• OM-3 Electronic Money and Electronic Banking Activities

    • OM-3.1 Board and Management Oversight

      • OM-3.1.1

        This section sets out the requirements for systems risk management and controls relevant to services offered through electronic banking activities and electronic funds transfer. Such services involve technical complexity and are exposed to operational and security risks.

        Added: January 2020

      • OM-3.1.2

        The Board of Directors, or a designated Board committee, and senior management must establish effective management oversight over the risks associated with e-banking and electronic funds transfer activities. The licensee must establish policies and procedures to manage these risks which include, but are not limited to, the following:

        (a) The development and/or acquisition of the technology solutions;
        (b) Testing of application program interfaces;
        (c) Standards of communication and access and security of communication sessions, such as PCI-DSS compliance for cards;
        (d) Authentication of the users;
        (e) Processes and measures that protect customer data confidentiality consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018;
        (f) The use of enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits on value, volume and velocity; and
        (g) Security policy and risk management controls.
        Amended: January 2021
        Added: January 2020
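Item (f) names limits on value, volume and velocity as fraud-monitoring tools. The following is an added illustration, not part of the Rulebook or of any licensee's system, of how such limits are typically enforced per account against a rolling history of accepted transfers. The limit values, the timestamps, the fils amounts and the transfer stream are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FraudLimits:
    """Constructed limit set; real values are chosen per product and risk appetite."""
    max_single_tx: int        # value limit per transfer (fils; 1 BHD = 1000 fils)
    max_daily_value: int      # value limit over a rolling 24-hour period
    max_daily_count: int      # volume limit over a rolling 24-hour period
    max_burst_count: int      # velocity limit: transfers allowed per burst window
    burst_window: timedelta   # length of the burst window


class AccountMonitor:
    """Tracks accepted outgoing transfers for one customer account and flags a
    new transfer that would breach any value, volume or velocity limit."""

    def __init__(self, limits: FraudLimits) -> None:
        self.limits = limits
        self._accepted = deque()   # (timestamp, amount) of accepted transfers, oldest first

    def _prune(self, now: datetime) -> None:
        # Transfers older than 24 hours no longer count towards any limit.
        cutoff = now - timedelta(hours=24)
        while self._accepted and self._accepted[0][0] <= cutoff:
            self._accepted.popleft()

    def evaluate(self, now: datetime, amount: int) -> list:
        """Return the list of breached limits; an empty list means the transfer
        is accepted and recorded. Flagged transfers are not recorded."""
        self._prune(now)
        reasons = []
        if amount > self.limits.max_single_tx:
            reasons.append("value:single")
        if sum(a for _, a in self._accepted) + amount > self.limits.max_daily_value:
            reasons.append("value:daily")
        if len(self._accepted) + 1 > self.limits.max_daily_count:
            reasons.append("volume:daily")
        burst_start = now - self.limits.burst_window
        recent = sum(1 for t, _ in self._accepted if t > burst_start)
        if recent + 1 > self.limits.max_burst_count:
            reasons.append("velocity:burst")
        if not reasons:
            self._accepted.append((now, amount))
        return reasons


def run_demo() -> list:
    """Run a constructed transfer stream through the monitor and return
    (label, reasons) pairs so the outcome of each transfer can be inspected."""
    limits = FraudLimits(
        max_single_tx=500_000,      # BHD 500
        max_daily_value=1_000_000,  # BHD 1,000
        max_daily_count=10,
        max_burst_count=3,
        burst_window=timedelta(minutes=5),
    )
    monitor = AccountMonitor(limits)
    t0 = datetime(2021, 1, 15, 9, 0, 0)   # constructed start time
    stream = [  # (label, offset from t0, amount in fils) - constructed
        ("tx1", timedelta(minutes=0), 100_000),
        ("tx2", timedelta(minutes=1), 100_000),
        ("tx3", timedelta(minutes=2), 100_000),
        ("tx4", timedelta(minutes=3), 100_000),   # 4th transfer in 5 min: velocity
        ("tx5", timedelta(minutes=10), 600_000),  # above single-transfer value limit
        ("tx6", timedelta(minutes=11), 400_000),  # accepted, daily total now 700,000
        ("tx7", timedelta(minutes=12), 400_000),  # would push daily total past limit
        ("tx8", timedelta(hours=25), 400_000),    # next day: history has rolled off
    ]
    return [(label, monitor.evaluate(t0 + offset, amount)) for label, offset, amount in stream]


if __name__ == "__main__":
    for label, reasons in run_demo():
        print(label, "accepted" if not reasons else "flagged: " + ", ".join(reasons))
```

Value, volume and velocity are three independent checks over the same history, so a transfer can trip several at once; a production system would persist the history, apply limits per product and channel, and route flagged transfers to review rather than silently rejecting them.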

      • OM-3.1.3

        The Board of Directors and senior management must ensure they possess the required competence, experience and skills to oversee, review and approve the key aspects of the licensee's security control process.

        Added: January 2020

      • OM-3.1.4

        The Board of Directors and senior management must establish a comprehensive and ongoing due diligence and oversight process for managing the licensee's outsourcing relationships and other third-party dependencies supporting e-banking.

        Added: January 2020

    • OM-3.2 Secure Authentication

      • OM-3.2.1

        Licensees must take appropriate measures to authenticate the identity and authorisation of the customers with whom they conduct business.

        Added: January 2020

      • OM-3.2.2

        Licensees must use predefined transaction authentication methods that promote non-repudiation and establish accountability for the transactions. Licensees must establish detailed procedures to effectively identify the person originating electronic funds transfer transactions and for 'call backs' when appropriate to avoid frauds in electronic fund transfers.

        Added: January 2020

      • OM-3.2.3

        The term 'authentication' as used in this Module refers to the techniques, procedures and processes used to verify the identity and authorisation of prospective and established customers.

        (a) Identification refers to the procedures, techniques and processes used to establish the identity of a customer;
        (b) Authorisation refers to the procedures, techniques and processes used to determine that a customer or an employee has legitimate access to the bank account or the authority to conduct associated transactions on that account.
        Added: January 2020

      • OM-3.2.4

        Licensees must have in place a strong customer authentication process for their e-banking activities which ensures the following:

        (a) no information on any of the elements of the strong customer authentication process can be derived from the disclosure of the authentication code;
        (b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
        (c) the authentication code cannot be forged.
        Added: January 2020
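Paragraphs (a) to (c) of OM-3.2.4 state the properties an authentication code must have, and OM-3.2.2 asks that transaction authentication identify the originator and resist fraud. The following added example (not the Rulebook's text, and not any licensee's implementation) shows one common way a transaction-signing token meets (a) to (c): a per-device secret key, a monotonic counter and the transaction details are run through HMAC-SHA256 and truncated to a numeric code. Property (a) follows from HMAC being one-way, (b) from the counter being bound into each code under the key, and (c) from the key being required to compute any code at all. The device key, the IBAN and the amounts are constructed. A shared-key HMAC authenticates the transaction, but because the bank also holds the key it does not on its own give the non-repudiation OM-3.2.2 refers to; that needs an asymmetric signature with the private key held only on the customer's device.

```python
import hashlib
import hmac
import secrets
import struct

CODE_DIGITS = 8


def derive_tx_code(device_key: bytes, counter: int, amount_fils: int, beneficiary: str) -> str:
    """Device side: HMAC-SHA256 over (counter, amount, beneficiary), truncated to
    CODE_DIGITS decimal digits with the dynamic truncation of RFC 4226.
    Binding the amount and beneficiary means a code cannot be reused for a
    different transaction, and the counter means it cannot be replayed."""
    message = struct.pack(">QQ", counter, amount_fils) + beneficiary.encode("utf-8")
    digest = hmac.new(device_key, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class TxCodeVerifier:
    """Bank side: holds the device key and the last accepted counter, and accepts
    a code only for an unused counter within a small look-ahead window. Once a
    counter is accepted it and every earlier counter are spent (ratchet)."""

    def __init__(self, device_key: bytes, look_ahead: int = 5) -> None:
        self._key = device_key
        self._last_counter = 0
        self._look_ahead = look_ahead

    def verify(self, code: str, amount_fils: int, beneficiary: str) -> bool:
        first = self._last_counter + 1
        for candidate in range(first, first + self._look_ahead):
            expected = derive_tx_code(self._key, candidate, amount_fils, beneficiary)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = candidate
                return True
        return False


def run_demo() -> dict:
    """Walk through genuine use, replay, tampering and counter drift; return
    the outcome of each step by name."""
    device_key = secrets.token_bytes(32)       # provisioned at enrolment (constructed)
    iban = "BH67BMAG00001299123456"            # constructed beneficiary IBAN
    amount = 250_000                           # BHD 250 in fils
    bank = TxCodeVerifier(device_key)
    results = {}

    code1 = derive_tx_code(device_key, 1, amount, iban)
    results["genuine"] = bank.verify(code1, amount, iban)                 # True
    results["replay"] = bank.verify(code1, amount, iban)                  # False: counter 1 spent
    results["tampered_amount"] = bank.verify(code1, 2_500_000, iban)      # False: code bound to amount
    results["tampered_beneficiary"] = bank.verify(
        code1, amount, "BH00BMAG00000000000000")                          # False: code bound to payee

    # Device drifted ahead (e.g. codes generated for cancelled transactions):
    # counter 3 is still inside the look-ahead window, so it is accepted ...
    code3 = derive_tx_code(device_key, 3, amount, iban)
    results["skipped_ahead"] = bank.verify(code3, amount, iban)           # True
    # ... after which counter 2 is behind the ratchet and is rejected.
    code2 = derive_tx_code(device_key, 2, amount, iban)
    results["stale_counter"] = bank.verify(code2, amount, iban)           # False
    # Property (b): knowing one code gives nothing about the next.
    results["next_counter_differs"] = code1 != code2                      # True
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:>22}: {'accepted' if outcome else 'rejected'}")
```

The look-ahead window is the usual compromise between usability (a customer who generated codes without submitting them is not locked out) and exposure (an attacker who captures one code can only try it against a handful of counters, and never after the next genuine code is accepted).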

      • OM-3.2.5

        The CBB will consider, on a case-by-case basis, applying quantitative thresholds below which the strong customer authentication requirements may be simplified.

        Added: January 2020

      • OM-3.2.6

        Licensees must establish adequate security features for customer authentication, covering each of the following three elements:

        (a) an element categorised as knowledge (something only the user knows), with security features such as the length and complexity of the PIN or password;
        (b) an element categorised as possession (something only the user possesses), with security features such as algorithm specifications, key length and information entropy; and
        (c) an element categorised as inherence (something the user is), with security features for the devices and software that read the element, i.e. algorithm specifications, biometric sensor and template protection features.
        Added: January 2020

    • OM-3.3 Other Systems and Controls

      • OM-3.3.1

        Licensees must ensure that appropriate measures are in place to promote adequate segregation of duties within electronic funds transfer and e-banking systems, databases and applications.

        Added: January 2020

      • OM-3.3.2

        Licensees must ensure that proper authorisation controls and access privileges are in place for electronic funds transfer and e-banking systems, databases and applications.

        Added: January 2020

      • OM-3.3.3

        Licensees must ensure that appropriate measures are in place to protect the data integrity of all transactions, records and information.

        Added: January 2020

      • OM-3.3.4

        Licensees must ensure that clear audit trails exist for all electronic funds transfer and e-banking transactions.

        Added: January 2020

      • OM-3.3.5

        Licensees must establish and document the log retention requirements, including the identification of the source of each request, time synchronisation across all related systems, and all metadata related to each request.

        Added: January 2020

      • OM-3.3.6

        Licensees must take appropriate measures to preserve the confidentiality of information. Measures taken to preserve confidentiality must be commensurate with the sensitivity of the information being transmitted and/or stored in databases.

        Added: January 2020

      • OM-3.3.7

        Licensees must ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the licensee's identity and regulatory status prior to entering into e-banking transactions.

        Added: January 2020

      • OM-3.3.8

        Licensees must take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the licensee is providing e-banking products and services.

        Added: January 2020

      • OM-3.3.9

        Licensees must have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.

        Added: January 2020

      • OM-3.3.10

        Licensees must develop appropriate incident response plans to manage, contain and minimise problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.

        Added: January 2020

      • OM-3.3.11

        Licensees must have in place customer awareness communications, before and after the onboarding process, using video calls, short videos or pop-up messages, to alert and warn natural persons applying to open current or savings accounts, credit, debit or prepaid cards or digital wallets about the risk of electronic fraud, and to emphasise the need to secure their personal account details and not share them with anyone, online or offline.

        Added: January 2021