Clari5 Market Insights


Bank Negara Malaysia

Guidelines for FIs for Risk Management in Technology

Bank Negara Malaysia Sets Out Guidelines for Financial Institutions for Risk Management in Technology

By when must Financial Institutions (FIs) comply with the mandate?

FIs must meet BNM's guidelines with immediate effect.

Why has BNM issued the new guidelines?

With the more prevalent use of technology in the provision of financial services, there is a need for financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for increased vigilance and capability on the part of financial institutions to respond to emerging threats. Accordingly, Bank Negara Malaysia issued the guidelines to ensure the continuous availability of essential financial services to customers and adequate protection of customer data.

Who are the new guidelines applicable to?

The guidelines are applicable to:

  • Licensed banks, including licensed digital banks
  • Licensed investment banks
  • Licensed Islamic banks, including licensed Islamic digital banks
  • Licensed insurers, including professional reinsurers
  • Licensed takaful operators, including professional retakaful operators
  • Prescribed development financial institutions
  • Approved issuers of electronic money
  • Operators of a designated payment system

Highlights of the guidelines

The policy document covers six general policy areas:

  • Governance
  • Technology risk management
  • Technology operations management
  • Cybersecurity management
  • Technology audit and internal awareness
  • Training

and three regulatory processes:

  • Notification of technology-related applications
  • Consultation and notification related to cloud services
  • Assessment and gap analysis

Regarding control measures related to fraud, it is suggested to:

  • Deploy an automated fraud detection system with the capability to conduct heuristic behavioral analysis and mitigate the risks of all types of fraud.
  • Design and deploy reliable and stronger Multi-Factor Authentication (MFA) methods where possible, such as binding authentication to a single device and requiring it at every step that could form part of a fraudulent transaction.
  • Where a financial institution decides not to adopt MFA for financial transactions that are assessed to be of low risk, the financial institution must nevertheless implement adequate safeguards for such transactions which shall include at a minimum the following measures: (a) set appropriate limits on a per-transaction basis, and on a cumulative basis; (b) provide a convenient means for customers to reduce the limits described in paragraph (a) or to opt for MFA; (c) provide a convenient means for its customers to temporarily suspend their account in the event of suspected fraud; and (d) provide its customers with adequate notice of the safeguards set out.
  • A financial institution must implement controls to authenticate and monitor all financial transactions. These controls, at a minimum, must be effective in mitigating man-in-the-middle attacks, transaction fraud, phishing and compromise of application systems and information.
  • Establish safeguards that ensure the security of customer and counterparty information (e.g., Primary Account Numbers (PAN), Card Verification Value Numbers (CVV), expiry dates and Personal Identification Numbers (PIN) of payment cards), including to mitigate risks of identity theft and fraud.
  • Be able to set various thresholds, such as monetary values, and change them as necessary to detect potential fraud.
  • Create risk assessment criteria and decide on proportionate controls and authentication methods for transactions. The financial institution must establish a set of criteria or factors that reflect the nature, size, and characteristics of a financial transaction. The financial institution must periodically review the risk assessment criteria to ensure their continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies as well as fraud trends and incidents.
  • A financial institution must perform continuous surveillance to assess the vulnerability of the operating system and the relevant technology platform used for its digital delivery channels to security breaches and implement appropriate corresponding safeguards. At a minimum, a financial institution must implement sufficient logical and physical safeguards for the following channels: (a) self-service terminal (SST); (b) non-cash SST; (c) Internet banking; and (d) mobile application and devices. In view of the evolving threat landscape, these safeguards must be continuously reviewed and updated to protect against fraud and to secure the confidentiality and integrity of customer and counterparty information and transactions.
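The low-risk-transaction safeguards (per-transaction and cumulative limits, customer-lowered limits, MFA opt-in and temporary suspension), the adjustable thresholds, and the risk-criteria-driven choice of authentication method described above can be expressed as a single authorization policy. The following Python sketch is an added illustration of that design; it is not Clari5 product code and not text from the BNM policy document, and every class name, limit and threshold value in it is a constructed sample:

```python
"""Risk-based transaction authorization policy (added example, not Clari5 or BNM code).

Maps the safeguards in the text onto code:
  (a) per-transaction and cumulative limits        -> AccountPolicy limits
  (b) customers may reduce limits or opt for MFA   -> customer_reduce_limits / mfa_opt_in
  (c) customers may temporarily suspend the account -> customer_suspend
  adjustable thresholds and risk criteria          -> RiskThresholds / risk_factors
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # low risk, within limits: no MFA needed
    REQUIRE_MFA = "require_mfa"  # proportionate control: step up to MFA
    BLOCK = "block"              # limit breached or account suspended


@dataclass
class RiskThresholds:
    """Institution-wide, tunable thresholds (constructed sample values)."""
    mfa_amount: float = 500.0                 # amounts at or above this always require MFA
    high_risk_channels: frozenset = frozenset({"internet", "sst"})


@dataclass
class AccountPolicy:
    """Per-account safeguards for transactions the FI treats as low risk (constructed defaults)."""
    per_txn_limit: float = 1000.0
    cumulative_limit: float = 3000.0   # e.g. a daily cap
    cumulative_spent: float = 0.0      # running total against cumulative_limit
    mfa_opt_in: bool = False
    suspended: bool = False

    def customer_reduce_limits(self, per_txn=None, cumulative=None):
        """Measure (b): customers may only lower limits; raising is not self-service."""
        if per_txn is not None:
            if per_txn > self.per_txn_limit:
                raise ValueError("customers can only reduce the per-transaction limit")
            self.per_txn_limit = per_txn
        if cumulative is not None:
            if cumulative > self.cumulative_limit:
                raise ValueError("customers can only reduce the cumulative limit")
            self.cumulative_limit = cumulative

    def customer_suspend(self):
        """Measure (c): temporary self-service suspension on suspected fraud."""
        self.suspended = True


@dataclass(frozen=True)
class Transaction:
    amount: float
    channel: str          # e.g. "mobile", "internet", "sst" (hypothetical channel names)
    new_payee: bool       # first payment to this beneficiary
    device_bound: bool    # initiated from the customer's registered (bound) device


def risk_factors(txn, policy, thresholds):
    """Risk criteria reflecting nature, size and characteristics of the transaction."""
    factors = []
    if txn.amount >= thresholds.mfa_amount:
        factors.append("amount_at_or_above_mfa_threshold")
    if txn.new_payee:
        factors.append("new_payee")
    if not txn.device_bound:
        factors.append("unregistered_device")
    if txn.channel in thresholds.high_risk_channels:
        factors.append(f"high_risk_channel:{txn.channel}")
    if policy.mfa_opt_in:
        factors.append("customer_opted_in_to_mfa")
    return factors


def authorize(policy, txn, thresholds):
    """Return (decision, reasons). Limits are hard stops; risk factors escalate to MFA."""
    if policy.suspended:
        return Decision.BLOCK, ["account_suspended"]
    if txn.amount > policy.per_txn_limit:
        return Decision.BLOCK, ["per_transaction_limit_exceeded"]
    if policy.cumulative_spent + txn.amount > policy.cumulative_limit:
        return Decision.BLOCK, ["cumulative_limit_exceeded"]
    factors = risk_factors(txn, policy, thresholds)
    if factors:
        return Decision.REQUIRE_MFA, factors
    return Decision.ALLOW, []


def settle(policy, txn):
    """Record a completed transaction so the cumulative limit counts it."""
    policy.cumulative_spent += txn.amount


if __name__ == "__main__":
    thresholds = RiskThresholds()
    account = AccountPolicy()
    for txn in (Transaction(200.0, "mobile", False, True),
                Transaction(200.0, "internet", True, False),
                Transaction(1500.0, "mobile", False, True)):
        print(txn, "->", authorize(account, txn, thresholds))
```

The ordering matters: limit checks run before risk scoring so that a transaction over a customer-lowered limit is refused outright rather than merely stepped up to MFA, and `settle` is called only after the transaction completes so that declined or abandoned attempts do not consume the cumulative allowance. Thresholds live in a separate object so they can be re-tuned as fraud patterns change without touching per-account settings.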

Regarding control measures related to other areas:

  • The document includes additional guidance to strengthen financial institutions' cloud risk management capabilities. It embodies a shift to a risk-based approach in the cloud consultation and notification process.
  • The board of financial institutions must designate a board-level committee to support it in providing oversight over technology-related matters.
  • Financial institutions are required to appoint a chief information security officer to be responsible for the technology risk management function, independent from day-to-day technology operations.
  • Financial institutions must establish an enterprise architecture framework that provides a holistic view of technology throughout their companies as well as establish clear risk management policies and practices for key phases of system development life cycle (SDLC).
  • Financial institutions need to adopt strong cryptographic controls for protection of data and information.
  • Financial institutions shall host critical systems in a dedicated space intended for production data center usage and appoint an external service provider to conduct resilience and risk assessment for the data center.
  • Financial institutions need to enforce and monitor endpoint protection on cash self-service terminals (SSTs), such as installing whitelisting programs.
  • Financial institutions must develop a cyber resilience framework.
  • Financial institutions must provide adequate and continuous training for staff involved in technology operations, cybersecurity, and risk management as well as adequate regular technology and cybersecurity awareness education for all staff.
  • Financial institutions need to consult BNM prior to the first-time adoption of public cloud for critical systems.
  • Financial institutions need to perform a gap analysis of existing practices in managing technology risk against requirements outlined in the RMiT policy document.

How Clari5 helps Malaysia’s FIs quickly comply with BNM’s guidelines
