Principal Requirements

1. The SO and/or SI of a designated RPS, are required to ensure compliance with the following:
    
   1. 1.1. RPS must comply with any instructions issued by the Central Bank and any relevant international standards (e.g. PFMI), and ensure proper and continued functioning of the designated RPS; and
       
   2. 1.2. RPS must provide the information required by the Central Bank or where SO and/or SI consider it appropriate for achievement of the Central Bank objectives.
       
2. The Central Bank may exempt the SO and/or SI or a Participant Person of a designated RPS in a general or specific manner, from the provisions of this Regulation.
    
3. The Central Bank may appoint experts and advisors specialized in Financial Infrastructure Systems to assist the Central Bank in performing its duties and functions in accordance with this Regulation.
    

Detailed requirements

Principal requirements

4. Upon designation, a designated RPS is required to comply with the ongoing requirements imposed under this Regulation and the relevant provisions of PFMI (see Article (9) for detail). Failure to comply with any of those requirements would expose the concerned party to possible sanctions provided for under the Central Bank Law. The principal requirements include: -
    
   1. 4.1. Submission of particulars – the Central Bank requires any SO and/or SI of a newly designated RPS to inform the Central Bank in writing of the designation particulars within fourteen (14) working days after the notification of designation, including the name, place of business, postal address and electronic mail address, as well as the aspects of the management or operations of the system. For any SO and/or SI which is a corporation, the names and personal particulars of the directors, chief executive (if any) and shareholders of the corporation are similarly required to be submitted to the Central Bank. Details of any subsequent change in any of those particulars are to be notified to the Central Bank in writing within fourteen (14) days of the change taking effect.
       
   2. 4.2. Compliance with safety and efficiency requirements - the general requirements include safe and efficient operation of the RPS, the establishment of appropriate Operating Rules, the existence of adequate compliance arrangements, and the availability of appropriate financial resources.
       
   3. 4.3. Submission of information or documents - the Central Bank may request information or documents relating to a designated RPS from the SO and/or SI of, or the Participant Person in, the RPS when performing the oversight functions under this Regulation. The SO and/or SI of, or the Participant Person in the designated RPS to whom a request is made is required to submit the information or documents within the period specified in the request.
       
   4. 4.4. The Central Bank may, at any time, with a short prior notice to the SO and/SI concerned, examine any books, accounts or transactions of the SO and/or SI of a designated RPS when performing the oversight functions.
       
   5. 4.5. The Central Bank may require the SO and/or SI of, or the Participant Person in, a designated RPS to submit to the Central Bank a report prepared by one or more auditors on matters that the Central Bank requires for discharging or exercising its duties and powers under this Regulation.
       
   6. 4.6. The Central Bank may direct the SO and/or SI of a designated RPS to take any action necessary to bring the RPS into compliance with any of the requirements under this Regulation. Such a direction will specify the Central Bank’s concerns and the action(s) to be taken, include a statement of the respect in which the Central Bank considers the designated RPS not be in compliance with a requirement under this Regulation and specify the period within which the direction is to be complied with.
       
   7. 4.7. The Central Bank may, by notice in writing, direct the SO and/or SI of a designated RPS to take any action the Central Bank considers necessary to bring the RPS into compliance with any of the requirements under this Regulation.
       

Obligation of SO and SI to notify the Central Bank of certain events

5. The SO and/or SI of a designated RPS must notify the Central Bank of the occurrence of any of the following events as soon as practicable after that occurrence:
    
   1. 5.1. An event or irregularity that impedes or prevents access to, or impairs the usual operations of, the designated RPS or its settlement operations.
       
   2. 5.2. Any material function of the SO and/or SI that is outsourced.
       
   3. 5.3. Any civil or criminal proceeding instituted against the SO and/or SI, whether in the State or elsewhere.
       
   4. 5.4. The SO and/or SI being unable to meet any of the financial, statutory, contractual or other obligations of the SO and/or SI.
       
   5. 5.5. Any disciplinary action taken against the SO and/or SI by any regulatory authority, whether in the State or elsewhere.
       
   6. 5.6. Any change of the chief executive officer or senior management of the SO and/or SI.
       

Governance arrangements

6. The SO and/or SI of the designated RPS must have clearly defined and documented organizational arrangements, such as ownership and management structure. Each should operate with appropriate segregation of duties and internal control arrangements so as to reduce the risk of mismanagement and fraud.
    
7. The SO and/or SI of the designated RPS must have effective measures and controls to ensure compliance with this Regulation. Appropriate processes must be in place to ensure that rules and procedures as well as the contractual relationships with its Participant Persons are valid and enforceable. These include clear rules and procedures to govern transfer, clearing and settlement for both domestic and cross-border transactions (if applicable).
    

Compliance

8. The SO and/or SI of the designated RPS are required to perform a periodic self-assessment or independent assessment of its compliance with this Regulation and the relevant principles of the PFMI set out in Article (9) of this Regulation. Such assessment must be done at least every 24 months. Its internal auditors, internal compliance officer or appointed independent assessor should perform such assessment as part of their on-going duties and provide the Central Bank with a copy of their compliance report. Assessment reports submitted to the Central Bank by the SO and/or SI of the designated RPS are confidential and shall not be disclosed to any third party unless the approval of the Central Bank is obtained.
    

Financial requirement

9. The financial condition of the SO and/or SI of the designated RPS must be sound and viable, and subject to ongoing review and monitoring by the senior management of the SO and/or SI.
    

Participation criteria

10. The SO and/or SI of the designated RPS must have an established process for considering applications to become its Participant Person. The SO and/or SI of the designated RPS must have procedures in place to allow prospective Participant Persons to access or obtain the information necessary to determine whether to apply to become a Participant Person.
     
11. The general eligibility and participation criteria should be disclosed to genuine applicants upon request.
     

Transparency, interoperability and competition

12. The SO and/or SI of the designated RPS shall not establish or impose any operational policies, procedures and arrangements that will prevent operational transparency or interoperability among Payment Systems, and competition among market players. The SO and/or SI of the designated RPS must observe and comply with all relevant laws, codes of practice and guidelines applicable to their payment activities and services in the State.
     
13. If the Central Bank considers the interoperability between the RPS and other Payment System(s) would be in the interest of the public or the Participant Persons of systems involved, it may direct the SO and/or SI of the RPS involved to enter into arrangements to enable the interoperability among the systems involved or to adopt any common standards.
     
14. The relevant fees and charges must be documented and communicated clearly to the Participant Persons.
     
15. The SO and/or SI of the designated RPS must inform affected Participant Persons of changes to its operational procedures and arrangements that materially affect such parties’ financial risk, operational risk, data security risk and legal risk in the State.
     

Rules and procedures

16. The SO and/or SI of the designated RPS must have proper Operating Rules to enable its Participant Persons to obtain sufficient information regarding their respective rights and obligations associated with their participation in the RPS. Such rights and obligations must be clearly defined and disclosed to the Participant Persons.
     
17. Operating Rules of the RPS must be complete, up-to-date and readily available to all Participant Persons. Participant Persons must also be duly informed of any relevant changes in the Operating Rules.
     
18. The SI must establish rules and procedures to enable final settlement to take place no later than the end of the intended settlement date. The related rules and procedures must also ensure certainty in terms of circumstances under which Transfer Orders effected through the RPS are to be regarded as settled for the purposes of the RPS.
     
19. The liabilities of Participant Persons for any loss arising from unauthorized use of the RPS and the arrangements to handle any disputes over Participant Persons’ liability with respect to unauthorized transactions must be clearly set out in the rules and procedures.
     

Operational efficiency

20. The SO and/or SI of the designated RPS should provide convenient and efficient payment services to its Participant Persons, and ensure that the RPS can process transactions at a speed which is efficient and complies with the RPS’ committed service level.
     

Operational reliability and business continuity

21. The SO and/or SI of the designated RPS must have sound and prudent management, administrative, accounting and control procedures managing the financial and non-financial risks to which it reasonably considers it may be exposed.
     
22. The SO and/or SI of the designated RPS must conduct risk analysis on new payment activity or service. In addition, where it reasonably believes that there has been a change of relevant circumstances, the SO and/or SI of the designated RPS should perform a review on the risk profile of existing activities and services to assess risks relating to security and business continuity.
     
23. The SO and/or SI of the designated RPS must seek to ensure that it has an adequate number of properly trained and competent personnel to operate its system at a level it considers appropriate in all situations that it considers are reasonably foreseeable.
     
24. The SO and/or SI of the designated RPS should provide its Participant Persons with information it reasonably considers relevant to fraud awareness in the context of the operation of its payment activities and services. The SO and/or SI of the designated RPS should provide Participant Persons with education it reasonably considers relevant to fraud awareness and the proper use or processing of the RPS to reduce the risk of fraud so that the Participant Persons can educate and promote the awareness of their customers accordingly.
     
25. The SO and/or SI of the designated RPS must have comprehensive, rigorous and well-documented operational and technical procedures to address reasonable operational reliability, the integrity of its network and the timeliness of transactions in the face of malfunctions, system interruption and transmission failures or delays. The SO and/or SI of the designated RPS must also have in place a reasonable, effective, well-documented and regularly-tested business contingency plan addressing system functionality in the event of unforeseen interruption.
     
26. The SO and/or SI of the designated RPS must have a thorough due diligence and management oversight process for managing its outsourcing relationships, if any, that it considers may impact the operation of its payment activities and services. The liabilities and responsibilities between the SO and/or SI of the designated RPS and its outsourcing service providers must be clearly defined.
     
27. The SO and/or SI of the designated RPS must design its technical system for payment activities and services with sufficient capacity to enable its ongoing operations, which should be monitored periodically and upgraded on a periodic basis.
     
28. The SO and/or SI of the designated RPS must have sufficient clearing and settlement arrangements to enable efficient, reliable and secure operation of the RPS.
     
29. The SO and/or SI of the designated RPS must review periodically its security objectives, policies and operational services.
     
30. The SO and/or SI of the designated RPS must develop well-defined procedures to respond to payment activity or service security-related incidents. The procedures should encompass a consistent and systematic approach in handling an incident.
     
31. As a follow-up to each security-related incident materially affecting the Participant Persons, the SO and/or SI of the designated RPS should initiate a confidential post-incident assessment of the situation by the parties it considers appropriate having regard to the nature and the root cause of the incident, weaknesses leading to the incident and other potentially vulnerabilities underlying the incident.
     

Safety

32. The SO and/or SI of the designated RPS must adopt appropriate and commercially reasonable technical security measures and procedural safeguards to protect the security of its system. The SO and/or SI of the designated RPS should also consider adopting international technical security standards where appropriate.
     
33. The required measures must include the building and maintenance of a secure network, including conditions to install and maintain firewalls to protect data, and a change of vendor-supplied default system passwords and other security passwords.
     
34. The implemented measures must protect data through the entire life cycle of a transaction, particularly on control measures to access data, procedures for storing Participant Persons’ transaction data, and disposal of Participant Persons’ transaction information after use.
     
35. The designated RPS must use and regularly update anti-virus software to maintain secure systems and applications, and take proper measures to manage cyber security risk effectively, including the capability to keep pace with the trends of cyber attacks.
     
36. In addition, the SO and/or SI of the designated RPS must have mechanisms which enable them to monitor on an ongoing basis attempted security breaches that may compromise its systems and data. There should be measures to control access and to regularly monitor and test the operation networks. There must be a policy that addresses information security for all related parties, such as employees and contractors.
     
37. The SO and/or SI of the designated RPS must conduct periodic security reviews of its system. Such reviews could be performed either by the SO and/or SI of the designated RPS or, at its (or the Central Bank’s) discretion, by an independent party appointed by it.
     

Data Security and Integrity

38. The SO and/or SI of the designated RPS are responsible for the security and integrity of all payment data and records maintained or controlled by it. The SO and/or SI of the designated RPS should ensure that the Participant Persons have, rules and procedures to safeguard the necessary confidentiality of all data and records in its control, including customer and transaction information. The SO and/or SI of the designated RPS should adopt generally accepted industry and international data security standards that it considers to be applicable to its operations.
     
39. The SO and/or SI of the designated RPS must establish and maintain policies and procedures for the recovery of transaction data that is necessary for its daily operation in the event of system failure.
     

Incident Reporting

40. The SO and/or SI of the designated RPS must report to the Central Bank of any incident (such as data security breaches) that may have a material and adverse impact on its operation or other Systematically Important Payment Systems in the State.
     
41. Where action has been taken under Default Arrangements of a designated RPS by the SO and/or SI in respect of a Participant Person in the RPS, the Central Bank may direct the SO and/or SI of a designated RPS to give information relating to the default to any official nominated by the Central Bank. The nominated official is responsible for assessing and examining any matter arising out of or connected with the default of the Participant Person in that RPS. The liabilities of Participant Persons for any loss arising from the default of the Participant Person and the arrangements to handle any disputes over Participant Persons’ liability with respect to default transactions should be clearly set out in the rules and procedures.