Skip to content
Pacific Resilience Institute
All insights
MalaysiaMar 2026 · PRI Insights Team

Malaysia's BNM RMiT and the third-line question

Bank Negara's Risk Management in Technology policy has been in force since January 2021. Supervisory focus has moved from framework design to whether the three lines are working as intended.

Informational only. This article reflects the views of its author and does not constitute legal, regulatory or risk-management advice. References to MAS, APRA, HKMA, RBI or JFSA are for context; PRI is not endorsed by any regulator.

Bank Negara Malaysia issued the Risk Management in Technology policy document, known as RMiT, in June 2020, with effect from 1 January 2021. The policy applies across licensed banks, insurers, takaful operators and a broader set of financial institutions, and it sets a single comprehensive framework for technology risk that brings together governance, cyber security, technology operations management, cloud risk, data and third-party arrangements.

RMiT was deliberately written as a substantive expectation rather than a high-level principle. It sets minimum standards on board and senior management responsibilities, on the role and independence of the chief information security officer, on cyber resilience capabilities including detection and response, and on specific technical controls including encryption, identity management and patching. It also sets expectations on cloud risk assessment, on third-party arrangements and on incident reporting timelines, with significant incidents notifiable to BNM promptly.

Five years in, the supervisory dialogue has moved from whether institutions have implemented the framework to whether the framework is actually functioning. BNM's recent thematic engagement has focused on the effectiveness of the three lines of defence in technology risk. The first line is asked to demonstrate that its risk decisions are informed, not delegated upwards. The second line is asked to challenge rather than to coordinate. The third line, internal audit, is asked to provide independent assurance rather than to confirm management's own view.

Cyber resilience has been a particular focus. RMiT's expectations on cyber detection, response and recovery capability have been tested by a series of incidents affecting Malaysian and regional firms, and supervisory questions have sharpened on the quality and timeliness of incident response, on the realism of recovery testing and on the integration of cyber response with broader business continuity. The supervisory test is increasingly whether the institution can demonstrate operational effectiveness, not whether it can produce a policy.

Cloud and outsourcing arrangements have been a second focus area. RMiT permits cloud use with appropriate risk management and BNM notification or approval depending on materiality. Practice across institutions varies in the depth of due diligence, the rigour of ongoing monitoring and the realism of exit planning. Concentration on a small number of providers across the Malaysian financial system has been recognised as a system-level question rather than only an institutional one, and BNM has engaged on the topic in line with international peer regulators.

Operational resilience is the direction of travel. BNM has signalled, in line with international standards and peer regional regulators, that the next phase of supervisory expectation will move beyond technology risk into explicit operational resilience, with identification of critical business services, tolerances for disruption and tested mappings to the supporting people, processes, technology, information and third parties. The boundary between RMiT and a future operational resilience framework is one of the practical implementation questions for boards and executives this year.

For Malaysian institutions setting their priorities, three areas reward investment. Make sure the three lines model in technology risk is functioning rather than nominal, because that is where supervisory attention sits. Treat cyber incident response as a regularly rehearsed capability, not a documented procedure. And begin building the bridge between RMiT and operational resilience now, so the next supervisory cycle does not find the institution starting from the framework rather than from capability.

ShareLinkedInXEmail

More insights