What Is Malaysia's Open Finance Framework and How Will It Affect Your Bank Data?

Edited by Teh Kim Guan, ACMA, CGMA · Updated 2026-06-24

Malaysia’s Open Finance Framework gives you the right to share your own bank and financial data with third-party apps, on your terms, using a secure and standardised API channel. Under the framework proposed by Bank Negara Malaysia (BNM) in November 2025, no institution can share your financial information without your explicit, time-limited consent, and you can revoke that consent at any time through a real-time dashboard.

This is a significant shift from today’s situation, where your bank data sits locked inside each individual bank and you have no regulated way to share it with, say, a budgeting app or a competing lender that wants to offer you a better rate.

What Open Finance Actually Means

Open Finance builds on the concept of Open Banking, but goes further. Where Open Banking typically covers only current and savings accounts, Open Finance spans a broader slice of your financial life: current accounts, savings accounts, fixed deposits, and potentially insurance and investment data as more product types are added over time.

The core idea is simple. You own your financial data. Any institution that holds it (your bank, your insurer, your e-money issuer) must be able to share it with another licensed party if you instruct them to, using a secure, standardised Application Programming Interface (API). No screen-scraping, no sharing your login credentials with third-party apps.

The BNM Exposure Draft: Key Details

BNM released its Exposure Draft on Open Finance on 18 November 2025. Public consultation closed on 1 March 2026. A final policy document is expected in the second half of 2026, with mandatory rollout beginning in January 2027. (Source: BNM, 2025)

What data must be shared?

Under the current proposal, financial institutions are required to share only two categories of mandated data when you give consent:

| Data Category | Scope |
|---|---|
| Transaction history | Most recent 12 months: date, description, and value of each transaction |
| Account balance | Current outstanding balance of the account |

Institutions may share additional data, such as product features or credit information, only if you give explicit consent and if the technical standards allow it.

Who is covered?

BNM is proposing a phased rollout by institution size:

| Phase | Who | Start Date |
|---|---|---|
| Phase 1 | Banks with more than 1 million customers | 1 January 2027 |
| Phase 2 | Banks with more than 100,000 customers | 1 January 2028 |
| Phase 3 | Development financial institutions (100,000+ customers) and e-money issuers (5 million+ active users) | 1 January 2029 |

This means the largest banks, including Maybank, CIMB, Public Bank, and RHB, will be first to comply. Smaller institutions and e-money operators have more time to build the required infrastructure.

Who builds the pipes?

PayNet, Malaysia’s national payments network operator, is leading the technical infrastructure work. A pilot group of seven banks and the Employees Provident Fund (EPF/KWSP) began technical development in 2025, with the aim of having infrastructure ready as early as mid-2026. (Source: BNM, 2025)

The consent model is the most consumer-facing part of the framework, and BNM has been deliberate about making it strong.

Consent must be explicit. You must take an affirmative action, ticking a box or clicking “I Agree.” Silence or inaction does not count as consent. If you do nothing, nothing is shared.

Consent is time-bound. Each consent grant has a maximum validity of six months. After six months, the sharing arrangement automatically expires. You will receive a notification before expiry so you can renew if you still want the service. If you do not renew, sharing stops.

Consent is revocable at any time. You can withdraw consent instantly through a dashboard provided by either the data provider (your bank) or the data consumer (the app or institution receiving your data). Revocation must take effect in real time.

Consent is granular. You specify what information is shared, for what purpose, with whom, and for how long. You are not granting a blanket, open-ended permission.

This consent architecture is meaningfully different from the current norm, where fintech apps often ask you to share your banking login credentials directly with them. That practice carries real risk because it is unregulated and unmonitored.

What Changes for Consumers in Practice

The shift may feel invisible at first, but over time it should change what you can do with your financial data in concrete ways.

Better loan applications

A lender can, with your consent, pull 12 months of verified transaction history directly from your bank via API. This replaces manually downloading and emailing PDF statements. It is faster, less prone to fraud, and may benefit borrowers who have thin credit files but strong transaction histories.

Smarter budgeting and financial apps

Most Malaysian personal finance apps today rely on manually entered data or risky credential-sharing. Under Open Finance, apps connect to your accounts through a regulated, standardised channel. You grant one consent and the app gets the data it needs securely.

Switching and comparison

Open Finance makes it easier for a comparison platform to access your actual account data rather than relying on self-reported estimates. That creates real competitive pressure on pricing and service quality across banks.

EPF data integration

EPF/KWSP is part of the PayNet pilot. This opens the door to scenarios where a financial planner or retirement tool can, with your permission, view both your bank transaction history and your EPF contribution balance in one place, a holistic picture that is currently impossible to assemble through regulated channels.

Open Finance vs Open Banking: What Is the Difference?

These terms are sometimes used interchangeably, but they are not the same.

| Feature | Open Banking | Open Finance |
|---|---|---|
| Data scope | Mainly current and savings accounts | Banks, insurers, EPF, e-money issuers |
| Regulatory driver | BNM (narrower mandate) | BNM (broader, whole-of-system approach) |
| API standardisation | Partial, inconsistent | Mandated, standardised via PayNet |
| Consent framework | Ad hoc or absent | Formal, time-bound, revocable |
| Consumer dashboard | Not required | Real-time, mandatory |

Malaysia never had a formal Open Banking regulation, so it is going directly to Open Finance, which is a more ambitious starting point.

What You Should Watch Out For

Open Finance creates new opportunities but also new surfaces for risk. Here is what consumers should keep in mind:

Phishing and impersonation. Scammers may impersonate open finance platforms and ask you to “grant consent” through fake screens. Always initiate consent from your bank’s own verified app or website, never from a link in an email or WhatsApp message.

Consent fatigue. The six-month expiry is a protection feature, but it means you will get renewal requests regularly. Read them before renewing; if you no longer use the service, let the consent lapse.

Third-party data security. Apps receiving your data must be licensed as data consumers under the framework. Still, check what each party says it will do with your data before granting consent.

Scope creep. The mandated dataset covers only transaction history and balance. If an app asks for more, you are agreeing to voluntary additional sharing. Know what you are signing up for.

Key Takeaways

  • BNM’s Open Finance Exposure Draft was released on 18 November 2025; the final policy is expected in the second half of 2026.
  • Mandatory rollout begins 1 January 2027 for the largest banks, scaling to smaller institutions and e-money issuers by 2029.
  • Your bank must share your last 12 months of transaction history and your current balance if you give explicit consent.
  • Consent is capped at six months per grant and can be revoked at any time through a real-time dashboard.
  • PayNet is building the technical infrastructure, with seven banks and EPF already in the pilot.
  • Open Finance is broader than Open Banking: it will eventually cover insurance, EPF, and e-money data alongside bank accounts.
  • No credential sharing: you never hand your login details to a third party under this framework.

Frequently Asked Questions

Do I have to participate in Open Finance?

No. Open Finance is opt-in for consumers. Financial institutions are required to build the infrastructure and honour consent requests, but you decide whether to share your data and with whom. If you do nothing, your data stays within your bank as it does today.

No. Under the proposed framework, any sharing of mandated data requires your explicit affirmative consent. Institutions cannot share your data based on inaction, buried terms and conditions, or pre-ticked boxes.

What happens if a data consumer misuses my data?

Licensed data consumers are regulated by BNM and subject to enforcement action. The framework requires them to use your data only for the purpose you consented to. If you believe your data has been misused, you can file a complaint with BNM through its financial consumer alert and complaint channels.

Is this the same as the banking API portal BNM already runs?

Not quite. BNM’s existing API Kijang portal publishes public economic and financial data, such as exchange rates and OPR decisions. Open Finance is about sharing your personal account data, which is a different and more sensitive category that requires your consent.

When will I actually see a difference as a consumer?

The earliest you are likely to encounter Open Finance features in everyday apps is 2027, when Phase 1 banks go live. Licensed fintech apps will need time to build compliant products, so the real shift in consumer experience will become visible between 2027 and 2029 as more institutions come online.


For related reading, see Understanding Digital Banks and E-Wallets in Malaysia and How Your Credit Score Works in Malaysia (CCRIS and CTOS).

Reviewed by Teh Kim Guan, ACMA, CGMA

Malaysia-based chartered management accountant (ACMA, CGMA) and embedded executive who has worked across finance, operations, and product roles with Malaysian companies. Every WangWise guide is checked against official Malaysian sources.

Educational content only, not financial advice. Verify current figures with official sources.