Project XBY

Asia-Pacific · GDP rank #35

Malaysia

MY · MYR @ 0.2532/USD

Malaysia ran the highest-velocity DuitNow rollout in ASEAN. PayNet cleared 8.44bn digital transactions in 2025 (+34% YoY), DuitNow QR alone doubled to 3bn, and the country operates the densest ASEAN cross-border QR mesh (live with SG, TH, ID, CN, KH; IN expected 2026). Malaysia is one of the five founding-country IPSs inside the BIS Project Nexus Scheme Organisation. BNM's five licensed digital banks are now in operational years two and three; the Securities Commission frames stablecoin and tokenised-deposit policy.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

RM 1.9B +22% vs 2023

MYR · 2024

Loss rate

~5bp

basis points on transaction value · 2024

CNP share of fraud

76%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Authorised push payment (scam-led)+38%
  • Card-not-present (e-commerce)76%
  • Account takeover+28%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

~50%

% · 2024

3DS coverage · CNP

94%

% · 2024

Biometric mobile wallet txns

~90%

% · 2024

Consumer protection

Framework
Financial Services Act 2013 / Islamic Financial Services Act 2013; Consumer Protection Act 1999; BNM Banking Supervision
Max consumer liability
RM 250 for unauthorised card transactions
Liability rules
Banks bear residual liability for unauthorised payment transactions unless gross negligence by the customer is established; ombudsman scheme operated via the Ombudsman for Financial Services (OFS). APP fraud reimbursement subject to BNM-issued circulars; no statutory mandate equivalent to the UK PSR rules.

Source · Bank Negara Malaysia

Security standards

  • PCI DSS 4.0 mandated by BNM for acquirers and processors
  • 3D Secure 2.0 mandatory on CNP
  • DuitNow Confirmation of Payee (recipient name display) live
  • National Scam Response Centre (NSRC) 997 hotline
  • 2024 amendments to the Anti-Money Laundering Act broadened liability for mule-account facilitation