Malaysia has positioned itself as Southeast Asia's preferred destination for AI investment and development, and its governance architecture reflects that ambition: voluntary principles for broad market guidance, sector-specific binding obligations through BNM and the Securities Commission, and a recently strengthened Personal Data Protection Act. For global operators entering the Malaysian market or managing AI deployments that affect Malaysian users, the compliance picture requires understanding all three layers and recognising how they interact with extraterritorial obligations under the EU AI Act.
Key takeaways
- MDEC's AI Principles for Malaysia (2024) are voluntary guidance across six dimensions: accountability, transparency, privacy and data governance, safety and reliability, fairness, and human-centricity. Non-adoption carries no direct statutory penalty, but they serve as the reference framework for government procurement and are increasingly referenced in enterprise contracts.
- Bank Negara Malaysia's Responsible AI Framework for Financial Institutions (RAFT, 2024) is supervisory guidance rather than a prudential standard, but BNM examines AI governance in its risk-based supervisory reviews. BNM-regulated entities that lack documented AI governance frameworks face supervisory risk.
- The Personal Data Protection Act 2010 (PDPA), as amended in 2024, requires that personal data processing in commercial transactions meets accuracy, purpose limitation, and accountability standards. Automated processing that significantly affects data subjects requires transparency and accountability measures consistent with the Act.
- Malaysia's National AI Roadmap 2021-2025 is nearing the end of its term. The government is expected to publish an updated strategy in late 2026, which is likely to introduce more structured compliance frameworks, including possible sectoral AI regulations beyond financial services.
- The EU AI Act (Regulation (EU) 2024/1689) applies to any operator whose AI outputs affect EU persons, regardless of where the operator is incorporated. Malaysian companies with EU customers or EU-facing AI deployments are within the EU Act's extraterritorial scope.
Malaysia's position in regional AI governance
Malaysia's approach to AI governance is shaped by two strategic priorities that sit in productive tension. The first is the ambition to become a leading AI hub in Southeast Asia, attracting hyperscaler data centres (Microsoft, Google, and Amazon have all announced or expanded major Malaysian data centre investments since 2023), AI talent, and AI-enabled enterprise activity. The second is the need to protect consumers and maintain market integrity as AI penetration deepens across financial services, healthcare, manufacturing, and public administration.
The governance response has been layered. At the national level, voluntary principles provide a framework for responsible development without imposing compliance costs that deter investment. At the sector level, binding supervisory guidance from BNM and the Securities Commission creates real compliance obligations for regulated entities. At the data layer, the PDPA creates baseline privacy obligations that constrain automated processing of personal data.
This architecture is broadly similar to Singapore's approach, which the regional AI governance literature describes as the "ASEAN soft law model." The key difference is that Malaysia has invested more heavily in sectoral binding guidance (particularly through RAFT) and is at a more advanced stage of PDPA reform than several of its neighbours. Comparison with Singapore's Model AI Governance Framework and MAS FEAT is useful for organisations operating across both markets. See our Singapore AI governance guide for a parallel analysis.
National AI Roadmap 2021-2025 and the regulatory direction of travel
The Malaysia National AI Roadmap 2021-2025, published by the Malaysia Digital Economy Corporation (MDEC) with oversight from the Ministry of Communications and Digital, set out four strategic pillars: governance and ethics, talent and education, adoption and industry transformation, and research and innovation. The governance and ethics pillar called for the development of AI ethics principles, a national AI governance framework, and sector-specific AI guidelines.
The roadmap has largely delivered on its governance commitments. MDEC published AI Principles for Malaysia in 2024. BNM published RAFT in 2024. The Securities Commission published AI and technology governance expectations for capital markets participants. The PDPA was amended in 2024 to strengthen accountability obligations.
With the roadmap period ending in 2025, the Malaysian government is expected to publish an updated AI strategy in late 2026. Public consultation documents circulated in early 2026 indicated that the updated strategy would consider more structured compliance requirements, including possible mandatory AI impact assessments for high-risk deployments in critical sectors, and a regulatory sandbox mechanism for novel AI applications. Operators planning Malaysian market entry or expansion should monitor the new strategy for governance obligations that may shift from voluntary to mandatory.
MDEC AI Principles: the voluntary framework
The Malaysia Digital Economy Corporation published the AI Principles for Malaysia in 2024 as the primary national AI ethics framework. The principles are aligned with the OECD AI Principles (updated 2024) and the G7 Hiroshima AI Process outcomes, reflecting Malaysia's participation in multilateral AI governance processes.
The six principles are as follows.
Accountability. Organisations developing or deploying AI must accept responsibility for the decisions, actions, and impacts of their AI systems. Accountability requires clear ownership of AI systems at the organisational level, documented governance structures, and the ability to explain and justify AI decisions when questioned by affected parties or regulators.
Transparency. AI systems should be understandable and explainable to the extent necessary for their use context. For consumer-facing AI, transparency requires that individuals know they are interacting with an AI system and understand the basis on which AI-assisted decisions affecting them are made. For regulated AI, transparency requires documentation of the system's logic and limitations sufficient to support supervisory review.
Privacy and Data Governance. AI systems must be developed and deployed in compliance with the PDPA and with internationally recognised data governance standards. This principle specifically addresses training data governance: organisations must be able to demonstrate that training data was lawfully collected, appropriately representative, and subject to data minimisation principles.
Safety and Reliability. AI systems must perform as intended and must be tested for performance across the range of conditions in which they will be deployed. This principle requires documented testing, monitoring, and incident response processes. For AI systems deployed in critical sectors (healthcare, financial services, infrastructure), safety and reliability requirements are amplified by sector-specific guidance.
Fairness. AI systems must not produce discriminatory outcomes or systematically disadvantage individuals on the basis of protected characteristics. Fairness requires bias testing during development, monitoring during deployment, and mechanisms for affected individuals to contest AI-influenced decisions.
Human-Centricity. AI systems should serve human interests and should preserve meaningful human control over decisions that significantly affect individuals. This principle addresses the level of automation in consequential decisions: AI should augment rather than displace human judgment in high-stakes contexts.
The principles are voluntary. MDEC does not have enforcement powers over private sector organisations for non-compliance with the principles alone. However, compliance with the principles is increasingly referenced in Malaysian government procurement requirements, and large enterprises operating in Malaysia have begun incorporating MDEC principle alignment into their AI governance reporting.
BNM Responsible AI Framework for Financial Institutions (RAFT)
Bank Negara Malaysia published the Responsible AI Framework for Financial Institutions (RAFT) in 2024 as supervisory guidance for banks, development financial institutions, insurers, takaful operators, payment system operators, and money service businesses regulated under the Financial Services Act 2013 and the Islamic Financial Services Act 2013.
RAFT is structured around five governance pillars: accountability, fairness, responsible use of data, security and robustness, and transparency. Each pillar sets out supervisory expectations for how BNM-regulated institutions should manage AI risk in that dimension.
Under the accountability pillar, RAFT requires that BNM-regulated institutions designate senior management ownership of AI governance, maintain a register of material AI applications, and implement documented approval and review processes for deploying new AI applications. This resembles the model risk management requirements that BNM and equivalent regulators globally apply to quantitative models in credit and market risk: AI models in financial institutions are now expected to meet model governance standards comparable to those for traditional actuarial and risk models.
Under the fairness pillar, RAFT requires that institutions assess AI applications for discriminatory outcomes, particularly in credit, insurance, and employment decisions. This mirrors the approach taken by the Monetary Authority of Singapore through the Veritas Initiative: quantitative fairness assessment methodology for specific high-stakes use cases is expected to become best practice across the ASEAN financial services sector.
Under the transparency pillar, RAFT requires that customers who are subject to AI-assisted decisions receive sufficient information to understand the basis of those decisions and to seek human review where appropriate. This overlaps with PDPA obligations but is more specific in its application to financial services contexts.
RAFT compliance is examined through BNM's risk-based supervisory process. Institutions that lack documented AI governance frameworks, that cannot demonstrate model validation for material AI applications, or that cannot show evidence of fairness assessment for AI used in consumer-facing decisions are exposed to adverse supervisory findings and potential supervisory action. The framework does not specify monetary penalties for non-compliance, but BNM has broad enforcement powers under the Financial Services Act, including the ability to impose corrective action requirements, management action plans, and, in extreme cases, licence conditions or revocation.
Securities Commission: AI and technology governance in capital markets
The Securities Commission Malaysia (SC) has issued technology risk management and governance guidance that applies to capital markets licence holders, including investment banks, fund managers, and licensed financial advisers. The guidance addresses the use of algorithmic trading, automated advisory systems (robo-advisers), and AI-assisted research and recommendation systems.
SC-regulated entities using AI in client-facing functions are expected to maintain documentation of the systems' logic, testing, and performance monitoring. Robo-advisers and automated investment management services must comply with the SC's Guidelines on Digital Investment Management, which require clear disclosure to clients that investment recommendations are generated by an automated system and provide the client with the option to request explanation or human review.
The SC's approach reflects the same pattern as BNM RAFT: sector-specific binding guidance through existing regulatory relationships, rather than a standalone AI regulation. For capital markets operators, this means AI governance is embedded in existing technology risk management obligations rather than requiring a separate compliance programme.
Personal Data Protection Act 2010 and the 2024 amendments
The Personal Data Protection Act 2010 (PDPA) applies to the processing of personal data in commercial transactions by data users in Malaysia. The Act was significantly amended in 2024 by the Personal Data Protection (Amendment) Act 2024, which introduced new obligations including data portability rights, mandatory data breach notification within 72 hours, and strengthened accountability requirements for data processors.
The PDPA's original seven data protection principles remain the foundation of the framework: General Principle (lawfulness and consent), Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. The 2024 amendments added a data portability right and explicitly extended the accountability obligation to require that data users ensure their data processors (including third-party AI service providers) comply with the Act's requirements.
For AI deployments, the relevant PDPA obligations cluster around three areas. First, the General Principle requires that personal data used to train or operate AI systems was collected with appropriate consent or a lawful basis. Training an AI model on Malaysian customer data without appropriate consent or legitimate purpose creates a breach of the General Principle. Second, the Data Integrity Principle requires that personal data used in automated processing is accurate and up to date. This applies to AI systems that make decisions based on customer profiles: stale or inaccurate data in an AI model can create a PDPA compliance issue independent of the accuracy of the model itself. Third, the Notice and Choice Principle requires that data subjects are informed about how their data will be processed. Where personal data is used in AI systems that generate decisions affecting the data subject, the notice must be sufficiently specific to cover that automated processing.
Enforcement of the PDPA is the responsibility of the Personal Data Protection Commissioner (PDPC). Fines under the Act reach MYR 500,000 (approximately EUR 100,000) for serious breaches, and the 2024 amendments included enhanced enforcement powers. For multinational organisations, the PDPA extraterritoriality analysis mirrors GDPR in one important respect: the Act applies to data users in Malaysia and to data processors processing personal data on behalf of data users in Malaysia. A foreign company that processes personal data of Malaysian individuals as part of an AI-enabled service delivered to a Malaysian business may be within scope as a data processor.
Comparison with the EU AI Act
The structural contrast between Malaysia's framework and the EU AI Act (Regulation (EU) 2024/1689) is similar to the contrast with other jurisdictions in the region: Malaysia relies on voluntary principles plus sector-specific binding guidance, while the EU Act is comprehensive cross-sector legislation with substantial fines and explicit extraterritorial reach.
For global operators, the EU AI Act will drive the highest compliance overhead. A Malaysian company that deploys AI products or services in the EU market, or whose AI systems generate outputs affecting EU persons, is subject to the EU Act regardless of where the company is incorporated. The relevant obligations depend on the risk classification of the system under the Act: prohibited uses under Article 5, mandatory conformity assessments for high-risk systems under Annex III, and transparency obligations under Article 50 apply based on the nature and deployment context of the AI system.
Malaysian companies entering the EU market should read this as requiring a formal EU AI Act compliance programme, not as an extension of their Malaysian governance posture. The documentation requirements of Articles 9 to 17 (risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy and robustness, and cybersecurity) are substantially more prescriptive than anything in the Malaysian voluntary framework or RAFT. A full analysis of EU AI Act obligations for deployers is available at agentliability.eu.
Conversely, a European company operating in Malaysia faces a lighter compliance environment than at home: voluntary principles, sector-specific guidance for regulated entities, and PDPA obligations for personal data processing. The PDPA obligations overlap substantially with GDPR requirements, though the Malaysian framework does not include the same explicit automated decision-making rights as GDPR Article 22. European companies that have built GDPR-compliant personal data governance will generally satisfy Malaysian PDPA obligations with targeted adjustments for the Malaysian notice and consent framework.
Operator compliance priorities for Malaysia in 2026
The following priorities reflect the compliance structure as of June 2026.
For BNM-regulated financial institutions: RAFT compliance is the primary obligation. This requires designated AI governance ownership at senior management level, a register of material AI applications, documented model validation for AI systems used in credit, insurance pricing, or consumer-facing recommendations, and customer-facing transparency mechanisms for AI-assisted decisions. For institutions also operating in the EU, RAFT obligations are complementary to but less prescriptive than EU AI Act obligations. Build one documentation framework that satisfies both.
For capital markets licence holders: SC technology risk management guidance governs AI and algorithmic systems. Robo-adviser deployments require client disclosure and the option for human review under the Guidelines on Digital Investment Management. Maintain model governance documentation consistent with SC expectations and with any international parent-company standards.
For organisations processing personal data of Malaysian individuals: PDPA compliance requires review of data collection consent and purpose specifications for any personal data used in AI systems. The 2024 amendments introduce data breach notification requirements and enhanced processor accountability: contracts with AI service providers must include appropriate data processing provisions, and the data user retains accountability for the processor's compliance.
For general commercial operators: MDEC AI Principles are the reference framework. Voluntary adoption is increasingly expected in government procurement contexts and in enterprise due diligence. Aligning your AI governance programme with the six MDEC principles provides documentation that is useful across procurement, investor due diligence, and regulatory engagement. The Agent Certified framework at agentcertified.eu maps closely to these principles and provides a structured evidence trail for the accountability, transparency, and safety dimensions.
For organisations with EU market exposure: the EU AI Act applies regardless of Malaysian incorporation. Assess which AI systems are in scope of the EU Act, classify them under the risk categories in Annex III, and build the documentation required by Articles 9 to 17 for any high-risk systems. Malaysian domestic compliance does not substitute for EU Act compliance. Coverage for EU AI Act regulatory defence costs is available from carriers including Armilla: details at agentinsured.eu.
Frequently asked questions
What are Malaysia's MDEC AI Principles?
The Malaysia Digital Economy Corporation published AI Principles for Malaysia in 2024 covering six dimensions: accountability, transparency, privacy and data governance, safety and reliability, fairness, and human-centricity. The principles are voluntary guidance aligned with OECD AI Principles and the G7 Hiroshima AI Process. They serve as the reference framework for government AI procurement and are increasingly cited in enterprise AI governance programmes. Non-adoption carries no direct statutory penalty but creates reputational and procurement risk as the framework becomes embedded in the market.
Does Malaysia's PDPA apply to automated AI decisions?
The PDPA 2010 (as amended in 2024) applies to the processing of personal data in commercial transactions. While the Act does not include an explicit automated decision-making right equivalent to GDPR Article 22, the PDPC's guidance treats automated processing affecting data subjects as subject to the Act's accountability, accuracy, and notice requirements. The 2024 amendments strengthened processor accountability, extending the data user's obligations to their AI service providers as data processors. For organisations with GDPR experience, Malaysian PDPA compliance requires targeted adjustments but follows broadly similar principles.
What are BNM's RAFT guidelines on AI in financial services?
BNM's Responsible AI Framework for Financial Institutions (RAFT), published in 2024, covers five pillars: accountability, fairness, responsible use of data, security and robustness, and transparency. It applies to all BNM-regulated entities including banks, insurers, takaful operators, and payment service providers. RAFT is supervisory guidance examined through BNM's risk-based review process. Financial institutions without documented AI governance frameworks face supervisory risk. RAFT is broadly compatible with Singapore's MAS FEAT framework, facilitating a single governance programme for organisations operating in both markets.
How does Malaysia's AI governance compare with the EU AI Act?
Malaysia relies on voluntary principles and sector-specific binding guidance. The EU AI Act is comprehensive cross-sector legislation with mandatory conformity assessments for high-risk systems, substantial fines, and explicit extraterritorial application. For organisations operating in both markets, the EU Act drives the higher compliance overhead. Malaysian PDPA obligations overlap substantially with GDPR and require targeted adjustments rather than a separate compliance programme for organisations already GDPR-compliant.
Does the EU AI Act apply to Malaysian companies operating in Europe?
Yes. The EU AI Act applies to any provider placing an AI system on the EU market and to any deployer operating an AI system whose outputs affect EU persons. A Malaysian company with EU-based customers or EU-facing AI deployments is within the Act's extraterritorial scope. The risk classification of the system under Annex III determines which obligations apply, including conformity assessments, technical documentation, post-market monitoring, and transparency requirements under Article 50.
References
- Malaysia Digital Economy Corporation (MDEC). AI Principles for Malaysia. 2024. Kuala Lumpur: MDEC.
- Malaysia Digital Economy Corporation (MDEC). National AI Roadmap 2021-2025. 2021. Kuala Lumpur: MDEC.
- Bank Negara Malaysia. Responsible AI Framework for Financial Institutions (RAFT). 2024. Kuala Lumpur: BNM.
- Securities Commission Malaysia. Guidelines on Digital Investment Management. 2021 (with 2023 updates). Kuala Lumpur: SC.
- Malaysia. Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024.
- Personal Data Protection Commissioner. Enforcement guidance on AI and automated processing. 2024-2025.
- OECD. OECD Principles on Artificial Intelligence. 2024 revision. OECD Publishing, Paris.
- G7. Hiroshima AI Process: Comprehensive Policy Framework. October 2023.
- European Parliament and Council. Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Official Journal of the European Union, 12 July 2024.
- Ministry of Communications and Digital Malaysia. Malaysia Digital Economy Blueprint (MyDIGITAL). 2021.