PD-eMoney-202302 (1) PDF - Electronic Money
Uploaded by UsefulComputerArt, 2022
Summary
This document outlines the requirements for approved issuers of electronic money (e-money) in Malaysia. It covers various aspects, including governance, operational and risk management, and information technology (IT) requirements, aiming to ensure the safety and reliability of e-money and maintain public confidence in its use.
Electronic Money (E-Money)
Applicable to: Approved issuers of e-money
Issued on: 30 December 2022
BNM/RH/PD 029-57

TABLE OF CONTENTS

PART A OVERVIEW (p. 1)
1 Introduction (p. 1)
2 Applicability (p. 1)
3 Legal provisions (p. 2)
4 Effective date (p. 2)
5 Interpretation (p. 2)
6 Related legal instruments and policy documents (p. 7)
7 Policy documents superseded (p. 8)

PART B GOVERNANCE (p. 9)
8 Governance arrangements (p. 9)
9 Board of directors (p. 9)
10 Senior management (p. 12)
11 Control function (p. 14)
12 Shariah governance (p. 17)
13 Fit and proper (p. 18)

PART C OPERATIONAL AND RISK MANAGEMENT REQUIREMENTS (p. 19)
14 Local incorporation (p. 19)
15 Minimum capital funds for non-bank EMI (p. 19)
16 Safeguarding of funds (p. 19)
17 Business continuity management (p. 20)
18 Outsourcing arrangement (p. 21)
19 Fraud risk management (p. 26)
20 Account management (p. 29)
21 White labelling (p. 31)
22 Other business or activity (p. 32)
23 Specific requirements for registered merchant acquirers (p. 34)
24 Exit plan (p. 34)
25 Winding down or cessation of e-money business (p. 36)
26 Prohibitions (p. 37)

PART D INFORMATION TECHNOLOGY (IT) REQUIREMENTS (p. 38)
27 Technology risk management (p. 38)
28 Technology operations management (p. 39)
29 Cybersecurity management (p. 55)
30 Technology audit (p. 60)
31 Internal awareness and training (p. 61)

PART E REGULATORY PROCESS (p. 62)
32 Approval and notification (p. 62)
33 Submission requirements (p. 62)
34 Membership in the Financial Ombudsman Scheme (p. 63)

APPENDICES (p. 64)
Appendix 1 Criteria for eligible EMI (p. 64)
Appendix 2 Limited purpose e-money (p. 65)
Appendix 3 Responsibilities of board committees (p. 67)
Appendix 4 Computation of capital funds (p. 68)
Appendix 5 Examples of arrangements excluded from the scope of outsourcing (p. 69)
Appendix 6 Minimum requirements on the outsourcing agreement (p. 70)
Appendix 7 Other exit triggers (p. 72)
Appendix 8 Storage and transportation of sensitive data in removable media (p. 73)
Appendix 9 Control measures on mobile application and devices (p. 74)
Appendix 10 Control measures on QR code (p. 75)
Appendix 11 Control measures on cybersecurity (p. 76)

PART A OVERVIEW

1 Introduction

1.1 E-money serves as a payment instrument that can be used to make payments for purchases of goods and services to merchants who accept e-money as a mode of payment. E-money users may also send or receive funds to or from another user’s e-money or bank account, respectively, through person-to-person (P2P) fund transfer service if the e-money issuer (EMI) is allowed to offer such service.

1.2 Over the past decade, e-money has evolved and grown significantly due to the proliferation of mobile technology such as Quick Response (QR) codes and mobile applications (apps), digitalization of financial services and shift in consumer behaviour. In addition, the form of e-money has evolved from the traditional stored value cards to network-based solutions such as online accounts or e-wallets.
1.3 Due to the growing prominence of e-money in the financial landscape, enhancements to the e-money regulatory framework are needed to ensure e-money continues to be a safe and reliable payment instrument amid the advancement in functionalities and evolution in the enabling technology. This is important to ensure the safety of the e-money funds [1] and the soundness of EMI to manage potential risk of loss to customers, hence fostering continued public confidence in the use of e-money.

1.4 This policy document outlines requirements aimed to–
(a) ensure the safety and reliability of e-money issued by EMI; and
(b) preserve customers’ and merchants’ confidence in using or accepting e-money for the payment of goods and services.

2 Applicability

2.1 This policy document is applicable to EMI as defined in paragraph 5.2.

2.2 Notwithstanding paragraph 2.1, an EMI that only issues e-money described in Appendix 2 (known as limited purpose EMI) is not subject to this policy document except for paragraph 15, Policy Document on Anti-Money Laundering, Counter Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs) as well as relevant requirements pursuant to FSA and IFSA.

[1] As reflected in the outstanding e-money liabilities.

3 Legal provisions

3.1 The requirements in this policy document are specified pursuant to–
(a) sections 47(1), 123(1) and 143 of the FSA; and
(b) sections 29(2), 57(1), 135(1) and 155 of the IFSA.

3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA and section 277 of the IFSA.

4 Effective date

4.1 This policy document comes into effect on 30 December 2022, except for paragraphs 15, 16.2 to 16.4, 18, 19.6 to 19.15, 27, 28, 29, 30 and 31 which come into effect on 30 December 2023.
5 Interpretation

5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA or IFSA, as the case may be, unless otherwise defined in this policy document.

5.2 For the purpose of this policy document–

“S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;

“G” denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;

“active politician” refers to an individual who–
(a) is a member of any national or state legislative body; or
(b) is an office bearer of, or holds any similar position in a political party, in or outside Malaysia;

“affiliate”, in relation to an entity, refers to any corporation that controls, is controlled by, or is under common control with, the entity;

“Bank” refers to Bank Negara Malaysia;

“banking institution” refers to a licensed bank, a licensed Islamic bank, and a prescribed institution as defined under the Development Financial Institutions Act 2002 (DFIA);

“business continuity management” or “BCM” refers to an enterprise-wide framework that encapsulates policies, processes and practices that ensure the continuous functioning of an EMI during an event of disruption. It also prepares the EMI to resume and restore its operations and services in a timely manner during an event of disruption, thus minimising any material impact to the EMI;

“control function” refers to a function that has a responsibility independent from business lines to provide objective assessments, reporting and assurance on the effectiveness of an EMI’s policies and operations, and its compliance with legal and regulatory obligations. This includes the risk management function, the compliance function, and the internal audit function;

“counterparty information” refers to any information relating to the affairs or the account of any counterparty of the EMI;

“credit transfer” refers to a payment service which allows a payor to instruct the institution at which the payor’s bank account or e-money account is held to transfer funds to a beneficiary in another bank account or e-money account, irrespective of any underlying obligation between the payor and the beneficiary. For the avoidance of doubt, any reference to “credit transfer” in this policy document shall include a reference to both a fund transfer transaction and a purchase transaction regardless of the technology used to facilitate the transaction including QR code;

“critical system” refers to any application system that supports the provision of EMI services, where failure of the system has the potential to significantly impair the EMI’s provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements;

“cross-selling” refers to an act of an EMI offering to its customers either complementary or related financial products or services.
This includes an EMI acting as an agent to provide the financial products or services;

“customer” or “user” refers to any person to whom e-money has been issued or any person who uses e-money to make payment or any other transaction allowed by EMI;

“customer information” refers to any information relating to the affairs or the account of any customer of the EMI in whatever form including in the form of a record, book, register, correspondence, other document or material;

“cyber resilience” refers to the ability of people, processes, IT systems, applications, platforms or infrastructures to withstand adverse cyber events;

“cyber risk” refers to threats or vulnerabilities emanating from the connectivity of internal technology infrastructure to external networks or the Internet;

“digital services” refers to the provision of payment services delivered to customers via electronic channels and devices including internet and mobile devices, self-service terminals and point-of-sale terminals;

“electronic money” or “e-money” refers to any payment instrument or Islamic payment instrument, whether tangible or intangible, that–
(a) stores funds electronically in exchange of funds paid to the issuer; and
(b) is able to be used as a means of making payment to any person other than the issuer;

“eligible EMI” refers to an EMI described in Appendix 1;

“e-money issuer” or “EMI” refers to any person approved by the Bank under section 11 or section 15(1)(e) of the FSA or section 11 of the IFSA to issue e-money;

“executive director” refers to a director of an EMI who has management responsibilities in the EMI or any of its affiliates;

“Financial Ombudsman Scheme (FOS)” refers to a scheme that functions as an alternative dispute resolution channel to resolve disputes between financial institutions and consumers. The Ombudsman for Financial Services (OFS) is the operator of the FOS approved by the Bank pursuant to section 126(2) of the FSA and section 138(2) of the IFSA;

“independent director” refers to a director who is described as being independent in accordance with paragraph 9.14;

“internal control framework” refers to the set of rules and controls governing an EMI’s organisational and operational structure, including reporting processes and control functions;

“licensed bank” refers to any person licensed under section 10 of the FSA to carry on banking business;

“licensed Islamic bank” refers to any person licensed under section 10 of the IFSA to carry on Islamic banking business and includes a licensed international Islamic bank;

“limited purpose EMI” refers to an EMI that issues e-money described in Appendix 2;

“material outsourcing arrangement” refers to an outsourcing arrangement which–
(a) in the event of a service failure or security breach, has the potential to significantly impact EMI’s provision of financial services to customers, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements;
(b) involves customer information where in the event of unauthorised access, disclosure, modification, loss or theft of the information, has a material impact on the customer or EMI; or
(c) where the arrangement involves control functions or customer funds management.
“material technology project” refers to projects which involve critical systems, the delivery of essential services to customers or counterparties, or compliance with regulatory requirements;

“merchant” refers to a person or an entity that accepts e-money for sale of goods or services;

“non-bank EMI” refers to an EMI which is not a licensed bank, licensed Islamic bank, or a prescribed institution as defined under the DFIA;

“OTP” or “one-time password” refers to an alphanumeric or numeric code represented by a minimum of six characters or digits which is valid only for single use to validate a specific transaction;

“outsourcing arrangement” refers to an arrangement in which a service provider performs an activity on behalf of EMI on a continuing basis [2], where the activity would otherwise be undertaken by the EMI but does not include activities set out in Appendix 5;

[2] For the avoidance of doubt, an agreement which is time-bound does not preclude the activity from being considered as being performed on a continuing basis.

“outstanding e-money liabilities” refers to–
(a) the unutilised amount of e-money which has been issued; and
(b) the utilised amount of e-money which is pending payment to merchants;

“payment instrument” refers to any instrument, whether tangible or intangible, that enables a person to obtain money, goods or services or to make any payment;

“production data centre” refers to any facility which hosts active critical production application systems irrespective of location;

“purchase transaction” refers to any transaction between a customer and a merchant for the purchase of goods and services;

“registered merchant acquirer” refers to any person who is registered by the Bank pursuant to sections 17(1) and 18 of the FSA to provide merchant acquiring services and fulfils the criteria under paragraph 2.1 of the policy document on Merchant Acquiring Services as amended from time to time;

“risk-based authentication” refers to a dynamic and data-driven authentication method, where information about each transaction is evaluated to determine the transaction’s risk in order to prevent fraud and provide better customer experience;

“senior management” refers to the Chief Executive Officer (CEO) and senior officers;

“senior officer” refers to a person, other than the CEO or a director, having authority and responsibility for planning, directing or controlling the activities of an EMI, including the Chief Operating Officer, Chief Financial Officer, members of decision-making committees and other persons performing key functions such as risk management, compliance or internal audit;

“service provider” refers to an entity, including an affiliate, providing services to an EMI under an outsourcing arrangement;

“shareholder” refers to any person who holds an aggregate of 5% or more interest in shares [3] of an EMI;

[3] Interest in shares shall be construed as set out in section 2(1) and Schedule 3 of the FSA or IFSA.

“Shariah compliant e-money” refers to any designated Islamic payment instrument that is structured based on appropriate Shariah contracts, whether tangible or intangible, that–
(a) stores funds electronically in exchange of funds paid to the issuer; and
(b) is able to be used as a means of making payment to any person other than the issuer;

“standard EMI” refers to an EMI other than an eligible EMI;

“sub-contractor” refers to any entity, including an affiliate, which performs the whole or a part of the outsourced activity for the primary service provider;

“technology service provider” refers to a group affiliate or external entity providing technology-related functions or services that involve the transmission, processing, storage or handling of confidential information pertaining to the EMI or its customers. This includes cloud computing software, platform and infrastructure service providers;

“wallet limit” refers to the maximum monetary value that can be stored in an e-money; and

“white labelling” refers to an arrangement between an EMI and a partner or other entity to allow such partner or entity to offer e-money to their customers under their own brand, while the ultimate responsibility remains with the EMI in managing the e-money funds and operations.
6 Related legal instruments and policy documents

6.1 This policy document must be read together with other relevant legal instruments, policy documents and guidelines issued by the Bank, as amended from time to time, in particular–
(a) Policy Document on Anti-Money Laundering, Counter Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs);
(b) Guidelines on Complaints Handling;
(c) Policy Document on Fair Treatment of Financial Consumers;
(d) Policy Document on Fit and Proper Criteria for Approved Person;
(e) Guidelines on Product Transparency and Disclosure;
(f) Policy Document on Management of Customer Information and Permitted Disclosures;
(g) Policy Document on Interoperable Credit Transfer Framework;
(h) Policy Document on Merchant Acquiring Services;
(i) Policy Document on Risk-Based Authentication for Online Payment Card Transaction;
(j) Policy Document on Payment Cards Framework;
(k) Policy Document on Risk Management in Technology (RMiT);
(l) Policy Document on Electronic Know-Your-Customer (e-KYC);
(m) Policy Document on Business Continuity Management;
(n) Policy Document on STATsmart Reporting Requirements on Data Submission for Reporting Entities;
(o) Policy Document on Wakalah;
(p) Policy Document on Wadi’ah;
(q) Policy Document on Qard; and
(r) Shariah Advisory Council of Bank Negara Malaysia (SAC) Ruling on E-Money as a Shariah Compliant Payment Instrument.

7 Policy documents superseded

7.1 This policy document supersedes the following documents on the corresponding dates shown below–

Documents | Date superseded
Guideline on Electronic Money (E-money) issued on 31 July 2008 (except paragraphs 8.5 to 8.8 and 10.2 (a), (b), (c), (d), (e), 10.3 and 10.4). | 30 December 2022
Paragraphs 8.5 to 8.8, 10.2 (a), (b), (c), (d), (e), 10.3 and 10.4 of the Guideline on Electronic Money (E-money) issued on 31 July 2008. | 30 December 2023
Paragraph 11.2 and paragraph 12 of the policy document on Interoperable Credit Transfer Framework issued on 23 December 2019. | 30 December 2022 (only as much as it is applicable to non-bank EMIs)

PART B GOVERNANCE

8 Governance arrangements

S 8.1 An EMI shall establish appropriate governance arrangements, which are effective and transparent, to ensure the continued integrity of its e-money scheme, which include, among others, the following–
(a) a board of directors (the board) and senior management that consists of people with calibre, credibility and integrity;
(b) clearly defined and documented organisational arrangements, such as ownership and management structure; and
(c) segregation of duties and control function to reduce potential mismanagement and fraud.

9 Board of directors

S 9.1 The board responsibilities outlined in this policy document shall be read together with section 56 of the FSA and section 65 of the IFSA.

S 9.2 The board must have a board charter that sets out the mandate, responsibilities and procedures of the board and its committees (if any), including the matters reserved for the board’s decision.

S 9.3 The board has the overall responsibility for promoting the sustainable growth and financial soundness of an EMI, and for ensuring reasonable standards of fair dealing, without undue influence from any party. This includes consideration of the long-term implications of the board’s decisions on the EMI and its customers, employees, officers and the general public.
In fulfilling this role, the board must–
(a) approve the risk appetite, business plans and other initiatives which would, individually or collectively, have a material impact on the EMI’s risk profile [4];
(b) oversee the selection, performance, remuneration and succession plans of the CEO, control function heads and other members of senior management, such that the board is satisfied with the collective competence of senior management to effectively lead the operations of the EMI;
(c) oversee the implementation of the EMI’s governance framework and internal control framework, and periodically review whether these remain appropriate in light of material changes to the size, nature and complexity of the EMI operations;
(d) promote, together with senior management, a sound corporate culture within the EMI, which reinforces ethical, prudent and professional conduct and behaviour;
(e) oversee and approve business continuity plans, as well as exit plan, and ensure such plans are updated, particularly as and when there are material changes to the size, nature and complexity of the EMI operations that can significantly affect the said plans; and
(f) promote timely and effective communication between the EMI and the Bank on matters affecting or that may affect the safety and soundness of the EMI.

[4] This would include initiatives, which affect the financial soundness, reputation or key operational controls of the EMI.

S 9.4 The chairman, in leading the board, is responsible for the effective overall functioning of the board. In fulfilling this role, the chairman must–
(a) ensure that appropriate procedures are in place to govern the board’s operations;
(b) ensure that decisions are taken on a sound and well-informed basis, including by ensuring that all strategic and critical issues are considered by the board, and that directors receive the relevant information in a timely manner;
(c) encourage healthy discussion and ensure that dissenting views can be freely expressed and discussed; and
(d) lead efforts to address the board’s developmental needs.

S 9.5 For the board of an EMI approved by the Bank under section 15(1)(e) of the FSA or section 11 of the IFSA, the overall responsibility outlined in paragraph 9.3 includes the responsibility to promote Shariah compliance in accordance with requirements set out under paragraph 12 and to ensure its integration with the EMI business and risk strategies.

Board appointments

S 9.6 A director must fulfil the minimum requirements set out in paragraphs 9.7 to 9.8 at the time of his appointment and on a continuing basis throughout the appointment period.

S 9.7 An EMI shall only appoint as its director, a person who is not disqualified under section 59(1) of the FSA or section 68(1) of the IFSA, and has been assessed by the EMI to have complied with the fit and proper requirements specified by the Bank.

S 9.8 A director of an EMI must not be an active politician.

Composition of the board

S 9.9 The board and its committees (if any) must be of a size and composition that promotes effective deliberation and encourages active participation of all directors.

S 9.10 An EMI shall ensure board members collectively possess the necessary skill sets or business knowledge required to effectively support the board. These criteria and skill sets shall be reviewed regularly by the board to ensure alignment with the strategic direction of, and emerging challenges faced by the EMI.
S 9.11 The chairman of the board must be a non-executive director.

S 9.12 An EMI [5] shall ensure no less than two-thirds of the board members are non-executive directors.

S 9.13 For an eligible EMI, no less than one-third of the board members shall be independent directors.

S 9.14 The board must determine whether an individual to be appointed as an independent director is independent in character and judgment, and free from associations or circumstances that may impair the exercise of his independent judgment. An individual must not be considered to be an independent director if he–
(a) is or had been an executive director in the EMI or any of its affiliates in the last two (2) years;
(b) is a substantial shareholder, or acting on behalf of the substantial shareholder, of the EMI or any of its affiliates; or
(c) had a significant business or other contractual relationship with the EMI or any of its affiliates in the last two (2) years.

S 9.15 For the purpose of paragraph 9.14, the board must clearly define what constitutes a “significant business or other contractual relationship”, taking into account the nature, size and complexity of the EMI’s operations.

Board meetings

S 9.16 The board must meet regularly, whereby the number and frequency of board meetings must be commensurate with the size and complexity of the EMI’s operations, to review the EMI’s performance, including the status of its compliance with regulatory requirements and to deal with any issues pertaining to the operations of the EMI.

[5] For the avoidance of doubt, this requirement applies to all eligible and standard EMI.

S 9.17 A director must devote sufficient time to prepare for and attend board meetings and maintain a sound understanding of the business of the EMI, as well as relevant market and regulatory developments.

S 9.18 In respect of the quorum for board meetings, an EMI must require at least half of the board members to be present.

S 9.19 The board must ensure that clear and accurate minutes of board meetings are maintained to record the decisions of the board, including key deliberations, rationale for each decision made, and any significant concerns or dissenting views. The minutes must indicate whether any director abstained from voting or excused himself from deliberating on a particular matter.

S 9.20 For eligible EMIs, a director must attend at least 75% of the board meetings held in each financial year.

Board committees (applicable to eligible EMIs only)

S 9.21 At a minimum, an eligible EMI shall establish the following board committees–
(a) board audit committee; and
(b) board risk management committee.

G 9.22 An eligible EMI may combine its board audit committee and board risk management committee.

S 9.23 Each board committee shall–
(a) not be chaired by the chairman of the board;
(b) have at least three (3) directors of the EMI as members of the board committee;
(c) have at least one-third of independent directors of the EMI as members of the board committee; and
(d) be chaired by an independent director.

S 9.24 For purposes of paragraphs 9.23(b) and (c), the directors shall be among those who have the skills, knowledge and experience relevant to the responsibilities of the board committee.

S 9.25 Each board committee shall have its Terms of Reference and shall assume the specific responsibilities enumerated for it in Appendix 3.

10 Senior management

S 10.1 An EMI shall only appoint as its senior management, a person who is not disqualified under section 59(1) of the FSA or section 68(1) of the IFSA, and has been assessed by the EMI to have complied with the fit and proper requirements specified by the Bank.

S 10.2 An eligible EMI shall not appoint its substantial shareholder as its senior management.
This serves to preserve an appropriate separation between ownership and management of an EMI in line with the broader responsibilities of EMIs towards its customers and merchants. S 10.3 A CEO must devote the whole of his professional time to the service of the EMI and shall have his principal or only place of residence within Malaysia unless the Bank approves otherwise in writing under section 55(3) of the FSA and section 64(3) of the IFSA. S 10.4 An EMI that is involved in other business or activity, other than issuing e-money, shall appoint a dedicated senior officer with relevant expertise and experience to assume the role of the Head of e-money business. S 10.5 The senior management of an EMI is responsible for ensuring the following– (a) effective policies and procedures are established and implemented for, among others, the following areas– (i) risk management and appropriate controls to manage and monitor risks; (ii) due diligence and oversight to manage arrangements with service providers supporting the e-money operations; (iii) sufficient and timely reporting or escalation of issues to the board; (b) overseeing the formulation and effective implementation of any business or strategic plan, including the strategic technology plan and associated technology policies and procedures; (c) robust decision making processes with adequate consideration on customers’ interests; and (d) a robust assessment is conducted to approve any deviation from policies and procedures, including technology-related policies. Material deviations must be reported to the board. S 10.6 The senior management shall consist of individuals with the appropriate skill set and experience to support and manage the e-money business. This includes individuals with technology background to provide guidance on the EMI’s technology plans and operations. 
S 10.7 For the purpose of paragraph 10.6, an eligible EMI shall ensure that a designated staff member who does not engage in day-to-day technology operations is responsible for the identification, assessment and mitigation of technology risks.

11 Control function

G 11.1 The board and senior management are encouraged to create an environment which–
    (a) ensures that the EMI and its officers comply with legal and regulatory requirements;
    (b) adopts relevant risk management practices; and
    (c) encourages ethical conduct that underlies the legal and regulatory requirements.

S 11.2 The board is responsible for overseeing the management of an EMI’s control function. The board shall–
    (a) ensure an effective risk management framework that is appropriate to the nature, scale and complexity of its activities is in place;
    (b) ensure that the control functions are established and sufficiently resourced, with the officers[6] accorded appropriate stature, authority and independence;
    (c) ensure the appointment of officers who have adequate working knowledge of the e-money business and the legal and regulatory framework, and can effectively support the EMI’s internal control framework;
    (d) provide the relevant officers with direct and unimpeded access to the board; and
    (e) where the risk management officer and compliance officer are the same person, or that person performs the responsibilities of other control functions except for internal audit, be satisfied that a sound overall control environment will not be compromised by the combination of responsibilities performed by the officer.

S 11.3 The senior management is collectively responsible for the effective management of an EMI’s internal control framework.
In discharging this responsibility, senior management shall–
    (a) establish a written policy for the control function and ensure that it is kept up to date;
    (b) establish a control function commensurate with the size, nature of operations and complexity of the EMI, having regard to the requirements in paragraphs 11.4 to 11.17;
    (c) provide sufficient resources for the control function, including officers with the appropriate competencies and experience;
    (d) ensure that the person performing the control function is kept informed of any organisational developments to facilitate the timely identification of compliance risk;
    (e) report to the board regularly on compliance or risk issues, and promptly on any material incidents of non-compliance; and
    (f) report to the board at least annually on the effectiveness of the EMI’s overall compliance and risk management.

[6] Compliance, risk management and internal audit officer.

S 11.4 An EMI shall organise its control function in a manner that allows compliance and risk management to be managed effectively, taking into account the size, nature of operations and complexity of the EMI’s business.

S 11.5 The control function must be independent of business lines in order to carry out its role effectively. As such, an EMI must ensure that the control function is not placed in a position where there are real or potential conflicts in respect of its scope of responsibilities, reporting lines or remuneration.

S 11.6 Where two or more control function responsibilities (excluding internal audit) are performed by one officer, senior management must ensure that the officer has the capacity and expertise to deliver his broader mandates while providing adequate focus to his control function responsibilities.
S 11.7 Where two or more control function responsibilities (excluding internal audit) are performed by one officer, the said officer must ensure that his independence, and his ability to provide sufficient time, focus and commitment to his responsibilities in respect of the control function, are not impaired.

Compliance

S 11.8 The compliance officer shall identify and assess the compliance risk associated with an EMI’s activities. This requires the compliance officer to have adequate knowledge of and exposure to the key business processes of the EMI, and to keep up to date with material changes in the EMI’s business.

S 11.9 The compliance officer must report to senior management on a regular basis the findings and analyses of compliance risk. The report shall include at a minimum–
    (a) the results of the compliance risk assessment undertaken during the assessment period, highlighting key changes in the compliance risk profile of an EMI, as well as areas where greater attention by senior management would be needed;
    (b) a summary of incidents of non-compliance and deficiencies in the management of compliance risk in various parts of the EMI;
    (c) an assessment of the impact (both financial and non-financial) of such incidents of non-compliance and deficiencies on the EMI (for example, fines, administrative enforcement or disciplinary actions taken by any regulatory authority against the EMI or its officers);
    (d) recommendations of corrective measures to address incidents of non-compliance and deficiencies in the management of compliance risk; and
    (e) a record of corrective measures already taken and an assessment of the adequacy and effectiveness of such measures.

S 11.10 The compliance officer shall ensure that the reports referred to in paragraph 11.9 are readily available to the internal audit function of the EMI, the Bank and other relevant regulatory authorities upon request.
Risk management

S 11.11 An EMI shall establish a risk management framework that enables the identification, measurement and continuous monitoring of all relevant and material risks. The framework shall be supported by a robust management information system (MIS) that facilitates timely and reliable reporting of risks.

S 11.12 An EMI shall establish risk monitoring and reporting requirements, which include the development and use of key risk indicators to provide early warnings of adverse risk developments, to ensure the EMI is able to manage and mitigate its risks in a timely manner.

S 11.13 The risk management officer must report to the board and senior management on a regular basis on the assessment of material risks affecting the EMI, and ensure the material risks are mitigated and periodically monitored. The report must be readily available to the internal audit function of the EMI, the Bank and other regulatory authorities upon request.

Internal Audit

S 11.14 An EMI shall ensure that there is clear separation of the internal audit function from other control functions, e.g. the compliance and risk management functions.

S 11.15 The compliance and risk management functions, and the framework for such functions, shall be included in the risk assessment methodology of the internal audit function, and an audit programme that covers the adequacy and effectiveness of the compliance and risk management functions’ responsibilities shall be established, including testing of controls commensurate with the perceived level of risk.

S 11.16 The internal audit function shall report regularly to the board and senior management on the effectiveness and adequacy of the risk management and compliance functions, and assess whether the said functions are working effectively.
S 11.17 The internal audit function shall inform senior management, including the compliance or risk management officer, of any incidents of non-compliance or material risks that it discovers.

12 Shariah governance

S 12.1 Paragraphs 12.2 to 12.8 shall only apply to EMIs approved by the Bank under section 15(1)(e) of the FSA or section 11 of the IFSA.

S 12.2 An EMI that issues Shariah compliant e-money shall comply with the rulings of the Shariah Advisory Council of Bank Negara Malaysia and relevant Shariah standards issued by the Bank.

S 12.3 The board shall be responsible for ensuring the EMI’s Shariah compliant e-money complies with Shariah at all times.

S 12.4 Senior management shall ensure the operationalisation of Shariah compliant e-money complies with Shariah at all times.

S 12.5 An EMI that issues Shariah compliant e-money shall appoint a qualified individual, a company or an existing Shariah committee[7] within its group affiliate as a Shariah advisor, who is responsible for providing objective and sound advice to ensure that the EMI complies with Shariah at all times.

S 12.6 For purposes of paragraph 12.5, the individual Shariah advisor or the representative of a company appointed as the Shariah advisor of an EMI shall–
    (a) be a Muslim individual;
    (b) not be an active politician;
    (c) hold a bachelor’s degree in Shariah, which includes study in Usul Fiqh (principles of Islamic jurisprudence) or Fiqh Muamalat (Islamic transaction/commercial law); and
    (d) possess solid knowledge in Shariah with reasonable knowledge and experience in Islamic finance.

S 12.7 An EMI shall notify the Bank in writing of–
    (a) a new appointment of the Shariah advisor within fourteen (14) days from the date of such appointment; or
    (b) an existing appointment of the Shariah advisor within fourteen (14) days from the effective date of this policy document.
S 12.8 An EMI must ensure the robustness of its internal control functions for effective management of Shariah non-compliance risk. This shall include, but is not limited to, the EMI conducting an annual assessment of the compliance of the Shariah compliant e-money issued by it with the relevant Shariah requirements.

[7] Which has been approved by the Bank under section 31 of the IFSA.

13 Fit and proper

S 13.1 An EMI shall ensure its directors, CEO and individual Shariah advisor are people of calibre, credibility and integrity, and fulfil the fit and proper criteria as stipulated in the policy document on Fit and Proper Criteria for Approved Person as amended from time to time[8].

S 13.2 Where the Shariah advisor appointed is a company, an EMI shall ensure that the company’s executive director, senior management and the representative of the company appointed as the Shariah advisor of the EMI fulfil the fit and proper criteria as stipulated in the policy document on Fit and Proper Criteria for Approved Person as amended from time to time.

[8] For the avoidance of doubt, references to “key responsible persons” in the policy document on Fit and Proper Criteria for Approved Person as amended from time to time shall be deemed to include references to a “Shariah Advisor” for purposes of this policy document.

PART C OPERATIONAL AND RISK MANAGEMENT REQUIREMENTS

14 Local incorporation

S 14.1 An EMI shall be a company incorporated under the Companies Act 2016.

15 Minimum capital funds for non-bank EMI

S 15.1 A non-bank EMI shall maintain the required minimum amount of capital funds as prescribed by the Bank under section 12(1) of the FSA and IFSA.

S 15.2 For purposes of paragraph 15.1, the required minimum capital funds shall be computed in accordance with Appendix 4.
16 Safeguarding of funds

S 16.1 An EMI shall ensure any funds collected in exchange for e-money issued are maintained in a separate account from other funds, be it the EMI’s working capital or any funds maintained for the EMI’s other business or activity.

S 16.2 A non-bank EMI shall deposit the funds collected in exchange for e-money issued in a trust account with a banking institution after receiving them from a customer, in accordance with the following requirements–
    (a) the trust account shall be established in accordance with the Trustee Act 1949;
    (b) the funds can only be used for the following–
        (i) refund to customers;
        (ii) payment to merchants for settlement of transactions conducted by the customer, including for repayment of any advance settlement by relevant intermediaries (e.g. payment system operator, acquirer) involved in making the payment to merchants; or
        (iii) payment to another e-money account or bank account arising from a credit transfer transaction conducted by the customer;
    (c) the funds can only be invested in high quality liquid ringgit assets, which are limited to–
        (i) deposits placed with banking institutions;
        (ii) debt securities issued or guaranteed by the Federal Government or the Bank;
        (iii) Cagamas debt securities; and
        (iv) other instruments as may be specified by the Bank;
    (d) any revenue earned from the investment of the funds in the trust account can only be used for activities specified under paragraph 16.2(b), unless the funds are in excess of the total outstanding e-money liabilities; and
    (e) payment for any costs, charges and expenses incurred in connection with the administration of the trust account can be made from the trust account only if the balance in the trust account after deduction of the costs, charges and expenses is sufficient to cover all outstanding e-money liabilities.
S 16.3 A non-bank EMI shall ensure that funds in the trust account are at all times sufficient to cover the total outstanding e-money liabilities.

G 16.4 Where a non-bank EMI’s total outstanding e-money liabilities are greater than the funds in the trust account, the non-bank EMI is encouraged to deposit funds into the trust account within one (1) working day to ensure paragraph 16.3 is complied with.

G 16.5 Notwithstanding paragraph 16.2, a non-bank EMI with total outstanding e-money liabilities of less than RM1 million may safeguard the funds collected in exchange for e-money issued using–
    (a) a bank guarantee; or
    (b) other methods, subject to the following conditions:
        (i) the effectiveness of the method must be at par with a bank guarantee or trust account; and
        (ii) the non-bank EMI obtains the Bank’s prior written approval.

G 16.6 An EMI is recommended to spread out the placement of the funds received in exchange for e-money issued in bank accounts maintained at several banking institutions, to mitigate risk exposure to any single banking institution.

S 16.7 A non-bank EMI shall ensure that it has sufficient liquidity for its daily operations. At a minimum, an EMI shall maintain a liquidity ratio[9] of one (1).

[9] Liquidity ratio refers to the current ratio of the EMI (i.e. current assets / current liabilities).

17 Business continuity management[10]

[10] For the avoidance of doubt, eligible EMIs and EMIs that are banking institutions shall comply with the requirements under the policy document on Business Continuity Management as amended from time to time.

S 17.1 The board and senior management are responsible for ensuring the identification and implementation of an effective BCM framework within the EMI.

S 17.2 An EMI must undertake a structured risk assessment process to–
    (a) identify potential threats that could cause material business disruptions, resulting in an inability to fulfil business obligations; and
    (b) assess the likelihood of the identified threats occurring and determine the impact on the EMI.

G 17.3 For purposes of paragraph 17.2, the EMI is encouraged to carry out a business impact analysis (BIA) on an annual basis and whenever there are material changes to the EMI’s business activity, as this forms the foundation for developing the business continuity plan (BCP).

S 17.4 An EMI shall determine the maximum tolerable downtime (MTD) and recovery time objectives (RTO) for each critical business function. The goal is to develop a BCP that details the procedures and the minimum level of resources required to recover the critical business functions within the recovery timeframe and maintain services at an acceptable level.

S 17.5 An EMI shall develop an effective BCP and disaster recovery plan (DRP) for at least all critical business functions.

S 17.6 To ensure the comprehensiveness of its BCM, an EMI shall ensure its service provider has an effective BCP and DRP, and implements relevant safeguards to ensure continuity of the material outsourcing arrangements, with the objective of minimising the EMI’s business disruptions.

S 17.7 The BCP and DRP of an EMI and its service provider must be tested regularly to ensure the functionality and effectiveness of the recovery strategies and procedures, and the preparedness of staff and other recovery resources.

18 Outsourcing arrangement

S 18.1 An EMI shall remain responsible and accountable for any services outsourced to a service provider under an outsourcing arrangement.

S 18.2 An EMI shall obtain the Bank’s prior written approval before–
    (a) entering into a new material outsourcing arrangement; or
    (b) making material changes to an existing material outsourcing arrangement.
S 18.3 For the purpose of paragraph 18.2, in assessing whether an outsourcing arrangement is material, an EMI shall take into consideration the following factors:
    (a) the significance of the outsourced activity in facilitating the EMI to achieve its strategic and business objectives;
    (b) the impact on the EMI’s continuing ability to meet its obligations to its customers and counterparties in the event the service provider fails to provide the service or encounters a breach of data confidentiality or security;
    (c) the aggregate exposure to a particular service provider in cases where the EMI, including any affiliates, outsources multiple activities to the same service provider; or
    (d) the complexity of the outsourcing arrangement and the number of parties involved, in particular where the service is sub-contracted or where more than one service provider collaborates to deliver an end-to-end outsourcing solution.

S 18.4 The board shall review and approve any new material outsourcing arrangement considered by the EMI, or any material changes to an existing material outsourcing arrangement, before the proposal is submitted to the Bank for approval.

S 18.5 Prior to entering into any outsourcing arrangement, an EMI shall, at a minimum, ensure the following–
    (a) availability of sufficient expertise within the EMI to oversee and manage[11] the outsourcing relationship; and
    (b) the scope and nature of services and operations to be outsourced would not compromise the controls and risk management of the EMI’s services.
    An EMI shall ensure the following–
        (i) the outsourcing of such processes does not take away the critical decision making function of the EMI;
        (ii) the outsourcing of such processes does not threaten the strategic flexibility and internal control framework of the EMI;
        (iii) the outsourcing of such processes would not impair the reputation, integrity and credibility of the EMI; and
        (iv) processes are in place for the EMI to retain the continuous ability to comply with the regulatory and supervisory requirements on the outsourced functions.

[11] For the avoidance of doubt, an EMI may leverage on group resources to meet this requirement provided there is a clear mandate that the function of the shared group service includes the oversight of affiliates’ outsourcing arrangements, and that access to these group resources is always available upon the EMI’s request for internal use or for supervisory purposes.

S 18.6 An EMI shall have a contingency plan or arrangements to secure business continuity in the event the outsourcing arrangement is suddenly terminated. This is to mitigate any major business disruption that may occur as a result of the termination of the outsourcing arrangement. The contingency plan shall be reviewed from time to time to ensure that the plan is current and ready for implementation in the event of sudden termination of the outsourcing arrangement.

S 18.7 An EMI shall require the service provider to report to the EMI, and the EMI shall monitor the service provider to ensure that the integrity and quality of work conducted by the service provider is maintained.

S 18.8 An EMI shall ensure periodic independent reviews are conducted on the outsourced arrangement to monitor the performance of service providers.
The reviews shall be done either by the EMI’s internal and/or external auditors, or independent reports shall be made available by the service providers, with the same scope of review as if the said operations were conducted in-house.

S 18.9 An EMI shall ensure that any weaknesses highlighted during the review under paragraph 18.8 are well documented and promptly rectified by the service provider, especially where such weaknesses may affect the integrity of the internal controls of the EMI.

Assessment of service provider

S 18.10 An EMI shall conduct appropriate due diligence on a service provider at the point of considering new outsourcing arrangements, and upon renewing or renegotiating existing arrangements. The due diligence must cover, at a minimum–
    (a) capacity, capability, financial strength and business reputation. This includes an assessment of whether the service provider is a going concern and has strong governance structures to manage the outsourced activity throughout the duration of the arrangement;
    (b) risk management and internal control capabilities, including physical and IT security controls, and BCM. This includes the ability of the service provider to respond to service disruptions or problems resulting from natural disasters and physical or cyber-attacks within an appropriate timeframe;
    (c) the location of the outsourced activity (e.g. city and country), including primary and back-up sites;
    (d) access rights of the EMI and the Bank to the service provider;
    (e) measures and procedures to ensure data protection and confidentiality;
    (f) reliance on sub-contractors, if any, in particular where the sub-contracting adds further complexity to the operational chain of the outsourcing arrangement;
    (g) undue risks[12] resulting from similar business arrangements, if any, between the service provider and the EMI;
    (h) the extent of concentration risk to which the EMI is exposed with respect to a single service provider, and mitigation measures to address this concentration. This does not apply to a service provider that is an affiliate and is supervised by a financial regulatory authority; and
    (i) ability of the service provider to comply with relevant laws, regulations and requirements in this policy document.

[12] For instance, concentration risk to a systemic service provider in the industry, or where the service provider’s fee structure or relationship with the EMI may create potential conflict of interest issues.

S 18.11 In performing due diligence on an affiliate, an EMI shall make an objective assessment of the affiliate’s ability to perform the outsourced activity, guided by the considerations listed in paragraph 18.10.

S 18.12 An EMI shall ensure that the outcomes of the due diligence process are well-documented and included in the outsourcing arrangement proposal to the board for approval.

Outsourcing agreement

S 18.13 An EMI shall ensure that the outsourcing arrangement is governed by a written agreement that is legally enforceable and includes the minimum requirements specified in Appendix 6.
S 18.14 The outsourcing agreement must also contain provisions which–
    (a) enable the Bank to have direct, timely and unrestricted access to the systems and any information or documents relating to the outsourced activity;
    (b) enable the Bank to conduct on-site supervision of the service provider where the Bank deems necessary;
    (c) enable the Bank to appoint an independent party to perform a review of the relevant systems, information or documents of the service provider relating to the outsourced activity, where the Bank deems necessary; and
    (d) allow the EMI the right to modify or terminate the arrangement when the Bank issues a direction to the EMI to that effect under the FSA or IFSA, as the case may be.

Protection of data confidentiality

S 18.15 An EMI shall ensure that appropriate controls are in place and are effective in safeguarding the security, confidentiality and integrity of any information shared with the service provider. In meeting this requirement, an EMI shall ensure that–
    (a) information disclosed to the service provider is limited to the extent necessary to provide the contracted service, and only on a need-to-know basis;
    (b) all locations (e.g. city and country) where information is processed or stored by the service provider, including back-up locations, are made known to the EMI;
    (c) where the service provider is located, or performs the outsourced activity, outside Malaysia, the service provider is subject to data protection standards that are at a minimum comparable to Malaysia’s;
    (d) where the service provider provides services to multiple clients, the EMI’s information is segregated[13] from the information of other clients of the service provider;
    (e) the service provider maintains compliance with applicable security requirements and established security standards[14] at all times; and
    (f) the service provider undertakes measures to safeguard customer information of the EMI at all times and reports any customer information breach to the EMI within an agreed timeframe.

[13] Either logically or physically.

[14] Any relevant local or international standards commonly applied by the relevant industry.

Outsourcing outside Malaysia

S 18.16 In conducting the due diligence process in respect of outsourcing arrangements where the service provider is located or performs the outsourced activity outside Malaysia, an EMI shall ensure that such assessment addresses the added dimensions of risk associated with outsourcing outside Malaysia, and the ability of the EMI or service provider to implement appropriate responses to emerging risk events in a timely manner.

S 18.17 An EMI shall ensure that the outsourcing arrangements undertaken outside Malaysia are conducted in a manner which does not affect–
    (a) the EMI’s ability to effectively monitor the service provider and execute its BCM;
    (b) the EMI’s ability to promptly recover data in the event of the service provider’s failure, having regard to the laws of the particular jurisdiction; and
    (c) the Bank’s ability to exercise its supervisory powers, in particular the Bank’s timely and unrestricted access to systems, information or documents relating to the outsourced activity.

Outsourcing involving cloud services

S 18.18 In relation to the EMI’s ability to conduct audits and inspections of the cloud service provider and sub-contractors, an EMI may rely on third party certifications and reports made available by the cloud service provider for the audit, but such certifications or reports shall not substitute for the EMI’s right to conduct on-site inspections where necessary. Such reliance must be supported by an adequate understanding and review of the scope of the audit and the methods employed by the third party, and by access by the EMI to the said third party and cloud service provider to clarify matters relating to the audit.

S 18.19 In relation to the testing of a cloud service provider’s BCP, an EMI must be able to access information on the state of robustness of the controls instituted by such cloud service providers arising from the BCP testing.

19 Fraud risk management

S 19.1 An EMI shall ensure risk management processes, procedures, systems and controls are in place to enable effective fraud risk mitigation and management.

S 19.2 An EMI shall establish effective procedures on fraud detection, analysis, investigation and reporting, which include–
    (a) fraud detection and transaction monitoring that can facilitate timely identification and mitigation of suspicious transactions;
    (b) regular analysis to understand fraud trends and modus operandi. This includes the ability to be vigilant of evolving trends and taking into account material changes in the business strategy which may increase exposure to potential fraud risk; and
    (c) reporting of fraud incidents to senior management and the board on a regular basis.

S 19.3 An EMI shall conduct periodic reviews on the adequacy of its fraud risk mitigation measures.
S 19.4 In the event of fraud occurrences, the EMI shall take appropriate and immediate corrective measures to address gaps and vulnerabilities in order to strengthen the security features of its e-money scheme.

S 19.5 An EMI shall implement relevant safeguards to prevent unauthorized reloading and usage of an e-money account, in particular if auto reloading and peer-to-peer transfer services are allowed.

Risk-based authentication for online payment transactions

S 19.6 An EMI shall authenticate its customer for online payment transactions using strong authentication methods, such as multi-factor authentication (MFA)[15], to mitigate the risk of fraudulent online payment transactions.

G 19.7 Notwithstanding paragraph 19.6, an EMI may adopt risk-based authentication for low risk online payment transactions.

[15] Based on three (3) basic authentication factors, namely something the user knows (e.g. PIN, personal information), something the user possesses (e.g. identity card, registered mobile number) and something the user is (e.g. biometric characteristics), which are mutually exclusive.

S 19.8 For the purpose of paragraph 19.7, low risk online payment transactions shall consist of the following–
    (a) online payment transactions below RM250 per transaction; or
    (b) recurring or card-on-file[16] transactions below RM10,000[17] per transaction, where an EMI has authenticated its customer using strong authentication for first time use.

[16] Refers to a transaction where the cardholder has authorised the merchant to store the cardholder’s card payment information securely for future purchases.

[17] For open third party fund transfer and open payment transactions with a value of RM10,000 and above, an EMI shall deploy multi-factor authentication solutions with stronger security controls as per paragraphs 28.71 to 28.73 of this policy document.

S 19.9 In applying risk-based authentication for low risk online payment transactions under paragraph 19.7, an EMI shall–
    (a) ensure the use of effective risk analysis tools and establish a set of criteria or factors that appropriately reflect the nature, size and characteristics of the online payment transactions. Such criteria or factors must be consistent with the EMI’s risk appetite and tolerance level; and
    (b) periodically review the risk assessment criteria or factors to ensure their continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies, as well as fraud trends and incidents.

G 19.10 An EMI is encouraged to identify a tolerable aggregate amount of low risk online payment transactions eligible for risk-based authentication, to mitigate against high fraud losses.

S 19.11 An EMI shall notify the Bank at least fourteen (14) days prior to first-time implementation of risk-based authentication for low risk online payment transactions under paragraph 19.7.

S 19.12 Where an EMI adopts risk-based authentication that enables customers to make unauthenticated online payment transactions, the EMI shall–
    (a) provide customers with an option to opt out of or disable the function that allows unauthenticated online payment transactions, and the option shall be made available through convenient means;
    (b) set a maximum daily cumulative limit for both the amount and number of unauthenticated online payment transactions for a customer;
    (c) ensure that the customer uses a strong authentication method once the online payment transactions exceed the maximum daily cumulative limit; and
    (d) not hold a customer liable for fraud losses arising from unauthenticated online payment transactions in situations where the EMI has decided not to apply authentication methods, unless the EMI can prove with sufficient evidence that the customer has acted fraudulently.

S 19.13 An EMI shall provide convenient means for customers to reduce the limits applied under paragraph 19.8 or the maximum daily cumulative limit set under paragraph 19.12(b).

S 19.14 An EMI shall undertake efforts to raise awareness among customers on an on-going basis to ensure customers understand the functionalities of risk-based authentication, the potential risks of unauthenticated transactions, as well as measures that may be taken by customers to limit such risks (e.g. opt-out). Such efforts shall be made using–
    (a) mediums or channels which enable communications to be displayed prominently and easily accessible to customers, such as in mobile phone applications, e-mails and application notifications; and
    (b) communication methods that can facilitate easy understanding by customers, such as being multi-lingual, publishing frequently-asked questions and providing clarity in explanation by call-centres.

S 19.15 An EMI shall immediately provide transaction alerts to customers, including customers with foreign-registered mobile numbers, after every successful online payment transaction that is not authenticated as per paragraph 19.6.

Contactless verification requirement

S 19.16 Paragraphs 19.17 to 19.20 shall only apply to an EMI that issues international scheme prepaid cards.

S 19.17 An EMI shall set a maximum amount for each contactless transaction, as well as an appropriate cumulative limit for contactless transactions, which do not entail any customer verification.
S 19.18 To promote confidence in the use of contactless prepaid cards, an EMI shall provide customers with the ability to manage the cumulative transaction limit by undertaking the following–
(a) provide customers with convenient means to set a lower cumulative transaction limit for contactless transactions;
(b) provide customers with convenient means to turn off the contactless functionality in contactless prepaid cards; and
(c) raise awareness among customers about the facilities set out in paragraphs (a) and (b), at a minimum via the EMI's websites and product disclosure sheet.

Opt-in requirement for card-not-present and overseas transactions

S 19.19 An EMI must by default disable customers from making–
(a) any card-not-present transaction that is not authenticated via a strong authentication method such as a dynamic password; and
(b) any overseas transaction using a prepaid card,
and inform the customers of the risks of such transactions.

S 19.20 An EMI shall only allow customers to make the transactions listed in paragraph 19.19 where the customers have expressly opted in to conduct such transactions. Where customers have opted in to conduct such transactions, the EMI shall provide the customers with the option to disable such transactions.

G 19.21 Notwithstanding paragraph 19.16, an EMI that facilitates cross-border payment via its network-based e-money is also encouraged to observe the requirements in paragraphs 19.19(b) and 19.20, where relevant.

20 Account management

S 20.1 An EMI shall ensure all e-money transactions in Malaysia are in ringgit.

S 20.2 An EMI shall ensure e-money transactions comply with the prevailing foreign exchange rules, including but not limited to those related to investments in foreign currency assets by residents and payment in foreign currency between residents, through the implementation of robust internal controls and procedures.
S 20.3 An EMI shall ensure any physical cash withdrawal outside Malaysia using e-money is undertaken in foreign currency only.

S 20.4 An EMI that facilitates withdrawal of e-money balances into a bank account shall ensure any withdrawal of funds from the e-money account is paid into the customer's own bank account with a banking institution only, unless the EMI participates in the Real-time Retail Payments Platform (RPP) and offers credit transactions, where withdrawal of e-money balances18 may be made to other bank or e-money accounts.

S 20.5 An EMI shall ensure proper recording, management and monitoring of the accounts of all its customers, at all times.

18 Subject to compliance with the relevant AML/CFT requirements.

Wallet limit

S 20.6 An EMI shall ensure the wallet limit adopted for its e-money is commensurate with the purpose and size of customer transactions.

S 20.7 An EMI shall ensure adequate security and operational safeguards are in place to mitigate any risks associated with the use of e-money within the specified wallet limit.

S 20.8 An EMI shall obtain the Bank's prior written approval if the increase in wallet limit will result in the following–
(a) the wallet limit becoming RM5,000 or more; or
(b) changes in the functionality and product features of the e-money.

S 20.9 An EMI shall notify the Bank at least fourteen (14) days prior to any increase in wallet limit below the RM5,000 threshold where the increase does not involve any changes in functionality and product features of the e-money.

Refund of e-money balances

S 20.10 An EMI shall provide refunds of e-money balances in its customers' accounts in the event a customer decides to close their account, was wrongly charged, or due to disputed transactions.

S 20.11 The refund shall be made without any additional costs and shall be done within fourteen (14) days from the date the claim is made by the customer, except for complex refund cases.
G 20.12 Notwithstanding paragraph 20.11, in cases where a customer requests for the refund of e-money balances to be remitted overseas, an EMI may charge the customer the actual costs incurred by the EMI. The EMI is encouraged to also disclose clearly in the terms and conditions of the e-money product the circumstances under which a fee will be imposed for the refund of e-money balances and the applicable fee.

S 20.13 For complex refund cases that cannot be completed within fourteen (14) days, the EMI shall communicate the reason for such delays to customers in a timely manner and complete the cases within thirty (30) days.

S 20.14 An EMI shall provide customers with options for the method of refund and shall not limit refunds only to the crediting of funds back into the customer's e-money account.

Unclaimed e-money balances

S 20.15 An EMI shall manage any unclaimed e-money balances in accordance with the Unclaimed Moneys Act 1965.

21 White labelling

S 21.1 An EMI shall obtain the Bank's prior written approval before–
(a) entering into a white labelling arrangement for the first time; or
(b) making material changes to existing white labelling arrangements.

S 21.2 After obtaining the Bank's written approval under paragraph 21.1(a), an EMI shall notify the Bank of any subsequent white labelling arrangement at least fourteen (14) days prior to entering into the said arrangement.

S 21.3 Prior to obtaining the Bank's approval, the board shall review and approve the EMI's plan to offer the white labelling arrangement and ensure that the EMI has sufficient resources and capacity to offer such a solution. This includes, but is not limited to, having in place a framework, policy and operational procedures, manpower and system infrastructure to support the white labelling solution offered to the partner or other entity.
S 21.4 Senior management shall ensure adequate oversight of the implementation of the EMI's white labelling arrangement.

S 21.5 Providing white labelling solutions to a partner or another entity does not absolve the EMI of its responsibility to ensure that the said solution complies with the requirements under this policy document and other applicable standards, including those specified in paragraph 6.1.

S 21.6 An EMI must not engage in white labelling arrangements with a partner or entity with dubious or illegal activities.

S 21.7 At a minimum, an EMI that provides white labelling of its e-money shall ensure–
(a) proper due diligence is conducted on the partner or entity to which it plans to offer the white labelling solution, which includes assessments of their credibility and capability;
(b) an agreement with the partner or entity involved in the white-labelling arrangement is in place and clearly indicates the following–
(i) the rights and responsibilities of each party;
(ii) responsibilities of the partner or entity on controls and measures to ensure information security;
(iii) the dispute resolution process in the event of default or non-performance of obligations, including remedies and indemnities where relevant;
(iv) the ability of the EMI and its external auditor19 to conduct audits and on-site inspections on the partner or entity in relation to the white labelling arrangement;
(c) the partner or other entity involved in the white-labelling arrangement provides adequate system safeguards for the installation and use of the white labelling solution; and
(d) the partner or other entity involved in the white-labelling arrangement has appropriate policies and procedures for customer and merchant on-boarding.
S 21.8 The EMI shall provide clear and prominent disclosure to customers on the roles and responsibilities of the partner or entity, as well as the EMI, for the e-money issued, including in managing any disputes or issues faced by the customers.

S 21.9 The EMI shall disclose the name and brand of the partner and other entity that is using its white labelling solution on the EMI's website and any other relevant platform.

S 21.10 The EMI shall maintain proper records, with an appropriate level of granularity, of funds tagged to each partner or entity and their individual customers, including but not limited to records of funds collected from customers, the e-money transactions, complaints and resolutions, as well as refunds made to its customers or payments to its merchants.

S 21.11 For the purposes of paragraph 21.10, a non-bank EMI shall ensure that the trustee who manages the trust account as required under paragraph 16.2 also has clarity on the funds tagged to the customers and merchants of each partner or entity, to ensure proper distribution of funds.

22 Other business or activity

Promoting or cross-selling financial products or services

S 22.1 A non-bank EMI shall not use its e-money platform or system to promote or cross-sell any financial products or services20 except with the Bank's prior written approval.

S 22.2 The board shall review and approve any arrangement to promote or cross-sell any financial products or services before the proposal is submitted to the Bank for approval.

19 Including an agent appointed by the EMI.
20 For the avoidance of doubt, this shall include any financial products or services regardless of whether they are offered by a regulatee of the Bank or otherwise.
S 22.3 Prior to entering into any arrangement to promote or cross-sell any financial products or services on its e-money platform or system, a non-bank EMI shall, at a minimum, ensure the following–
(a) the scope and nature of such arrangement would not significantly increase the risk exposure of the non-bank EMI and would not impair the reputation, integrity and credibility of the non-bank EMI; and
(b) the necessary controls and risk management are in place to manage any risks from such arrangement.

S 22.4 A non-bank EMI shall ensure the agreement to promote or cross-sell any financial products or services on its e-money platform or system clearly sets out the accountabilities of each party in the arrangement.

S 22.5 A non-bank EMI shall provide clear communication to its customers on the demarcation of roles between the non-bank EMI for the e-money business and the provider of the products or services promoted or cross-sold on its e-money platform or system.

S 22.6 A non-bank EMI shall inform customers who is responsible for managing complaints or disputes pertaining to the products or services promoted or cross-sold on its e-money platform or system, including appropriate avenues for customers to seek redress.

S 22.7 A non-bank EMI shall notify the Bank at least fourteen (14) days prior to entering into an arrangement to promote or cross-sell non-financial products or services.
Other business of EMI

S 22.8 A non-bank EMI that carries on any other business or activity within the same entity, which is not in connection with or for the purposes of its e-money business, shall–
(a) establish clear segmentation between the e-money business and the other business or activity, which shall include but is not limited to establishing and maintaining segmented financial reports21 on the e-money business;
(b) establish clear segregation of policies and procedures between the e-money business and the other business or activity;
(c) establish clear roles, responsibilities and accountability of the board, senior management and staff for each business or activity;
(d) ensure no commingling of e-money funds with its working capital or funds of the other business or activity; and
(e) demonstrate a strong financial position to mitigate the potential that the other business or activity may pose a higher risk to the sustainability of the non-bank EMI.

21 May be segmented in the management accounts.

S 22.9 A non-bank EMI shall notify the Bank in a timely manner of the following–
(a) prior to operationalising other business or activities that may potentially be of high risk, the potential impact of such business or activities on the financial viability or reputation of the non-bank EMI; and
(b) any potential risk or issues arising from its existing non-e-money business or activities which may significantly impact the financial viability or reputation of the non-bank EMI.

23 Specific requirements for registered merchant acquirers

S 23.1 An EMI that acquires merchants for the purpose of accepting payment instruments, including its own e-money, shall be registered pursuant to sections 17(1) and 18 of the FSA.
S 23.2 For the purpose of paragraph 23.1, an EMI which is a registered merchant acquirer shall also refer to the requirements specified in the policy document on Merchant Acquiring Services, as amended from time to time.

24 Exit plan

S 24.1 A non-bank EMI shall be prepared to exit the e-money business in the event its business proves to be unsustainable or can no longer support its operations in a reliable manner.

S 24.2 A non-bank EMI shall maintain an exit plan which will enable the non-bank EMI to unwind its business operations voluntarily, without any regulatory intervention and in an orderly manner, without causing disruption to its customers, merchants and the payment ecosystem where it operates.

S 24.3 For the purpose of paragraph 24.2, a non-bank EMI shall establish an exit plan valid for a three (3)-year period, which can be operationalised if needed. At a minimum, the exit plan must include the following–
(a) plausible internal triggers22 for exiting the business, which demonstrate an unsustainable business, inability to fulfil the value proposition of its e-money business, or materialisation of risks beyond the non-bank EMI's own risk appetite;

22 Refer to paragraph 24.4(b).
(b) likely options and related measures to be taken for exit that minimise disruption to its customers, merchants and the payment ecosystem23 where it operates;
(c) potential impediments to the execution of identified exit options and measures to mitigate the impact of such impediments;
(d) sources of funding and liquidity for exit (in addition to safeguarding customer funds) and the estimated timeframe to exit the business;
(e) the necessary capabilities required to extract and aggregate data on customers and/or merchants in a timely manner, upon request, including up-to-date contact information and refund/payment mechanism; and
(f) the necessary capabilities and resources required to ensure continuity of services throughout the implementation of the exit plan, including the continuity of services under outsourcing arrangements.

S 24.4 In relation to paragraph 24.3, a non-bank EMI shall provide to the Bank a comprehensive description of its exit plan which includes the following–

Table 1: Content of an exit plan

Requirement | Details
(a) Governance to support informed decision making in the activation of exit plan | Well-defined roles and responsibilities of the board, senior management and business unit. Policies, procedures and MIS to inform and support decision-making and smooth execution of exit plan.
(b) Exit triggers | Identification of exit triggers, i.e. factors and indicators/thresholds that will prompt activation/execution of the exit plan. The exit triggers at a minimum shall include compliance-related indicators, in particular on minimum capital funds, liquidity ratio and the safeguarding of customer funds. Processes for continuous monitoring of factors and indicators/thresholds.
(c) Measures to enable an orderly exit from the business while | Identification of possible actions that can be undertaken under different scenarios. Identifica