The Malaysian government has initiated a comprehensive examination of how to better shield cybercrime victims from financial loss and legal limbo, with the Legal Affairs Division (BHEUU) spearheading efforts that could reshape the nation's approach to digital crime. Speaking at the National Cyber Security Summit 2026 in Putrajaya on July 7, Minister in the Prime Minister's Department (Law and Institutional Reform) Datuk Seri Azalina Othman Said outlined the scope of the inquiry, which extends beyond simply punishing offenders to creating substantive remedies for those who fall prey to online scams and related offences.

The current Malaysian legal infrastructure, while robust in its capacity to prosecute cybercriminals under statutes such as the Penal Code and Criminal Procedure Code, has long treated victim recovery as secondary to criminal enforcement. This gap in the system leaves many Malaysians who lose money to online fraud with few practical recourse mechanisms beyond filing police reports and hoping insurance or their banks might intervene voluntarily. Azalina acknowledged this structural weakness, noting that existing protections remain inadequate and that victims frequently surrender to permanent financial loss without meaningful institutional support or compensation pathways.

The BHEUU's investigation will examine multiple dimensions of victim protection, beginning with mechanisms that could facilitate the return of stolen funds to defrauded individuals. This represents a significant pivot toward victim-centric justice, moving beyond the traditional criminal law paradigm that prioritizes offender punishment over restitution. The study will also assess whether Malaysia should adopt harsher sentencing frameworks, including corporal punishment such as caning, which some neighbouring jurisdictions like Singapore have incorporated into their cybercrime penalties. The minister indicated that Malaysia's current punishment regime relies on fines and custodial sentences, suggesting that policymakers see potential merit in exploring additional deterrents.

International comparative analysis forms a cornerstone of this inquiry. Azalina specifically flagged the United Kingdom and Australia as models worth examining, particularly their approaches to bank-led refund mechanisms for online scam victims. In these countries, financial institutions bear responsibility for compensating customers who fall victim to authenticated fraud, creating a powerful incentive for banks to invest in fraud prevention while simultaneously ensuring that victims do not bear the full financial burden of criminal activity. Such systems fundamentally reorder the relationship between banks, customers, and law enforcement, positioning financial institutions as frontline defenders rather than neutral transaction processors.

Malaysia's central bank, Bank Negara, has not yet committed to a similar compensatory framework, though the BHEUU study will evaluate whether such a mechanism could work within the local banking ecosystem. The absence of a mandatory bank refund policy in Malaysia reflects both regulatory conservatism and concerns about moral hazard—the fear that guaranteed compensation might reduce customers' vigilance in protecting their credentials and account information. However, as online fraud losses mount across the country and consumer confidence in digital banking erodes, pressure on Bank Negara to reconsider this position will likely intensify.

The study's timeline remains undefined, suggesting that policymakers recognize the complexity of redesigning victim protection systems. Implementing international best practices requires careful calibration to the Malaysian legal, financial, and technological context. Regulators must balance victim protection against concerns that overly generous compensation schemes could increase fraud attempts or drive up banking costs, which banks might pass to consumers through higher fees. Additionally, Malaysia's diverse population and varying levels of digital literacy mean that any protection framework must be accessible and understandable across different demographic groups.

Cybercrime has emerged as one of Southeast Asia's most pressing security challenges, with Malaysia recording some of the region's highest losses to online fraud. The country's rapid digital transformation, accelerated by pandemic-era adoption of e-commerce and digital payments, has expanded the attack surface available to criminals while creating millions of potential victims with varying degrees of cybersecurity awareness. The government's decision to undertake this systematic review reflects acknowledgment that reactive policing and prosecution alone cannot contain the problem.

The study also addresses a broader victim rights concern that extends beyond financial restitution. BHEUU will examine how Malaysia can strengthen protections for victims of online harms and digital offences more generally, including concerns around harassment, defamation, and privacy violations in digital spaces. This holistic approach suggests that policymakers view cybercrime victim protection as part of a larger framework for digital rights and responsibilities rather than an isolated financial compensation question.

For Malaysian citizens and businesses, the implications are significant. A strengthened victim protection regime could encourage greater adoption of digital financial services among those currently wary of online fraud risk, thereby supporting Malaysia's digital economy aspirations. For businesses operating in the fintech and digital payment sectors, clarity on victim protection obligations and bank liability will be essential for business model planning and capital allocation. Regional competitors in Singapore, Thailand, and Indonesia are similarly grappling with cybercrime victim protection, making Malaysia's decisions part of a broader Southeast Asian regulatory convergence that will shape how digital commerce develops across the region.

The study represents more than bureaucratic procedure; it signals a philosophical shift toward recognizing cybercrime victims as rights-holders deserving of institutional protection rather than merely unfortunate individuals who should have exercised greater caution. As Azalina indicated, the government is moving beyond the assumption that victims bear sole responsibility for their misfortune and toward a model where banks, regulators, law enforcement, and technology platforms share responsibility for preventing fraud and compensating those who suffer despite reasonable precautions. Whether this approach ultimately materializes into concrete legislative changes will depend on the BHEUU's findings and political will to implement reforms that may impose costs on the banking sector.