A consumer group's number that the statute book can't reach
On May 19, 2026, the Persatuan Pengguna Islam Malaysia (PPIM) escalated Malaysia's scam-fraud debate with a specific, arresting figure: fine negligent telcos up to RM1 billion per company. PPIM chairman Datuk Nadzim Johan made the demand after national scam losses hit RM2.77 billion in 2025, up from RM1.57 billion in 2024, and after PPIM documented a case in which a 68-year-old retiree, Suhaimi Shuib, discovered 18 phone lines fraudulently registered under his name following a botched phone-purchase scam that cost him RM21,000 (The Malaysian Reserve via PPIM, May 19, 2026).
The number lands with force because it is roughly a thousand times larger than what Malaysian law currently allows. Under the Communications and Multimedia (Amendment) Act 2025, in force since February 11, 2025, the Malaysian Communications and Multimedia Commission's (MCMC) general penalty ceiling for corporate non-compliance rose to RM1 million — itself a large jump from the prior RM300,000–RM500,000 range (Law Partnership analysis of Act 588 amendments; MCMC's Act 588 legislation page). PPIM is not asking MCMC to use an existing power more aggressively — it is asking Parliament to legislate a fine regime an order of magnitude beyond anything on the books.
The steelman: telcos are the choke point, and the status quo isn't working
PPIM's underlying grievance deserves a fair hearing before it gets a rebuttal. Telcos are the only actors positioned to stop fraudulent SIM issuance at its source — banks can flag suspicious transfers, but by the time money moves, the scam call or SMS has already reached the victim through a line the telco activated. A retiree accumulating 18 unauthorized lines without triggering any internal telco alert is not a hypothetical edge case; it is evidence of an identity-verification system that failed repeatedly, not once. And the scale of harm is real and rising: Malaysia's scam losses nearly doubled year-on-year, and separate Home Ministry figures for the same year put the total even higher, at RM2.97 billion (Malay Mail, June 24, 2026). When the instrument of harm runs through a licensed, regulated industry, proportionate deterrence is a legitimate regulatory goal, and Parliament is entitled to decide the current ceiling is too low.
Where the demand overshoots
The problem is that PPIM's ask conflates two different failures — telco negligence and criminal fraud — and prices the penalty as if telcos were the primary offender rather than an intermediary that criminals actively defraud. Scammers who used a stolen or forged identity document to open 18 lines exploited the registration process, not a telco's indifference to it; MCMC's own investigation into the underlying registration failures, published January 28, 2026, was the direct trigger for the new Mandatory Standard for the Registration of End Users of Public Cellular Prepaid Services, registered February 26, 2026 under Sections 55 and 104(1)(b) of the Communications and Multimedia Act 1998 (Bernama, February 2026; Malaysia MADANI government portal). That standard already requires biometric verification via MyKad fingerprint readers or MyDigital ID for self-registration, caps citizens at five prepaid SIMs per provider and non-citizens at two, bars registration for children under 12, and mandates parental consent for minors aged 12–17. This is the proportionate response: it targets the actual point of failure — weak identity verification — rather than imposing a headline-grabbing fine that a court would almost certainly strike down as punitive rather than compensatory, given no comparable regulator anywhere ties a single corporate fine to national GDP-scale figures for what is fundamentally a shared-liability harm.
There is also a structural tension PPIM's proposal doesn't resolve: fines calibrated to make headlines create an incentive for telcos to over-verify defensively, which is precisely the justification MCMC used to mandate biometric collection and MyDigital ID linkage for every prepaid subscriber. A RM1 billion fine regime, paired with a biometric mandate rolling out over the coming months, would push telcos toward maximal data collection and retention as legal self-defense — expanding the surveillance footprint of an already-mandatory national digital identity system, with weaker justification than the original scam-prevention rationale supplied.
The better lever is enforcement, not escalation
MCMC has already used its existing powers meaningfully: in 2020 it fined five telcos a combined RM750,000 for registering prepaid SIMs without proper verification, well below even the pre-amendment cap (SoyaCincau, December 2020). PPIM's own proposal — channeling a share of collected fines back to victims like Suhaimi Shuib — is sound policy regardless of the fine's size, and MCMC should adopt it. But the fix for scam losses is enforcing the new biometric standard rigorously and fining telcos at the real RM1 million ceiling when they fail audits, not manufacturing a penalty figure that exists mainly to generate headlines. Malaysia's telcos should face consequences proportionate to their actual negligence — and Malaysians deserve a SIM registration regime that closes fraud loopholes without becoming, by default, a mandatory biometric identity ledger justified by a fine no court will ever impose.