Following on from the issue of an exposure draft in December 2021, Bank Negara Malaysia (‘BNM’) issued the policy document on Business Continuity Management (‘BCM Policy Document’) on 19 December 2022. The BCM Policy Document will come into effect on 19 December 2023 (except for requirements on testing of a disaster recovery plan specified in paragraph 9.48 which will come into effect on 19 December 2025).
The BCM Policy Document applies to licensed banks, licensed investment banks, licensed Islamic banks, licensed insurers, licensed takaful operators, prescribed development financial institutions, operators of designated payment systems and approved issuers of electronic money (individually an ‘FI’ and collectively ‘FIs’).
The BCM Policy Document seeks to:
To achieve the aforesaid objectives, the BCM Policy Document requires each FI to, among others:
An FI’s BCP must include contingency arrangements for the continued availability of essential services such as self-service terminals (e.g. automated teller machines (ATM) and cash deposit machines), online services (e.g. electronic banking, mobile banking, trading platforms, payment card services, money changing, fund transfers and electronic money services), call centres, issuance of guarantee letters for medical insurance or medical takaful coverage, claims processing and issuance and renewal of insurance policies and takaful certificates, and authorisation, clearing and/or settlement of payment transactions.
The BCM Policy Document also sets out factors that are to be taken into consideration by an FI in performing the RA and BIA, determining its CBFs and the business objectives for CBFs, formulating the CMP, BCP, DRP and the crisis communication plan, and establishing its alternate site and recovery site. It also sets out the requirements for a regular review and testing of an FI’s BCM. FIs are also required to ensure their CMP, BCP and DRP provide for all outsourcing arrangements and comply with the relevant requirements in BNM’s policy document on Outsourcing.
The BCM Policy Document requires an FI to notify BNM of all non-cyber and cyber incidents in accordance with BNM’s prescribed templates via BNM’s centralised email system (or via alternative channels where notification through the centralised email is not possible) as soon as the FI is able to do so.
For non-cyber incidents, an FI must categorise the level of disruption (‘LoD’) that affects the CBFs based on the locality and notify BNM of such disruption based on the timelines corresponding with the LoD under paragraph 10.4 of the BCM Policy Document.
For all cyber incidents, an FI must notify BNM within two hours upon the confirmation of the disruption. ‘Confirmation’ (of the disruption) is clarified by BNM in the BCM Policy Document to mean ‘following a preliminary investigation to determine if the incident is cyber centric or originated from a cyber related root cause (e.g. ransomware, DDoS, data leak).’
In addition, the BCM Policy Document outlines the roles and responsibilities of the board of directors, senior management and the CMT in the implementation of the FI’s BCM framework. An FI may also establish a BCM function either as a standalone function or as part of other functions, whose responsibilities may include coordinating and facilitating the implementation, testing and review of the BCM function, reporting to the committee on the implementation and issues relating to the BCM framework and coordinating actions on business continuity and recovery in the event of a disruption.
When the BCM Policy Document comes into effect, it must be read together with the documents set out in paragraph 6.1 and will replace the documents set out in paragraph 7.1 thereof.
Alert by Lee Ai Hsian (Partner) of the Banking and Finance Practice and Grace Teo Shi Kay (Senior Associate) of Corporate Practice of Skrine.