Appendix 98

GUIDELINES ON OUTSOURCING OF SERVICES BY ELECTRONIC MONEY ISSUERS (EMIs) TO ELECTRONIC MONEY NETWORK SERVICE PROVIDERS (EMNSP)
(Appendix to Sec. 702 on Outsourcing of Services by EMIs to EMNSP)

I.  Statement of Policy. It is the goal of the Bangko Sentral to achieve a truly inclusive financial system. In line with achieving this goal, the Bangko Sentral recognizes the potential of electronic money (E-Money) as an instrument to facilitate delivery of financial services affordably to the low-income, unbanked or underserved segments of the population, particularly in non-urbanized areas. The Bangko Sentral likewise recognizes that efficient and effective delivery of financial services may necessitate Electronic Money Issuers (EMI) to develop business models that utilize outsourcing arrangements, considering the specialized operational and technological requirements in an E-money business. Outsourcing, however, may introduce an EMI to certain operational and reputational risks that need to be properly managed. The Bangko Sentral hereby issues the following guidelines to govern the outsourcing of E-Money related services.

II.  Definition. An Electronic Money Network Service Provider (EMNSP) shall refer to a non-financial institution that provides automated systems, network infrastructure, including a network of accredited agents utilizing the systems, to enable clients of an EMI to perform any or all of the following:

a. Convert cash to E-money and monetize e-money;

b. Transfer funds from one electronic wallet to another;

c. Use E-money as a means of payment for goods and services; and

d. Conduct other similar and/or related e-money activities/transactions.

III.  Application to outsource. An EMI intending to outsource the services contemplated under Item “2” shall limit itself to an EMNSP as an outsource entity, and shall follow the procedures for outsourcing information technology systems/processes as provided under Sec. 112. In addition to the documentary requirements under said Section, an EMI should also submit a certification signed by its President or any officer of equivalent rank and function certifying that a due diligence review had been conducted and that the selected EMNSP has met the minimum requirements provided under Item “V”.

IV.  Responsibilities of an EMI. Relative to the outsourcing of services to an EMNSP, it shall be the responsibility of an EMI to:

a. Conduct due diligence review on an EMNSP in accordance with Item “V”;

b. Ensure that the relationship/arrangement with an EMNSP is supported by a written contract that should contain, at a minimum, the requirements prescribed under Sec. 112. The contract should also stipulate that:

(1) the EMNSP shall allow the Bangko Sentral to have access and to examine the E-money system, network infrastructure, operation of the network of accredited agents and all operations related to E-money services being outsourced by the EMI for the purpose of assessing the confidentiality, integrity, and reliability of the E-money system and determining compliance with Bangko Sentral rules and regulations;

(2) the EMNSP shall not further outsource or subcontract the activity being outsourced to the EMNSP; and

(3) interconnection by the EMNSP with other networks shall be limited to networks of other EMNSPs and the Bangko Sentral-recognized ATM consortia.

c. Ensure that the EMNSP employs a high degree of professional care in performing the outsourced activities as if these were conducted by the EMI itself. This would include, among others, making use of monitoring and control procedures to ensure compliance at all times with applicable Bangko Sentral rules and regulations;

d. Ensure that the EMNSP has an accreditation process in the selection of agents participating in the retail network for the conversion of cash to E-money and its monetization and that the EMNSP has instituted a mechanism to manage sufficient liquidity in the system/network;

e. Ensure that the EMNSP enforces a program that requires all cash-in and cash-out agents under its network to undergo AML trainings and re-trainings every two (2) years; and

f. Comply with all laws and Bangko Sentral rules and regulations covering the activities outsourced to the EMNSP, especially on compliance with anti-money laundering (AML) requirements.

V.  Due Diligence and Continuing Operational Review. Prior to entering into an outsourcing arrangement with an EMNSP, an EMI should conduct appropriate due diligence review to assess the capability of an EMNSP in performing the service to be outsourced. The due diligence should take into consideration both qualitative and quantitative factors affecting the performance of the outsourced service, such as the financial condition and results of operation for the previous year/s, risk management practices, technical expertise which involves monitoring the velocity of e-money transactions and aggregation of monthly limits, among others, market share, reputation (both the company and its stockholders) and compliance with anti-money laundering requirements and Bangko Sentral rules and regulations.

An EMI should make sure that the EMNSP adheres to international standards on IT governance, information security, and business continuity in the performance of its outsourced activities. An EMI should endeavor to obtain independent reviews and market feedback on the EMNSP to supplement its own findings.

Operational review by an EMI of the EMNSP should be undertaken at least on an annual basis as part of risk management. This review should be documented as part of an EMI’s monitoring and control process.

VI.  Delineation of Responsibilities. The EMI and EMNSP shall identify, delineate and document the responsibilities and accountabilities of each party as regards the outsourcing arrangement, including planning for contingencies. Notwithstanding any contractual agreement between an EMI and an EMNSP on the sharing of responsibility, the EMI shall be responsible to its customers, without prejudice to further recourse, if any, by the EMI to the EMNSP.

VII.  Confidentiality and Security. An EMI should review and monitor the security practices and control processes of the EMNSP on a regular basis, including commissioning or obtaining periodic expert reports on adequacy of security to maintain the confidentiality and integrity of data, and compliance with internationally-recognized standards in respect to the operations of the EMNSP. Considering that the EMNSP may service more than one EMI, the EMI should ensure that records pertaining to its transactions are segregated from those of other EMIs.

The EMI and EMNSP shall identify circumstances under which each party has the right to change security requirements. An EMNSP should be required to report immediately any security breaches to the EMI.

In addition, the EMI should make sure the EMNSP has documented business continuity plans in place and that said plans are periodically reviewed and tested with no significant test findings. An EMNSP shall provide the EMI with timely and adequate notification on any adverse development that may impact the former’s performance and delivery of service to the EMI.

VIII.  EMI-Others intending to be an EMNSP. An EMI-Others that intends to be an EMNSP because of its specialized technical expertise shall comply with the requirements for an EMNSP. In addition, an EMI-Others shall undertake risk-mitigating measures to ensure that liquid assets, corresponding to the outstanding balance of E-money issued by the EMI-Others and maintained pursuant to Sec. 702, be insulated from risks arising from its liabilities as EMNSP. These measures may include ring fencing the liquid assets through an escrow or trust account in a financial institution acceptable to Bangko Sentral.

IX.  Sanctions. Violations committed by EMIs pertaining to outsourcing of activities to EMNSP shall be subject to monetary penalties as graduated under Appendix 24 and/or other non-monetary sanctions under Section 37 of RA No. 7653.

X.  Transitory Provisions. EMIs that were granted an authority to outsource their E-Money activities to an EMNSP may continue to exercise such authority provided that they have to conform to these guidelines within a six (6)-month period from the date of their effectivity.