Malaysia’s payments landscape has evolved rapidly since the pandemic, accelerating into a more firmly digital-first economy.
E-payment usage in Malaysia continues to climb rapidly, with transactions per capita rising from 285 in 2022 to 343 in 2023, before surging further to 409 in 2024, signalling that the country has been steadily moving away from cash.
At the same time, real-time payment rails and QR-based transactions have become deeply embedded in everyday transactions across the country.
Schemes such as DuitNow QR, in particular, have reached near ubiquity.
As of end-2024, there were over 2.6 million registered acceptance points, with transactions doubling to 870 million in 2024 from 360 million in 2023.
The home of the Malayan tiger now ranks second globally in QR payment adoption, reflecting both strong consumer uptake and coordinated industry efforts to standardise the ecosystem.
Cross-border connectivity is also expanding, with Malaysia linking its payment systems to regional counterparts, enabling seamless QR payments and real-time transfers across markets such as Singapore, Thailand and Indonesia.
In this environment, resilience is no longer confined to back-end operations. It plays a central role in how payment providers deliver services, scale infrastructure, and maintain trust.
Against this backdrop, regulatory expectations are also evolving.
It is within this context that Bank Negara Malaysia issued its Policy Document on Technology Requirements for Payment Services Regulatees on 12 March 2026, establishing clearer expectations for how payment providers manage technology risk, cybersecurity and operational resilience in an increasingly digital financial system.
At its core, the policy aims to strengthen the resilience and security of Malaysia’s payment ecosystem as digital adoption accelerates.
Who Falls Under the New Framework?
BNM’s policy centres on a category it defines as Payment Services Regulatees, encompassing a wide spectrum of non-bank players embedded within Malaysia’s payments ecosystem.
Included within this group are approved issuers of electronic money, registered merchant acquirers, licensed money services businesses, and operators of a designated payment system.
Together, these entities form the connective layer of digital payments, enabling funds to move seamlessly between consumers, businesses and financial institutions.
Banks, by contrast, are already subject to BNM’s broader technology risk framework under its Risk Management in Technology (RMiT) policy.
Extending similar expectations to non-bank players effectively closes a long-standing gap, particularly in areas such as cybersecurity, governance and operational resilience.
A Tiered Approach to Regulating Payment Providers
With such a diverse group in scope, a one-size-fits-all approach would have been impractical.
The policy adopts a tiered structure that reflects differences in size, complexity and transaction activity across payment providers.
The framework comprises four tiers, with one key threshold covering payment services regulatees that process more than RM1.5 billion in annual transaction value or over seven million transactions annually, subject to the document’s qualification criteria.
BNM mandates that groups aggregate the transaction volumes and values of multiple entities sharing common technology infrastructure or controls to determine if they meet regulatory thresholds.
This rule prevents firms from fragmenting their operations to avoid stricter requirements.
This proportional model aligns regulatory expectations with systemic importance, while maintaining a consistent baseline of safeguards across the ecosystem.
At the same time, certain non-digital money services businesses involved solely in currency exchange or wholesale currency activities fall under a simplified approach, where requirements focus on basic cyber hygiene such as firewalls, anti-virus protection and password controls rather than full-scale governance and strategic obligations.
Boards to Take Greater Responsibility for Technology Risk
Regulatory expectations now extend beyond operational controls into the way firms govern their organisations.
A notable shift within the policy is the elevation of technology risk to the highest levels of decision-making. Boards are now expected to take a more active role in oversight.
Part of that responsibility involves setting technology risk appetite levels and ensuring alignment between IT strategy and the organisation’s broader risk management priorities.
Attention is also turning to longer-term planning, with boards expected to oversee cybersecurity strategies spanning at least three years and ensure that sufficient resources are in place to support them.
Taken together, these changes position technology risk alongside financial and operational risk as a core board-level concern.
Cybersecurity Leadership Becomes Mandatory
The central bank now requires payment providers to appoint a Chief Information Security Officer (CISO), who is to lead the firm's cybersecurity and system integrity management efforts.
This role carries both operational and strategic responsibilities. It includes advising senior leadership on emerging threats, assessing existing safeguards, and ensuring that critical systems and data remain protected.
The CISO must remain independent from day-to-day technology operations, but may take guidance from a group-level CISO and can hold additional roles, provided these do not compromise their independence or effectiveness.
Preparing Firms to Detect and Respond to Disruptions
Each payment provider must establish a comprehensive technology risk management framework (TRMF), covering system classification based on criticality, risk monitoring and incident response.
The framework emphasises not only prevention, but also recovery: it requires firms to detect disruptions quickly, contain their impact and restore services with minimal downtime.
Firms must also support their technology infrastructure with robust business continuity and disaster recovery capabilities.
Furthermore, payment providers offering digital services must provide a secure self-service “kill switch” so that customers can instantly suspend and reinstate their accounts if they suspect fraud.
Oversight of Third-Party Technology Providers
BNM makes it clear that accountability remains with the payment provider.
Outsourcing technology functions does not transfer responsibility for security or service reliability, reinforcing the need for robust vendor due diligence, contractual safeguards and ongoing risk monitoring.
A One-Year Window to Get Ready
Adapting to these heightened expectations will take time, with payment services regulatees being given a one-year implementation window.
However, they are required to conduct a gap analysis and submit an implementation action plan to BNM within 90 days.
This places the gap analysis deadline around June 2026, with full compliance required by 12 March 2027.
This phased approach balances urgency with practicality, allowing firms to strengthen governance, enhance cybersecurity capabilities and formalise internal processes.
Featured image: Edited by Fintech News Malaysia based on an image by Freepik.

