No.

Subject

Key Requirements and Standards

1.        

Corporate Governance

• The Board of a PSO is generally tasked with establishing policies that promote safety, efficiency, and reliability of payment systems. This entails having to implement control functions (e.g., risk management, compliance) that are competently staffed with reporting measures in place.
• The Board must include an appropriate combination of personnel with calibre and independent directors.

2.        

Risk Management and Operational Requirements

• PSOs are required to establish and implement risk management frameworks (including a technology risk management framework, liquidity risk management framework, credit risk management framework and cyber resilience framework), risk monitoring and reporting requirements, collateral management practices, management and control systems to mitigate operational risks, a business continuity plan and a disaster recovery plan.
• These frameworks and plans should address:
  1. controls in safeguarding the confidentiality, integrity and availability of information;
  2. maximum tolerable downtime and recovery time objectives for all critical business functions; and
  3. and identification of scenarios that may prevent its ability to provide its critical operations and services with the appropriate plans for its recovery or orderly wind-down.

3.        

Adequate Capital and Liquid Net Assets Requirement

• At the minimum, PSOs must maintain liquid net assets equivalent to at least six (6) months of current operating expenses.
• PSOs are also required to maintain:
  1. adequate liquid resources in all relevant currencies to ensure smooth settlement under normal or stress scenarios; and
  2. sufficient financial resources to cover its credit exposure to each participant. 

4.        

Outsourcing Arrangements and Interlinkages

• PSOs will be accountable for services provided by an outsourced service provider.
• PSOs must ensure appropriate due diligence is undertaken on the provider.
• PSOs will need to ensure that it monitors the service providers and allow BNM to exercise its regulatory and supervisory powers including have unrestricted access to their systems, information and documents.
• PSOs must have contingency plans to secure business continuity.

5.        

Access and Participation Rules

• Access criteria to a PSO's payment system should be fair, open, objective, transparent and risk-based, to commensurate with the risk profile of the participants. Procedures on suspension or orderly exit upon breach of, or inability to meet, participation requirements should be clearly outlined and disclosed.
• Rules and procedures established by PSOs must be clear, comprehensive, up-to-date and fully disclosed to its participants. Processes for proposing, implementing and communicating changes to rules and procedures must also be clear and fully disclosed.
• PSOs must publicly disclose their fees and relevant information that would allow participants to assess the total cost of participating in the payment system and/or services offered by a PSO. PSOs must provide a timely notice to their participants of any changes to its fees.
• Under a tiered-participation arrangement (i.e., where an indirect participant relies on services provided by a direct participant of a PSO to access a PSO's payment system), PSOs shall:
  1. establish rules and procedures with the direct participants to enable the PSO to obtain information on the indirect participants to identify and monitor risk;
  2. identify the significant dependencies between direct and indirect participants that may adversely affect the PSO; and
  3. regularly review the risks associated with the tiered-participation arrangements and institute appropriate mitigating measures.