Escalating cyber threats, accelerating cloud adoption and increasing regulatory scrutiny mean that financial institutions (FIs) in Malaysia are under pressure to implement better technology risk controls. However, many lack the expertise and resources to act swiftly to ensure robust compliance with fast-evolving regulations.
Bank Negara Malaysia’s (BNM) Risk Management in Technology (RMiT) policy – an updated version of which became effective for various organizations in June 2023 and June 2024 – contains stringent cybersecurity, third-party risk and operational resilience requirements.[1]
A consultative Exposure Draft issued on November 7, 2024 would extend key RMiT standards from large to smaller FIs across a broad range of areas, including governance and cybersecurity monitoring.[2] It would also apply RMiT to other market participants such as non-bank merchant acquirers, and would strengthen requirements in areas such as cybersecurity assessment.
In this article, we explore some of the challenges implied by both the current RMiT policy and the Exposure Draft, before discussing how to overcome the related resourcing challenges.
BNM’s RMiT policy represents a significant evolution in cybersecurity and operational resilience, while introducing complex compliance demands in areas such as cybersecurity controls, third-party risk management and incident reporting.
Stricter cybersecurity controls
One of the most pressing challenges is the mandatory implementation of advanced cybersecurity controls, which many FIs are structurally unprepared to adopt in an efficient manner. For instance, multi-factor authentication (MFA) is now compulsory for high-risk transactions, offering a critical safeguard against account takeovers and fraud.
However, legacy core banking systems, still prevalent across Malaysia’s financial sector, often lack the APIs or modular architecture needed to integrate MFA seamlessly. This creates friction in customer journeys, such as delayed transactions or enrollment drop-offs, while forcing FIs to undertake costly middleware upgrades.
The shift to zero-trust architecture (ZTA), which FIs are encouraged to adopt, eliminates implicit trust in networks and requires continuous verification. This also demands a full infrastructure overhaul.
Many FIs continue to rely on perimeter-based firewalls and VPNs. Transitioning to ZTA necessitates micro-segmentation, identity-aware proxies and real-time threat analytics, all of which require specialist expertise and capital investment.
Meanwhile, cloud security governance has become a top priority, with BNM imposing stricter due diligence regarding cloud service providers (CSPs) and explicit accountability under shared responsibility models. FIs must now assess CSP compliance (e.g. data localization, encryption standards) while ensuring in-house teams understand the residual risks they retain – a complex task given the opacity of many cloud environments.
Collectively, these requirements force FIs to balance significant technology investments with the need to preserve an excellent customer experience – a dual mandate that strains budgets and timelines. If conducted purely in-house, it could cost some FIs tens of millions of ringgits over a few years to fully align with RMiT’s MFA and ZTA mandates and goals.
Third-party risk management (TPRM) – tighter rules
RMiT fundamentally transforms how FIs must approach outsourcing and vendor relationships. Enhanced due diligence is mandatory regarding third-party providers such as fintech partners, cloud service providers and other critical vendors.
This means FIs can no longer rely on basic vendor questionnaires or periodic audits. They must implement comprehensive assessments covering areas such as cybersecurity controls, data protection practices and business continuity measures before onboarding any external partner.
Additionally, explicit exit strategy planning in RMiT 2023 compels FIs to develop and document contingency plans in case of vendor failures or contract terminations. This might include ensuring data portability, transition protocols and backup service providers to prevent operational disruptions.
Perhaps the most challenging aspect is the new continuous monitoring mandate set out in the Exposure Draft, which would require FIs to consider automating the continuous monitoring of potential security vulnerabilities.[3] This implies ongoing oversight of third-party cyber risks rather than annual or ad-hoc reviews.
However, many FIs still rely on manual, spreadsheet-based processes for vendor risk assessments, leaving them exposed to compliance gaps and oversight failures. Without integrated risk management platforms, institutions will struggle to keep pace with the volume of vendor reviews, the ongoing monitoring and the documentation required.
Weaknesses will create not only regulatory risks but also operational vulnerabilities, as manual processes are prone to errors and delays in identifying emerging third-party threats.
The shift to automated, continuous TPRM is no longer optional. It’s a strategic imperative for FIs seeking to comply with BNM's stricter standards while maintaining resilient third-party ecosystems.
Incident reporting & operational resilience
FIs need to adhere to stringent new requirements that challenge traditional response protocols.
They must now rapidly report cybersecurity incidents to BNM, leaving little room for manual verification or internal deliberations. This demands real-time monitoring capabilities and pre-approved escalation protocols that many institutions simply don't have in place.
Beyond initial reporting, RMiT 2023 mandates thorough post-incident reviews. Institutions must put in place long-term mitigations based on the findings of those reviews.
Operational resilience receives equal emphasis, with RMiT 2023 mandating annual cyber drills. The goal is to demonstrate the institution's ability to respond effectively to cyber incidents and maintain critical functions through various threats and scenarios.
The fundamental challenge lies in execution: many FIs still rely on manual processes and siloed systems for incident management. To comply with the stricter requirements of the Exposure Draft, FIs will need to consider automated threat detection, integrated response workflows and tested playbooks, or they risk missing critical reporting deadlines.
More importantly, risk management gaps would leave institutions vulnerable to prolonged outages during actual incidents, with direct impacts on customer trust and market stability. The transition from ad-hoc responses to ongoing institutionalized resilience represents one of RMiT’s most profound and costly operational challenges.
FIs face unprecedented challenges in meeting RMiT’s existing requirements and, potentially, the enhanced requirements set out in the Exposure Draft.
Many FIs lack specialized in-house teams and qualified cybersecurity professionals with the expertise to fulfill RMiT's stringent mandates, particularly in areas such as third-party vendor assessments, the demonstration of board-level accountability for technology risks, and the implementation of complex security frameworks such as zero-trust architectures and advanced threat monitoring.
This talent gap is further exacerbated by knowledge silos within organizations, where existing IT teams may lack specific expertise in interpreting and applying RMiT requirements.
This can lead to costly compliance missteps, leaving institutions vulnerable to both cyber threats and regulatory penalties.
The technological debt accumulated through years of operating on outdated infrastructure presents another major compliance hurdle. Many Malaysian FIs still rely on core banking systems that were designed decades before modern security requirements such as MFA and API security protocols became mandatory.
These legacy platforms frequently lack the architectural flexibility to support RMiT’s advanced security controls without extensive – and expensive – modification.
The result of these various challenges is that:
- Even institutions with robust IT departments frequently find themselves overstretched, attempting to bridge capability shortages through ad-hoc measures that may not withstand regulatory scrutiny.
- The cost of modernization goes beyond simple software upgrades, often requiring complete infrastructure overhauls, data migration projects and extensive staff retraining.
- For smaller institutions especially, these capital expenditures can represent a significant portion of annual IT budgets, forcing difficult trade-offs between compliance initiatives and other strategic investments. Many security upgrades beyond basic compliance offer intangible benefits that are difficult to quantify in traditional ROI calculations.
This perfect storm of budget constraints, competing priorities and measurement challenges makes strategic resource allocation one of the most persistent operational constraints in achieving full RMiT compliance.
This challenge is compounded by regulatory fatigue, as institutions struggle to reconcile RMiT requirements with overlapping obligations from regulators such as the Securities Commission (SC).
Organizations can't simply throw money at the problem; they need structured, knowledgeable approaches to navigate RMiT's nuances while making sustainable improvements to their risk posture. This is driving more institutions to seek expert partners who can help bridge both capability and knowledge gaps efficiently.
The rapid adoption of innovative financial technologies has introduced complex new risk vectors, which RMiT addresses through enhanced governance requirements. This is a particular focus of the new Exposure Draft, released in November 2024.
According to the Exposure Draft, FIs must ensure effective Technology Risk Management (TRM) to monitor and manage risks arising from emerging technologies at the enterprise level.
Governance arrangements for new technologies should include an appropriately cautious approach that considers potential unintended consequences, e.g. regarding fairness, ethics, legal liabilities, and impacts on vulnerable customers. Institutions must establish clear acceptance criteria for adopting new technologies, along with reporting structures and oversight mechanisms to maintain accountability throughout their lifecycle.
Additionally, they should:
- Enhance technology and cybersecurity controls to mitigate risks and continuously evaluate and improve the effectiveness of operating controls.
- Ensure that emerging technologies are only used in production environments when certain conditions are met. These include adequate testing of IT systems to ensure they meet service quality, resiliency and security objectives while keeping residual risks within the institution’s tolerance.
- Adhere to industry standards for testing operational risk controls and cyber defense, while applying additional caution where such standards are not available. The use of an emerging technology might need to be suspended in extreme situations, such as cyberattacks, and the institution needs to be ready to act on this.
Regular monitoring is necessary to ensure consistent quality, security and compliance, with timely identification and mitigation of emerging risks.
Lastly, the institution must disclose the use of emerging technology to users, providing them with sufficient information to make informed decisions about associated risks.
Collectively, these various requirements reflect a shift from securing traditional banking systems to managing the risks associated with increasingly interconnected and technologically advanced financial ecosystems.[4]
The path to robust RMiT compliance represents a fundamental transformation of FIs’ technology risk posture, one that demands specialist expertise to plan and implement.
FIs are increasingly turning to external partners to help them navigate this complex journey, recognizing three critical value propositions that internal teams can struggle to deliver:
- Regulatory intelligence. This requires a dedicated focus as BNM continues to refine its supervisory approach.
- Technology modernization. Experienced external partners can provide proven, phased implementation roadmaps.
- Cost optimization. By shifting from significant upfront costs to more predictable, ongoing operational expenses, institutions can improve their flexibility and adaptability to changing technological risks and regulatory requirements.
A collaborative approach can prove particularly valuable for mid-tier banks and non-bank FIs that may lack the scale to maintain all the required capabilities in-house.
Institutions should view RMiT not as a one-time project, but as an opportunity to build institutional resilience that will serve them well beyond the current regulatory cycle. Those who recognize this will position themselves not just to avoid penalties, but to gain competitive advantage through demonstrably stronger security practices and customer assurances.
Capco Malaysia can partner with financial institutions to help them navigate RMiT compliance. We offer unparalleled expertise as the largest financial sector-focused consultancy worldwide.
With deep knowledge of BNM’s supervisory approach, we help institutions meet regulatory requirements while also aligning with the spirit of RMiT. Our proven frameworks and proprietary tools streamline compliance, reducing implementation time and minimizing the risks of DIY compliance programs. From policy templates to automated assessment tools, we provide the building blocks for a sustainable compliance program that can also meet critical deadlines.
In addition to compliance, Capco excels in cyber resilience and third-party risk management. We offer battle-tested solutions, including multi-factor authentication (MFA), zero-trust architectures (ZTA), and cloud security strategies that can help meet BNM's stringent expectations. Our comprehensive third-party risk management approach transforms compliance into a strategic advantage, leveraging AI-powered due diligence, contract safeguards and exit strategies.
Capco’s forward-thinking approach combines global insights with local expertise. By ensuring that financial institutions are prepared for emerging risks in areas such as AI, blockchain and open banking, we offer a long-term partnership for building a secure, compliant and competitive digital future.
References
[1] BNM PD RMiT June 2023
[2] BNM RMiT Exposure Draft
[3] BNM RMiT Exposure Draft, page 19
[4] BNM RMiT Exposure Draft, pages 67-68