Bank Negara Malaysia (BNM) has imposed an Administrative Monetary Penalty (AMP) of RM995,000 on Bank Simpanan Nasional (BSN) for non-compliance with the Development Financial Institutions Act 2002 and the Risk Management in Technology Policy Document (RMiT PD) requirements on critical system availability. The breach related to section 41(4)(a) of the Development Financial Institutions Act 2002, read together with paragraph 10.32 of the RMiT PD, which requires critical systems to be designed for high availability, including cumulative unplanned downtime affecting the user interface of no more than four hours on a rolling 12-month basis and a maximum tolerable downtime of 120 minutes per incident. Between 1 June 2023 and 31 October 2024, BSN experienced multiple unplanned downtimes that disrupted e-banking channels, Automated Teller Machines, and debit and credit card systems beyond the prescribed thresholds, linked to lapses in executing response and recovery processes. BNM considered aggravating and mitigating factors, including BSN’s failure to take reasonable steps to mitigate incidents, the severity and impact of disruptions, BSN’s past compliance record, and the effectiveness of remedial actions. BSN has since enhanced recovery capabilities and strengthened IT infrastructure under a multi-year investment plan. The AMP imposed on 16 June 2025 was paid on 25 June 2025.
Bank Negara Malaysia 2025-07-30
Bank Negara Malaysia imposes RM995,000 administrative penalty on Bank Simpanan Nasional for breaching technology resilience availability requirements
Bank Negara Malaysia imposed a RM995,000 Administrative Monetary Penalty on Bank Simpanan Nasional for breaching the Development Financial Institutions Act 2002 and Risk Management in Technology Policy Document requirements on critical system availability. The violations involved multiple unplanned downtimes affecting e-banking and card systems beyond allowed thresholds. BSN has since improved its IT infrastructure and recovery capabilities.