Article (36): Business Continuity
2/2024 Issued on 14/6/2024| 1. | In this Article (36), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. | ||||||||||
| 2. | A Payment Token Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery. | ||||||||||
| 3. | A Payment Token Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets. | ||||||||||
| 4. | A Payment Token Service Provider shall put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Token Service Provider shall also allow Customers to access their own records in a timely manner. A Payment Token Service Provider shall notify Customers of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully. | ||||||||||
| 5. | A Payment Token Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:
| ||||||||||
| 6. | A Payment Token Service Provider shall conduct testing of its business continuity plan at least annually. Its Senior Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities. | ||||||||||
| 7. | A Payment Token Service Provider shall review all business continuity planning-related risks and assumptions for relevance and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Senior Management. |
Business exit plan
| 8. | With a view to minimizing the potential impact that a failure, disruption, or exit of a Payment Token Service Provider would have on Customers and the payment systems in the UAE, a Payment Token Service Provider is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible. | ||||||||||
| 9. | Among other things, a business exit plan must:
| ||||||||||
| 10. | A Payment Token Service Provider must review the plan on an annual basis to ensure its relevance and workability. |