---
url: 'https://www.corbado.com/blog/malaysia-banking-mfa-passkeys'
title: 'MFA Update to Malaysian Central Bank Risk Management'
description: 'Learn what changed in Malaysia’s updated RMiT policy, why BNM now requires phishing-resistant MFA and how passkeys help stay compliant.'
lang: 'en'
author: 'Alex'
date: '2026-03-19T08:08:24.103Z'
lastModified: '2026-04-26T06:01:16.578Z'
keywords: 'RMiT Malaysia, BNM RMiT 2025, Malaysia MFA regulation, Bank Negara Malaysia authentication, RMiT passkeys, phishing-resistant MFA Malaysia, device binding Malaysia banking, SMS OTP Malaysia, RMiT compliance, Malaysia digital banking security'
category: 'Authentication'
---

# MFA Update to Malaysian Central Bank Risk Management

## Key Facts

- The November 2025 **RMiT** update converts BNM's authentication guidance into binding
  regulation, covering all licensed banks, insurers, e-money issuers and payment system
  operators in Malaysia.
- **SMS OTP** is now explicitly non-compliant as a standalone second factor. MFA must be
  interception-resistant and tied to the specific beneficiary and amount.
- **Device binding** defaults to one mobile device per account. Multi-device access
  requires explicit customer opt-in and an auditable exception process.
- **Passkeys** (FIDO2/WebAuthn) satisfy phishing-resistant MFA, passwordless
  authentication and device binding requirements simultaneously, making them the most
  direct path to full compliance.
- Malaysian banks blocked over 383 million Ringgit (100 million USD) in fraudulent
  transactions in 2024, driving the shift to mandatory phishing-resistant controls.

## 1. Introduction

Bank Negara Malaysia (BNM) issued an updated
[Risk Management in Technology (RMiT)](https://www.bnm.gov.my/documents/20124/938039/pd-rmit-nov25.pdf)
policy in November 2025, replacing the June 2023 version. While the update covers a broad
range of technology risk areas, the most consequential changes sit in authentication,
device binding, multi-factor authentication, and fraud prevention. This Malaysian
[banking](https://www.corbado.com/passkeys-for-banking) regulation for financial institutions is no longer best
practice or guidance; it has become a mandatory standard.

BNM has been slowly pushing institutions away from SMS OTP since 2023. The reason was
straightforward: fraudsters have built tools to intercept
[SMS authentication](https://www.corbado.com/blog/sms-costs) codes before customers could see them, and SIM-swap
attacks allowed criminals to redirect codes to devices they controlled. By 2024, Malaysian
banks collectively blocked over 383 million Malaysian Ringgit (over 100 million USD) in
fraudulent transactions, according to their annual report. The November 2025 update takes
that progress and codifies it into binding regulation.

This article breaks down the key authentication and MFA changes in the updated RMiT,
explains the regulatory context, and shows where passkeys and
[phishing](https://www.corbado.com/glossary/phishing)-resistant authentication fit into the compliance picture.
We answer the following questions:

1. What is the RMiT policy and who does it apply to?

2. What did the authentication landscape look like before November 2025?

3. What are the most important changes to authentication and MFA requirements?

4. How do passkeys help financial institutions comply with the updated RMiT?

## 2. What Is the Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) Policy?

The RMiT policy is BNM’s **central regulatory framework** governing how regulated
financial institutions manage technology risk. BNM RMiT compliance sets requirements for
IT governance, cybersecurity, digital services, cloud usage, and authentication controls,
with the goal of keeping [financial services](https://www.corbado.com/passkeys-for-banking) available, resilient,
and trusted as digital channels and threat levels evolve.

The policy also treats cloud usage as a form of outsourcing, requiring institutions to
retain appropriate ownership and control over customer data and cryptographic keys. In
practice, the RMiT is the compliance baseline that every regulated financial institution
in Malaysia must build its technology risk posture around.

## 3. Who must comply with the RMiT Policy?

RMiT requirements apply to all financial institutions regulated by BNM. The scope is
broad, covering not only traditional banks but also insurers, e-money
[issuers](https://www.corbado.com/glossary/issuer), [payment](https://www.corbado.com/passkeys-for-payment) system operators and
remittance institutions. The following table summarises the main categories:

| **Institution Category**                 | **Examples**                                                            |
| ---------------------------------------- | ----------------------------------------------------------------------- |
| **Licensed banks**                       | CIMB Bank, Maybank, HSBC Malaysia, Hong Leong Bank, AmBank, Public Bank |
| **Licensed investment banks**            | CIMB Investment Bank, Affin Hwang, AmInvestment Bank                    |
| **Licensed Islamic banks**               | Bank Islam Malaysia, Bank Muamalat, CIMB Islamic Bank                   |
| **Licensed insurers & reinsurers**       | AIA Berhad, Allianz General, Etiqa General, AXA Affin                   |
| **Takaful operators & retakaful**        | AIA PUBLIC Takaful, Etiqa Family Takaful, FWD Takaful                   |
| **Development financial institutions**   | Agrobank, Bank Rakyat, BSN, SME Bank, EXIM Bank                         |
| **Approved e-money issuers**             | Boost, GrabPay, BigPay, TNG Digital, Kiplepay                           |
| **Payment system operators**             | Visa, Mastercard, PayNet, UnionPay, JCB, Alipay Connect                 |
| **Registered merchant acquirers**        | iPay88, Adyen Malaysia, GHL Cardpay, Revenue Monster                    |
| **Intermediary remittance institutions** | MoneyGram, Western Union, Merchantrade Asia, Tranglo                    |

In practical terms: if your organisation holds a BNM licence, registration, or approval to
operate in Malaysia’s financial sector, the RMiT applies to you.

## 4. What did the Authentication Requirements from BNM look like before November 2025?

Before the November 2025 update, the RMiT already contained meaningful authentication
requirements, but many sat at the level of guidance rather than mandatory standards.
Understanding the baseline helps clarify how much has changed.

### 4.1 MFA Controls

- MFA was required for high-risk transactions, particularly open third-party fund
  transfers and [payment](https://www.corbado.com/passkeys-for-payment) transactions.

- A specific focus existed on transactions above RM 10,000, though the 2023 version began
  pushing MFA for all digital transactions.

- The 2023 version explicitly encouraged moving toward authentication “resistant to
  interception or manipulation,” signaling the beginning of the end for SMS-based OTPs.

- MFA was elevated from “Guidance” (best practice) to “Standard” (mandatory) in 2023.

### 4.2 Authentication Controls and Access Management

- Institutions had to apply the principle of least privilege and review access matrices at
  least annually.

- Privileged accounts required stricter controls, including mandatory MFA regardless of
  whether access was internal or external.

- Remote access to internal networks (e.g. via VPN) required MFA as a non-negotiable
  standard.

### 4.3 Digital Service Controls

Appendix 11 of the 2023 RMiT was the key reference for digital
[banking](https://www.corbado.com/passkeys-for-banking) security. It required transaction signing (linking MFA to
transaction details like recipient and amount), device binding (linking a user’s
[digital identity](https://www.corbado.com/blog/digital-identity-guide) to a trusted device), and general fraud
countermeasures.

## 5. What are the most important Changes to the BNM RMiT Policy?

The November 2025 update consolidates and strengthens several earlier circulars and
specifications, including the 2022 and 2024 fraud countermeasure specifications. The
result is a single, comprehensive policy with sharper, mandatory requirements for how
institutions authenticate users and protect digital services. There are five areas that
matter most.

### 5.1 One Device per User, by Default

_"ensure secure binding and unbinding processes for restricting authentication of digital
service transactions by default to one mobile device or secure device per account holder"_

— RMiT Appendix 3, paragraph 3(a)

This is a direct response to SIM-swap fraud and account takeover attacks, where fraudsters
register a new device to an existing account and drain it while the legitimate device
remains active. The “default” framing is important: customers can opt to use multiple
devices, but they must explicitly request this and accept the associated risks. The
institution cannot make multi-device the default.

Practically, this means onboarding and authentication flows need to track device
registration, enforce a single binding by default, and maintain a clear, auditable process
for customer-requested exceptions.

### 5.2 Robust Verification for Phone Number Changes

_"the registration of new mobile phone number or replacement of existing mobile phone
number is only processed after applying robust verification methods to confirm the
authenticity of the customer"_

— RMiT Appendix 3, paragraph 3(c)

Many institutions still process phone number changes with nothing more than an OTP sent to
the current number. That approach fails if the number has already been compromised or the
SIM swapped. “Robust verification” in BNM’s framing means methods that go beyond the
channel being changed: identity re-verification,
[step-up authentication](https://www.corbado.com/glossary/step-up-authentication) using biometrics, or in-branch
confirmation for high-risk changes.

### 5.3 Cooling-Off Periods and Transaction Limits for New Devices

_"apply appropriate verification and cooling-off period for first time enrolment of
digital services or secure device and multiple successive high-volume transactions or
other abnormal transaction patterns"_

— RMiT Appendix 3, paragraph 3(e)

A newly enrolled device should not immediately have full transaction capabilities.
Institutions need to implement time-based restrictions and velocity controls that
gradually unlock as the device and user behaviour establish a trust history. If an
attacker gains access to an account, they typically try to raise the daily transfer limit
and move money immediately. A cooling-off period gives the legitimate owner and the bank's
fraud team a window to detect and stop the session.

Combined with the fraud detection standards, which require real-time behavioural profiling
and risk scoring, this creates a clear expectation: the authentication layer needs to be
aware of context, not just credentials.
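The policy evaluator below is an added example, not code from the article or from Corbado, showing one way to implement paragraph 3(e): a cooling-off period and graduated per-transfer limits keyed to device age, a velocity check for successive high-volume transfers, and a block on raising the daily limit from a device that has not yet earned full trust. All tier boundaries, amounts and windows are assumed illustrative values, not figures from the RMiT.

```javascript
const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;

// Illustrative trust tiers (assumed values): the per-transfer limit, in sen, that a
// device unlocks as time since enrolment passes.
const TRUST_TIERS = [
  { minAgeMs: 0, perTxLimitSen: 0 },              // cooling-off: no third-party transfers
  { minAgeMs: 12 * HOUR, perTxLimitSen: 100000 }, // RM 1,000 per transfer after 12 h
  { minAgeMs: 3 * DAY, perTxLimitSen: 1000000 },  // RM 10,000 per transfer after 3 days
  { minAgeMs: 14 * DAY, perTxLimitSen: Infinity } // account's normal limit after 14 days
];

// Velocity control for "multiple successive high-volume transactions" (assumed values):
// at most 5 transfers and RM 20,000 in total within any rolling hour.
const VELOCITY = { windowMs: HOUR, maxCount: 5, maxTotalSen: 2000000 };

function tierFor(deviceAgeMs) {
  let tier = TRUST_TIERS[0];
  for (const t of TRUST_TIERS) if (deviceAgeMs >= t.minAgeMs) tier = t;
  return tier;
}

// Raising the daily transfer limit, the first thing an account takeover usually attempts,
// is only permitted from a device that has reached the full-trust tier.
function canRaiseDailyLimit(device, now) {
  return tierFor(now - device.enrolledAt).perTxLimitSen === Infinity;
}

// device: { enrolledAt }, history: [{ at, amountSen }] transfers already executed for the
// account. Returns { allowed, reason } so the caller can record the decision for audit.
function evaluateTransfer({ device, history, now, amountSen }) {
  const tier = tierFor(now - device.enrolledAt);
  if (tier.perTxLimitSen === 0) {
    return { allowed: false, reason: 'cooling-off: device enrolled less than 12 hours ago' };
  }
  if (amountSen > tier.perTxLimitSen) {
    return { allowed: false, reason: 'exceeds per-transfer limit for current device trust tier' };
  }
  const recent = history.filter((h) => now - h.at <= VELOCITY.windowMs);
  const recentTotal = recent.reduce((sum, h) => sum + h.amountSen, 0);
  if (recent.length + 1 > VELOCITY.maxCount || recentTotal + amountSen > VELOCITY.maxTotalSen) {
    return { allowed: false, reason: 'velocity: successive high-volume transfers, hold for review' };
  }
  return { allowed: true, reason: 'within limits' };
}

// Constructed scenario: a device is enrolled, a RM 50,000 transfer is attempted five
// minutes later, then a RM 2,500 transfer and a burst of transfers are attempted on day 4.
function demo() {
  const enrolledAt = Date.UTC(2026, 0, 10, 9, 0, 0);
  const device = { enrolledAt };
  const immediate = evaluateTransfer({ device, history: [], now: enrolledAt + 5 * 60 * 1000, amountSen: 5000000 });
  const day4 = enrolledAt + 4 * DAY;
  const later = evaluateTransfer({ device, history: [], now: day4, amountSen: 250000 });
  // Four RM 4,500 transfers in the last 40 minutes, then a fifth of RM 3,000: the hourly
  // total would reach RM 21,000 and trip the velocity check.
  const burstHistory = [1, 2, 3, 4].map((i) => ({ at: day4 - i * 10 * 60 * 1000, amountSen: 450000 }));
  const burst = evaluateTransfer({ device, history: burstHistory, now: day4, amountSen: 300000 });
  return { immediate, later, burst, raiseLimitDay4: canRaiseDailyLimit(device, day4) };
}
```

Each denial carries a reason string so the decision can be logged for the auditable exception process the policy expects.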

### 5.4 MFA that is more secure than unencrypted SMS

This is the most significant authentication requirement in the update. It builds on years
of BNM guidance and turns it into a binding standard:

_"deployment of MFA technology and channels that are more secure than unencrypted SMS …
the MFA solution is resistant to interception or manipulation by any third party
throughout the authentication process"_

— RMiT Appendix 3, paragraphs 5 and 6

The policy goes further by introducing **transaction binding**:

_"authentication code must be initiated and generated locally by the payer/sender using
MFA … authentication code generated by payer/sender must be specific to the confirmed
identified beneficiary and amount"_

— RMiT Appendix 3, paragraphs 6(c) and 6(d)

Transaction binding means the authentication code must be tied to the specific transaction
details (recipient and amount), not just to a session or login. This directly addresses
“OTP redirect” attacks, where fraudsters manipulate the transaction after the user has
already authenticated. An OTP that was generated for a [payment](https://www.corbado.com/passkeys-for-payment) of
RM 500 to Account A cannot be reused for a payment of RM 50,000 to Account B.

For institutions still relying on SMS OTP as their primary second factor, this is the
clearest signal yet: the migration path is not optional. The table below summarises which
MFA methods align with the new requirements:

| **MFA Method**                          | **Phishing-Resistant?** | **RMiT Compliant?**             |
| --------------------------------------- | ----------------------- | ------------------------------- |
| **SMS OTP**                             | No                      | No                              |
| **TOTP (e.g. Google Authenticator)**    | No                      | Partial (transitional only)     |
| **Push notification**                   | No                      | Partial (transitional only)     |
| **In-app OTP with transaction details** | Partial                 | Yes (if interception-resistant) |
| **Passkeys (FIDO2 / WebAuthn)**         | Yes                     | Yes                             |
| **Hardware security keys (FIDO2)**      | Yes                     | Yes                             |

### 5.5 Passkeys and Cryptographic Key-based Authentication for BNM RMiT

BNM also explicitly requires institutions to offer passwordless alternatives:

_"offer to its customer a robust cryptographic key-based authentication such as digital
certificate or passwordless as an alternative to existing password-based authentication
method"_

— RMiT Appendix 3, paragraph 9

This is a clear directive to move toward passkeys, hardware-backed authentication, or
certificate-based methods. Unlike the MFA upgrade, which focuses on replacing SMS OTP,
this requirement targets the password itself. The two requirements work in tandem:
institutions need to move beyond SMS for the second factor **and** offer an alternative to
the password for the first factor.

Passkeys are the most natural fit here. A single passkey credential satisfies both
requirements simultaneously. It is a cryptographic key-based authentication method
(paragraph 9), it is more secure than unencrypted SMS (paragraphs 5–6), and because
passkeys bind the authentication to the specific origin (website or app), they also
support the intent behind transaction binding. Origin binding on its own stops a phishing
site from relaying the assertion; to meet paragraphs 6(c) and 6(d) the challenge the
passkey signs must additionally be derived from the confirmed beneficiary and amount.

## 6. Summary: Before and after the November 2025 Update

| **Area**                  | **Before November 2025**                                   | **After November 2025**                                                                         |
| ------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| **Device binding**        | Required, but multi-device was common and loosely governed | One device per user by default; multi-device only by explicit customer request with audit trail |
| **Phone number changes**  | Often processed with SMS OTP to the current number         | Robust verification required (biometrics, branch visit, or independent channel)                 |
| **New device enrollment** | Immediate full access after enrollment was common          | Mandatory cooling-off period; transaction limits during trust-building phase                    |
| **SMS OTP**               | Discouraged but tolerated as primary second factor         | Explicitly non-compliant as sole MFA; must be replaced by interception-resistant methods        |
| **Transaction binding**   | Required for high-risk transactions (general)              | Auth code must be specific to beneficiary and amount; locally generated                         |

## 7. Regional Context: Malaysia is not alone

Malaysia’s updated RMiT sits within a broader regional trend. Across Asia-Pacific,
financial regulators are converging on the same set of requirements: device-bound
credentials, [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA, and a move away from passwords
and SMS OTP.

- **Singapore (MAS):** The Monetary Authority of Singapore has long required device
  binding and transaction signing for digital [banking](https://www.corbado.com/passkeys-for-banking) and has
  been progressively tightening its Technology Risk Management (TRM) guidelines in a
  direction closely mirroring BNM’s approach.

- **India (RBI):** The Reserve Bank of India has pushed for additional factors of
  authentication and transaction-specific authorization, particularly for card-not-present
  and UPI transactions.

- **Hong Kong (HKMA):** The Hong Kong Monetary Authority’s e-banking guidelines require
  [strong customer authentication](https://www.corbado.com/faq/sca-psd2-importance) and device registration
  controls for high-risk operations.

- **Vietnam (State Bank of Vietnam):** Circular 45/2025 requires banks to verify customer
  biometrics against the chip-based Citizen ID or national database for certain high-value
  transactions, introducing a centralized verification step.

The architecture required for RMiT compliance, including cryptographic device binding,
passkeys, and transaction-level authentication, is where the entire region is heading.
Institutions that invest in this architecture now are building for regulatory convergence,
not just a single national policy.

## 8. How Corbado helps Financial Institutions meet the updated RMiT

Corbado’s platform is built for the authentication challenges the updated RMiT is designed
to address. Here is how the key requirements map to Corbado’s capabilities:

- [**Phishing-resistant MFA**](https://www.corbado.com/blog/passkeys-phishing-resistant)
  **and passwordless authentication:** Corbado’s passkey implementation provides a direct
  path to compliance with BNM’s requirements for MFA that is more secure than unencrypted
  SMS (paragraphs 5–6) and for cryptographic key-based authentication as an alternative to
  passwords (paragraph 9). A single passkey credential addresses both requirements
  simultaneously.

- **Device binding:** Corbado supports
  [device-bound passkeys](https://www.corbado.com/blog/fbi-operation-winter-shield-passkeys) and cryptographic
  credentials that are tied to a specific device. Enrollment flows can enforce the
  one-device-per-user default with clear mechanisms for customer-requested exceptions, all
  with a full audit trail.

- **Audit and compliance readiness**: Corbado’s telemetry, event logging, and reporting
  capabilities make it straightforward to demonstrate that authentication controls are not
  only designed but operating effectively. Corbado operates under an
  [ISO 27001](https://www.corbado.com/blog/cybersecurity-frameworks)-certified ISMS and holds
  [SOC 2](https://www.corbado.com/blog/cybersecurity-frameworks) Type II [attestation](https://www.corbado.com/glossary/attestation),
  aligning its own security posture with the expectations placed on Malaysian financial
  institutions.

## 9. Conclusion

The November 2025 RMiT update turns years of BNM guidance on authentication security into
binding regulation. SMS OTP is no longer compliant as a standalone second factor. Device
binding is mandatory by default. Transaction authentication must be tied to specific
payment details. And institutions must offer cryptographic key-based alternatives to
passwords.

For institutions that have already started migrating away from SMS and toward
[phishing](https://www.corbado.com/glossary/phishing)-resistant methods, the update codifies what they were
already doing. For those that have not, the gap between current practice and the new
standard is significant, and the compliance timeline is now fixed.

Passkeys are the most direct path to meeting the updated requirements. A single passkey
credential satisfies the MFA upgrade, the passwordless alternative, and the device binding
requirements in one implementation. Combined with
[step-up authentication](https://www.corbado.com/glossary/step-up-authentication) for sensitive operations and
cooling-off logic for new enrollments, this gives institutions a coherent architecture
rather than a patchwork of point solutions.

We can now answer the questions posed in the introduction:

- **What is the RMiT policy and who does it apply to?** The RMiT is BNM’s central
  technology risk framework, applicable to all regulated financial institutions in
  Malaysia including banks, insurers, e-money [issuers](https://www.corbado.com/glossary/issuer), payment system
  operators, and remittance providers.

- **What did the authentication landscape look like before November 2025?** MFA was
  already mandatory for high-risk transactions and privileged access, but SMS OTP was
  still tolerated, multi-device setups were loosely governed, and the passwordless
  alternative was not yet required.

- **What are the most important changes to authentication and MFA?** Five changes stand
  out: one device per user by default, robust verification for phone number changes,
  mandatory cooling-off periods for new devices, MFA that is more secure than SMS with
  transaction binding, and a requirement to offer passkeys or cryptographic key-based
  authentication.

- **How do passkeys help financial institutions comply?** Passkeys satisfy the MFA
  upgrade, the passwordless alternative, and the device binding requirements in a single
  implementation, while also being resistant to phishing, SIM-swap, and OTP interception
  attacks.

## Frequently Asked Questions

### What does 'transaction binding' mean in the context of BNM RMiT compliance?

Transaction binding requires that each authentication code is generated locally by the
payer and is mathematically tied to the specific beneficiary account and payment amount
being authorized. This prevents OTP redirect attacks, where a fraudster manipulates
transaction details after the user has already authenticated. A code generated for a
payment to one account cannot be reused to authorize a different payment or amount.

### Why does the RMiT 2025 update require a cooling-off period after a customer enrolls a new device?

The cooling-off period prevents fraudsters who gain access to an account from immediately
transferring funds through a newly registered device. BNM requires institutions to apply
transaction limits and time-based restrictions during an initial trust-building phase for
newly enrolled devices. This gives both the legitimate account holder and the
institution's fraud team a detection window before full transaction capabilities are
unlocked.

### How does Malaysia's updated RMiT compare to authentication regulations in other Asian countries?

Malaysia's RMiT 2025 aligns with a regional Asia-Pacific trend where Singapore's MAS,
India's RBI, Hong Kong's HKMA and Vietnam's State Bank are all converging on device-bound
credentials, phishing-resistant MFA and SMS OTP elimination. Vietnam's Circular 45/2025
specifically requires biometric verification against chip-based national ID documents for
high-value transactions. Institutions investing in RMiT-compliant architecture are
therefore positioning for regional regulatory convergence, not just a single national
requirement.

### What verification does BNM RMiT now require when a customer changes their registered mobile phone number?

The updated RMiT requires robust verification before processing any phone number change,
going beyond simply sending an OTP to the current number. Acceptable approaches include
identity re-verification, step-up biometric authentication or in-branch confirmation,
ensuring the verification channel is independent from the one being replaced. This
directly addresses SIM-swap attacks, where a fraudster who already controls a phone number
could otherwise self-authorize the change.
