Bank Negara Malaysia has imposed a RM1 million administrative monetary penalty on Bank Rakyat over breaches involving cybersecurity and customer information protection. The penalty was paid on 26 January 2026.
The penalty was imposed on 20 January 2026 after BNM found that Bank Rakyat had failed to comply with requirements under its Risk Management in Technology policy document and its policy on the management of customer information and permitted disclosures.
BNM said the breaches were uncovered after a cybersecurity incident in which an external threat actor gained unauthorised access to the bank’s IT infrastructure.
It linked the breaches to inadequate cybersecurity controls and weaknesses in incident response.
According to the regulator, Bank Rakyat failed to implement robust cybersecurity standards and did not have adequate controls to safeguard customer information.
The bank has since taken steps to strengthen its cybersecurity and ICT controls, as well as its resources and governance arrangements.
In setting the penalty, BNM said it considered the severity of the breaches, the bank’s lack of reasonable care in ensuring compliance, its current controls to ensure compliance, and its past compliance record.
It also took into account the bank’s conduct after the incident, including the effectiveness of remedial measures taken to prevent a recurrence.
The latest action comes after BNM fined Bank Rakyat RM2.85 million in June 2025 over separate breaches linked to repeated service disruptions and weaknesses in its response and recovery processes.

