The Exposure Draft of the Policy Document on Electronic Money (e-Money) (‘Draft’) is a solid 81-page document that seeks to replace and supersede the current Bank Negara of Malaysia (‘BNM’) Guideline on Electronic Money (2008 Guidelines), which currently serves as the primary guideline applicable to the e-money business in Malaysia.
The full Draft can be obtained on BNM’s website here.
Introduction
The Draft sets out a comprehensive list of requirements reflecting the regulator’s expectations to be satisfied by existing e-money issuers as well as future applicants seeking to be approved as an e-money issuer.
The Draft consists of 5 separate parts. Part A of the Draft sets out an overview of the current e-money landscape in Malaysia and a set of definitions to be applied throughout the document. Part B sets out the governance aspects of the operations of an e-money entity, which are commensurate with the issuer’s market presence. Part C sets out extensive requirements on the ‘day to day’ operations of an e-money business, from managing capital funds and managing risks to winding down or ceasing the business.
Part D is the most detailed and extensive section and sets out the regulator’s expectations on the IT infrastructure an issuer needs to have in place to operate an e-money business. Finally, Part E discusses the ongoing requirements for an existing issuer to notify the regulator of key changes and appointments (eg, board member, chairman, CEO, auditor) and other ongoing compliance obligations of an e-money issuer.
Different types of e-money issuers (EMI) defined
In Part A (Overview), it is crucial to read the Draft’s definitions section carefully to understand the key factors that differentiate how the various EMIs are defined in the Draft.
1. Definition of “issuer of e-money”. An “EMI” is an ‘issuer of e-money’. Note that the phrase EMI is used throughout the document. For consistency, we will maintain the same reference to EMI in this article.
2. Different “EMI” categories. An “EMI” can be categorised into 4 categories, namely: (i) an “eligible EMI”; (ii) a “standard EMI”; (iii) a “non-bank EMI”; or (iv) a “limited purpose EMI”. Anyone reading the Draft will have to carefully distinguish the different requirements which may be applicable to such an EMI, and which may also overlap (eg, a standard EMI may also be a non-bank EMI), depending on the EMI’s category.
3. An “eligible EMI”. An eligible EMI is an EMI that fulfils any one of the 3 proposed criteria, namely: (i) having at least 500,000 users with at least 1 transaction a month for 6 consecutive months; (ii) 5% market share of the total e-money transaction volume or value for a given year since 2017; or (iii) 5% market share of outstanding e-money liabilities for a given year since 2017.
Considering the relevant criteria above for an eligible EMI, the regulator is expecting an eligible EMI to abide by additional regulatory standards and compliance requirements.
4. A “standard EMI”. If an existing EMI does not fulfil the criteria set out above for an “eligible EMI”, such EMI will be deemed a “standard EMI”. A standard EMI generally needs to maintain a lower capital funds requirement (more on this below).
5. A “non-bank EMI”. A “non-bank EMI” is an existing EMI that is not a licensed institution (eg, not a bank). According to BNM’s website, there are currently 48 non-bank EMIs, whereas only 6 EMIs are operated by banks.
6. A “limited purpose EMI”. A “limited purpose EMI” is an EMI that is exempted from the legal requirement to be approved as an EMI under the law. Examples of limited purpose EMIs include: (i) e-money used in a ‘closed-loop network’ (eg, a network of merchants, a single premise or a closed community); (ii) e-money used for cash rewards or loyalty points; (iii) e-money used for refund purposes; or (iv) mobile prepaid airtime used to buy digital content. For ease of reference, the list of the various criteria can be found in Appendix 2 of the paper.
Enhanced governance requirements
Part B (Governance) of the Draft sets out the regulator’s expectations when it comes to the human resources aspect of an EMI’s operations. The requirements range from the composition of the EMI’s board to the hiring of senior management roles (eg, CEO, COO, CFO, including those in risk management, compliance or internal audit).
1. Board charter. The board needs to have a ‘board charter’ in place that sets out the roles and procedures of the board and which matters need to be dealt with by the board.
2. Minimum board meetings. A director of an EMI needs to devote sufficient time to attend board meetings, and the quorum must be at least 50% of the board members present.
3. Chairman’s role. The new paper also sets out the chairman’s role and duties, including ensuring good governance when conducting board meetings.
4. No active politician allowed. The new policy also restricts an EMI from appointing an ‘active politician’ (defined as either an elected politician or someone holding a role in a political party).
5. Independent directors (for eligible EMI). For an eligible EMI, the regulator has sought feedback on whether an eligible EMI should have at least one-third independent directors as board members. Additionally, an eligible EMI also needs to form at least 2 additional board committees, namely: (i) a board audit committee; and (ii) a board risk management committee. The proposed terms of reference for the respective board committees are also set out in Appendix 3 of the Draft.
6. Shariah compliant e-money. The new Draft also incorporates additional requirements for an EMI seeking to issue Shariah compliant e-money. An EMI needs to onboard a Shariah advisor to give the necessary advice to ensure its e-money operations are Shariah compliant (eg, structured on appropriate Shariah contracts), and to conduct an annual assessment to ensure continuous compliance, including the promotion of Shariah compliance by the EMI’s board. Additionally, the EMI will need to abide by the current Shariah Advisory Council rulings and other applicable standards from time to time.
7. ‘Fit and proper’ senior management team. An EMI’s CEO needs to hold a full time role and be domiciled in Malaysia. Additionally, the senior management needs to set up internal policies and procedures to manage risks, conduct due diligence, implement business plans, and so on. For an eligible EMI, the regulator is seeking to restrict a substantial shareholder from holding a senior role, with the aim of separating ownership and management. Also, such an eligible EMI needs to have a designated person tasked with handling technology risks.
8. Compliance functions (eg, risk management and internal audit). In addition to the compliance officer’s role of highlighting compliance risks, an EMI also needs to set up a risk management framework and an internal audit function (which is to be separated from the other control functions). These functions shall report regularly to the board and senior management team on any material risks.
Operational and risk management requirements
Part C of the Draft sets out additional conditions to be satisfied by a non-bank EMI (in this case, either a standard EMI or an eligible EMI), such as maintaining minimum capital funds.
1. Minimum capital funds. For non-bank EMIs, a standard EMI needs to maintain capital funds of at least RM1 mil or 8% of the EMI’s current outstanding e-money liabilities (whichever is higher). An eligible EMI, however, will need to maintain capital funds of at least RM5 mil or 8% of the EMI’s current outstanding e-money liabilities (whichever is higher).
The “capital funds requirements” computation can be found in Appendix 4 of the paper (which is substantially similar to the current application form for approval as an e-money issuer). The only revision to the computation is that “irredeemable non-cumulative preference shares” are now included as part of the “share capital” of an EMI.
2. Funds to be held in a trust account. An EMI will have to place the funds received in exchange for e-money issued in a separate trust account (eg, with a licensed custodian). Additionally, the EMI is encouraged to split the funds across different bank accounts to manage the downside risk of exposure to a single bank entity.
3. Business continuity management. The board and senior management team of an EMI will need to put in place a business continuity framework, including setting a maximum tolerable downtime (MTD) and recovery time objective (RTO) for critical business functions.
4. Outsourcing risk management. While acknowledging the role of outsourcing, the regulator expects an EMI to seek the regulator’s prior approval before onboarding any new ‘material outsourcing arrangement’, and to conduct due diligence on the proposed service provider to ensure the EMI’s services will not be compromised. This obligation extends throughout the life cycle of the outsourcing (eg, new, renewed or renegotiated outsourcing agreements).
5. Outsourcing agreement. Legal counsel advising EMIs should be relieved that the regulator has now also incorporated, in Appendix 6 of the Draft, a set of provisions that need to be in place when an EMI engages a service provider, which is akin to a “checklist” of clauses that need to be included in such an outsourcing agreement.
6. Outsourcing outside Malaysia. An EMI seeking to outsource to a service provider outside Malaysia needs to ensure that it is able to monitor the third party’s performance and recover its data in the event of any failure by such third party. An EMI also needs to ensure that the regulator is able to access the EMI’s systems located outside Malaysia.
7. White labelling. An EMI can also offer white labelling to third parties, so long as the EMI can demonstrate that it has taken steps to ensure that due diligence has been done on such a third party, including having the necessary internal policies and resources in place to offer white labelling solutions. Also, the EMI continues to be responsible for managing the funds and operations. A white label agreement between the EMI and the third party needs to cover the respective duties and rights between the EMI and the customer, including managing disputes, tagging of funds received, and other ‘day to day’ operations.
8. Promoting or cross selling. A non-bank EMI that wants to promote or cross sell financial products or services needs to obtain the regulator’s prior approval.
9. Exit plan. A non-bank EMI needs to maintain an ‘exit plan’, which needs to be valid for a 3 year period. The ‘exit plan’ needs to set out the ‘plausible internal triggers’ for exiting the e-money business, including executing the identified exit options where needed, to ensure funding is in place in an exit scenario.
Enhanced IT requirements
The substantial part of the Draft in Part D (IT Requirements) appears to be generally applicable to standard EMIs. From a remark in the Draft, it appears that eligible EMIs may instead need to fulfil the Risk Management in Technology policy, a more stringent IT policy applicable to financial institutions (eg, banks).
An EMI needs to have a solid ‘Technology Risk Management Framework (TRMF)’ in place to safeguard the EMI’s information infrastructure, systems and data. The requirements include internal policies governing the EMI’s technology projects, system architecture and acquisition strategies, cryptography controls, and data centre infrastructure and operations. Other requirements include ensuring network resilience, cloud services risk management, an access control policy, patch and end-of-life system management, and the security of digital services.
To summarise, the regulator allows an EMI the flexibility to adopt its own IT framework, commensurate with its current requirements.
Other requirements include having a cybersecurity policy in place, conducting regular technology audits, and conducting internal awareness and training for all of the EMI’s staff in their respective roles.
Continuous obligations of an EMI
The final Part E (Regulatory Process) sets out the continuous obligations of an EMI, including giving prior notification to the regulator of any change of office within or outside Malaysia, and of the appointment of senior roles (eg, chairman, director or CEO) and the auditor.
Additionally, existing EMIs need to submit regular periodic reports (eg, monthly statistics, audited financial statements) and independent audit reports with additional auditor’s statements on the EMI’s treatment of customer funds.
An EMI also needs to be a member of the Financial Ombudsman Scheme to allow financial disputes between the EMI and the customer to be resolved under the scheme.
Conclusion
The Draft is a comprehensive document that sets out the regulator’s expectations for existing EMIs as well as future applicants seeking to be approved as an EMI.
Any feedback on the Draft can be made to the regulator by 31st July 2021.
This post is for general information only and is not a substitute for legal advice.