Justiciable

Clear Law. Real Cases


Chan Yan Li and the Bank’s Negligence

Posted on May 15, 2026 | May 16, 2026 by Justiciable

Important Note: This article is for general information and educational purposes only, and not legal advice. It draws on the written grounds of judgment dated 4 May 2026, as reported by Free Malaysia Today, Lowyat.net, The Vibes, and Fintech News Malaysia.

What a Bank’s Failure to Monitor a Customer’s Account Means for Financial Institutions


Chan Yan Li had been a loyal Maybank customer for over twenty years, holding both a housing loan account and a savings account since 2000. In the span of just a few days in June and July 2021, RM166,000 vanished from her loan account. The money was transferred into her savings account and then swiftly moved out to unknown individuals in multiple transactions, some occurring as early as 5 a.m.

Chan said she did not receive any SMS alerts or push notifications for the transactions. She only discovered the losses later and sued Maybank for negligence. The bank claimed that it had sent the notifications, but the court would soon find contradictions between the bank’s own records and the telecommunications company’s data.

On 12 May 2026, the Sessions Court delivered a judgment that, while not binding on higher courts, sends an unmistakable signal to every financial institution operating in Malaysia: a bank’s duty to monitor its customers’ accounts is not passive. When a bank shuts its eyes to an obvious fact of dishonesty, it can be held liable for the losses.

The Sessions Court’s Findings

The court examined the sequence of events in detail. The RM166,000 was transferred out of Chan’s loan account in June and July 2021. The sudden spike in activity, the court observed, clearly indicated suspicious transactions that should have triggered further checks. The bank, however, did not intervene.

The central question was whether the bank had sent the alerts. Maybank argued that it had sent SMS alerts to Chan’s registered mobile number. But the court compared the bank’s transaction reports with the subscriber records from the telecommunications provider, Digi. The records did not match. The contradictions were sufficient for the court to conclude that Chan had not received the alerts she should have been sent.

Three other individuals linked to mule accounts involved in the transactions had already pleaded guilty to offences involving the concealment of stolen property and possession of stolen items. This did not excuse the bank. The court found that Maybank was partly liable because it “shuts its eyes to an obvious fact of dishonesty.”

The Sessions Court awarded Chan RM166,000 in losses and RM15,000 in costs.

The Duty of Care in Practice

This case does not set a new legal precedent. It is a Sessions Court decision and therefore carries limited weight as authority. But it illustrates what a bank’s duty of care looks like on the ground. The judgment draws a clear line: a bank is expected to use the tools at its disposal to protect its customers from unauthorised transactions, and when it fails to act on clear warning signs, it can be held responsible.

The judge noted that “the bank has the best technology available today to detect and prevent such unauthorised and fraudulent transactions.” This is significant. It means the standard of care is tied to the tools the bank itself possesses. A bank that falls short of using its own systems effectively may be found to have breached its duty of care.

The transactions occurred in mid‑2021. In the years that followed, Bank Negara Malaysia instructed banks to phase out SMS‑based TAC and OTP, and Maybank itself introduced its Kill Switch and Secure2u features in 2023. The case stands as a reminder of why those regulatory and technological changes were necessary, and of the liability that can arise when an institution’s monitoring falls short.

Practical Takeaways for Financial Institutions

For in‑house counsel, compliance officers, and risk management teams at banks, fintech companies, and other financial institutions, the Chan Yan Li case offers several clear lessons.

  • Transaction monitoring is not optional. A sudden, unusual spike in account activity, especially transfers at odd hours, should trigger automated alerts and human follow‑up. The court treated the bank’s failure to act on those red flags as negligence.
  • Notification systems must be reliable and verifiable. The contradictions between the bank’s transaction reports and the telco records were central to the court’s findings. Financial institutions should ensure their internal records can withstand external scrutiny, and that the notifications they claim to have sent are backed by objective evidence.
  • A bank cannot rely on third‑party wrongdoing as a complete shield. Even though three individuals had pleaded guilty to criminal offences related to the mule accounts, the bank was still found partly liable. The existence of fraudsters does not absolve a financial institution of its own obligations.
  • The standard of care is tied to the institution’s own technology. The court’s remark about the bank having “the best technology available” suggests that a failure to deploy and properly monitor existing security tools can itself constitute a breach of duty. The standard is not simply whether a bank possesses adequate systems, but whether it uses them to detect and prevent suspicious transactions as they occur.
  • Sessions Court decisions are not binding but are influential. While this judgment does not set a precedent for higher courts, it offers a persuasive and detailed example of how a court approaches the duty of care in the context of unauthorised transactions. It is a warning that compliance teams should take seriously.

A Closing Thought

Chan Yan Li had been a customer for more than two decades. The RM166,000 she lost was not a minor sum, and the emotional and financial toll of unauthorised transactions is not something a court judgment can easily undo. It took nearly five years for her to obtain compensation.

For financial institutions, the lesson is straightforward. The systems, the alerts, and the monitoring are not simply operational matters to be handled by IT departments. They are legal obligations. When a bank turns a blind eye to what is plainly suspicious, the courts will hold it to account.


© 2026 justiciable.media. All rights reserved.
A Publication of ILS Smart Solutions (M) Sdn Bhd (Reg. No. 202401014953)