Skip to main content

Article (10): On-Going Requirements

C 15/2021 Effective from 6/6/2021

Corporate Governance

  1. Payment Service Providers must comply with the below requirements on corporate governance.
     
  2. Payment Service Providers must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility.
     
  3. The corporate governance arrangements referred to in paragraph (2) must be comprehensive and proportionate to the nature, scale and complexity of the Retail Payment Services provided, and shall contain, at a minimum:
     
    1. 3.1. an organization chart showing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
       
    2. 3.2. controls on conflicts of interest;
       
    3. 3.3. controls on integrity and transparency of the Payment Service Provider’s operations;
       
    4. 3.4. controls to ensure compliance with applicable laws and regulations;
       
    5. 3.5. methods for maintaining confidentiality of information; and
       
    6. 3.6. procedures for regular monitoring and auditing of all corporate governance arrangements.
       

Risk Management

  1. Payment Service Providers must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Retail Payment Services to which they are or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
     
  2. Payment Service Providers’ risk management policies and procedures shall be:
     
    1. 5.1. kept up-to-date;
       
    2. 5.2. reviewed annually; and
       
    3. 5.3. proportionate to the nature, scale and complexity of the Retail Payment Services provided.
       
  3. Payment Service Providers must establish a risk management function, an internal audit function and a compliance function.
     

Accounting and Audit

  1. Payment Service Providers must appoint an Auditor to audit on an annual basis:
     
    1. 7.1. the financial statements or consolidated financial statements of the Payment Service Provider prepared in accordance with the accepted accounting standards and practices; and
       
    2. 7.2. the systems and controls of the Retail Payment Services provided by the Payment Service Provider, separately from any audit on non-Retail Payment Services.
       
  2. Upon request by the Central Bank, the appointed Auditor shall submit, directly or through the Payment Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.
     
  3. In addition to the report of audit, the Central Bank may request from the Auditor to:
     
    1. 9.1. submit any additional information in relation to the audit, if the Central Bank considers it necessary;
       
    2. 9.2. enlarge or extend the scope of the audit;
       
    3. 9.3. carry out any other examination.
       

Record Keeping

  1. Payment Service Providers shall keep all necessary records on Personal and Payment Data for a period of (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.
     

Notification Requirements

  1. Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant or Payment Service Provider, as the case may be, shall immediately notify the Central Bank of such change and provide all necessary information and documents.
     
  2. A Payment Service Provider shall immediately notify the Central Bank of any violation or potential violation of a Major Regulatory Requirement of this Regulation or Level 2 Acts.
     
  3. A Payment Service Provider shall immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:
     
    1. 13.1. any event that prevents access to or disrupts the operations of the Payment Service Provider;
       
    2. 13.2. any legal action taken against the Payment Service Provider either in the State or in a Third Country;
       
    3. 13.3. the commencement of any insolvency, winding up, liquidation or equivalent proceedings, or the appointment of any receiver, administrator or provisional liquidator under the laws of any country;
       
    4. 13.4. any disciplinary measure or sanction taken against the Payment Service Provider or imposed on it by a regulatory body other than the Central Bank, whether in the State or in a Third Country;
       
    5. 13.5. any change in regulatory requirements to which it is subject beyond those of the Central Bank, whether in the State or in a Third Country; and
       
    6. 13.6. any other event specified by the Central Bank.
       

Professional Indemnity Insurance

  1. Payment Service Providers providing Payment Initiation and Payment Account Information Services shall hold a professional indemnity insurance whose amount shall be decided upon by the Central Bank.
     
  2. The professional indemnity insurance of Payment Service Providers providing Payment Initiation Services referred to in paragraph (14) shall cover these Payment Service Providers’ liabilities for Unauthorized Payment Transactions and non-execution, defective or late execution of Payment Transactions.
     
  3. The professional indemnity insurance of Payment Service Providers providing Payment Account Information Services referred to in paragraph (14) shall cover these Payment Service Providers’ liability vis-à-vis the Payment Service Provider providing Account Issuance Services or the Retail Payment Service User resulting from non-authorized or fraudulent access to or non-authorized or fraudulent use of Payment Account information.