Bank Negara issues Exposure Draft of Policy Document on Currency Processing Business

The Currency Act 2020 (“the Act”), which provides, inter alia, for the management of currency of Malaysia, the regulation of currency processing business and currency processing activities, came into operation on 1 October 2020. Thereafter, the Currency Registration Requirements Order 2021 [P.U.(A) 127/2021] (“CRR Order”), which, inter alia, sets out the requirements for the registration of “currency processing business”1, was gazetted and came into operation on 24 March 2021.
 
Our previous articles / alerts on the Act and the CRR Order, in particular, the currency processing business aspects thereof, can be accessed here, here, here and here.
 
On 17 January 2024, Bank Negara Malaysia (“BNM”) issued an exposure draft of the Policy Document on Currency Processing Business (“Exposure Draft”) seeking feedback on the proposals set out therein.
 
When the Policy Document arising from the Exposure Draft is issued (“Policy Document”), it will apply to persons registered under section 26(1) of the Act to carry on currency processing business (individually an “RCP” and collectively “RCPs”).
 
The Exposure Draft sets out the proposed standards and guidelines to be observed by RCPs in order to ensure prudent practice, professionalism, integrity, accountability and transparency of currency processing business.
 
The key areas covered by the Exposure Draft are:
  • governance;
  • operational requirements;
  • internal control; and
  • information technology (IT) requirements.

Part B - Registration Requirements
 
An RCP is required to continuously comply with the CRR Order (as amended from time to time) when carrying on its currency processing business.2
 
Part C - Governance
 
The Exposure Draft sets out the responsibilities of the RCP and the board and senior management of an RCP.
 
The RCP
 
An RCP is required to establish appropriate governance arrangements which are effective and transparent to ensure continued integrity of its business. These include: (a) ensuring the board and senior management consist of people with calibre, credibility and integrity3; (b) clearly defining and documenting organisational arrangements, such as ownership and management structure4; and (c) segregating duties and control function5 to reduce potential mismanagement and fraud6.
 
The board
 
The responsibilities of the board of an RCP include, among others, setting out the mandate, responsibilities and procedures of the board and its committees (if any), including the matters reserved for the board’s decision.7
 
The board of an RCP is to have overall responsibility for promoting sustainable business growth and financial soundness of the RCP and preventing mismanagement, fraud and abuse of the RCP for illegal purposes.8 In fulfilling this role, the board shall: (a) approve the risk appetite, business plans, and other initiatives which would, individually or collectively, have a material impact on the RCP’s risk profile9; (b) oversee the selection, appointment and performance of senior management in achieving the business objectives set by the board and in meeting the legal and fiduciary duties of the RCP10; (c) ensure that an effective oversight and risk management mechanism is put in place and is periodically reviewed for continued effectiveness11; and (d) oversee the management of the RCP’s control function12.
 
An RCP and its board must comply with the requirements set out in the Exposure Draft relating to board appointments, board composition and board meetings.13
 
Senior management
 
An RCP shall only appoint as its senior management, a person who has been assessed to have complied with the fit and proper criteria requirements specified in paragraph 11.1 of the Exposure Draft.14
 
The senior management primarily responsible for managing the day-to-day business operations of the RCP must ensure that the operation of the RCP is carried out ethically and professionally with integrity.15
 
The senior management shall: (a) consist of individuals with the appropriate skill set and experience to adequately support the RCP’s business16; and (b) ensure adequate allocation of resources as well as appropriately skilled and competent staff to support all critical functions17.
 
Fit and proper
 
An RCP shall: (a) assess and ensure that its directors and senior management are persons that fulfil the criteria as stipulated in the CRR Order18; and (b) notify BNM in writing together with the assessment made on any new appointment of directors or senior management within 14 days of such appointment, or existing appointment of its directors or senior management within 14 days from the effective date of the Policy Document19.
 
Part D - Operational Requirements
 
Opening and closing of cash processing centre
 
In relation to the opening of its cash processing centre (“CPC”), an RCP must: (a) ensure that the premises is in compliance with the requirement outlined in the CRR Order20; and (b) provide BNM with the information prescribed in paragraph 12.1(b) of the Exposure Draft within 30 days together with attestation that the newly opened premises complies with the relevant requirements in the CRR Order21.
 
An RCP shall establish appropriate plans for the closing of its CPC and orderly exit, including its communication strategy with other relevant stakeholders, such as the RCP’s customers and local authorities, to mitigate any unintended consequences.22 It shall also notify BNM in writing and consult with BNM for such closure of CPC together with information as required in the Appendix of the Exposure Draft.23
 
Outsourcing arrangement
 
An RCP shall remain responsible and accountable for any services performed by an outsourced service provider (“OSP”).24
 
The responsibilities of an RCP in relation to an outsourcing arrangement are set out in paragraphs 13.2 to 13.7 of the Exposure Draft. Among others, they include: (a) ensuring availability of sufficient expertise within the RCP to oversee and manage the outsourcing relationship25; (b) ensuring the scope and nature of services and operations to be outsourced would not compromise the controls and risk management of the RCP26; (c) conducting appropriate due diligence of the OSP when considering new outsourcing arrangements or renewing or renegotiating existing outsourcing arrangements with the OSP27; and (d) exercising effective oversight on the OSP28.
 
Part E - Risk Management and Internal Control
 
Risk management framework
 
An RCP shall establish a risk management framework taking into account its size, scope and complexity of business to facilitate identification, measurement and continuous monitoring of all relevant and material risks.29 In doing so, the RCP must: (a) align the framework with its risk appetite30; (b) clearly assign responsibilities and accountabilities for risk decisions31; and (c) ensure the framework facilitates efficient decision making in crises32.
 
An RCP must also: (a) periodically review the framework for continued effectiveness and ensure that it is supported by a robust management information system that facilitates the timely and reliable monitoring and reporting of risks33; and (b) establish risk monitoring and reporting requirements, which include periodic reporting to the board and senior management on the assessment of material risks affecting the RCP, to ensure risks are managed and mitigated in a timely manner. The reports must be readily available to the internal audit function of the RCP and BNM.34
 
An RCP is required to effectively manage and control all material risks associated with the conduct of currency processing business, taking into account the size, scope and complexity of its business activities.35
 
In addition, an RCP is required to establish appropriate and properly documented processes, systems and controls that are approved by the board to manage risks in its business, which are reviewed by the key responsible persons and the board regularly to ensure its effectiveness.36
 
Internal control
 
In relation to internal controls, an RCP is required, among others, to: (a) put in place appropriate processes, systems and controls37; (b) maintain detailed business records to provide a comprehensive view of its operations and financial standing38; (c) put in place proper segregation of duties and functions for critical operations to prevent the likelihood of mismanagement and avoid conflicts of interest39; (d) establish a control function that complies with prescribed requirements40; and (e) implement an effective business continuity management (BCM) framework within the RCP41.
 
Fraud risk management
 
An RCP is required to put in place an effective mechanism, process and procedures on mitigation of fraud risk, fraud prevention, fraud detection and fraud monitoring which include, but are not limited to, the requirements prescribed in paragraphs 16.1(a) to 16.1(d) of the Exposure Draft.42
 
Part F - Information Technology Requirements
 
Technology risk management
 
An RCP is required to establish a Technology Risk Management Framework (“TRMF”) to safeguard the RCP’s information infrastructure, systems and data. The TRMF is to be an integral part of the RCP’s risk management framework in relation to its currency processing business.43
 
Technology operations management
 
The following are some of the technology operations management requirements imposed on an RCP under the Exposure Draft: (a) ensure proper management of data centres44; (b) ensure its network infrastructure is designed to be resilient, secure and scalable proportionate to the RCP’s business risk and model45; (c) ensure network services supporting critical systems are designed and implemented to ensure the confidentiality, integrity and availability of data46; (d) implement appropriate access controls policy for identification, authentication and authorisation of users (internal and external users such as OSP)47; and (e) implement appropriate physical access control to the RCP’s IT equipment (e.g. physical access controls to its servers, firewalls, routers and switches) which include identification, authentication and authorisation of the user (internal and external users) accessing the IT equipment48.
 
Technology Service Provider Management
 
An RCP that subscribes to services offered by an OSP shall establish the following controls to safeguard itself in the service level agreement (“SLA”): (a) clearly define roles and responsibilities between the RCP and the OSP; (b) arrangements for disaster recovery and backup capabilities, where applicable; (c) written undertaking by the OSP on compliance with secrecy provisions under relevant legislation including survival of confidentiality provisions in the SLA after the engagement has ended; (d) clearly affirm the RCP’s ownership of its data stored on the OSP’s system; and (e) arrangements to secure business continuity in the event of exit or termination of the OSP.49
 
Patch and End-of-Life System Management
 
An RCP shall ensure that critical systems are not running on outdated systems with known security vulnerabilities or end-of-life (“EOL”) technology systems. In this regard, the RCP must clearly assign responsibilities to identified functions to: (a) continuously monitor and implement the latest patch releases in a timely manner; and (b) identify critical technology systems that are approaching EOL for further remedial action.50
 
Part G - Other Requirements
 
Changes to business model
 
An RCP is required to notify BNM in writing of any proposed changes to its business or operating model which are significant or change the risk profile of its business. If BNM considers that the proposed change to the business model will cause risk to the quality and integrity of currency, it may require the RCP to implement risk mitigating measures before implementing such change.51
 
Information and data submission
 
An RCP shall submit the following to BNM: (a) its annual audited financial statements not later than three months after its financial year end; (b) statistical report on the operation of its business on a monthly basis; and (c) any other information as required by BNM.52
 
Effective date
 
The Policy Document is intended to come into effect in two stages. Part A (Overview), Part B (Registration Requirements), Part D (Operational Requirements), Part E (Risk Management and Internal Control) and Part G (Other Requirements) will come into effect first whilst Part C (Governance) and Part F (Information Technology (IT) Requirements) are to come into effect at a later stage.53
 
Deadline for comments
 
The deadline for submission of responses to BNM on the Exposure Draft is 15 March 2024.
 
Article by Lee Ai Hsian (Partner) and Javene Fan (Associate) of the Banking and Finance Practice of Skrine.
 

1 The expression “currency processing business” means the business of: (a) collecting currency note or currency coin; (b) sorting currency note or currency coin by authenticity and quality; and (c) packing currency note or currency coin by quality, quantity and denomination.
2 Paragraph 7.1 of the Exposure Draft.
3 Paragraph 8.1(a) of the Exposure Draft.
4 Paragraph 8.1(b) of the Exposure Draft.
5 The expression “control function” refers to a function that has a responsibility independent from business lines to provide objective assessments, reporting and assurance on the effectiveness of policies and operations, and its compliance with legal and regulatory obligations. This includes the risk management function, the compliance function and the internal audit function or equivalent functions, by whatever name called.
6 Paragraph 8.1(c) of the Exposure Draft.
7 Paragraph 9.1 of the Exposure Draft.
8 Paragraph 9.2 of the Exposure Draft.
9 Paragraph 9.2(a) of the Exposure Draft.
10 Paragraph 9.2(b) of the Exposure Draft. Refer to sub-paragraphs (i) to (iii) of paragraph 9.2(b) for further details.
11 Paragraph 9.2(c) of the Exposure Draft. Refer to sub-paragraphs (i) to (v) of paragraph 9.2(c) for further details.
12 Paragraph 9.2(d) of the Exposure Draft. Refer to sub-paragraphs (i) to (iv) of paragraph 9.2(d) for further details.
13 Paragraphs 9.3 to 9.10 of the Exposure Draft.
14 Paragraph 10.1 of the Exposure Draft.
15 Paragraph 10.3 of the Exposure Draft. Refer to paragraphs 10.3(a) to 10.3(d) for further details.
16 Paragraph 10.4 of the Exposure Draft.
17 Paragraph 10.5 of the Exposure Draft.
18 Paragraph 11.1 of the Exposure Draft and paragraph 6 of the Schedule to the CRR Order.
19 Paragraph 11.2 of the Exposure Draft.
20 Paragraph 12.1(a) of the Exposure Draft.
21 Paragraph 12.1(b) of the Exposure Draft. Refer also to paragraphs 3 and 4 of the CRR Order.
22 Paragraph 12.2 of the Exposure Draft.
23 Paragraph 12.3 of the Exposure Draft.
24 Paragraph 13.1 of the Exposure Draft.
25 Paragraph 13.2(b) of the Exposure Draft.
26 Paragraph 13.2(c) of the Exposure Draft. Refer to sub-paragraphs (i) to (iv) of paragraph 13.2(c) for further details.
27 Paragraph 13.3 of the Exposure Draft.
28 Paragraph 13.6 of the Exposure Draft. Refer to paragraphs 13.7(a) to 13.7(e) for further details.
29 Paragraph 14.1 of the Exposure Draft.
30 Paragraph 14.2(a) of the Exposure Draft.
31 Paragraph 14.2(b) of the Exposure Draft.
32 Paragraph 14.2(c) of the Exposure Draft.
33 Paragraph 14.3 of the Exposure Draft.
34 Paragraph 14.4 of the Exposure Draft.
35 Paragraph 14.5 of the Exposure Draft. Refer to paragraph 14.7 for examples of specific risks associated with conduct of currency processing business.
36 Paragraph 14.6 of the Exposure Draft.
37 Paragraph 15.1.1 of the Exposure Draft. Refer to sub-paragraphs (a) to (d) of paragraph 15.1.1 for further details.
38 Refer to paragraphs 15.2.1 to 15.2.4 of the Exposure Draft for details.
39 Refer to paragraphs 15.3.1 and 15.3.2 of the Exposure Draft for details.
40 Refer to paragraphs 15.4.1 and 15.4.2 of the Exposure Draft for details.
41 Refer to paragraphs 15.5.1 to 15.5.8 of the Exposure Draft for details.
42 Paragraph 16.1 of the Exposure Draft.
43 Paragraph 17.1 of the Exposure Draft. Refer to paragraph 17.2 of the Exposure Draft for guidance on specific matters to be included in the TRMF.
44 Paragraph 18.1 of the Exposure Draft.
45 Paragraph 18.2 of the Exposure Draft.
46 Paragraph 18.5 of the Exposure Draft.
47 Paragraph 18.6 of the Exposure Draft.
48 Paragraph 18.9 of the Exposure Draft.
49 Paragraph 18.11 of the Exposure Draft.
50 Paragraph 18.12 of the Exposure Draft.
51 Paragraphs 19.2 and 19.3 of the Exposure Draft.
52 Paragraph 19.4 of the Exposure Draft.
53 Paragraph 4.1 of the Exposure Draft.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.