KUALA LUMPUR (Aug 14): Bank Negara Malaysia on Wednesday imposed administrative penalties on the country’s top two banks for prolonged service disruptions in breach of financial services laws.

Malayan Banking Bhd (KL:MAYBANK) was fined RM4.32 million while CIMB Group Holdings Bhd (KL:CIMB) was slapped with a RM760,000 penalty, Bank Negara Malaysia (BNM) said in separate statements. Both companies have paid the fines, it noted.

“BNM expects all financial institutions to maintain a high level of technology resilience against operational disruptions to ensure the continuous availability of essential financial services,” the central bank said.

The central bank also stressed that it would not hesitate to take appropriate supervisory and enforcement actions when financial institutions fall short of regulatory expectations.

In imposing the penalties, BNM said it considered factors such as the failure to adequately address downtime and avoid non-compliance, the severity and impact of service disruptions on customers, and the institutions' past compliance records and history of enforcement actions.

BNM also took into account the effectiveness of CIMB's remedial actions to prevent recurrence.

Systems downtime too long

The penalties were for non-compliance with paragraph 48(1)(a) of the Financial Services Act 2013 and paragraph 58(1)(a) of the Islamic Financial Services Act 2013, in conjunction with paragraph 10.32 of the Risk Management in Technology (RMiT) Policy Document.

Paragraph 10.32 of the RMiT Policy Document mandates that financial institutions ensure high availability for critical systems, limiting unplanned downtime affecting user interfaces to a maximum of four hours over a rolling 12-month period, and no more than 120 minutes per incident.

CIMB customers experienced service disruptions on April 8 and 9, 2024, affecting e-banking channels, automated teller machines (ATMs), and debit and credit cards, which exceeded BNM's allowed thresholds.

The disruptions were attributed to lapses in CIMB's response and recovery processes, which delayed the restoration of essential banking services.

Meanwhile, Maybank's regional mobile banking platform and MAE smartphone app faced multiple unplanned downtimes between June 1, 2023, and May 31, 2024, disrupting customer and counterparty services in breach of RMiT rules.

These issues were due to Maybank's ineffective recovery from system problems and incomplete measures to enhance application and infrastructure resilience.

Steps taken to ensure uptime, says Maybank, CIMB

Both Maybank and CIMB said they have taken steps to ensure uptime since then, in response to BNM’s decision to impose the penalties.

“Internal measures to further strengthen and monitor our systems are in place to ensure optimum performance,” Maybank said in a statement. The bank also reiterated its commitment to improve customer experience and meet all BNM regulations.

CIMB, meanwhile, acknowledged the need for improvement and emphasised that it has taken necessary measures to minimize downtime with unnamed third parties.

“Further, the bank has strengthened its corrective and preventive measures to address service outages in a timely manner including adequate oversight of its third parties, while ensuring business continuity plans can be initiated immediately during critical times,” CIMB added.