KUALA LUMPUR – Malayan Banking Bhd (Maybank), CIMB Bank Bhd, and their respective Islamic finance arms have collectively paid over RM5 million in administrative penalties to Bank Negara Malaysia (BNM).
These penalties were imposed on July 29 due to prolonged service disruptions affecting customers.
Malayan Banking and Maybank Islamic Bhd had paid RM4.32 million on August 8, while CIMB Bank and CIMB Islamic Bank Bhd had paid RM760,000 on August 12.
The penalties were issued after BNM found that these banks had failed to comply with several legislative requirements, leading to extended service outages.
Specifically, the banks were found to have breached paragraph 48(1)(a) of the Financial Services Act 2013 and paragraph 58(1)(a) of the Islamic Financial Services Act 2013, in conjunction with paragraph 10.32 of the Risk Management in Technology Policy Document.
In two separate statements today, BNM highlighted that, according to the policy document, financial institutions must ensure their relevant critical systems are designed for high availability.
This includes how cumulative unplanned downtime affecting its user interface must not be more than four hours on a rolling 12-month basis and a maximum tolerable downtime of 120 minutes per incident.
In Maybank’s case, BNM said the bank’s Regional Mobile Banking Platform and MAE applications experienced multiple unplanned downtimes between June 1 and May 31, causing prolonged disruptions in several banking services interfaces with customers and counterparties.
Noting that the duration of the disruption had breached the referenced paragraph of the policy document, BNM said its investigations into the root cause of the incident revealed Maybank’s inability to recover “effectively and promptly” from unexpected system disruptions.
Measures by Maybank to further strengthen its application and infrastructure resiliency as required by BNM were also incomplete at the time of the incident, which impeded recovery effects, added the nation’s central bank.
“Maybank has taken the necessary actions to close these gaps as part of its multi-year infrastructure investments to prevent future non-compliance.”
Similarly, BNM said CIMB’s customers had experienced prolonged service disruptions on April 8 and 9 affecting e-banking channels, automated teller machines (ATM) as well as debit cards and credit cards.
Upon investigation, it was found that the disruptions resulted from lapses in CIMB’s execution of its response and recovery process to restore the disrupted systems promptly, thus impacting the availability of essential banking services.
For all the financial institutions involved, BNM had considered the relevant aggravating and mitigating factors, including failure to take reasonable steps to mitigate the downtime incidents and avoid non-compliance, as well as the severity of the non-compliance, including the impact of the service disruption on customers and counterparties.
Besides that, it also considered the banks’ past compliance record and history of formal enforcement actions imposed.
For Maybank, BNM also considered the effectiveness of remedial actions taken to prevent recurrence.
“BNM expects all financial institutions to maintain a high level of technology resilience against operational disruptions to ensure the continuous availability of essential financial services.
“BNM will not hesitate to take appropriate supervisory and enforcement actions when financial institutions fall short of regulatory expectations.”
Meanwhile, in a statement today, CIMB said it has invested and will continue to invest in technology, systems, and processes to strengthen its resilience and ensure that its critical customer infrastructure is able to serve and meet its customers’ needs.
“(CIMB) has strengthened its corrective and preventive measures to address service outages in a timely manner including adequate oversight of its third parties, while ensuring business continuity plans can be initiated immediately during critical times.”
It added that it accepts BNM’s decision and regrets previous unplanned downtimes to its critical systems. – August 14, 2024