GXBank recently marked its second anniversary with more than one million Malaysians onboard, cementing its position as the country’s first and largest digital bank.
Built as a cloud-native banking platform from day one, GXBank has scaled rapidly without the constraints of legacy systems, while keeping cybersecurity, fraud prevention and AI-driven protection at the centre of its architecture.
As cyberattacks continue to evolve with new tactics, we spoke with GXBank’s Head of Data, Caroline Chong; Head of Product, Khuan Yew; and Head of Cybersecurity & Tech Risk, Gan Kee Lim, to understand what’s happening behind the scenes to keep users safe and how the bank balances seamless digital UX with strong security.
Cloud-native architecture: How GXBank scales differently from the rest
GXBank’s technology stack is fully cloud-native, built on Amazon Web Services (AWS) with no inherited legacy systems. This gives the digital bank the ability to scale almost instantly whenever demand surges, from onboarding spikes to transaction loads.
Without the constraints of ageing infrastructure, GXBank can push updates faster, deploy new security measures more efficiently and support millions of users with high resilience.
This agility also enables quicker threat response, allowing the bank to roll out new controls and monitoring rules across the entire platform whenever a new attack pattern emerges.
Cyberattacks come in waves, attackers hunt for “low-hanging fruit”
According to Gan, GXBank is also seeing cyberattacks on its infrastructure, similar to other banks. From the patterns observed so far, these are not targeted attacks but mostly sporadic attempts looking for potential vulnerabilities.
He added that based on the attacks detected, the cybercriminals did not manage to obtain anything and typically moved on to their next targets.
These attacks usually come in waves, and what GXBank must ensure is that its infrastructure remains resilient at all times. If new attack behaviours are detected, the bank strengthens its protections and applies the necessary tweaks.
Khuan Yew explained that to avoid ever becoming an easy target, GXBank employs multiple layers of detection. This begins from the moment a user downloads the app from the Apple App Store or Google Play Store. GXBank controls which countries the app is available in and checks the user’s location during the onboarding process.
When the app is launched, the system checks whether the device is jailbroken or rooted, whether malware is present and whether the user is on a VPN or unsecured Wi-Fi connection.
During sign-up, customers undergo eKYC (electronic Know Your Customer) checks. This process verifies liveness, compares the user’s face with their MyKad and requires a bank transfer from an account that has already been verified under the same name.
When a transaction is performed, GXBank checks the location of the transaction, and its fraud engines determine whether it is high or low risk. If flagged as high risk, the system performs step-up authentication to verify that the user is truly the one initiating the transaction.
After a payment goes through, GXBank applies transaction monitoring with ongoing due diligence performed daily, screening activities repeatedly.
AI vs AI: How GXBank fights fraud in real time
Fraudsters are increasingly turning to AI and automation to scale their attacks, from identity manipulation to sophisticated phishing attempts. Caroline says this makes traditional rules-based systems insufficient. As a digital bank with a lean workforce, GXBank has handled over 200 million transactions this year alone.
To stay ahead, GXBank has deployed AI across major areas of fraud prevention. While specifics, including fraud rules, are confidential, the bank confirms that it has deployed extensive Gen AI capabilities to scan and detect fraud across the massive volumes of transactions it handles daily.
She shared that fraudsters are becoming so sophisticated that humans can no longer detect fraud patterns quickly enough. As a result, GXBank is now using AI to fight AI within the fraud space and has been highly successful in developing solutions that detect fraudulent behaviour on the go while continuously self-improving at high speed.
Once GXBank develops a solution, fraudsters typically adapt and develop new methods, which is why this remains an area where the bank deploys significant resources.
Security vs seamless UX: Why GX uses “good friction” only when needed
GXBank’s app experience is known for being straightforward, and some may assume that simplicity equates to weaker security.
When asked how the bank balances a seamless experience with robust security, Caroline explained that while speed and customer experience are important, they would never make a decision that sacrifices security for convenience.
For onboarding, Khuan Yew shared that the bank can go as basic as capturing a photo or add extra requirements such as gestures. More steps lead to higher drop-off rates, and these trade-offs have been considered.
Reinforcing Caroline’s point, he said they would rather add a bit of friction, what they call “good friction”.
They aim to remove all bad friction, but good friction slows things down just enough to ensure only genuine users get through.
For example, if a high-risk or suspicious transaction is detected, the app may prompt the user to confirm whether they truly want to transfer to a third party. The goal is to make users pause and consider whether they know the recipient or if the transaction might be a scam.
GXBank uses multiple parameters to identify suspicious transactions, and these systems will evolve and become more adaptive as risks change.
The digital bank also admits to studying competitors’ user journeys to improve its own balance of convenience and protection.
Scams are still not going down and customer education remains key
Despite stricter Bank Negara Malaysia guidelines and industry-wide security upgrades, scams continue to rise. Gan notes that the majority of cases stem from phishing. He said the cost of launching a phishing attack is extremely low, while the potential return for scammers can be very high.
Fraudsters no longer attempt to breach bank systems. Instead, they prey on users emotionally and socially, tricking them into revealing credentials or approving transactions.
As a bank, GXBank is doing its part by educating users, and internally, it conducts email content filtering to ensure employees are protected from phishing.
While customers may not read every notification about scams, GXBank reaches out to them via multiple channels, including social media and pop-up alerts in the app.
GXBank also offers a digital insurance product in partnership with Zurich called Cyber Fraud Protect, designed to safeguard Malaysians from financial loss due to unauthorised transactions resulting from cybercrime and scam messages. Plans start from RM1 per month and cover all bank accounts, debit/credit cards and eWallets.
When will GXBank truly serve the completely unbanked?
One of the biggest roadblocks to serving unbanked Malaysians is the regulatory requirement to transfer funds from an existing bank account under the same name. This ensures identity verification but excludes customers who do not have a bank account.
GXBank says digital banks need support from regulators and the government to onboard the unbanked.
Khuan Yew said he has raised this multiple times and that Bank Negara Malaysia has been very receptive. Discussions are ongoing involving BNM and MyDigital ID to establish a framework where customers can prove their identity without requiring an existing bank account.
Once this barrier is removed, digital banks can finally serve the unserved.
Are Debit Cards secure? When will GXBank support Apple Pay?
There is a perception that debit cards are less secure than credit cards. GXBank says this perception is misplaced, as debit cards also offer fraud protection, chargeback policies and cyber-monitoring.
At this time, GXBank does not have plans to introduce a separate virtual debit card feature, although protection features already apply to the existing product.
When asked when GXBank will support mobile wallets such as Apple Pay, Google Pay and Samsung Pay, they said they want to, especially Apple Pay but cannot provide timelines. They shared that Apple Pay currently has the highest penetration in Malaysia.
Despite high Android smartphone usage, Google Pay adoption is not as strong but it is something they could enable. In fact, GXS Bank in Singapore has already enabled Google Pay for its debit card.
Will GXBank launch an AI chatbot like Ryt Bank?
Ryt Bank’s AI assistant, Ryt AI, has gained significant attention recently, but GXBank says it is deploying AI in different areas, particularly to enhance the efficiency of its customer support channels, which are labour-intensive.
Caroline said that when deploying AI, the solution must deliver tangible value either to customers or the bank. The question they ask internally is whether they want to be “sexy and shiny”, or whether they want to deliver solutions with measurable impact.
At this point, GXBank is prioritising AI deployments that offer tangible value, including fraud prevention and capabilities that can be quantified.
Khuan Yew added that competitors have done a good job introducing new AI features, but the interesting part will be seeing two things: whether this is truly the best way to do things, and whether the behaviour will stick from a user perspective.
