Bank Negara Malaysia's Risk Management in Technology (RMiT) policy was introduced in July 2019 to address cyber-risk exposures in Malaysian financial institutions. It covers governance, technology risk management, cybersecurity, technology operations, audit, and internal training.
Overview of RMIT Policy by Bank Negara Malaysia (BNM)
The BNM’s Risk Management in Technology (RMiT) policy aims to reduce vulnerabilities that could disrupt essential services or compromise customer data. The policy is mandated under various legislations to preserve public confidence and ensure Malaysia's financial system's resilience in digital transformation.
The latest version of RMiT policy was updated and came into effect on November 28, 2025. The policy revision outlines new requirements on the financial institution’s management of technology risks to improve the resilience of financial services and enhance system-wide cyber defence and extending RMiT standards to more institutions.
- Licensed banks
- Licensed investment banks
- Licensed Islamic banks
- Licensed insurers including professional reinsurers
- Licensed takaful operators including professional retakaful operators
- Prescribed development financial institutions
- Approved issuers of electronic money
- Operator of a designated payment system
- Registered merchant acquirers
- Intermediary remittance institutions
COMPLIANCE BRIEF
Data Risk Management for Financial Institutions in Malaysia
Discover how financial institutions can address RMiT Policy through our comprehensive cybersecurity solutions and learn more about the requirements.
How Thales Helps with the BNM’s RMiT Policy in Malaysia
Thales’ solutions can help financial institutions in Malaysia to address the RMiT Policy on Part B Policy Requirements as well as Appendix 1, 3, 4, 5 and 10 on Control Measures by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.
RMiT Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, and a secure Content Delivery Network (CDN).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the BNM’S RMiT Policy
Part B – Policy Requirements
How Thales helps:
- Classify and assign specific sensitivity levels for data when you are defining your data stores and your classification profiles for different types of data sets.
- Identify the current state of compliance and document gaps.
- Provide data activity monitoring for structured and unstructured data across cloud and on-prem systems.
- Monitor data access activity over time to set up alerts on activity that can put financial institutions at risk.
- Detect and report non-compliant, risky, or malicious data access behavior across all your data repositories enterprise-wide to accelerate remediation.
- Categorize and prioritize by real risks with risk scoring rather than anomalies.
How Thales helps:
- Pseudonymize and mask sensitive information for production or tests while maintaining the ability to analyse aggregate data without exposing sensitive data.
How Thales helps:
- Encrypt structured and unstructured data such as source codes to safeguard them from unauthorised access.
- Pseudonymize sensitive information in databases.
How Thales helps:
- Enforce security-by-design by ensuring sensitive data is protected during system development and modification.
- Provide developers with accessible data protection tools such as encryption and key management to integrate security early in the development lifecycle and foster DevSecOps practices.
- Shift Data Security operations to Data Security Admins, enabling better segregation of duties and change control for system modifications.
- Deploy data protection controls in hybrid and multi-cloud applications to protect DevSecOps.
- Easily access data security solutions through online marketplaces.
- Protect and automate access to secrets across DevOps tools.
- Secure change management by enabling integration tools for versioning, traceability, and rollback capabilities.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
How Thales helps:
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
- Detect and virtually patch database software vulnerabilities.
How Thales helps:
- Offer the use of industry-standard-based algorithms, hashing, and signing with RNG in a centralized and secure platform.
- Centralize key lifecycle management tasks, including generation, rotation, destruction, import, and export via various methods including the KMIP standards abd PKCS#11.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Unify all cloud Key Management Services with a single pane of glass view across regions for cloud native, BYOK and HYOK keys and one straightforward UI.
- Allow automatic key rotation with no application downtime, enabling customers to easily migrate to newer cryptographic standards if and when required.
- Offer key rotation that can assist in case of recovery where cryptographic keys are compromised. Keys can be rotated on demand to minimize the impact of any key compromises.
Solutions:
Data Security
How Thales helps:
- Reduce third-party risk by maintaining on-premises control over encryption keys, protecting data hosted in the cloud.
- Ensure complete separation of roles between cloud provider admins and your organization, and restrict access to sensitive data.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Streamline key management in cloud and on-premises environments.
Solutions:
Data Security
How Thales helps:
- Protect the root-of-trust of a cryptographic system within FIPS140-2 Level 3 - a highly secure environment.
- Support cryptography algorithms such as Advanced Encryption Standard (AES) 256bits, RSA 3072 bits, and are designed for a post-quantum upgrade to maintain crypto-agility.
- Manage and protect all secrets and sensitive credentials.
How Thales helps:
- Encrypt sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized applications and personnel in removable media.
- Integrate with the leading backup solution vendors to manage the backup encryption keys and to separate the data from the keys to further secure the sensitive data.
How Thales helps:
- Retain full control and ownership of the sensitive data by controlling encryption keys access via Cloud Key Management, negating the risk of data being released to foreign powers with the Hold-Your-Own-Key (HYOK) approach.
- Secure sensitive data for migration by encrypting data-at-rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive information in databases.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
How Thales helps:
- Encrypt data stored in cloud servers to protect against unauthorised disclosure and access, even from the Cloud Service Provider.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Allow cloud users to separate the keys from the data stored in the cloud, if using the Cloud Service Provider's native encryption, preventing unauthorized data access by the Cloud Service Provider by using the Hold-Your-Own-Key (HYOK) approach.
Solutions:
Data Security
How Thales helps:
- Limit access to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Enable continuous monitoring to capture and analyze all data store activity, providing detailed audit trails that show who accesses what data, when, and what was done to the data.
- Provide a unified strategy for access control across all user populations.
- Enable a consistent and policy-driven approach to identification, authentication, and authorization of all users to their IT assets, data, and services.
- Manage all users, including the workforce, contractors, third-party users such as customers, suppliers, logistics, and B2B or B2C type users.
How Thales helps:
- Enable the separation of duties between the security administrator and the system administrator inside servers, ensuring the system admins or privileged accounts do not have access to sensitive encryption keys, while the security administrators do not have access to the data.
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Offer “least privilege” access rights where minimum sufficient permissions are granted to legitimate users and adhere to a “deny all” access control policy for users by default.
- Deploy time-bound access which restricts access to a specific period based on the nature of work.
- Adopt robust user authorization and authentication based on the criticality of IT assets by defining the right access policies, step-up authentication, and enforcing phishing-resistant authenticators.
How Thales helps:
- Enforce phishing-resistant MFA for a wide variety of users' access to critical systems.
- Offer MFA that combines two or more of the knowledge factors, inherent factors (e.g., biometric characteristics), or possession factors (e.g., security keys, tokens, smart cards).
How Thales helps:
- Record access to the database system and detect login attempts on the database system.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
- Manage authentication and access control by supporting Multi-Factor Authentication and Single Sign-On (SSO) and displaying access log reports.
- Detect and alert administrators if abnormal access attempts are found, and administrators can respond quickly.
- Detect and pinpoint critical threats to data, prioritizes what matters most, and provides actionable insights.
- Support the creation of audit trail reports of all accesses for auditing and investigation in the event of any incidents.
- Detect system threats with Web Application Firewall, API Security and Database Security and stream logs to SIEM system.
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Apply contextual security measures based on risk scoring.
- Manage and monitor access controls to enterprise-wide systems effectively.
- Flag access anomalies for investigation by the security team, and integrate seamlessly with SIEM solutions for a more comprehensive approach to threat and anomaly detection.
- Log all user access and authentication activities.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Provide ongoing monitoring of database traffic, monitoring who the users are accessing them, and provide timely alerts.
- Protect personal data from unauthorized access, monitor what has been changed and who is accessing.
- Detect anomaly behavior and provide deeper insight.
- Offer an authentication solution to identify users, devices, and authorize transactions in the digital services, such as online and mobile banking.
- Detect anomaly and mitigate fraud.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Gather fraud signals from the client side, such as mobile applications and web platforms, for real-time fraud detection and analysis.
- Employ machine learning–based fraud analysis techniques and a multi-layered detection approach to identify and mitigate fraudulent activities.
- Deliver continuous transaction surveillance and monitoring, and proactively advise customers to adopt updated fraud detection rules to address emerging vulnerabilities and threats.
How Thales helps:
- Enable timely updates of fraud detection rules through a configurable Policy Manager, allowing quick response to new fraud patterns.
- Enhance detection accuracy, reduce false positives, and strengthen protection against account takeovers and fraudulent transactions, by multi-layered fraud detection techniques and continuous machine learning.
How Thales helps:
- Provide a secure and encrypted communication channel between the organization and its end users’ devices.
- Provide a phishing-resistant solution, such as a FIDO hardware and software solution.
How Thales helps:
- Encrypt sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized applications and personnel in removable media.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Ensure complete separation of roles between cloud provider admins and your organization, and restrict access to sensitive data.
How Thales helps:
- Provide robust customer authentication and identity verification processes, including multi-factor authentication (MFA) for activation of digital services, passive liveness that is compliant to iBETA PAD Level 2.
- Perform all transactions and data exchanges over TLS minimally, with additional end-to-end encryption layer for sensitive information, such as user’s key and/or password.
- Encrypt all sensitive data at both client and host applications prior to transmission using AES-256 or equivalent encryption standards.
- Implement mutual TLS to authenticate the connection between endpoints and the server that hosts the solution.
- Include secure session handling, automatic timeouts, and protection against session hijacking or replay attacks.
- Offer transaction and audit log.
- Provide FIDO authentication that validates the authenticity of the website domain during the login process, ensuring that customers are interacting only with the genuine financial institution site and preventing credential phishing or redirection attacks.
- Detect and limit repeated failed login or MFA authentication attempts to prevent brute-force and credential-stuffing attacks.
- Deploy MFA to ensure proper customer authentication and authorization when changing transaction limits or performing other sensitive account activities.
Solutions:
Identity & Access Management
How Thales helps:
- Provide a highly secure environment that is resistant to phishing, malware, and man-in-the-middle attacks with a combination of Strong Customer Authentication (SCA), Risk Management solution, FIDO authentication, device binding, and Run-time Application Self-Protection (RASP).
- Ensure accuracy and reliability in customer authentication through the advanced biometric verification with a low False Acceptance Rate (FAR).
- Adopt internationally recognized standards, including but not limited to FIDO2, WebAuthn, ISO/IEC 30107 (Biometric Presentation Attack Detection), OATH/OCRA, and SOC 2.
Solutions:
Identity & Access Management
How Thales helps:
- Deploy strong device binding to ensure the user’s credentials or cryptographic keys are securely linked to the device. The user–device association is configurable, with the default setting restricting authentication to one registered mobile or secure device per account holder.
- Identify behavioral or anomaly detection mechanisms, events such as new device access or unusual location changes, triggering immediate customer notification or further verification actions from the Bank’s resource.
- Enable MFA validation for registering a new or replacement mobile number, device change, or processing personal particulars updates. Additional identity verification or part of KYC procedures may be applied when necessary to ensure authenticity.
- Apply systematic risk management controls to detect multiple successive high-volume transactions or abnormal transaction patterns, enabling proactive fraud mitigation.
Solutions:
Identity & Access Management
How Thales helps:
- Apply Strong Customer Authentication (SCA) to all financial and high-risk non-financial transactions. It leverages FIDO authentication, biometrics, or OTP-based validation to ensure the authenticity of the user, device, and transaction integrity.
- Adopt SCA that requires users to review and confirm transaction details (e.g. payee information, amount, and destination account).
- Deploy Mobile Secure Messenger – a secure channel for sending push notifications.
How Thales helps:
- Perform MFA Activation only after strong verification of the customer’s identity through a secure KYC process.
- Deploy Mobile Secure Messenger – a secure channel for sending push notifications.
- Offer multiple MFA options that are more secure than SMS OTP, such as OTP/OATH authenticator, FIDO authenticator, and Risk-Based Authentication.
Solutions:
Identity & Access Management
How Thales helps:
- Deploy MFA to secure against interception or manipulation by third parties, leveraging FIDO authentication, strong device binding, transaction signing, risk-based authentication, and cryptographic protections (e.g. Run-time Application Self-Protection) throughout the authentication execution.
- Enable Strong Customer Authentication (SCA) to prompt the payer/ sender to review and confirm the beneficiary details and transaction amount prior to authorizing the transaction.
- Generate authentication codes locally on the payer’s mobile phone device or a separate hardware authenticator.
- Fully support transaction signing, whereby the authentication code is uniquely tied to the confirmed beneficiary and transaction amount.
- Deploy Mobile Secure Messenger – a secure channel for sending push notifications.
Solutions:
Identity & Access Management
How Thales helps:
- Support time-bound OTP generation that aligns with OATH/OCRA standard.
- Deploy OTP that is cryptographically bound to specific transaction details (transaction signing), ensuring that it can only be used for the intended transaction.
- Generate authentication codes locally on the customer’s mobile phone device or a separate hardware authenticator.
How Thales helps:
- Offer a passwordless solution through FIDO2 Passkey authentication for both server and authenticator (hardware and software).
- Provide a FIDO 2 standard solution that is certified by the FIDO Alliance.
How Thales helps:
- Deploy a Mobile Strong Customer Authentication (SCA) solution that is designed to operate within a secure and tamper-resistant runtime environment, equipped with Run-time Application Self-Protection (RASP), device integrity checks, and anti-tampering controls to defend against malware, rooting/ jailbreaking, and unauthorized access.
- Ensure continuous mitigation against emerging mobile application threats by providing mobile security that is periodically penetration-tested by independent third-party security labs.
- Offer a Mobile SCA solution that is strictly prohibited from storing sensitive authentication data such as PINs and passwords on the device.
- Enable activation of the mobile authenticator only after strong identity verification by the bank. Cryptographic keys are securely transmitted via end-to-end encrypted channels to prevent interception or manipulation.
- Support strong device binding between the customer’s device and the user’s cryptographic key is enforced during the provisioning stage, effectively preventing unauthorized installations or cloning attempts.
How Thales helps:
- Secure data in transit at Layers 2, 3, and/or 4 without slowing down the network.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Provide instant protection against both volumetric and application-layer DDoS attacks in one solution.
- Leverage 63 global PoPs to absorb large attacks, avoiding costly hardware or over-provisioning—elastic defense scales automatically.
Solutions:
Application Security
Data Security
How Thales helps:
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized and to prevent exposure of real data applications and personnel.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Pinpoint risky data access activity for all users, including privileged users.
- Protect data with real-time alerting or user access blocking of policy violations.
How Thales helps:
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Enable continuous monitoring to capture and analyze all data store activity, providing detailed audit trails that show who accesses what data, when, and what was done to the data.
- Enforce user rights management based on data type and user role and produce reports for audit trails.
- Capture detailed data activity automatically for audit purposes.
- Record all changes to permissions, along with the identity of the perpetrator and session details.
- Monitor active processes to detect ransomware – identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alerts/blocks when such an activity is detected.
- Apply contextual security measures based on risk scoring.
- Monitor user behavior such as admin login from a new location/IP or a wrong system access pattern to alert and prevent attacks.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
How Thales helps:
- Provide continuous discovery and classification potential risk of all public, private, and shadow APIs.
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.
- Safeguard your login endpoints from credential stuffing, brute force attacks, and account fraud.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Enable complete visibility and help in singling out enterprise-wide attack campaigns.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Protect against both volumetric and application-layer DDoS attacks in one scalable solution at ease.
- Deploy data protection controls in hybrid and multi-cloud applications to protect DevSecOps.
- Protect and automate access to secrets across DevOps tools.
- Offer FIPS 140-2 Level 3 root of trust for credentials and keys.
- Access data security solutions easily through online marketplaces.
Solutions:
Application Security
Data Security
How Thales helps:
- Secure sensitive data and maintain complete governance and control of sensitive data and the associated encryption keys and policies with Bring-Your-Own-Encryption (BYOE), Hold-Your-Own-Key (HYOK) and Bring-Your-Own-Key (BYOK) approaches, as well as a centralized multi-cloud key management.
- Offer transparent encryption and access control for data residing.
- Encrypt sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized applications and personnel.
- Allow root users to do their job without abusing data by privileged user access controls.
- Accelerate threat detection and ease forensics with data access audit logging.
- Employ strong, standards-based encryption protocols, such as the Advanced Encryption Standard (AES) for data encryption and
- Elliptic Curve Cryptography (ECC) for key exchange.
- Simplify key management across on-premises and multi-cloud deployments by centralizing control on the FIPS140-2 Level 3 environment.
Solutions:
Data Security
How Thales helps:
- Protect network tunnel between cloud and on-premises environment to ensure data is encrypted.
How Thales helps:
- Offer tamper-evident hardware protection, which is critical for digital signing solutions.
How Thales helps:
- Integrate key management with VMware to enable VM image encryption and VSAN encryption.
- Enable data inside VMs and containers to be secured via encryption and access control transparently without any changes to the application.
How Thales helps:
- Allow encrypted data to be migrated between different clouds, removing any reliance on specific formats used by different cloud providers; customers are not locked to a single cloud.
- Pseudonymize sensitive information in databases.
How Thales helps:
- Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.
Appendix 10: Key Risks and Control Measures for Cloud Services | Part B – Cryptographic Key: 8 a – d
How Thales helps:
- Provide various encryption options and methods for customers to protect their data stored in the cloud.
- Centralize key lifecycle management tasks including generation, rotation, destruction, import and export.
- Enforce separation of duty between your data and external party as well as your cloud service provider (CSP) by securely storing encryption keys outside of the corresponding cloud with the Hold-Your-Own-Key (HYOK) approach.
- Automate key lifecycle management across clouds and hybrid environments with processes and tools.
- Manage and protect all secrets and sensitive credentials.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
How Thales helps:
- Enforce granular access control (separated from the OS access control) with transparent encryption for privileged users to prevent misuse or abuse.
- Manage system and data access rights (access control) by supporting role-based authorization (RBAC) and conditional authorization (ABAC).
- Control and manage privileged user accounts by supporting the enforcement of multi-factor authentication (MFA) for accessing critical systems.
- Design authorization and approval procedures (User Journey Orchestration) for privileged user accounts and store and display as a privileged user activity report for detailed auditing.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Leverage global PoPs to absorb large attacks, avoiding costly hardware or over-provisioning—elastic defense scales automatically.
- Ensure uptime with fast, effective DDoS mitigation and a 3-second SLA for Layers 3 & 4 attacks.
- Protect against both volumetric and application-layer DDoS attacks in one solution.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.