MALAYSIA continues to lose billions of ringgit to digital scams each year, yet still hesitates to implement a simple but effective safeguard that could save thousands of victims — a mandatory cooling-off period for suspicious digital transactions.
What makes this delay more frustrating is that the idea was first proposed here. Malaysian Communications and Multimedia Commission (MCMC) commissioner Derek Fernandez mooted the policy more than a year ago.
When Tan Sri Annuar Musa served as the Minister of Communications and Multimedia from August 2021 to November 2022, Fernandez advocated for a 48-hour “float” for first-time transfers to unknown accounts. He later supported a shorter 12-hour period as an initial step, but the urgency of his call has only grown with time.
Now, Singapore has taken the lead by introducing a 24-hour cooling-off safeguard for high-risk digital transactions. The irony is clear — Malaysia came up with the idea first, but Singapore has implemented it faster and more decisively.
Recent statistics reveal the scale of the problem. In 2024, over 35,000 scam cases were reported by the PDRM’s Commercial Crime Investigation Department, with financial losses exceeding RM1.6 billion, compared to RM1.2 billion the year before.
In just the first quarter of 2025, 12,110 online fraud cases resulted in losses of RM573.7 million, involving e-commerce, investment scams, and fake loans.
The Malaysian Cyber Security Agency (MyCERT) also recorded a 29 per cent increase in data breach incidents in early 2025. These figures are not just numbers; they represent destroyed livelihoods and shattered trust in the banking system.

Fernandez’s proposal aimed to give consumers a fighting chance. A short pause before completing a transfer could allow a victim to realise they have been tricked, report the transaction, and stop the transfer before it disappears into a mule account.
He also suggested making banks bear the losses when fraud occurs without customer negligence and called for the establishment of a national reporting structure for online harms.
The advantages of such a safeguard are clear. It provides time for intervention, reduces scam-related losses, and strengthens public confidence in digital banking. It also forces banks to invest in better fraud monitoring and detection systems while signalling stronger government protection for consumers.
Of course, there are drawbacks. Delays in legitimate payments could frustrate users and businesses. Banks would need to overhaul internal systems and risk algorithms, which involves cost and potential customer complaints. Yet, in a country where billions are lost to deception, a brief delay is a small price to pay for safety.
It’s understood that banks have been reluctant to act because of cost, liability and convenience. Their payment systems are designed for instant transfers, and they fear upsetting customers if legitimate transactions are delayed.
There is also competition from digital wallets and fintech platforms that promise faster payments. Without a regulatory push, few banks will voluntarily introduce measures that may affect profit margins or expose them to additional responsibility.
Bank Negara Malaysia reported that the financial sector prevented RM399 million in fraudulent transactions in 2024 through improved security controls.
However, these improvements focus mainly on authentication and device registration, not comprehensive cooling-off procedures. Singapore’s new framework goes much further by requiring banks to delay or reject suspicious transfers, notify customers immediately, and hold the transfers for review within 24 hours.
If Singapore can operationalise this at a national level, Malaysia certainly can too. The question is whether the country has the political will to act. As Fernandez wrote in his Online Safety and Consumer Protection paper presented at the International Regulators Forum 2024 in Bangkok,
“Those who profit the most from digitalisation owe the greatest responsibility to protect their customers.”
Malaysia now needs that sense of accountability. The longer Bank Negara and the financial sector hesitate, the more ordinary Malaysians will suffer.
A minimum 24-hour cooling-off period should be made mandatory for high-risk or first-time transfers, and banks should share responsibility for losses that are not due to customer fault.
Cybersecurity must be treated as public infrastructure — not a cost burden but an investment in national security and consumer confidence. Singapore’s example shows that it can be done when institutions put people before profit.
Malaysia has the blueprint, the expertise, and the evidence. What it lacks is urgency. Every day of delay allows scammers to steal more. It is time for Bank Negara Malaysia and the government to act — not for the sake of policy pride, but for the protection of the public. – October 14, 2025
Sandru Narayanan is a reporter at Scoop.

