BNM fines Bank Rakyat RM1m for IT security failures

Bank Negara Malaysia (BNM) has imposed an Administrative Monetary Penalty (AMP) of RM1,000,000 on Bank Kerjasama Rakyat Malaysia Berhad (BKRM) following a series of cybersecurity and customer information protection failures, the central bank confirmed on 20 January 2026.

The penalty was issued after BNM found that BKRM had failed to implement robust cybersecurity standards as required under the Risk Management in Technology Policy Document (RMiT PD), and had also failed to adequately safeguard customer information in line with the Management of Customer Information and Permitted Disclosures Policy Document (MCIPD PD).

The regulator’s investigation revealed that the bank’s shortcomings came to light following a cybersecurity incident in which an external threat actor gained unauthorised access to BKRM’s IT infrastructure.

The breaches were attributed to inadequate cybersecurity controls and a deficient incident response capability.

In determining the scale of the penalty, BNM weighed both aggravating and mitigating factors. These included the severity of the breaches, the bank’s lack of reasonable care in ensuring compliance with the relevant policy documents, its current controls, its past compliance record, and its post-misconduct behaviour — including the effectiveness of remedial actions taken to prevent future non-compliance.

In response to the incident, BKRM has since undertaken remedial measures to strengthen its cybersecurity and information and communication technology (ICT) controls, resources, and governance arrangements. The bank settled the RM1,000,000 penalty on 26 January 2026, six days after it was imposed.

BNM has reiterated that all financial institutions operating in Malaysia are required to comply fully with both the RMiT PD and MCIPD PD. The central bank made clear it will not hesitate to take appropriate supervisory and enforcement action should any financial institution fail to meet its legal and regulatory obligations.

The case serves as a stark reminder of the growing scrutiny facing financial institutions over their cybersecurity posture, particularly as regulators across the region continue to tighten oversight of digital risk management and data protection practices.

Copyright © 2026 FinTech Global
