Bank Negara Tightens Technology Risks Rules For Payment Service Providers

Bank Negara Malaysia has released a comprehensive Technology Requirements Policy Document aimed at improving the management of technology and cyber risks among payment services regulatees (PSRs), including non-bank e-money issuers, merchant acquirers and money services businesses.

The policy sets out minimum standards for governance, cybersecurity safeguards and operational resilience, reflecting the growing reliance on digital infrastructure in payment services. According to the central bank, payment firms must invest in expertise, strengthen risk controls and maintain robust oversight of third-party technology providers to mitigate disruptions and digital crime risks.

Under the framework, PSRs will be classified into four regulatory tiers based on transaction value and volume, as well as operational complexity. Larger or more digitalised firms are expected to implement stronger technology risk controls that match their higher exposure to cyber threats.

The policy also empowers the central bank to take supervisory action against firms that fail to comply with mandatory standards, including requiring independent technology reviews, remediation plans or additional capital buffers where material weaknesses are identified.

Boards of payment firms are required to set technology risk appetite levels and oversee cybersecurity strategies spanning at least three years. Institutions must also establish robust technology risk management and cyber resilience frameworks to ensure continuity of financial services.

Operational requirements include encryption of customer data, frequent backup and restoration testing, and maintaining accessible transaction records for regulatory review. Firms must also conduct gap analyses and submit implementation action plans to the central bank within 90 days of the policy’s issuance.

The policy will take effect one year after its issuance and must be read alongside other existing regulations covering electronic money, merchant acquiring services and consumer protection.
