Published for Public Comments: Rules for License Applications and a Directive Regarding Technological Means and Information Security
4 March 2024
Dear Clients and Friends,
We would like to bring to your attention that on February 26, 2024, the Israeli Securities Authority (the “Authority”) published for public comments a draft “Licensing Rules for Payment Services or Basic Initiation Services, 2024”, which proposes rules to determine the details and documents that an entity applying for a payment services license or a payment initiation license must submit to the Authority (the “Draft Licensing Rules”), in accordance with the Authority’s powers under the Regulation of Payment and Payment Initiation Services Law, 2023 (the “Law”).
In addition, the Authority published for public comments a draft directive for holders of a license or an approval for payment services or basic initiation services, regarding technological means and information security, which aims to regulate the requirements that license holders or approval holders (the “Licensees”) must comply with regarding technological means, information security, cyber protection, and business continuity (the “Draft Directive”).
The proposed Draft Licensing Rules and Draft Directive are based on the Law’s requirements and the regulations issued thereunder, as well as on equivalent European and British regulations.
The Draft Licensing Rules:
The proposed rules apply to applicants for a payment services license, including payment account management services, issuance of payment instruments, processing of payment transactions or advanced initiation services, as well as to applicants for basic initiation licenses. However, certain provisions in the proposed rules stipulate different requirements depending on the type of license or type of payment service, due to the different characteristics of the various types of services for which a license is sought and the different risks that may arise from them.
According to the Draft Licensing Rules, an applicant for a payment services license or an initiation license must include in the application details regarding the applicant; type of license and type of service; credibility of the applicant, its controlling shareholders, its senior officers, or its controlling shareholder’s senior officers; organizational structure; technological means; business continuity (required for payment services only); business plan; existence of financial means (required for payment services only); equity; professional liability insurance or deposit (required for basic and advanced initiation services only); customer fund safeguarding (required for payment services except for advanced initiation); corporate governance and internal control mechanisms; declaration regarding compliance with the specified conditions; request of a foreign service provider; signatures of authorized signatories on the application; and obligation to report changes in the application details.
The Draft Licensing Rules also address a foreign service provider that wishes to seek an exemption from one of the requirements specified in Section 21 of the Law. Such a provider shall submit an application in which it will detail:
- Which foreign law regulates its provision of payment services or basic initiation services.
- What license or foreign registration it holds.
- Who the foreign regulator that supervises it is.
- Which license requirements it seeks an exemption from.
- The applicable regulations and supervisory authorities the foreign regulator has that sufficiently address the matters regulated in the provisions it seeks an exemption from.
- Authorizations and approvals from the foreign regulator regarding the license or registration it holds.
The Draft Directive:
The purpose of the Draft Directive is to regulate the requirements that will apply to Licensees regarding technological means, information security, cyber protection, and business continuity. The Draft Directive establishes a model with three control cycles aimed at ensuring the implementation of the objectives of this draft, including reducing information technology and information security risks (“Information Technology Risks”), including cyberattacks, on the Licensees.
The first control cycle includes the roles in the company dealing with information technology who are entrusted with the systems, processes, and information security activities (such as information technology and operations units); the second control cycle includes the officer responsible for information security and cyber protection; and the third control cycle includes the auditor whom the Licensee must contact for the purpose of conducting an independent audit regarding the implementation of this draft’s requirements by the Licensee. In addition to the above cycles, the board of directors of the Licensee is responsible for Information Technology Risks and is required to approve and supervise the implementation of this draft’s requirements by the Licensee.
The Draft Directive’s chapters address the following topics:
- Chapter A – Definitions.
- Chapter B – Corporate governance and the requirement for distribution of responsibility within the Licensee regarding Information Technology Risks.
- Chapter C – The Licensee’s obligation to develop an information technology strategy.
- Chapter D – The Licensee’s obligation to manage and reduce Information Technology Risks through an independent information security officer. In addition, the Licensee is required to maintain an up-to-date mapping of business processes and their classification based on confidentiality, reliability, and availability of information. Therefore, the Licensee must assess the operational risks related to Information Technology Risks.
- Chapter E – Requirements regarding the security of information held in information technology systems, including requirements for implementing effective information security measures; preparation and implementation of an information security policy; integration and verification of information security measures; and preparation of training programs for all employees of the Licensee and third parties.
- Chapter F – Establishing general principles for managing information technology operations.
- Chapter G – Requirements regarding managing changes in information technology, including developing and acquiring information systems.
- Chapter H – Requirements regarding managing business continuity and developing a response and recovery plan so that the Licensee will have effective communication means during a crisis.
- Chapter I – Requirements regarding managing the relationship between the Licensee and customers, including requirements to allow the customer to disable specific payment functions and to offer customers who are interested in it the option of receiving notifications about attempted payment transactions or failed attempts to initiate payment transactions, as well as providing support regarding information security and privacy questions.
- Chapter J – Requirements for compliance with the Privacy Protection Law and regulations thereunder, which will apply to Licensees, and stipulating that communication between a Licensee and a body containing sensitive information must be conducted using a standard protocol and encrypted traffic according to the latest technology available in the market.
Comments on the Draft Licensing Rules and the Draft Directive can be submitted until March 31, 2024.
Our office has extensive expertise and many years of experience in the field of financial services in all its aspects. We accompany and monitor all regulatory developments in this field, assisting and advising leading financial institutions in Israel and worldwide.
We would be happy to assist you with any issue in these areas, including regarding the above publications and with providing comments on them, as well as any question or clarification.