Chapter 2 Design and Implementation of Internal Control System
A specialized electronic payment institution shall establish an internal audit system, self-inspection system, regulatory compliance system, and risk management mechanism to maintain the effective and proper operation of its internal control system.
The internal control system of a specialized electronic payment institution shall contain the following components:
1. Control environment: The control environment is the basis for the design and implementation of the internal control system of a specialized electronic payment institution. The control environment encompasses the integrity and ethical values of the institution, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of code of conduct for directors and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of a specialized electronic payment institution, and with the suitability of the objectives for the institution taken into consideration. The management shall consider the impact of possible changes in the external environment and within its own business model, and likely fraud scenarios that may occur. The risk assessment results may be used to assist the institution in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities: Control activities are the actions of adopting appropriate policies and procedures by a specialized electronic payment institution based on its risk assessment results to limit relevant risks within an acceptable range. Control activities shall be performed at all levels of the institution, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries, appropriate delegation of responsibilities and not assigning conflicting responsibilities to management and employees.
4. Information and communication: Information and communication means that a specialized electronic payment institution gathers, generates, and uses relevant and quality information from both internal and external sources to support the ongoing functioning of other components of internal control, and ensure effective communication within the organization and between the institution and external parties. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, provide information to those who need it in a timely manner, and ensure the retention of complete financial, operational and compliance information. An effective internal control system shall have effective communication channels in place.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by a specialized electronic payment institution to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the institution. Separate evaluations are evaluations of other personnel conducted by internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.
The minimum requirement for the directors' code of conduct specified in Subparagraph 1 of the preceding paragraph shall stipulate that, when the specialized electronic payment institution is found to face foreseeable material damage, the directors must not only take adequate action promptly, but also notify the audit committee or independent directors or supervisors, and the board, and instruct the institution to report to the competent authority.
The internal control system shall cover all business activities, including the following appropriate policies and procedures, and shall be reviewed and revised in a timely manner:
1. Organizational rules and processes, or management rules, including a clear organizational system, functions of various units, scope of operations for each unit, and well-defined measures for authorizations and hierarchical delegation of responsibilities.
2. Related business rules and procedural manuals, including:
(1) Management of data confidentiality of users and contracted institutions.
(2) Management of the adoption of the International Financial Reporting Standards (IFRSs), workflow of preparing accounting and financial statements, and management of general affairs, information, and personnel affairs.
(3) Management of operations for disclosing information externally.
(4) Management of financial examination reports.
(5) Management of protection of financial consumers.
(6) Management of outsourcing operations.
(7) Management of identity verification for users and contracted institutions.
(8) Management of the businesses of collecting and making payments for real transactions as an agent, accepting deposits of funds as stored value funds, and domestic and foreign small-amount remittances.
(9) Management of information system and security management operations.
(10) Management of delineation of responsibilities between information unit and information system user units.
(11) Mechanisms for dealing with material contingencies.
(12) Mechanisms and compliance framework for anti-money laundering and countering the financing of terrorism (AML/CFT), including mechanisms for identifying, measuring, and monitoring risks associated with money laundering and the financing of terrorism.
(13) Other business rules and operating procedures.
Where a specialized electronic payment institution has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
Where necessary, the compliance, internal audit, risk management units and other relevant units of a specialized electronic payment institution shall participate in the establishment, revision or cancellation of operational and management rules mentioned in Paragraph 1 hereof.