Search for:

In brief

Bank Negara Malaysia (i.e., the Central Bank of Malaysia) (BNM) had on 1 June 2023 updated its existing Risk Management in Technology Policy Document (“Updated RMIT PD“) to, among others, provide further guidance on the use of cloud services to be adopted by selected financial institutions. These changes take effect on 1 June 2023 (for licensed digital banks and licensed Islamic digital banks) and 1 June 2024 (for all other financial institutions).

Licensed banks, investment banks, insurers and takaful operators (including professional reinsurers and retakaful operators), issuers of electronic money, operators of designated payment systems, and prescribed development financial institutions (each a FI and collectively, FIs), and cloud service providers should familiarise themselves with these changes as it will impact a FI’s cloud adoption initiatives and roll-out strategy.


Updated RMIT PD

  1. Adoption of Cloud Services
    • Under the existing Risk Management in Technology Policy Document issued on 19 June 2020 (“Existing RMIT PD“), a FI is required to consult BNM prior to the use of public cloud for critical systems and notify BNM of its use of cloud services for non-critical systems. Under the Updated RMIT PD:
      1. A FI is only required to consult BNM prior to its first time adoption of public cloud for critical systems (“Consultation Requirement“). Before the consultation with BNM, the FI will need to, among others, undertake a risk assessment on the cloud adoption (as further elaborated below) and submit to BNM a confirmation that the FI is ready to adopt public cloud for critical systems.

During the consultation with BNM, the FI must be able to demonstrate to BNM that specific risks associated with usage of cloud services have been adequately considered and addressed to the satisfaction of BNM.

  1. A FI must thereafter, notify BNM on any subsequent adoption of public clouds for critical systems (“Notification Requirement“).
  2. A FI is no longer required to notify BNM on its use of cloud services for non-critical systems.

The updated processes under the Updated RMIT PD represents a shift by BNM to a risk-based approach in the cloud consultation and notification procedure.

  • BNM has formally incorporated the Cloud Technology Risk Assessment Guide Exposure Draft (issued on 3 June 2022) (CTRAG) into the Updated RMIT PD. In this regard, BNM has provided guidance on the common key risk areas and control measures for a FI to consider and implement (on a risk based, proportionate manner) before it adopts public cloud for critical systems, for the first time:
    1. Cloud Governance – a FI must undertake various initiatives such as, among others:
    • Implementation of a cloud risk management framework by senior management which integrates with a FI’s outsourcing risk management framework, technology risk management framework and cyber resilience framework
    • Ensure that the contracts with cloud service provider addresses risks stipulated in the RMIT PD and Outsourcing Policy Document
    • Ensure relevant internal resources (including in finance, procurement, legal, risk and compliance) are adequately skilled and engaged to manage the change of risk profile from cloud adoption,

towards ensuring that the FI has in place a comprehensive cloud usage policy and technology skills capacity to implement cloud services securely and effectively; and

  1. Cloud Design and Control – a FI must take into consideration various factors such as:
    • Enhancing existing cyber crisis management policies and procedures, and its Cyber Incident Response Plan, to include responses to cyber threats in a cloud environment
    • Arrangements entered into by a FI with cloud service providers which should require that the providers undertake integrated business continuity testing and cyber drills in accordance with the Business Continuity Management Policy Document and the RMIT PD,

towards designing a robust cloud infrastructure and for the operationalisation of the cloud environment.

FIs which have already deployed cloud services for critical systems have up to one year (until 1 June 2024) or up to the next renewal of the FI’s contract with cloud service providers (whichever is later) to ensure that the requirements set out within the Updated RMIT PD are addressed.

  1. Strengthening of Multi-factor Authentication security control

Further, the Updated RMIT PD also seeks to strengthen the guidance provided under the Existing RMIT PD on the use of multi-factor authentication (MFA) security controls. Under the Existing RMIT PD, FIs are required to deploy adequately secure MFA solutions for open third party fund transfer and open payment transactions above RM 10,000.

The Updated RMIT PD imposes stronger requirements on the MFA controls used, such that FIs must now ensure that the MFA security controls are resistant to interception or manipulation by any third party throughout the authentication process, and deploy MFA technology and channels which are more secure than unencrypted short messaging services (SMS) (the latter of which was previously only a recommendation and not a requirement).

  1. Compliance Assessment and Gap Analysis

Within 90 days of the issuance of the Updated RMIT PD, all FIs are required to:

  • Perform a compliance assessment and gap analysis of its existing practices in managing technology risks against the Updated RMIT PD
  • Establish an action plan to address such gaps
  • Submit the gap analysis and action plan to BNM.

This requirement will nonetheless apply to FIs which have previously made such submission under the Existing RMIT PD, such that new gaps arising from the Updated RMIT PD requirements need to be assessed and addressed.

Takeaways

FIs are encouraged to take stock of their existing systems, plans, resources and frameworks and revise the same to ensure that they comply with the standards and requirements stipulated under the Updated RMIT PD. The Updated RMIT PD reflects BNM’s recognition of the increased reliance by FIs of cloud services across the organisation to support the FI’s digitalisation initiatives (especially those of digital banks which operate on a technology-first model).

* * * * *

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Sue Wan Wong is a partner in the Corporate, Commercial & Securities Practice Group of Wong & Partners and she also drives the Firm's fintech practice. Chambers FinTech Legal ranks the practice as the sole Band 1 firm in Malaysia and lists Sue Wan as a Notable Practitioner. She was recognised as a Notable Practitioner for M&A in 2020 and 2021 by IFLR1000, having previously been named as Rising Star in 2018 and 2019. She is also ranked as a Distinguished Practitioner for Corporate and M&A since 2020 by Asialaw Profiles, which has also recognised her expertise in Labour & Employment and Insurance & Reinsurance previously. Sue Wan was named as Woman Lawyer of the Year in 2018 by Asian Legal Business, and was recognised in 2015 in their inaugural The ALB 40 Under 40 list which showcases the brightest legal minds in Asia. Sue Wan is a member of the US-ASEAN Business Council (Financial Services Committee) and she was the former Secretary of the Fintech Association of Malaysia.

Author

Serene Kan is a Partner in Wong & Partners, Kuala Lumpur office.

Author

Kean Lynn Tai is a Legal Assistant in Wong & Partners, Kuala Lumpur office.

Author

Eliza Chow is a Legal Assistant in Wong & Partners, Kuala Lumpur office.

Write A Comment