PKF Malaysia Insights 2026 •2026-04-06

Bank Negara Malaysia's New Tech Requirements

By: Stevie Heong, Director, Technology Advisory

stevie@pkfmalaysia.com


What the TR PD means — and how it differs from RMiT


A significant new Bank Negara Malaysia policy document took effect in March 2026, quietly and largely under the radar. The Technology Requirements for Payment Services Regulatees, or TR PD, is a comprehensive technology governance framework that in practice overlaps with BNM's current RMiT policy. It covers e-money issuers, merchant acquirers, licensed money services businesses, and operators of designated payment systems (i.e. PAYNET). The effective date is 12 March 2027, but there is a catch: organisations must submit a gap analysis and remediation plan to BNM within 90 days of the issuance of licence approval.


A Framework Built on Proportionality

What sets the TR PD apart from previous policies such as RMiT is its four-tier structure. Larger regulatees, i.e. those with annual transaction values above RM1.5 billion or volumes above 7 million, face the full suite of obligations under Tier-2. Smaller entities fall under Tier-3 with slightly lighter requirements, while non-digital money changers sit in Tier-4 and need only comply with a simplified set of basic controls. Entities already subject to RMiT are classified as Tier-1. This is where the confusion begins: most of the entities regulated by the TR PD are also regulated by RMiT. With the exception of “Licensed money service business”, every other category of regulatee was already classified under the RMiT issued in 2025.

While it is a good attempt by BNM to add proportionality to its policies, our opinion is that this document requires further clarification, as many companies will not know which policy to apply: RMiT, the TR PD, or both?


What It Requires

The TR PD itself covers the familiar requirements: boards must approve Technology Risk Management Frameworks and Cyber Resilience Frameworks, appoint a certified CISO, and dedicate board time to cybersecurity discussions. Senior management must establish cross-functional technology committees and crisis management plans.

On the operational side, requirements span patch and end-of-life system management, cryptography standards, data centre resilience, network architecture, multi-factor authentication, cloud governance, and third-party vendor oversight. Cybersecurity requirements include Security Operations Centres, annual penetration testing, cyber incident response plans, and mandatory annual cyber drills involving board members. For consumer-facing digital services, the TR PD goes further: real-time fraud detection, mandatory customer kill-switch functionality, OTP binding to specific transactions, and continuous fraud awareness programmes are all required.


How It Differs from RMiT

RMiT remains BNM's flagship technology policy for banks, insurers, and digital banks. The TR PD is not positioned as a replacement but as a complement. The differences we see:

  • Proportionality: The TR PD's explicit tier system is more structured than RMiT's approach. Smaller entities get meaningfully lighter requirements.
  • Payments-specific controls: Fraud detection standards, QR code controls, and payment acceptance device requirements (for merchant acquirers) are unique to the TR PD.
  • Consumer focus: The TR PD places greater emphasis on retail customer protection — kill switches, fraud alerts, and digital literacy programmes — reflecting the consumer-facing nature of payment services.


Moving Forward

It is imperative for BNM to issue a clarification of how companies fall under the TR PD or RMiT – are the two mutually exclusive? Furthermore, what of companies that fall under both, such as a registered merchant acquirer – do they comply with both, or does one take precedence?

We have already sent out queries, and in the coming weeks or months there will likely be further clarifications. In the meantime, it is a good time to have a conversation with our fintech clients about this new compliance requirement in the landscape. For further information, contact us at avantedge@pkfmalaysia.com
