Withholding Tax on Special Classes of Income Part 3

8. Rent or Other Payments Made under any Agreement for Use of Moveable Property [Paragraph 4A(iii) of the ITA]

8.1 Paragraph 4A(iii) of the ITA covers rents or other payments made to non-residents for the use of any moveable property, including rents or other payments for the use of oil rigs, boats, ships, cars, aircraft or other equipment in or outside Malaysia. The following activities fall within the scope of paragraph 4A(iii) of the ITA:

(a) Slot hire / charter

Slot hire / charter is where the hirer / charterer has exclusive use of a particular slot / space in a ship / aircraft to the exclusion of others. Payments for slot hire / charter are subject to withholding tax at 10% on the gross amount.

(b) Leasing of ships / aircraft

Leasing of a ship / aircraft is the exclusive use of a ship / aircraft which is chartered, whether bare boat (dry lease) or with crew (wet lease). Payments made to non-residents who lease out ships / aircraft fall within the scope of paragraph 4A(iii) of the ITA and are subject to withholding tax at the rate of 10% on the gross receipt.

(c) Time charter

Time charter is where a ship / aircraft is chartered for a specific period. If a ship / aircraft is chartered for, say, 3 years, withholding tax at the rate of 10% on the gross amount must be deducted from the payment or charter fees paid in respect of the use of the ship / aircraft.

WITHHOLDING TAX ON SPECIAL CLASSES OF INCOME
Public Ruling No. 10/2019
INLAND REVENUE BOARD OF MALAYSIA, Date of Publication: 10 December 2019

(d) Voyage charter

Voyage charter is in respect of a particular voyage / flight, i.e. a predetermined route. If a ship / aircraft is chartered in respect of a particular voyage / flight, the charter fee received is subject to withholding tax at 10% on the gross fees.

8.2 The following income does not fall within the scope of paragraph 4A(iii) of the ITA:

Freight charges

Freight charges paid to non-residents in respect of the export / import of goods do not fall within the scope of paragraph 4A(iii) of the ITA, as freight charges are fees for the shipment of goods and not payments for the use of moveable property.

However, fees other than freight charges for the shipment of goods, such as handling fees and agency service fees, fall under the scope of paragraph 4A(ii) of the ITA and are subject to withholding tax under section 109B of the ITA.

8.3 The following income is taxable under paragraph 4A(iii) of the ITA but is specifically exempted under the Income Tax (Exemption) Orders:

8.3.1 Pooling arrangements

A non-resident deriving income under paragraph 4A(iii) of the ITA consisting of payments made under an agreement or arrangement for participation in a pool by a company resident in Malaysia which is engaged in the business of transporting passengers or cargo by sea is specifically exempted from payment of income tax under the Income Tax (Exemption) (No. 25) Order 1995 [P.U. (A) 322/1995]. Consequently, withholding tax under section 109B of the ITA does not apply to the exempted income.

8.3.2 Income received from a Malaysian shipping company

(a) A non-resident person deriving income under paragraph 4A(iii) of the ITA from a Malaysian shipping company, consisting of payments made under any agreement or arrangement for the use of a ship, is specifically exempted from payment of income tax under the Income Tax (Exemption) Order 2007 [P.U. (A) 58/2007]. The income is in relation to the use of the ship on a voyage charter, time charter or bare boat charter. Consequently, withholding tax under section 109B of the ITA does not apply to the exempted income. The exemption is effective from 2.9.2006.

(b) For the purpose of this exemption, the words below have the following meaning:

"Ship" means a sea-going ship other than a ferry, barge, tug-boat, supply vessel, crew boat, lighter, dredger, fishing boat or other similar vessel;

"Bare boat" means a ship which is chartered without crew and of which the charterer has the exclusive use for a period or for a voyage;

"Malaysian ship" means a sea-going ship registered under the Merchant Shipping Ordinance 1952; and

"Malaysian shipping company" means a resident company incorporated under the Companies Act 1965 or the Companies Act 2016 which owns a Malaysian ship and carries on a business of:

(i) transporting passengers or cargoes by sea on a ship, or

(ii) letting out a ship.

8.3.3 Income derived from the rental of International Standard Organisation (ISO) containers by a Malaysian shipping company

A non-resident person who receives income derived from the rental of ISO containers by a Malaysian shipping company is exempted from withholding tax from 20.10.2001 under the Income Tax (Exemption) (No. 24) Order 2002 [P.U. (A) 210/2002].

For the purpose of this exemption, "Malaysian shipping company" has the same meaning as in subparagraph 8.3.2(b).

9. Reimbursements

9.1 Reimbursements refer to out-of-pocket expenses incurred by the payee

(a) in the course of rendering services to the payer, or

(b) in respect of the use of any moveable property,

and subsequently reimbursed by the payer. Such expenses include the cost of airfares, travelling, accommodation, telephone and photocopying charges.

9.2 Reimbursements are considered part of the contract value for services rendered or for rent or payments made for the use of moveable property. As such, they are income of the payee under section 4A of the ITA and are subject to withholding tax at the rate of 10% on the gross amount under section 109B of the ITA.

9.3 Reimbursements of hotel accommodation are not included in the computation of gross income falling under section 4A of the ITA for the purposes of withholding tax. This exclusion is aimed at reducing the cost of services provided by non-residents. Hotel accommodation means accommodation in a hotel, apartment hotel, service apartment, motel or hostel in or outside Malaysia.

10. Disbursements

10.1 Disbursements are out-of-pocket expenses incurred by the payer and paid to a third party on behalf of the payee

(a) in connection with services rendered by the payee, or

(b) in respect of the use of any moveable property.

Disbursements are considered part of the contract value for services rendered or for rent or payments made for the use of any moveable property. As such, they are income of the payee under section 4A of the ITA and are subject to withholding tax at the rate of 10% on the gross amount under section 109B of the ITA.

10.2 Disbursements on hotel accommodation in or outside Malaysia are not included in the computation of gross income falling under section 4A of the ITA for the purposes of withholding tax. The purpose of this exclusion is the same as for reimbursements, i.e. to reduce the cost of services provided by non-residents.


Example 13

SH Pte Ltd, a Singapore company, rendered services to Roadworks Sdn Bhd in March 2018. The services were performed in Malaysia. SH Pte Ltd issued an invoice dated 15.6.2018 for the value of RM1,000. Roadworks Sdn Bhd paid the cost of air fares of RM500 for the representative of SH Pte Ltd to XS Airlines (XS) on 15.3.2018. These expenses were classified as travelling expenses in the profit and loss account of Roadworks Sdn Bhd. Upon receiving the invoice, Roadworks Sdn Bhd paid RM900 to SH Pte Ltd and subsequently remitted the balance of RM100 to the Director General.

The gross amount paid to SH Pte Ltd is subject to withholding tax under section 109B of the ITA at the rate of 10%.

The payer should remit the sum of RM100 to the DGIR within one month after the payment for the services has been paid or credited to SH Pte Ltd.

However, if it can be confirmed that SH Pte Ltd is a tax resident in Singapore, then the withholding tax rate is 5% pursuant to the DTA between Malaysia and Singapore.

The disbursements or out-of-pocket expenses of RM500 incurred by Roadworks Sdn Bhd are subject to withholding tax under section 109B of the ITA. Even though the payment for the airfare to XS is made in full, withholding tax of RM50 (10% x RM500) should be borne by the payee, and the payer should remit the sum of RM50 to the DGIR within one month after the payment of the airfare has been paid or credited to XS.

The total amount of withholding tax charged on the payee should be:

10% x RM1,000 = RM100.00
10% x RM500   = RM50.00
Total         = RM150.00

The payer may subsequently recover the tax of RM50.00 from SH Pte Ltd.

For the purpose of this example, it is assumed that SH Pte Ltd did not submit documentary proof of its resident status.


11. Advance Payments and Deposits

11.1 Advance payments and non-refundable deposits paid to a non-resident payee

(a) for services to be rendered, or

(b) in respect of the use of any moveable property

under section 4A of the ITA form part of the gross income of a contract and are subject to withholding tax under section 109B of the ITA.

On the other hand, deposits paid upon the signing of an agreement for services which are refundable upon completion of the service do not form part of the gross income of a contract.

11.2 Advance payments and non-refundable deposits for services performed in and outside Malaysia are deemed to be derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. Even though the services are yet to be performed, the advance payment or non-refundable deposit is made purely for the services which will be performed and forms part of the gross amount payable for the services. The advance payment or non-refundable deposit is subject to withholding tax under section 109B of the ITA at the rate of 10%.


Withholding Tax on Special Classes of Income Part 2

7. Advice, Assistance or Services Rendered in Connection with Management or Administration [Paragraph 4A(ii) of the ITA]

7.1 Pursuant to section 5 of the Finance Act 2018 [Act 812], effective 28.12.2018, paragraph 4A(ii) of the ITA consists of amounts paid to a non-resident person in consideration of advice given, or assistance or services rendered, in connection with the management or administration of any scientific, industrial or commercial undertaking, venture, project or scheme, whether performed in or outside Malaysia.

The amendment to paragraph 4A(ii) of the ITA does not change the scope of payments covered, which continues to include payments for non-technical assistance and non-technical services.


7.2 Advice, assistance or services rendered in connection with the management of any scientific, industrial or commercial undertaking, venture, project or scheme would include the passing over or utilisation of expert or specialised knowledge, skills or expertise. Examples of management services include the provision of marketing, consultancy and legal services, the supply of software personnel, and inter-company services and support such as testing and calibration services.

7.3 Administration would cover management or administrative services in connection with any scientific, industrial or commercial undertaking, venture, project or scheme. Examples of administration include assistance, services, management and administrative functions such as planning, direction, control, co-ordination, accounting, financial management consultation and labour negotiations.

7.4 The following are examples of services that generate income falling within the scope of paragraph 4A(ii) of the ITA:

(a) Management or marketing services

Example 4

KMN International Hotel Management Ltd, a company resident in the United Kingdom (UK), entered into an agreement with ABC Hotel (M) Sdn Bhd in February 2017 to provide hotel management and marketing services in Malaysia in connection with:

(i) the supervision and control of the general manager;

(ii) the supervision and co-ordination of staff training and development programmes; and

(iii) the promotion and marketing plans for the hotel in Malaysia.

Under the terms of the agreement, the Malaysian company will pay a monthly fee based on 5% of the gross turnover to KMN International Hotel Management Ltd for the management and marketing services provided in Malaysia. In addition, an annual fee of 2% on gross overseas sales will be charged for marketing services performed overseas.

The fees for services rendered by KMN International Hotel Management Ltd in and outside Malaysia are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The monthly fees of 5% on the gross turnover and the annual fee of 2% on gross overseas sales paid to KMN International Hotel Management Ltd are subject to withholding tax under section 109B of the ITA at the rate of 10%. However, if it can be confirmed that KMN International Hotel Management Ltd is a tax resident in the UK, then the withholding tax rate is 8% pursuant to the DTA between Malaysia and the UK.

Effective 6.9.2017, the annual fee of 2% on gross overseas sales is exempted from income tax, as the services are rendered and performed by KMN International Hotel Management Ltd outside Malaysia.

For the purpose of this example, it is assumed that KMN International Hotel Management Ltd does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.

(b) Consultancy services

(i) Fee for consultancy services

Example 5

Jet Engineering (M) Sdn Bhd entered into an agreement in April 2017 with Jet Engineering Services (Asia) Pte Ltd, a Singapore company. The Singapore company would provide specialists or personnel to carry out engineering inspection and rectification works in Port Dickson, Kuantan, Melaka and Vietnam for a period of 2 months (May and June 2019). The total agreed fee was RM500,000, including RM150,000 attributable to the work done in Vietnam.

The fees for services rendered by Jet Engineering Services (Asia) Pte Ltd in and outside Malaysia are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The gross fee of RM350,000 is subject to withholding tax under section 109B of the ITA at the rate of 10%. If it can be confirmed that Jet Engineering Services (Asia) Pte Ltd is a tax resident in Singapore, then the withholding tax rate is 5% as provided in the DTA between Malaysia and Singapore. The fee of RM150,000 relating to the services performed in Vietnam is exempted from:

(i) income tax, effective 6.9.2017; and

(ii) withholding tax under the said DTA.

For the purpose of this example, it is assumed that Jet Engineering Services (Asia) Pte Ltd does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.

(ii) Fee for consultancy services includes reimbursement

Example 6

M & A Ltd, an architectural firm in London, was engaged in April 2017 to provide plans for a modern hospital in Kuala Lumpur. Staff from the firm came to Malaysia several times for inspection of the site and discussions with the local company, and finally delivered the master plan. The plans were drawn in its office in London. It was agreed that consultancy fees of RM1 million would include reimbursements, payable by monthly invoices based on the progress of work done. The agreement also provided an analysis of the fees charged.

The fees for services rendered by M & A Ltd in and outside Malaysia are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The fees, including reimbursements, are subject to withholding tax under section 109B of the ITA at the rate of 10%. However, if it can be confirmed that M & A Ltd is a tax resident in the UK, then the withholding tax rate is 8% pursuant to the DTA between Malaysia and the UK.

Effective 6.9.2017, the portion of the fees (including reimbursements) related to the services performed outside Malaysia is exempted from income tax.

For the purpose of this example, it is assumed that M & A Ltd does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.

(iii) Monthly fees for consultancy services include reimbursement in respect of related expenses

Example 7

FGH (M) Sdn Bhd is a hardware and software provider. The company had entered into an agreement with PQR Software Pte Ltd, a company in India. PQR would provide personnel to work with FGH to supply and implement an Integrated Cash Management System at a Malaysian bank in Malaysia. It was agreed that FGH would pay monthly fees which included reimbursements such as air tickets, local lodging, food and other related expenses.

The fees for services rendered by PQR are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The monthly fees, which include reimbursements, are subject to withholding tax under section 109B of the ITA at the rate of 10%. However, reimbursements for local lodging would not be subject to withholding tax under section 109B.

For more information on reimbursements, please refer to paragraph 9 of this PR.

For the purpose of this example, it is assumed that PQR does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.

(c) Legal services in connection with a debt or agency arrangement

Example 8

A legal firm resident in Spain was engaged by a Malaysian company in December 2018 to advise on matters regarding a debt reduction agreement and an agency agreement. The services were performed wholly in Malaysia.

The fees for services rendered in Malaysia by the legal firm are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The fees are subject to withholding tax under section 109B of the ITA at the rate of 10%. However, if it can be confirmed that the legal firm is a tax resident in Spain, then the withholding tax rate is 5% pursuant to the DTA between Malaysia and Spain.


(d) Inter-company services

Example 9

Em Electric Canada Limited is a multi-national company dealing with multi-branded products in the fields of telecommunications, process management, storage solutions, industrial automation and other related services. The Malaysian subsidiary, Em Technology Sdn Bhd, while undertaking projects for various Malaysian customers, always seeks assistance from its parent company or other subsidiaries which are not resident in Malaysia to provide training, project management and other related services.

Staff from the parent company and other subsidiaries in Canada are assigned to work in Malaysia for 3 months from June to August 2019. The salaries of the assigned staff are borne by the non-resident parent company or subsidiaries. The parent company or subsidiaries issue debit notes to recover the staff cost and other reimbursements from Em Technology Sdn Bhd. A debit note is issued as an allocation of cost depending on the nature of the jobs involved.

The fees (debit notes) for assistance and services rendered by Em Electric Canada Limited and its subsidiaries are deemed derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The amounts shown in the debit notes are subject to withholding tax under section 109B of the ITA at the rate of 10%.

For the purpose of this example, it is assumed that the Canadian company does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.

Note

In the absence of a Technical Fee Article in the DTA between Malaysia and Canada, the Income Not Expressly Mentioned Article is applicable. Please refer to paragraph 18(1)(b) of this PR for further information.

Example 10

AZ Sdn Bhd pays management fees to its parent company in the United States of America (USA). The parent company provided personnel to carry out the management services in Malaysia. The managerial services provided by the USA company to AZ Sdn Bhd are assistance, management and support in management, decision making, sales and business development, financial decision making, legal matters, public relations activities, risk management services and other management support as mutually agreed by AZ Sdn Bhd and its parent company. The managerial services are rendered wholly in Malaysia.

The fees for services rendered by the parent company in Malaysia are deemed to be derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The fees are subject to withholding tax under section 109B of the ITA at the rate of 10%.

(e) Specially-tailored training course

Specially-tailored training courses, i.e. courses specifically designed to meet the business needs of a company in connection with a company project for a specific group of people, may fall under paragraph 4A(ii) of the ITA.

Example 11

Aircraft Services Sdn Bhd and Dublin Aerospace, Ireland, entered into a joint-venture agreement to provide maintenance and repair services for aircraft in Malaysia. Dublin Aerospace is required to provide assistance to Aircraft Services Sdn Bhd in Malaysia. An aircraft engineer from Dublin Aerospace who is an expert in aircraft engineering was assigned to conduct a 2-week course in Malaysia for the aircraft technicians of Aircraft Services Sdn Bhd. This course was specially tailored to provide training in relation to the maintenance and repair of the latest aircraft. Payment was made to Dublin Aerospace.

The payment to Dublin Aerospace for the aircraft engineer to conduct the specially-tailored training course to meet the business project needs in Malaysia is deemed to be derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The gross payment is subject to withholding tax under section 109B of the ITA at the rate of 10%.

(f) Testing and calibration services

Example 12

Safety Products Sdn Bhd made payments to Inspec Ltd, a company based in France, in consideration for its services in providing testing, measurement and calibration services from 1.4.2019 to 20.4.2019 that were carried out in Malaysia.

The fees for services rendered by Inspec Ltd are deemed to be derived from Malaysia and chargeable to tax under paragraph 4A(ii) of the ITA. The gross amount paid to the company in France is subject to withholding tax under section 109B of the ITA at the rate of 10%.

For the purpose of this example, it is assumed that the company in France does not have a permanent establishment in Malaysia.

If the non-resident company has a permanent establishment in Malaysia, please refer to paragraph 19 of this PR for further information.


Withholding Tax on Special Classes of Income Part 1

1. Objective

The objective of this Public Ruling (PR) is to explain:

(a) special classes of income that are chargeable to tax under section 4A of the Income Tax Act 1967 (ITA);

(b) deduction of tax from special classes of income; and

(c) consequences of not deducting and remitting the tax from special classes of income.

2. Relevant Provisions of the Law

2.1 This PR takes into account laws which are in force as at the date this PR is published.

2.2 The provisions of the ITA related to this PR are sections 2, 4A, 4B, 7 and 8, paragraphs 4(c) and 6(1)(e), section 15A, subsection 24(8), paragraph 39(1)(j), sections 98, 109B, 109H, subsection 113(2), section 131A, subsection 132(1) and Part V, Schedule 1 of the ITA.

2.3 The relevant subsidiary laws referred to in this PR are:

(a) Income Tax (Exemption) (No. 9) Order 2017 [P.U. (A) 323/2017];

(b) Income Tax (Exemption) (No. 25) Order 1995 [P.U. (A) 322/1995];

(c) Income Tax (Exemption) Order 2007 [P.U. (A) 58/2007]; and

(d) Income Tax (Exemption) (No. 24) Order 2002 [P.U. (A) 210/2002].

3. Interpretation

The words used in this PR have the following meaning:

3.1 "Individual" means a natural person.

3.2 "Director General" means the Director General of Inland Revenue.

3.3 "Person" includes a company, a body of persons, a limited liability partnership and a corporation sole.

3.4 "Resident person" is a person resident in Malaysia for the basis year for a year of assessment as determined under sections 7 and 8 of the ITA.


3.5 "Non-resident person", in relation to the payee, is a person other than a resident person.

3.6 "Double Tax Agreement (DTA) and protocols" means an agreement and its protocols entered into between the governments of two countries to afford relief from double taxation.

3.7 "Special Commissioners" means the Special Commissioners of Income Tax referred to in section 98 of the ITA.

4. Special Classes of Income Chargeable to Tax

The income of a non-resident person from the following special classes of income is chargeable to tax in Malaysia if it is derived from Malaysia:

(a) amounts paid in consideration of services rendered by the non-resident person or his employee in connection with:

(i) the use of property or rights belonging to him; or

(ii) the installation or operation of any plant, machinery or other apparatus purchased from him [paragraph 4A(i) of the ITA];

(b) amounts paid to a non-resident person in consideration of any advice given, or assistance or services rendered, in connection with the management or administration of any scientific, industrial or commercial undertaking, venture, project or scheme [paragraph 4A(ii) of the ITA]; or

(c) rent or other payments made under any agreement or arrangement to a non-resident person for the use of any moveable property [paragraph 4A(iii) of the ITA].

5. Derivation of Special Classes of Income 

5.1 The gross income in respect of the amounts paid under paragraphs 4A(i),

4A(ii) and 4A(iii) of the ITA shall be deemed to be derived from Malaysia if: 

(a) the responsibility for the payment lies with the Government, a State

Government or a local authority; 

(b) the responsibility for the payment lies with a person who is resident in

Malaysia for that basis year; or 

(c) the payment is charged as an outgoing or expense in the accounts of a

business carried on in Malaysia. 


5.2 Pursuant to section 6 of the Finance Act 2017 [Act 785], effective 17.1.2017, income under paragraphs 4A(i) and 4A(ii) of the ITA which is derived from Malaysia is chargeable to tax in Malaysia regardless of whether the services are performed in or outside Malaysia.

However, with effect from 6.9.2017, the Minister of Finance exempts a person not resident in Malaysia from the payment of income tax in respect of income derived from Malaysia in relation to:

(a) services referred to in paragraph 4A(i) of the ITA; or

(b) advice, assistance or services referred to in paragraph 4A(ii) of the ITA

which are performed by the person outside Malaysia.

5.3 Where a contract requires performance of services both within and outside Malaysia, the proportion of the contract value attributable to services performed in Malaysia must be ascertained in a manner that is fair and justifiable. Apportionment of the contract value should be based on the value of the services performed in Malaysia. It is important that the contract value be apportioned on this basis according to the facts of each case, as only the portion of the contract value attributable to services performed in Malaysia is subject to withholding tax under section 109B of the ITA.

Example 1

Syarikat Maju Sdn Bhd, a Malaysian company, signed an agreement with Excel Ltd, a non-resident company, to provide a report addressing the industry structure, market conditions and technology value for the Multimedia Super Corridor Grant Scheme. A consultant from Excel Ltd was in Malaysia for 6 days for preliminary discussion on the project. The total number of days spent on the whole project was 42 days from October to November 2019. The total fees paid for the project was RM20,000. The report was later completed overseas.

The proportion of the project value attributable to the services performed in Malaysia is computed on time cost.

Total fees for the project: RM20,000
Number of days spent on the whole project: 42 days
Number of days spent in Malaysia: 6 days
Time cost in Malaysia: RM2,857.14 (6/42 x 20,000)


The fees of RM2,857.14 are subject to a withholding tax of 10% under section 109B of the ITA.

6. Services Rendered in Connection with the Use or Installation or Operation of Assets [Paragraph 4A(i) of the ITA]

6.1 Paragraph 4A(i) of the ITA consists of amounts paid in consideration of services which are performed in or outside Malaysia, rendered by a non-resident person or his employee, in connection with:

(a) the use of property or rights belonging to the non-resident person; or

(b) the installation or operation of any plant, machinery or other apparatus purchased from him.

It should be noted that any services provided in connection with use of property or rights belonging to the non-resident person that falls under the scope of royalties would fall under the scope of paragraph 4A(i) of the ITA.

6.2 The following are examples of services that generate income falling within the scope of paragraph 4A(i) of the ITA:

(a) Provision of personnel for advisory or supervisory services

Example 2

A Sdn Bhd bought a power plant from B Ltd, a company resident in India, on 1.3.2019. The terms of the purchase include installation of the plant by B Ltd. For this purpose, B Ltd sent two of its engineers to Malaysia to supervise the installation and operation of the plant from 15.4.2019 to 31.5.2019. The fees paid to B Ltd for the services was RM100,000.

The fees paid for services rendered by the employees of B Ltd in connection with the installation of a plant purchased from B Ltd are deemed derived from Malaysia and chargeable to tax under paragraph 4A(i) of the ITA. The gross amount paid to B Ltd is subject to withholding tax under section 109B of the ITA at the rate of 10%.

(b) Installation and commissioning services 


Example 3

Champ Ltd, a company resident in India, sold 3 stainless steel boilers to Doublesteel Sdn Bhd, a steel manufacturer in Malaysia, at a price of RM1 million in March 2017. It was agreed that an additional sum of RM100,000 was payable to Champ Ltd for the installation services and commissioning of the boilers in Malaysia and at the Malaysian company’s branch in the United States of America (USA) in April 2017. Subsequently, in January 2019, Champ Ltd sold an additional steel boiler to Doublesteel Sdn Bhd and was paid RM120,000 for the installation services and commissioning of the boiler in the USA.

(i) The payment of RM100,000 for services rendered in April 2017 by Champ Ltd in connection with the installation and commissioning of the steel boilers in and outside Malaysia is deemed derived from Malaysia and chargeable to tax under paragraph 4A(i) of the ITA. The gross amount paid to Champ Ltd is subject to withholding tax under section 109B of the ITA at the rate of 10%.

(ii) The payment of RM120,000 for services rendered in January 2019 by Champ Ltd in connection with the installation and commissioning of the steel boiler in the USA is deemed derived from Malaysia and chargeable to tax under paragraph 4A(i) of the ITA. However, effective 6.9.2017, the payment for the installation and commissioning is exempted from income tax as the services are rendered and performed by Champ Ltd outside Malaysia.


BNM RMIT 2023 Part 13

Appendix 10: Key Risks and Control Measures for Cloud Services (continued)

  8. Cryptographic key management
    (a) A financial institution should implement appropriate and relevant encryption techniques to protect the confidentiality and integrity of sensitive data stored on the cloud.
    (b) A financial institution should ensure its policies and procedures on cryptography are extended to cover cloud services where relevant, to promote the adoption of strong cryptographic controls.
    (c) Where appropriate and feasible, financial institutions should retain ownership and control of the encryption keys (themselves or with an independent key custodian), independent from the cloud service provider, to minimize the risk of unauthorised access to the data hosted on the cloud.
    (d) As cloud adoption increases, managing the many encryption keys used for protecting data has become more complex and may introduce new challenges for financial institutions. A financial institution should adopt a comprehensive and centralised approach to key management, including the use of a centralised key management system that can handle generation, storage and distribution of keys in a secure and scalable manner.
  9. Access Controls
    (a) The management plane is a key security difference between traditional infrastructure and cloud computing, where remote access is supported by default. This access layer could be prone to cyber-attacks, thereby compromising the integrity of the entire cloud deployment. In view of this, financial institutions should ensure the use of strong controls for accessing the management plane, which may include the following:
    i) allocate dedicated and effectively hardened endpoints and up-to-date patching of software to access the management plane;
    ii) implement “least privilege” and strong multi-factor authentication (MFA), e.g., strong password, soft token, privileged access management tool and maker-checker functions;
    iii) employ granular entitlement allocation for privileged users;
    iv) conduct continuous monitoring of the activities performed by privileged users; and
    v) ensure secure communication protocols are in place for accessing the management plane, e.g., secure end-to-end communication channels, whitelisting of IP addresses, etc.
    (b) A financial institution should extend its user access matrix to cover user access rights for both the financial institution and its cloud service providers where relevant for the ongoing access to cloud services.
    (c) A financial institution should ensure its tenant access controls to all hypervisor management functions or administrative consoles for systems hosting virtualized systems are effectively implemented in accordance with the requirements and guidance under the Access Control section (paragraphs 10.52 to 10.60) of this policy document. These controls should mitigate the risk of any unauthorised access to the hypervisor management functions and virtual machines.
    (d) Point-to-point connections with cloud services may proliferate with the ease of cloud adoption, resulting in fragmentation of identity and access management and the risk of unsanctioned data being migrated to the cloud. In view of this, rigorous planning is recommended for the design of identity and access management as it is inherently complex. Financial institutions are encouraged to:
    i) where appropriate and commensurate with the size and complexity of the cloud adoption, implement a federated29 approach for identity and access management to mitigate the risks of identities in cloud services being disjointed from the internal identities and of unauthorised access, and to ease user access management; and
    ii) consider additional attributes in context-aware decisions for identity and access management, such as pattern of access, to further mitigate the risks associated with remote access.
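The management-plane controls listed under (a) above combine naturally into one deny-by-default access decision. The following is an added example and not part of the BNM policy document: the allowlisted networks, the role-to-action entitlement map, the maker-checker action set and the sample requests are all constructed assumptions, and the audit record stands in for whatever the institution's SIEM ingests for continuous monitoring of privileged users.

```python
"""Deny-by-default access decision for a cloud management-plane request.

Added example, not from the policy document: it models the controls in
Access Controls (a) (hardened endpoint, MFA, least privilege, IP
allowlisting, maker-checker) as one evaluation and emits an audit record
for continuous monitoring of privileged users. All networks, roles,
actions and requests are constructed assumptions.
"""
from dataclasses import dataclass, field, asdict
from typing import List, Optional
import ipaddress
import json

# Constructed: source networks permitted to reach the management plane.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed least-privilege entitlement map: role -> permitted actions.
ENTITLEMENTS = {
    "cloud-readonly": {"describe-instances", "read-logs"},
    "cloud-operator": {"describe-instances", "read-logs", "restart-instance"},
    "cloud-admin": {"describe-instances", "read-logs", "restart-instance",
                    "modify-security-group", "create-iam-policy"},
}

# Constructed: actions that need a second approver (maker-checker) even when entitled.
MAKER_CHECKER_ACTIONS = {"modify-security-group", "create-iam-policy"}


@dataclass
class Request:
    user: str
    role: str
    action: str
    source_ip: str
    mfa_verified: bool
    hardened_endpoint: bool          # attested managed, patched admin workstation
    approver: Optional[str] = None   # second person for maker-checker actions


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Every control must pass; any failure denies and is recorded as a reason."""
    reasons = []
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append("source IP not in allowlist")
    if not req.hardened_endpoint:
        reasons.append("endpoint is not a hardened admin workstation")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    permitted = ENTITLEMENTS.get(req.role, set())   # unknown role -> no entitlements
    if req.action not in permitted:
        reasons.append(f"role {req.role!r} is not entitled to {req.action!r}")
    if req.action in MAKER_CHECKER_ACTIONS and (not req.approver or req.approver == req.user):
        reasons.append("maker-checker approval missing or self-approved")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_record(req: Request, decision: Decision) -> str:
    """One JSON line per attempt, allowed or denied, for the SIEM."""
    record = {"event": "management_plane_access", **asdict(req), **asdict(decision)}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    sample = Request("alice", "cloud-operator", "restart-instance",
                     "203.0.113.10", mfa_verified=True, hardened_endpoint=True)
    print(audit_record(sample, evaluate(sample)))
```

Every failed control is listed rather than short-circuiting on the first one, so the audit record shows the full picture of a denied attempt; an unknown role has no entitlements at all, which is what deny-by-default means in practice.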

  10. Cybersecurity Operations
    (a) A financial institution should ensure the governance and management of cybersecurity operations is extended to cover cloud services, with appropriate control measures to prevent, detect, and respond to cyber incidents in the cloud environment to maintain the overall security posture of the institution.
    (b) The interconnected cloud service supply chain could become a source of cyber risk. A financial institution should ensure integrated monitoring and full visibility of cloud services are established. This should include the following:
    i) continuous monitoring of system communications between the cloud service provider, on-premise IT systems and other service providers to ensure the security perimeter is not breached; and
    ii) ensuring that third party service providers, including those providing ancillary functions, have adequate capabilities to monitor, detect and respond to anomalous activities, with timely communication to the financial institution of relevant cyber incidents.

    (c) A financial institution should understand the segregation of responsibility in security management, which varies across the cloud service models. A financial institution should manage the sources of vulnerabilities appropriately, including by:
    i) proactively seeking assurance from their cloud service providers that they conduct periodic VAPT on the cloud infrastructure to ensure tenant isolation and the overall security posture remain healthy; and
    ii) understanding the cloud service provider’s VAPT policy for the financial institution on cloud infrastructure for the IaaS model, given the varying degree of the financial institution’s access to the cloud environment, and establishing a VAPT arrangement with cloud service providers upfront which is commensurate with the complexity of the cloud environment.

29 Federated approach for identity and access management is a process / arrangement between multiple systems or enterprises that enables users to use the same identification data to access all related networks.

  11. Distributed Denial of Service (DDoS)
    (a) A financial institution should ensure that its DDoS mitigation service is commensurate with the size and complexity of the cloud adoption.
    (b) The risk of a single point of failure (SPOF) may surface when a financial institution relies solely on a cloud-based solution to mitigate DDoS attacks. As such, a financial institution is encouraged to engage alternative DDoS mitigation providers or establish circuit breakers to avoid service disruption when the main DDoS mitigation provider is disrupted.
  12. Data Loss Prevention (DLP)
    (a) A financial institution should protect the data hosted in cloud services as required under the Data Loss Prevention section (paragraphs 11.14 to 11.16) of this policy document, including the expansion of the endpoint footprint if the financial institution allows its staff to use their own devices to access the sensitive data.
    (b) As it becomes increasingly easy to distribute digital content to customers via cloud services, a financial institution should adopt the appropriate digital rights management mechanism to preserve the confidentiality of its proprietary and customer information.
  13. Security Operations Centre (SOC)
    (a) A financial institution should understand the scope of cloud service providers’ responsibility for cybersecurity monitoring and adapt its SOC strategy and processes to ensure proactive and holistic monitoring of its cybersecurity posture. This adaptation should include the ability to effectively improve cybersecurity telemetry and analysis to detect and respond to cyber threats.
    (b) Where applicable, the responsibilities of cloud service providers with respect to SOC operations should be formalised in the agreement or arrangement between the financial institution and the cloud service providers, including the retention period required for relevant logs needed for forensic purposes and the right of the financial institution to access the logs for quick restoration as and when needed, in accordance with the requirements and guidance under the Access Control section (paragraphs 10.52 to 10.60) and Security of Digital Services section (paragraphs 10.64 to 10.80) of this policy document.

  14. Cyber response and recovery
    (a) A financial institution should enhance existing cyber crisis management policies and procedures to remain in a state of readiness to respond to cyber threats in a cloud environment.
    (b) A financial institution should extend its Cyber Incident Response Plan (CIRP) to include adverse scenarios that may affect cloud services and establish clear roles and responsibilities between the financial institution and cloud service providers for incident response and remediation. The incident escalation process and turnaround time should be established with cloud service providers and periodically reviewed, to achieve an effective incident response.
    (c) A financial institution should consider the following additional measures in the development of its CIRP:
    i) enhance its ability to detect security breach incidents to achieve effective incident management, including the ability to detect data leakage on the dark web;
    ii) provide adequate assistance to customers in the event of a security breach, in view that the complexity of cloud arrangements and sophistication of cyber-attacks often exceed the response range reasonably expected of customers; and
    iii) ensure the CIRP is ready to manage cross-border incidents where the data resides in a foreign jurisdiction.
    (d) A financial institution should ensure that relevant Cyber Emergency Response Team (CERT) members are conversant with the CIRP covering cloud services to effectively activate the CIRP when incidents occur.
    (e) A financial institution should extend its existing incident reporting requirements to include cloud services.
    (f) A financial institution should enter into agreements or arrangements with its cloud service providers to conduct integrated business continuity testing and cyber drills in accordance with the requirement on testing of the disaster recovery plan in paragraphs 9.48 and 9.50 of the Bank’s policy document on Business Continuity Management (BCM) and paragraphs 11.22 to 11.27 relating to cyber response and recovery under this policy document, to test the effectiveness of the financial institution’s CIRP and recovery plan.
    (g) A financial institution should review its loss provision arrangements to ensure their adequacy to cover cyber incidents based on its scenario analysis of extreme adverse events. Where cyber insurance is adopted to mitigate the impact of cyber incidents, the financial institution should:
    i) understand the cyber insurance policy scope to ensure it adequately covers the information security events and liability types identified;
    ii) understand the insurance policy or takaful certificate’s terms and conditions, such as the accuracy of the financial institution’s attestation on its cyber risk management capability and its on-going responsibility in information security management, to ensure any changes to the IT services and associated control measures do not result in unintended exclusions from the insurance policy or takaful certificate; and
    iii) continue to strengthen cloud risk management to mitigate the likelihood of cyber incidents materialising.


BNM RMIT 2023 Part 12

Appendix 10: Key Risks and Control Measures for Cloud Services (continued)

Part B: Cloud Design and Control
A financial institution should design its adoption of cloud services with a degree of
portability, scalability and fault tolerance that is proportionate to the materiality of the
cloud service to its business operation. It should also ensure robust operational
controls are in place to manage its ongoing cloud operations.

  1. Cloud architecture
    (a) A financial institution should design a robust cloud architecture and ensure such design is in accordance with the relevant international standards for the intended application.
    (b) A financial institution is encouraged to adopt zero-trust principles23 to provide a cyber resilient architecture by adopting an “assume breach” mindset, layering defense-in-depth through micro-segmentation, “deny-by-default”, “least privilege” access rights, and conducting deep inspection and continuous validation where applicable.
    (c) A financial institution should use the latest network architecture approach and appropriate network design concepts and solutions for managing and monitoring granular network security and centralized network provision in managing the complexity of the cloud network environment.
    (d) A financial institution should establish and utilise secure and encrypted communication channels for migrating physical servers, applications, or data to the cloud platforms.
    (e) For financial institutions leveraging on their financial group’s cloud infrastructure, the financial institutions should consider an appropriate level of network segregation (e.g., logical tenant isolation in the shared environment of the cloud) to mitigate the risk of cyber-attacks propagating cross-border or cross-entity and affecting the Malaysian financial institution’s operations.
    (f) The increasing use of application programming interfaces (API) by financial institutions to interconnect with external application service providers could achieve efficiency in new service delivery. However, this may increase the cyber-attack surface and any mismanagement may amplify the impact of an information security incident. A financial institution should ensure its APIs are subject to rigorous management and control mechanisms, which include the following:
    i) APIs should be designed for service resilience to avoid the risk of single points of failure and configured securely with appropriate access controls; and
    ii) APIs should be tracked and monitored against cyber-attacks with adequate incident response measures and de-commissioned on a timely basis when no longer in use.

23 Zero-trust principles is a security paradigm designed to prevent data breaches and limit internal lateral movement of threat actors by requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and validated before being granted access.

  2. Cloud application delivery models
    (a) Cloud application delivery models may evolve to support faster time-to-market in response to consumer demand. Currently, DevOps and Continuous Integration / Continuous Development (CI/CD)24 are amongst the prevailing practices and processes for cloud application delivery. For instance, the ability to enforce segregation of duties for CI/CD where application developers may require access to the management plane for service configuration. A financial institution should ensure CI/CD pipelines are configured properly to enhance the security of automated deployments and immutable infrastructure.
    (b) A financial institution should continuously leverage enhanced cloud capabilities to improve the security of the cloud services and financial institutions are, among others, encouraged to:
    i) adopt industry best practices such as infrastructure-as-code (IaC)26 to automate the provisioning of IT infrastructure in a consistent, scalable and secure manner; and
    ii) use immutable infrastructure practices for deployment of services to reduce the risk of failure by creating a new environment with the latest stable version of the software. The on-going monitoring of the cloud environment should include automating the detection of changes to immutable infrastructure to improve compliance review and combat evolving cyber-attacks.
    (c) Where relevant, a financial institution should implement appropriate controls on the IaC process to minimise the risk of misconfiguration and reduce the cyber-attack surface. This includes the following measures that should be taken by the financial institution:
    i) conduct vulnerability scanning as part of IaC automation steps and ensure issues are remediated prior to the provisioning of IT infrastructure;
    ii) ensure virtual machine images (VMI) or container images of IaC templates are trusted and digitally signed; and
    iii) implement appropriate access control to prevent unauthorized changes to IaC templates.
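The three IaC measures in (c) above translate into a gate that runs before anything is provisioned. The following is an added example, not code from the BNM document or from any IaC tool: the trusted registry name, the signing key, the image digests, the scan findings and the template are all constructed, and an HMAC over the digest stands in for the digital signature a real pipeline would verify with the signer's public key.

```python
"""Pre-provisioning gate for images referenced by an IaC template.

Added example, not from the policy document. For every image in a
(constructed) template it checks that the reference is pinned by digest,
that the registry is trusted, that the digest carries a valid signature,
and that the latest vulnerability scan has no unremediated finding at a
blocking severity. An HMAC over the digest stands in for a real digital
signature (an asymmetric signature verified with the signer's public key);
keys, registries, digests and scan results are all constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

TRUSTED_REGISTRIES = {"registry.example.internal"}     # constructed
SIGNING_KEY = b"constructed-image-signing-key"          # stand-in for a keypair
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_signature(digest: str, signature: str, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_digest(digest, key), signature)


def parse_image_ref(ref: str) -> Tuple[str, Optional[str]]:
    """Return (registry, digest); digest is None for mutable tag references."""
    registry = ref.split("/", 1)[0]
    if "@sha256:" in ref:
        return registry, ref.split("@", 1)[1]
    return registry, None


def check_image(ref: str, signatures: Dict[str, str], scans: Dict[str, list]) -> List[str]:
    """Return every reason this image must not be provisioned (empty = clean)."""
    problems = []
    registry, digest = parse_image_ref(ref)
    if registry not in TRUSTED_REGISTRIES:
        problems.append(f"{ref}: registry {registry!r} is not trusted")
    if digest is None:
        problems.append(f"{ref}: not pinned by digest (mutable tag)")
        return problems                      # remaining checks need a digest
    sig = signatures.get(digest)
    if sig is None or not verify_signature(digest, sig):
        problems.append(f"{ref}: missing or invalid signature")
    if digest not in scans:
        problems.append(f"{ref}: no vulnerability scan on record")
    else:
        open_findings = [f["id"] for f in scans[digest]
                         if f["severity"] in BLOCKING_SEVERITIES and not f["remediated"]]
        if open_findings:
            problems.append(f"{ref}: unremediated findings {open_findings}")
    return problems


def gate(template: dict, signatures: Dict[str, str], scans: Dict[str, list]) -> List[str]:
    """Empty list means provisioning may proceed."""
    problems = []
    for resource in template["resources"]:
        problems.extend(check_image(resource["image"], signatures, scans))
    return problems


def fake_digest(label: str) -> str:
    """Constructed stand-in for a digest the registry would report."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


# Constructed sample data: one clean image, one with an open CRITICAL, one untrusted tag.
GOOD = fake_digest("constructed image: hardened base")
VULN = fake_digest("constructed image: unpatched build")
SIGNATURES = {GOOD: sign_digest(GOOD), VULN: sign_digest(VULN)}
SCANS = {
    GOOD: [{"id": "FINDING-1", "severity": "HIGH", "remediated": True}],
    VULN: [{"id": "FINDING-2", "severity": "CRITICAL", "remediated": False}],
}
TEMPLATE = {"resources": [
    {"name": "web", "image": f"registry.example.internal/app/web@{GOOD}"},
    {"name": "worker", "image": f"registry.example.internal/app/worker@{VULN}"},
    {"name": "cache", "image": "docker.io/library/redis:latest"},
]}

if __name__ == "__main__":
    for problem in gate(TEMPLATE, SIGNATURES, SCANS):
        print(problem)
```

The gate reports all problems for the whole template rather than stopping at the first, so a single pipeline run tells the template owner everything that needs fixing; an image that is pinned, signed and scanned clean passes, while a mutable tag fails before any signature or scan lookup is attempted.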

24 CI/CD is a set of methods that enables developers to deliver code changes more frequently using automation.
25 Immutable infrastructure is an approach to managing and deploying infrastructure where components, such as virtual servers and networks, are created once and then never modified. If a new version of a service or application requires changes to the underlying infrastructure components, new instances of those components are created and the old instances are replaced.
26 The process of managing and provisioning an organization’s IT infrastructure using machine-readable configuration files, rather than employing physical hardware configuration or interactive configuration tools.

  • NIST Special Publication 800-172, U.S. Department of Commerce, February 2020

  3. Virtualization and containerization management
    The guidance provided in this paragraph is applicable to financial institutions which use or plan to use PaaS and IaaS cloud service models only.
    (a) A financial institution should ensure virtualization services are configured in line with the prevailing guidance from the cloud service providers and industry best practices, commensurate with the evolution of cloud computing technologies.
    (b) A financial institution should ensure virtual machine and container images are configured, hardened, and monitored appropriately. This includes the following:
    i) use stable images and keep images up to date;
    ii) store and use images from trusted repositories or registries;
    iii) scan images for vulnerabilities and remediate any vulnerabilities prior to running in production;
    iv) enforce “least privilege” access;
    v) harden images based on industry best practices; and
    vi) ensure stored images are subject to security monitoring for unauthorised access and changes.
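Item vi) above, and the automated detection of changes to immutable infrastructure called for under cloud application delivery models, both reduce to comparing a signed-off baseline of image digests against what the registry currently reports. The following is an added example, not code from the BNM document: the image names, digests and change records are constructed, and the "approved" map stands in for whatever the institution's change management system records for an authorised release.

```python
"""Change detection for an immutable image store (added example, not BNM's).

A signed-off baseline of image digests (image name -> digest) is compared
against a fresh listing from the registry. Every added, removed or modified
image is drift; drift that matches an approved change record exactly is
reported as expected, anything else is raised for the SOC. Names, digests
and change records below are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def fake_digest(label: str) -> str:
    """Constructed stand-in for a digest the registry would report."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


def short(digest: Optional[str]) -> str:
    return "-" if digest is None else digest[:19]


def detect_drift(baseline: Dict[str, str], current: Dict[str, str],
                 approved: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Return (alerts, expected).

    approved maps an image name to the digest a change record authorised
    (None means an authorised removal). A change counts as expected only when
    the observed state matches that record exactly; anything else is alerted.
    """
    alerts, expected = [], []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before == after:
            continue                                  # unchanged
        kind = "removed" if after is None else "added" if before is None else "modified"
        line = f"{kind}: {name} baseline={short(before)} current={short(after)}"
        if name in approved and approved[name] == after:
            expected.append(line)
        else:
            alerts.append(line)
    return alerts, expected


# Constructed baseline, current registry listing and change records.
BASELINE = {
    "app/web": fake_digest("web build 41"),
    "app/worker": fake_digest("worker build 17"),
    "base/os": fake_digest("hardened os 2023-05"),
}
CURRENT = {
    "app/web": fake_digest("web build 42"),            # approved release
    "app/worker": BASELINE["app/worker"],              # unchanged
    "base/os": fake_digest("os rebuilt out of band"),  # no change record
    "tools/debug": fake_digest("debug image"),         # pushed without approval
}
APPROVED = {"app/web": fake_digest("web build 42")}

if __name__ == "__main__":
    alerts, expected = detect_drift(BASELINE, CURRENT, APPROVED)
    for line in alerts:
        print("ALERT   ", line)
    for line in expected:
        print("expected", line)
```

Matching on the exact approved digest, not merely on the image name, is the point: a change record that authorised build 42 does not excuse a different digest turning up under the same name.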

  4. Change management
    (a) A financial institution should establish a process to systematically assess and take appropriate action to manage the impact of releases by cloud service providers in relation to existing infrastructure, network, upstream and downstream systems, to minimize the impact of any service disruption.
    (b) A financial institution should ensure its existing change management process is extended to cover cloud services where appropriate to promote effective and secure system development. The escalation process and approving authority should be clearly defined to ensure critical changes can be implemented and the risk of service disruptions is mitigated promptly.
    (c) All critical changes deployed to the production environment should also be applied in a timely manner across environments such as the disaster recovery site or supported cloud regions and availability zones where appropriate.
  5. Cloud backup and recovery
    (a) As part of an effective recovery capability, financial institutions should ensure existing backup and recovery procedures are extended to cover cloud services, which includes the following:
    i) define and formalise the backup and recovery strategy at the planning stage of cloud adoption;
    ii) conduct periodic reviews of the cloud service providers’ restoration and recovery capabilities; and
    iii) conduct testing of the recovery strategy prior to deployment of the system.
    (b) A financial institution should ensure backup and restoration procedures are periodically tested to validate recovery capabilities. The frequency of backup procedures should be commensurate with the criticality of the system and the recovery point objective (RPO) of the system. Remedial actions should be taken promptly by the financial institution for unsuccessful backups.
    (c) A financial institution should ensure sufficient backup and recovery of virtual machines and containers, including backup of configuration settings (for IaaS and PaaS, where relevant), which includes the following:
    i) ensure the capability to restore a virtual machine and container at a point-in-time27 as per the business recovery objectives; and
    ii) make virtual machine and container images available in a way that would allow the financial institutions to replicate those images at alternate sites or recovery sites28.
    (d) A financial institution should assess the resilience requirements of the cloud services and identify appropriate measures that are commensurate with the criticality of the system, to ensure service availability in extreme adverse scenarios. Financial institutions should consider a risk-based approach and progressively adopt appropriate mitigating controls to ensure service availability and mitigate concentration risk. Amongst the viable options are:
    i) leverage cloud services’ high availability and redundancy features to ensure production data centres have redundant capacity in different availability zones;
    ii) achieve geographical redundancy by having data centres in different geographical regions;
    iii) adopt hybrid cloud (combination of on-premises and public cloud setup);
    iv) establish back-up cloud service providers and identify appropriate arrangements for porting of data and applications to ensure timely service resumption; and
    v) adopt a multi-cloud strategy, with the use of services from different cloud service providers to mitigate concentration risks and geopolitical risks.

  6. Interoperability and Portability
    Interoperability standards for cloud services continue to evolve such that porting data, related configuration and security logging across different cloud service providers may be challenging. To facilitate the smooth process of interoperability and portability between on-premise IT systems or alternate cloud service providers, financial institutions are encouraged to:
    (a) assess technical requirements for interoperability and portability prior to entering into an agreement or arrangement with the cloud service providers to avoid vendor lock-in;
    (b) maintain a list of third party service providers and tools that are needed to facilitate a smooth transition;
    (c) ensure usage of standardized network and communication protocols for ease of interoperability and portability with on-premise IT systems or alternate cloud platforms;
    (d) ensure the use of common electronic data formats, where applicable, to ease the movement of data between cloud service providers or to on-premises IT systems; and
    (e) extend patch and EOL management to ensure technology solutions employed remain effective and protected against system vulnerabilities.

27 Point-in-time refers to the ability to preserve and retrieve the state of a virtual machine or system at a specific moment.
28 The alternate sites and recovery sites could either be in-house arrangements, or available through agreement with a third-party recovery facility provider, or a combination of both options.

  7. Exit strategy
    (a) A financial institution should establish a robust cloud exit strategy as part of its cloud risk management framework to prepare for extreme adverse events such as the unplanned failure or termination of cloud service providers. The exit strategy should:
    i) be developed during the cloud deployment planning phase rather than on an ex-post basis;
    ii) identify alternative cloud service providers (multi-cloud approach) or third-party solutions, or other such means to ensure no disruption of business recovery objectives or vendor lock-in;
    iii) be properly documented, including details on the various exit trigger scenarios, roles and responsibilities, and sufficient resources to manage exit plans and the transition activities; and
    iv) be updated in a timely manner to reflect any material developments.
    (b) A financial institution’s exit strategy should be supported by an appropriate and proportionate exit plan that establishes the operational arrangements to facilitate an orderly exit from an agreement or arrangement with cloud service providers, including the following:
    i) conduct an impact assessment to determine potential costs, resources, and timing implications of transferring cloud services to alternative cloud service providers or relying on the in-house arrangement at the financial institution;
    ii) identify appropriate methods to port data and applications to an alternative arrangement;
    iii) obtain written confirmation or attestation from the cloud service providers or independent external service providers that all sensitive data has been securely deleted from the cloud service provider’s system upon completion of the exit process; and
    iv) conduct testing to validate the effectiveness of the exit plan, to obtain a reasonable degree of assurance of its effectiveness.


BNM RMIT 2023 Part 11

Issued on: 1 June 2023

Appendix 10: Key Risks and Control Measures for Cloud Services
This appendix provides additional guidance to financial institutions for the assessment of common key risks and considerations of control measures when financial institutions adopt public cloud for critical systems. The guidance is broadly applicable across various cloud service models and financial institutions should apply a risk-based approach in implementing the guidance.
The guidance consists of two (2) parts:

  • Part A: Cloud governance – describes the considerations governing the cloud
    usage policy, and technology skills capacity to implement cloud services securely and effectively.
  • Part B: Cloud design and control – describes the considerations related to
    designing robust cloud infrastructure and in operationalising the cloud
    environment. This places emphasis on cloud architecture, cloud application delivery model, high velocity software development, user access management,
    data protection, key management , cloud backup and recovery, business
    continuity management and cybersecurity management.

Part A: Cloud Governance
A financial institution should ensure robust cloud governance processes are established prior to cloud adoption and are subject to on-going review and continuous improvement. This should cover the following areas:

  1. Cloud risk management
    (a) The board of a financial institution should promote and implement sound
    governance principles throughout the cloud service lifecycle in line with the
    financial institution’s risk appetite to ensure safety and soundness of the
    financial institution.
    (b) The senior management of a financial institution should develop and implement
    a cloud risk management framework that integrates with the existing outsourcing
    risk management framework, technology risk management framework (TRMF)
    and cyber resilience framework (CRF), for the board’s approval, proportionate
    to the materiality of cloud adoption in its business strategy, to assist in the identification, monitoring and mitigation of risks arising from cloud adoption.
    (c) Common cloud service models [22] are Software-as-a-Service (SaaS), Platform-
    as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), wherein each
    presents a different set of capabilities offered to the financial institution as the
    cloud consumer, and hence a different set of shared responsibilities. In view of
    this, the cloud risk management framework of the financial institution should:
    i) be an integral part of the financial institution’s enterprise risk management
    framework (ERM);
    ii) be tailored to the cloud service models, both currently in use or being
    considered for use; and
    iii) specify the scope of the financial institution’s responsibility under each
    shared responsibility model, as the associated risks may vary.

    [22] Cloud service models consist of SaaS, PaaS and IaaS. For SaaS, financial institutions, as
    consumers, use the cloud service provider’s applications running on a cloud infrastructure. PaaS is a
    service model where financial institutions deploy applications onto cloud infrastructure using the
    platform capabilities, e.g. programming languages, libraries, services and tools supported by the cloud
    service provider. IaaS is a service model where the cloud service provider offers fundamental computing
    resources such as compute, network, or storage, on which financial institutions can deploy applications and operating systems.

    (d) A financial institution is responsible for the protection of data stored in the cloud
    irrespective of the cloud service model and the cloud service provider. Therefore,
    the financial institution’s understanding of the specific details of the cloud
    arrangement, particularly what is or is not specified in the terms of the contract
    with the cloud service providers, is essential.
    (e) Regardless of the cloud arrangement with cloud service providers, the onus
    remains on the financial institution to satisfy the Bank that it is protecting
    customer information and ensuring service reliability.
    (f) The use of cloud services may represent a paradigm shift in technology operation management as compared to on-premises IT infrastructure.
    Business processes may change and internal controls on compliance, business continuity, information and data security may be overlooked due to
    the ease of subscribing to cloud services. Therefore, the cloud risk management framework should also clearly articulate the accountability of the financial institution’s board and senior management and the process involved in approving and managing cloud service usage, including the responsibility of
    key functions across the enterprise in business, IT, finance, legal, compliance and audit, over the lifecycle of cloud service adoption.
    (g) As the cloud landscape rapidly evolves, a financial institution’s cloud risk management framework should undergo periodic review (at least once every
    three years, to ensure its adequacy and effectiveness in managing new service models over time), or immediately upon any major cyber security incident
    involving the cloud services.

  2. Cloud usage policy
    (a) The financial institution’s senior management should develop and implement
    internal policies and procedures that articulate the criteria for permitting or prohibiting the hosting of information assets on cloud services, commensurate with the level of criticality of the information asset and the capabilities of the
    financial institution to effectively manage the risks associated with the cloud arrangement.
    (b) A financial institution should expand the scope of its current technology assets
    inventory to include critical systems hosted on cloud services, with a clear
    assignment of ownership, and to be updated upon deployment and changes of
    IT assets to facilitate timely recalibration of cybersecurity posture in tandem
    with an evolving threat landscape. Having visibility on the latest view of the
    technology assets would enable effective triaging, escalation and response to
    information security incidents.
    (c) A financial institution should regularly review and update the cloud usage policy
    at least once every three years. However, where any material changes arise,
    including but not limited to adoption of a new cloud service deployment model,
    or adoption of cloud services for IT systems with a higher degree of criticality, the
    financial institution should review and update its cloud usage policy
    immediately.

  3. Due diligence
    Due diligence on the prospective cloud service providers should be risk-based and
    conducted to a level of scrutiny that is commensurate with the criticality of the
    information and technology assets to be hosted on the cloud in compliance with
    relevant requirements and guidance as stipulated in the Third Party Service Provider
    Management section (paragraphs 10.41 to 10.48) of this policy document and
    paragraphs 9, 10 and 11 in the Bank’s Outsourcing policy document (Outsourcing
    process and management of risks, Outsourcing outside Malaysia, Outsourcing
    involving cloud services).
  4. Access to cloud service providers’ certifications
    A financial institution should review its cloud service providers’ certifications prior to
    entering into any cloud arrangement or contract with such cloud service providers. At
    a minimum, a financial institution should:
    (a) Seek assurance that the cloud service provider continues to be compliant with
    relevant legal or regulatory requirements as well as contractual obligations and
    assess the cloud service provider’s action plans for mitigating any non-
    compliance; and
    (b) Obtain and refer to credible independent external party reports of the cloud
    platforms when conducting risk assessments. The financial institution’s risk
    assessment should address all the requirements and guidance as stipulated in
    the Cloud Services section (paragraphs 10.49 to 10.51) of this policy document
    and paragraph 11 of the Bank’s policy document on Outsourcing which sets out
    provisions on outsourcing involving cloud services.
  5. Contract management
    A financial institution should set out clearly and, where relevant, measurable,
    contractually agreed terms and parameters on the information security and operational
    standards expected of the cloud service providers. Such contract terms and
    parameters should be aligned with the financial institution’s business strategy,
    information security policies and regulatory requirements.
    (a) The terms of the contracts between the financial institution and cloud service
    providers should address the risks associated with cloud services and third
    party service providers as stipulated in the Cloud Services section (paragraphs
    10.49 to 10.51) of this policy document and related paragraphs in the Bank’s
    Outsourcing policy document (Outsourcing agreement – paragraphs 9.6 and
    9.7, and Protection of data confidentiality – paragraphs 9.8 and 9.9);
    (b) Jurisdiction risk may arise because cloud service providers operate regionally
    or globally and may be subject to the laws and regulatory requirements
    of their home country, the location of incorporation, and the country where the
    client receives the service. Therefore, a financial institution should:
    i) identify and address potential jurisdiction risks by adopting appropriate
    mitigating measures, where practically possible, to ensure the use of cloud
    services does not impair its ability to comply with local law and regulatory
    requirements; and
    ii) understand the scope of local customer protection legislation and
    regulatory requirements as well as ensure that the financial institution receives adequate protection and recourse for the benefit of its customers,
    in the event of a data breach or fulfilment of a legal data request by the
    cloud service provider;
    (c) A financial institution should assess the potential impact and formalise
    arrangements with cloud service providers to comply with local laws and
    regulatory requirements for incident investigation and law enforcement purposes. This would include adhering to data retention requirements and data access procedural arrangements to ensure the confidentiality and privacy of the customers are protected; and
    (d) The provision of cloud services by the primary cloud service provider may
    interconnect with multiple layers of other fourth party service providers (such as
    sub-contractors), which could change rapidly. For example, customer data
    could be leaked due to exposure caused by fourth party service providers. To
    mitigate the risks associated with such fourth party service providers, financial
    institutions should:
    i) understand the scope of customer information shared across the supply chain and ensure that relevant information security controls can be legally
    enforced by the financial institution; and
    ii) ensure Service Level Agreement (SLA) negotiations and contractual
    terms cover the performance matrix, availability, and reliability of services
    in order to ensure that the cloud service providers agree and are formally
    aligned on the requirements and standard of cloud services provided. In
    addition, cloud service providers should be accountable to the financial
    institution for the SLA, performance matrix, availability and reliability of
    cloud services rendered by their service providers (i.e. subcontractors).

  6. Oversight over cloud service providers
    A financial institution should ensure effective oversight over cloud service providers,
    taking into account the fact that the cloud service providers may engage sub-
    contractor(s) to provide cloud services. This includes, at a minimum, the following:
    (a) establish and define a continuous monitoring mechanism with alignment to the
    enterprise outsourcing risk management framework (or equivalent) to ensure
    adherence to the agreed SLA, compliance of the cloud service provider with
    any applicable legal and regulatory requirements and resilience of outsourced
    technology services on an ongoing basis;
    (b) identify, assign and document the key responsibilities within the financial
    institution for continuous monitoring of cloud service providers to ensure
    accountabilities are clearly defined;
    (c) perform assessments of the outsourcing arrangement involving cloud service
    providers periodically in accordance with the financial institution’s internal policy
    to achieve business resilience with emphasis on data security and ensure prompt notification to the Bank of developments that may result in material
    impact to the financial institution (such as jurisdiction risks for data hosted
    overseas due to evolving foreign legislation and geopolitical developments) in
    line with the Bank’s policy document on Outsourcing (Outsourcing PD), in
    particular, provisions relating to outsourcing of cloud services outside Malaysia
    including paragraphs 9, 10 and 11 of the Outsourcing PD; and
    (d) promptly review or re-perform risk assessment upon any material changes in
    cloud risk profile such as jurisdiction risks for data hosted overseas due to
    evolving foreign legislation and geopolitical developments.
  7. Skilled personnel with knowledge on cloud services
    (a) The adoption of cloud services requires commensurate changes to the financial
    institution’s internal resources and process capabilities. In this regard, a
    financial institution should:
    i) equip its board and senior management with appropriate knowledge to conduct effective oversight over the cloud adoption; and
    ii) ensure its IT and security operations or relevant personnel are
    appropriately skilled in the areas of cloud design, migration and security
    configuration, including administration, monitoring and incident
    response;
    (b) The effective management of cloud services is not purely the responsibility of
    the financial institution’s IT function. Therefore, a financial institution should
    ensure relevant internal resources in business operations, finance, procurement, legal, risk and compliance are also adequately skilled and
    engaged to manage the change in risk profile arising from cloud adoption. This
    should also enable financial institutions to respond effectively to operational
    incidents;
    (c) A financial institution should equip internal audit and personnel undertaking the
    risk management and compliance functions with relevant cloud computing and
    cloud security skills to be able to verify the effectiveness of the information security controls in alignment with the financial institution’s cloud usage policy and information security objectives;
    (d) A financial institution should ensure that its staff receive adequate training to
    understand their responsibilities in complying with internal cloud usage policies
    and are prepared to effectively respond to a range of security incident scenarios developed on a risk-based approach; and
    (e) A financial institution should expand the scope of the formal consequence
    management process to govern the use of cloud services to ensure the cloud
    usage policy is effectively enforced given that cyber hygiene is critical to ensure

BNM RMIT 2023 Part 10

Appendix 8 Format of Confirmation

Name of Financial Institution: ……………………………………………………………
As Chairman of the board of directors / designated board-level committee / CISO /
designated senior management officer* of [name of Financial Institution], I confirm that –

  1. cloud service / e-banking / Internet insurance / Internet takaful* is consistent
    with the bank’s / insurer’s / takaful operator’s* strategic and business plans;
  2. the board of directors / senior management* understand and are ready to assume the roles and responsibilities stated in Bank Negara Malaysia’s policy document on Risk Management in Technology and are also apprised of all relevant provisions in the FSA, IFSA and DFIA and other relevant legislation,
    guidelines and codes of conduct;
  3. risk management process related to cloud service / e-banking / Internet
    insurance / Internet takaful* is subject to appropriate oversight by the board of directors and senior management;
  4. appropriate security measures to address cloud service / e-banking / Internet
    insurance / Internet takaful* security concerns are in place;
  5. customer support services and education related to cloud service / e-banking /
    Internet insurance / Internet takaful* are in place;
  6. performance monitoring of cloud service / e-banking / Internet insurance /
    Internet takaful* products, services, delivery channels and processes has been established;
  7. cloud service / e-banking / Internet insurance / Internet takaful* is included in
    the contingency and business resumption plans;
  8. there are adequate resources to support the offering of cloud service / e-banking
    / Internet insurance / Internet takaful* business; and
  9. the systems, procedures, security measures, etc. relevant to sound operations
    of cloud service / e-banking / Internet insurance / Internet takaful* will constantly
    be reviewed to keep up with the latest changes.

Signature: ………………………………
Name: …………………………………..
Date: ………………………..…………..

* (delete whichever is not applicable)

Appendix 9 Supervisory Expectations on External Party Assurance

Part A: Financial Institutions are required to provide an external assurance

  1. The assurance shall be conducted by an independent external service provider
    (ESP) engaged by the financial institution.
  2. The independent ESP must understand the proposed services, the data flows, system architecture, connectivity as well as its dependencies.
  3. The independent ESP shall review the comprehensiveness of the risk
    assessment performed by the financial institution and validate the adequacy of the control measures implemented or to be implemented.
  4. The Risk Assessment Report (as per Part D in Appendix 7) shall state among
    others, the scope of review, risk assessment methodology, summary of findings and remedial actions (if any).
  5. The Risk Assessment Report shall confirm there is no exception noted based on the prescribed risk areas (Negative attestation).
  6. The financial institution shall provide the Risk Assessment Report accompanied by the relevant documents.

Part B: Minimum controls to be assessed by the independent External Service Provider, where applicable

  7. The independent ESP assessment of security requirements shall include the following key areas:
    (a) access control;
    (b) physical and environmental security;
    (c) operations security;
    (d) communication security;
    (e) information security incident management; and
    (f) information security aspects of business continuity management.
  8. For online transactions and services, a financial institution has implemented the
    following:
    (a) adequate measures to authenticate customer identity and ensure legitimate transaction authorisation by the customer, including —
    (i) measures to prevent session takeover or man-in-the-middle attacks;
    (ii) internal controls must be in place to prevent compromise of relevant internal systems / applications / databases;
    (iii) where appropriate, apply multi-level authentication, out-of-band
    protocol and real-time verification;
    (iv) secure session handling functions and authentication databases; and
    (v) ensure strong password and cryptographic implementation
    (recognised algorithm with reasonable key strength);
    (b) adequate measures for transaction authentication that promote non-repudiation and establish accountability —
    (i) mechanism exists to ensure proof of origin, content as well as the integrity of the message;
    (ii) chosen channel to deliver transaction is secure;
    (iii) mechanism exists to alert the user on certain types of transactions for
    further authentication; and
    (iv) establish mutual authentication or appropriate use of digital certification;
    (c) segregation of duties and access control privilege for systems, databases and applications —
    (i) implement dual control where applicable;
    (ii) controls exist to detect and prevent unauthorised access to relevant resources/devices;
    (iii) authorisation database should be tamper-resistant; and
    (iv) periodic review of privileged users;
    (d) adequate measures to protect data integrity of transactions and information:
    (i) implementation of end-to-end encryption for external communication;
    (ii) implementation of multi-layer network security and devices;
    (iii) absence of single points of failure in network architecture;
    (iv) conduct network security assessment/penetration test to identify vulnerabilities;
    (v) establish audit trail capabilities;
    (vi) preserve the confidentiality of information;
    (vii) use of stronger authentication for higher risk transactions; and
    (viii) timely notification to customers that is sufficiently descriptive of the
    nature of the transaction; and
    (e) adequate measures to mitigate associated risks of using electronic mobile devices to perform online transactions, which shall include the following:
    (i) application is running on secure mobile Operating System versions;
    (ii) application is not running on compromised devices;
    (iii) conduct penetration test to identify and rectify potential vulnerabilities;
    (iv) secure end-to-end communication between the device and host;
    (v) sensitive information is not stored on mobile devices;
    (vi) user is notified of successful transactions;
    (vii) user is notified of suspicious transactions;
    (viii) continuous monitoring and takedown of fake applications in
    application distribution platforms;
    (ix) controls over the uploading of applications to application distribution platforms;
    (x) a unique code is generated per transaction; and
    (xi) timely expiry of the transaction code.

BNM RMIT 2023 Part 9

Appendix 1 Storage and Transportation of Sensitive Data in Removable Media

Financial institutions should ensure adequate controls and measures are implemented for the storage and transportation of sensitive data in removable media, including:

  1. Deploying the latest industry-tested and accepted encryption techniques;
  2. Implementing authorised access control to sensitive data (e.g. password protection, user access matrix);
  3. Prohibiting unauthorised copying and reading from the media;
  4. Should there be a need to transport the removable media to a different physical
    location, financial institutions should —
    (a) strengthen the chain of custody process for media management which includes:
    (i) the media must not be under single custody at any point of time;
    (ii) the media must always be within sight of the designated custodians;
    and
    (iii) the media must be delivered to its target destination without unscheduled stops or detours;
    (b) use a secure and official vehicle for transportation;
    (c) use strong and tamper-proof containers for storing the media with a high-
    security lock (e.g. dual key and combination lock); and
    (d) implement location tracking functionality for each media container; and
  5. Ensuring third party service providers comply with the requirements in paragraphs 1 to 4 of this Appendix, in the event third party services are required
    in undertaking the storage management or transportation process of sensitive data.

Appendix 2 Control Measures on Self-service Terminals (SSTs)

Cash SST
Cash SSTs are computer terminals provided by banking institutions, such as Automated Teller Machines, Cash Deposit Machines and Cash Recycler Machines, that provide cash transactions such as cash withdrawals and deposits, including in foreign currencies.
Financial institutions should ensure the adequacy of physical and logical security and controls implemented on the Cash SST, which includes:

  1. Enforcing full hard disk encryption;
  2. Retaining cards or blocking access to the Cash SST service when the following are
    detected:
    (a) exceeded maximum PIN tries;
    (b) invalid card authentication value;
    (c) cash SST card unable to eject;
    (d) “deactivated” card status;
    (e) inactive account status such as “Dormant” or “Deceased”; and
    (f) cards tagged as “Lost” or “Stolen”;
  3. Ensuring the Cash SST operating system is running on a secure operating system version with continued developer or vendor support for security patches to fix any operating system security vulnerabilities;
  4. Deploying an Anti-virus (AV) solution for Cash SSTs and ensuring timely update of
    signatures. Ensure virus scanning on all Cash SSTs is performed periodically;
  5. Implementing a centralised management system to monitor and alert on any unauthorised activities on Cash SSTs such as unauthorised shutting-down of the OS
    or deactivation of the white-listing programme;
  6. Ensuring effective control over the Cash SST lock and key by using a unique and non-duplicable key to open the Cash SST PC Core compartment as well as
    ensuring proper safekeeping and custody of the key;
  7. Installing an alarm system with a triggering mechanism connected to a centralised alert system to detect and alert the bank’s staff of any unauthorised opening or tampering of the physical components of the Cash SST, particularly access to the Cash SST PC Core;
  8. Physically securing the Cash SST PC Core by enclosing the CPU in a locked case;
  9. Enforcing firewall and Intrusion Prevention System (IPS) at the financial institution’s network to filter communication between the host server and the
    Cash SST;
  10. Enforcing pairing authentication for key Cash SST components, particularly between the cash dispenser and Cash SST controller;
  11. Enforcing Basic Input Output System (BIOS) lock-down which includes:
    (a) enabling unique password protection for accessing the BIOS. The password
    should be held by financial institutions under strict control;
    (b) disabling external input devices and ports such as CD-ROM, floppy disk and
    USB port. The Cash SST operating system can only be booted from the
    internal hard disk; and
    (c) disabling automatic BIOS update;

  12. Ensuring proper configuration and hardening of the OS and application system, which includes:
    (a) blocking any wireless network connection such as Bluetooth, Wi-Fi;
    (b) disabling Microsoft default programs (such as Notepad, Internet browser, Windows shortcuts, file download, file sharing and command prompt);
    (c) disabling unnecessary services in the operating system such as the auto-play feature;
    (d) concealing the Start Bar or Tray Menu;
    (e) enabling cache auto-deletion; and
    (f) disabling key combinations and right-click mouse functions;
  13. Enforcing secure system parameter settings, which includes:
    (a) changing default passwords and other system security parameter settings of the Cash SST;
    (b) using a unique system administrator password for all Cash SSTs; and
    (c) using lowest-level privileges for programme and user system access;
  14. Performing scanning for and removing any known malware such as
    Backdoor.Padpin and Backdoor.Ploutus;
  15. Enforcing and monitoring Cash SST end-point protection such as installing white-
    listing programmes. The end-point protection programme, at a minimum, should
    ensure only authorised Cash SST system processes and libraries are installed
    and executed;
  16. Enforcing strict control procedures over installation and maintenance of Cash SST OS and application systems, which includes:
    (a) ensuring only authorised personnel have access to the gold disk copy (master copy of Cash SST installation software);
    (b) ensuring the gold disk copy is scanned for virus/malware prior to installation into the Cash SST; and
    (c) enforcing dual control for installation and maintenance of Cash SST software; and
  17. Installing closed-circuit cameras and transaction-triggered cameras at strategic
    locations with adequate lighting in order to ensure high quality and clear closed-circuit television images of the cardholder performing a transaction as well as any suspicious activities.

Non-Cash SST

Non-cash SSTs are computer terminals such as desktops, laptops, tablets and cheque
deposit machines that provide non-cash transactions such as cheque deposits,
balance enquiries, fund transfers, utilities bill payments and insurance quotations.
Financial institutions should ensure the adequacy of physical and logical security and
controls implemented on the self-service terminals, which includes:

  1. Enforcing the use of lock and key on the computer terminal’s central processing unit (CPU) at all times;
  2. Deploying closed-circuit television to monitor the usage of self-service terminals;
  3. Ensuring adequate control over network security of the self-service terminals to
    ensure that the kiosks are secured and segregated from the internal network;
  4. Disabling the use of all input devices (such as USB, CD and DVD), application
    systems (such as Notepad, Microsoft Word, and Microsoft PowerPoint) and file download as well as command prompt on the kiosk;
  5. Disabling browser scripting, pop-ups, ActiveX, Windows shortcuts;
  6. Concealing the Start Bar or Tray Menu;
  7. Enabling cache auto-deletion;
  8. Disabling key combinations and right-click mouse functions; and
  9. Restricting use of the Internet browser, i.e. only to be used to access the financial institution’s internet website.

Appendix 3 Control Measures on Internet Banking

  1. A financial institution should ensure the adequacy of security controls
    implemented for Internet banking, which include:
    (a) Ensure Internet banking only runs on secured versions of web browsers that have continued developer support for security patches to fix any vulnerabilities;
    (b) Put in place additional authentication protocols to enable customers to identify the financial institution’s genuine website, such as deploying image or word verification authentication or similar controls. The system should require the customer to acknowledge that the image or word is correct before the password box is displayed to the customer;
    (c) Assign a customer to an MFA solution bound to a single device;
    (d) Require MFA when registering an account as a “favourite” beneficiary. A financial institution must also require MFA for the first funds transfer to the favourite beneficiary;
    (e) For new customers, the default transfer limit shall be set at a conservatively low level (such as RM5,000 per day). However, customers should be provided with the option to change the limit via secure channels (e.g. online with MFA or at branches); and
    (f) Deploy an automated fraud detection system which has the capability to conduct heuristic behavioural analysis.

Issued on: 1 June 2023 Appendix 4 Control Measures on Mobile Application and Devices

  1. A financial institution should ensure digital payment, banking and insurance services involving sensitive customer and counterparty information offered via mobile devices are adequately secured. This includes the following:
    (a) ensure mobile applications run only on the supported version of operating systems and enforce the application to only operate on a secure version of operating systems which have not been compromised, jailbroken or rooted i.e. the security patches are up- to-date;
    (b) design the mobile application to operate in a secure and tamper -proof
    environment within the mobile devices. The mobile application should be
    prohibited from storing customer and counterparty information used for
    authentication with the application server such as PIN and passwords. Authentication and verification of unique key and PIN should be centralised
    at the host;
    (c) undertake proper due diligence processes to ensure the application
    distribution platforms used to distribute the mobile application are
    reputable;
    (d) ensure proper controls are in place to access, maintain and upload the mobile application on application distribution platforms;
    (e) activation of the mobile application should be subject to authentication by
    the financial institution;
    (f) ensure secure provisioning process of mobile application in the customer’s device is in place by binding the mobile application to the customer’s profile
    such as device ID and account number; and
    (g) monitor the application distribution platforms to identify and address the
    distribution of fake applications in a timely manner.
  2. In addition to the guidance in paragraph 1, a financial institution should also ensure the following measures are applied specifically for applications running on mobile devices used by the financial institution, appointed agents or intermediaries for the purpose of processing customer and counterparty information:
    (a) mobile device to be adequately hardened and secured;
    (b) ensure the capability to automatically wipe data stored in the mobile devices in the event the device is reported stolen or missing;
    (c) establish safeguards that ensure the security of customer and counterparty information (e.g. Primary Account Numbers (PAN), Card Verification Value Numbers (CVV), expiry dates and Personal Identification Numbers (PIN) of payment cards), including to mitigate risks of identity theft and fraud [21];
    (d) enforce masking of sensitive customer and counterparty information when displayed on mobile devices; and
    (e) limit the storage of customer and counterparty information for soliciting insurance businesses in mobile devices to 30 days.
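Items 2(c) and 2(d) together: card data must be masked when displayed and must not leak into local logs or crash reports on the device. As an added example that is not from the policy document, a Luhn-gated PAN scrubber alongside the usual first-six/last-four display mask; the sample log line and the field names (pan=, cvv=, exp=) are constructed for the demonstration.

```python
import re

# Constructed sample line (not from the policy document): what a careless
# checkout screen might write to a device log or crash report.
SAMPLE_LINE = ("2023-06-01 10:02:11 INFO checkout pan=4111 1111 1111 1111 "
               "cvv=123 exp=12/27 ref=1234567890123456")


def luhn_ok(digits):
    """Luhn check-digit test, used to tell PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: first six (BIN) and last four kept, the rest masked.
    This is the common PCI DSS display rule; the page itself mandates only
    'masking', so the split is an assumption."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)\s*[:=]\s*\d{3,4}")
EXP_RE = re.compile(r"(?i)\b(exp(?:iry)?)\s*[:=]\s*\d{2}/\d{2,4}")


def scrub(text):
    """Redact card data before the text reaches any log, cache or screen."""
    def _pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)   # phone or reference number: leave untouched
    text = PAN_RE.sub(_pan, text)
    text = CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    text = EXP_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return text
```

The Luhn gate is what keeps the scrubber usable: in the sample line the 16-digit reference number fails the check and survives, while the card number, CVV and expiry are redacted. CVV is never masked partially, since there is no legitimate reason to display any of it.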

21 This includes risks associated with malware that enables keystroke logging, PIN harvesting and other malicious forms of customer and counterparty information downloading.

Risk Management in Technology 42 of 67
Issued on: 1 June 2023

Appendix 5 Control Measures on Cybersecurity

  1. Conduct periodic review on the configuration and rules settings for all security devices. Use automated tools to review and monitor changes to configuration and rules settings.
  2. Update checklists on the latest security hardening of operating systems.
  3. Update security standards and protocols for web services encryption regularly. Disable support of weak ciphers and protocols in web-facing applications.
  4. Ensure technology networks are segregated into multiple zones according to threat profile. Each zone shall be adequately protected by various security devices including firewall and Intrusion Prevention System (IPS). This must include mobile and wireless networks as well.
  5. Ensure security controls for server-to-server external network connections include the following:
    (a) server-to-server authentication such as Public Key Infrastructure (PKI) certificate or user ID and password;
    (b) use of secure tunnels such as Transport Layer Security (TLS) and Virtual Private Network (VPN) IPSec; and
    (c) deploying staging servers with adequate perimeter defences and protection such as firewall, IPS and antivirus.
  6. Ensure security controls for remote access to servers include the following:
    (a) restrict access to only hardened and locked-down end-point devices;
    (b) use secure tunnels such as TLS and VPN IPSec;
    (c) deploy a ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and
    (d) close relevant ports immediately upon expiry of remote access.
  7. Ensure overall network security controls are implemented including the following:
    (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed in High Availability (HA) configuration with “fail-close” mode activated. Deploy a different brand name/model for two firewalls located in sequence within the same network path;
    (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic;
    (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls;
    (d) end-point protection solution to detect and remove security threats including viruses and malicious software;
    (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and
    (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents.
  8. Synchronise and protect the Network Time Protocol (NTP) server against tampering.
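Item 3 asks that weak ciphers and protocols be disabled on web-facing applications, and items 5 and 6 lean on TLS for the tunnels. As an added example that is not from the policy document: a hardened Python ssl server context next to an audit function that flags a protocol floor below TLS 1.2, weak cipher names and suites without forward secrecy. The LEGACY_* values are constructed for contrast, and the certificate/key paths are assumed and only loaded when supplied.

```python
import ssl

# Name fragments that mark a cipher suite as weak. "DES" also catches the
# 3DES suites (e.g. DES-CBC3-SHA); AES suite names never contain "DES".
WEAK_CIPHER_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "PSK", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2+, ECDHE-only AEAD suites, no compression,
    server-chosen cipher order. certfile/keyfile are assumed paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # TLS 1.3 suites are fixed by OpenSSL; this string governs TLS 1.2 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_tls_settings(min_version, cipher_names):
    """Return a list of findings (empty means compliant) for a protocol floor
    and an enabled cipher list, wherever those values were read from."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        label = getattr(min_version, "name", min_version)
        findings.append(f"protocol floor is {label}; require TLS 1.2 or later")
    for name in cipher_names:
        upper = name.upper()
        hits = [t for t in WEAK_CIPHER_TOKENS if t in upper]
        if hits:
            findings.append(f"weak cipher enabled: {name} ({', '.join(hits)})")
        elif "DHE" not in upper and not upper.startswith("TLS_"):
            # static RSA/ECDH key exchange: no forward secrecy (TLS 1.3 names
            # start with TLS_ and are always ephemeral)
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext, e.g. the one a web front end is about to use."""
    return audit_tls_settings(ctx.minimum_version,
                              [c["name"] for c in ctx.get_ciphers()])


# A legacy configuration, constructed here for contrast (names only, so the
# audit result is the same on every OpenSSL build).
LEGACY_FLOOR = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256"]
```

Run audit_context against the context your server actually builds, not against a fresh one: the defaults of the Python version and OpenSSL build decide the TLS 1.3 suites and the baseline floor, so the review in item 1 of this appendix should re-run the audit after every runtime or library upgrade.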


BNM RMIT 2023 Part 8

PART C  REGULATORY PROCESS

14         Notification for Technology-Related Applications

S 14.1  A financial institution must notify the Bank in accordance with the requirements in paragraphs 14.2 to 14.7 prior to conducting e-banking, Internet insurance and Internet takaful services, including introducing new technology relating to e-banking, Internet insurance and Internet takaful [20].

S 14.2  A financial institution offering e-banking, Internet insurance and Internet takaful services for the first time must submit the following information in the notification to the Bank:

(a) risks identified and strategies to manage such risks. This includes specific accountabilities, policies and controls to address risks;

(b) security arrangements and controls;

(c) significant terms and conditions for e-banking, Internet insurance and Internet takaful services;

(d) client charter on e-banking, Internet insurance and Internet takaful services;

(e) privacy policy statement; and

(f) any outsourcing or website link arrangements, or strategic alliances or partnerships with third parties that have been finalised.

20 For the purpose of this Part:

“e-banking” means the provision of banking products and services through electronic channels. E-banking includes banking via the Internet, phone, automated teller machines (ATM), and any other electronic channel;

“Internet insurance” means the use of the Internet as a channel to transact insurance business with customers or as a platform for transmission of customers’ information;

“Internet takaful” means the use of the Internet as a channel to transact takaful business with customers or as a platform for transmission of customers’ information.

S 14.3  In introducing any enhancement to existing e-banking, Internet insurance and Internet takaful services, the financial institution is required to follow the notification process based on whether the enhancement is explicitly listed in Appendix 6 (Positive List for Enhancement to Electronic Banking, Internet Insurance and Internet Takaful Services). The list may be updated as and when there are changes to the risk profile and risk management of the technology landscape.

S 14.4  For any enhancements listed in Appendix 6, the financial institution must submit the notification together with the following information:

(a) description of the enhancements to the existing technologies; and

(b) risk assessment of the proposed enhancements, including the impact and measures to mitigate identified risks.

S 14.5  For the introduction of new services, and any enhancements to existing services not listed in Appendix 6, the financial institution is required to undertake the following measures prior to notifying the Bank:

(a) engage an independent external party to provide assurance that the financial institution has addressed the technology risks and security controls associated with the e-banking, Internet insurance and Internet takaful services or any material enhancement to the existing e-banking, Internet insurance and Internet takaful services. The format of the assurance shall be as set out in Appendix 7; and

(b) provide a confirmation by the CISO, senior management officer or the chairman of the board or designated board-level committee stipulated in paragraph 8.4 of the financial institution’s readiness to provide e-banking, Internet insurance and Internet takaful services or implement any material enhancement to the e-banking, Internet insurance and Internet takaful services. The format of the confirmation shall be as set out in Appendix 8.

S 14.6  A financial institution must ensure that the independent external party providing the assurance is competent and has a good track record. The assurance shall address the matters covered in, and comply with, Appendix 9.

G 14.7  For any enhancements that do not materially alter the prior assessments and representations made by a financial institution to the Bank, a notification under paragraph 14.4 and Appendix 6 is not required.

S 14.8  A financial institution must have the relevant information pertaining to any enhancements that do not materially alter the prior assessments and representations made by a financial institution to the Bank readily available and submit the same to the Bank as and when required by the Bank within the period specified by the Bank.

G 14.9  A financial institution may offer the services or implement any enhancement to the services immediately upon submission of the notification under paragraph 14.1 and compliance with the requirements in paragraphs 14.2 to 14.6.

15         Consultation and Notification related to Cloud Services

S 15.1  A financial institution is required to consult the Bank prior to the first-time adoption of public cloud for critical systems. During the consultation, the financial institution must demonstrate that specific risks associated with the use of cloud services have been adequately considered and addressed to the satisfaction of the Bank, in order to proceed with the adoption of the public cloud for critical systems for the first time. The financial institution shall undertake the following prior to consulting the Bank on its adoption of public cloud for critical systems:

(a) conduct a comprehensive risk assessment of the proposed cloud adoption, including the possible impact and measures to address and mitigate the identified risks as outlined in paragraph 10.49 and in Appendix 10. The financial institution shall also adopt the format of the Risk Assessment Report as per Appendix 7;

(b) provide a confirmation by the CISO, senior management officer or the chairman of the board or designated board-level committee stipulated in paragraph 8.4 of the financial institution’s readiness to adopt public cloud for critical systems. The format of the confirmation shall be as set out in Appendix 8; and

(c) perform a third-party pre-implementation review on public cloud implementation that covers the areas set out in Appendix 10 and Part A of Appendix 9 for higher-risk public cloud services, such as when the cloud services involve the processing or storage of customer information, or if data will be transmitted across borders.

S 15.2  A financial institution shall notify the Bank on any subsequent adoption of public cloud for critical systems, by submitting the notification together with the necessary updates to all the information required under paragraph 15.1, subject to the financial institution having met and included the following requirements in the notification submitted to the Bank that the financial institution:

(a) has consulted the Bank prior to adopting public cloud for critical systems for the first time in accordance with paragraph 15.1, with no concerns raised by the Bank during the first-time consultation;

(b) has enhanced the technology risk management framework to manage cloud risks;

(c) has established independent assurance on the cloud risk management framework; and

(d) has provided assurance to the Bank on the enhanced incident response to cater for adverse/unexpected events.

G 15.3  For the avoidance of doubt, notification to the Bank under paragraph 15.2 is not required for any enhancement to existing cloud adoption that does not materially alter the prior assessments and representations made by a financial institution to the Bank.

G 15.4  The Bank may at its discretion require a financial institution to consult the Bank under paragraph 15.1, notify the Bank under paragraph 15.2 or observe any of the guidance in Appendix 10 and to explain any deviations from the guidance in Appendix 10 to the Bank, including for a non-critical system, where necessary as determined by the Bank.

S 15.5  A financial institution must ensure the roadmap for adoption of cloud services (for critical systems and non-critical systems) is included in the annual outsourcing plan submitted to the Bank in adherence to the requirements in the policy document on Outsourcing or IT Profile. The risk assessment as outlined in paragraph 10.49 must also be documented and made available for the Bank’s review as and when requested by the Bank.

16         Assessment and Gap Analysis

S 16.1  A financial institution must perform a gap analysis of existing practices in managing technology risk against the requirements in this policy document and highlight key implementation gaps. The financial institution must develop an action plan with a clear timeline and key milestones to address the gaps identified. The gap analysis and action plan must be submitted to the Bank no later than 90 days after the issuance date of this policy document. Financial institutions that have previously made a submission in accordance with the equivalent provision in the previous version of this policy document are required to maintain continuous compliance by identifying any new gaps against the enhanced or revised requirements in the latest version of this policy document and taking the necessary steps to address such gaps. The updated annual assessment of its level of compliance must be made available to the Bank upon request.

S 16.2  For the purpose of paragraph 8.12, a financial institution shall submit together with the gap analysis and action plan its self-assessment on whether it is a large financial institution.

S 16.3  The self-assessment, gap analysis and action plan in paragraphs 16.1 and 16.2 must be submitted to Jabatan Penyeliaan Konglomerat Kewangan, Jabatan Penyeliaan Perbankan, Jabatan Penyeliaan Insurans dan Takaful or Jabatan Pemantauan Perkhidmatan Pembayaran, as the case may be.


BNM RMIT 2023 Part 7

12 Technology Audit

S 12.1 A financial institution must ensure that the scope, frequency, and intensity of
technology audits are commensurate with the complexity, sophistication and criticality of technology systems and applications.

S 12.2 The internal audit function must be adequately resourced with relevant
technology audit competencies and sound knowledge of the financial
institution’s technology processes and operations.

S 12.3 A financial institution must ensure its internal technology audit staff are
professionally certified and adequately conversant with the developing
sophistication of the financial institution’s technology systems and delivery channels.

S 12.4 In addition to paragraph 12.2, a large financial institution must establish a
dedicated internal technology audit function that has specialised technology audit competencies to undertake technology audits.

S 12.5 A financial institution must establish a technology audit plan that provides
appropriate coverage of critical technology services, third party service
providers, material external system interfaces, delayed or prematurely
terminated critical technology projects and post -implementation review of new
or material enhancements of technology services.

G 12.6 The internal audit function (in the case of paragraph 12.2) and the dedicated
internal technology audit function (in the case of paragraph 12.4) may be
enlisted to provide advice on compliance with and adequacy of control
processes during the planning and development phases of new major
products, systems or technology operations. In such cases, the technology auditors participating in this capacity should carefully consider whether such an advisory or consulting role would materially impair their independence or objectivity in performing post-implementation reviews of the products, systems
and operations concerned.

13 Internal Awareness and Training

S 13.1 A financial institution must provide adequate and regular technology and
cybersecurity awareness education for all staff in undertaking their respective roles and
measure the effectiveness of its education and awareness
programmes. This cybersecurity awareness education must be conducted at
least annually by the financial institution and must reflect the current cyber
threat landscape.

S 13.2 A financial institution must provide adequate and continuous training for staff
involved in technology operations, cybersecurity and risk management in order
to ensure that the staff are competent to effectively perform their roles and responsibilities.

S 13.3 In fulfilling the requirements under paragraph 13.2, a large financial institution
shall ensure the staff working on day -to-day IT operations such as IT security,
project management and cloud operations are also suitably certified.

S 13.4 A financial institution must provide its board members with regular training and
information on technology developments to enable the board to effectively
discharge its oversight role.
