BNM penalised Malayan Banking Berhad and Maybank Islamic Berhad for non-compliance with the Financial Services Act 2013 and Islamic Financial Services Act 2013.
Bank Negara Malaysia (BNM) imposed an Administrative Monetary Penalty (AMP) of MYR 4.32 million ($974,526) on Malayan Banking Berhad and Maybank Islamic Berhad, collectively referred to as Maybank, on 29 July 2024.
This penalty was for non-compliance with paragraph 48(1)(a) of the Financial Services Act 2013 (FSA) and paragraph 58(1)(a) of the Islamic Financial Services Act 2013 (IFSA), in conjunction with paragraph 10.32 of the Risk Management in Technology (RMiT) Policy Document.
Under paragraph 10.32 of the RMiT Policy Document, financial institutions must ensure their relevant critical systems are designed for high availability, specifically:
a. Cumulative unplanned downtime that affects user interface must not be more than four hours on a rolling 12-month basis; and
b. Maximum tolerable downtime of 120 minutes per incident.
Between 1 June 2023 and 31 May 2024, Maybank’s Regional Mobile Banking Platform (RMBP) and MAE applications experienced multiple unplanned downtime incidents that caused prolonged disruptions to the interfaces of several banking services with customers and counterparties. The duration of the disruption breached the thresholds specified in paragraph 10.32 of the RMiT Policy Document. Investigation into the root cause of the incidents found that Maybank’s non-compliance resulted from its inability to recover effectively and promptly from the unexpected system disruptions, which severely impacted the interface experience of online banking services for its customers and counterparties. Measures by Maybank to further strengthen its application and infrastructure resiliency, as required by BNM, were also incomplete at the time of the incidents, which impeded recovery efforts.
Maybank has taken the necessary actions to close these gaps as part of its multi-year infrastructure investments to prevent future non-compliance.
Aggravating and mitigating factors
In deciding to impose the AMP, BNM has considered the relevant aggravating and mitigating factors, which include:
a. Failure to take reasonable steps to mitigate the downtime incidents and avoid non-compliance;
b. Severity of the non-compliance, including the impact of the service disruptions on customers and counterparties; and
c. Past compliance record and history of formal enforcement actions imposed.
BNM expects all financial institutions to maintain a high level of technology resilience against operational disruptions to ensure the continuous availability of essential financial services. BNM will not hesitate to take appropriate supervisory and enforcement actions when financial institutions fall short of regulatory expectations.
On 8 August 2024, Maybank paid a total of MYR 4.32 million ($974,526) for the AMP imposed by BNM.
The enforcement action taken is in line with the approach and processes outlined in the published Enforcement Approach document.
Re-disseminated by The Asian Banker