Simuna Infosec
Compliance | 2026-07-25

Malaysia's Evolving Technology Requirements for Payment Services

Beyond RMiT, Bank Negara Malaysia has introduced technology requirements for payment service providers. Here's what's verified about the evolving landscape.

Malaysia's regulatory framework for financial technology is expanding beyond the established RMiT policy. For payment service providers and fintech operators, understanding the evolving requirements is essential. This article presents only verified facts.

A Broadening Regulatory Landscape

Bank Negara Malaysia's Risk Management in Technology (RMiT) policy has long been the central technology risk framework for financial institutions. More recently, BNM has introduced additional technology governance requirements specifically targeting payment service providers — reflecting the growth of e-money, digital payments, and fintech in Malaysia.

A new policy document, the Technology Requirements for Payment Services Regulatees (often referred to as TR PD), is a comprehensive technology governance framework that overlaps with the existing RMiT policy. It covers entities such as e-money issuers, merchant acquirers, licensed money services businesses, and operators of designated payment systems.

According to published analysis, this payment-services technology policy has an effective date in 2027, though aspects of the broader technology requirements framework have been taking effect on a phased basis. Given the overlap between RMiT and the newer payment-services requirements, affected organisations should carefully determine which framework — or both — applies to their operations, and confirm applicable dates with qualified advisors.

Common Cybersecurity Requirements

Across these frameworks, certain cybersecurity requirements recur: board-approved technology risk and cyber resilience frameworks, a certified CISO, dedicated board attention to cybersecurity, Security Operations Centre capability, annual penetration testing, cyber incident response plans, and cyber drills involving board members.

For payment service providers specifically, the security of payment systems and the prevention of digital fraud are central concerns — making the security testing of payment applications and APIs particularly important.

Why Payment Systems Demand Rigorous Testing

Payment systems carry money and process high volumes of sensitive transactions. The vulnerability classes that matter most — transaction manipulation, authorisation bypass, race conditions enabling double-spending, and business-logic abuse — require expert manual testing to detect. Automated scanning alone cannot evaluate whether a sequence of valid-looking payment API calls results in unauthorised value transfer.
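The race-condition class named above, reduced to its essence as an added illustration (this is not code from the original article or from Simuna Infosec): a wallet debit that checks the balance and then writes it as two separate steps, beside a version that does both inside one critical section. The `Wallet` class, the balances and the barrier that schedules the requests are constructed for the demonstration; the barrier only makes the timing window deterministic so the outcome can be asserted.

```python
import threading
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Wallet:
    """Constructed in-memory wallet; balance in minor units (e.g. sen)."""
    balance: int
    lock: threading.Lock = field(default_factory=threading.Lock)


def debit_racy(wallet: Wallet, amount: int, hold: Optional[threading.Barrier] = None) -> bool:
    """Check-then-debit as two separate steps: a second request arriving between
    them also passes the check, both debit, and the wallet goes negative."""
    if wallet.balance < amount:
        return False
    if hold is not None:
        hold.wait()  # test hook: park each request here until all have passed the check
    wallet.balance -= amount
    return True


def debit_atomic(wallet: Wallet, amount: int, hold: Optional[threading.Barrier] = None) -> bool:
    """Check and debit in one critical section. A real ledger gets the same guarantee
    from a row lock or a conditional UPDATE ... WHERE balance >= amount. `hold` is ignored."""
    with wallet.lock:
        if wallet.balance < amount:
            return False
        wallet.balance -= amount
        return True


def concurrent_debits(debit: Callable[..., bool], start_balance: int, amount: int,
                      requests: int = 2) -> tuple[int, int]:
    """Fire `requests` identical debits at once; return (successes, final balance)."""
    wallet = Wallet(balance=start_balance)
    hold = threading.Barrier(requests)  # drives every request into the race window
    outcomes: list[bool] = []
    threads = [threading.Thread(target=lambda: outcomes.append(debit(wallet, amount, hold)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), wallet.balance


if __name__ == "__main__":
    print("racy  :", concurrent_debits(debit_racy, 100, 100))    # (2, -100)
    print("atomic:", concurrent_debits(debit_atomic, 100, 100))  # (1, 0)
```

Every request in the racy run reports success and the balance goes negative, which is exactly the outcome a scanner issuing one request at a time never observes; a test that drives concurrent requests and asserts that successes never exceed `start_balance // amount` is the detection.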

How Simuna Infosec Helps

Our experience securing payment platforms, mobile wallets, and BSS systems for telecom and financial clients gives us deep familiarity with the transaction-logic vulnerabilities that matter most for payment service providers. We test the payment flows, transaction integrity, and API authorisation logic that automated tools cannot evaluate, helping Malaysian payment and fintech operators meet the annual penetration testing expectations of BNM's frameworks while genuinely securing the systems that carry their customers' money.

*This article reflects publicly available information as of mid-2026. Regulatory frameworks and effective dates evolve and overlap; consult qualified legal counsel to determine which requirements apply to your operations.*