fully operational, with the next semi-annual reporting deadline of January 31, 2026, rapidly approaching.

The Impact for Indonesian Banks
Clari5 has been transforming fraud prevention over the last two decades, iterating continuously to address challenges typically faced by large FIs and to provide an enterprise-wide solution equipped for the new-age fraud landscape. Just as the brain processes threats instantly, Clari5 can help process fraud intelligence across channels in milliseconds.

Holistic integration
Institutions must unify real-time monitoring, AI-driven analytics, and scenario management across all channels. No more silos.

Board-driven compliance
Boards are explicitly accountable for embedding anti-fraud strategies, with sharp personal penalties for lapses.

Stricter controls
From enhanced identity verification and fraud scenario simulations to real-time behavioral monitoring and fraud ring detection, compliance is both proactive and preventive.

Ecosystem-wide effect
The rules extend beyond banks, affecting conglomerate subsidiaries and non-regulated entities under their control.​

Meeting OJK 12/2024’s Mandates: The Clari5 (Perfios) Approach
OJK 12/2024 requires a unified, intelligence-led fraud strategy. Clari5, a Perfios company, delivers this through

• Holistic Integration (Article 7): Unified real-time monitoring across accounts, cards, payments, and wallets, eliminating the data silos that plague legacy systems
• Board Accountability (Article 5): Automated dashboards with incident tracking, ensuring boards have real-time visibility into fraud KPIs
• Rapid Reporting (Article 12): was Significant fraud incidents must be reported to OJK within 3 business days of discovery—a deadline impossible to meet with manual processes. Clari5’s pre-configured report templates and automated data aggregation enable 1-click submission, ensuring timely compliance and protecting board members from personal liability.
• Advanced Detection (Article 8): Graph-based analytics for fraud ring/mule detection, going beyond transaction rules to behavioral patterns

Unlike generic fraud alerts that frustrate customers by halting legitimate transactions, Clari5’s AI learns each customer’s transaction behavior. This reduces false positives and enables smooth, secure transactions. A win-win for the bank and its customers!

Why Clari5 Stands Out

Enterprise Fraud Management vs Traditional Systems

Why Clari5 Stands Out

• For a large Global Retail Bank with 150M customers, Clari5 prevented $600M fraud losses over 5 years demonstrating 90%+ fraud detection rates in real time.
• Clari5 is recognized by Chartis Research as a Global Category Leader in the RiskTech Quadrant for EFM and AML for the past 5 years.

Why Does This Change the Game?

• OJK 12/2024 accelerates Indonesia from a reactive, incident-driven model to a unified, real-time and intelligence-led approach. It will help the country outpace many regional peers while reflecting the urgency due to runaway fraud losses compared to neighboring markets:
• A recent report from Indonesia’s Financial Services Authority (OJK) found that between November of 2024 and February of 2025, the Indonesian economy lost about IDR 700 billion (USD 45 million) to scams.
• Losses accelerating faster than regional peers in the ASEAN region.
• Online Scams Drain $474 Million from Indonesians in a Year.
• The OJK established the Indonesian Anti-Scam Center (IASC) in November 2024 to identify the scale of the problem and work on collaborative solutions.
• The IASC deals with 18 types of fraud, including illegal investments, online shopping scams, unlicensed lending and social media fraud.

The Risk of Non-Compliance: Financial, Operational & Reputational

• OJK 12/2024’s penalties are designed to compel immediate action.
• Non-compliant institutions face escalating administrative sanctions including financial penalties, license suspensions.
• The market impact is equally damaging. Indonesian consumers increasingly evaluate banks on security and digital experience.
• Institutions suffering publicized fraud incidents risk deposit flight and market share loss to competitors demonstrating superior protection.
• In a digitally-driven market where switching costs are low, security perception directly impacts customer acquisition, retention, and brand value.

OJK 12/2024 marks a shift from fragmented controls to an integrated, intelligence-driven fraud framework. Indonesia’s comprehensive framework positions its financial institutions to leapfrog regional peers if they act decisively.

The path forward requires unified platforms, AI-driven detection, and automated compliance workflows. With the right technology foundation, Indonesian banks can transform OJK 12/2024’s requirements into competitive advantages: faster fraud interdiction, operational efficiency, and customer trust.

Clari5 delivers this through real-time behavioral analytics, automated reporting, and proven fraud prevention capabilities. The institutions that move quickly will define Indonesia’s financial services landscape for the decade ahead.