• RM-1 General Requirements

    • RM-1.1 Risk Management

      • Board of Directors' Responsibility

        • RM-1.1.1

          The Board of Directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

          October 2010

        • RM-1.1.2

          The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licensee is exposed to, a risk management framework that includes setting and monitoring policies, systems, tools and controls.

          October 2010

        • RM-1.1.3

          Although authority for the management of a firm's risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

          October 2010

        • RM-1.1.4

          A licensee's failure to establish, in the opinion of the CBB, an adequate risk management framework will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing or imposing restrictions on the licensee, or the licensee being required to inject more capital.

          October 2010

        • RM-1.1.5

          The Board of Directors must also ensure that there is adequate documentation of the licensee's risk management framework.

          October 2010

      • Systems and Controls

        • RM-1.1.6

          The risk management framework of licensees must provide for the establishment and maintenance of effective systems and controls as are appropriate to their business, so as to identify, measure, monitor and manage risks.

          October 2010

        • RM-1.1.7

          An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in HC-1.1.5.

          October 2010

        • RM-1.1.8

          The systems and controls required by Paragraph RM-1.1.6 must be proportionate to the nature, scale and complexity of the firm's activities.

          October 2010

        • RM-1.1.9

          The processes and systems required must enable the licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, which include but are not limited to the following:

          (a) Counterparty Risk;
          (b) Liquidity Risk;
          (c) Market Risk; and
          (d) Operational Risk.

          October 2010

    • RM-1.2 Counterparty Risk

      • RM-1.2.1

        Licensees must adequately document the necessary policies and procedures for identifying, measuring, monitoring and controlling counterparty risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

        October 2010

      • RM-1.2.2

        Among other things, the licensee's policies and procedures must identify the limits it applies to counterparties, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

        October 2010

    • RM-1.3 Liquidity Risk

      • RM-1.3.1

        Licensees must maintain a liquidity risk policy for the management of liquidity risk, which is appropriate to the nature, scale and complexity of its activities. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

        October 2010

      • RM-1.3.2

        Among other things, the licensee's liquidity risk policy must identify the limits it applies, how it monitors movements in risk and how it mitigates loss in the event of unexpected liquidity events.

        October 2010

    • RM-1.4 Market Risk

      • RM-1.4.1

        Licensees must document their framework for the proactive management of market risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

        October 2010

    • RM-1.5 Operational Risk

      • RM-1.5.1

        Licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

        October 2010

      • RM-1.5.2

        Licensees must consider the impact of operational risks on their financial resources and solvency.

        October 2010

      • RM-1.5.3

        Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

        October 2010

      • RM-1.5.4

        Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licensees cannot ignore the nature of risks to which they are exposed.

        October 2010

      • Electronic Frauds

        • RM-1.5.5

          Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

          Added: January 2021
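The following is an added illustration of the value, volume and velocity limits named in RM-1.5.5; it is not part of the CBB Rulebook. The thresholds, the interpretation of each limit and the `LimitMonitor` class are assumptions, since the rule sets no figures or definitions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed limits and interpretations; the rulebook prescribes none of them.
MAX_VALUE_PER_TXN = 1000     # value: cap on a single movement
MAX_DAILY_TOTAL = 3000       # volume: cumulative amount over 24 hours
MAX_TXNS_PER_WINDOW = 3      # velocity: movements allowed in a short window
VELOCITY_WINDOW = timedelta(minutes=10)
DAY = timedelta(hours=24)

@dataclass
class Txn:
    account: str
    amount: int
    at: datetime

class LimitMonitor:
    def __init__(self):
        self._history = {}   # account -> deque of accepted Txn, oldest first

    def check(self, txn):
        """Return the limits this movement would breach (empty list = allow)."""
        hist = self._history.setdefault(txn.account, deque())
        while hist and txn.at - hist[0].at >= DAY:
            hist.popleft()   # drop movements older than the 24-hour window
        breaches = []
        if txn.amount > MAX_VALUE_PER_TXN:
            breaches.append("value")
        if sum(t.amount for t in hist) + txn.amount > MAX_DAILY_TOTAL:
            breaches.append("volume")
        recent = sum(1 for t in hist if txn.at - t.at < VELOCITY_WINDOW)
        if recent + 1 > MAX_TXNS_PER_WINDOW:
            breaches.append("velocity")
        if not breaches:
            hist.append(txn)  # only accepted movements count toward limits
        return breaches

def run_sample():
    """Replay constructed movements on one account (not real data)."""
    t0 = datetime(2021, 1, 10, 9, 0)
    steps = [(200, 0), (250, 1), (300, 2), (100, 3), (1500, 30),
             (900, 60), (950, 120), (500, 180), (500, 25 * 60)]
    mon = LimitMonitor()
    return [mon.check(Txn("ACC-1", amt, t0 + timedelta(minutes=m)))
            for amt, m in steps]
```

A breached limit would normally route the movement to hold, step-up verification or analyst review rather than silently dropping it.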

        • RM-1.5.6

          Licensees must have in place customer awareness communications, pre- and post-registration process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

          Added: January 2021

      • Secure Authentication

        • RM-1.5.7

          Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform.

          Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:

          (a) Knowledge (something only the user knows), such as PIN or password;
          (b) Possession (something only the user possesses), such as mobile phone, smart watch, smart card or a token; and
          (c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.

          Added: July 2023

        • RM-1.5.8

          For the purpose of Paragraph RM-1.5.7, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others, and are sufficiently complex to prevent forgery.

          Added: July 2023

        • RM-1.5.9

          For the purposes of Subparagraph RM-1.5.7 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.

          Added: July 2023
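The following is an added illustration of how the checks in RM-1.5.7 to RM-1.5.9 can be evaluated at login; it is not part of the CBB Rulebook. The factor names, the `compromise_domain` label used to model independence under RM-1.5.8, and the sample logins are assumptions made for this example.

```python
from dataclasses import dataclass

# RM-1.5.7 (a)-(c) categories; the factor names are illustrative assumptions.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "soft_token": "possession", "smart_card": "possession",
    "trusted_device": "possession",            # RM-1.5.9
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass(frozen=True)
class Factor:
    kind: str
    # Assumed model for RM-1.5.8: the one thing an attacker must breach to
    # defeat this factor. Factors sharing a domain fall together.
    compromise_domain: str
    registered: bool = True    # only meaningful for trusted_device

def evaluate(factors):
    """Return (accepted, reason) for the factors presented in one login."""
    independent = {}           # compromise_domain -> first factor seen in it
    for f in factors:
        if f.kind not in CATEGORY:
            return False, f"unknown factor: {f.kind}"
        if f.kind == "trusted_device" and not f.registered:
            continue           # an unregistered device is not 'possession'
        independent.setdefault(f.compromise_domain, f)
    categories = sorted({CATEGORY[f.kind] for f in independent.values()})
    if len(categories) < 2:
        return False, "only: " + (", ".join(categories) or "none")
    return True, " + ".join(categories)

# Constructed login attempts (not real data).
SAMPLES = {
    "password+pin": [Factor("password", "memory"), Factor("pin", "memory-pin")],
    "password+trusted_device": [Factor("password", "memory"),
                                Factor("trusted_device", "handset")],
    "password+unregistered_device": [
        Factor("password", "memory"),
        Factor("trusted_device", "handset", registered=False)],
    # Token seed unlocked solely by the same password: one breach defeats both.
    "password+dependent_token": [Factor("password", "account-password"),
                                 Factor("soft_token", "account-password")],
    "smart_card+fingerprint": [Factor("smart_card", "card"),
                               Factor("fingerprint", "body")],
}

def run_samples():
    return {name: evaluate(fs) for name, fs in SAMPLES.items()}
```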