RM-1.5 Operational Risk
RM-1.5.1
Licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.
October 2010
RM-1.5.2
Licensees must consider the impact of operational risks on their financial resources and solvency.
October 2010
RM-1.5.3
Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.
October 2010
RM-1.5.4
Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licensees cannot ignore the nature of risks to which they are exposed.
October 2010
Electronic Frauds
RM-1.5.5
Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.
Added: January 2021
RM-1.5.6
Licensees must have in place customer awareness communications, pre and post registration process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.
Added: January 2021
Secure Authentication
RM-1.5.7
Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform. Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:
(a) Knowledge (something only the user knows), such as pin or password;
(b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and
(c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.
Added: July 2023
RM-1.5.8
For the purpose of Paragraph RM-1.5.7, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.
Added: July 2023
RM-1.5.9
For the purposes of Subparagraph RM-1.5.7 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.
Added: July 2023