Following up on their exposure draft issued in June 2021, Bank Negara Malaysia ("BNM") has recently issued a Policy Document on the requirements and guidance applicable to approved issuers of electronic money ("EMI").[1] Serving a twofold purpose, the Policy Document aims to:
- Ensure the safety and reliability of E-money issued by EMI; and
- Preserve customers' and merchants' confidence in using or accepting E-money for the payment of goods and services.
The usage of E-money has grown exponentially in recent times. Based on BNM's data, the average number of digital payment transactions per capita has more than quadrupled over the last 10 years, increasing from 49 transactions per capita in 2011 to over 221 transactions per capita in 2021. In 2020, the nation saw 3 million new mobile banking service subscriptions, largely due to the COVID-19 pandemic. In light of our increasing reliance on E-money, it is of utmost importance that the integrity of E-money payment systems is duly safeguarded.
The Policy Document is divided into 5 parts –
- Part A – Overview;
- Part B – Governance;
- Part C – Operational and Risk Management Requirements;
- Part D – Information Technology (IT) Requirements; and
- Part E – Regulatory Process.
This Update will focus on Part D of the Policy Document, which sets out the IT requirements imposed by BNM. With over 20 pages dedicated to IT Requirements, the Policy Document imposes extensive risk assessment and management obligations, including:
- Establishing a Technology Risk Management Framework ("TRMF") to safeguard the EMI's information infrastructure, systems and data as an integral part of the EMI's risk management framework;
- Establishing an independent enterprise-wide technology risk management framework for implementing the TRMF as well as a Cyber Resilience Framework ("CRF");
- Appointing a Chief Information Security Officer ("CISO") to be responsible for the technology risk management function of the EMI;
- Establishing an Enterprise Architecture Framework that provides a holistic view of technology systems and functions of the EMI;
- Establishing clear risk management policies and practices for key phases of the system development cycle ("SDLC");
- Establishing proper management of data infrastructures, authorisation procedures to ensure confidentiality, integrity and availability of data;
- Conducting a comprehensive risk assessment prior to cloud adoption which considers the inherent architecture of cloud services;
- Implementing an appropriate and robust access control policy for logical and physical technology access controls;
- Implementing additional controls for high-risk transactions or transactions above RM10,000.00; and
- Ensuring that technology systems and applications are properly audited.
In devising and implementing risk management measures for all technology functions in an EMI, the Policy Document further provides that the following factors should be considered:
- Risk measures adopted should be proportional to the size of the operations of the EMI;
- Periodic and rigorous testing of the efficacy of risk measures;
- Ensuring that proper authorisation procedures and adequate measures are adopted when sensitive data is involved;
- Identifying risks that could lead to a broader impact on the EMI's operational capabilities;
- Appointing technically competent external technology service providers to assess and improve on risk management measures; and
- Ensuring that the implementation of risk assessment measures is properly recorded, and that it is available upon request by BNM.
With an overarching theme of accountability, it is clear that BNM expects key personnel, comprising the Board of Directors and Senior Management, to be actively involved in monitoring the efficacy of the IT risk management measures. As set out in the Policy Document, the engagement of technology service providers, including engagements for independent assessment, does not in any way reduce or eliminate the EMI's principal accountabilities and responsibilities over the security and reliability of technology functions and systems. Further, the risk management measures implemented by the EMI must be properly documented and made available upon BNM's request.
Thus, key players in the industry must actively assess and improve on their EMI's IT risk management measures and carry out robust due diligence on third-party service providers. These steps are crucial in minimising the risk of technology functions disrupting an EMI's operations. Though extensive and rather onerous, it is imperative that EMIs implement the requirements in the Policy Document in a timely manner. This will serve to enhance the integrity of their payment systems and avoid the risk of enforcement actions by BNM.
1. This Policy Document was issued by BNM pursuant to s. 11 of the Financial Services Act 2013 or the Islamic Financial Services Act 2013. This Policy Document will supersede the BNM guidelines on E-money issued in 2008.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.