Malaysia's Risk Mitigation Code Bets on Labelling and Advertiser ID — Not Takedown Mandates

Malaysia's RMC, in force June 1, leans on transparency and verification — a more proportionate model than blunt content bans, if MCMC enforces it that way.

[Infographic: Malaysia's Online Safety Codes, by the Numbers (People of Internet Research, Malaysia). RM10M: max non-compliance penalty. 41,394: AI disinfo posts removed by MCMC. 8M users: age-verification threshold. 16: minimum social media age.]

Key Takeaways

On June 1, 2026, the Malaysian Communications and Multimedia Commission (MCMC) brought its Risk Mitigation Code (RMC) into force under the Online Safety Act 2025 (ONSA), alongside a parallel Child Protection Code. The RMC requires licensed platforms to label AI-generated and manipulated media, verify advertisers against government records, run periodic safety risk assessments, and upgrade their reporting and moderation systems. MCMC has described the package as the country's strongest measures yet against online scams and misinformation.

What is notable is what the RMC mostly does not do. Read carefully, it is less a censorship regime than a transparency-and-verification regime — and that distinction is the whole ballgame for whether it helps or harms Malaysia's open internet.

The strongest case for acting

The regulator's case is genuinely strong, and worth stating plainly before contesting any of it. Malaysians are drowning in platform-borne fraud. MCMC reported removing 41,394 AI-generated disinformation posts between January 2022 and August 2023, including over a thousand deepfake investment-scam posts impersonating public figures. Scams now ride on the same trusted apps people use for banking, messaging and maps — a dynamic Rest of World documented across South Asia in June 2026. When a deepfake of a finance minister endorses a fake crypto fund, the harm is concrete, the victims are real, and "platform discretion" has demonstrably failed to contain it. A government elected to protect its citizens has a legitimate interest in forcing platforms to internalise costs they have spent years externalising.

The RMC's design reflects that the smarter instinct is to regulate process, not speech. Rather than handing MCMC a list of banned posts, it obliges providers to conduct detailed, regularly updated risk assessments of how their features, algorithms and recommendation systems expose users — children especially — to harm, and to keep written records of them. This is systemic-risk regulation in the mould of the EU's Digital Services Act: the state audits the safety machinery, not the individual message.

Where transparency is the right tool

The RMC's two headline duties — labelling AI-generated content and verifying advertisers — are the kind of intervention pro-innovation policy should welcome, because they expand the information available to users rather than shrinking the universe of permitted speech.

Labelling a deepfake does not delete it; it lets a citizen judge it. Verifying that the entity behind a paid political or investment ad is who it claims to be does not silence advocacy; it attaches accountability to money spent to amplify a message. Per analysis by Rahmat Lim & Partners, the code requires platforms to check advertisers against government-issued records — MyKad, business registration documents, passports — before sponsored content runs. For a country heading toward state elections where AI-cloned candidate videos are a live threat, advertiser provenance is among the least speech-restrictive tools available. It targets the deception about who is speaking, which even free-speech maximalists concede is not protected expression.

Where the risks live

The danger is not the code as drafted but the enforcement discretion bolted onto it. Non-compliance can trigger a financial penalty of up to RM10 million (about US$2.5 million), and MCMC may issue binding "directions" whose breach carries further fines — up to RM1 million, plus RM100,000 for each day a violation continues. Penalties of that magnitude, attached to vaguely bounded duties like mitigating exposure to "harmful content," create a powerful incentive for platforms to over-remove. When the cheapest way to avoid an eight-figure fine is to delete first and adjudicate never, lawful speech becomes collateral damage. That is the classic failure mode of intermediary-liability regimes worldwide, and Malaysia's history of using the Communications and Multimedia Act against critics makes the concern more than theoretical.

The parallel Child Protection Code sharpens the point. It bars under-16s from holding social media accounts and forces platforms with at least eight million Malaysian users to verify ages, with a transition window of up to six months. Age verification at national scale is a privacy hazard: it pushes platforms toward collecting identity documents or biometric estimates on the entire adult population to gate the minority of minors — exactly the data-honeypot architecture that fuels the scam ecosystem the RMC is meant to fight.

The test ahead

The right posture is conditional support. Malaysia has, on paper, chosen a more proportionate path than outright takedown mandates: disclosure, provenance and systemic audit beat blacklists. The RMC will deserve its "strongest measures yet" billing only if MCMC enforces it as a transparency regime — penalising platforms that fail to build labelling and verification systems, not platforms that decline to remove lawful but disfavoured speech.

Three guardrails would tell us which way it breaks. First, MCMC should publish the risk-assessment templates and enforcement decisions so the standard is predictable rather than discretionary. Second, the RM10 million ceiling should be reserved for systemic failures, not deployed as leverage over individual content disputes. Third, age verification should permit privacy-preserving methods — on-device, zero-knowledge attestation — rather than mandating ID upload. Get those right and Malaysia offers a genuinely exportable model for the Global South: fight fraud by adding information and accountability, not by subtracting speech. Get them wrong and the RMC becomes one more lever for a state to lean on platforms — with a child-safety label affixed.

Sources & Citations

  1. MCMC — New ONSA Codes Protect Children Online (press release)
  2. MCMC — Child Protection Code: Age Verification Begins (press release)
  3. Rahmat Lim & Partners — MCMC Issues Risk Mitigation Code and Child Protection Code
  4. Biometric Update — Malaysia mandates age checks, advertiser ID verification
  5. Complete AI Training — Malaysia removes 41,394 AI-generated disinformation posts
  6. Rest of World — Scammers are hiding in the apps that make your life easy