C. Risk Management and Security Standards
Chapter 10: Risk Management
Introduction
Risk management refers to the practice of identifying potential risks in advance to measure, evaluate, record, mitigate and monitor risks in order to reduce the impact of such risks on the business of a Licensed Person. The Risk Management function must recognize the range of risks associated with the business and must mitigate them effectively. This chapter provides standards regarding an effective Risk Management Framework to be implemented by a Licensed Person.
10.1 Risk Management Function
- 10.1.1 The ultimate responsibility for the formulation and implementation of an effective risk management framework lies with the Board of Directors (or with the Owner/Partners where there is no Board of Directors);
- 10.1.2 The Licensed Person must maintain a Risk Management Policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors);
- 10.1.3 The Licensed Person must designate a Risk Officer who must be given the overall responsibility of the risk management function;
- 10.1.4 Depending on the nature, size and complexity of the business, the Licensed Person may appoint a dedicated Risk Officer or combine this role with another suitable function subject to the conditions under Paragraphs 7.2.4 (a) of Chapter 7, 16.4.7 (a) and 16.5.1 (g) of Chapter 16; and
- 10.1.5 The Risk Management Policy must be reviewed annually and updated if necessary.
10.2 Risk Register
- 10.2.1 The Risk Register is the record where the results of risk analysis, whether qualitative or quantitative, are logged, including the mitigating measures and risk ownerships;
- 10.2.2 The Licensed Person must maintain a risk register in the appropriate format with the following information at a minimum:
- 10.2.3 The Risk Register must be reviewed at least quarterly to ensure that it is updated with upcoming, relevant risks and appropriate mitigating measures; and
- 10.2.4 Periodical reports on actions initiated to mitigate various risks must be submitted to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
10.3 Types of Risks
The risk management function at the Licensed Person must identify, evaluate, mitigate and monitor the following risks at a minimum:
- 10.3.1 Operational Risk
- a) Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events.
- 10.3.2 Market Risk (Currency Rate Risk)
- a) Market risk is the risk that the value of an asset may decrease due to movements of market factors;
- b) The most important type of market risk for a Licensed Person is the risk of fluctuation in the foreign currency rates; and
- c) The Licensed Person must ensure that all market forces are continuously evaluated for prudent management of market risk.
- 10.3.3 Counterparty Risk
- a) The risk that the other party to an agreement may default is the counterparty risk. The Licensed Person must identify, measure, monitor and control counterparty risk prior to establishing the business relationship; and
- b) Exposure limits assigned to counterparties must be continuously monitored.
- 10.3.4 Compliance Risk
- a) Compliance risk is the exposure to legal penalties, financial penalties and material losses that the Licensed Person faces when it fails to act in accordance with applicable Laws, Rules, Regulations, Notices and the Standards.
- 10.3.5 Reputational Risk
- a) Reputational risk is the risk of loss resulting from damage to a Licensed Person’s reputation, such as loss of revenue or increased operating, capital or regulatory costs; and
- b) Reputational risk includes the risk to the country’s image resulting from unacceptable business practices of the Licensed Person.
- 10.3.6 Security Risk
- a) Information security risk is caused by unauthorized access to information or systems, which can result in unauthorized use of such information or systems; and
- b) A Licensed Person must refer to Chapter 13 on General Security and Chapter 14 on Information Security for illustrative mitigating measures.
- 10.3.7 Money Laundering/Terrorist Financing Risk
- a) Money laundering risk is the risk of the Licensed Person being involved, whether deliberately or not, in transforming the proceeds of a crime into apparently legitimate money or other assets. The risk on account of financing terrorism, directly or indirectly, is also included here; and
- b) Licensed Persons must refer to Chapter 16 on AML/CFT Compliance to understand the expectations of the Central Bank regarding measures to be implemented in order to prevent money laundering and to combat terrorist financing.
Chapter 11: Fraud Management
Introduction
Fraud is a major challenge that the Licensed Person faces in its day to day operations. Fraud is an intentional deception for unfair or unlawful personal gain. Fraud is not always limited to obtaining cash and tangible benefits. This chapter outlines the minimum requirements of an Anti-Fraud Framework that every Licensed Person must introduce to prevent, detect, investigate and respond to fraud incidents.
11.1 Forms of Fraud
- 11.1.1 Frauds are broadly classified into Internal and External Frauds, which are defined below:
- a) Fraud carried out by individual(s) employed by the Licensed Person is called Internal Fraud; and
- b) Fraud committed by an external party against the business of the Licensed Person is referred to as External Fraud.
- 11.1.2 Fraud normally includes the following acts, although the list is not exhaustive:
- a) Misappropriation;
- b) Misrepresentation:
- • Misrepresentation of Financial Statements; and
- • Misrepresentation of Non-Financial Statements.
- c) Corruption:
- • Bribery; and
- • Illegal gratuities.
- d) Misconduct:
- • Breach of internal policies and procedures; and
- • Breach of applicable Laws, Rules, Regulations, Notices and the Standards.
- e) Any other deliberate deception for unlawful personal gain.
- 11.1.3 Throughout this chapter, the terminology “Fraud” includes all types of frauds mentioned under Paragraphs 11.1.1 and 11.1.2 of this Chapter.
11.2 Anti-Fraud Framework
- 11.2.1 The Licensed Person must implement an appropriate Anti-Fraud Framework in order to prevent, detect, investigate and respond to fraud incidents; and
- 11.2.2 The following are the four basic elements that must be included in the Anti-Fraud Framework at a minimum, depending on the nature, size and complexity of the Licensed Person:
[Figure: Elements of an Anti-Fraud Framework]
- a) Preventive measures for reducing the risk of Fraud from occurring:
- • Tone at the top by the Board of Directors (or by the Owner/Partners where there is no Board of Directors) on zero tolerance of fraud;
- • Introduce Policies and Procedures including a Code of Conduct and a Fraud Prevention Policy;
- • Conduct Fraud Risk Assessment;
- • Appropriate access controls in sensitive areas, both physical and in IT systems;
- • Segregation of duties (e.g. introducing maker/checker controls);
- • Background screening before hiring employees;
- • Annual declaration completed by all employees to:
- o Disclose conflict of interest, if any; and
- o Confirm their understanding of the Code of Conduct.
- • Provide training to assist employees to prevent fraud and to maintain public confidence.
- b) Detection measures for discovering fraud when it occurs:
- • Accurate and timely account reconciliations;
- • Independent Audits/AUPs (e.g. by External Auditors);
- • Scrutinizing required documents prior to completing transactions;
- • System controls;
- • Systematic fraud detection tools (to be implemented only if the Licensed Person has more than 25 branches); and
- • Whistleblowing Policy (to be implemented only if the Licensed Person has more than 25 branches).
- c) Investigation Process that includes the following:
- • Laid down Procedures for investigating fraud incidents through research, follow-up, interviews or a formal procedure of discovery.
- d) Response
- • Immediate reporting of fraud incidents to the police authorities, FID and the Banking Supervision Department;
- • Recovery through legal action, insurance claim, criminal referrals, disciplinary action, etc.; and
- • Monitoring:
- o Ongoing corrective actions to ensure that internal controls continue to operate effectively; and
- o Ongoing updates to respective policies and procedures to reflect developments in the Licensed Person and its operational environment.
11.3 Roles and Responsibilities
- 11.3.1 The Manager in Charge and the Board of Directors (or the Owner/Partners where there is no Board of Directors) of the Licensed Person have the overall responsibility to create a culture of zero tolerance to fraud and to oversee the implementation of the Anti-Fraud Framework;
- 11.3.2 The Licensed Person must appoint or designate a Fraud Prevention Officer who must be responsible to design, implement and manage an appropriate Anti-Fraud Framework;
- 11.3.3 Depending on the nature, size and complexity of the business, the Licensed Person may appoint a dedicated Fraud Prevention Officer or combine this role with another suitable function subject to the conditions under Paragraphs 7.2.4 (a) of Chapter 7, 16.4.7 (a) and 16.5.1 (g) of Chapter 16;
- 11.3.4 The Licensed Person’s recruitment process must fulfil the requirements of Paragraph 8.2 of Chapter 8 at a minimum;
- 11.3.5 Fraud investigations must be undertaken by a team that includes the Fraud Prevention Officer, Internal Auditor and the concerned functional head at a minimum. The Licensed Person must ensure that a person who is suspected in relation to a fraud incident is not involved in the investigation. The investigation report must be submitted to the Board of Directors (or to the Owner/Partners where there is no Board of Directors);
- 11.3.6 The Licensed Person must consult the legal advisors (internal or external) before, during or after the investigation for guidance on civil and criminal proceedings and recovery of losses;
- 11.3.7 The Human Resources Department of the Licensed Person must take disciplinary action against employees who are involved in perpetrating internal fraud;
- 11.3.8 The Internal Auditor is responsible for:
- a) conducting Fraud Risk Assessments jointly with the Fraud Prevention Officer on an annual basis and submitting the report to the Board of Directors (or to the Owner/Partners where there is no Board of Directors);
- b) reviewing the adequacy of related policies and procedures;
- c) confirming the availability of insurance cover to protect the interest of the Licensed Person;
- d) confirming that the recruitment process is in line with Paragraph 8.2 of Chapter 8;
- e) confirming that appropriate anti-fraud trainings are given to employees; and
- f) confirming that fraud incidents are appropriately reported in accordance with Paragraph 11.4 of this Chapter.
11.4 Fraud Reporting
- 11.4.1 All fraud incidents must immediately be reported to:
- 11.4.2 Fraud incidents must be reported to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) immediately when the amount of loss is equal to or above AED 50,000. A summary of other fraud incidents must be sent to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) on a monthly basis, at a minimum.
11.5 Anti-Fraud Training
- 11.5.1 The Licensed Person must ensure that:
- a) appropriate and documented anti-fraud training is provided to all employees;
- b) two such trainings are provided to employees during the first year of their employment and annual training is given thereafter;
- c) training is provided to prevent fraud incidents from taking place at the Licensed Person’s business;
- d) training covers fraud typologies, fraud detection, fraud prevention, the Licensed Person’s policies/procedures and reporting procedures at a minimum; and
- e) employees are assessed annually to test their understanding of fraud prevention measures.
- 11.5.2 Anti-fraud training may be in-house, external/outsourced, web based or a combination of all these.
11.6 Fraud Incidents Register
- 11.6.1 The Licensed Person must maintain an appropriate register to record the following information about fraud incidents, and this register must be available for verification by the Central Bank Examiners during an examination:
- a) Date of fraud incident;
- b) Brief description of the fraud incident;
- c) Parties involved;
- d) Amount of loss;
- e) Whether the loss was covered by insurance or not;
- f) Date of reporting to the police, FID and the Banking Supervision Department;
- g) Other actions taken; and
- h) Disciplinary actions taken, if applicable.
- 11.6.2 A review of the Fraud Incidents Register must be carried out at the end of every financial year to identify the anti-fraud training needs of employees for the following year.
Chapter 12: Counterfeit Currency Reporting
Introduction
Counterfeit money is an imitation currency produced without any legal sanction of the Government. Producing, circulating or using counterfeit money is a form of fraud/forgery and is a criminal offence. This chapter provides the minimum standards that every Licensed Person must implement to detect counterfeit currencies and report such incidents to the competent authorities.
12.1 Procedures for Handling Counterfeit Currencies
- 12.1.1 The Licensed Person must introduce robust procedures to detect counterfeit currencies and report such incidents to the competent authorities. Such procedures must include the following at a minimum:
- a) Methods of undertaking checks to detect counterfeit currencies;
- b) Usage of devices for checking currencies;
- c) Internal reporting procedures for counterfeit incidents;
- d) External reporting procedures (for reporting counterfeit incidents to the competent authorities such as police and to the Central Bank);
- e) Maintain appropriate registers to record counterfeit incidents; and
- f) Provide counterfeit detection training to relevant employees.
- 12.1.2 The counterfeit currency procedures must be approved by the Manager in Charge; and
- 12.1.3 The effectiveness of the counterfeit procedures must be reviewed at the end of every financial year and then the procedures must be updated if necessary.
12.2 Counterfeit Currency Detection Machines
- 12.2.1 Each licensed premises must have counterfeit detection machines and ultraviolet lamps (i.e. UV lamps);
- 12.2.2 Counterfeit detection machines must be programmed to check five (5) major currencies, at a minimum, including the local currency; and
- 12.2.3 The software programs of such machines must be regularly updated in order to ensure the effectiveness of the counterfeit detection process.
12.3 Counterfeit Identification Training
- 12.3.1 The Licensed Person must ensure that:
- a) properly documented periodical training is provided to all employees handling cash;
- b) training is provided to detect counterfeits, both in local as well as in foreign currencies;
- c) the training material covers complete counterfeit detection procedures, internal/external reporting procedures and identification features of relevant currencies that the Licensed Person may usually buy or sell across its branches;
- d) two such trainings are provided to employees during the first year of their employment and annual training is given thereafter; and
- e) identification features of newly introduced currencies, whether local or foreign, are communicated immediately to all relevant employees.
- 12.3.2 Counterfeit identification training may be in-house, external/outsourced, web based or a combination of all these.
12.4 Counterfeit Currency Reporting
- 12.4.1 The Licensed Person must ensure that:
- a) all counterfeit incidents are reported to the police authorities of the respective Emirate where the incident has occurred;
- b) all counterfeit currency cases are reported to the FID as a fraud case via the STR reporting system;
- c) all local currency counterfeit incidents, irrespective of the value of counterfeits, are immediately reported to the Banking Supervision Department using the “Counterfeit Incident Reporting (CIR) Form” (Refer to Appendix 5 for CIR Form); and
- d) foreign currency counterfeit incidents, where the total value of counterfeits in a single transaction or multiple transactions by the same person is equal to or above AED 36,000, are reported immediately to the Banking Supervision Department using the CIR Form (Refer to Appendix 5 for this Form).
12.5 Counterfeit Currency Register and Annual Review
- 12.5.1 The Licensed Person must ensure that:
- a) an appropriate register is maintained to log full details of every counterfeit currency incident; and
- b) a review of such Counterfeit Currency Register is carried out at the end of every financial year to identify the training needs of employees for the following year.
12.6 Internal Audit
- 12.6.1 The scope of internal audit must include the effectiveness of counterfeit detection, reporting and training procedures.
Chapter 13: General Security
Introduction
Security is an important aspect of Exchange Business, and Licensed Persons must comply with the security standards below at a minimum. Depending upon the nature, size and complexity of the business and the level of risk, the Licensed Person must introduce additional security measures wherever necessary. Further, the Licensed Person must ensure that it complies with all security requirements of the police or other competent authorities in the respective Emirate.
13.1 Entrance to the Licensed Premises
- 13.1.1 The main door of the licensed premises must be well protected by appropriate metal shutters during closing hours;
- 13.1.2 Where it is difficult to use metal shutters as required under Paragraph 13.1.1 of this Chapter due to unavoidable leasing conditions (example: licensed premises inside an Airport or a Shopping Mall), the Licensed Person must introduce appropriate additional security measures to protect its assets; and
- 13.1.3 Other external doors of the licensed premises must be protected with metal shutters.
13.2 Panic Alarm Systems
- 13.2.1 Panic alarm systems and intrusion detection systems must be in place;
- 13.2.2 Both panic alarm and intrusion detection systems must comply with all requirements of the police or any other competent authorities of the respective Emirate, at a minimum;
- 13.2.3 Kick bars and/or hold up buttons for the panic alarm systems must be available throughout the cashier/teller areas, office room of the Manager in Charge and other back offices;
- 13.2.4 Panic alarm systems and intrusion detection systems must be tested at regular intervals, at least once in a year; and
- 13.2.5 The panic alarm systems and intrusion detection systems must be under an Annual Maintenance Contract from a recognised service provider in the respective Emirate.
13.3 Safe/Vault and Cash
- 13.3.1 Cash, other than the amount required by tellers during working hours, must be held in the Safe/Vault;
- 13.3.2 The Safe/Vault must be firmly secured on a solid floor;
- 13.3.3 The Safe/Vault must always be kept out of sight of customers or the general public;
- 13.3.4 The Safe/Vault must be held/operated under joint custody of two people (i.e. under dual control) at all times, preferably with one key and a code/biometric lock;
- 13.3.5 Cash movements outside the licensed premises must be carried out through an approved Cash In Transit (CIT) agent;
- 13.3.6 Customers, strangers or other outside parties must not be given access inside the teller areas, cash room where the banknotes are sorted/counted, Safe/Vault room and other back offices, etc. without an appropriate justification; and
- 13.3.7 Appropriate registers must be maintained to log the details of visitors who access teller areas, the cash room, Safe/Vault room and back offices.
13.4 CCTV
- 13.4.1 Licensed premises must be under CCTV monitoring at all times. The CCTV system and cameras must meet requirements of the police or other competent authorities of the respective Emirate;
- 13.4.2 CCTV recordings of the immediately preceding ninety (90) calendar days must be available in the system, at a minimum. If the police or other competent authorities of the respective Emirate require more than ninety (90) calendar days of CCTV recordings, then the Licensed Person must comply with such requirements;
- 13.4.3 CCTV cameras must cover, at a minimum:
- a) All entrances and exits;
- b) Customer service areas, such as reception, service counter, visitors’ sitting area, etc.;
- c) Cashier areas or cash room where the banknotes are sorted, counted and packed; and
- d) Safe/Vault area.
- 13.4.4 A notice that “Premises Under Continuous CCTV Monitoring” must be displayed outside the licensed premises (i.e. on or close to the main entrance) in addition to the customer service area;
- 13.4.5 The CCTV system must be checked daily, before the opening as well as the closing of business hours, to confirm that it is properly recording, and the results of such checks must be logged in a separate register; and
- 13.4.6 The CCTV system must be under an Annual Maintenance Contract from a recognised service provider of the respective Emirate.
13.5 Insurance Policy
- 13.5.1 The Licensed Person must at all times be fully covered by a valid insurance policy issued by an insurance company licensed within the UAE. The following insurance cover must be available, at a minimum:
- a) Various risks related to internal and external frauds (i.e. Bankers Blanket Bond Insurance/Crime Insurance). Employees’ infidelity/dishonesty, counterfeit incidents, theft and allied risks must be adequately covered, including the cash in the Safe/Vault, cash with the teller and cash in transit;
- b) Electronic/Computer Crimes (ECC) and Cyber Crimes;
- c) Electronic Equipment;
- d) Fire, theft and other allied risks; and
- e) Third party liabilities.
13.6 Branch Limits for Instant Money Transfers
- 13.6.1 The Licensed Person must set branch-wise daily limits for the total value of remittances that can be executed via an instant money transfer service provider;
- 13.6.2 Such daily limits must be set in each instant money transfer application/system based on the expected daily activity of each branch of the Licensed Person;
- 13.6.3 There must be a written procedure to increase such daily limits to meet the growing business requirements of each branch, introducing an escalation process that seeks the approval of the Manager in Charge on such occasions;
- 13.6.4 The daily limits must be reviewed on a regular basis to ensure that such limits are not disproportionately higher than the expected daily activity of each branch; and
- 13.6.5 The Internal Auditor must verify and confirm that the set daily limits are appropriate to the size of the business of each branch of the Licensed Person.
Chapter 14: Information Security
Introduction
Computer systems are used by Licensed Persons to process large numbers of transactions and provide quality service to their customers. While efficiency of processing transactions is the main objective of computerizing the operations of a Licensed Person, the security of customer information and related transaction data is vital. Licensed Persons must not compromise on introducing information security measures appropriate to the complexity and size of their business. This Chapter contains a few illustrative (but not exhaustive) security measures which all Licensed Persons must implement at a minimum at all times. Additional measures must be introduced depending on the size and the complexity of the business and considering the results of penetration tests and IT audits by external experts.
14.1 Email Systems
- 14.1.1 Independent email exchange systems must be in use for all official communications by the Licensed Person and its employees. Public emails (example: Yahoo, Gmail, etc.) must not be used under any circumstances;
- 14.1.2 The Licensed Person must have a dedicated email ID styled cbuae@abcexchange.com or cbuae@abcexchange.ae for communicating with the Central Bank. The Central Bank will restrict sending or receiving communications only to/from such designated email IDs;
- 14.1.3 The Licensed Person must notify the Banking Supervision Department of its designated email ID in writing under the signature of its authorized signatory; and
- 14.1.4 Employees must be prohibited from using office computer systems for accessing private emails, social networking sites or websites that are not related to the business (example: Yahoo, Gmail, Hotmail, Facebook, etc.).
14.2 Information Security Policy
The Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business
- 14.2.1 An Information security policy must be implemented prescribing controls on usage of emails, internet browsing, passwords, workstations, data communication, network security, etc.;
- 14.2.2 The Information security policy must be approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors) and must be communicated to all employees, obtaining their acknowledgement; and
- 14.2.3 The Information security policy must be reviewed annually at a minimum.
14.3 Users
- 14.3.1 All User IDs in the Point of Sale system, email and computer systems must be created only by the designated IT person;
- 14.3.2 A separate user ID must be created for each employee, and users shall not be allowed to share their User IDs in order to preserve the segregation of duties;
- 14.3.3 “Administrator rights” must be restricted only to authorized IT persons and must be restricted in number;
- 14.3.4 User names of employees who resign must be de-activated immediately upon them leaving the Licensed Person;
- 14.3.5 Emails of an employee who has resigned may be diverted to another employee, if necessary, with the special approval of the Manager in Charge, and this must be covered in the IT policy; and
- 14.3.6 Privileges assigned to the users must be reviewed at regular intervals, ensuring the timely removal of unnecessary privileges.
14.4 Passwords
- 14.4.1 Work stations and all applications must have appropriate and needs-based access controls with user names and passwords;
- 14.4.2 The password must be of sufficient length, preferably eight digits or above, and must be alphanumeric with special characters;
- 14.4.3 Mandatory “Password Change” settings must be activated in all systems and applications. The password change for normal users must be at least once in ninety (90) calendar days and thirty (30) calendar days in the case of Administrators; and
- 14.4.4 The “Auto Password Save” option must not be activated on any PC or in any work stations or for any applications.
14.5 Data Movement, Database and Back-up
- 14.5.1 Where the data is shared outside of its own network or when the data is related to any card transactions, the Licensed Person must use stronger encryption techniques to suitably encrypt such data;
- 14.5.2 The customer and transaction database must be held/stored within the UAE;
- 14.5.3 Outside parties must not be given access to the customer/transaction database, which must be held completely proprietary at all times. Restricted access may be given to the IT service provider, in case the IT function is outsourced, to carry out maintenance of computer hardware, network or applications;
- 14.5.4 Appropriate policies must be introduced for the back-up and off-site storage of back-up data of all enterprise servers, databases, network servers and system software;
- 14.5.5 The Licensed Person must have a procedure for the back-up of systems that may include details of back-up frequency, information to be backed up, storage media, back-up retention period, recirculation of the media and periodical testing of the back-up copies for data availability; and
- 14.5.6 Disaster Recovery (DR) drills must be conducted at regular intervals to ensure that the DR set-up is functional.
14.6 Antivirus Solutions
- 14.6.1 All computer systems including servers, work stations, personal computers (PCs), laptops and other handheld devices must have appropriate anti-virus solutions to prevent information loss due to viruses, Trojans, worms and bots;
- 14.6.2 Anti-virus solutions on all computer systems must be updated automatically;
- 14.6.3 Daily automated antivirus scanning must be activated for every computer system and at the network level;
- 14.6.4 Anti-virus configuration settings must be comprehensive and robust to prevent vulnerabilities from all external interferences, malicious attacks and intrusions;
- 14.6.5 Antivirus scanning must be undertaken automatically at regular intervals;
- 14.6.6 All incoming and outgoing emails with files attached must be auto-screened before the mail reaches the end user mail box. In case of doubt, the system must block such emails and automatically notify the IT team to carry out further investigation; and
- 14.6.7 Users must not be given privileges to alter the settings of the antivirus solutions.
14.7 IT Training
- 14.7.1 All employees must be given training related to Information Security and a copy of the Information Security Policy at the time of joining;
- 14.7.2 Refresher training must be given annually at a minimum;
- 14.7.3 Employees of the Information Security Department must be provided with specialized annual training to remain updated with recent trends, threats and required controls in information security; and
- 14.7.4 The training plan, training registers, training materials, etc. must be held in the records for verification by the Central Bank.
14.8 System Changes
- 14.8.1 All changes to the hardware, software, applications, databases, configuration, etc. must be subject to the formal change control procedures;
- 14.8.2 Changes to the application systems must be carried out only in accordance with the approved change request process and subject to a formal risk assessment process; and
- 14.8.3 All changes must be tested under all possible scenarios before adding them into production.
14.9 Audit and Testing
- 14.9.1 The Licensed Person must conduct internal and external vulnerability scanning and penetration tests on the network and systems on an annual basis at a minimum and take appropriate mitigating actions in order to address the issues identified during such tests; and
- 14.9.2 The strength of the information security controls and IT Security controls must be audited by external experts at regular intervals, annually at a minimum, depending on the nature, size and complexity of the business.
14.10 General Requirements and Reporting Processes
- 14.10.1 The privilege to download software (licensed and not free or pirated software) must be given only to the designated IT person. Users of computers must not be allowed to download any software to computers;
- 14.10.2 The “Auto-logout” feature must be activated for all applications related to the business of the Licensed Person when they are not in use;
- 14.10.3 The “Auto-lock” feature must be available by using a screen saver password on all work stations or operating systems when they are not in use;
- 14.10.4 Appropriate Firewall systems and protection must be available for PCs, Servers, Operating Systems, Database and network equipment;
- 14.10.5 All the Operating systems, server machines, hardware equipment, system software, applications, utility programs and anti-virus programs must be licensed by the respective vendor at all times along with valid agreements;
- 14.10.6 The Licensed Person must review all warning notices issued by the Central Bank on cyber threats and take necessary actions immediately to ensure adequate protection of its computer systems against such threats; and
- 14.10.7 Cyber fraud/crime incidents must be immediately reported to the Banking Supervision Department and police authorities.
Chapter 15: Business Continuity Management
Introduction
The purpose of Business Continuity Management is to ensure timely resumption of the Licensed Person’s business in the event of a disruption by minimising the consequential damages. The Licensed Person must implement appropriate Business Continuity Management and comply with the following standards at a minimum.
15.1 Business Continuity Management
- 15.1.1 The Licensed Person must identify, define and analyse all types of risk that may result in a business disruption and assess the impact thereof; and
- 15.1.2 The Licensed Person must implement an appropriate Business Continuity Plan to ensure the continuity of the business during a disruption.
15.2 Business Continuity Plan (BCP)
- 15.2.1 The Business Continuity Plan must include:
- a) Identification and assessment of potential crises, disasters and risks including their impact on the business;
- b) Ways and means to deal with such crises, disasters and risks;
- c) Plans to provide protection to the Licensed Person and its employees in case of unforeseen disasters;
- d) Plans to avoid suspension of operations or plans to minimize the period of suspension of operations to minimise losses;
- e) Tools and processes for storing sensitive information and the recovery thereof to avoid loss of information during the occurrence of disasters; and
- f) Guidelines to contact relevant authorities and partners (i.e. the Central Bank, foreign correspondents, etc.) to inform them about the disaster and suspension of operations, if necessary.
- 15.2.2 The Licensed Person must follow the below standards while implementing the Business Continuity Plan:
- a) A sufficient number of experienced employees must be available for the purpose of recovery and resumption of the business;
- b) Roles, responsibilities and powers of employees in relation to the Business Continuity Plan must be clearly defined;
- c) Resumption priorities must be clearly agreed and documented; and
- d) Appropriate training must be provided to employees for the effective implementation of the Business Continuity Plan.
15.3 BCP Testing
- 15.3.1 Testing of the Business Continuity Plan must be undertaken at regular intervals in order to assess the capability of the Licensed Person to resume business after a disruption;
- 15.3.2 Accordingly, the Licensed Person must:
- a) Test the Business Continuity Plan at least annually;
- b) Undertake testing also considering any key changes in the business model, products, systems and relevant infrastructure; and
- c) Document testing details and results for verification by the Central Bank Examiners during an examination.
- 15.3.3 Testing results must be reviewed by the Manager in Charge and by the Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
- 15.3.4 The Business Continuity Plan must be reviewed and updated based on the results of such testing.