Malaysia's New Payment Tech Rules: Why Banks Need a Real-Time Fraud Decision Engine Now

BNM's March 2026 policy gives payment providers 12 months to implement real-time fraud detection, CISO appointments, and board-level cyber oversight. Here's what it means for your fraud stack.

RTD Team

Run-True Decision

Malaysia lost RM2.7 billion to scams in 2025 — a 76% increase from the year before. On 12 March 2026, Bank Negara Malaysia responded with a new policy document on technology requirements for payment services regulatees. At first glance, it looks like a routine compliance update. It is not.

This policy signals a structural change in how fraud risk must be managed — not just in Malaysia, but very likely across Southeast Asia. And the compliance clock is already ticking: gap analysis due within 90 days, full compliance by March 2027.

Fraud Is No Longer an Operational Issue

Fraud control just became a regulated, real-time technology capability with board-level accountability.

Traditionally, fraud has been handled as an operational problem: rules configured by risk teams, alerts reviewed manually, losses managed after the fact. Under BNM's new expectations, that model is no longer sufficient.

The policy requires payment providers to appoint dedicated Chief Information Security Officers, establish board-level technology risk oversight, and accept full accountability for third-party vendor security. This is not guidance — these are mandated governance structures.

Who's in Scope — And Why That's New

For the first time, non-bank payment providers face bank-grade technology requirements.

BNM's policy covers what it defines as Payment Services Regulatees (PSRs): approved issuers of electronic money, registered merchant acquirers, licensed money services businesses, and operators of designated payment systems. The framework classifies providers into four regulatory tiers based on transaction volume and complexity. Any provider processing more than RM1.5 billion in annual transaction value or 7 million transactions per year faces the most stringent requirements.

This tiering matters because even mid-sized e-wallet issuers and payment processors — companies that previously operated under lighter-touch supervision — now need the same calibre of fraud detection infrastructure that banks do.

What Regulators Now Expect (Translated into Reality)

BNM's policy introduces five categories of expectations. When translated into technical terms, here is what they actually require:

1. Real-time fraud decisions

Fraud must be prevented before money leaves the account. Batch detection or post-event review is no longer enough. Payment providers need millisecond-level decisioning that operates inline with the payment flow — not as a sidecar process that reviews transactions after approval.

2. Explainable, auditable decisions

Every approval or block must be traceable, auditable, and understandable. "Black box" decisions are not acceptable. Regulators want to see decision reason codes, policy version tracking, and full audit trails — the kind of explainability that most legacy fraud systems were never built to provide.

3. Unified risk scoring across channels

Banks must move from fragmented checks to consistent decision logic and risk scoring across all channels — cards, transfers, QR payments, and digital wallets. A customer should not be blocked on one channel while the same suspicious pattern sails through another.

4. Detection of modern scam patterns

BNM explicitly highlights the surge in SMS phishing, fraudulent apps, credential theft, and remote access scams draining Malaysian bank accounts. Transaction data alone is not enough. Providers need device intelligence — the ability to detect compromised devices, emulators, malware, and remote control tools — to catch scams that look normal at the transaction level.

5. Operational resilience and senior governance

Fraud systems must be resilient, continuously monitored, and governed at a senior level. The CISO mandate and board oversight requirements mean that fraud technology failures are now executive-level accountability events, not IT incidents to be quietly resolved.
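To make the first four expectations concrete, here is a small inline decision layer written for this article (it is not Run-True Decision's engine and not anything BNM publishes): one decision function serves every channel, each rule carries a reason code, the policy version is stamped on every decision, and decisions go into a hash-chained audit log that an auditor can re-verify offline. Rule names, weights, thresholds, the device-signal fields and the sample transactions are all constructed for illustration.

```python
"""Constructed example of an inline, explainable fraud decision layer.

Illustrative code written for this article; not Run-True Decision's engine and
not a BNM specification. Rule names, weights and thresholds are invented.
"""
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Tuple

POLICY_VERSION = "demo-2026.03.1"  # constructed; a real engine pins this via change control


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    channel: str              # "card", "transfer", "qr" or "wallet": all share one rule set
    amount_myr: float
    new_payee: bool           # first payment to this beneficiary
    device_rooted: bool       # the device-intelligence fields below are assumed to be
    remote_access_tool: bool  # supplied by a device SDK; here they are plain inputs
    emulator: bool
    device_age_days: int      # days since this device was first seen for the customer


# (reason_code, weight, predicate). The reason codes are what the audit trail cites.
RULES: List[Tuple[str, int, Callable[[Transaction], bool]]] = [
    ("DEV_REMOTE_ACCESS", 70, lambda t: t.remote_access_tool),
    ("DEV_EMULATOR", 60, lambda t: t.emulator),
    ("DEV_ROOTED", 25, lambda t: t.device_rooted),
    ("DEV_FIRST_SEEN", 15, lambda t: t.device_age_days < 1),
    ("NEW_PAYEE_HIGH_VALUE", 30, lambda t: t.new_payee and t.amount_myr >= 5000),
]
BLOCK_AT = 70     # constructed thresholds
STEP_UP_AT = 40


def canonical(body: Dict) -> str:
    """Deterministic serialisation so a hash can be recomputed later."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def decide(txn: Transaction, audit_log: List[Dict]) -> Tuple[str, int, List[str]]:
    """Score one transaction inline and append an explainable, chained audit record."""
    fired = [(code, weight) for code, weight, pred in RULES if pred(txn)]
    score = min(100, sum(weight for _, weight in fired))
    if score >= BLOCK_AT:
        action = "BLOCK"
    elif score >= STEP_UP_AT:
        action = "STEP_UP"      # e.g. out-of-band confirmation before funds move
    else:
        action = "APPROVE"
    reasons = [code for code, _ in fired] or ["NO_RULE_FIRED"]

    body = {
        "txn": asdict(txn),
        "policy_version": POLICY_VERSION,
        "score": score,
        "action": action,
        "reasons": reasons,
        "decided_at": time.time(),
    }
    # Each record commits to the previous one, so edits or deletions are detectable.
    prev_hash = audit_log[-1]["hash"] if audit_log else "0" * 64
    digest = hashlib.sha256((prev_hash + canonical(body)).encode()).hexdigest()
    audit_log.append({"body": body, "prev_hash": prev_hash, "hash": digest})
    return action, score, reasons


def verify_audit_log(audit_log: List[Dict]) -> bool:
    """Recompute the chain from the start; any altered record breaks it."""
    prev_hash = "0" * 64
    for rec in audit_log:
        if rec["prev_hash"] != prev_hash:
            return False
        expected = hashlib.sha256((prev_hash + canonical(rec["body"])).encode()).hexdigest()
        if expected != rec["hash"]:
            return False
        prev_hash = rec["hash"]
    return True


def demo() -> List[Tuple[str, int, List[str]]]:
    """Constructed sample traffic, including the same suspicious pattern on two channels."""
    log: List[Dict] = []
    samples = [
        Transaction("t1", "qr", 120.0, False, False, False, False, 400),
        Transaction("t2", "transfer", 8000.0, True, False, True, False, 0),
        Transaction("t3", "wallet", 8000.0, True, False, True, False, 0),
        Transaction("t4", "card", 6000.0, True, True, False, False, 30),
    ]
    results = [decide(t, log) for t in samples]
    assert verify_audit_log(log)
    return results


if __name__ == "__main__":
    for action, score, reasons in demo():
        print(action, score, reasons)
```

The point of the sample is structural rather than the particular weights: t2 and t3 carry the identical device and payee pattern on different channels and receive the identical decision and reason codes, which is what "unified scoring" means in practice, and every answer to "why was this approved?" is a stored record with a policy version and reason list whose integrity `verify_audit_log` can confirm without trusting the database that holds it.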

The Three Gaps Inside Most Payment Providers

Most payment providers in Malaysia are not structured to meet these five expectations. The typical setup still looks like this: multiple rule engines across channels, disconnected fraud systems for cards versus transfers versus login, limited device visibility, manual investigation workflows, and weak audit traceability.

This creates three structural gaps:

Gap 1 — No single decision layer. Decisions are made in different systems with no unified logic. When the regulator asks "why was this transaction approved?", there is no single source of truth to point to.

Gap 2 — Limited real-time capability. Latency, manual steps, and batch processing slow down fraud response. By the time an alert fires, the money has already moved.

Gap 3 — Poor visibility into device and behaviour. Providers see transactions, but not the full context behind them. A compromised device initiating a seemingly normal transfer is invisible to transaction-only monitoring.

Why This Matters Beyond Malaysia

Malaysia is not acting in isolation. Similar regulatory patterns are emerging across the region — Indonesia, Thailand, Vietnam, and Singapore are all tightening technology risk requirements for financial institutions. BNM's policy is notable because it extends these expectations to non-bank payment providers for the first time, setting a precedent that other ASEAN regulators will likely follow.

Payment providers that move early will reduce fraud losses, improve legitimate transaction approval rates, and meet regulatory requirements ahead of schedule. Those that delay will face mounting compliance pressure, higher operational costs, and growing scam exposure — particularly as the BNM-PayNet AI fraud detection system raises the bar for the entire industry in 2026.

A Starting Point: Five Questions for Your Gap Analysis

With the 90-day gap analysis deadline approaching, payment providers can start with a practical self-check. If the answer to any of these is "no," there is a structural gap to address:

  1. Can we make fraud decisions in real time — milliseconds, inline with the payment flow?
  2. Can we explain every decision clearly to auditors, with reason codes and full trails?
  3. Do we use device intelligence, or only transaction data?
  4. Is our risk scoring unified across all channels — cards, transfers, QR, wallets?
  5. Can we deploy flexibly — on-premise, cloud, or hybrid — to meet data residency requirements?

Regulations will continue to tighten across Southeast Asia. Fraud control is becoming core financial infrastructure. The providers that treat it as such — by building or adopting a real-time decision layer — will be better positioned to compete, comply, and grow.

Run-True Decision is building a fraud decision engine purpose-built for Southeast Asian banks and payment providers — supporting real-time decisioning, device intelligence, and flexible deployment. Talk to us to learn more.
