BNM penalises Maybank RM4.3m, CIMB RM760,000 for e-banking disruptions

by RUPINDER SINGH

Bank Negara Malaysia (BNM) has fined Malayan Banking Bhd (Maybank) and CIMB Bank Bhd for e-banking service outages, highlighting serious lapses in their technology resilience.

In separate notices posted on its website, BNM revealed that Maybank was fined RM4.3 million for multiple instances of unplanned downtime, while CIMB Bank and CIMB Islamic Bank were fined RM760,000 on July 29, 2024.

These penalties were imposed due to the banks’ failure to comply with critical regulatory requirements outlined in the Financial Services Act 2013 (FSA), the Islamic Financial Services Act 2013 (IFSA), and the Risk Management in Technology (RMiT) Policy Document.

Maybank’s penalty resulted from several service disruptions between June 1, 2023, and May 31, 2024, which affected its Regional Mobile Banking Platform (RMBP) and MAE applications.

These outages exceeded BNM’s maximum downtime limits, which stipulate that cumulative unplanned downtime affecting user interfaces must not exceed four hours over a 12-month period, with no single incident exceeding 120 minutes.

BNM’s investigation found that Maybank’s inability to recover promptly from these disruptions severely impacted customer and counterparty interactions.

BNM said Maybank has since undertaken significant measures to enhance its infrastructure and application resilience as part of a broader multi-year investment strategy aimed at preventing future issues.

Meanwhile, CIMB Bank and CIMB Islamic Bank were fined RM760,000 for a service disruption that occurred on April 8 and 9, 2024.

During this period, customers faced significant interruptions to e-banking services, ATM operations, and both debit and credit card transactions.

The prolonged outages breached the thresholds established by BNM’s RMiT Policy Document.

BNM’s review indicated that CIMB’s response and recovery processes were inadequate, leading to extended downtime.

In response, BNM said CIMB has upgraded its real-time IT infrastructure monitoring to better manage and recover from such incidents.

BNM’s actions against Maybank and CIMB underscore its commitment to ensuring that financial institutions uphold high standards of technology resilience.

The central bank noted the critical need to minimize operational disruptions to maintain the continuous availability of essential financial services.

BNM has made it clear that it will continue to enforce strict compliance with regulatory expectations.

Maybank paid its fine on August 8, 2024, while CIMB settled its penalty on August 12, 2024.

In a press release issued today, CIMB Bank and CIMB Islamic Bank expressed regret over the unplanned downtime affecting their critical systems on April 8 and 9, 2024, which impacted customers and counterparties.

CIMB acknowledged the incident’s effect on banking transactions and committed to doing better.

The bank stated that it has invested and will continue to invest in technology, systems, and processes to strengthen its resilience and ensure that its critical customer infrastructure meets customer needs.

“Further, the Bank has strengthened its corrective and preventive measures to address service outages in a timely manner including adequate oversight of its third parties, while ensuring business continuity plans can be initiated immediately during critical times,” it said.

In a separate statement, Maybank reiterated its commitment to enhancing customer experience and communication, and to ensuring that it abides by and adheres to all BNM regulations in relation to its service uptime.

“Internal measures to further strengthen and monitor our systems are in place to ensure optimum performance,” it said.