Bank Negara Malaysia (BNM) recently imposed administrative monetary penalties on two major Malaysian banks, CIMB Bank and Maybank, for failing to comply with regulations related to service availability and operational resilience.
On 29 July 2024, BNM fined CIMB RM760,000 following service disruptions on 8 and 9 April 2024.
These disruptions affected e-banking channels, ATMs, and card services, exceeding the downtime limits set by BNM’s Risk Management in Technology (RMiT) Policy.
The investigation revealed that CIMB’s non-compliance resulted from lapses in the execution of its response and recovery process.
Specifically, CIMB struggled to restore services promptly, which led to prolonged outages and impacted the availability of essential banking services for its customers and counterparties.
In response, CIMB has taken steps to strengthen its IT systems, including enhancing its real-time IT infrastructure monitoring function, to improve its ability to recover from future incidents and prevent further non-compliance. The penalty was paid on 12 August 2024.
Maybank faced a heftier fine of RM4.32 million for repeated service outages between June 2023 and May 2024, impacting its mobile banking platform and MAE app.
These disruptions also breached BNM’s RMiT requirements, with investigations pointing to Maybank’s inability to recover effectively and promptly from unexpected system disruptions, as a key issue.
To prevent future problems, Maybank has started making improvements to its infrastructure, taking necessary actions to close these gaps as part of its multi-year infrastructure investments to enhance application and infrastructure resiliency. The fine was settled on 8 August 2024.
The central bank said in a statement,
“BNM expects all financial institutions to maintain a high level of technology resilience against operational disruptions to ensure the continuous availability of essential financial services.
BNM will not hesitate to take appropriate supervisory and enforcement actions when financial institutions fall short of regulatory expectations.”