Published for Public Comments: Directives for Payment Companies Regarding Corporate Governance, Compliance and Risk Management, and Regarding Outsourcing
24 April 2024
Dear Clients and Friends,
We would like to bring to your attention that on April 18, 2024, the Israeli Securities Authority (the “Authority”) published for public comments two drafts:
- A draft directive for payment companies regarding corporate governance, compliance, and risk management, aimed at establishing guidelines and principles that will enable a payment company to manage its risks in a proportionate manner that corresponds to the nature, scope, and complexity of its activities (the “Corporate Governance Draft”).
- A draft directive for payment companies regarding outsourcing, which aims to ensure that the use of outsourcing providers by payment companies, particularly when the use of outsourcing is for a significant process, service, or activity, is subject to mechanisms that ensure that aspects of responsibility and control shall remain with the payment companies, to enable effective oversight on outsourcing (the “Outsourcing Draft”).
The Corporate Governance Draft:
The proposed provisions regarding corporate governance, compliance, and risk management, based on the principles of the European directives: PSD2 and EMD (the “European Regulation”), are intended to ensure the proper management of license holders and the protection of customer interests, alongside the establishment of guidelines and principles to ensure a minimum and uniform level of corporate governance, compliance, and risk management. Regarding compliance obligations, due to the lack of a detailed regulatory framework by the EBA or the FCA regarding payment companies, the provisions on this subject are mainly based on parallel regulatory provisions in Israel – Proper Conduct of Banking Business Directives by the Bank of Israel and the TASE Companies Rules and Regulations – TASE member’s guide.
The draft’s chapters detail and address, among other things, the following topics:
- Chapter A – Definitions: placing an emphasis on risk, the Corporate Governance Draft defines, among other things, the terms “Risk Management Framework”; “Risk Map”; “Risk Management”; “Risks”; and “Risk Appetite”.
- Chapter B – Corporate Governance – General: the chapter states that a payment company shall maintain corporate governance arrangements that are suitable for its various characteristics in order to protect its customers and ensure the reliability of the payment services.
- Chapter C – Compliance:
  - Section A – The Board of Directors: the board of directors shall be responsible for supervising the company’s compliance with the applicable compliance regulations.
  - Section B – Compliance Policy: the payment company shall develop a compliance policy which includes, at the very least, topics such as: the authority and responsibilities of the compliance officer; the tools and means, including work procedures, that will support compliance with compliance regulations; reporting mechanisms to be made available to the compliance officer; actions to be taken against employees who violate compliance regulations; and the format and frequency of reports to be submitted to the CEO and the board of directors.
  - Section C – Compliance Officer: the CEO of the payment company shall appoint a compliance officer that reports directly to him. The compliance officer shall not hold an additional position that may conflict with his role as compliance officer. In addition, the compliance officer shall have the authority and resources to fulfill his role effectively, and the ability to always access the payment company’s units, departments and offices. The board of directors shall be responsible for deciding whether to transfer the compliance officer from his position.
  - Section D – Compliance Officer’s Work Plan: the compliance officer shall operate according to an annual work plan approved by the board of directors, detailing his planned activities.
- Chapter D – Risk Management:
  - Section A – General: the payment company shall ensure that the range of risks inherent in its provision of payment services is managed and monitored continuously, according to its characteristics.
  - Section B – The Board of Directors: in the context of risk management, the board of directors shall be responsible for the risk management framework (its review and approval); the formulation of risk management policy and supervision; receipt of reports from the risk management officer and approval of the risk map, as well as the approval of new and significant services and products.
  - Section C – Risk Management Framework: the CEO shall develop and implement a risk management framework to be approved by the board of directors.
  - Section D – Risk Management Officer: the CEO shall appoint a risk management officer that reports directly to him, who shall be independent and separate from the business activities of the payment company.
- Chapter E – Extreme Scenario Testing: a payment company shall conduct at least once a year an extreme scenario test in order to examine its exposure to a variety of extreme events that may affect the company’s operations and its customers, as well as macroeconomic aspects such as the impact of exchange rate fluctuations. Extreme scenario tests shall be tailored to the characteristics of the payment company.
- Chapter F – Payment Service Suspension Plan: the payment company shall develop a payment suspension plan that will examine how its operations will be suspended or reduced under various scenarios and how liquidity risks and operational risks will be managed in such cases. The payment suspension plan shall be tailored to the characteristics of the payment company, which shall examine its suspension plan at least once a year. A payment company that uses outsourcing providers, including when it is a part of a group, shall ensure that its payment suspension plan refers, among other things, to how it will manage liquidity risks and operational risks in a variety of insolvency scenarios.
The Outsourcing Draft:
The Outsourcing Draft is based on the core principles of the European Regulation, with some reduction in the actions that can be outsourced, alongside a reduction in the scope of the clauses required in an outsourcing agreement and the extent of detail regarding the documentation of outsourcing arrangements, whilst considering the parallel regulation in Israel. The purpose of the Outsourcing Draft is to ensure that the use of outsourcing providers by payment companies, especially when the use of outsourcing is for a process, service, or activity (“Function”) that is significant, is subject to mechanisms that ensure that the responsibility and control remain with the payment company for effective supervision of outsourcing activities.
The chapters of the draft specify and address, among other things, the following topics:
- Chapter A – Definitions.
- Chapter B – The Board of Directors: The board of directors bears overall responsibility regarding outsourcing activities in the payment company.
- Chapter C – Outsourcing Policy: The payment company shall develop a written outsourcing policy that defines principles, responsibilities, and procedures regarding outsourcing. The policy shall include the involvement of control bodies in outsourcing arrangements; risk assessment management; a due diligence of relevant outsourcing providers; business continuity planning; implementation of control and management of outsourcing arrangements; and exit strategies to ensure that the payment company can withdraw from outsourcing arrangements without significant impact on its business activities and compliance with different law provisions.
- Chapter D – Restrictions on Function Outsourcing: The payment company shall engage in actual payment service activities in a manner that ensures compliance with compliance directives and maintains the ability to supervise significant outsourcing functions. The payment company is fully responsible for any actions of its employees, agents, or any entity performing outsourcing activities on its behalf. Additionally, the payment company shall not outsource the roles of the board of directors and senior management, specifically: determining strategy and policy; determining the company’s risk appetite; performing control and oversight of outsourcing; opening or closing customer accounts; and any decision related to providing interest to customers or providing credit alongside a payment transaction.
- Chapter E – Preliminary Examinations for Entering into Outsourcing Arrangements: Before entering into an outsourcing arrangement, payment companies shall meet several obligations: conduct due diligence on the outsourcing provider; ensure that compliance with the directives will not be compromised, and that risks related to outsourcing are managed and minimized in accordance with the Corporate Governance Draft; ensure the outsourcing provider’s ability to maintain information security and privacy protection; and evaluate whether the outsourcing arrangement may lead the outsourcing provider to perform activities under conflict of interest.
- Chapter F – Evaluation of Outsourcing Risks: Before entering an outsourcing arrangement, a payment company shall examine the impact of, and potential risks associated with, outsourcing on the payment company. In this regard, a payment company must consider, among other things, operational risks, information technology risks, legal risks, compliance and integrity risks, supervision restrictions of the payment company related to countries from which the outsourcing service is provided, and the location where the information is stored or may be stored, as well as other additional risk aspects.
- Chapter G – Contracting with Outsourcing Providers: a payment company wishing to receive services from an outsourcing provider must contract with it in writing, clearly specifying the rights and obligations of the payment company and the outsourcing provider. When it comes to an agreement on outsourcing a significant Function, the payment company should consider including several additional topics.
- Chapter H – Business Continuity Plan: The payment company must ensure that its business continuity plan also relates to significant Functions in outsourcing. In addition, it should consider the possibility of a major impact on the quality of the significant Function provided by the outsourcing provider, as well as the potential impact of default or any other impairment of the outsourcing provider’s ability to operate as required.
Comments on the Corporate Governance Draft and the Outsourcing Draft can be submitted until May 19, 2024.
Our office has extensive expertise and many years of experience in the field of financial services in all its aspects. We accompany and monitor all regulatory developments in this field, assisting and advising leading financial institutions in Israel and worldwide.
We would be happy to assist you with any issue in these areas, including regarding the above publications and with providing comments on them, as well as any question or clarification.