Bank Negara issues new Policy Document on Risk Management in Technology

Bank Negara Malaysia (‘BNM’) issued a new Policy Document on Risk Management in Technology (‘RMiT PD’) on 1 June 2023.
 
The RMiT PD applies to: 
  • Licensed banks, including licensed digital banks;
  • Licensed investment banks;
  • Licensed Islamic banks, including licensed Islamic digital banks;
  • Licensed insurers, including professional reinsurers;
  • Licensed takaful operators, including professional retakaful operators;
  • Prescribed development financial institutions;
  • Approved issuers of electronic money; and
  • Operators of a designated payment system. 
The key updates to the RMiT PD include:
  • additional guidance to strengthen a financial institution’s cloud risk management capabilities, as set out in paragraph 10.50 and Appendix 10 of the RMiT PD;
  • a shift to a risk-based approach in the cloud consultation and notification process, as set out in paragraph 15 of the RMiT PD, with corresponding updates to the risk assessment and submission requirements; and
  • the use of multi-factor authentication (MFA) as a security control, which is now denoted as a standard requirement.
The RMiT PD came into effect on 1 June 2023, except for paragraph 10.50, paragraph 15 and Appendix 10, which come into effect on the dates set out below in respect of the relevant financial institutions other than a licensed digital bank or licensed Islamic digital bank:
  (a) 1 June 2024 in respect of financial institutions which had already adopted public cloud for critical systems prior to the issuance date of the RMiT PD. However, if any of the terms of the financial institution’s existing cloud service contracts are not in accordance with the provisions of Appendix 10, the financial institution may make the necessary amendments or modifications at the next renewal of the relevant contracts, i.e. after the effective date of the relevant provisions of the RMiT PD in respect of that financial institution; and
  (b) 1 June 2024 in respect of financial institutions which had not adopted public cloud for critical systems prior to the issuance date of the RMiT PD.
The RMiT PD came into effect on 1 June 2023 in respect of a licensed digital bank or licensed Islamic digital bank.
 
The RMiT PD supersedes the policy documents, circulars and guidelines listed in paragraph 7.1 of the RMiT PD. It is important to note that the Policy Document on Risk Management in Technology issued by BNM on 1 January 2020 will be superseded from 1 June 2023 except for paragraphs 10.49, 10.50, 10.51 and 10.52 thereof which will remain applicable until 31 May 2024 in respect of financial institutions described in paragraphs (a) and (b) above.
 
BNM has also issued a set of revised Frequently Asked Questions on Risk Management Information Technology to assist in the implementation of the revised policy requirements in the RMiT PD. The revised Frequently Asked Questions can be accessed here.
 
Comments
 
The RMiT PD provides, among others, additional guidance and standards for financial institutions in the adoption of cloud services. For example, when conducting the comprehensive risk assessment prior to cloud adoption, financial institutions are required to address not only the risks associated with the location of the cloud infrastructure, but also any potential geo-political risks and legal risks that may impede compliance with any legal or regulatory requirements.[1]
 
As cyberattacks and data security breaches become increasingly common, the enhancements introduced under the RMiT PD are welcome and will serve to preserve public confidence in the Malaysian financial system.
 
Alert by Lee Ai Hsian (Partner) of the Banking and Finance Practice of Skrine.
[1] Paragraph 10.49(c) of the RMiT PD.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.