Part 9
Article (33): Corporate Governance
1. In this Article (33), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. A Payment Token Service Provider must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility. 3. The corporate governance arrangements referred to in Article (33)2 must be comprehensive and proportionate to the nature, scale and complexity of the Payment Token Services provided, and shall contain, at a minimum:
a) an organization chart showing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities; b) controls on conflicts of interest; c) controls on integrity and transparency of the Licensed Payment Token Service Provider’s operations; d) controls to ensure compliance with applicable laws and regulations; e) methods for maintaining confidentiality of information; and f) procedures for regular monitoring and auditing of all corporate governance arrangements. Article (34): General Risk Management & Internal Control Systems
1. In this Article (34), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. A Payment Token Service Provider must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Payment Token Services to which it is or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures. 3. A Payment Token Service Provider’s risk management policies and procedures shall be:
a) kept up-to-date; b) reviewed annually; and c) proportionate to the nature, scale and complexity of the Payment Token Services provided. 4. A Payment Token Service Provider must establish a risk management function, an internal audit function and a compliance function. Capital adequacy and capital planning
5. A Payment Token Service Provider must implement an effective process for managing its capital adequacy. This process must monitor capital adequacy over time and include forward-estimations of the level of capital and the capital requirement, and ensure that the Payment Token Service Provider at a minimum complies at all times with the capital requirements set out in this regulation. Liquidity risk management
6. A Payment Token Service Provider must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Payment Token Service Provider will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances. Internal controls
7. A Payment Token Service Provider must put in place a robust internal control system to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies. 8. A Payment Token Service Provider must put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan must normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities. Accounting and External Audit
9. A Payment Token Service Provider must appoint one or more External Auditor(s) to audit, on an annual basis:
a) the financial statements or consolidated financial statements of the Payment Token Service Provider prepared in accordance with the accepted accounting standards and practices; and b) the systems, controls and technology (including any ‘smart contracts’) of the Payment Token Services provided by the Payment Token Service Provider, including the results of any penetration or cyber-attack simulation testing performed pursuant to Article (35)17, separately from any audit of non-Payment Token Services. 10. Upon request by the Central Bank, the appointed External Auditor shall submit, directly or through the Payment Token Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank. 11. In addition to the report of audit, the Central Bank may request the External Auditor to:
a) submit any additional information in relation to the audit, if the Central Bank considers it necessary; b) enlarge or extend the scope of the audit; c) carry out any other examination. Compliance and internal audit functions
12. A Payment Token Service Provider must maintain effective compliance and internal audit functions; to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Payment Token Service Provider’s compliance and internal audit functions will be assessed by the Central Bank based on its:
a) clear governance framework with Board level accountability to ensure effective policies and sufficient authorities to perform the functions; b) relevant professional knowledge and experience; c) independence from business units; d) direct and unfettered access to the Board; e) coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and f) ability to take timely and pro- active rectifying actions upon identifying non-compliance or other control deficiencies. 13. A Payment Token Service Provider must at least annually perform a risk assessment by its own risk management.
a) If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Payment Token Service Provider must conduct such assessment and cover the following key areas:
(i) business model assessment; (ii) corporate governance and risk management; (iii) Reserve of Assets management; (iv) technology risk management; (v) security management; (vi) business continuity management; (vii) business conduct and consumer protection; (viii) business exit plan; and (ix) AML/CFT controls systems. b) If the Payment Token Service Provider has an independent function elsewhere in its Group, with the relevant knowledge and experience, an independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party. 14. A Payment Token Service Provider must submit any assessment under Article (34)13 to the Central Bank after it has been approved by the Board, accompanied by an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues. 15. Arising from the findings of the annual risk assessment, a Payment Token Service Provider that is unable to meet its obligations must immediately report this to the Central Bank. Reputation Risk Management
16. A Payment Token Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations. Record Keeping
17. Payment Token Service Providers shall keep all necessary records of Personal Data and Payment Data for a period of five (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank. Article (35): Technology Risk and Information Security
1. In this Article (35), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. Payment Token Service Providers are expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes. 3. A Payment Token Service Provider shall establish an effective technology and cyber security risk management framework to ensure the adequacy of IT controls, cyber resilience, the quality and security, including the reliability, robustness, stability and availability, of its computer systems, and the safety and efficiency of the operations of Payment Token Services. The framework shall be fit for purpose and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Payment Token Service Provider. Consideration shall be given to adopting recognized international standards and practices when formulating such risk management framework. 4. A Payment Token Service Provider’s effective technology risk management framework shall comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices. 5. Payment Token Service Provider shall apply and meet at a minimum the UAE Information Assurance Standards, as amended. 6. Licensed Payment Token Issuers must maintain policies and procedures on how to respond to ‘forking’ events or adverse governance actions affecting the Distributed Ledger Technology in which their Payment Tokens are issued, including by establishing a process to ensure that redemption rights are afforded in accordance with Article (21)6(c), and to prevent redemption by Persons who are not Tokenholders. Such policies and procedures must address each blockchain in which a Payment Token is issued. 7. Licensed Payment Token Issuers which hold any Payment Tokens which they have issued (on their own behalf) must maintain a safeguarding and security policy setting out the manner in which the security of those Payment Tokens shall be ensured. IT Governance
8. A Payment Token Service Provider shall establish a proper IT governance framework. IT governance shall cover various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions shall include an effective IT function, a robust technology risk management function, and an independent technology audit function. 9. The Board, or a committee designated by the Board shall be responsible for ensuring that a sound and robust risk management framework is established and maintained to manage technology risks in a manner that is commensurate with the risks posed by the Payment Token Service Provider’s Payment Token Services. Security Requirements
10. A Payment Token Service Provider must clearly define its security requirements in the early stage of system development or acquisition as part of the business requirements and these must be adequately built-in during the system development stage. 11. A Payment Token Service Provider that develops or provides an application programming interface (API) shall establish safeguards to manage the development and provision of the API to secure the interaction and exchange of data between various software applications. Network and Infrastructure Management
12. A Payment Token Service Provider shall clearly assign overall responsibility for network management to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures shall be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically. 13. A Payment Token Service Provider shall establish a security administration function and a set of formal procedures for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities. 14. A Payment Token Service Provider shall exercise due care when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:
a) changing the default password; b) implement strong password control, with minimum password length and history, password complexity as well as maximum validity period; c) restricting the number of privileged users; d) implementing strong controls over remote access by privileged users; e) granting of authorities that are strictly necessary to privileged and emergency IDs; f) formal approval by appropriate senior personnel prior to being released for usage; g) logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs); h) prohibiting sharing of privileged accounts; i) proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data centre); and j) changing of privileged and emergency IDs’ passwords immediately upon return by the requesters. Cyber Security Risk
15. A Payment Token Service Provider shall ensure that its cyber security risks are adequately managed through its technology risk management process. The Payment Token Service Provider shall also commit adequate skilled resources to ensure its capability to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services. 16. A Payment Token Service Provider shall establish a cyber incident response and management plan to swiftly isolate and neutralize a cyber threat and to resume affected services as soon as possible. The plan shall describe procedures to respond to plausible cyber threat scenarios. 17. A Payment Token Service Provider shall regularly assess the necessity to perform penetration and cyber-attack simulation testing, based on a risk-based assessment of the likelihood of a cyber-attack and its impact (considering amongst other things the size and nature of its business). Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Token Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis. The Central Bank may request evidence of the risk-based assessment referred to in this paragraph, and may direct that further or alternative penetration and cyber-attack simulation testing measures be adopted. Customer Authentication
18. A Payment Token Service Provider shall select and implement reliable and effective authentication techniques to validate the identity and authority of its Customers or Tokenholders. Multi-factor authentication shall be required. 19. End-to-end encryption shall be implemented for the transmission of Customer passwords so that they are not exposed at any intermediate nodes between the Customer mobile application or browser and the system where passwords are verified. Login Attempts and Session Management
20. A Payment Token Service Provider shall implement effective controls to limit the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If one-time passwords are used for authentication purposes, a Payment Token Service Provider shall ensure that the validity period of such passwords is limited to the strict minimum necessary. 21. A Payment Token Service Provider shall have processes in place ensuring that all Payment Token Transfers occurring in the context of its Payment Token Services are logged with an appropriate audit trail. Fraud Detection Systems
22. Payment Transaction monitoring mechanisms designed to prevent, detect and block fraudulent Payment Transactions must be operated by a Payment Token Service Provider, in a manner which is proportionate based on a risk-based assessment of the likelihood of fraudulent Payment Transactions and their impact (considering amongst other things the size and nature of its business). Suspicious or high-risk transactions must be subject to a specific screening, filtration and evaluation procedure. The Central Bank may request evidence of such risk-based assessment, and may direct that further or alternative monitoring mechanisms be adopted. Security advice for Customers
23. A Payment Token Service Provider must provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers and Tokenholders on security precautionary measures. 24. A Payment Token Service Provider must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords. Security incident reporting
25. Payment Token Service Providers shall report major security and operational incidents including downtimes to the Central Bank, either immediately or in such form and on such basis as the Central Bank may direct from time to time, or as set out in CBUAE Regulations. Article (36): Business Continuity
1. In this Article (36), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. A Payment Token Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery. 3. A Payment Token Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets. 4. A Payment Token Service Provider shall put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Token Service Provider shall also allow Customers to access their own records in a timely manner. A Payment Token Service Provider shall notify Customers of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully. 5. A Payment Token Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:
a) detailed recovery procedures to ensure full accomplishment of the service recovery strategies; b) escalation procedures and crisis management protocol (e.g. set up of a command centre, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions; c) proactive communication strategies (e.g. Customer notification, media response, etc.); d) updated contact details of key personnel involved in the business continuity plan; and e) assignment of primary and alternate personnel responsible for recovery of critical systems. 6. A Payment Token Service Provider shall conduct testing of its business continuity plan at least annually. Its Senior Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities. 7. A Payment Token Service Provider shall review all business continuity planning-related risks and assumptions for relevance and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Senior Management. Business exit plan
8. With a view to minimizing the potential impact that a failure, disruption, or exit of a Payment Token Service Provider would have on Customers and the payment systems in the UAE, a Payment Token Service Provider is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible. 9. Among other things, a business exit plan must:
a) identify a range of remote but plausible scenarios which may render it necessary for a Payment Token Service Provider to consider an exit; b) develop risk indicators to gauge the plausibility of the identified scenarios; c) set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan; d) assess the time and cost required to implement the exit plan in an orderly manner; and e) set out clear procedures to ensure that sufficient time and regulatory capital and other financial resources are available to implement the exit plan. 10. A Payment Token Service Provider must review the plan on an annual basis to ensure its relevance and workability.