Malaysia's government has initiated a comprehensive examination of how to better safeguard people who fall victim to cybercrime, with particular focus on recovering stolen funds and strengthening the consequences for those who commit online offences. Datuk Seri Azalina Othman Said, who serves as Minister in the Prime Minister's Department (Law and Institutional Reform), disclosed the study during remarks made at the National Cyber Security Summit (NCSS) 2026 in Putrajaya on July 7. The Legal Affairs Division (BHEUU) is spearheading the investigation into developing more robust mechanisms to support victims across a range of digital crimes and online harms.

The current approach in Malaysia predominantly emphasizes prosecution of offenders through existing legislation rather than comprehensive victim support. The Penal Code and Criminal Procedure Code remain the primary tools for holding cybercriminals accountable, but this framework leaves significant gaps when it comes to actually helping people recoup money lost to scams or other digital fraud. Azalina acknowledged that victims frequently have minimal recourse beyond filing police reports, and in numerous instances, they never recover their stolen funds. This reality has prompted the government to look beyond punishment-focused approaches toward more victim-centric solutions that address the practical aftermath of cybercrime.

One of the most significant areas under examination involves mandatory bank refunds for online scam victims, a practice already established in developed economies. The United Kingdom and Australia both operate systems where financial institutions reimburse customers who become victims of authorized fraud—essentially holding banks accountable for failing to prevent fraudulent transfers. Bank Negara Malaysia has not yet committed to implementing a comparable mechanism, but the framework is being seriously considered as part of the broader study. This potential shift would represent a meaningful change in how Malaysia approaches victim compensation, moving responsibility upstream to financial institutions to verify and protect transactions rather than leaving victims to absorb losses themselves.

The examination also extends to reviewing penalty structures for offenders across different jurisdictions. Singapore's criminal justice system permits caning as part of sentencing for certain crimes, a practice that stands in contrast to Malaysia's current approach of relying on fines and imprisonment. By studying what penalties other nations impose, the government aims to determine whether Malaysia's existing sentencing options adequately deter cybercriminals or whether additional measures should be introduced. This comparative analysis reflects a recognition that Malaysia's current penalty regime may not sufficiently reflect the severity or prevalence of cybercrime in the region.

The Legal Affairs Division's investigation encompasses a broad scope that goes well beyond simple fraud. The study examines victim protection across cybercrime generally, online harms, and digital offences—categories that have expanded considerably as technology becomes more embedded in daily life. This inclusive approach acknowledges that the term "cybercrime victim" now encompasses people experiencing identity theft, phishing attacks, ransomware targeting, sexual exploitation, defamation, and numerous other digital violations. A one-size-fits-all approach to victim protection may therefore prove inadequate, and the study may recommend tailored protections depending on the nature and severity of the harm.

Drawing lessons from international best practices represents a crucial component of Malaysia's research strategy. Rather than designing solutions entirely from first principles, the government recognizes that other nations have already grappled with similar challenges and developed evidence-based approaches. The study will scrutinize not only what mechanisms exist elsewhere but also assess their practical effectiveness and cultural compatibility with the Malaysian context. Some international models may not transplant easily into Malaysia's legal, institutional, or social environment, making careful evaluation essential before implementation.

The absence of a defined timeline for completing the study suggests that the government views this as a substantive undertaking rather than a superficial review. Complex questions about victim compensation, appropriate penalty levels, institutional responsibility, and legal framework modifications cannot be addressed hastily. The thoroughness of the examination will likely determine the quality and durability of any reforms that emerge, making the investment in research time justified from a policy perspective.

For Malaysian citizens, the implications are considerable. Growing engagement with digital platforms and e-commerce has created unprecedented exposure to online fraud. Scams targeting investment platforms, cryptocurrency schemes, and sophisticated phishing attacks have inflicted serious financial damage across the population. Students, elderly individuals, and professionals have all fallen victim to increasingly sophisticated digital crimes. The current legal framework, while addressing prosecution, offers little solace to those who have already lost substantial sums. A victim protection system that enables fund recovery or provides alternative compensation mechanisms would represent tangible progress in this space.

The potential implementation of bank refund schemes carries particular significance for Malaysia's financial sector and consumer confidence in digital banking. As Malaysia pushes toward greater financial digitalization and cashless transactions, consumer trust in the security of online transactions becomes essential infrastructure. If banks can be held liable for failing to detect or prevent fraudulent transactions, they have greater incentive to invest in sophisticated fraud detection systems and customer verification protocols. This alignment of institutional interests with consumer protection creates a virtuous cycle where security improvements benefit both banks and customers.

Regionally, Malaysia's initiative reflects broader Southeast Asian concern about the rising tide of cybercrime. Singapore, Thailand, Indonesia, and other regional neighbors face similar pressures from organized cybercriminal networks operating across borders. A more robust Malaysian framework could potentially inform regional cooperation on victim protection standards and penalty harmonization. The study's findings may contribute to regional dialogue on establishing minimum standards for cybercrime victim protection, much as ASEAN has developed frameworks in other areas of shared concern.

Azalina's framing of the study as examining both victim protection and offender deterrence demonstrates recognition that an effective cybercrime response requires multifaceted action. Strengthening consequences for offenders without supporting victims leaves communities vulnerable, while supporting victims without adequately deterring offenders fails to address the root problem. The government's holistic approach, therefore, represents a more sophisticated understanding of what comprehensive cybercrime policy requires than has historically characterized Malaysian law enforcement responses.