Bank Negara Malaysia - Policy Guidance on ‘Risk Management in Technology’ (‘RMiT’)



The Central Bank of Malaysia or Bank Negara Malaysia (‘BNM’) on 18 July 2019 issued another policy document, which sets out its requirements for the management of technology risk by the nation’s Financial Institutions (‘FIs’).

When does this take effect?

The Effective Date of this document is 1 January 2020.

Who does this apply to?

This document will affect any FIs that are listed under the scope of BNM as:

a) A licensed person under the Financial Services Act 2013 (‘FSA’) and the Islamic Financial Services Act 2013 (‘IFSA’), excluding branches of a foreign professional reinsurer and a professional retakaful operator;

b) A prescribed development financial institution under the Development Financial Institutions Act 2002 (‘DFIA’);

c) An eligible issuer of electronic money with substantial market presence; and

d) An operator of a designated payment system.

This means the RMiT would apply to the following entities:

1. Licensed Banks

2. Licensed Investment Banks

3. Licensed Islamic Banks

4. Licensed Insurers including Professional Reinsurers

5. Licensed Takaful Operators including Professional Retakaful Operators

6. Prescribed Development Financial Institutions

7. Approved Issuer of Electronic Money

8. Operator of a Designated Payment System

What are the policy requirements?

Before considering compliance, FIs must have regard to the size and complexity of their operations, so that the risk management practices they adopt from the RMiT are commensurate with their increased technology risk exposure. The requirements under this policy document, much like the RMiT Exposure Draft published last year on the 4th September 2018 and which came into effect on the 1st June 2019, expand the standardized hygiene and effective management practices expected for:

(1) Governance - Responsibilities of the Board of Directors and Senior Management

a. By requiring effective implementation of a sound and robust Technology Risk Management Framework (‘TRMF’) and Cyber Resilience Framework (‘CRF’);

b. And designating several board-level committees for oversight, such as a Board Risk Committee (‘BRC’) and a Board Audit Committee (‘BAC’) that are separate and independent from one another.

(2) Technology Risk Management

a. By understanding the apparent risks of technology in the FIs by ensuring the TRMF is an integral part of the entire enterprise’s Risk Management Framework (‘ERM’);

b. And the designation of an independent certified Chief Information Security Officer (‘CISO’) who is responsible for ensuring that the FI’s information assets and technologies are adequately protected, through measures such as a Data Centre Risk Assessment (‘DCRA’).

(3) Technology Operations Management

a. Project Management - By establishing appropriate governance requirements commensurate with the risk and complexity of technology projects and their implementation giving regard to 7 key areas from general adequacy and competency to configuration of security controls over the project’s life cycle to disaster recovery readiness and crisis management.

b. Systems Development and Acquisition - By establishing an Enterprise Architecture Framework (‘EAF’) on which FIs plan and structure system development and acquisition strategies to meet business goals.

c. Cryptography - Through the use of industry standard encryption algorithms, message authentication, digital signatures, cryptographic key lifecycles and compromise recovery plans.

d. Data Centres - By specifying that the resilience and availability of such centres are aligned with the FI’s business needs, with an infrastructure that is secure and scalable.

e. Cloud Storage - By consulting BNM before using any public cloud for any critical FI systems, in essence not prohibiting any cloud use but regulating its aspects strictly for CII and confidential information.

f. Outsourcing to Third-Parties - By requiring that the arrangements be made under service level agreements with minimum incorporated requirements that are compliant with applicable regulations.

(4) Cybersecurity Management

a. First and foremost, through an enterprise-wide focus on and understanding of prevalent cyber-threats, and the employment of measures such as Identification, Protection, Detection, Response and Recovery (‘IPDRR’) against extreme but plausible cyber-attacks such as a Distributed Denial of Service (‘DDOS’), with a clear Data Loss Prevention (‘DLP’) strategy and a dedicated Security Operations Centre (‘SOC’) that may also supervise regular internal awareness and training.

What are the new regulatory processes involved?

(1) Notification for Technology-Related Applications

a. When introducing new technology, FIs must notify the Central Bank prior to conducting e-banking, internet insurance and internet takaful services, and submit to BNM the following information:

i. Risks identified and strategies to manage such risks;

ii. Security arrangements and controls;

iii. Terms and Conditions for e-banking, internet insurance and internet takaful services;

iv. Client charter for e-banking, internet insurance and internet takaful services;

v. Privacy policy statement; and

vi. Any outsourcing or website link arrangements, or strategic alliances or partnerships with third parties that have been finalised.

(2) Assessment and Gap Analysis

a. FIs must perform a gap analysis of existing practices in managing technology risk against the requirements in this Policy Document, to highlight key implementation gaps. This gap analysis and an action plan with a clear timeline and milestones must be submitted to BNM no later than 18 October 2019.


Much like the RMiT Exposure Draft, this official policy document reflects the growing development and great strides made towards effecting substantial change in the IT infrastructure of the nation’s financial sector. With a number of cyberattacks having impacted several prominent FIs in 2019, this policy document and its effective mandatory requirements lay out systematic, detailed guidance for FIs to follow zealously.

This policy document, being one of many that BNM has issued in relation to RMiT, has undoubtedly spurred a technological upheaval among FIs, which must rigorously continue reviewing their existing systems, frameworks and processes to ensure their sustainability. The efficacy of the results, in deterring the imminent danger and showcasing calm proficiency in the event of a crisis, has yet to be revealed. FIs should immediately recognize this opportunity to either rise to the occasion of being cybersecure in this digital age or be prepared to suffer irrecoverable consequences.

For more information, please contact:

Suaran Singh Sidhu
Partner Intellectual Property and Technology
T: +603 9212 9287

Brian Law
Regional head of IP Partner Head, Intellectual Property
T: +65 6361 9873
