| CONTACT: |
| Supreme Court of the Philippines Library Services, Padre Faura, Ermita, Manila, Philippines 1000 |
| (632) 8524-2706 |
| libraryservices.sc@judiciary.gov.ph |
(NAR) VOL. 22 NO. 1, JANUARY - MARCH 2011
[ BSP CIRCULAR NO. 704, S. 2010, December 22, 2010 ]
GUIDELINES ON OUTSOURCING OF SERVICES BY ELECTRONIC MONEY ISSUERS (EMIS) TO ELECTRONIC MONEY NETWORK SERVICE PROVIDERS (EMNSP)
Section 1. Statement of Policy. It is the goal of the Bangko Sentral ng Pilipinas (BSP) to achieve a truly inclusive financial system. In line with achieving this goal, the BSP recognizes the potential of electronic money (E-money) as an instrument to facilitate delivery of financial services affordably to the low-income, unbanked or underserved segments of the population, particularly in non-urbanized areas. The BSP likewise recognizes that efficient and effective delivery of financial services may necessitate Electronic Money Issuers (EMI) to develop business models that utilize outsourcing arrangements, considering the specialized operational and technological requirements in an E-money business. Outsourcing, however, may introduce an EMI to certain operational and reputational risks that need to be properly managed. The BSP hereby issues the following guidelines to govern the outsourcing of E-money related services.
Section 2. Definition. An Electronic Money Network Service Provider (EMNSP) shall refer to a non-financial institution that provides automated systems, network infrastructure, including a network of accredited agents utilizing the systems, to enable clients of an EMI to perform any or all of the following:
Section 3. Application to outsource. An EMI intending to outsource the services contemplated under Section 2 shall limit itself to an EMNSP as an outsource entity, and shall follow the procedures for outsourcing information technology systems/processes as provided under Subsection X162.2 (formerly X169.2) of the Manual of Regulations for Banks (MORB). In addition to the documentary requirements under said Subsection, an EMI should also submit a certification signed by its President or any officer of equivalent rank and function certifying that a due diligence review had been conducted and that the selected EMNSP has met the minimum requirements provided under Section 5 of this Circular.
Section 4. Responsibilities of an EMI. Relative to the outsourcing of services to an EMNSP, it shall be the responsibility of an EMI to:
Section 5. Due Diligence and Continuing Operational Review. Prior to entering into an outsourcing arrangement with an EMNSP, an EMI should conduct appropriate due diligence review to assess the capability of an EMNSP in performing the service to be outsourced. The due diligence should take into consideration both qualitative and quantitative factors affecting the performance of the outsourced service, such as the financial condition and results of operation for the previous year/s, risk management practices, technical expertise which involve monitoring the velocity of e-money transactions and aggregation of monthly limits, among others, market share, reputation (both the company and its stockholders) and compliance with anti-money laundering requirements and BSP rules and regulations.
An EMI should make sure that the EMNSP adheres to international standards on IT governance, information security, and business continuity in the performance of its outsourced activities. An EMI should endeavor to obtain independent reviews and market feedback on the EMNSP to supplement its own findings.
Operational review by an EMI of the EMNSP should be undertaken at least on an annual basis as part of risk management. This review should be documented as part of an EMI’s monitoring and control process.
Section 6. Delineation of Responsibilities. The EMI and EMNSP shall identify, delineate and document the responsibilities and accountabilities of each party as regards the outsourcing arrangement, including planning for contingencies. Notwithstanding any contractual agreement between an EMI and EMNSP on the sharing of responsibility, the EMI shall be responsible to its customers, without prejudice to further recourse, if any, by the EMI to the EMNSP.
Section 7. Confidentiality and Security. An EMI should review and monitor the security practices and control processes of the EMNSP on a regular basis, including commissioning or obtaining periodic expert reports on adequacy of security to maintain the confidentiality and integrity of data, and compliance with internationally-recognized standards in respect to the operations of the EMNSP. Considering that the EMNSP may service more than one EMI, the EMI should ensure that records pertaining to its trans- actions are segregated from those of other EMIs.
The EMI and EMNSP shall identify circumstances under which each party has the right to change security requirements. An EMNSP should be required to report immediately any security breaches to the EMI.
In addition, the EMI should make sure the EMNSP have documented business continuity plans in place and that said plan is periodically reviewed and tested with no significant test findings. An EMNSP shall provide the EMI with timely and adequate notification on any adverse development that may impact the former’s performance and delivery of service to the EMI.
Section 8. EMI-Others intending to be an EMNSP. An EMI-Others that intend to be an EMNSP because of its specialized technical expertise shall comply with the re- quirements for an EMNSP under this Circular. In addition, an EMI-Others shall undertake risk-mitigating measures to ensure that liquid assets, corresponding to the outstanding balance of E-money issued by the EMI-Others and maintained pursuant to Circular No. 649, be insulated from risks arising from its liabilities as EMNSP. These measures may include ringfencing the liquid assets through an escrow or trust account in a financial institution acceptable to BSP.
Section 9 Sanctions. Violations committed by EMIs pertaining to outsourcing of activities to EMNSP shall be subject to monetary penalties as graduated under Circular No. 496 and/or other non-monetary sanctions under Section 37 of Republic Act No. 7653.
Section 10. Transitory provisions. EMIs that were granted an authority to out- source their E-money activities to an EMNSP may continue to exercise such authority provided that they have to conform to the provisions of the Circular within a six-month period from date of its effectivity.
Section 11. Effectivity Clause. This Circular shall take effect fifteen (15) days following its publication in the Official Gazette or any newspaper of general circulation.
Adopted: 22 December 2010
FOR THE MONETARY BOARD:
(SGD.)AMANDO M. TETANGCO, JR.
Governor
Section 2. Definition. An Electronic Money Network Service Provider (EMNSP) shall refer to a non-financial institution that provides automated systems, network infrastructure, including a network of accredited agents utilizing the systems, to enable clients of an EMI to perform any or all of the following:
- Convert cash to E-money and monetize e-money;
- Transfer funds from one electronic wallet to another;
- Use E-money as a means of payment for goods and services; and
- Conduct other similar and/or related e-money activities/transactions.
Section 3. Application to outsource. An EMI intending to outsource the services contemplated under Section 2 shall limit itself to an EMNSP as an outsource entity, and shall follow the procedures for outsourcing information technology systems/processes as provided under Subsection X162.2 (formerly X169.2) of the Manual of Regulations for Banks (MORB). In addition to the documentary requirements under said Subsection, an EMI should also submit a certification signed by its President or any officer of equivalent rank and function certifying that a due diligence review had been conducted and that the selected EMNSP has met the minimum requirements provided under Section 5 of this Circular.
Section 4. Responsibilities of an EMI. Relative to the outsourcing of services to an EMNSP, it shall be the responsibility of an EMI to:
- Conduct due diligence review on an EMNSP in accordance with Section 5 of this Circular;
- Ensure that the relationship/arrangement with an EMNSP is supported by a written contract that should contain, at a minimum, the requirements prescribed under Subsection X162.2 of the MORB. The contract should also stipulate that (1) the EMNSP shall allow the BSP to have access and to examine the E-money system, network infrastructure, operation of the network of accredited agents and all operations related to E-money services being outsourced by the EMI for the purpose of assessing the confidentiality, integrity, and reliability of the E-money system and determining compliance with BSP rules and regulations; (2) that the EMNSP shall not further outsource or subcontract the activity being outsourced to the EMNSP; and (3) that interconnection by the EMNSP with other networks shall be limited to networks of other EMNSPs and BSP-recognized ATM consortia.
- Ensure that the EMNSP employs a high degree of professional care in performing the outsourced activities as if these were conducted by the EMI itself. This would include, among others, making use of monitoring and control procedures to ensure compliance at all times with applicable BSP rules and regulations;
- Ensure that the EMNSP has an accreditation process in the selection of agents participating in the retail network for the conversion of cash to E-money and its monetization and that the EMNSP has instituted mechanisms to manage sufficient liquidity in its system/network.
- Ensure that the EMNSP enforces a program that requires all cash-in and cash out agents under its network to undergo AML trainings and re-trainings every two (2) years; and
- Comply with all laws and BSP rules and regulations covering the activities outsourced to the EMNSP, especially on compliance with anti-money laundering (AML) requirements.
Section 5. Due Diligence and Continuing Operational Review. Prior to entering into an outsourcing arrangement with an EMNSP, an EMI should conduct appropriate due diligence review to assess the capability of an EMNSP in performing the service to be outsourced. The due diligence should take into consideration both qualitative and quantitative factors affecting the performance of the outsourced service, such as the financial condition and results of operation for the previous year/s, risk management practices, technical expertise which involve monitoring the velocity of e-money transactions and aggregation of monthly limits, among others, market share, reputation (both the company and its stockholders) and compliance with anti-money laundering requirements and BSP rules and regulations.
An EMI should make sure that the EMNSP adheres to international standards on IT governance, information security, and business continuity in the performance of its outsourced activities. An EMI should endeavor to obtain independent reviews and market feedback on the EMNSP to supplement its own findings.
Operational review by an EMI of the EMNSP should be undertaken at least on an annual basis as part of risk management. This review should be documented as part of an EMI’s monitoring and control process.
Section 6. Delineation of Responsibilities. The EMI and EMNSP shall identify, delineate and document the responsibilities and accountabilities of each party as regards the outsourcing arrangement, including planning for contingencies. Notwithstanding any contractual agreement between an EMI and EMNSP on the sharing of responsibility, the EMI shall be responsible to its customers, without prejudice to further recourse, if any, by the EMI to the EMNSP.
Section 7. Confidentiality and Security. An EMI should review and monitor the security practices and control processes of the EMNSP on a regular basis, including commissioning or obtaining periodic expert reports on adequacy of security to maintain the confidentiality and integrity of data, and compliance with internationally-recognized standards in respect to the operations of the EMNSP. Considering that the EMNSP may service more than one EMI, the EMI should ensure that records pertaining to its trans- actions are segregated from those of other EMIs.
The EMI and EMNSP shall identify circumstances under which each party has the right to change security requirements. An EMNSP should be required to report immediately any security breaches to the EMI.
In addition, the EMI should make sure the EMNSP have documented business continuity plans in place and that said plan is periodically reviewed and tested with no significant test findings. An EMNSP shall provide the EMI with timely and adequate notification on any adverse development that may impact the former’s performance and delivery of service to the EMI.
Section 8. EMI-Others intending to be an EMNSP. An EMI-Others that intend to be an EMNSP because of its specialized technical expertise shall comply with the re- quirements for an EMNSP under this Circular. In addition, an EMI-Others shall undertake risk-mitigating measures to ensure that liquid assets, corresponding to the outstanding balance of E-money issued by the EMI-Others and maintained pursuant to Circular No. 649, be insulated from risks arising from its liabilities as EMNSP. These measures may include ringfencing the liquid assets through an escrow or trust account in a financial institution acceptable to BSP.
Section 9 Sanctions. Violations committed by EMIs pertaining to outsourcing of activities to EMNSP shall be subject to monetary penalties as graduated under Circular No. 496 and/or other non-monetary sanctions under Section 37 of Republic Act No. 7653.
Section 10. Transitory provisions. EMIs that were granted an authority to out- source their E-money activities to an EMNSP may continue to exercise such authority provided that they have to conform to the provisions of the Circular within a six-month period from date of its effectivity.
Section 11. Effectivity Clause. This Circular shall take effect fifteen (15) days following its publication in the Official Gazette or any newspaper of general circulation.
Adopted: 22 December 2010
(SGD.)AMANDO M. TETANGCO, JR.
Governor