Warta
4notify Malaysia · Federal Gazette
OFFICIAL · BNM · PayNet · DuitNow
Warta No
WTA-MY-001
Date
2026-05-27
Status
In force
Section
Banking & payments

Strong customer authentication for DuitNow and MyDuitNow QR: OTP delivery to Malaysian banking customers across Maxis, Celcom Digi, U Mobile and Yes

Bank Negara Malaysia (BNM) supervises the Malaysian financial system; PayNet operates the DuitNow real-time payments rail and MyDuitNow QR. Every mobile-banking session and every above-threshold DuitNow transfer requires a second factor. 4notify delivers one-time codes with P50 < 4 seconds across Maxis, Celcom Digi, U Mobile and Yes (YTL Communications) using direct tier-1 connections. Sabar sikit, kod dah sampai — the code arrives before the window closes.

SMSPushE-mail
Preamble

Whereas, in exercise of the powers conferred by section 25 of the Communications and Multimedia Act 1998 and the Financial Services Act 2013, this Warta is issued concerning the delivery of strong-customer-authentication one-time codes over Malaysian mobile networks for DuitNow and MyDuitNow QR transactions.

Statutory basis
Financial Services Act 2013 (Act 758)

Empowers Bank Negara Malaysia to issue standards on payment systems, electronic banking and strong customer authentication.

BNM RMiT — Risk Management in Technology

Mandatory technology risk and online-banking authentication baseline for licensed financial institutions.

Payment Systems Act / PayNet operating rules

Governance of the DuitNow scheme, MyDuitNow QR, and obligations on participants for authentication and dispute resolution.

Implementation
01

MCMC notification + tier-1 carrier contracts

4notify is a notified A2P provider with MCMC and operates direct tier-1 SMS interconnects with Maxis, Celcom Digi, U Mobile and Yes — no grey-route aggregation is used for authentication traffic.

02

OTP generated inside the bank's HSM

The one-time code is generated inside the bank's hardware security module; 4notify ever sees only the hash and the destination MSISDN.

03

60-second window + cascade fallback

SMS is delivered inside 60 seconds; if the DLR fails, the cascade falls through to push and then to e-mail. Grey-route latency is avoided by routing only on tier-1.

04

Five-year audit custody

Each delivery is hash-signed and retained for five years to satisfy BNM RMiT, AMLA record-keeping and PDPA evidentiary requirements.

Delivery envelope
json
{
  "event": "bank.duitnow.otp",
  "bank_id": "MY-XXXX",
  "transaction_id": "TX-2026-05-27-948210",
  "amount": 450.00,
  "currency": "MYR",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "duitnow_otp_my_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/948210"
}
Sample message
SMS

Maybank: your code to authorise DuitNow transfer of RM450.00 to A. Tan is 482193. Valid for 5 minutes. Do not share this code with anyone.

Compliance checklist
  • MCMC notification as a recognised A2P delivery provider current
  • Direct tier-1 interconnects with Maxis, Celcom Digi, U Mobile and Yes active
  • OTP P50 ≤ 4 seconds measured every quarter
  • Five-year audit custody documented for BNM RMiT review
The 4notify difference

4notify is the only A2P provider with simultaneous direct tier-1 reach into Maxis, Celcom Digi, U Mobile and Yes, signed five-year audit custody and a DuitNow / MyDuitNow QR template library aligned with BNM RMiT and PayNet scheme rules.

Frequently asked
Does 4notify route directly to Malaysian carriers or via an aggregator?

Direct tier-1 interconnects with Maxis, Celcom Digi, U Mobile and Yes (YTL Communications). No grey-route aggregation is used for authentication traffic.

Do push notifications count as a second factor?

Yes — push tied to a registered device is a recognised possession factor. Because the device cannot guarantee a durable medium, we always pair it with SMS or e-mail in the cascade.

Published
4notify Operations Department
2026-05-27 · WTA-MY-001

Start free

14 days, no card required. English support across ASEAN business hours.

Other entries in this edition