Skip to main content

Article (34): General Risk Management & Internal Control Systems

2/2024 Effective from 21/8/2024

1.

In this Article (34), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

2.

A Payment Token Service Provider must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Payment Token Services to which it is or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.

3.

A Payment Token Service Provider’s risk management policies and procedures shall be:

a)

kept up-to-date;

b)

reviewed annually; and

c)

proportionate to the nature, scale and complexity of the Payment Token Services provided.

4.

A Payment Token Service Provider must establish a risk management function, an internal audit function and a compliance function.

 

Capital adequacy and capital planning

5.

A Payment Token Service Provider must implement an effective process for managing its capital adequacy. This process must monitor capital adequacy over time and include forward-estimations of the level of capital and the capital requirement, and ensure that the Payment Token Service Provider at a minimum complies at all times with the capital requirements set out in this regulation.

 

Liquidity risk management

6.

A Payment Token Service Provider must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Payment Token Service Provider will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.

 

Internal controls

7.

A Payment Token Service Provider must put in place a robust internal control system to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.

8.

A Payment Token Service Provider must put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan must normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.

 

Accounting and External Audit

9.

A Payment Token Service Provider must appoint one or more External Auditor(s) to audit, on an annual basis:

a)

the financial statements or consolidated financial statements of the Payment Token Service Provider prepared in accordance with the accepted accounting standards and practices; and

b)

the systems, controls and technology (including any ‘smart contracts’) of the Payment Token Services provided by the Payment Token Service Provider, including the results of any penetration or cyber-attack simulation testing performed pursuant to Article (35)17, separately from any audit of non-Payment Token Services.

10.

Upon request by the Central Bank, the appointed External Auditor shall submit, directly or through the Payment Token Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.

11.

In addition to the report of audit, the Central Bank may request the External Auditor to:

a)

submit any additional information in relation to the audit, if the Central Bank considers it necessary;

b)

enlarge or extend the scope of the audit;

c)

carry out any other examination.

 

Compliance and internal audit functions

12.

A Payment Token Service Provider must maintain effective compliance and internal audit functions; to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Payment Token Service Provider’s compliance and internal audit functions will be assessed by the Central Bank based on its:

a)

clear governance framework with Board level accountability to ensure effective policies and sufficient authorities to perform the functions;

b)

relevant professional knowledge and experience;

c)

independence from business units;

d)

direct and unfettered access to the Board;

e)

coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and

f)

ability to take timely and pro- active rectifying actions upon identifying non-compliance or other control deficiencies.

13.

A Payment Token Service Provider must at least annually perform a risk assessment by its own risk management.

a)

If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Payment Token Service Provider must conduct such assessment and cover the following key areas:

(i)

business model assessment;

(ii)

corporate governance and risk management;

(iii)

Reserve of Assets management;

(iv)

technology risk management;

(v)

security management;

(vi)

business continuity management;

(vii)

business conduct and consumer protection;

(viii)

business exit plan; and

(ix)

AML/CFT controls systems.

b)

If the Payment Token Service Provider has an independent function elsewhere in its Group, with the relevant knowledge and experience, an independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.

14.

A Payment Token Service Provider must submit any assessment under Article (34)13 to the Central Bank after it has been approved by the Board, accompanied by an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.

15.

Arising from the findings of the annual risk assessment, a Payment Token Service Provider that is unable to meet its obligations must immediately report this to the Central Bank.

 

Reputation Risk Management

16.

A Payment Token Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations.

 

Record Keeping

17.

Payment Token Service Providers shall keep all necessary records of Personal Data and Payment Data for a period of five (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.