Article (13): Business Conduct and Customer Protection
C 6/2020 Effective from 30/10/2020
The SVF schemes must be operated prudently and with competence in a manner that will not adversely affect the interests of the Customer or potential Customer of the Licensee. All Licensees must also comply with the existing regulatory requirements for consumer protection of the Central Bank.
The business conduct and Customer protection requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.
Standard of conduct and business practices
A Licensee must ensure that its business is operated in a responsible, honest and professional manner. A Licensee must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee. A Licensee must also act in a manner that will not adversely affect the interests of the Customer or potential Customer or the stability of any payment system in the State.
A Licensee must be responsible for the acts or omissions of its employees, service providers and agents in respect of the conduct of its business. Employees and agents of a Licensee must be properly trained and qualified.
A Licensee must ensure that it adopts and if needed, develops good business practices that can demonstrate its standard of conduct, including:
5.1. Due diligence must be performed by a Licensee to ensure that all promotional materials it issues are accurate and not misleading;
5.2. A Licensee may use its websites and mobile apps to provide links to e-commerce portals and other online merchants. When providing such links, the Licensee must carry out due-diligence on the e-commerce portals and merchants acquired to ascertain they are bona fide companies conducting legitimate business so as to manage reputation risk; and
5.3. Websites or apps of a Licensee may only provide hyper-links to other websites which offer advisory and/or sale of financial products and services provided that the Licensee has sought external legal opinion to ensure that the arrangements comply with all relevant legal and regulatory requirements.
Schemes and Operating Rules
The Operating Rules of an SVF scheme must be fair to all parties concerned. A Licensee must operate its SVF scheme in strict accordance with the relevant Operating Rules.
If a Licensee intends to engage business partners (e.g. merchant acquirers to procure merchants), it must ensure that the arrangement with business partners will not compromise its obligations under this Regulation in respect of ensuring safe and efficient operation of the SVF scheme, in particular:
7.1. The Licensee must conduct due diligence on business partners to carefully assess the risks involved before engaging the business relationship, and to put in place adequate control mechanism to mitigate the risks identified;
7.2. The Licensee must be satisfied that the contractual relationship between itself and business partners (e.g. merchants) is clearly constructed and enforceable with well-defined division of duties and liabilities supported by well-documented service level agreements, and that there are necessary safeguards in its contractual relationship with the business partners to ensure the operational safety and efficiency of the SVF scheme;
7.3. The Licensee must impose appropriate controls and oversight over the business arrangements with its business partners (e.g. in case of merchant acquirers), to ensure that they have proper systems in place for settlement of funds with the merchants and for mitigation of any potential money laundering and terrorist financing risks; and
7.4. The Licensee must ensure that the arrangement of engaging business partners is compliant with relevant personal data privacy/protection requirements and also observes this Regulation and the relevant supervisory guidelines on data protection in order to safeguard the interest of its Customers.
The Operating Rules of an SVF scheme must provide that the amount of funds received by a Licensee or its agent from a Customer will be credited to the account of the Customer and made available for use by the Customer in a timely manner according to the Operating Rules.
Whilst the Central Bank will not establish a hard limit on the maximum amount of the value stored in each type of Customer accounts under an SVF scheme, a reasonable limit, supported by business justifications and control measures, must be set for the maximum amount that can be stored in each type of Customer accounts under an SVF scheme. Different storage limits can be set for different types of Customer accounts according to their respective features. All limits must be set out in the Operating Rules. The Central Bank may request a Licensee to change the limits on a case-by-case basis if the Central Bank considers it appropriate to apply such limits or the business justifications and control measures put up by the Licensee are considered unsatisfactory.
10. A Licensee must set out and explain clearly the key features, risks, terms and conditions, and applicable fees, charges and commissions of its schemes, facilities, services and products. Such details must be effectively communicated and made available to the relevant Customers, as well as merchants. Additional disclosures, including appropriate warnings, must be developed to provide information commensurate with the nature, complexity and risks of the schemes, facilities, services and products.
A Licensee is solely responsible for the robustness of its SVF scheme and as such it must bear the full loss of the value stored in a Customer account where there is no fault on the part of the Customer. In general, a Customer of the Licensee must not be responsible for any direct loss suffered by him/her as a result of unauthorized transactions conducted through his/her account.
Anti-fraud framework
A Licensee must implement an anti-fraud framework. Such framework must include duties and obligations of chief executive officer, Compliance Committee, and fraud reporting and follow-up mechanism. Appropriate and documented anti-fraud training must be provided to all employees.
Security advice for Customers
The Licensee should provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers on security precautionary measures.
A Licensee must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords.
Business exit plan
With a view to minimizing the potential impact that a failure, disruption, or exit of a Licensee would have on Customers and the payment systems in the State, a Licensee is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.
Among other things, a business exit plan should (a) identify a range of remote but plausible scenarios which may render it necessary for a Licensee to consider an exit; (b) develop risk indicators to gauge the plausibility of the identified scenarios; (c) set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan; (d) assess the time and cost required to implement the exit plan in an orderly manner; and (e) set out clear procedures to ensure that sufficient time and financial resources are available to implement the exit plan. The plan should be reviewed on an annual basis to ensure its relevancy and workability.
Systems interoperability
A Licensee should ensure that its SVF systems are interoperable with other major payment systems in the State to allow connectivity of all key payment services. This is important for building a cost effective and efficient digital payment ecosystem in the State.
The Central Bank expects Licensees to adopt a risk-based approach and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses and individuals to have access to SVF products and services.
The risk assessment processes should be able to differentiate the risks of individual Customers within a particular segment or grouping through the application of a range of factors, including country risk, business risk, product/service risk and delivery/distribution channel risk. It is inappropriate for Licensees to adopt a one-size-fits-all approach.
Book traversal links for Article (13): Business Conduct and Customer Protection