The Central Bank of Malaysia, known as Bank Negara Malaysia ("BNM"), released a new Policy Document on Electronic Money ("New Guidelines") on December 30th, 2022. These New Guidelines replace the previous Guidelines on Electronic Money that BNM issued on July 31st, 2008. They went into effect on December 30th, 2022, except for certain paragraphs that will be implemented on December 30th, 2023.
The recently introduced Policy Document has brought about several modifications to the regulatory framework concerning e-money. These changes comprise:
- a re-categorization of e-money issuers,
- stricter corporate governance standards,
- updated requirements for operational and risk management; and
- increased information technology requirements.
For the purpose of this article, our attention is focused on the legal considerations in relation to an E-Money Issuer’s (EMI) outsourcing activities.
Outsourcing to Service Providers
At the outset, it must be noted that an EMI retains the duty and liability for any services delegated to a service provider through an outsourcing arrangement.
BNM’s approval must be obtained when an EMI intends to enter into a new material outsourcing arrangement or make changes to its existing material outsourcing arrangements. “Material” in this sense is where:
- the outsourcing arrangement is significant in allowing the EMI to realise its strategic and business goals;
- the negative impact on the end-users arising from a failed outsourcing arrangement is huge;
- the exposure to the EMI is huge as a result of the complexity and nature of the outsourcing arrangement.
Outsourcing Agreements
An EMI must ensure that the outsourcing agreement is governed by a legally binding written contract, which should encompass the essential stipulations outlined in Appendix 6 of the New Guidelines.
Key provisions to be included in such outsourcing agreements include (inter alia):
Responsibilities and performance standards of Service Providers
Duties of the service provider, accompanied by clearly outlined and quantifiable standards for risk and performance concerning the delegated task. The financial conditions linked to the service provider's performance must not encourage them to undertake undue risks that could impact the EMI;
Establishment of proper controls
- Measures to guarantee the continuous security of any shared information with the service provider, encompassing at least: (i) the service provider's duties concerning information security; (ii) the extent of information bound by security prerequisites; (iii) arrangements for reimbursing the EMI for losses and associated liability stemming from a security breach caused by the service provider; (iv) stipulations for reporting security breaches; (v) the relevant laws of the jurisdiction;
- Uninterrupted and comprehensive access for the EMI to its data retained by the service provider in case of a dispute with the service provider or the termination of the agreement;
- Enabling BNM to possess immediate, timely, and unobstructed entry to the systems and any pertinent information or records connected to the outsourced activity;
- Measures that the service provider will put in place to guarantee the uninterrupted progression of the outsourced activity should there be an operational disturbance or malfunction caused by the service provider;
- Frequent testing of the service provider's Business Continuity Plan (BCP), which encompasses particular assessments needed to assist the EMI's own BCP testing. A condensed version of the test outcomes must be furnished to the EMI concerning the outsourced activity;
- Events that might result in the termination of the agreement, the termination entitlements of the contractual parties, and a specified minimum duration for carrying out the termination clauses. This timeframe should allow ample time for an orderly transfer of the outsourced activity to the EMI or an alternative entity;
- Conditions regulating the primary service provider's capacity to delegate to sub-contractors. Sub-contracting must not diminish the primary service provider's ultimate responsibility to the EMI concerning the outsourcing agreement, and the EMI must possess transparent oversight of all sub-contractors;
Enable BNM to:
Other points to take note
An EMI is mandated to conduct due diligence on a service provider when considering new outsourcing arrangements or renewing an existing outsourcing arrangement. The due diligence must cover, amongst other matters, the following:
- measures and procedures put in place by the service provider to ensure data protection and confidentiality;
- reliance on sub-contractors, if any, in particular where the sub-contracting adds further complexity to the operational chain of the outsourcing arrangement.
The aforesaid requirements introduced in the New Guidelines are a result of the increasing prominence of the use of E-Money and the proliferation of mobile tech such as Quick Response (QR) codes. The mandatory ‘BNM Access’ provisions to be included in an outsourcing agreement also reflect BNM’s keenness in taking proactive measures to ensure the EMI’s activities are conducted with integrity and in strict compliance with laws and guidelines.
Pertinently, an EMI is not allowed to enter into or renew any outsourcing arrangement without first establishing the competence and capability of the service provider. A legal due diligence (amongst others) may need to be carried out on a service provider to ensure that the data protection and confidentiality procedures in place are in compliance with the Personal Data Protection Act 2010 and other applicable laws. Further, agreements between the service provider and its counterparties may have to be reviewed to assess the extent to which the functions of such service provider have been further outsourced, so as to not add any complexity to the outsourcing arrangement between an EMI and such service provider.
If you have any questions on this topic or on E-Money in Malaysia as a whole, please feel free to contact us for a complimentary consultation.