TL;DR: Bank Negara Malaysia’s updated RMiT policy tightens requirements around device binding, phone-number changes, cooling-off periods, and MFA resistant to interception, turning prior fraud guidance into mandatory controls for Malaysian financial institutions, according to Authsignal. The compliance question is now whether authentication architecture can bind transactions, devices, and trust state tightly enough to outpace account takeover tactics.
NHIMG editorial — based on content published by Authsignal: Bank Negara Malaysia’s RMiT update just raised the bar on authentication. Here’s how to comply
By the numbers:
- In 2024, Malaysian banks collectively blocked over RM 399 million in fraudulent transactions, five times the amount actually lost to online fraud that year.
Questions worth separating out
Q: How should financial institutions reduce account takeover risk without relying on SMS OTP?
A: They should move to phishing-resistant authentication, device-bound credentials, and transaction binding for high-risk actions.
Q: Why do device changes create more risk than login events?
A: Device changes often transfer trust from one endpoint to another, which is exactly where attackers hide.
Q: What breaks when authentication codes are not tied to the transaction?
A: A generic code can be replayed, redirected, or used to authorise a different beneficiary or amount after the user has already approved the session.
Practitioner guidance
- Separate device enrolment from routine authentication Require distinct verification for first-time device binding, device replacement, and device unbinding.
- Move phone-number changes off the compromised channel Do not approve mobile-number updates with an OTP sent to the current number.
- Bind authentication to the beneficiary and amount Make approval codes specific to the transaction so a replayed or redirected code cannot be used for a different payee or a different amount.
What's in the full article
Authsignal's full blog post covers the implementation detail this analysis intentionally leaves for the source:
- How the updated RMiT paragraphs map to specific authentication workflow changes across onboarding, device binding, and step-up verification
- The exact policy language around one-device-per-user defaults, mobile-number changes, and cooling-off periods for new devices
- How Authsignal positions its rules engine, passkey support, and risk-based flows against the RMiT requirements
- The operational examples that show how to translate fraud controls into an authentication architecture review
👉 Read Authsignal’s analysis of Bank Negara Malaysia’s updated RMiT authentication requirements →
RMiT authentication update: what does this change for IAM teams?
Explore further
Channel-bound authentication is no longer a sufficient trust model for banking access. The update shows that a phone number or SMS path can no longer be treated as a stable identity anchor. That matters because fraudsters do not need to defeat every control when the institution still accepts the compromised channel as the proof of legitimacy. Practitioners should read this as a signal to redesign assurance around transaction context, not just factor possession.
A few things that frame the scale:
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Attackers attempt access to publicly exposed AWS credentials within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
A question worth separating out:
Q: Who is accountable when fraud-resistant authentication is not implemented?
A: Accountability sits with the institution’s security, identity, and fraud governance functions together, because the control spans customer authentication, transaction monitoring, and device lifecycle management. In regulated banking environments, policy obligations typically land on the firm, not just the product team or fraud team alone.
👉 Read our full editorial: Bank Negara Malaysia raises authentication rules for financial institutions