1.

In this Article (34), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

2.

A Payment Token Service Provider must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Payment Token Services to which it is or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.

3.

A Payment Token Service Provider’s risk management policies and procedures shall be:

4.

A Payment Token Service Provider must establish a risk management function, an internal audit function and a compliance function.

5.

A Payment Token Service Provider must implement an effective process for managing its capital adequacy. This process must monitor capital adequacy over time and include forward-estimations of the level of capital and the capital requirement, and ensure that the Payment Token Service Provider at a minimum complies at all times with the capital requirements set out in this regulation.

6.

A Payment Token Service Provider must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Payment Token Service Provider will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.

7.

A Payment Token Service Provider must put in place a robust internal control system to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.

8.

A Payment Token Service Provider must put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan must normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.

9.

A Payment Token Service Provider must appoint one or more External Auditor(s) to audit, on an annual basis:

10.

Upon request by the Central Bank, the appointed External Auditor shall submit, directly or through the Payment Token Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.

11.

In addition to the report of audit, the Central Bank may request the External Auditor to:

12.

A Payment Token Service Provider must maintain effective compliance and internal audit functions; to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Payment Token Service Provider’s compliance and internal audit functions will be assessed by the Central Bank based on its:

13.

A Payment Token Service Provider must at least annually perform a risk assessment by its own risk management.

14.

A Payment Token Service Provider must submit any assessment under Article (34)13 to the Central Bank after it has been approved by the Board, accompanied by an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.

15.

Arising from the findings of the annual risk assessment, a Payment Token Service Provider that is unable to meet its obligations must immediately report this to the Central Bank.

16.

A Payment Token Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations.

17.

Payment Token Service Providers shall keep all necessary records of Personal Data and Payment Data for a period of five (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.