
Malaysia's New MyKad Anchors a Mandatory Digital-ID Stack That Now Gates SIM Cards

From June 1, a hardened polycarbonate MyKad underpins MyDigital ID — which already gates prepaid SIMs and 100+ services. The card is sound; the safeguards lag.

[Infographic: "One Card, One ID: Malaysia's Binding of Identity to …", People of Internet Research · Malaysia (peopleofinternet.com). 53 MyKad security elements, up from 23 on the current card. ~10M MyDigital ID accounts as of mid-Feb 2026; target 17M by year-e… RM458M in 2025 e-fraud losses, up from RM65M in 2024. 5 prepaid SIMs per telco: cap per citizen, tied to verified …]

Key Takeaways

On May 7, 2026, Malaysia's National Registration Department (JPN) detailed the new-generation MyKad that begins rolling out June 1. According to director-general Datuk Badrul Hisham Alias, the polycarbonate card carries 53 security elements — up from 23 on the current card — including laser engraving, ultraviolet features, holograms, guilloche patterns, microtext, a QR code for authenticity verification, and an enhanced-encryption chip reported at 124–128KB. Notably, it drops the Touch 'n Go payments applet to stay, in JPN's framing, focused purely on identity and government verification.

The engineering here is unambiguously good. A polycarbonate body is the same substrate used in modern e-passports and bank cards; more anti-counterfeit features and a bigger crypto chip make the physical credential harder to forge. And the decision to strip payments is the right instinct — a national identity card should do one thing well, not accumulate functions until a breach in one compromises all. The hard questions are not about the card. They are about the system the card now anchors.

The card is the front end of a much larger stack

The new MyKad is the physical root of trust for MyDigital ID, Malaysia's single-sign-on identity layer that verifies citizens directly against the JPN database in real time. MyDigital ID is no longer a niche convenience. It reached roughly 10 million accounts by mid-February 2026 — up from 7.3 million at the end of 2025 and just 1.8 million a year earlier — and the operator targets 17 million by year-end (Biometric Update). It already plugs into more than 100 public- and private-sector applications, and Putrajaya wants 95% of federal services online by 2030.

The most consequential gate is connectivity. On February 26, 2026, the MCMC registered a Commission Determination on the Mandatory Standards for the Registration of End-users of Prepaid Public Cellular Services, issued under sections 55 and 104(1)(b) of the Communications and Multimedia Act 1998 (The Star). It requires biometric verification and MyDigital ID for self-registration, caps citizens and residents at five prepaid SIMs per operator, and limits non-citizens to two. In effect, your right to activate a mobile line is now bound to your national identity credential.

The case for binding SIMs to identity is real

It would be a mistake to wave this away as overreach. The strongest argument for SIM-identity binding is that anonymous prepaid numbers are the working capital of fraud, and Malaysia's fraud problem is genuinely severe. The National Cyber Security Agency recorded 5,159 e-financial fraud cases in 2025, against 1,812 in 2024 — and losses of RM458 million, up from RM65 million the year before. When scam syndicates rotate through disposable SIMs faster than enforcement can trace them, requiring a verified identity at the point of activation is a proportionate, internationally common countermeasure. MCMC has framed prepaid registration in exactly these terms since 2006, citing national security and crime prevention (MCMC). A five-SIM cap and a verified registrant are defensible policy, not surveillance for its own sake.

Where proportionality actually breaks

The problem is not the goal; it is the governance gap around the credential. Three issues turn a reasonable fraud measure into an open-ended risk.

First, accountability is asymmetric. Malaysia's Personal Data Protection Act 2010 explicitly does not apply to federal and state governments (Free Malaysia Today). A private telco can be fined for leaking your data; the agencies holding the master identity database cannot. A statutory compensation framework for state breaches is still only being studied.

Second, the track record is not reassuring. Malaysia has seen 46 million mobile subscriber records leaked in 2017, some 22.5 million MyKad records offered for sale in 2022, and the MySejahtera episode in which an approved account downloaded three million users' personal data. Funnelling every adult into one credential that gates SIMs, passports, housing and aid raises the blast radius of any single failure.

Third, "voluntary" is becoming a formality. When a digital ID is required to obtain a phone line and a growing list of essential services, enrolment is mandatory in everything but name. That is a legitimate design choice only if it is paired with hard guardrails and a genuine non-digital fallback for those who cannot or will not enrol.

Match the governance to the engineering

The fix is not to halt the rollout — it is to apply to the data the same discipline JPN applied to the card. That means extending PDPA obligations to government data controllers, legislating statutory liability and compensation for state breaches, mandating data minimisation and independent oversight of the identity database, and guaranteeing an offline route to SIMs and core services so connectivity is never conditioned on biometric enrolment alone.

Malaysia got the easy part right. The new MyKad is sound public infrastructure, and binding mobile lines to a verified identity is a reasonable response to a real fraud epidemic. But the country is making digital identity effectively compulsory faster than it is closing the accountability gap its own breaches exposed. The card dropped a function to stay focused; the policy framework around it should show the same restraint.

Sources & Citations

  1. MCMC — Prepaid registration rationale
  2. MCMC — Registration of prepaid end-users
  3. The Star — MCMC mandatory SIM standard
  4. Lowyat.NET — Next-gen MyKad, 53 security elements
  5. Biometric Update — MyDigital ID growth & fraud data
  6. Free Malaysia Today — MyDigital ID privacy critique