Bank Negara Malaysia RMiT Update: New Authentication Rules for Fintech and Banks
Summary: Bank Negara Malaysia has updated its RMiT framework, requiring financial institutions to adopt stricter authentication measures, including device binding, multi-factor authentication and risk assessment, to guard against fraud such as SIM-swap and phishing attacks. The new rules replace SMS OTP authentication and push institutions toward more secure technologies such as Passkeys.
2026-4-2 05:52:1 Author: securityboulevard.com

Bank Negara Malaysia’s updated RMiT framework introduces stricter authentication requirements for financial institutions. The update focuses on stronger identity verification, device binding, and fraud-resistant authentication systems.

The regulation effectively moves the industry away from SMS OTP authentication and toward phishing-resistant authentication methods such as Passkeys and Multi-Factor Authentication.

Financial institutions must now implement stronger security controls including Device Binding, Adaptive MFA, and Risk-Based Authentication.

These changes aim to reduce fraud scenarios such as SIM-swap attacks, phishing campaigns, and account takeover attempts.

For fintech platforms and banking developers, the RMiT update means authentication systems must evolve from simple login verification to secure, device-bound identity systems.

Modern authentication platforms like MojoAuth help developers implement Passkey Authentication, Adaptive MFA, and Device Binding without building complex identity infrastructure internally.

What Is Bank Negara Malaysia’s RMiT Framework?

The Risk Management in Technology (RMiT) policy is the primary technology risk regulation for financial institutions operating in Malaysia.

It defines how regulated organizations must manage:

  • Cybersecurity

  • Authentication Security

  • Fraud Protection

  • Technology Infrastructure

  • Cloud and Third-Party Risk

The framework applies to:

  • Banks

  • Insurance companies

  • Payment providers

  • Digital wallet platforms

  • Remittance providers

Any organization regulated by Bank Negara Malaysia (BNM) must comply with the RMiT guidelines.

The framework ensures financial institutions adopt strong cybersecurity practices as digital banking continues to expand.

Why Malaysia Is Strengthening Authentication Requirements

Digital banking fraud has increased globally, particularly through social engineering and mobile-based attacks.

Common attack techniques include:

  • SIM-swap fraud

  • Phishing attacks

  • Credential theft

  • Account takeover attacks

SMS-based authentication methods have become increasingly vulnerable.

Attackers can intercept SMS OTP codes through telecom vulnerabilities or redirect them through SIM swap attacks.

Because of these risks, regulators worldwide are encouraging banks to move toward phishing-resistant authentication methods.

Malaysia’s updated RMiT framework formalizes this shift.

Key Authentication Requirements in the Updated RMiT Policy

The updated regulation introduces several major changes to authentication security.

These changes focus on reducing fraud risk while improving identity assurance.

One Device Per User by Default

One of the most significant changes is the default single-device requirement.

Financial institutions must bind user accounts to a trusted primary device.

Additional devices can still be added, but the process must involve:

  • Explicit User Consent

  • Additional Verification

  • Security Monitoring

This requirement helps prevent attackers from quickly registering new devices after gaining access to an account.

Device binding significantly reduces fraud scenarios involving unauthorized device enrollment.

Strong Verification for Phone Number Changes

Another critical update involves the process for changing a registered phone number.

Previously, many banking apps allowed users to update their phone number by confirming an OTP sent to the existing number.

However, if an attacker already controls the number through SIM swap attacks, this verification method fails.

The updated RMiT policy requires stronger verification mechanisms such as:

  • Identity Re-Verification

  • Biometric Authentication

  • Alternative Secure Verification Channels

The verification process must not rely solely on the phone number being changed.

Cooling-Off Periods for Newly Registered Devices

The regulation also introduces cooling-off periods for newly registered devices.

During this period:

  • High-risk transactions may be restricted

  • Transaction limits may apply

  • Account behavior should be monitored

This prevents attackers from immediately transferring funds after gaining access to an account.

Cooling-off periods are now considered an important fraud-prevention mechanism.

Multi-Factor Authentication Beyond SMS OTP

The most important change in the RMiT update is the move away from SMS OTP authentication.

Financial institutions must implement phishing-resistant Multi-Factor Authentication.

Authentication methods must be resistant to:

  • Interception

  • Phishing Attacks

  • Manipulation During Login

This requirement pushes financial institutions toward modern authentication technologies such as:

  • Passkey Authentication

  • Biometric Authentication

  • Cryptographic Device Credentials

These authentication models provide significantly stronger protection against account takeover attacks.

Why Passkeys Align with the RMiT Security Model

The security architecture encouraged by the RMiT update strongly aligns with Passkey Authentication.

Passkeys use cryptographic key pairs stored securely on user devices.

During login:

  1. The server sends a cryptographic challenge.

  2. The device signs the challenge using a private key.

  3. The server verifies the signature using the public key.

This process provides strong protection against phishing attacks because the private key never leaves the user’s device.

Passkeys also support Device Binding, one of the key requirements introduced by the RMiT framework.

If you want to understand how passkeys work technically, read our guide:

https://mojoauth.com/blog/what-are-passkeys-and-how-they-work

Modern Authentication Architecture for Financial Applications

The updated RMiT framework reflects a broader shift toward modern identity architectures.

Secure banking platforms typically implement several authentication layers.

Device Binding

User accounts are tied to trusted devices to prevent unauthorized access from unknown environments.

Device identity becomes part of the authentication process.

Passkey Authentication

Passkeys replace passwords with device-bound cryptographic credentials.

This eliminates password reuse and prevents phishing attacks.

Adaptive MFA

Adaptive MFA introduces additional authentication steps when risk signals increase.

Examples of risk signals include:

  • Device Changes

  • Suspicious Login Locations

  • Unusual Activity Patterns

This approach balances security with user experience.

Risk-Based Authentication

Risk-Based Authentication dynamically evaluates user behavior and adjusts verification requirements.

High-risk activities such as large financial transactions may trigger additional verification.

This approach significantly reduces fraud without increasing login friction for legitimate users.

How MojoAuth Helps Fintech Platforms Meet RMiT Requirements

Implementing regulatory-compliant authentication infrastructure can be complex.

Financial applications must support:

  • Device Binding

  • Passkey Authentication

  • Adaptive MFA

  • Risk-Based Authentication

  • Secure Identity Verification

Authentication platforms like MojoAuth allow developers to implement these capabilities quickly without building identity infrastructure from scratch.

With MojoAuth, developers can easily integrate:

  • Passkey Authentication

  • Passwordless Authentication

  • Adaptive MFA

  • Device Binding

  • Risk-Based Authentication

These capabilities help fintech teams meet evolving regulatory requirements while maintaining a seamless user experience.

Learn more about Passwordless Authentication:

https://mojoauth.com/passwordless-authentication/

What This Means for Banking and Fintech Developers

The RMiT update represents a broader shift in financial security architecture.

Authentication systems must now protect against sophisticated fraud techniques including:

  • SIM-swap Attacks

  • Phishing Campaigns

  • Credential Interception

  • Account Takeover Attacks

Legacy authentication methods such as SMS OTP are no longer sufficient for modern financial systems.

Developers must adopt phishing-resistant authentication models built around device identity and cryptographic credentials.

Technologies such as Passkey Authentication, Adaptive MFA, Device Binding, and Risk-Based Authentication are becoming the standard for secure financial applications.

Conclusion

Bank Negara Malaysia’s updated RMiT framework significantly raises the bar for authentication security in financial services.

The regulation moves the industry toward modern identity architectures based on:

  • Device-Bound Authentication

  • Phishing-Resistant MFA

  • Risk-Based Security Controls

  • Continuous Fraud Monitoring

For fintech platforms and digital banking applications, these changes represent an opportunity to modernize authentication systems.

Organizations that adopt technologies such as Passkeys, Adaptive MFA, and Device Binding will not only meet regulatory requirements but also significantly reduce fraud risk.

Modern authentication is no longer just about verifying credentials.

It is about building secure identity systems that protect both users and financial transactions.

*** This is a Security Bloggers Network syndicated blog from MojoAuth Blog - Passwordless Authentication & Identity Solutions authored by MojoAuth Blog - Passwordless Authentication & Identity Solutions. Read the original post at: https://mojoauth.com/blog/bank-negara-malaysia-rmit-update-new-authentication-rules-for-fintech-and-banks


Source: https://securityboulevard.com/2026/04/bank-negara-malaysia-rmit-update-new-authentication-rules-for-fintech-and-banks/