Article (36): Business Continuity

2/2024 Effective from 21/8/2024

1. In this Article (36), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

2. A Payment Token Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery.

3. A Payment Token Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets.

4. A Payment Token Service Provider shall put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Token Service Provider shall also allow Customers to access their own records in a timely manner. A Payment Token Service Provider shall notify Customers of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully.

5. A Payment Token Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:

a) detailed recovery procedures to ensure full accomplishment of the service recovery strategies;

b) escalation procedures and crisis management protocol (e.g. set up of a command centre, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions;

c) proactive communication strategies (e.g. Customer notification, media response, etc.);

d) updated contact details of key personnel involved in the business continuity plan; and

e) assignment of primary and alternate personnel responsible for recovery of critical systems.

6. A Payment Token Service Provider shall conduct testing of its business continuity plan at least annually. Its Senior Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities.

7. A Payment Token Service Provider shall review all business continuity planning-related risks and assumptions for relevance and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Senior Management.

Business exit plan

8. With a view to minimizing the potential impact that a failure, disruption, or exit of a Payment Token Service Provider would have on Customers and the payment systems in the UAE, a Payment Token Service Provider is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.

9. Among other things, a business exit plan must:

a) identify a range of remote but plausible scenarios which may render it necessary for a Payment Token Service Provider to consider an exit;

b) develop risk indicators to gauge the plausibility of the identified scenarios;

c) set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan;

d) assess the time and cost required to implement the exit plan in an orderly manner; and

e) set out clear procedures to ensure that sufficient time and regulatory capital and other financial resources are available to implement the exit plan.

10. A Payment Token Service Provider must review the plan on an annual basis to ensure its relevance and workability.