Malaysia’s updated RMiT policy shifts authentication from guidance to enforceable standards, requiring phishing-resistant, device-bound methods. It reflects a broader move toward continuous, risk-based security tied to real-world fraud threats.
In November 2025, Bank Negara Malaysia (BNM) updated its Risk Management in Technology (RMiT) policy, turning long-standing guidance into enforceable requirements.
The direction is towards strong, phishing-resistant authentication - it is no longer just a recommendation but a mandatory part of fraud prevention. Institutions must implement security mechanisms and demonstrate their effectiveness against real-world attacks such as phishing, SIM swaps, and OTP interception.
What Has Actually Changed
At a high level, the update pushes authentication toward a more robust, real-world model.
Device Binding as the Default
First, identity is expected to be tied to a trusted device, a single device by default. Rather than allowing loosely controlled multi-device access, institutions should treat a primary device as the anchor of trust, with any changes carefully verified and auditable. This directly limits common account takeover scenarios.
Stronger Re-Verification for Sensitive Changes
Second, sensitive actions - like changing a phone number or registering a new device - must be handled with stronger, independent verification. Think identity verification, biometric user authentication, or physical verification at the branch.
Cooling-Off Periods and Behavioral Controls
Third, authentication enrollment is no longer a one-time event. New devices should be restricted and gradually unlocked over a cooling-off period, transaction limits should be applied dynamically, and user behavior should be continuously evaluated. The philosophy is that trust evolves over time - it is not something granted once in full.
Phishing-Resistant, Transaction-Bound MFA
Finally, the role of SMS OTP is clearly diminishing. Regulators expect authentication methods that are resistant to phishing, interception, and manipulation, and that can be bound to transaction details. In practice, this points toward cryptographic, key-based approaches, such as passkeys or mobile-first authentication, rather than channel-based verification.
Shift in Authentication Architecture
Banking authentication in Malaysia is moving away from passwords and OTPs toward device-bound, cryptographic models. It becomes more tightly linked to the transaction itself, more resilient to phishing (by design), and less dependent on external infrastructure like telecom networks.
At the same time, lifecycle events - such as enrollment, recovery, or device replacement - are treated as core security flows. Combined with real-time risk evaluation, the new requirements create a more adaptive and context-aware user authentication system.
Development in Malaysia: Part of a Broader Trend
One thing is clear: Malaysia is not an outlier. Similar patterns are emerging globally, from Southeast Asia to Europe. Regulators are converging on the same principles: device binding, phishing resistance, and continuous risk-based controls.
The message behind the update is straightforward:
Authentication is no longer just about verifying users. It is about securing transactions in a real-world environment. Institutions that treat this as a compliance task may keep up in the short term, but those who use it as an opportunity to modernize their architecture will be better positioned for what comes next.