RMiT 2025 Tightens Strong Authentication Requirements in Malaysia and Savyint’s Compliance Solutions for Financial Institutions

In November 2025, Bank Negara Malaysia (BNM) officially issued an updated version of its Risk Management in Technology (RMiT) policy, introducing stricter requirements for enhanced identity verification, device binding, and fraud prevention across Malaysia’s financial sector.

1. About BNM’s RMiT Policy 

Risk Management in Technology (RMiT) is Bank Negara Malaysia’s central policy framework for managing technology risk and cybersecurity risk in the financial sector.

The policy sets out minimum requirements for financial institutions to strengthen governance, cybersecurity, technology operations, digital services, third-party risk management, cloud adoption, fraud detection, and customer protection. Its objective is to ensure that financial institutions can maintain secure, stable, and trusted digital services amid increasingly complex cyber threats.

RMiT applies to all financial institutions regulated by BNM, including banks, insurers and reinsurers, electronic money issuers, payment system operators, other licensed financial institutions, and money transfer intermediaries.

2. The November 2025 RMiT Update 

The RMiT policy issued in June 2023 introduced several authentication-related requirements, including multi-factor authentication, access management, and digital service controls. However, these requirements remained largely guidance-based rather than mandatory standards.

In November 2025, the updated RMiT policy was issued, marking a significant turning point in strong authentication by introducing clearer mandatory requirements on how organizations must authenticate users and protect digital services. Below are the key changes.

a. One Device per User by Default 

One of the most important changes is the default requirement to use only one device, aimed at preventing SIM-swap fraud and account takeover. Financial institutions must ensure secure device binding and unbinding processes, while limiting digital service transaction authentication by default to one mobile device per account holder.

Users may register additional devices, but they must actively request this and accept the associated risks. Financial institutions are not allowed to make multiple devices the default option. The process must include:

  • Explicit user consent  
  • Additional authentication  
  • Security monitoring  

b. Stronger Verification for Mobile Number Changes 

Previously, many banking applications allowed users to update their mobile phone numbers by confirming an OTP sent to the existing number. However, this approach is no longer considered secure if the number has already been compromised or affected by SIM swapping.

Therefore, under the latest RMiT update, organizations are required to adopt stronger authentication mechanisms, such as:

  • Identity reverification  
  • Biometric authentication  
  • Physical branch-based authentication for high-risk scenarios  

c. Cooling-Off Periods and Transaction Limits for Newly Registered Devices

RMiT requires appropriate verification and cooling-off periods in the following cases: 

  • First-time registration for digital services or security devices  
  • Multiple consecutive high-value transactions  
  • Unusual transactions  

Accordingly, newly registered devices should not be granted full transaction privileges immediately. Organizations need to establish time-based limits and transaction frequency controls. Transaction rights should be gradually expanded as the device and user behavior build a trusted history.

Combined with fraud detection standards that require behavioral analytics and real-time risk scoring, RMiT requires the authentication layer to understand context, not merely verify login credentials.
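The controls in sections 2a and 2c (one device by default, opt-in additional devices gated by consent plus additional authentication, a cooling-off period and graduated limits for newly bound devices, and a check on consecutive high-value transactions) can be expressed as a small policy engine. This is an added illustration, not code from the page or from any vendor; the cooling-off length, the caps and the high-value threshold are constructed values, since RMiT sets the requirement but not these numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values: RMiT calls for cooling-off periods and limits; the
# numbers here are constructed for illustration, not taken from the policy.
TIERS = [                        # (device age below, per-transaction cap in MYR)
    (timedelta(hours=24), 0),    # cooling-off: no transactions at all
    (timedelta(days=7), 1_000),  # limited rights while trust history builds
    (None, 10_000),              # full rights thereafter
]
HIGH_VALUE = 5_000               # assumed high-value threshold
MAX_CONSECUTIVE_HIGH = 2         # more than this forces a step-up

@dataclass
class Device:
    device_id: str
    bound_at: datetime
    consecutive_high: int = 0

def bind_device(devices, device_id, now, consent=False, step_up_passed=False):
    """One device per account holder by default; any further device is
    opt-in and gated by explicit consent plus additional authentication.
    `devices` is the account's registry: device_id -> Device."""
    if devices and not (consent and step_up_passed):
        raise PermissionError("additional device needs explicit consent and step-up")
    devices[device_id] = Device(device_id, now)

def transaction_cap(device, now):
    """Cap grows with the device's age on the account (last tier is open-ended)."""
    age = now - device.bound_at
    for max_age, cap in TIERS:
        if max_age is None or age < max_age:
            return cap

def authorise(devices, device_id, amount, now):
    """Returns (allowed, reason); a rejection is where step-up or review kicks in."""
    device = devices.get(device_id)
    if device is None:
        return False, "device not bound to this account"
    cap = transaction_cap(device, now)
    if amount > cap:
        return False, f"amount {amount} exceeds cap {cap} for a device this new"
    if amount >= HIGH_VALUE:
        device.consecutive_high += 1
        if device.consecutive_high > MAX_CONSECUTIVE_HIGH:
            return False, "too many consecutive high-value transactions"
    else:
        device.consecutive_high = 0
    return True, "ok"
```

A real deployment would feed the rejection reasons into the fraud-monitoring layer and trigger the step-up authentication rather than simply refusing the transaction.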

d. Multi-Factor Authentication and Passwordless Authentication to Reduce Dependence on SMS OTP

The most important change in the RMiT update is the requirement to use MFA and passwordless authentication methods. MFA must be resistant to interception or manipulation by third parties throughout the authentication process. 

Examples of passwordless authentication methods include biometric authentication, device binding, cryptographic key-based authentication, and risk-based step-up authentication. 

In addition, “transaction linking” requires the authentication code to be bound to specific transaction details, including the recipient and transaction amount, rather than being linked only to the login session. 
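The difference between a code linked only to the login session and one linked to the transaction itself, as an added example that is not part of the original post: the transaction-linked code is an HMAC over the canonical transaction details (recipient, amount, currency and a server-issued nonce) under a per-device key, so a code approved for one payment cannot be replayed against an altered one. The device key, account identifiers and amounts are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample key; in practice a per-device secret provisioned at device binding.
DEVICE_KEY = b"constructed-per-device-secret-key"

def canonical(tx: dict) -> bytes:
    """Deterministic encoding so device and server sign exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def _code_from_mac(mac: bytes) -> str:
    # 8-digit presentation, like an OTP, taken from the first 4 bytes of the MAC
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def make_tac(device_key: bytes, tx: dict) -> str:
    """Transaction authentication code bound to recipient, amount and currency,
    plus a server-issued nonce so an approved code cannot be replayed."""
    return _code_from_mac(hmac.new(device_key, canonical(tx), hashlib.sha256).digest())

def verify_tac(device_key: bytes, tx: dict, code: str) -> bool:
    """Server side: recompute over the transaction it is actually about to execute."""
    return hmac.compare_digest(make_tac(device_key, tx), code)

def make_session_code(device_key: bytes, session_id: str) -> str:
    """Contrast case: a code linked only to the login session (the older style)."""
    return _code_from_mac(hmac.new(device_key, session_id.encode(), hashlib.sha256).digest())

def verify_session_code(device_key: bytes, session_id: str, code: str) -> bool:
    return hmac.compare_digest(make_session_code(device_key, session_id), code)

def demo() -> dict:
    nonce = secrets.token_hex(8)  # issued by the server for this one transaction
    shown = {"recipient": "MY00-CONSTRUCTED-ACCT", "amount": "1500.00",
             "currency": "MYR", "nonce": nonce}
    # Same approved code presented with a different recipient, e.g. after
    # manipulation between what the user saw and what the server received.
    tampered = dict(shown, recipient="MY00-OTHER-ACCT")
    code = make_tac(DEVICE_KEY, shown)
    session_code = make_session_code(DEVICE_KEY, "sess-123")
    return {
        "linked_accepts_original": verify_tac(DEVICE_KEY, shown, code),
        "linked_rejects_tampered": not verify_tac(DEVICE_KEY, tampered, code),
        # the session-bound code says nothing about the transaction, so it still verifies
        "session_only_accepts_tampered": verify_session_code(DEVICE_KEY, "sess-123", session_code),
    }
```

Showing the recipient and amount on the signing device before the code is generated is what makes the binding meaningful to the user, not just to the server.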

3. Savyint – A Global Expert in Strong Payment Authentication and Risk Prevention

Amid rising security requirements, Savyint provides a comprehensive security ecosystem that helps banks and financial institutions comply with BNM’s RMiT regulations while enhancing their overall security and risk management capabilities.

Built on a Zero Trust architecture and centered around four key pillars – Secure Payment, Open Banking, Secure Data, and Digital Trust – Savyint’s RMiT compliance solution enables financial institutions to:

  • Strengthen CSA/MFA
    • Support passwordless authentication methods, including biometrics, SmartOTP, Passkey/FIDO2, and OTP Token,…
    • Enable device authentication and behavioral authentication 
    • Provide end-to-end encryption 
    • Support transaction signing bound to the exact transaction content and context, following the WYSIWYS principle 
    • Ensure readiness for post-quantum cryptography algorithms 
  • Prevent Fraud and Manage Risk in Real Time with AI
    • Integrate Device Intelligence to identify unique device fingerprints 
    • Analyze user behavior and conduct risk scoring 
    • Enable Adaptive Authentication, automatically adjusting the level of authentication based on user context and risk level 
    • Secure APIs in accordance with FAPI standards 
  • Secure Devices and Applications
    • TrustShield and RASP+
    • Device Identity and Device Fingerprint 
    • Device Binding 
    • Device Integrity

This solution is designed in strict compliance with international standards such as FIDO2, PSD2/PSD3, eIDAS, GDPR, PCI DSS,… ensuring rapid deployment, compatibility with existing infrastructure, and the highest level of security.

Connect with Savyint experts today to build a secure and compliant payment ecosystem.