Title
Outsourcing rules for E-Money issuers
Law
BSP Circular No. 704, S. 2010
Decision Date
Dec 22, 2010
The Bangko Sentral ng Pilipinas establishes guidelines for Electronic Money Issuers to outsource services to Electronic Money Network Service Providers, ensuring compliance with operational standards, risk management, and consumer protection in the delivery of financial services to underserved populations.

Policy, purpose, and risk basis

  • BSP aims to achieve a truly inclusive financial system (Section 1).
  • BSP recognizes electronic money (E-money) as an instrument to facilitate delivery of financial services affordably to the low-income, unbanked or underserved segments, especially in non-urbanized areas (Section 1).
  • BSP recognizes that EMI business models may require outsourcing arrangements due to specialized operational and technological requirements (Section 1).
  • BSP recognizes that outsourcing introduces operational and reputational risks that must be properly managed (Section 1).
  • BSP issues the Circular to govern outsourcing of E-money related services (Section 1).

Core definitions and covered network

  • An Electronic Money Network Service Provider (EMNSP) is a non-financial institution that provides automated systems and network infrastructure, including a network of accredited agents using those systems (Section 2).
  • An EMNSP enables an EMI’s clients to convert cash to E-money and monetize E-money (Section 2).
  • An EMNSP enables clients to transfer funds from one electronic wallet to another (Section 2).
  • An EMNSP enables clients to use E-money as a means of payment for goods and services (Section 2).
  • An EMNSP also enables other similar and/or related E-money activities/transactions (Section 2).

Who may outsource and required submission

  • An Electronic Money Issuer (EMI) intending to outsource services contemplated under Section 2 must limit the outsource entity to an EMNSP (Section 3).
  • The EMI must follow the outsourcing procedures for information technology systems/processes under Subsection X162.2 (formerly X169.2) of the Manual of Regulations for Banks (MORB) (Section 3).
  • In addition to documentary requirements under Subsection X162.2 of the MORB, an EMI must submit a certification signed by its President or an officer of equivalent rank and function (Section 3).
  • The certification must certify that due diligence review was conducted and that the selected EMNSP met the minimum requirements under Section 5 (Section 3).

EMI duties when outsourcing services

  • An EMI must conduct due diligence review on the EMNSP in accordance with Section 5 (Section 4).
  • An EMI must ensure the relationship is supported by a written contract containing, at a minimum, the requirements under Subsection X162.2 of the MORB (Section 4).
  • The contract must require the EMNSP to allow the BSP to access and examine the following, for purposes of assessing confidentiality, integrity, and reliability and determining compliance with BSP rules and regulations (Section 4):
    • the E-money system,
    • network infrastructure,
    • the operation of the network of accredited agents, and
    • all operations related to E-money services outsourced by the EMI.
  • The contract must require that the EMNSP shall not further outsource or subcontract the activity being outsourced to the EMNSP (Section 4).
  • The contract must limit EMNSP interconnection with other networks to networks of other EMNSPs and BSP-recognized ATM consortia (Section 4).
  • An EMI must ensure the EMNSP performs outsourced activities with a high degree of professional care, as if performed by the EMI itself (Section 4).
  • An EMI must ensure the EMNSP uses monitoring and control procedures to ensure compliance at all times with applicable BSP rules and regulations (Section 4).
  • An EMI must ensure the EMNSP has an accreditation process for the selection of agents for retail network conversion and monetization of cash to E-money (Section 4).
  • An EMI must ensure the EMNSP has mechanisms to manage sufficient liquidity in its system/network (Section 4).
  • An EMI must ensure the EMNSP enforces a program requiring all cash-in and cash-out agents to undergo AML training and re-training every two (2) years (Section 4).
  • An EMI must comply with all laws and BSP rules on the outsourced activities, especially on compliance with anti-money laundering (AML) requirements (Section 4).

Due diligence and continuing operational review

  • Prior to entering an outsourcing arrangement, an EMI should conduct appropriate due diligence review of the EMNSP’s capability to perform the outsourced service (Section 5).
  • Due diligence must consider both qualitative and quantitative factors, including:
    • the EMNSP’s financial condition and results of operation for the previous year/s,
    • risk management practices,
    • technical expertise, including monitoring the velocity of e-money transactions and aggregation of monthly limits,
    • market share,
    • reputation of the company and its stockholders,
    • compliance with anti-money laundering requirements and BSP rules and regulations (Section 5).
  • An EMI must ensure the EMNSP adheres to international standards on IT governance, information security, and business continuity in performing outsourced activities (Section 5).
  • An EMI should endeavor to obtain independent reviews and market feedback to supplement its findings (Section 5).
  • An EMI must conduct operational review of the EMNSP at least on an annual basis as part of risk management (Section 5).
  • Operational review must be documented as part of the EMI’s monitoring and control process (Section 5).

Responsibility delineation and customer accountability

  • The EMI and EMNSP must identify, delineate, and document the responsibilities and accountabilities of each party regarding the outsourcing arrangement, including contingency planning (Section 6).
  • Even if the EMI and EMNSP contractually agree on sharing of responsibility, the EMI remains responsible to its customers, without prejudice to further recourse the EMI may have against the EMNSP (Section 6).

Confidentiality, security, and business continuity

  • An EMI must regularly review and monitor the EMNSP’s security practices and control processes (Section 7).
  • An EMI must commission or obtain periodic expert reports on the adequacy of security to maintain the confidentiality and integrity of data and compliance with internationally-recognized standards (Section 7).
  • When an EMNSP serves more than one EMI, an EMI must ensure records pertaining to its transactions are segregated from those of other EMIs (Section 7).
  • The EMI and EMNSP must identify the circumstances under which each party has the right to change security requirements (Section 7).
  • An EMNSP must report immediately any security breaches to the EMI (Section 7).
  • An EMNSP must have documented business continuity plans that are periodically reviewed and tested, with no significant test findings (Section 7).
  • An EMNSP must provide the EMI with timely and adequate notification of any adverse development that may impact the EMNSP’s performance and delivery of service to the EMI (Section 7).

EMI-Others becoming EMNSPs

  • An EMI-Others intending to become an EMNSP due to specialized technical expertise must comply with the EMNSP requirements under the Circular (Section 8).
  • An EMI-Others must undertake risk-mitigating measures to ensure liquidity corresponding to the outstanding balance of E-money issued by the EMI-Others and maintained pursuant to Circular No. 649 is insulated from risks arising from its liabilities as an EMNSP (Section 8).
  • Risk-mitigating measures may include ringfencing the liquid assets through an escrow or trust account in a financial institution acceptable to BSP (Section 8).

Sanctions for outsourcing violations

  • Violations by EMIs involving outsourcing of activities to EMNSPs are subject to monetary penalties graduated under Circular No. 496 and/or other non-monetary sanctions under Section 37 of Republic Act No. 7653 (Section 9).

Transitory authority and compliance timeline

  • EMIs granted authority to outsource E-money activities to an EMNSP may continue exercising that authority (Section 10).
  • Continued authority is subject to conformity with the Circular’s provisions within six (6) months from the Circular’s effectivity (Section 10).
