BNM Fines Maybank RM4.32 Million for Non-Compliance in Technology Risk Management

Bank Negara Malaysia imposed a RM4.32 million penalty on Maybank for failing to comply with technology risk management regulations, resulting in multiple service disruptions. Maybank has since taken steps to address the issues and prevent future non-compliance.


14 August 2024 – Bank Negara Malaysia (BNM) levied an Administrative Monetary Penalty (AMP) of RM4.32 million on Malayan Banking Berhad and Maybank Islamic Berhad, collectively known as Maybank. The penalty was imposed due to non-compliance with specific regulatory requirements outlined in the Financial Services Act 2013 (FSA), Islamic Financial Services Act 2013 (IFSA), and the Risk Management in Technology (RMiT) Policy Document.

The RMiT Policy Document requires financial institutions to ensure that critical systems are highly available: cumulative unplanned downtime affecting the user interface must not exceed four hours within a rolling 12-month period, and the maximum allowable downtime per incident is 120 minutes.

Between June 1, 2023, and May 31, 2024, Maybank’s Regional Mobile Banking Platform (RMBP) and MAE applications experienced multiple unplanned downtimes, resulting in prolonged disruptions to customer and counterparty services. These disruptions exceeded the thresholds set by the RMiT Policy Document. Investigations revealed that Maybank’s non-compliance stemmed from its inadequate recovery measures following unexpected system disruptions. Additionally, Maybank had not completed the required improvements to its application and infrastructure resilience at the time of the incidents, further delaying recovery.

In response to these findings, Maybank has undertaken necessary actions to address these gaps as part of its ongoing multi-year infrastructure investment strategy aimed at preventing future non-compliance.

BNM considered several factors in its decision to impose the penalty, including Maybank’s failure to take timely steps to mitigate the downtime incidents, the severity of the non-compliance and its impact on customers, and Maybank’s past compliance history. BNM emphasizes the importance of maintaining technology resilience to ensure the continuous availability of essential financial services and has warned that it will not hesitate to take enforcement action against institutions that fall short of regulatory expectations.

Maybank paid the RM4.32 million penalty on August 8, 2024.

Author: Terry KS
