Operations Documents For Money Services Business
To safeguard the Money Service Business (MSB) industry from being abused as a channel to commit financial crime and to promote the integrity of money services activities, Bank Negara Malaysia, on 1 July 2022, issued the Policy Document on Governance, Risk Management, and Operations for MSB which is applicable to licensees under the Money Services Business Act 2011.
Recently, Bank Negara Malaysia (BNM) issued the Policy Document on Governance, Risk Management, and Operations for Money Services Business (MSB Operations Documents). This guide is helpful to licence holders governed under the Money Services Business Act 2011.
This guide outlines the minimum requirements that Money Service Business (MSB) licensees must observe in employing effective governance, appropriate risk management and robust internal control systems for their business. The aim is to protect customers’ interests while guarding the MSB industry against being utilised as a tool in the commission of financial crime, specifically money laundering or terrorism financing.
Some of the requirements listed in the MSB Operations Document are as follows:
A. Governance Requirements
An MSB is required to establish an effective and transparent governance framework to preserve the integrity and professionalism of its business. This includes, among others, appointing a board of directors and senior management of calibre with relevant experience and qualifications. An MSB must also establish the necessary internal controls which inculcate a good corporate culture that reinforces ethical, prudent and professional behaviour. The overall responsibility of the board of directors is to promote sustainable business growth and financial soundness of the MSB, ensuring fair and honest dealings with consumers and preventing mismanagement, fraud and abuse of the MSB for illegal purposes.
The guide also provides the means of doing so, which include approving the risk appetite, approving a business plan that has substantial influence on the MSB’s risk profile, and ensuring the management provides adequate reporting to the board on a timely basis. The reporting is to cover the MSB’s overall business performance, including compliance with MSB regulatory and AML/CFT requirements.
In the case of medium and large MSBs:
a) Each director is required to personally (and not by proxy) attend at least 75% of the board meetings held in a financial year and the quorum for board meetings shall be represented by at least half of the board members.
b) The board shall ensure that at least one third of board members are independent from day-to-day management of the MSB business.
c) The board shall establish a code of ethics to ensure proper conduct of business at all times, appoint a dedicated Compliance Officer to perform the compliance function for the MSB and ensure the board remains up-to-date on good risk management practices, which includes participating in the Money Services Business Directors’ Education Program (MSBDEP) or similar programs as specified by the BNM.
The Chief Executive Officer (CEO) is responsible for managing the day-to-day business operations of the MSB and has a key role in ensuring that the operations of the MSB are carried out ethically and professionally with integrity. This includes ensuring employees are competent and provided with relevant training, closely monitoring the staff’s performance, ensuring compliance with applicable regulatory requirements and laws and undertaking appropriate measures to ensure the MSB is protected from legal and reputational risks.
B. Operational Requirements
MSBs must be incorporated under the Companies Act 2016 and must provide money services business activities in accordance with the requirements under its license. An MSB must open its own account under its name with banking institutions.
An MSB must display in its office a notice informing its customers to request a receipt, and this must be serialised according to sequential order. An MSB that appoints an agent must ensure its agent displays the certificate of appointment at its premises to facilitate the customers’ verification. Online MSBs must not display the full copy of their license digitally to avoid forgery.
Exchange rate quotations must be based on the prevailing market rates and, in setting the dealing spread, an MSB must comply with the requirements of the Competition Act 2010 and is prohibited from undertaking predatory pricing or colluding with other MSBs. The exchange rate used for the final transaction shall not be less favourable than the exchange rate disclosed to customers.
An MSB must provide adequate information on how customers can lodge a complaint about its service and on the procedures for cancellation of transactions. An MSB must obtain the BNM’s written approval to implement or significantly change its material outsourcing arrangements. An MSB must ensure that customers’ funds can always be reconciled with the total liabilities of its remittance business. An MSB which carries out remittance business must ensure that its remittance system is robust, with features that fulfil the requirements prescribed in the Remittance Regulations, and that the system is able to capture end-to-end transaction information. For wholesale currency business, MSBs can only receive payment for the settlement of their import and export of currency via banking institutions or licensed remittance service providers.
C. Risk Management And Internal Controls
An MSB must establish a risk management framework, and the officer who is responsible for risk management must update the board and senior management on a regular basis on the assessment of material risks. Additionally, an MSB must have its own written internal policies and procedures, which include the standard operating procedures for the MSB operations, a mechanism for monitoring and reporting the business performance of its branches to head office and policies to guarantee effective cash management at all its company premises. The establishment of complaints handling functions is required, proportionate to the nature, scale and complexity of the MSB. To prevent fraud and improper administration of jobs, an MSB must optimise effective division of labour for essential operational tasks.
In addition, an MSB must set up control functions that guarantee compliance and risk management are managed successfully. A strong business continuity plan must be set out, which includes contingency arrangements to ensure the continuity of critical business functions. The plan shall include the procedure for the regular backup of customer information and clear policies required for staff to respond to system and operational failures.
D. IT Requirements
An MSB must establish a sound internal technology risk framework, IT policies and procedures as well as controls to mitigate technology risks to systems, online portals and mobile applications. There must be controls to mitigate technology risk to (among others) prevent malware, phishing or data leakage, namely firewall protection for the internal network, up-to-date anti-virus for all servers, the latest secure encryption communication channel and effective security patch management. For online portals and mobile platforms, an MSB must establish a mechanism to authenticate system users based on the MSB’s technology risk appetite, a mechanism to notify customers via SMS of all online transactions performed and a mechanism to clear the web browser cache. Management information systems of MSBs must be able to detect any alterations made to the information maintained and record details of transactions.
The MSB Operations Document contains updates to the regulatory requirements for the MSB industry especially on governance, risk management, operational requirements, and information technology requirements. It replaces the 13 guidelines, circulars, and notifications listed in Appendix 1 of the MSB Operations Document. The legal papers and policy documents listed in paragraph 6.1 of the MSB Operations Document shall continue to be relevant to MSB licensees when appropriate. The requirements contained in the 13 superseded guidelines, circulars and notices are now combined into a single policy document.
Authored by Shohidah Ramlee, an associate and Jay Kam Jia Yang, a pupil from the firm’s Corporate practice.
14 November 2022