Bank Negara Malaysia (“BNM”), the Central Bank of Malaysia, has on 15 December 2021 issued an exposure draft of the Payment System Operator policy document (“PSO Exposure Draft”). The PSO Exposure Draft is intended to apply to all approved operators of a payment system under the Malaysian Financial Services Act 2013 and Malaysian Islamic Financial Services Act 2013 (“PSO”). The objectives of the PSO Exposure Draft are to:
- ensure the safety, efficiency and reliability of payment systems;
- preserve public confidence in the payment systems and the use of payment instruments; and
- ensure payment systems are aligned with relevant international standards.
- Under the PSO Exposure Draft, PSOs will:
  - be subject to enhanced obligations and requirements in relation to corporate governance, risk management and operational requirements, and access and participation rule requirements; and
  - have to ensure that they maintain liquid net assets of at least six months of their current operating expenses.
- The PSO Exposure Draft will also affect other participants in the payment chain and persons who deal with PSOs, including direct and indirect participants of payment systems and outsourced service providers, to the extent that obligations are passed on to them by the PSOs.
- PSOs should immediately undertake a gap analysis to begin planning for compliance with the final policy document as the PSO Exposure Draft does not contemplate a transitional period before it comes into force.
- For further information and to discuss what this development might mean for you, please get in touch with us.
In more detail
The key requirements and standards that BNM is proposing to introduce are set out below.
| No. | Subject | Key Requirements and Standards |
|---|---|---|
| 1. | Corporate Governance | The Board of a PSO is generally tasked with establishing policies that promote safety, efficiency, and reliability of payment systems. This entails having to implement control functions (e.g., risk management, compliance) that are competently staffed with reporting measures in place. The Board must include an appropriate combination of personnel with calibre and independent directors. |
| 2. | Risk Management and Operational Requirements | PSOs are required to establish and implement risk management frameworks (including a technology risk management framework, liquidity risk management framework, credit risk management framework and cyber resilience framework), risk monitoring and reporting requirements, collateral management practices, management and control systems to mitigate operational risks, a business continuity plan and a disaster recovery plan. These frameworks and plans should address: controls in safeguarding the confidentiality, integrity and availability of information; maximum tolerable downtime and recovery time objectives for all critical business functions; and identification of scenarios that may prevent the PSO's ability to provide its critical operations and services, with the appropriate plans for its recovery or orderly wind-down. |
| 3. | Adequate Capital and Liquid Net Assets Requirement | At the minimum, PSOs must maintain liquid net assets equivalent to at least six (6) months of current operating expenses. PSOs are also required to maintain: adequate liquid resources in all relevant currencies to ensure smooth settlement under normal or stress scenarios; and sufficient financial resources to cover their credit exposure to each participant. |
| 4. | Outsourcing Arrangements and Interlinkages | PSOs will be accountable for services provided by an outsourced service provider. PSOs must ensure appropriate due diligence is undertaken on the provider. PSOs will need to ensure that they monitor the service providers and allow BNM to exercise its regulatory and supervisory powers, including having unrestricted access to their systems, information and documents. PSOs must have contingency plans to secure business continuity. |
| 5. | Access and Participation Rules | Access criteria to a PSO’s payment system should be fair, open, objective, transparent and risk-based, commensurate with the risk profile of the participants. Procedures on suspension or orderly exit upon breach of, or inability to meet, participation requirements should be clearly outlined and disclosed. Rules and procedures established by PSOs must be clear, comprehensive, up-to-date and fully disclosed to their participants. Processes for proposing, implementing and communicating changes to rules and procedures must also be clear and fully disclosed. PSOs must publicly disclose their fees and relevant information that would allow participants to assess the total cost of participating in the payment system and/or services offered by a PSO. PSOs must provide timely notice to their participants of any changes to their fees. Under a tiered-participation arrangement (i.e., where an indirect participant relies on services provided by a direct participant of a PSO to access a PSO’s payment system), PSOs shall: establish rules and procedures with the direct participants to enable the PSO to obtain information on the indirect participants to identify and monitor risk; identify the significant dependencies between direct and indirect participants that may adversely affect the PSO; and regularly review the risks associated with the tiered-participation arrangements and institute appropriate mitigating measures. |
The PSO Exposure Draft will have far-reaching implications for PSOs. Changes will need to be made to their day-to-day operational requirements and to their interactions with participants across the payment infrastructure as well as with their service providers. It is imperative for PSOs to undertake a gap analysis to determine the refinements that they will need to make to comply with the requirements of the PSO Exposure Draft.
For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.
This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.