• OB-1 Risks, Systems and Controls

    • OB-1.1 Risks, Systems and Controls

      • Internal Controls

        • OB-1.1.1

          The Board of Directors or equivalent authority must take responsibility for the establishment and oversight of effective risk management and internal controls.

          Added: December 2018

        • OB-1.1.2

          Account information service providers (AISPs) and payment initiation service providers (PISPs) must use technology solutions which are capable of interfacing with software and systems used by licensees maintaining customer accounts with no material modifications to their systems.

          Added: December 2018

        • OB-1.1.3

          Consistent with Module PB: Principles of Business, Paragraph PB-1.1.10, AISPs and PISPs must establish adequate internal controls to safeguard the business, its customers and the licensees to which they have online access.

          Added: December 2018

        • OB-1.1.4

          The internal controls must include, but not be limited to, those relating to the following:

          (a) The development and or acquisition of the technology solutions to conduct the activity;
          (b) Testing of the solutions and application program interfaces;
          (c) Standards of communication and access and security of communication sessions;
          (d) Safe authentication of the users;
          (e) Processes and measures that protect customer data confidentiality and personalised security credentials consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018;
          (f) Tools and measures to prevent frauds and errors;
          (g) Security policy;
          (h) Information security testing including web applications testing, configuration reviews, penetration testing and smart device application testing;
          (i) Risk management controls;
          (j) Anti-money laundering (AML) and combating terrorist financing (CTF) controls;
          (k) Record keeping and audit trails; and
          (l) Operational and financial controls.
          Added: December 2018

      • Operational Risks

        • OB-1.1.5

          AISPs and PISPs must document the process by which they identify, prioritise and manage their operational risks.

          Added: December 2018

        • OB-1.1.6

          Operational risk in AISPs' and PISPs' activities includes the risk of loss of confidential customer data, financial loss or reputational loss resulting from inadequate or failed internal processes, people, technology and systems, or from external events, including the risks of internal and external fraud and cyber threats. In assessing potential operational risk, the following are some of the factors that may affect the licensee's risk exposure:

          (a) Lack of governance, board and management oversight;
          (b) Inadequate internal controls;
          (c) Insufficient transaction monitoring;
          (d) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
          (e) Failure or insufficient cyber and information security controls;
          (f) Failure of processes and procedures;
          (g) Internal and external fraud;
          (h) Legal risks;
          (i) Outsourcing risk;
          (j) Business continuity and disaster recovery; and
          (k) Reputational risks.
          Added: December 2018

        • OB-1.1.7

          AISPs and PISPs must establish comprehensive procedures for monitoring, handling and following up on security and fraud incidents and related customer complaints including but not limited to the following:

          a) organisational measures and tools for the prevention of such incidents;
          b) details of the individual(s) and bodies responsible for assisting customers in cases of the incidents and technical issues and/or claim management;
          c) reporting lines in cases of such incidents;
          d) the contact point for customers, including a name and email address;
          e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities; and
          f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security and fraud risks.
          Added: December 2018

        • OB-1.1.8

          AISPs and PISPs must maintain an up to date security policy document containing the following information:

          a) A detailed documentation of the technology architecture and of the systems and the network elements providing:
          i. a description of the business IT systems supporting the business activities;
          ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
          iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
          iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
          b) the logical security measures and mechanisms that govern the internal access to IT systems;
          c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
          d) the security of the account information and payment initiation processes, which should include:
          i. the customer authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
          ii. an explanation of how safe delivery of tokens to the legitimate customer is ensured; and
          iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
          Added: December 2018

        • OB-1.1.9

          AISPs and PISPs must ensure they have an up to date business continuity plan and arrangements consisting of the following information:

          a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
          b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
          c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
          d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
          Added: December 2018

        • OB-1.1.10

          AISPs and PISPs must appoint a third party specialist to conduct vulnerability assessments against cyber-attacks and penetration testing on the specific API security standards every 6 months. The specialist's report must be submitted to the CBB, along with the licensee's related action plan to resolve any issues identified. All relevant threat profiles referenced in the security standards including the risk of social engineering must be considered for the reviews.

          Added: December 2018

        • OB-1.1.11

          AISPs and PISPs must ensure that their overall systems and controls including but not limited to the business continuity, disaster recovery, information security testing, web-applications testing, smart device application testing, and cyber resilience are evaluated and independently tested by an external consultant:

          a) initially upon implementation of this Module;
          b) when there are any material changes to the systems and controls; and
          c) at least once every 3 years.
          Added: December 2018

        • OB-1.1.12

          A PISP must establish procedures to ensure:

          (a) that it will not store a customer's personalised security credentials, such as customer’s KYC and biometric information and that such data are:
          i. not accessible to other parties, with the exception of the issuer of the credentials; and
          ii. transmitted through safe and efficient channels;
          (b) that any other information about a customer is not provided to any person except a payee, and is provided to the payee only with the customer's explicit consent;
          (c) that each time a PISP initiates a payment order on behalf of its customer, the PISP identifies itself to the licensee with whom the customer maintains the account in a secure way;
          (d) [This Sub-paragraph was deleted in July 2021];
          (e) that it will not access, use or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer, however, it may store payment details initiated by the customer such as payment amounts, payment accounts, payment reference number, payment execution dates, time and payee’s IBAN number;
          (f) that it cannot and does not change the amount, the payee or any other feature of a transaction notified to it by the customer; and
          (g) that any data accessed and stored is encrypted in transit and at rest and must not be accessible to any unauthorised person within the licensee's organisation.
          Amended: July 2021
          Added: December 2018

        • OB-1.1.13

          An AISP must establish procedures to ensure:

          (a) it does not provide account information services without the customer's explicit consent;
          (b) that it will not store the customer's personalised security credentials such as customer’s KYC and biometric information and that such data are:
          i. not accessible to other parties, with the exception of the issuer of the credentials; and
          ii. transmitted through safe and efficient channels;
          (c) for each communication session, it communicates securely with the licensee and the customer in accordance with the regulatory requirements of this Module;
          (d) that it does not access any information other than information from designated accounts;
          (e) it will not access, use or store any information for any purpose except for the provision of the account information service explicitly requested by the customer;
          (f) that any data accessed and stored is encrypted in transit and at rest and must not be accessible to any unauthorised person within the licensee's organisation; and
          (g) that customer information accessed must not be stored in a form which permits identification of the customer once the customer's consent is withdrawn.
          Amended: July 2021
          Added: December 2018