Bank Negara issues Policy Document on Technology Requirements for Payment Services Regulatees

Bank Negara Malaysia (“BNM”) issued a Policy Document on Technology Requirements for Payment Services Regulatees (“TR PD”) on 12 March 2026. The TR PD will come into effect one year after the date of its issuance, i.e. on 12 March 2027.
 
The TR PD applies to the following payment services regulatees (severally “PSR” and collectively “PSRs”): 
  • a non-bank e-money issuer as defined in the Policy Document on Electronic Money;
  • a non-bank merchant acquirer (“MA”) as defined in the Policy Document on Merchant Acquiring Services;
  • a licensed money services business under the Money Services Business Act 2011; and
  • an operator of a designated payment system under the Financial Services Act 2013 and the Islamic Financial Services Act 2013. 
Notwithstanding the foregoing: 
  • a PSR which is regulated under the Policy Document on Risk Management in Technology (“RMiT PD”) is only subject to paragraphs 2.7 and 13.3 and Appendix 10 of the TR PD; and
  • an approved operator of a payment system which is regulated under the Policy Document on Payment System Operator is excluded from the requirements under the TR PD. 
The TR PD outlines the new requirements for managing technology risks by PSRs. It also consolidates the technology requirements within the payment sector into a single policy document which will supersede the following information technology (“IT”) requirements when the TR PD comes into effect: 
  • paragraphs 30 to 34 of the Policy Document on Governance, Risk Management, and Operations for Money Services Business;
  • paragraphs 27 to 31 of the Policy Document on Electronic Money;
  • paragraphs 17 to 22 of the Policy Document on Merchant Acquiring Services; and
  • paragraphs 18 to 19 of the Policy Document on Payment System Operator. 
Tiered Approach
 
To cater for proportionate regulation, PSRs will be classified into the following four tiers:
 
Tier | Criteria | Applicable Policy Document
Tier-1 | PSRs that fulfil the criteria for inclusion under the RMiT PD. | RMiT PD
Tier-2 | PSRs with annual transaction value of more than RM1.5 billion or annual transaction volume of more than seven million and not categorised as Tier-4. | TR PD
Tier-3 | PSRs with annual transaction value of less than or equal to RM1.5 billion or annual transaction volume of less than or equal to seven million and not categorised as Tier-4. | TR PD
Tier-4 | PSRs that are non-digital money services business licensees carrying on currency exchange business or wholesale currency business. | TR PD
 
For the purposes of determining the appropriate tier applicable to a PSR, the annual transaction value or volume of PSRs that operate payment services businesses under more than one entity within the same group are to be combined when determining the RM1.5 billion (annual transaction value) or seven million (annual transaction volume) threshold, if the entities share the same technology infrastructure or controls.
 
Further, in applying the requirements applicable for each tier: 
  • paragraphs 12.6 and 12.8(a) of the TR PD are not applicable for MAs;
  • for Tier-3 PSRs, paragraphs 9.4, 9.6, 10.37, 10.54(d), 11.3(d), 11.8, 11.9(a), 11.15, 11.16 and 12.8(a) and their corresponding appendices of the TR PD are to be considered as “guidance” and not “standard” requirements that must be complied with;
  • Tier-4 PSRs are subject to requirements under paragraph 16 (Simplified Approach) of the TR PD which only applies to Tier-4 PSRs; and
  • the requirements in Appendix 10 only apply to MAs. 
BNM may require a PSR that conducts both regulated and non-regulated business within the same regulated entity to: 
  • provide justification, with supporting evidence, that its non-regulated business does not cause contagion risk to or compromise the regulated business; and
  • put in place risk mitigation measures or take certain actions to eliminate or reduce any risks or negative impact caused by its non-regulated business to its regulated business. 
Summary of Main Provisions of the TR PD
 
Part B of the TR PD consists of ten paragraphs, the provisions of which are summarised below.
 
Governance
 
Paragraph 8 sets out the responsibilities of the board of directors in relation to the IT requirements of a PSR. Their responsibilities include, among others, reviewing the adequacy of the PSR’s IT and cybersecurity plans covering a period of not less than three years and ensuring that the PSR’s IT-related framework, policies and guidelines are reviewed at least once every three years.
 
The PSR’s senior management is primarily responsible for the day-to-day management of technology risk, including cyber risks. The senior management must establish a cross-functional committee (comprising senior management from the cyber and technology functions, as well as major business units) to provide guidance on the PSR’s technology plans and operations. The responsibilities of this committee include, among others, overseeing the formulation and effective implementation of the strategic technology plan and associated technology policies and procedures, and providing timely updates to the board on key technology matters.
 
Technology Risk Management
 
A PSR is required to ensure that its Technology Risk Management Framework (“TRMF”) is an integral part of the PSR’s enterprise risk management framework.
 
The TRMF is required to cover the matters set out in paragraphs 9.2(a) to 9.2(k) of the TR PD.
 
The PSR must establish an enterprise-wide technology risk management function which is responsible for, among others, implementing the TRMF and cyber resilience framework, advising on critical technology projects and providing independent views to the board and senior management on third party assessments, where necessary.
 
A PSR must also designate a Chief Information Security Officer (“CISO”) who is to be responsible for the technology risk management function of the PSR. Details of the CISO’s responsibilities are set out in paragraphs 9.5 and 9.7 of the TR PD.
 
Technology Operations Management
 
Paragraph 10 of the TR PD sets out the requirements that a PSR and, where applicable, its board and senior management, must comply with in respect of the following: 
  • Technology Project Management;
  • System Development and Acquisition;
  • Patch and End-Of-Life System Management;
  • Cryptography;
  • Data Centre Resilience;
  • Service Availability;
  • Network Resilience;
  • System Backup and Restoration;
  • Third Party Provider Management;
  • Cloud Services; and
  • Access Control. 
Cybersecurity Management
 
Paragraph 11 of the TR PD sets out the requirements in relation to Cybersecurity Management. These requirements are dealt with under the following specific areas: 
  • Cyber Risk Management;
  • Cybersecurity Operations;
  • Cyber Response and Recovery; and
  • Cyber Reporting and Threat Information Sharing. 
Digital Services
 
Specific requirements relating to digital services are set out in paragraph 12 of the TR PD as follows: 
  • Security of Digital Services; and
  • Digital Fraud Management and Customer Awareness. 
Other Requirements
 
PSRs are required to comply with requirements for Technology Audits, External Party Assurance, and Security Awareness and Education as set out in paragraphs 13, 14 and 15 respectively of the TR PD.
 
Assessment and Gap Analysis
 
Paragraph 17 of the TR PD requires PSRs to perform a gap analysis of their existing technology risk management practices against the requirements set out in the TR PD. PSRs must also develop an action plan with a clear timeline and key milestones to address the gaps identified. The gap analysis and action plan must be submitted to BNM within 90 days from 12 March 2026.
 
Simplified Approach
 
As mentioned earlier, PSRs who are categorised under Tier-4 are only required to comply with the requirements set out in paragraph 16 (Simplified Approach) of the TR PD. This paragraph 16 does not apply to PSRs classified under Tiers 1 to 3.
 
Further Requirements
 
The TR PD also contains 11 Appendices setting out the requirements relating to the following: 
  • Appendix 1: Storage and Transportation of Sensitive Data in Removable Media;
  • Appendix 2: Control Measures on Self-service Terminals;
  • Appendix 3: Control Measures for Digital Services;
  • Appendix 4: Control Measures for Mobile Applications and Devices;
  • Appendix 5: Control Measures on Cybersecurity;
  • Appendix 6: IT and Cyber Risks associated with Third Party Service Providers;
  • Appendix 7: Guidance on Emerging Technologies;
  • Appendix 8: Key Risks and Control Measures for Cloud Services;
  • Appendix 9: Fraud Detection Standards;
  • Appendix 10: Control Measures on Payment Acceptance Device; and
  • Appendix 11: Control Measures on Quick Response (QR) Code. 
Comments
 
In a nutshell: 
  • Tier-1 PSRs are subject to the requirements of the RMiT PD and to paragraphs 2.7 and 13.3 and Appendix 10 of the TR PD;
  • Tier-2 PSRs are subject to all the requirements of the TR PD, other than paragraph 16;
  • Tier-3 PSRs are subject to all the requirements of the TR PD, other than paragraph 16 and the requirements in paragraphs 9.4, 9.6, 10.37, 10.54(d), 11.3(d), 11.8, 11.9(a), 11.15, 11.16 and 12.8(a) and their corresponding appendices of the TR PD which are to be considered as “guidance”;
  • Tier-4 PSRs are only subject to paragraph 16 of the TR PD; and
  • Approved operators of payment systems which are regulated under the Policy Document on Payment System Operator are excluded from the requirements under the TR PD. 
PSRs must now conduct a gap analysis of their existing technology practices against the requirements set out in the TR PD, develop an action plan with a clear timeline and key milestones to address the gaps identified, and submit both to BNM within 90 days from 12 March 2026. Thereafter, PSRs must rectify the identified gaps in readiness for the coming into effect of the TR PD on 12 March 2027.
 
 
Article by Lee Ai Hsian (Partner) and Chong Zhi Shin (Associate) of the Banking and Finance Practice of Skrine.
 
 

This article/alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.