The Malaysian government is moving to bolster its approach to safeguarding cybercrime victims through a comprehensive institutional review, recognising that the country's current legal protections fall short of what many affected individuals require. Datuk Seri Azalina Othman Said, the Minister in the Prime Minister's Department (Law and Institutional Reform), outlined this initiative during a press conference in Putrajaya following the National Cyber Security Summit (NCSS) 2026, signalling a shift towards victim-centred policymaking in an increasingly digitalised society facing mounting online fraud threats.
The Legal Affairs Division (BHEUU) has been tasked with developing a more robust framework that addresses multiple dimensions of cybercrime harm. Beyond merely prosecuting offenders, the study will examine pathways for victims to recover financial losses—a critical gap in Malaysia's current system where many individuals who fall prey to online scams receive little assistance in retrieving stolen funds. This represents a significant acknowledgement that criminal justice alone cannot resolve the full scope of cybercrime's impact on ordinary Malaysians.
The Azalina-led initiative will also investigate international penalty structures that might deter potential offenders more effectively than Malaysia's present approach. Singapore's use of caning as a supplementary punishment for cybercriminals has been flagged as a potential model worthy of study, though the minister noted that Malaysia's framework currently relies on fines and custodial sentences. The comparative analysis will help policymakers determine whether enhanced deterrence mechanisms could be adapted to the Malaysian legal context while respecting constitutional and human rights considerations.
A particular focus will be placed on victim recovery mechanisms that have proven effective in Commonwealth nations and beyond. The United Kingdom and Australia operate systems in which banks assume responsibility for refunding customers who fall victim to online scams, provided certain conditions are met. Such an arrangement would represent a fundamental departure from Malaysia's current practice, where financial losses typically remain the individual's burden. Bank Negara Malaysia has not yet committed to such a framework, but the government's willingness to examine it signals openness to innovative solutions that shift responsibility toward the financial institutions that facilitate these transactions.
Malaysia's existing legal apparatus, anchored primarily in the Penal Code and Criminal Procedure Code, emphasises prosecutorial action rather than victim support. Azalina acknowledged this structural imbalance, noting that while the government possesses tools to pursue offenders, the mechanisms available to assist those who have already suffered loss remain underdeveloped. This distinction is crucial: a victim who has lost money has different needs than the state's interest in punishment, and current Malaysian law conflates these separate concerns.
The scope of BHEUU's examination extends beyond traditional cybercrime to encompass the broader landscape of online harms and digital offences. This holistic approach reflects an understanding that threats in the digital sphere take multiple forms, from conventional financial fraud to harassment, identity theft, and other harmful activities that may not neatly fit existing offence categories. By casting a wide net, policymakers hope to develop principles and protections that can adapt as threats evolve.
The absence of clear timelines for completing the study underscores the complexity of the undertaking. Policymakers cannot simply transplant foreign legal mechanisms without understanding their cultural, institutional, and constitutional contexts. Singapore's caning provisions, for instance, operate within a vastly different sentencing framework and social tolerance for corporal punishment than Malaysia possesses. Similarly, the refund mechanisms in the UK and Australia function within specific banking regulatory environments and consumer protection regimes that do not have precise Malaysian equivalents.
For Malaysian cybercrime victims, the implications of this review could be transformative. Currently, those who lose money to online scammers often find themselves isolated, with police focused on investigation and prosecution rather than asset recovery, and banks typically unwilling to reimburse transactions the victim authorised, even if under deception. A victim-centred legal framework could introduce mandatory bank liability for certain categories of scams, establish dedicated victim support units within law enforcement, and create pathways to compensation through proceeds of crime legislation.
From a regional perspective, Malaysia's move towards comprehensive victim protection aligns with broader Southeast Asian concerns about cybercrime's accelerating prevalence. As the region's digital economy expands and more citizens conduct financial transactions online, the volume of potential victims grows correspondingly. Countries that develop effective protective mechanisms may provide models that others can adapt, creating a positive feedback loop of institutional innovation across the region.
The study also touches on a fundamental tension in cybercrime policy: the balance between criminal deterrence and victim assistance. Harsher penalties may discourage some would-be offenders, but they do nothing for those already victimised. A truly comprehensive approach requires investment in both areas simultaneously, along with prevention through public education and technical security measures. Malaysia's decision to examine all three dimensions—victim support, offender deterrence, and international best practice—suggests a maturing recognition that cybersecurity requires multifaceted solutions rather than criminal law alone.
Bank Negara's pending decision on refund mechanisms will prove pivotal. If the central bank endorses responsibility-shifting to financial institutions for certain categories of online fraud, it would represent a watershed moment in Malaysian consumer protection. Banks typically resist such liability, arguing it creates moral hazard by removing victim incentive to exercise caution. However, banks also possess superior ability to detect and prevent fraudulent transactions through technology and expertise. The balancing of these considerations will shape how Malaysia's eventual victim protection framework distributes responsibility between individuals, banks, and government.
As the BHEUU proceeds with its investigation, stakeholders across law enforcement, the banking sector, victim advocacy groups, and civil society will likely demand input into the process. The eventual recommendations will need to satisfy multiple constituencies with competing interests: victims seeking compensation, banks concerned about cost and liability, prosecutors focused on enforcement, and policymakers weighing budgetary constraints. How Malaysia navigates these tensions will determine whether the resulting framework represents genuine progress or merely cosmetic reform.
