Legal and Regulatory Developments on Artificial Intelligence (AI) Governance in Malaysia
Malaysia’s artificial intelligence (“AI“) governance agenda advanced significantly in the first quarter of 2026. Malaysia’s first AI Governance Bill (“AI Bill“), a broad legislative framework addressing AI risks, is expected to be presented to Cabinet in June 2026. While full details have not been released, the Digital Minister has indicated in Parliament that the principal elements of the proposed legislation are expected to include[1]<sup\>:
- the establishment of clear accountability obligations for entities that develop, deploy, or operate AI systems;
- mandatory implementation of proactive risk management and appropriate preventive measures by technology providers to minimise potential harm to the public;
- enforcement mechanisms to address negligence or misuse of AI systems, including in cases involving fraud or security threats;
- the introduction of incident and harm reporting mechanisms, particularly to address increasingly sophisticated deepfake-related risks;
- the implementation of comprehensive governance requirements covering the entire AI system lifecycle, grounded in ethical principles such as safety, transparency, and the protection of fundamental rights; and
- the positioning of the AI Bill as a coordinating mechanism to promote regulatory coherence across agencies, rather than as a substitute for existing sectoral regulators.
In a related development, on 16 March 2026, the Government announced the launch of the MY-AI Standards (or Malaysia-AI Standards), which will serve as a “trust infrastructure” that will provide a practical framework for the development and implementation of AI standards in Malaysia. By adopting a “trust by design” approach, the MY-AI Standards aims to ensure that AI technologies are developed and deployed based on clear, transparent, auditable standards.
The MY-AI Standards will also complement national efforts to combat AI-enabled fraud and digital scams by embedding transparency, traceability and accountability into AI systems. The Digital Minister noted the MY-AI Standards complement ongoing initiatives, including (i) the upcoming Digital Trust and Data Security Strategy 2026-2030; (ii) Malaysia AI Action Plan 2026–2030; (iii) the introduction of the AI Bill; (iv) the development of the National AI Code of Ethics; and (v) AI literacy programmes.
These developments signal Malaysia’s momentum toward a more structured AI governance framework as it advances towards its aspiration of becoming an AI Nation by 2030. Businesses developing, deploying or procuring AI systems should monitor the proposed AI Bill closely, as it will likely introduce new governance, accountability and risk management obligations. With the Malaysian Cabinet consideration of these issues expected in June 2026, organisations should begin assessing their AI practices against emerging legal and regulatory expectations.
_________________________________________
[1]https://www.freemalaysiatoday.com/category/nation/2026/02/09/ai-governance-bill-to-be-tabled-in-parliament-this-year;
Public Consultation Papers Issued under the Online Safety Act 2025 (ONSA)
Following the coming into force of the Online Safety Act 2025 (“ONSA“) on 1 January 2026, the Malaysian Communications and Multimedia Commission (“MCMC“) conducted two parallel public consultations from 12 February to 31 March 2026: (i) the proposed regulatory framework for the Online Safety Plan (“OSP“); and (ii) the draft Risk Mitigation Code (“RMC“) and Child Protection Code (“CPC“).
The proposed OSP framework establishes a structured, outcome-based approach for licensed service providers (“Service Providers“) to manage online safety risks systematically. Under the proposed framework, Service Providers are required to prepare, publish and submit an OSP to MCMC within 90 days of the commencement of the relevant regulations, with annual submissions thereafter. The OSP must address six key components: (i) risk mitigation; (ii) content management and moderation; (iii) user empowerment and controls; (iv) child protection; (v) transparency and reporting; and (vi) governance and accountability. Service Providers must also designate an appropriate contact point responsible for overseeing compliance and engaging with MCMC on online safety matters.
The draft RMC, developed under section 13 of the ONSA, requires Service Providers to conduct suitable and sufficient harmful content risk assessments, taking into account service design; user demographics; emerging online behaviour trends; and heightened-risk situations such as national crises. Based on these assessments, providers must implement reasonable and proportionate risk mitigation measures, including (i) content management and moderation systems; (ii) user empowerment tools; (iii) safe service design; and (iv) clear safety policies. Separately, the draft CPC, developed under section 18 of the ONSA, focuses on protecting child users through five key areas: (i) age verification measures requiring users aged 16 and above to verify their age against government-issued records; (iii) content moderation to prevent children’s access to harmful material; (iii) parental controls; (iv) privacy and safety settings set to restrictive defaults; and (v) safe search and recommendation systems.
The ONSA, together with the proposed OSP framework and the draft codes, reflects Malaysia’s commitment to responding to the evolving digital landscape, with a particular emphasis on strengthening protections for children against online harm.
Launch of New SC Capital Markets Masterplan 2026-2030
In March 2026, the Securities Commission Malaysia (“SC“) unveiled its Capital Market Masterplan 2026-2030 (“CMP”), subtitled “Reshape and Recalibrate”. The CMP is the fourth iteration of the SC’s capital market masterplan series, following CMP1 (2001–2010), CMP2 (2011–2020) and CMP3 (2021–2025), which have guided the development of Malaysia’s financial architecture since 2001. Notably, the CMP departs from its predecessors by adopting, for the first time, a dual-horizon structure: a 20-year vision to 2045, supplemented by rolling five-year implementation cycles, with the 2026–2030 period constituting the first such cycle.
The CMP is anchored on four strategic outcome themes: (i) a vibrant capital market driving economic prosperity; (ii) an inclusive capital market for all Malaysians; (iii) a capital market supporting national sustainability goals; and (iv) a capital market as a gateway to regional opportunities. These are reinforced by Islamic capital market leadership, guided by the principles of Maqasid al-Shariah as a differentiator, and underpinned by regulatory and governance excellence as a critical foundation.
Key targets under the CMP include (i) growing total market size to. between RM5.8 trillion and RM6.3 trillion by 2030 (from RM4.3 trillion in 2025); (ii) channelling RM90 billion to RM100 billion cumulatively towards environmental and social financing needs; and (iii) anchoring RM100 billion to RM110 billion of assets with foreign underlying.
Notable implementation priorities under the CMP include (i) optimising equity market valuation and the value proposition of bonds and sukuk; (ii) accelerating the growth of venture capital and private equity; (iii) facilitating the development of a private credit ecosystem; (iii) broadening financial literacy and access; (iv) mobilising capital for sustainability-related projects; and (v) positioning Malaysia as a regional fundraising and investment destination. The CMP also signals the SC’s intention to undertake structured reviews of capital market laws and guidelines in line with the Government Service Efficiency Commitment Act 2025, and to expand regulatory coverage to new categories of intermediaries and service providers.
BNM Issues New Technology Requirements for Payment Service Regulatees
On 12 March 2026, Bank Negara Malaysia (“BNM“) issued the Policy Document on Technology Requirements for Payment Services Regulatees (BNM/RH/PD 040-1) (“TR PD“), setting out minimum standards on technology risk management, cybersecurity, operational resilience, and governance for non-bank payment services regulatees (“PSR“). The TR PD applies to four categories of regulatees: (i) approved issuers of electronic money; (ii) registered merchant acquirers; (iii) licensed money service businesses; and (iv) operators of designated payment systems.
The requirements under the TR PD are applied through a tiering framework (Tiers 1 to 4) – determined with reference to annual transaction values or volumes – to cater for the diverse risk profiles among PSRs. The TR PD is a notable development as it brings non-bank payment services players closer to the technology and cybersecurity standards that BNM already imposes on banks and larger financial institutions under the Risk Management in Technology Policy Document (“RMiT PD“). Larger PSRs already subject to the RMiT PD only need to comply with a few additional provisions, while smaller PSRs will face the full set of new requirements, scaled according to their size and risk profile.
The TR PD comes into effect on 12 March 2027, one year after the issuance of the TR PD by BNM. In the meantime, all PSRs are required to perform a gap analysis of existing practices in managing technology risk against the requirements in the TR PD; and develop an action plan with a clear timeline and key milestones to address the gaps identified. The gap analysis and action plan must be submitted to BNM no later than 90 days after the issuance of the TR PD.
Coming into Force of Consumer Credit Act 2025
The Consumer Credit Act 2025 (Act 873) (“CCA“) came into force on 1 March 2026, except for Part V covering licensing and registration, which will come into force on 1 June 2026. The coming into force of the CCA is important to Malaysia’s financial regulatory landscape as it introduces a new statutory framework for the regulation of the consumer credit industry, particularly in relation to non-bank credit providers and credit service providers. The CCA is part of a move towards a more comprehensive, integrated and effective framework for regulating the conduct of the consumer credit industry in Malaysia, while also strengthening protection for credit consumers.
A key section of the new regime is Part V, which introduces the licensing and registration requirements that will take effect from 1 June 2026. According to the Ministry of Finance, the businesses affected include credit providers such as buy-now-pay-later scheme companies; leasing companies and factoring companies; credit service providers such as debt collection agencies, and impaired loan or financing acquisition companies; and debt counselling and management agencies. This is the aspect of the CCA that many industry players are likely to be monitoring most closely.
The phased commencement is significant because the Ministry of Finance has announced that affected industry players will have a six-month transition period from 1 June 2026 to apply for the relevant licence or registration. Accordingly, although the CCA is already in force, businesses operating in the non-bank consumer credit space should now be assessing whether their activities fall within this scope and whether preparatory compliance steps are required ahead of the commencement of Part V.
The Price of Talent: Malaysia's New Employment Pass Salary Thresholds and What Employers Must Do Now
The Ministry of Home Affairs (“MOHA“) has announced a significant revision to Malaysia’s Employment Pass (“EP“) framework, effective 1 June 2026. Following Cabinet approval on 17 October 2025, minimum salary thresholds for EP Categories I, II, and III will be substantially increased.
The revised salary thresholds are as follows:
- EP Category I: Minimum salary increased from RM10,000 to RM20,000 (up to 10 years);
- EP Category II: Minimum salary increased from RM5,000-RM9,999 to RM10,000-RM19,999 (up to 10 years, with a succession plan); and
- EP Category III: Minimum salary increased from RM3,000-RM4,999 to RM5,000-RM9,999 (up to five years, with a succession plan).
In addition to this, fixed employment duration limits have been introduced for each category, and EP Categories II and III will now require a structured succession plan, subject to monitoring and periodic assessment by the relevant authorities. Notably, Dependant Pass eligibility has also been extended to EP Category III holders, subject to prevailing immigration requirements.
The policy is aligned with the Thirteenth Malaysia Plan objectives which prioritise local talent development and reduced reliance on foreign labour.
MOHA has indicated that further engagement and consultation sessions will be held to clarify implementation details. Employers may wish to start identifying EP holders who may be impacted on renewal, and commence succession planning, based on the Category of the EP.
Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice
