The Asian Banker Saturday, 12 October 2024

Bank Negara Malaysia fines CIMB $171,325 for regulatory breaches

Bank Negara Malaysia issued an administrative monetary penalty on CIMB Bank Berhad and CIMB Islamic Bank Berhad for non-compliance with the Financial Services Act 2013 and Islamic Financial Services Act 2013.

On 29 July 2024, Bank Negara Malaysia (BNM) imposed an Administrative Monetary Penalty (AMP) of MYR 760,000 ($171,325) on CIMB Bank Berhad and CIMB Islamic Bank Berhad (collectively referred to as CIMB) for non-compliance with paragraph 48 (1) (a) of the Financial Services Act 2013 (FSA) and paragraph 58 (1) (a) of the Islamic Financial Services Act 2013 (IFSA), read together with paragraph 10.32 of the Risk Management in Technology (RMiT) Policy Document.

Under paragraph 10.32 of the RMiT Policy Document, financial institutions must ensure their relevant critical systems are designed for high availability, specifically:

a. Cumulative unplanned downtime that affects user interface must not be more than four hours on a rolling 12-month basis; and

b. Maximum tolerable downtime of 120 minutes per incident.

On 8 and 9 April 2024, CIMB’s customers experienced prolonged service disruptions affecting e-banking channels, automated teller machines (ATM), as well as debit cards and credit cards. The duration of these disruptions to CIMB’s services exceeded the thresholds specified by BNM. Upon investigation into the root cause leading to the incidents, it was found that CIMB’s non-compliance resulted from lapses in the execution of its response and recovery process to restore the disrupted systems promptly, which impacted the availability of essential banking services for its customers and counterparties.

CIMB has taken the necessary remediation actions, including enhancing its real-time IT infrastructure monitoring function to further improve its recovery capabilities and prevent future non-compliance.

Aggravating and mitigating factors

In deciding to impose the AMP, BNM has considered the relevant aggravating and mitigating factors, which include:

a. Failure to take reasonable steps to mitigate the downtime incidents and avoid non-compliance;

b. Severity of the non-compliance, including the impact of the service disruption on customers and counterparties;

c. Past compliance record and history of formal enforcement actions imposed; and

d. Effectiveness of remedial actions taken to prevent recurrence.

BNM expects all financial institutions to maintain a high level of technology resilience against operational disruptions to ensure the continuous availability of essential financial services. BNM will not hesitate to take appropriate supervisory and enforcement actions when financial institutions fall short of regulatory expectations.

On 12 August 2024, CIMB paid a total of MYR 760,000 ($171,325) for the AMP imposed by BNM.

The enforcement action taken is in line with the approach and processes outlined in the published Enforcement Approach document.

BNM imposed the AMP pursuant to subsection 234(3)(b)(i) of the FSA and subsection 245(3)(b)(i) of the IFSA.

Re-disseminated by The Asian Banker
