Bank Negara Malaysia imposes MYR 2.85 million penalty on Bank Kerjasama Rakyat Malaysia for breaches of RMiT system availability requirements

Bank Negara Malaysia (BNM) imposed an Administrative Monetary Penalty of MYR 2,850,000 on Bank Kerjasama Rakyat Malaysia Berhad (BKRM) for non-compliance with the Development Financial Institutions Act 2002 and the Risk Management in Technology Policy Document (RMiT PD). The action relates to multiple unplanned downtimes between 1 June 2023 and 31 December 2024 that disrupted essential banking services and exceeded the permitted downtime thresholds for critical systems. Paragraph 10.32 of the RMiT PD requires relevant critical systems to be designed for high availability, including cumulative unplanned downtime affecting the user interface of no more than four hours on a rolling 12-month basis and a maximum tolerable downtime of 120 minutes per incident. BKRM’s outages affected e-banking channels, Automated Teller Machines, and debit and credit card systems, and were attributed to lapses in executing response and recovery processes to restore disrupted systems promptly. In setting the penalty, BNM considered factors including BKRM’s failure to take reasonable mitigation steps, the severity and impact on customers and counterparties, its past compliance record, and the effectiveness of remedial actions. BKRM has since taken steps to enhance recovery capabilities and strengthen its IT infrastructure as part of a multi-year technology infrastructure investment plan, and it paid the penalty on 26 June 2025. BNM stated it expects high technology resilience across financial institutions and will take supervisory and enforcement action where firms fall short of regulatory expectations.