Learn what changed in Malaysia’s updated RMiT policy, why BNM now requires phishing-resistant MFA and how passkeys help stay compliant.
Alex
Created: March 19, 2026
Updated: March 19, 2026


Bank Negara Malaysia (BNM) issued an updated Risk Management in Technology (RMiT) policy in November 2025, replacing the June 2023 version. While the update covers a broad range of technology risk areas, the most consequential changes sit in authentication, device binding, multi-factor authentication, and fraud prevention. For Malaysia’s financial institutions, these are no longer best practices or guidance but a mandatory standard.
BNM has been slowly pushing institutions away from SMS OTP since 2023. The reason was straightforward: fraudsters have built tools to intercept SMS authentication codes before customers could see them, and SIM-swap attacks allowed criminals to redirect codes to devices they controlled. By 2024, Malaysian banks collectively blocked over 383 million Ringgit Malaysia (over 100 million USD) in fraudulent transactions (according to their annual report). The November 2025 update takes that progress and codifies it into binding regulation.
This article breaks down the key authentication and MFA changes in the updated RMiT, explains the regulatory context, and shows where passkeys and phishing-resistant authentication fit into the compliance picture. We answer the following questions:
What is the RMiT policy and who does it apply to?
What did the authentication landscape look like before November 2025?
What are the most important changes to authentication and MFA requirements?
How do passkeys help financial institutions comply with the updated RMiT?
The RMiT policy is BNM’s central regulatory framework governing how regulated financial institutions manage technology risk. BNM RMiT compliance sets requirements for IT governance, cybersecurity, digital services, cloud usage, and authentication controls, with the goal of keeping financial services available, resilient, and trusted as digital channels and threat levels evolve.
The policy also treats cloud usage as a form of outsourcing, requiring institutions to retain appropriate ownership and control over customer data and cryptographic keys. In practice, the RMiT is the compliance baseline that every regulated financial institution in Malaysia must build its technology risk posture around.
RMiT requirements apply to all financial institutions regulated by BNM. The scope is broad, covering not only traditional banks but also insurers, e-money issuers, payment system operators and remittance institutions. The following table summarises the main categories:
| Institution Category | Examples |
|---|---|
| Licensed banks | CIMB Bank, Maybank, HSBC Malaysia, Hong Leong Bank, AmBank, Public Bank |
| Licensed investment banks | CIMB Investment Bank, Affin Hwang, AmInvestment Bank |
| Licensed Islamic banks | Bank Islam Malaysia, Bank Muamalat, CIMB Islamic Bank |
| Licensed insurers & reinsurers | AIA Berhad, Allianz General, Etiqa General, AXA Affin |
| Takaful operators & retakaful | AIA PUBLIC Takaful, Etiqa Family Takaful, FWD Takaful |
| Development financial institutions | Agrobank, Bank Rakyat, BSN, SME Bank, EXIM Bank |
| Approved e-money issuers | Boost, GrabPay, BigPay, TNG Digital, Kiplepay |
| Payment system operators | Visa, Mastercard, PayNet, UnionPay, JCB, Alipay Connect |
| Registered merchant acquirers | iPay88, Adyen Malaysia, GHL Cardpay, Revenue Monster |
| Intermediary remittance institutions | MoneyGram, Western Union, Merchantrade Asia, Tranglo |
In practical terms: if your organisation holds a BNM licence, registration, or approval to operate in Malaysia’s financial sector, the RMiT applies to you.
Before the November 2025 update, the RMiT already contained meaningful authentication requirements, but many sat at the level of guidance rather than mandatory standards. Understanding the baseline helps clarify how much has changed.
MFA was required for high-risk transactions, particularly open third-party fund transfers and payment transactions.
A specific focus existed on transactions above RM 10,000, though the 2023 version began pushing MFA for all digital transactions.
The 2023 version explicitly encouraged moving toward authentication “resistant to interception or manipulation,” signaling the beginning of the end for SMS-based OTPs.
MFA was elevated from “Guidance” (best practice) to “Standard” (mandatory) in 2023.
Institutions had to apply the principle of least privilege and review access matrices at least annually.
Privileged accounts required stricter controls, including mandatory MFA regardless of whether access was internal or external.
Remote access to internal networks (e.g. via VPN) required MFA as a non-negotiable standard.
Appendix 11 of the 2023 RMiT was the key reference for digital banking security. It required transaction signing (linking MFA to transaction details like recipient and amount), device binding (linking a user’s digital identity to a trusted device), and general fraud countermeasures.
The November 2025 update consolidates and strengthens several earlier circulars and specifications, including the 2022 and 2024 fraud countermeasure specifications. The result is a single, comprehensive policy with sharper, mandatory requirements for how institutions authenticate users and protect digital services. There are five areas that matter most.
"ensure secure binding and unbinding processes for restricting authentication of digital service transactions by default to one mobile device or secure device per account holder"
— RMiT Appendix 3, paragraph 3(a)
This is a direct response to SIM-swap fraud and account takeover attacks, where fraudsters register a new device to an existing account and drain it while the legitimate device remains active. The “default” framing is important: customers can opt to use multiple devices, but they must explicitly request this and accept the associated risks. The institution cannot make multi-device the default.
Practically, this means onboarding and authentication flows need to track device registration, enforce a single binding by default, and maintain a clear, auditable process for customer-requested exceptions.
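One way to express the single-device default and its customer-requested exception in code. This is an added example, not Corbado’s code and not text from the RMiT; the class and method names (DeviceBindingRegistry, BindingError, AuditEvent) and the sample account and device identifiers are this example’s own constructions. It shows the three things the paragraph above asks for: a second device is refused while the account is in its default state, multi-device is only enabled by an explicit, risk-acknowledged opt-in, and every bind, unbind and opt-in lands in an audit trail.

```python
"""Device-binding policy: one active device per account holder by default.

Added example (not Corbado's code, not RMiT text). Models the 'secure binding
and unbinding' expectation of Appendix 3 paragraph 3(a): a second device may be
bound only after the customer explicitly opts in to multi-device, and every
bind / unbind / opt-in is recorded for audit. All names are this example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


class BindingError(Exception):
    """Raised when a request would violate the single-device default."""


@dataclass
class AuditEvent:
    account_id: str
    action: str               # "bind", "unbind" or "multi_device_opt_in"
    device_id: Optional[str]  # None for account-level actions
    actor: str                # who performed it: "customer", "branch-staff", ...
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class DeviceBindingRegistry:
    def __init__(self) -> None:
        self._bound: Dict[str, Set[str]] = {}        # account -> bound device ids
        self._multi_device_opt_in: Set[str] = set()  # accounts that explicitly requested >1 device
        self.audit: List[AuditEvent] = []

    def bound_devices(self, account_id: str) -> Set[str]:
        return set(self._bound.get(account_id, set()))

    def opt_in_multi_device(self, account_id: str, actor: str, acknowledged_risk: bool) -> None:
        # The exception is customer-initiated and risk-acknowledged; the bank never defaults to it.
        if not acknowledged_risk:
            raise BindingError("multi-device requires explicit risk acknowledgement")
        self._multi_device_opt_in.add(account_id)
        self.audit.append(AuditEvent(account_id, "multi_device_opt_in", None, actor))

    def bind(self, account_id: str, device_id: str, actor: str) -> None:
        devices = self._bound.setdefault(account_id, set())
        if device_id in devices:
            return  # re-binding the same device is a no-op
        if devices and account_id not in self._multi_device_opt_in:
            raise BindingError(
                f"account {account_id} already has a bound device; unbind it or opt in to multi-device"
            )
        devices.add(device_id)
        self.audit.append(AuditEvent(account_id, "bind", device_id, actor))

    def unbind(self, account_id: str, device_id: str, actor: str) -> None:
        devices = self._bound.get(account_id, set())
        if device_id not in devices:
            raise BindingError("device is not bound to this account")
        devices.remove(device_id)
        self.audit.append(AuditEvent(account_id, "unbind", device_id, actor))


def demo() -> List[str]:
    """Walk through the single-device default on constructed sample data."""
    reg = DeviceBindingRegistry()
    outcomes: List[str] = []
    reg.bind("acct-001", "phone-A", actor="customer")
    try:
        reg.bind("acct-001", "phone-B", actor="customer")  # second device, no opt-in
        outcomes.append("second bind allowed")
    except BindingError:
        outcomes.append("second bind rejected")
    reg.opt_in_multi_device("acct-001", actor="customer", acknowledged_risk=True)
    reg.bind("acct-001", "phone-B", actor="customer")   # now permitted, and audited
    outcomes.append(f"bound={sorted(reg.bound_devices('acct-001'))}")
    outcomes.append(f"audit={[e.action for e in reg.audit]}")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The registry is deliberately the only place that can move an account from one device to two, so the audit list is a complete record of how any multi-device state came about; replacing a lost phone is modelled as unbind followed by bind, which keeps the account within the default.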
"the registration of new mobile phone number or replacement of existing mobile phone number is only processed after applying robust verification methods to confirm the authenticity of the customer"
— RMiT Appendix 3, paragraph 3(c)
Many institutions still process phone number changes with nothing more than an OTP sent to the current number. That approach fails if the number has already been compromised or the SIM swapped. “Robust verification” in BNM’s framing means methods that go beyond the channel being changed: identity re-verification, step-up authentication using biometrics, or in-branch confirmation for high-risk changes.
"apply appropriate verification and cooling-off period for first time enrolment of digital services or secure device and multiple successive high-volume transactions or other abnormal transaction patterns"
— RMiT Appendix 3, paragraph 3(e)
A newly enrolled device should not immediately have full transaction capabilities. Institutions need to implement time-based restrictions and velocity controls that gradually unlock as the device and user behaviour establish a trust history. If a hacker gains access, they typically try to raise the daily transfer limit and move money immediately. A cooling-off period gives the legitimate owner and the bank’s fraud team a window to detect and stop the session.
Combined with the fraud detection standards, which require real-time behavioural profiling and risk scoring, this creates a clear expectation: the authentication layer needs to be aware of context, not just credentials.
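A worked sketch of the cooling-off and velocity logic described above. This is an added example, not Corbado’s code and not a figure from the RMiT: the tier boundaries (12-hour cooling-off, 3-day restricted tier, RM 1,000 and RM 50,000 caps, three high-value transfers per ten minutes) and the names TrustPolicy, DeviceState and evaluate are constructed for illustration. It shows a fresh device being refused outright, then capped, then trusted, and a burst of high-value transfers on a trusted device being held for review; it also gates the “raise the daily limit” action that the paragraph names as the attacker’s first move.

```python
"""Cooling-off and velocity controls for a newly enrolled device.

Added example (not Corbado's code, not RMiT text). Models Appendix 3
paragraph 3(e): a newly enrolled device starts with no transfer capability,
moves to a low cap, and only later reaches full limits; a burst of successive
high-value transfers is held for review. Every threshold below is an assumed
value for the example, not a regulatory figure.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

ENROLLED_AT = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed enrolment time


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class TrustPolicy:
    cooling_off: timedelta = timedelta(hours=12)       # no transfers at all
    restricted_until: timedelta = timedelta(days=3)    # low per-transaction cap
    restricted_cap_rm: int = 1_000
    full_cap_rm: int = 50_000
    velocity_window: timedelta = timedelta(minutes=10)
    velocity_threshold_rm: int = 5_000                 # what counts as "high-value"
    velocity_max_count: int = 3                        # high-value transfers allowed per window


@dataclass
class DeviceState:
    enrolled_at: datetime
    history: List[Tuple[datetime, int]] = field(default_factory=list)  # (time, amount RM)


def evaluate(policy: TrustPolicy, device: DeviceState, amount_rm: int, now: datetime) -> Decision:
    """Decide whether this transfer may proceed from this device right now."""
    age = now - device.enrolled_at
    if age < policy.cooling_off:
        return Decision(False, "cooling-off: device enrolled too recently")
    cap = policy.restricted_cap_rm if age < policy.restricted_until else policy.full_cap_rm
    if amount_rm > cap:
        return Decision(False, f"amount exceeds cap RM {cap:,} for device age {age.days}d")
    recent_high = [
        t for t, a in device.history
        if now - t <= policy.velocity_window and a >= policy.velocity_threshold_rm
    ]
    if amount_rm >= policy.velocity_threshold_rm and len(recent_high) + 1 > policy.velocity_max_count:
        return Decision(False, "velocity: successive high-value transfers held for review")
    return Decision(True, "ok")


def record(device: DeviceState, amount_rm: int, now: datetime) -> None:
    """Append a completed transfer to the device's history (feeds the velocity check)."""
    device.history.append((now, amount_rm))


def can_raise_daily_limit(policy: TrustPolicy, device: DeviceState, now: datetime) -> bool:
    """Limit increases are blocked until the device has left the restricted tier."""
    return now - device.enrolled_at >= policy.restricted_until


def demo() -> Dict[str, List[bool]]:
    """Exercise the tiers and the velocity rule on constructed timings."""
    policy, device = TrustPolicy(), DeviceState(enrolled_at=ENROLLED_AT)
    tier_checks = [
        (timedelta(hours=1), 100),       # inside cooling-off -> refused
        (timedelta(days=1), 500),        # restricted tier, under cap -> ok
        (timedelta(days=1), 2_000),      # restricted tier, over cap -> refused
        (timedelta(days=5), 40_000),     # full tier -> ok
    ]
    tiers = [evaluate(policy, device, amt, ENROLLED_AT + age).allowed for age, amt in tier_checks]
    limit_raise = [can_raise_daily_limit(policy, device, ENROLLED_AT + timedelta(days=d)) for d in (1, 5)]
    velocity: List[bool] = []
    base = ENROLLED_AT + timedelta(days=5)
    for i in range(4):  # four RM 6,000 transfers one minute apart on a trusted device
        at = base + timedelta(minutes=i)
        d = evaluate(policy, device, 6_000, at)
        velocity.append(d.allowed)
        if d.allowed:
            record(device, 6_000, at)
    return {"tiers": tiers, "limit_raise": limit_raise, "velocity": velocity}


if __name__ == "__main__":
    print(demo())
```

The point of keeping `evaluate` a pure function of policy, device state and the current time is that the same call can be replayed from logs during an investigation, which is what the real-time profiling and risk-scoring expectation in the fraud detection standards relies on.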
This is the most significant authentication requirement in the update. It builds on years of BNM guidance and turns it into a binding standard:
"deployment of MFA technology and channels that are more secure than unencrypted SMS … the MFA solution is resistant to interception or manipulation by any third party throughout the authentication process"
— RMiT Appendix 3, paragraphs 5 and 6
The policy goes further by introducing transaction binding:
"authentication code must be initiated and generated locally by the payer/sender using MFA … authentication code generated by payer/sender must be specific to the confirmed identified beneficiary and amount"
— RMiT Appendix 3, paragraphs 6(c) and 6(d)
Transaction binding means the authentication code must be tied to the specific transaction details (recipient and amount), not just to a session or login. This directly addresses “OTP redirect” attacks, where fraudsters manipulate the transaction after the user has already authenticated. An OTP that was generated for a payment of RM 500 to Account A cannot be reused for a payment of RM 50,000 to Account B.
For institutions still relying on SMS OTP as their primary second factor, this is the clearest signal yet: the migration path is not optional. The table below summarises which MFA methods align with the new requirements:
| MFA Method | Phishing-Resistant? | RMiT Compliant? |
|---|---|---|
| SMS OTP | No | No |
| TOTP (e.g. Google Authenticator) | No | Partial (transitional only) |
| Push notification | No | Partial (transitional only) |
| In-app OTP with transaction details | Partial | Yes (if interception-resistant) |
| Passkeys (FIDO2 / WebAuthn) | Yes | Yes |
| Hardware security keys (FIDO2) | Yes | Yes |
BNM also explicitly requires institutions to offer passwordless alternatives:
"offer to its customer a robust cryptographic key-based authentication such as digital certificate or passwordless as an alternative to existing password-based authentication method"
— RMiT Appendix 3, paragraph 9
This is a clear directive to move toward passkeys, hardware-backed authentication, or certificate-based methods. Unlike the MFA upgrade, which focuses on replacing SMS OTP, this requirement targets the password itself. The two requirements work in tandem: institutions need to move beyond SMS for the second factor and offer an alternative to the password for the first factor.
Passkeys are the most natural fit here. A single passkey credential satisfies both requirements simultaneously. It is a cryptographic key-based authentication method (paragraph 9), it is more secure than unencrypted SMS (paragraphs 5–6), and because passkeys bind the authentication to the specific origin (website or app), they also support the intent behind transaction binding.
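To make the transaction-binding and origin-binding points concrete, here is a server-side verifier modelled on a WebAuthn assertion. This is an added example, not Corbado’s code and not the RMiT’s text. It assumes a constructed relying-party origin (`https://bank.example`) and, so that it runs with the Python standard library alone, stands in for the authenticator’s signature with an HMAC over a per-device secret; a real passkey signs with a private key that never leaves the device and the server verifies with the registered public key. The challenge is derived from the beneficiary and amount the customer confirmed, so the code generated for RM 500 to Account A fails for RM 50,000 to Account B (the OTP-redirect case from above), and an assertion produced on a look-alike origin fails the origin check.

```python
"""Transaction-bound and origin-bound authentication, modelled on WebAuthn.

Added example (not Corbado's code, not RMiT text). The assertion covers
(1) a challenge derived from the beneficiary and amount on the server's own
record and (2) the origin the client saw, which is what paragraphs 6(c)/6(d)
and passkey origin binding give you together.

Assumption: HMAC with a per-device secret stands in for the authenticator's
private-key signature so this runs with the standard library only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Tuple

EXPECTED_ORIGIN = "https://bank.example"           # constructed relying-party origin
DEVICE_SECRET = b"constructed-per-device-secret"  # stand-in for the passkey private key


@dataclass(frozen=True)
class PendingTransfer:
    beneficiary: str
    amount_rm: int
    nonce: str  # server-generated per transfer; makes each challenge single-use


def transaction_challenge(t: PendingTransfer) -> str:
    """Challenge = hash of the canonical transaction details, not a bare random value."""
    canonical = json.dumps(
        {"beneficiary": t.beneficiary, "amount_rm": t.amount_rm, "nonce": t.nonce},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def sign_assertion(t: PendingTransfer, origin: str, secret: bytes = DEVICE_SECRET) -> Dict[str, object]:
    """Client side: what the authenticator returns for the transfer the user confirmed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": transaction_challenge(t), "origin": origin},
        sort_keys=True,
    ).encode()
    client_data_hash = hashlib.sha256(client_data).digest()
    authenticator_data = b"\x00" * 37  # rpIdHash || flags || counter, constructed placeholder
    signature = hmac.new(secret, authenticator_data + client_data_hash, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": signature}


def verify_assertion(assertion: Dict[str, object], on_record: PendingTransfer,
                     secret: bytes = DEVICE_SECRET) -> Tuple[bool, str]:
    """Server side: every expectation is recomputed from the server's own record."""
    client_data_json: bytes = assertion["clientDataJSON"]  # type: ignore[assignment]
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if not hmac.compare_digest(client_data.get("challenge", ""), transaction_challenge(on_record)):
        return False, "challenge does not match the beneficiary/amount on record"
    signed = assertion["authenticatorData"] + hashlib.sha256(client_data_json).digest()  # type: ignore[operator]
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(assertion["signature"])):
        return False, "signature invalid"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Legitimate transfer, post-authentication tampering, and a wrong-origin assertion."""
    legit = PendingTransfer("Account A", 500, "nonce-0001")
    assertion = sign_assertion(legit, EXPECTED_ORIGIN)
    ok, _ = verify_assertion(assertion, legit)
    # Attacker alters the pending transfer after the customer authenticated.
    tampered = PendingTransfer("Account B", 50_000, "nonce-0001")
    redirected, _ = verify_assertion(assertion, tampered)
    # Same transfer, but the assertion was produced on a look-alike origin.
    phished = sign_assertion(legit, "https://bank-example.test")
    wrong_origin, _ = verify_assertion(phished, legit)
    return {"legit": ok, "otp_redirect": redirected, "wrong_origin": wrong_origin}


if __name__ == "__main__":
    print(demo())
```

The verifier never trusts the beneficiary or amount carried in client data; it recomputes the challenge from the pending transfer stored server-side, which is the property that makes the authentication code "specific to the confirmed identified beneficiary and amount" rather than merely present.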
| Area | Before November 2025 | After November 2025 |
|---|---|---|
| Device binding | Required, but multi-device was common and loosely governed | One device per user by default; multi-device only by explicit customer request with audit trail |
| Phone number changes | Often processed with SMS OTP to the current number | Robust verification required (biometrics, branch visit, or independent channel) |
| New device enrollment | Immediate full access after enrollment was common | Mandatory cooling-off period; transaction limits during trust-building phase |
| SMS OTP | Discouraged but tolerated as primary second factor | Explicitly non-compliant as sole MFA; must be replaced by interception-resistant methods |
| Transaction binding | Required for high-risk transactions (general) | Auth code must be specific to beneficiary and amount; locally generated |
Malaysia’s updated RMiT sits within a broader regional trend. Across Asia-Pacific, financial regulators are converging on the same set of requirements: device-bound credentials, phishing-resistant MFA, and a move away from passwords and SMS OTP.
Singapore (MAS): The Monetary Authority of Singapore has long required device binding and transaction signing for digital banking and has been progressively tightening its Technology Risk Management (TRM) guidelines in a direction closely mirroring BNM’s approach.
India (RBI): The Reserve Bank of India has pushed for additional factors of authentication and transaction-specific authorization, particularly for card-not-present and UPI transactions.
Hong Kong (HKMA): The Hong Kong Monetary Authority’s e-banking guidelines require strong customer authentication and device registration controls for high-risk operations.
Vietnam (State Bank of Vietnam): Circular 45/2025 requires banks to verify customer biometrics against the chip-based Citizen ID or national database for certain high-value transactions, introducing a centralized verification step.
The architecture required for RMiT compliance, including cryptographic device binding, passkeys, and transaction-level authentication, is where the entire region is heading. Institutions that invest in this architecture now are building for regulatory convergence, not just a single national policy.
Corbado’s platform is built for the authentication challenges the updated RMiT is designed to address. Here is how the key requirements map to Corbado’s capabilities:
Phishing-resistant MFA and passwordless authentication: Corbado’s passkey implementation provides a direct path to compliance with BNM’s requirements for MFA that is more secure than unencrypted SMS (paragraphs 5–6) and for cryptographic key-based authentication as an alternative to passwords (paragraph 9). A single passkey credential addresses both requirements simultaneously.
Device binding: Corbado supports device-bound passkeys and cryptographic credentials that are tied to a specific device. Enrollment flows can enforce the one-device-per-user default with clear mechanisms for customer-requested exceptions, all with a full audit trail.
Audit and compliance readiness: Corbado’s telemetry, event logging, and reporting capabilities make it straightforward to demonstrate that authentication controls are not only designed but operating effectively. Corbado operates under an ISO 27001-certified ISMS and holds SOC 2 Type II attestation, aligning its own security posture with the expectations placed on Malaysian financial institutions.
The November 2025 RMiT update turns years of BNM guidance on authentication security into binding regulation. SMS OTP is no longer compliant as a standalone second factor. Device binding is mandatory by default. Transaction authentication must be tied to specific payment details. And institutions must offer cryptographic key-based alternatives to passwords.
For institutions that have already started migrating away from SMS and toward phishing-resistant methods, the update codifies what they were already doing. For those that have not, the gap between current practice and the new standard is significant, and the compliance timeline is now fixed.
Passkeys are the most direct path to meeting the updated requirements. A single passkey credential satisfies the MFA upgrade, the passwordless alternative, and the device binding requirements in one implementation. Combined with step-up authentication for sensitive operations and cooling-off logic for new enrollments, this gives institutions a coherent architecture rather than a patchwork of point solutions.
To close, here are the answers to the questions posed at the start:
What is the RMiT policy and who does it apply to? The RMiT is BNM’s central technology risk framework, applicable to all regulated financial institutions in Malaysia including banks, insurers, e-money issuers, payment system operators, and remittance providers.
What did the authentication landscape look like before November 2025? MFA was already mandatory for high-risk transactions and privileged access, but SMS OTP was still tolerated, multi-device setups were loosely governed, and the passwordless alternative was not yet required.
What are the most important changes to authentication and MFA? Five changes stand out: one device per user by default, robust verification for phone number changes, mandatory cooling-off periods for new devices, MFA that is more secure than SMS with transaction binding, and a requirement to offer passkeys or cryptographic key-based authentication.
How do passkeys help financial institutions comply? Passkeys satisfy the MFA upgrade, the passwordless alternative, and the device binding requirements in a single implementation, while also being resistant to phishing, SIM-swap, and OTP interception attacks.