Bank Negara issues Policy Document on Currency Processing Business

The Currency Act 2020 (“the Act”) which provides, inter alia, for the management of currency of Malaysia, the regulation of currency processing business and currency processing activities came into operation on 1 October 2020. Thereafter, the Currency Registration Requirements Order 2021 [P.U.(A) 127/2021] (“CRR Order”) which, inter alia, sets out the requirements for the registration of “currency processing business”1 was gazetted and came into operation on 24 March 2021.2
 
On 26 June 2024, Bank Negara Malaysia (“BNM”) issued the Policy Document on Currency Processing Business (“Policy Document”). The Policy Document applies to persons registered under section 26(1) of the Act to carry on currency processing business (individually an “RCP” and collectively “RCPs”).
 
The Policy Document comes into effect in two stages. Part A (Overview), Part B (Registration Requirements), Part D (Operational Requirements), Part E (Risk Management and Internal Control) and Part G (Other Requirements) came into effect on 1 July 2024, whilst Part C (Governance) and Part F (Information Technology (IT) Requirements) will come into effect on 1 January 2025.3
 
The Policy Document sets out the proposed standards and guidelines to be adhered to by RCPs to promote prudent practice, professionalism, integrity, accountability and transparency, and the recommended best practices to be followed by RCPs.
 
The key areas covered by the Policy Document are:
  • governance;
  • operational requirements;
  • risk management and internal control; and
  • information technology (IT) requirements.

Part B - Registration Requirements
 
An RCP is required to continuously comply with the CRR Order (as amended from time to time) when carrying on its currency processing business.4
 
Part C - Governance
 
Part C of the Policy Document sets out the governance responsibilities of the RCP and its board and senior management5.
 
The RCP
 
An RCP is required to establish appropriate governance arrangements which are effective and transparent to ensure continued integrity of its business. These include: (a) ensuring the board and senior management consist of people with calibre, credibility and integrity6; (b) clearly defining and documenting organisational arrangements, such as ownership and management structure7; and (c) segregating duties and control function8 to reduce the potential for mismanagement and fraud to occur9.
 
The board
 
The responsibilities of the board of an RCP include, among others, setting out the mandate, responsibilities and procedures of the board and its committees (if any), including the matters reserved for the board’s decision.10
 
The board of an RCP is to have overall responsibility for promoting sustainable business growth and financial soundness of the RCP and preventing mismanagement, fraud and abuse of the RCP for illegal purposes.11 In fulfilling this role, the board shall: (a) approve the risk appetite, business plans, and other initiatives which would, individually or collectively, have a material impact on the RCP’s risk profile12; (b) oversee the selection, appointment and performance of senior management in achieving the business objectives set by the board and in meeting the legal and fiduciary duties of the RCP13; (c) ensure that effective oversight and risk management mechanisms are put in place and are periodically reviewed for continued effectiveness14; and (d) oversee the management of the RCP’s control function15.
 
An RCP and its board must comply with the requirements set out in the Policy Document relating to board appointments, board composition and board meetings.16
 
Senior management
 
An RCP shall only appoint as its senior management, a person who has been assessed to have complied with the fit and proper criteria requirements specified in paragraph 11.1 of the Policy Document.17
 
The senior management primarily responsible for managing the day-to-day business operations of the RCP must ensure that the operation of the RCP is carried out ethically, professionally and with integrity.18
 
The senior management shall: (a) consist of individuals with the appropriate skill set and experience to adequately support the RCP’s business19; and (b) ensure adequate allocation of resources as well as appropriately skilled and competent staff to support all critical functions20.
 
Fit and proper
 
An RCP shall: (a) assess and ensure that its directors and senior management are persons that fulfil the criteria as stipulated in the CRR Order21; and (b) notify BNM in writing together with the assessment made on any new appointment of directors or senior management within 14 days of such appointment, or existing appointment of its directors or senior management within 14 days from the effective date of the Policy Document22.
 
Part D - Operational Requirements
 
Opening and closing of cash processing centre
 
In relation to the opening of its cash processing centre (“CPC”), an RCP must: (a) ensure that the premises comply with the requirement outlined in the CRR Order23; and (b) provide BNM with the information prescribed in paragraph 12.1(b) of the Policy Document at least 30 calendar days before the opening of the CPC, together with an attestation that the premises to be opened have complied with the relevant requirements in the CRR Order24.
 
An RCP shall establish appropriate plans for the closing25 of its CPC and orderly exit, including its communication strategy with other relevant stakeholders, such as the RCP’s customers and local authorities, to mitigate any unintended consequences.26 It shall also notify BNM in writing and consult with BNM at least 30 calendar days before the closure of its CPC, together with information as set out in the Appendix to the Policy Document.27
 
Outsourcing arrangement
 
An RCP shall remain responsible and accountable for any services performed by an outsourced service provider (“OSP”).28
 
The responsibilities of an RCP in relation to an outsourcing arrangement are set out in paragraphs 13.2 to 13.7 of the Policy Document. Among others, they include: (a) ensuring availability of sufficient expertise within the RCP to oversee and manage the outsourcing relationship29; (b) ensuring the scope and nature of services and operations to be outsourced would not compromise the controls and risk management of the RCP30; (c) conducting appropriate due diligence of the OSP when considering new outsourcing arrangements or renewing or renegotiating existing outsourcing arrangements with the OSP31; and (d) exercising effective oversight on the OSP32.
 
Part E - Risk Management and Internal Control
 
Risk management framework
 
An RCP shall establish a risk management framework taking into account its size, scope and complexity of business to facilitate identification, measurement and continuous monitoring of all relevant and material risks.33 In doing so, the RCP must: (a) align the framework with its risk appetite34; (b) clearly assign responsibilities and accountabilities for risk decisions35; and (c) ensure the framework facilitates efficient decision making in crises36.
 
An RCP must also: (a) periodically review the framework for continued effectiveness and be supported by a robust management information system that facilitates the timely and reliable monitoring and reporting of risks37; and (b) establish risk monitoring and reporting requirements, which include periodic reporting to the board and senior management on the assessment of material risks affecting the RCP, to ensure risks are managed and mitigated in a timely manner. The reports must be readily available to the internal audit function of the RCP and BNM.38
 
An RCP is required to effectively manage and control all material risks associated with the conduct of currency processing business, taking into account the size, scope and complexity of its business activities.39
 
In addition, an RCP is required to establish appropriate and properly documented processes, systems and controls that are approved by the board to manage risks in its business, which are reviewed by the senior management and the board regularly to ensure its effectiveness.40
 
Internal control
 
In relation to internal controls, an RCP is required, among others, to: (a) put in place appropriate processes, systems and controls41; (b) maintain all records and documents relevant to its currency processing business to provide a comprehensive view of the RCP’s financial standing, governance and operations for at least seven years42; (c) put in place proper segregation of duties and functions for critical operational functions, including cash processing, management and record keeping to prevent the likelihood of mismanagement or fraud43; (d) where a staff member of an RCP undertakes several roles, to put in place dual controls so that the same person shall not be in charge of roles that could lead to potential conflicts of interest44; (e) establish a control function that complies with prescribed requirements45; and (f) implement an effective business continuity management (BCM) framework within the RCP46.
 
Fraud risk management
 
An RCP is required to put in place an effective mechanism, processes and procedures for mitigating fraud risk and for facilitating fraud prevention, fraud detection and fraud monitoring which include, but are not limited to, the requirements prescribed in paragraphs 16.1(a) to 16.1(d) of the Policy Document.47
 
Part F - Information Technology Requirements
 
Technology risk management
 
An RCP is required to establish a Technology Risk Management Framework (“TRMF”) to safeguard the RCP’s information infrastructure, systems and data. The TRMF is to be an integral part of the RCP’s risk management framework in relation to its currency processing business.48
 
Technology operations management
 
The following are some of the technology operations management requirements imposed on an RCP under the Policy Document: (a) ensure proper management of data centres49; (b) ensure its network infrastructure is designed to be resilient, secure and scalable in a way that is proportionate to the RCP’s business risk and model50; (c) ensure network services supporting critical systems are designed and implemented to ensure the confidentiality, integrity and availability of data51; (d) implement appropriate access controls policy for identification, authentication and authorisation of users (internal and external users such as OSP)52; and (e) implement appropriate physical access control to the RCP’s IT equipment (e.g. physical access controls to its servers, firewalls, routers and switches) which include identification, authentication and authorisation of the user (internal and external users53) accessing the IT equipment54.
 
Technology Service Provider Management
 
An RCP that subscribes to services offered by an OSP shall establish the following controls to safeguard themselves in the service level agreement (“SLA”): (a) clearly define roles and responsibilities between the RCP and the OSP; (b) arrangements for disaster recovery and backup capabilities, where applicable; (c) written undertaking by the OSP on compliance with secrecy provisions under relevant legislation including survival of confidentiality provisions in the SLA after the engagement has ended; (d) clearly affirm the RCP’s ownership of its data stored on the OSP’s system; and (e) arrangements to secure business continuity in the event of exit or termination of the OSP.55
 
Patch and End-of-Life System Management
 
An RCP shall ensure that critical systems are not running on outdated systems with known security vulnerabilities or end-of-life (“EOL”) technology systems. In this regard, the RCP must clearly assign responsibilities to identified functions: (a) to continuously monitor and implement latest patch releases in a timely manner; and (b) to identify critical technology systems that are approaching EOL for further remedial action.56
 
Part G - Other Requirements
 
Changes to business model
 
An RCP is required to notify BNM in writing at least 30 calendar days before implementing any proposed changes to its business or operating model which are significant or change the risk profile of its business. If BNM communicates in writing to an RCP that the proposed change to its business model has the risk of impairing the quality or integrity of currency, the RCP shall adopt risk mitigating measures before implementing such change.57
 
Information and data submission
 
An RCP shall submit the following to BNM: (a) its annual audited financial statements not later than three months after its financial year end; (b) statistical report on the operation of its business on a monthly basis; and (c) any other information as required by BNM.58
 
Comment
 
The provisions in the Policy Document are substantially the same as those in the Exposure Draft of the Policy Document issued by BNM on 17 January 2024, except for several requirements which have been clarified or enhanced.
 
Article by Lee Ai Hsian (Partner) and Javene Fan (Associate) of the Banking and Finance Practice of Skrine.
 

1 The expression “currency processing business” means: (a) the business of: (i) collecting currency note or currency coin; (ii) sorting currency note or currency coin by authenticity and quality; and (iii) packing currency note or currency coin by quality, quantity and denomination, in each case by a person for or on behalf of another person; or (b) any activity declared as currency processing business under section 23 of the Act.
2 Our previous articles / alerts on the Act and the CRR Order, in particular, the currency processing business aspects thereof, can be accessed here, here, here and here.
3 Paragraph 4.1 of the Policy Document.
4 Paragraph 7.1 of the Policy Document.
5 The expression “senior management” refers to the Chief Executive Officer (CEO) and senior officers of an RCP.
6 Paragraph 8.1(a) of the Policy Document.
7 Paragraph 8.1(b) of the Policy Document.
8 The expression “control function” refers to a function that has a responsibility independent from business lines to provide objective assessments, reporting and assurance on the effectiveness of policies and operations, and its compliance with relevant laws. This includes the risk management function, the compliance function and the internal audit function or equivalent functions, by whatever name called.
9 Paragraph 8.1(c) of the Policy Document.
10 Paragraph 9.1 of the Policy Document.
11 Paragraph 9.2 of the Policy Document.
12 Paragraph 9.2(a) of the Policy Document.
13 Paragraph 9.2(b) of the Policy Document. Refer to sub-paragraphs (i) to (iii) of paragraph 9.2(b) for further details.
14 Paragraph 9.2(c) of the Policy Document. Refer to sub-paragraphs (i) to (v) of paragraph 9.2(c) for further details.
15 Paragraph 9.2(d) of the Policy Document. Refer to sub-paragraphs (i) to (iv) of paragraph 9.2(d) for further details.
16 Paragraphs 9.3 to 9.10 of the Policy Document.
17 Paragraph 10.1 of the Policy Document.
18 Paragraph 10.3 of the Policy Document. Refer to paragraphs 10.3(a) to 10.3(d) for further details.
19 Paragraph 10.4 of the Policy Document.
20 Paragraph 10.5 of the Policy Document.
21 Paragraph 11.1 of the Policy Document and paragraph 6 of the Schedule to the CRR Order.
22 Paragraph 11.2 of the Policy Document.
23 Paragraph 12.1(a) of the Policy Document.
24 Paragraph 12.1(b) of the Policy Document. Refer also to paragraphs 3 and 4 of the CRR Order.
25 The expression “closing” includes the relocation of a CPC outside of the original CPC’s state (Footnote 3 at page 11 of the Policy Document).
26 Paragraph 12.2 of the Policy Document.
27 Paragraph 12.3 of the Policy Document.
28 Paragraph 13.1 of the Policy Document.
29 Paragraph 13.2(b) of the Policy Document.
30 Paragraph 13.2(c) of the Policy Document. Refer to sub-paragraphs (i) to (iv) of paragraph 13.2(c) for further details.
31 Paragraph 13.3 of the Policy Document.
32 Paragraph 13.6 of the Policy Document. Refer to paragraphs 13.7(a) to 13.7(e) for further details.
33 Paragraph 14.1 of the Policy Document.
34 Paragraph 14.2(a) of the Policy Document.
35 Paragraph 14.2(b) of the Policy Document.
36 Paragraph 14.2(c) of the Policy Document.
37 Paragraph 14.3 of the Policy Document.
38 Paragraph 14.4 of the Policy Document.
39 Paragraph 14.5 of the Policy Document. Refer to paragraph 14.7 for examples of specific risks associated with conduct of currency processing business.
40 Paragraph 14.6 of the Policy Document.
41 Paragraph 15.1.1 of the Policy Document. Refer to sub-paragraphs (a) to (d) of paragraph 15.1.1 for further details.
42 Refer to paragraphs 15.2.1 to 15.2.4 of the Policy Document for details.
43 Refer to paragraph 15.3.1 of the Policy Document.
44 Refer to paragraph 15.3.2 of the Policy Document.
45 Refer to paragraphs 15.4.1 and 15.4.2 of the Policy Document for details.
46 Refer to paragraphs 15.5.1 to 15.5.8 of the Policy Document for details.
47 Paragraph 16.1 of the Policy Document.
48 Paragraph 17.1 of the Policy Document. Refer to paragraph 17.2 of the Policy Document for guidance on specific matters to be included in the TRMF.
49 Paragraph 18.1 of the Policy Document.
50 Paragraph 18.2 of the Policy Document.
51 Paragraph 18.5 of the Policy Document.
52 Paragraph 18.6 of the Policy Document.
53 “External users” include service providers and auditors (Footnote 15 at page 22 of the Policy Document).
54 Paragraph 18.9 of the Policy Document.
55 Paragraph 18.11 of the Policy Document.
56 Paragraph 18.12 of the Policy Document.
57 Paragraphs 19.1 and 19.2 of the Policy Document.
58 Paragraph 19.3 of the Policy Document.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.