Malaysia: Bank Negara Malaysia issues Exposure Draft of Payment System Operator Policy Document

In brief

Bank Negara Malaysia ("BNM"), the Central Bank of Malaysia, has on 15 December 2021 issued an exposure draft of the Payment System Operator policy document ("PSO Exposure Draft"). The PSO Exposure Draft is intended to apply to all approved operators of a payment system under the Malaysian Financial Services Act 2013 and Malaysian Islamic Financial Services Act 2013 ("PSO"). The objectives of the PSO Exposure Draft are to:

  1. ensure the safety, efficiency and reliability of payment systems;
  2. preserve public confidence in the payment systems and the use of payment instruments; and
  3. ensure payment systems are aligned with relevant international standards.


Key takeaways

  1. Under the PSO Exposure Draft, PSOs, will:
  • be subject to enhanced obligations and requirements in relation to corporate governance, risk management and operational requirements and access and participation rule requirements; and
  • have to ensure that they maintain liquid net assets of at least six months of their current operating expenses.
  1. The PSO Exposure Draft will also affect other participants in the payment chain and persons who deal with PSOs, including direct and indirect participants of payment systems and outsourced service providers, to the extent that obligations are passed on to them by the PSOs.
  2. PSOs should immediately undertake a gap analysis to begin planning for compliance with the final policy document as the PSO Exposure Draft does not contemplate a transitional period before it comes into force.
  3. For further information and to discuss what this development might mean for you, please get in touch with us.

In more detail

The key requirements and standards that BNM is proposing to introduce are set out below.



Key Requirements and Standards


Corporate Governance

  • The Board of a PSO is generally tasked with establishing policies that promote safety, efficiency, and reliability of payment systems. This entails having to implement control functions (e.g., risk management, compliance) that are competently staffed with reporting measures in place.
  • The Board must include an appropriate combination of personnel with calibre and independent directors.


Risk Management and Operational Requirements

  • PSOs are required to establish and implement risk management frameworks (including a technology risk management framework, liquidity risk management framework, credit risk management framework and cyber resilience framework), risk monitoring and reporting requirements, collateral management practices, management and control systems to mitigate operational risks, a business continuity plan and a disaster recovery plan.
  • These frameworks and plans should address:
    1. controls in safeguarding the confidentiality, integrity and availability of information;
    2. maximum tolerable downtime and recovery time objectives for all critical business functions; and
    3. and identification of scenarios that may prevent its ability to provide its critical operations and services with the appropriate plans for its recovery or orderly wind-down.


Adequate Capital and Liquid Net Assets Requirement

  • At the minimum, PSOs must maintain liquid net assets equivalent to at least six (6) months of current operating expenses.
  • PSOs are also required to maintain:
    1. adequate liquid resources in all relevant currencies to ensure smooth settlement under normal or stress scenarios; and
    2. sufficient financial resources to cover its credit exposure to each participant. 


Outsourcing Arrangements and Interlinkages

  • PSOs will be accountable for services provided by an outsourced service provider.
  • PSOs must ensure appropriate due diligence is undertaken on the provider.
  • PSOs will need to ensure that it monitors the service providers and allow BNM to exercise its regulatory and supervisory powers including have unrestricted access to their systems, information and documents.
  • PSOs must have contingency plans to secure business continuity.


Access and Participation Rules

  • Access criteria to a PSO's payment system should be fair, open, objective, transparent and risk-based, to commensurate with the risk profile of the participants. Procedures on suspension or orderly exit upon breach of, or inability to meet, participation requirements should be clearly outlined and disclosed.
  • Rules and procedures established by PSOs must be clear, comprehensive, up-to-date and fully disclosed to its participants. Processes for proposing, implementing and communicating changes to rules and procedures must also be clear and fully disclosed.
  • PSOs must publicly disclose their fees and relevant information that would allow participants to assess the total cost of participating in the payment system and/or services offered by a PSO. PSOs must provide a timely notice to their participants of any changes to its fees.
  • Under a tiered-participation arrangement (i.e., where an indirect participant relies on services provided by a direct participant of a PSO to access a PSO's payment system), PSOs shall:
    1. establish rules and procedures with the direct participants to enable the PSO to obtain information on the indirect participants to identify and monitor risk;
    2. identify the significant dependencies between direct and indirect participants that may adversely affect the PSO; and
    3. regularly review the risks associated with the tiered-participation arrangements and institute appropriate mitigating measures.











































The PSO Exposure Draft will have far reaching implications on PSOs. Changes will need to be made to their operational day-to-day requirements and interactions with participants across the payment infrastructure as well as their service providers. It is imperative for PSOs to undertake a gap analysis to determine the refinements that it will need to make to comply with the requirements of the PSO Exposure Draft.


For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

LOGO Malaysia_Wong & Partners_KualaLumpur

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. 

Copyright © 2023 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.