BNM RMiT Independent Compliance Review — AKATI Sekurity

+Secure | Governance & Compliance

BNM RMiT Compliance Review

Independent Assessment Against Risk Management in Technology

Bank Negara Malaysia's Risk Management in Technology (RMiT) framework defines the minimum requirements for all financial institutions to manage technology risk, strengthen cybersecurity, and build operational resilience. The latest version — issued 28 November 2025 — introduces enhanced requirements across cloud services, digital fraud management, cryptographic controls, and service availability.

AKATI Sekurity provides independent, third-party compliance reviews against the full scope of RMiT — from board governance through to SOC operations, VAPT, cloud risk management, and external party assurance. We identify gaps, prioritise remediation, and prepare your institution for BNM scrutiny.

Who Must Comply

Applicable Financial Institutions

RMiT applies to all financial institutions regulated by BNM. The scope, intensity, and specific paragraph applicability vary by institution type and complexity.

Licensed Banks

Licensed Investment Banks

Licensed Islamic Banks

Licensed Insurers & Reinsurers

Licensed Takaful & Retakaful Operators

Development Financial Institutions

Approved E-Money Issuers

Designated Payment System Operators

Registered Merchant Acquirers

Intermediary Remittance Institutions

Policy Architecture

11 Compliance Domains

RMiT spans 11 core compliance domains — each with mandatory "S" standards enforceable by BNM. Click any domain to explore the key requirements AKATI Sekurity assesses during an independent compliance review.

8 Governance S 8.1 – 8.7

Board and senior management accountability for technology risk. Requires board-approved risk appetite, designated board-level technology committee, regular cyber risk updates, and cross-functional technology oversight committee.

Board must approve technology risk appetite aligned with enterprise risk appetite statement
Designated board-level committee with at least one member with technology competencies
Board must participate in cybersecurity awareness and training programmes
BAC responsible for technology audit effectiveness and competence of audit staff
Senior management must establish cross-functional committee for technology oversight
Crisis management plan must provide for timely escalation considering customer impact

9 Technology Risk Management S 9.1 – 9.5

Enterprise-wide TRMF integrated into ERM. Requires designated CISO with independence, authority, and certifications. Includes risk classification, scenario analysis, and incident management across all critical systems and third-party dependencies.

TRMF must be integral part of enterprise risk management framework
Designated CISO must be independent from day-to-day technology operations
CISO must have requisite technical skills, audit/governance expertise, and certifications
Risk classification of all information assets and systems based on criticality
Scenario analysis to strengthen readiness to resume critical systems under severe conditions
Independent enterprise-wide technology risk management function required

10 Technology Operations Management S 10.1 – 10.57

The largest domain — 57 mandatory standards covering project management, SDLC, patch and EOL management, cryptography, data centre resilience, service availability, network resilience, backup, third-party management, cloud services, and access control.

Cryptography policy must address post-quantum readiness and annual review of all algorithms
Critical systems: max 4 hours cumulative unplanned downtime per rolling 12 months
Stand-in processing arrangement required by 30 September 2027 for digital services
Service availability disclosure on quarterly basis from 15 October 2027
Cloud adoption: comprehensive risk assessment per para 10.50 and Appendix 10
Multi-factor authentication for critical systems must defend against social engineering
Network device logs and user activity logs retained for at least three years

11 Cybersecurity Management S 11.1 – 11.20

Cyber Resilience Framework (CRF) with IPDRR model. SOC operations, VAPT, red team exercises, cyber threat intelligence, incident response plans, cyber drill exercises, and NCII compliance. Zero-trust principles and defense-in-depth mandated.

CRF must support Identify, Protect, Detect, Respond, and Recover (IPDRR) across all systems
Red team simulation attack on infrastructure at least once every three years
SOC must operate 24x7 with competent resources and proactive monitoring tools
Annual cyber drill exercise involving board, senior management, and third-party providers
NCII-designated entities must comply with NACSA requirements and additional directives
Cyber threat intelligence must include dark web monitoring and misinformation detection

12 Digital Services & Fraud Management S 12.1 – 12.9

Security of digital services and fraud detection. MFA requirements, device binding, kill switch, fraud detection standards (Appendix 11), real-time transaction blocking, and customer awareness obligations. Phishing-resistant authentication mandated.

MFA for financial transactions must be resistant to phishing — OTP from customer device, not server
Secure device binding: default one device per account holder for authentication
Fraud detection must operate in real-time with behavioural analytics per Appendix 11
Kill switch and 24/7 contact centre for customers to report and suspend accounts
Cryptographic key-based authentication (e.g. passwordless) must be offered as alternative
Default transfer limit for new customers set conservatively low (e.g. RM1,000/day)

13 Technology Audits S 13.1 – 13.4

Internal audit function with dedicated technology resources. Scope, frequency, and intensity must be commensurate with system complexity. Annual review of technology audit plan covering critical services, third parties, and post-implementation reviews.

Dedicated technology audit resources with specialised competencies and certifications
Annual review of technology audit plan covering critical services and third-party providers
Must include post-implementation review of new or material technology enhancements
Coverage of delayed or prematurely terminated critical technology projects

14 External Party Assurance S 14.1 – 14.2

Mandatory external assessments every three years. Data Centre Resilience Assessment (DCRA) and Network Resilience Assessment (NRA) by technically competent external providers. Results deliberated by board-level committee.

DCRA by external provider at least once every three years or upon material data centre changes
NRA by external provider at least once every three years or upon material network changes
Both assessments must be deliberated by the designated board-level technology committee
AKATI Sekurity is qualified to deliver both DCRA and NRA assessments

15 Security Awareness & Education S 15.1 – 15.3

Annual cybersecurity awareness and continuous training. Board members, all staff, technology/cybersecurity specialists, and third-party service providers must receive appropriate training reflecting the evolving threat landscape.

Annual cybersecurity awareness education for all staff reflecting evolving threats
Continuous training for technology, cybersecurity, and risk management staff
Board members must receive regular training on technology developments
Third-party service providers to be included in relevant training programmes

App 10 Cloud Services — Key Risks & Controls Appendix 10

16-page appendix covering cloud governance and design. Cloud risk management framework, usage policy, due diligence, contract management, architecture, CI/CD, virtualisation, key management, access controls, DDoS, DLP, SOC extension, and exit strategy.

Cloud risk management framework integrated into ERM, TRMF, and CRF
Shared responsibility model clearly defined for each cloud service model (SaaS/PaaS/IaaS)
Zero-trust architecture with micro-segmentation and deny-by-default for cloud
Financial institution must retain ownership and control of encryption keys
Exit strategy must be developed during planning phase with multi-cloud options
First-time public cloud adoption for critical systems requires BNM consultation

App 11 Fraud Detection Standards Appendix 11

Real-time fraud detection for retail digital services. Comprehensive customer risk profiling, behavioural analytics, device fingerprinting, session hijack detection, AI deepfake detection, and a fraud management playbook updated at least annually.

Customer risk profiles based on demographics, geography, transaction, and behavioural patterns
Real-time detection and blocking of suspicious transactions based on individual profiles
Contact affected customers within 30 minutes of blocking suspicious transactions
Higher risk scoring for vulnerable customers (seniors, previous fraud victims)
Detect AI-powered account takeover attempts defeating authentication controls
Fraud management playbook validated at least annually against emerging modus operandi

Key Deadlines

Compliance Timeline

RMiT introduces specific implementation deadlines. Missing these dates puts your institution at risk of enforcement action.

28 Nov 2025

RMiT effective date. Supersedes June 2023 version.

~26 Feb 2026

Gap analysis and action plan due to BNM (90 days from issuance).

30 Sep 2027

Service degradation detection and stand-in processing arrangements required.

15 Oct 2027

Quarterly service availability disclosure begins (within 15 days of quarter-end).

AKATI Sekurity Services

How We Help You Comply

AKATI Sekurity delivers the independent assessments, testing, and advisory services that financial institutions need to demonstrate compliance with RMiT's mandatory standards.

External Assurance

Data Centre Resilience Assessment

Independent DCRA covering resilience, redundancy, physical security, and business recovery objectives as required by para 14.1 — at least once every three years.

External Assurance

Network Resilience Assessment

Independent NRA covering network design, redundancy, segmentation, and security controls as required by para 14.2 — at least once every three years.

Cybersecurity

VAPT & Red Team Exercises

Quarterly vulnerability assessments, annual intelligence-led penetration testing, and triennial red team simulation attacks per para 11.6 and Appendix 5.

Compliance

RMiT Gap Analysis

Comprehensive assessment of existing practices against all RMiT requirements, with prioritised action plan and timeline for the 90-day BNM submission.

Operations

24/7 SOC & Managed Security

Security Operations Centre with SIEM, threat hunting, vulnerability management, and incident coordination per Appendix 5 Part C requirements.

Advisory

Cloud & Third-Party Risk Advisory

Cloud risk assessment per para 10.50 and Appendix 10. Third-party service provider due diligence and continuous monitoring framework design.

Why AKATI Sekurity

Independent. Qualified. Trusted.

RMiT requires technically competent external providers for critical assessments. AKATI Sekurity meets every qualification standard — with deep experience across Malaysia's regulated financial sector.

Technically Competent

QSA, ASV, CREST-approved, and ISO 27001 certified — meeting RMiT's requirements for external party competence and accreditation.

Full RMiT Coverage

From DCRA and NRA through VAPT, red team, SOC, cloud advisory, and gap analysis — every domain under one engagement partner.

Financial Sector Experience

Deep experience with banks, insurers, takaful operators, payment systems, and e-money issuers across Malaysia and the region.

Actionable Reporting

Every finding mapped to specific RMiT paragraphs with practical remediation steps — not vague recommendations. BNM-ready documentation.

Next Step

Secure Your RMiT Compliance

The 90-day clock is ticking. Whether you need a full gap analysis, external assurance assessments, or ongoing SOC services, AKATI Sekurity is ready to support your institution's compliance journey.

Schedule Your RMiT Review →

hello@akati.com | akati.com

← Return to Governance & Compliance Page