A Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF business that are commensurate with the scale and complexity of the scheme.
The corporate governance requirements set out in this Article do not apply to licensed banks that carry out the SVF business. Banks are required to adhere to the Central Bank regulation and standards for corporate governance at banks.
Responsibilities of the board of directors
A Licensee is required to have in place sound governance arrangements for the purpose of effective decision-making and proper management and control of the risks of its business and operations. Such arrangements should include a clear organizational structure with well-defined, transparent and consistent lines of responsibility. There should also be clear documentation on decision-making procedures, reporting lines, internal reporting and communication process.
As part of a sound governance arrangement, a Licensee should put in place a code of conduct which lays down the standards of integrity and probity expected of its management and employees. The Licensee should also have adequate systems for enforcing the code of conduct, including regular assessments of the relevancy and effectiveness of the code.
The board of directors is responsible for the sound and prudent management of the Licensee’s SVF business operations.
The board of directors should have an adequate number and appropriate composition of members to ensure sufficient checks and balances and collective expertise for effective and objective decision-making. The size and composition of the board of directors will vary from institution to institution depending on the size of the Licensee and the nature and scope of its activities.
The board of directors should document and clearly define appropriate internal governance practices and procedures for the conduct of its own work and have in place the means to ensure that such practices are followed and periodically reviewed with a view to ongoing improvement.
Effective arrangements should be put in place such that the board of directors can assess the performance of the Senior Management and hold them accountable for their performance.
Fitness and propriety of officers and Controlling Shareholder
A person must not become a chief executive or director of a Licensee except with the Central Bank’s approval. The Central Bank’s approval must be obtained for a person to become Controlling Shareholder of a Licensee. In considering the fitness and propriety of the chief executive, directors and Controlling Shareholder of a Licensee, the Central Bank will take into account factors including, among others, the integrity, willingness to uphold professional ethics and industry good practices, and competence of the person concerned. Set out below are the Central Bank’s general expectations in relation to the fitness and propriety of chief executives, directors and the Controlling Shareholders of Licensees.
Directors and chief executives
Given the leadership role of directors and chief executives, fitness and propriety will be assessed taking into consideration their integrity and competence, which will generally be assessed in terms of relevant knowledge, experience, judgement as well as leadership. Their commitment and ability to devote sufficient time and attention to the SVF business will also be assessed. The standards required from persons in these respects will vary, depending on the scale and complexity of a Licensee’s operations.
Controlling Shareholder
In assessing the fitness and propriety of the Controlling Shareholder, a key consideration is the influence that the Controlling Shareholder could potentially have on the interests of the Customers and potential Customers of the scheme concerned. This has to be assessed in the context of the circumstances of individual cases. The general presumption is that the greater the influence on the Licensee, the higher the standard will be for the Controlling Shareholder to fulfil the criterion.
Outsourcing
A Licensee may outsource activities and processes to service providers, including independent third parties, or companies within the Licensee’s group. Such outsourcing must be approved by the Central Bank.
A Licensee is ultimately responsible for the adequacy, service levels, quality and security of the outsourced activities and processes, including the reliability, robustness, stability and availability of the outsourced activities and processes, as well as the integrity and protection of the information held by the service providers.
Prior to outsourcing an activity or process, a Licensee must:
14.1. Conduct a comprehensive independent risk assessment, identifying all risks involved, and ensuring that all material risks, including business interruption risk, and controls over Customer data protection, are adequately managed. The assessment should identify any additional risks or increases in risks caused by the outsourcing;
14.2. Perform appropriate due diligence covering not just the cost and quality of the services offered, but also the provider’s financial soundness, reputation, managerial skills, technical and operational capacity to meet the Licensee’s requirements in the longer run, ability to meet the regulatory requirements with regard to the services offered, familiarity with the payment industry, and capacity to keep pace with innovation in the market;
14.3. Prior to outsourcing any process or activity: (a) perform appropriate due diligence to ensure that the services to be rendered fully meet the performance and relevant regulatory requirements, (b) execute appropriate outsourcing agreements with the service providers to set out clearly the outsourcing arrangements and the related rights and obligations, and (c) carry out proper transfer of the related operations or functions to ensure smooth transition; and
14.4. Properly manage the outsourcing arrangements on an ongoing basis by performing appropriate regular audits and/or quality reviews of the outsourced operations or services.
The outsourcing agreement must set out clearly:
15.1. The type and level of services to be provided and the related performance standards of the service provider, including its contingency arrangements in respect of daily operational and systems problems;
15.2. The contractual obligations and liabilities of the service provider;
15.3. The rights and obligations of the Licensee including the relevant fees and charges payable by the Licensee and the rights of the Licensee to access, retrieve and retain on a timely basis accurate and up-to-date records and make those records available for inspection by the relevant authorities including the Central Bank or an independent assessor appointed by the Licensee or the Central Bank, if required; and
15.4. Data handling controls and arrangements relating to the storage, backup, protection and confidentiality, and data removal and transfer arrangements upon termination or expiry of the contract. The right for the Licensee, the Central Bank and/or an independent assessor appointed by the Licensee or the Central Bank to conduct an on-site inspection and off-site review of the operations and controls of the service provider. This includes access by the Central Bank or an appointed independent assessor to the premises, systems, records and documents relevant to the outsourced activity or process.
A Licensee should ensure that it has an adequate understanding of its service provider’s contingency plan and consider the implications for its own business continuity planning in the event that an outsourced service is disrupted due to failure of the service provider’s system. Such contingency plans should be tested by the Licensee and its service providers regularly.
A Licensee should ensure that its outsourcing arrangements comply with the relevant personal data privacy/protection requirements and any relevant codes of practice, guidelines and best practices issued by the Central Bank and relevant authorities.
Location of Senior Management
The chief executive and the alternate chief executive should be individuals who are ordinarily resident in the State. Licensees must ensure that this requirement is being complied with on an ongoing basis. Furthermore, the Senior Management team and the key personnel responsible for scheme operation, system support, risk management and compliance of the Licensee must be based in the State. Depending on the nature, scale, complexity of business, and the organization structure of the Licensee, the Central Bank may approve different arrangements.