Regulation governing Payment Services Providers


Rwanda

Regulation 5 of 2018

Pursuant to Law N° 55/2007 of 30/11/2007 governing Central Bank of Rwanda, especially in articles 6, 9, 56, 57 and 58;

Pursuant to Law N° 03/2010 of 26/02/2010 concerning Payment System, especially in articles 3, 5, 7 and 10;

Having reviewed the Regulation N° 07/2015 of 13/11/2015 governing payment services providers;

The National Bank of Rwanda, hereinafter referred to as “the Central Bank”, decrees:

Chapter One
General provisions

Article One – Purpose and scope of this Regulation

This Regulation sets forth the rules governing the licensing of Payment Services Providers by the Central Bank.

This regulation applies to payment transactions where both the payer’s payment service provider and the payee’s payment service provider are, or one of the payment service providers in the payment transaction is, located in Rwanda.

The regulation does not apply to the following:
payment transactions made exclusively in cash directly from the payer to the payee, without any intermediary intervention;
physical transport of banknotes and coins, including their collection, processing and delivery;
payment transactions carried out within a payment or securities settlement system between settlement agents, central counterparties, clearing houses and/or central banks and other participants of the system, and payment service providers;
services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred;
services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:
(a) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with the professional issuer;
(b) instruments which can be used only to acquire a very limited range of goods or services;

Article 2 – Definitions

In this regulation, the following terms and expressions shall mean:

1. agency agreement: a legal contract creating a fiduciary relationship whereby "the principal" agrees that the “agent” acts for and on behalf of him or her. Actions of the agent bind the principal to later agreements made by the agent as if the principal had himself/herself personally made those agreements.

2. branchless banking: a distribution channel strategy used for delivering a range of financial services without relying on bank branches. It entails substantially the use of technology means, such as electronic, digital or similar device, either remotely or through the use of third-parties outlets to offer at least basic cash deposit and withdrawal in addition to transactional or payment services, backing of a financial institution and customers can use these banking services on a regular basis.

3. supervised institutions: a bank, a non-bank financial institution or a micro-finance institution within the meaning of the Laws governing those institutions and duly supervised by the Central Bank;

4. money remittances: a payment service where funds are received from an originator without any accounts being created in the name of the originator or the beneficiary, for the sole purpose of transferring a corresponding amount to a beneficiary or to another Payment Services Provider acting on behalf of the beneficiary;

5. payment services: the following activities are payment services:
(a) services enabling cash to be placed on, or withdrawn from a Payment Account as well as all the operations required for operating a Payment Account;
(b) execution of payment transactions, including transfers of funds on a payment account with the user’s payment services provider or with another payment services provider, whether the funds are covered by a credit line for a payment service user:
(i) execution of direct debits, including one-off direct debits;
(ii) execution of payment transactions through a payment card or a similar device;
(iii) execution of credit transfers, including standing orders.
(c) issuing of payment instruments;
(d) acquiring of payment transactions such as physical and online merchant acquisition services or payment aggregator;
(e) money remittance;
(f) payment initiation services;
(g) issuance and management of e-money services in compliance with Regulation governing e-money issuers;

6. payment initiation services (PIS): all services facilitating the authorization and/or validation of an electronic fund transfer, a card payment or otherwise facilitating the execution of electronic transactions. They include, but are not limited to management of gateways or payment terminals;

7. payment account: an account opened by a customer with a payment services provider or its agents, which is used for the execution of payment transactions;

8. payment aggregator: the intermediary collecting funds received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these funds to the merchants in final settlement of the obligations of the paying customers;

9. payment gateway: a payment service facilitating the authorization of card or direct payments processing for e-businesses, online retailers, or the like. A payment gateway facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front-end processor or acquiring bank.

10. payment terminal: a device or channel which interfaces with payment cards or any other payment instruments to make electronic fund transfers.

11. payment Service Provider (PSP): any entity providing services enabling cash deposits and withdrawals, execution of Payment Transactions, issuing and/or acquisition of Payment Instruments, Money Remittances and any other services functional to the transfer of money. The term does not include solely who provides online services or by telecommunication services or network access;

12. payment instruments: an instrument enabling the holder/user to transfer funds, checks, electronic money, credit cards and debit cards or any other instrument through which persons can make payments, with the exception of banknotes and coins;

13. payment Transaction: a transfer of funds between, or into or from accounts. A payment transaction may be either a credit or a debit transfer. It is initiated by means of a payment order, which may be written, electronic, digital or any other communication device, or by the use of a Payment Instrument;

14. trust account: a separate bank account segregated from a payment service provider's own funds, in which the payment service provider is required to deposit all funds collected for clients;

15. agent: a natural person or legal entity providing payment services to the customers of a payment service provider on behalf of the payment service provider under a valid agency agreement;

17. financial institutions: institutions licensed under the law concerning organization of banking and the law concerning organization of Microfinance activities;

[Please note: numbering as in original.]

18. interoperability: a set of arrangements, procedures and standards that allow participants in different payment schemes to conduct and settle payments across systems while continuing to operate also in their own respective systems;

19. Mobile Network Operators: mean companies that provide services relating to network, voice, and data services to subscribers;

20. sub-agent: an agent recruited by the super-agent under a valid agreement;

21. super-agent: an agent having well established owned retail outlets, or a distribution setup and responsible for managing and controlling sub-agents;

22. capital: permanent shareholders equity in form of issued and fully paid-up shares of common stock plus all disclosed reserves, less goodwill and any other intangible assets (excluding computer software);

23. sensitive payment data: data, including personalized security credentials which can be used to carry out fraud. For the activities of payment initiation service providers, the name of the account owner and the account number do not constitute sensitive payment data;

24. relevant persons: in relation to Payment Service Provider (PSP) incorporated in Rwanda that is licensed by the Central Bank:
(a) a substantial shareholder;
(b) a director;
(c) a chief executive officer or deputy chief executive officer;
(d) a chief financial officer;
(e) a Manager in charge of e-money;
(f) trustees where applicable;
(g) any other officer by whatever name described, who has responsibilities or functions similar to any of the persons referred to in sub-paragraph (c) or (e), of the PSP.

25. cloud computing: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction;

26. sandbox: a live, contained environment in which participants may test their product, service or solution subject to the requirements under this regulation;

27. substantial shareholder: a shareholder who owns or acquires in a PSP, directly or indirectly, alone or in conjunction with others, represents at least five percent (5%) of the equity capital or voting rights, or that makes it possible to exercise a significant influence over the management of that PSP.

Chapter II
Licensing procedure

Article 3 – General principles

No person or entity may act as a Payment Services Provider, without holding a license for this purpose, granted by the Central Bank.

Supervised Institutions providing payment services under their governing laws are exempted from the requirement to obtain a license from the Central Bank under this Regulation. However, they are subject to any relevant monitoring requirement imposed by the Central Bank.

Article 4 – Application for a license

In order to obtain a license, an institution not supervised by the Central Bank that wishes to provide payment services shall provide to the Central Bank an application letter for license.

The information provided by applicants shall be true, complete, accurate, up to date and tailored and adjusted to the particular service or services the applicant intends to provide.

The directors and the persons responsible for the management of the payment institution shall be of good repute and possess appropriate knowledge and experience to perform payment services, regardless of the institution’s size, internal organization and the nature, scope and the complexity of its activities and the duties and responsibilities of the specific position.

All personal data requested under this regulation for licensing as payment services provider are needed for the assessment of the application and shall be treated in accordance with the professional secrecy obligations.

Article 5 – Documents to be submitted with the application letter

The application letter shall be at least accompanied by the following documentation:

1° Programme of Operations which must contain the following information:
(a) a description of the type of payment services envisaged, including an explanation on how the activities and the operations which will be provided are identified by the applicant as fitting into any of the categories of payment services listed in article 2;
(b) a declaration on whether the applicant will enter or not into possession of funds;
(c) a description of the execution of the different payment services, detailing all parties involved, and including for each payment service provided:
(i) a diagram of flow of funds, unless the applicant intends to provide payment initiation services (PIS) only;
(ii) settlement arrangements, unless the applicant intends to provide PIS only;
(iii) draft contracts between all the parties involved, if applicable;
(iv) a description of the different ways through which these services are provided;
(v) flows of data and processing times.
(d) a description of any ancillary services to payment services, if applicable;
(e) a declaration on whether the applicant plans to provide payment services in other countries after the granting of the license;
(f) an indication of whether the applicant intends to provide/already provides other business activities including a description of the type and nature of the activities, expected volume and business premises;

2° business plan: A business plan including a forecast budget calculation for the first three (3) financial years, which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

3° legal status and governance: Description of status, ownership and governance of the entity to obtain the license:
(a) legal status and articles of association;
(b) License to operate in the home/base country where the applicant is a subsidiary of a foreign company, accompanied with the letter of no objection from the home regulatory authority recommending the applicant to establish a company providing payment services in Rwanda;
(c) list of the owners and the percentages of shares owned by each;
(d) latest audited financial statements of a parent company, if any;
(e) current tax compliance certificate from tax authorities in Rwanda;
(f) the address of the head office. The applicant shall have, at the time of licensing and at all times, a fixed and identifiable place of business that is suitable in all respects for the business of provision of payment services as may be determined by the Central Bank.
(g) the governance arrangements of the applicant and internal control mechanisms, including administrative, risk management and accounting procedures. These governance arrangements, control mechanisms and procedures shall be proportionate, appropriate, sound and adequate;
(h) Internal control mechanisms, including IT infrastructure policies and procedures, which the applicant has established to comply with its anti-money laundering obligations.
(i) Evidence that relevant persons meet the fit and proper criteria as set in the annex I of this Regulation.

4° initial capital: Evidence that the applicant will hold initial capital as provided for in Article 11 of this Regulation. To comply with such requirement, the following shall be submitted:
(a) for existing undertakings, an audited account statement or public register certifying the amount of capital of the applicant;
(b) for undertakings in the process of being incorporated, a bank statement issued by a bank certifying that the funds are deposited on the applicant's bank account.

5° outsourcing: A description, when relevant, of outsourcing arrangements consisting of:
(a) the identity and geographical location of the outsourcing provider;
(b) the identities of the persons that are responsible for each of the outsourced activities;
(c) a detailed description of the outsourced activities and its main characteristics.
(d) A copy of a draft outsourcing agreement.
(e) Proof that the applicant complies with the Regulation of the Central Bank on outsourcing.

6° IT features: A signed document detailing the features and operational modalities of all IT interfaces including the operating systems and software explaining at a minimum the following:
(a) description (including diagrams) of the configuration of the institution’s electronic payment system and its capabilities showing:
(i) how the electronic payment system is linked to other host systems or the network infrastructure in the institution;
(ii) how transaction and data flow through the network, settlement process and timing;
(iii) what types of telecommunication channels and remote access capabilities;
(iv) what security controls/measures are installed;
(b) a list of software and hardware components indicating the purpose of the software and hardware in the infrastructure;
(c) how the system is interoperable with other existing electronic payment systems.

7° security policy: A security policy document containing the following information:
(a) a detailed risk assessment of the payment service(s) the applicant intends to provide, which must include risks of fraud and the security control and mitigation measures taken to adequately protect payment service users against the risks identified;
(b) an exhaustive list of authorized connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, including the rationale for such connection;
(c) for each of the connections listed under point b), the logical security measures and mechanisms in place, specifying the control the applicant will have over these accesses as well as the nature and frequency of each control, such as technical versus organizational, preventive vs detective; real-time monitoring vs regular reviews, such as the use of an Active Directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus and logs;
(d) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
(i) the technical and organizational nature and frequency of each measure, such as whether it is preventive or detective or whether or not it is carried out in real time;
(ii) how the issue of client environment segregation is dealt with in cases where the applicant’s IT resources are shared.
(e) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
(f) the security of the payment processes, which shall include:
(i) the customer authentication procedure used for both, consultative and transactional accesses, and for all underlying payment instruments;
(ii) an explanation on how the safe delivery to the legitimate payment services user and the integrity of authentication factors such as hardware tokens and mobile application is ensured, at the time of both, initial enrolment time and renewal;
(iii) a description of the systems and procedures that the applicant has in place for transaction analysis and identification of suspicious or unusual transactions.
(iv) a detailed risk assessment in relation to its payment services, including fraud and with a link to the control and mitigations explained in the application file, demonstrating that the risks are addressed;
(v) a list of the main written procedures in relation to the applicant’s IT systems or, for procedures that have not yet been formalized, an estimated date for their finalization;
(vi) any other information relevant to the risks arising from the specific activities of the applicant.

8° business continuity: Description of the business continuity arrangements consisting of the following information:
(a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives, and protected assets;
(b) the identification of the back-up site, access to IT infrastructure, and its key software and data to recover from a disaster or disruption;
(c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data, inaccessibility of premises; and loss of key persons;
(d) the frequency with which the applicant intends to test the Business Continuity and Disaster Recovery Plans, including how the results of the testing will be recorded;
(e) a description of the mitigation measures to be adopted by the applicant, in case of termination of its payment services, to avoid adverse effects on payment systems and on payments services users ensuring execution of pending payment transactions and termination of existing contracts.

9° agents: Criteria for the selection of agents, where applicable, in conformity with Regulation No 02/2017.

10° AML/CFT: Proof of ability to comply with all applicable Anti-Money Laundering and Combating of Financing of Terrorism (AML/CFT) laws, standards and measures;

11° customer protection: Details of the customer protection measures, including a description of the procedure in place to monitor, handle and follow incident related customer complaints, incidents reporting mechanism which takes consumer recourse mechanisms and consumer awareness program;

12° data Protection: Details of data protection policy including a description of the process in place to file, monitor, track and restrict access to sensitive payment data;

13° safeguard of customers funds: A description of the measures taken for safeguarding payment service users’ funds where applicable.

14° additional requests by Central Bank: The applicant shall produce such other documents that the Central Bank may call for during the consideration of the application.

Article 6 – Further requirements for Electronic Money Issuers (EMI)

An institution not supervised by the Central Bank wishing to provide payment services under Regulation on e-money issuers (EMI) shall submit additional information to the Central Bank proving existence of a trust account with a licensed commercial bank in Rwanda to get a license.

The terms and conditions of that account shall establish that the trust account cannot be accessed by the payment service provider for its non-payment services operations, and that the funds of each customer are always traceable and segregated from those of other customers.

Article 7 – License application for PIS providers

In order to obtain a license, PIS providers shall submit all documents described in Article 5 of this Regulation.

Other requirements are the following:
access to any relevant scheme or system and interoperability;
evidence of professional indemnity insurance, or some other comparable guarantee against liability to ensure that the applicant can cover its liability.

Article 8 – Application for a license by Money Remittance Providers

In order to obtain a license, Money Remittance Providers shall submit all documents described in Article 5 of this Regulation.

Other requirements are the following:
evidence of the proposed location of the business premises from which the service is to be offered;
copy of draft agency agreement between the international remittance service provider and the primary agent, when relevant;
evidence that the international remittance service provider has legal permission to function as such in its home country;
have an insurance policy covering at least a risk of an amount of 100,000,000 FRW as security of funds held in vaults.

Article 9 – Approval of relevant persons

No relevant persons, as defined in article 2, point 24, shall start the activities without being approved by the Central Bank.

The Central Bank approves the authorities specified under paragraph one (1) after assessing their suitability.

Where the trustee is a corporate entity, the Central Bank shall assess the suitability and approve director general, managers or other similar authorities of the corporate entity.

For the purposes of assessing the suitability of relevant persons in control of a payment service provider, the Central Bank shall have regard to the criteria prescribed under Annex I.

The Central Bank may specify other criteria for assessing suitability when necessary.

The Central Bank approval specified under the paragraph one (1) of this Article is not applicable to the Payment Services Providers that are licensed to work as a bank or microfinance institution.

Article 10 – Requirement for financial institutions supervised by the Central Bank

Any financial institution supervised by the Central Bank wishing to provide payment services shall provide to the Central Bank for approval, a detailed description of the payment services it intends to operate, at least one month before its effective operations, containing all documents listed in Article 5.

Article 11 – Initial capital requirements

A Payment Service Provider other than an institution regulated and supervised by the Central Bank as a Bank or Microfinance institution shall, at the time of licensing and at all times, hold a capital as prescribed under this Article.

Any other applicant wishing to provide the payment service as specified under point 5, e) of article 2 of this regulation, shall have a minimum initial capital of not less than thirty million Rwandan Francs (30,000,000 RWF);

Any other applicant wishing to provide the payment service as specified under point 5, f) of article 2 of this regulation, shall have a minimum initial capital of not less than fifty million Rwandan Francs (50,000,000 RWFs).

Any other applicant wishing to provide only the payment service listed in points from 5, a) to 5, d) under article 2 of this regulation, shall have a minimum initial capital of not less than a hundred million Rwandan Francs (100,000,000 RWFs).

Any other applicant wishing to provide the payment service as specified under point 5, g) of article 2 of this regulation, shall have a minimum initial capital of not less than two hundred million Rwandan Francs (200,000,000 RWFs).

Article 12 – Assessment of the completeness of the application

An application shall be deemed complete if it contains all the information needed by the Central Bank in order to assess the application in accordance with Article 5 of this Regulation.

Where the information provided in the application is assessed to be incomplete, the Central Bank shall, within seven working days, notify, in paper format or by electronic means, a request to the applicant, indicating the missing information, and shall provide to the applicant the opportunity to submit the missing information.

No further action shall be taken by the Central Bank unless the deficiencies are rectified within the period prescribed and a letter of acknowledgment is submitted to the applicant.

Upon an application being assessed as complete, the Central Bank shall inform the applicant of that fact, together with the date of receipt of the complete application or, as the case may be, the date of receipt of the information that completed the application.

A notification of complete application shall constitute official notice that the documents submitted were found to be complete and that the processing or evaluation may commence.

The Central Bank may require the applicant to provide clarification on the information for the purposes of assessing the application.

Where an application contains information, or relies on information held by the Central Bank, which is no longer true, accurate or complete, an update to the application shall be provided to the Central Bank without delay.

Article 13 – Central Bank’s decision on granting a license or approval

The Central Bank shall, within one month after receipt of a complete application, investigate and prepare a response to the applicant.

The investigation may require direct contacts and clarifications by the applicant, to be provided either in writing or verbally. In this second case, the Central Bank shall draft minutes of the meeting to be signed by the applicant.

The response specified under the first (1) paragraph of this Article shall indicate whether the application satisfies all requirements as established by laws and/or regulations, as well as whether the granting of the license could be subject to the fulfillment of certain conditions that the Central Bank may deem necessary.

The Central Bank shall inform the applicant, in writing, of its decision to grant or refuse to grant the license. A notice communicating the decision not to grant a license shall state the grounds upon which it is based.

The applicant can resubmit the application after addressing any issue identified by the Central Bank.

The Central Bank shall, upon receiving a complete application and all information required, and is satisfied that the applicant has met all the application requirements, and upon satisfaction of the post application procedures, advise the applicant to pay the prescribed license fees.

Article 14 – License fees

A non-refundable license fee shall become due and payable upon notification by the Central Bank to the applicant that the application for license meets the requirements.

For Institutions not supervised by the Central Bank wishing to offer remittance services, the license fee amounts to One Million Rwandan Francs (1 000 000 FRW).

For Institutions not supervised by the Central Bank wishing to offer any other payment service, the license fee shall amount to Five million Rwandan Francs (5 000 000 FRW).

There shall be no proration of the license fee in case the license was issued in the course of the year.

Article 15 – Oversight fees

An annual oversight fee of One million Rwandan Francs (1,000,000 FRW) for remittances Service providers and five Million Rwandan Francs (5,000,000 FRW) for the others shall be payable every year not later than January.

A licensee who fails to pay the prescribed oversight fees shall pay a double of the oversight fee, if payment is made within ninety (90) days after the deadline provided under the paragraph one of this Article.

A licensee, who fails to pay the oversight fee as prescribed under this Regulation, may have the license revoked after ninety days following the deadline provided under the paragraph one of this Article.

Article 16 – Nature of a license

The license granted by the Central Bank under this Regulation is perpetual unless revoked in accordance with this regulation. It shall not be transferable, assignable or encumbered in any way.

Article 17 – Withdrawal or suspension of the license

The Central Bank may at any time decide to withdraw or suspend the license granted to a payment service provider if:
the payment service provider has not commenced operations within 12 months of the date on which the license was granted to it;
the payment service provider has ceased providing the service for a period of more than one month;
the payment service provider has obtained the license of the Central Bank through incorrect statements or any other irregular means;
the conditions or requirements described in this Regulation are not met;
in case the operations of payment service provider endanger the stability of the financial system of Rwanda;
the payment service provider or a subsidiary of payment service provider is insolvent without possibility of recovery;
the foreign payment service provider is undergoing liquidation in its country of origin;
if in the opinion of the Central Bank, the service is no longer in the public interest or the service no longer represents the interest of the participants.

The Central Bank shall, immediately after its decision on the withdrawal or suspension of the license, notify its decision to the payment service provider.

The Central Bank shall, immediately after the withdrawal or suspension of the license, publish a public notice in such manner as it deems appropriate.

A shareholder, a Board Member and a senior management or a trustee in control of a payment service provider whose license was revoked for administrative or operational reasons may be authorized to provide payment services after a period of five (5) years from the revocation of the license.

Article 18 – Discontinuing providing payment service

In case any service provider wishes to discontinue providing payment service or discontinue carrying on its business, such service provider shall notify in writing together with the report regarding the discontinuation of providing service or discontinuation of carrying on the business to the Central Bank sixty (60) days before it discontinues the payment services.

Article 19 – Action of the Central Bank

Upon receipt of the notification of the service provider specified under article 18, the Central Bank shall have power to order the service provider to take any action prior to discontinuing providing service or discontinuing carrying on its business.

Article 20 – Amalgamation and acquisition

Without prejudice to the provisions of the law governing companies, the Central Bank grants prior authorisation to a PSP on the following:
amalgamation of PSPs;
acquisition of a PSP;
transfer of a substantial shareholding;

The Central Bank shall request the applicant for the above transactions to submit relevant information thereon for the analysis of the application.

Article 21 – Return of the license

Any payment service provider wishing to discontinue providing service or discontinue carrying on its business or merger with others shall return its certificate of license to the Central Bank.

The Central Bank shall, immediately after receiving the license as specified under paragraph one (1) of this Article, publish a public notice in such manner as it deems appropriate. The public notice shall indicate that the license of the person returning the license or merging with others is not valid from a specific date determined by the Central Bank.

Article 22 – Liquidation

The process of liquidation of a payment service provider shall be in conformity with the Law relating to companies and the law relating to commercial recovery and settling issues arising from insolvency.

A payment service provider shall seek the non-objection from the Central Bank before it enters into the process of the voluntary liquidation.

Chapter III
Approval of new payment services

Article 23 – New payment service

New payment service refers to:
a payment service that is being offered by a licensed payment service provider in Rwanda for the first time and includes a product/service which has never been offered by the payment service provider before in Rwanda, notwithstanding the fact that the payment service may have already been offered by other entities within the PSP’s group outside the Country;
a combination of a payment service and any existing or new payment service, or variation to an existing payment service being offered by a payment service provider in Rwanda, that results in a material change to the structure, features or risk profile of the existing payment service.

Article 24 – Prerequisite to the introduction of a new payment service

The supervised institution must meet the following requirements prior to introducing a new payment service:
the new payment service must fall within the ambit of payment services as specified in this regulation;
the payment service provider has the capacity to adequately manage and control the risks associated with the new payment service, including the financial capacity to support existing and new payment service lines;
the PSP must not knowingly offer a new payment service that has been prohibited in other countries and which might potentially give rise to public concerns;

In offering the new payment service, the payment service provider must comply with all necessary approvals and/or any other applicable legal and regulatory requirements issued by the Central Bank as well as regulatory requirements issued by other regulatory bodies where applicable notably the AML/CFT obligations.

Article 25 – Information requirements for new payment services

Unless otherwise notified by the Central Bank, a payment service provider that meets the requirements stipulated in article 24 shall submit the following documents to Central Bank for approval:
a detailed payment service description, including its features, structure, target market customers, and distribution channel. Payment service illustrations shall also be included where appropriate.
change in the pricing policy that indicates the review or the introduction of the fees and charges;
Sample payment service term sheet;
details of any arrangements (including distribution arrangements) with other parties/strategic alliances (if any) in offering the new payment service, including information about the strategic partner, associated risks and actions taken to minimise or mitigate the identified risks;
description of the payment service’s key inherent risks from the PSP’s and customers’ perspectives and the systems and/or processes in place to manage the risks;
Money Laundering and Terrorism Financing risk assessment for the new products/service;
description of the IT Security policy highlighting the following:
(a) an assessment of the IT-related risks and measures put in place to mitigate the risks;
(b) detailed description on application security and application architecture diagram;
(c) detailed IT and network security infrastructure arrangements;
(d) Detailed network diagram (where applicable) depicting external linkages and control checkpoint.

Article 26 – Exemption

The submission requirement is not applicable to the following:
payment services involving innovative structures that are being introduced in the Rwandan market for the first time as defined in the sandbox requirements as provided in this regulation;
an approved payment service which involves the application of a new contract in the Rwandan market;
a combination of two or more payment services that were previously approved on a stand-alone basis.

Chapter IV
Sandbox requirements

Article 27 – Innovative new products or services

In the event that a person intends to provide an innovative product or service within payment services but this does not clearly correspond to one of the services or products currently regulated, or represents a hybrid product, the person may apply for a sandbox to the Central Bank.

Article 28 – Eligibility criteria

An applicant seeking the Central Bank’s approval to participate in a sandbox must demonstrate the following:
the product, service or solution is genuinely innovative with clear potential to:
(a) address a significant problem or issue, or bring benefits to consumers or the industry;
(b) improve accessibility, efficiency, security and quality in the provision of payment services;
(c) enhance the efficiency and effectiveness of management of risks;
(d) address gaps in or open up new opportunities for financing or investments in the country;
the applicant has conducted an adequate and appropriate assessment to demonstrate the usefulness and functionality of the product, service or solution and identified the associated risks;
the applicant has the necessary resources to support testing. This includes the required resources and expertise to mitigate and control potential risks and losses arising from offering of the product, service or solution;
the applicant has a realistic business plan to deploy the product, service or solution on a commercial scale in the country after exit from the pilot phase; and
the applicant is led and managed by persons with credibility and integrity as defined in the Annex I of this Regulation.

The sandbox may not be suitable when the proposed payment service is similar to those that are already being offered in Rwanda, unless the applicant can show that:
a different technology is being applied;
the same technology is being applied differently;

The applicant has not demonstrated that it has done its due diligence, including testing the proposed payment service in a laboratory environment and knowing the legal and regulatory requirements for deploying the proposed payment service.

Article 29 – Application process

An applicant must submit to the Central Bank all relevant documents to describe the project as per the Annex II.

The applicant must also include the key outcomes that the testing is intended to achieve and the appropriate indicators to measure such outcomes.

The Central Bank shall inform an applicant of its eligibility to participate in the pilot programme within fifteen (15) working days of receiving a complete application.

Thereafter, the Central Bank shall engage the participants on the following:
testing parameters such as the scope and duration of the test, regulatory flexibilities requested and frequency of reporting;
specific measures to determine the success or failure of the test at the end of the testing period;
an exit strategy should the test fail or be discontinued;
a transition plan for the deployment of the product, service or solution on a commercial scale upon successful testing.

Article 30 – Reports

The participant must submit interim reports to the Central Bank on the progress of the test.

This report must include information on the following:
key performance indicators, key milestones and statistical information;
key issues arising as observed from fraud or operational incident reports;
actions or steps taken to address the key issues referred to in sub-paragraph (b).

The frequency and specific details to be included in interim reports shall be agreed between the Central Bank and the participant, taking into account the duration, complexity, scale and risks associated with the test.

The participants must submit a final report containing the following information to project piloting within 30 calendar days from the expiry of the testing period:
key outcomes, key performance indicators against agreed measures for the success or failure of the test and findings of the test;
a full account of all incident reports and resolution of customer complaints;
in the case of a failed test, lessons learnt from the test.

Article 31 – Exhaustion of testing

The initial testing period shall not exceed 6 months from the start date of the sandbox.

To extend the testing period, a written application must be submitted by the participants to the Central Bank no later than thirty (30) calendar days before the expiry of the testing period.

The application shall state the additional time required and clearly explain reasons for requiring the extension.

To minimise market distortion, the Central Bank shall not generally approve a protracted extension of the testing period unless the solution has tested positively in general and it can be demonstrated that the extended testing is necessary to respond to specific issues or risks identified during initial testing.

Upon the completion of the testing, the Central Bank decides whether to allow the product, service or solution to be introduced in the market on a wider scale.

Where allowed, participating entities intending to carry out regulated businesses are assessed based on applicable licensing criteria, as the case may be.

The Central Bank may also prohibit deployment of the product, service or solution in the market upon the completion of the testing due to the following reasons:
in the event of an unsuccessful testing based on agreed test measures;
the product, service or solution has unintended negative consequences to the public and/or financial stability.

Article 32 – Revocation of approval

The Central Bank may revoke an approval to participate in the sandbox at any time before the end of the testing period if the participant:
submits false, misleading or inaccurate information, or has concealed or failed to disclose material facts in the application;
contravenes any applicable law administered by the Central Bank or any applicable law in the country or abroad which may affect the provider’s integrity and reputation in Rwanda;
is undergoing or has gone into liquidation;
breaches data security and confidential requirements;
carries on business in a manner detrimental to customers or the public at large;
fails to effectively address any technical defects, flaws or vulnerabilities in the product, service or solution which gives rise to recurring service disruptions or fraud incidents; or
fails to effectively address and resolve customer complaints.

Chapter V
Outsourcing activities

Article 33 – Outsourcing requirements

The payment service provider may outsource parts of their payment services activities, provided that this does not result in an increase in risk and a reduction in consumers’ protection.

Where a payment service provider intends to enter into material outsourcing engagement, it shall apply for Central Bank approval.

Outsourcing of important operational functions may not be undertaken in such way as to impair materially the quality of the payment service provider's internal control and the ability of the Central Bank to monitor the payment service provider's compliance with all obligations laid down in this regulation.

For the purposes of the paragraph three (3), an operational function shall be regarded as important if a defect or failure in its performance would materially impair the continuing compliance with the requirements for the provision of payment services, in conformity with the requirements of its license, or its financial performance, or the soundness or the continuity of its activities.

When an Operator outsources important operational functions, it complies with the following conditions:
the outsourcing shall not result in the delegation by senior management of its responsibility;
the relationship and obligations of the payment service provider towards the beneficiaries of services shall not be altered;
none of the other conditions subject to which the license was granted shall be removed or modified.

A Material Outsourcing Arrangement means an outsourcing arrangement:
which, in the event of a service failure or security breach, has the potential to either materially impact a Provider’s:
(a) business operations, reputation or profitability; or
(b) ability to manage risk and comply with applicable laws and regulations, or
which involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on a Provider’s customers.

Article 34 – Outsourcing agreements

Any outsourcing agreement shall be in writing and comprise at a minimum the following elements:
definition of the rights, responsibilities and apportioning of liabilities between parties, stating how the parties plan to manage the issue of any expected risk;
exact definition of the activities to be outsourced;
mechanisms to ensure that the outsourced activities are subject to monitoring mechanisms by the institution and that regulatory review is permitted in order to grant to the Central Bank inspecting officers full and timely access to internal systems, documents, reports, and records;
specify that the third party must ensure safekeeping of all relevant records, data and documents/files for at least ten years; or alternately, such record is shifted to the institution at regular pre-specified intervals which will then ensure safekeeping of this record for at least ten (10) years;
state that all information/data that the third party collects in relation to payment services, whether from the customers or the institution or from other sources, is the property of the institution, and the institution will be provided with copies of related working papers/files it deems necessary, and any information pertaining to the institution must be kept confidential;
establish a protocol for changing the terms of the service contract and stipulations for default and termination of the contract;
state that staff of the third party is not considered staff of the institution;
specify whether the agent is or is not authorized to recruit sub-agents. In case of authorization, it shall be granted under terms and conditions established by the payment service provider;
state that in case the agent recruits the sub-agents, the payment service provider shall have direct monitoring on the sub-agents;

Institutions supervised by the Central Bank and providing banking services shall comply with the specific banking regulation on outsourcing.

Article 35 – Cloud computing

A Payment service provider wishing to outsource their services on cloud, shall take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing.

In particular, payment services providers shall ensure that the cloud service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls.

Chapter VI
Specific conditions relating to provision of payment services

Article 36 – Identification of customers

Prior to providing the payment services, a payment services provider shall respect customer due diligence (CDD) and Know Your Customer (KYC) procedures as determined from time to time by the Central Bank through Directives.

The payment service providers including remittance money service providers shall identify and keep records of the identification of payer/sender and payee/receiver of the funds, without considering the geographic location of sender or receiver of transferred funds.

Article 37 – Assessment of products and technologies with regard to ML/FT

PSPs shall identify and assess the money laundering or terrorist financing risks that may arise in relation to:
the development of new products and new business practices, including new delivery mechanisms, and
the use of new or developing technologies for both new and pre-existing products.

The risk assessment shall take place prior to the launch of the new products, business practices or the use of new or developing technologies.

PSPs shall take appropriate measures to manage and mitigate those risks.

Article 38 – Interoperability

The payment services providers that are licensed under this Regulation shall use technologies complying with international standards as may be determined by the Central Bank through directives.

Payment services providers shall be able to interoperate with other payment services providers in accordance with the requirements determined by the Central Bank directives.

Article 39 – Prohibition of exclusivity agreement

Contracts with exclusivity are not permitted by this regulation unless they are authorized by the Central Bank.

Article 40 – Reporting requirements

A payment services provider shall submit their returns to the Central Bank on-line or as directed in the prescribed format within 10 days following the month under report.

The Central Bank by directive, shall determine the required reports and related formats.

Article 41 – Notification and approval for change

The payment services providers shall notify the Central Bank a month before the implementation of any changes or enhancements that shall expand the scope or change the nature of payment services as originally provided.

These changes or enhancements include but are not limited to:
additional capabilities of the branchless banking instrument, like access to new payment channels;
engaging a new bank to hold trust account;
changes in commissions/prices structure;
upgrade of the existing core system for the provision of payment services;

In the event of the changes or enhancements mentioned in paragraph one (1) of this Article, the payment services providers shall request for Central Bank approval to introduce the following changes:
changes in selection criteria for agents;
change of the core system for the provision of payment services;
partnership with international and domestic money transfer service providers;
expand the provision of payment services outside the borders of the Republic of Rwanda.

Article 42 – Sanctions

Any person or entity engaging in payment services without the proper authorization of the Central Bank shall be punished in accordance with the penal provisions.

Chapter VII
Final provisions

Article 43 – Repealing provision

The regulation n° 07/2015 of governing payment services providers and all prior regulatory provisions inconsistent with this Regulation are hereby repealed.

Article 44 – Drafting, consideration and approval of this Regulation

This Regulation was drafted, considered and approved in English.

Article 45 – Commencement

This Regulation shall come into force on the date of its publication in the Official Gazette of the Republic of Rwanda.

Annex I

Fit and proper criteria

A. Criteria

A fit and proper person is expected to be a relevant person who is competent, honest, has integrity and is of sound financial standing.

1. Honesty, integrity and reputation

The factors set out in the following paragraphs are relevant to the assessment of the honesty, integrity and reputation of a relevant person. The factors include, but are not limited to whether the relevant person:
a) has been refused the right or restricted in its or his right to carry on any trade, business, or profession for which a specific license, registration or other authorisation is required by law in any jurisdiction;
b) has been issued a prohibition order under any Act administered by Project piloting or has been prohibited from operating in any jurisdiction by any financial services regulatory authority;
c) has been censured, disciplined, suspended or refused membership or registration by the Central Bank, any other regulatory authority, an operator of a market, clearing facility, any professional body or government agency, whether in Rwanda or elsewhere;
d) has been the subject of any complaint made reasonably and in good faith, relating to activities that are regulated by the Central Bank or under any law in any jurisdiction;
e) has been the subject of any proceedings of a disciplinary or criminal nature or has been notified of any potential proceedings or of any investigation which might lead to those proceedings, under any law in any jurisdiction;
f) has been convicted of any offence, or is being subject to any pending proceedings which may lead to such a conviction, under any law in any jurisdiction;
g) has had any judgment (in particular, that associated with a finding of fraud, misrepresentation, or dishonesty) entered against the relevant person in any civil proceedings or is a party to any pending proceedings which may lead to such a judgment, under any law in any jurisdiction;
h) has accepted civil liability for fraud or misrepresentation under any law in any jurisdiction;
i) has had any civil penalty enforcement action taken against it or him by the Central Bank or any other regulatory authority under any law in any jurisdiction;
j) has contravened or abetted another person in breach of any laws or regulations, business rules or codes of conduct, whether in Rwanda or elsewhere;
k) has been the subject of any investigations or disciplinary proceedings or been issued a warning or reprimand by the Central Bank, any other regulatory authority, an operator of a market, clearing facility, any professional body or government agency, whether in Rwanda or elsewhere;
l) has been refused a fidelity or surety bond, whether in Rwanda or elsewhere;
m) has demonstrated an unwillingness to comply with any regulatory requirement or to uphold any professional and ethical standards, whether in Rwanda or elsewhere;
n) has been untruthful or provided false or misleading information to the Bank or been uncooperative in any dealings with the Central Bank or any other regulatory authority in any jurisdiction;
o) in addition to sub-paragraphs (a) to (n), where the relevant person is an individual:
i. is or has been a director, partner, substantial shareholder or concerned in the management of a business that has been censured, disciplined, prosecuted, or convicted of a criminal offence, or been the subject of any disciplinary or criminal investigation or proceeding, in Rwanda or elsewhere, in relation to any matter that took place while the person was a director, partner, substantial shareholder or concerned in the management of the business;
ii. is or has been a director, partner, substantial shareholder or concerned in the management of a business that has been suspended or refused membership or registration by the Central Bank, any other regulatory authority, an operator of a market or clearing facility, any professional body or government agency, whether in Rwanda or elsewhere;
iii. has been a director, partner, substantial shareholder or concerned in the management of a business that has gone into insolvency, liquidation, or administration during the period when, or within a period of one year after, the relevant person was a director, partner, substantial shareholder or concerned in the management of the business, whether in Rwanda or elsewhere;
iv. has been dismissed or asked to resign from office, employment, a position of trust or a fiduciary appointment or similar position, whether in Rwanda or elsewhere;
v. is or has been subject to disciplinary proceedings by his current or former employer(s), whether in Rwanda or elsewhere;
vi. has been disqualified from acting as a director or disqualified from acting in any managerial capacity, whether in Rwanda or elsewhere; and
vii. has been an officer found liable for an offence committed by a body corporate as a result of the offence having proved to have been committed with the consent or connivance of, or neglect attributable to, the officer, whether in Rwanda or elsewhere;

2. Competence and capability

The factors set out in the following paragraphs are relevant to the assessment of the competence and capability of a relevant person. The factors include but are not limited to:
a) whether the relevant person has satisfactory past performance or expertise, having regard to the nature of the relevant person’s business or duties, as the case may be, whether in Rwanda or elsewhere;
b) where the relevant person is an individual who is assuming concurrent responsibilities, whether such responsibilities would give rise to a conflict of interest or otherwise impair his ability to discharge his duties in relation to any activity regulated by the Central Bank under the relevant legislation;
c) in relation to a relevant person whose activity is regulated by the Central Bank whether the representative of the relevant person has satisfactory educational qualification or experience, relevant skills and knowledge, whether in Rwanda or elsewhere, having regard to the nature of the duties they are required to perform.

3. Financial soundness

The factors set out in the following paragraphs are relevant to the assessment of the financial soundness of a relevant person. The factors include but are not limited to, whether the relevant person:
a) is or has been unable to fulfil any of its or his financial obligations, whether in Rwanda or elsewhere;
b) has entered into a compromise or scheme of arrangement with its or his creditors or made an assignment for the benefit of its or his creditors, being a compromise or scheme of arrangement or assignment that is still in operation, whether in Rwanda or elsewhere;
c) is subject to a judgment debt which is unsatisfied, either in whole or in part, whether in Rwanda or elsewhere;
d) in addition to sub-paragraphs (a) to (c), in the case where the relevant person is an individual:
i. is or has been the subject of a bankruptcy petition, whether in Rwanda or elsewhere;
ii. has been adjudicated a bankrupt and the bankruptcy is undischarged, whether in Rwanda or elsewhere;
iii. is or has been subject to any other process outside Rwanda that is similar to those referred to in sub-paragraph (i) and (ii); and
e) in addition to sub-paragraphs (a) to (c), in the case where the relevant person is a corporation:
i. is or has been the subject of a winding up petition, whether in Rwanda or elsewhere;
ii. is in the course of being wound-up or otherwise dissolved, whether in Rwanda or elsewhere;
iii. is or has been subject to any other process outside Rwanda that is similar to those referred to in sub-paragraphs (i) to (ii).

B. Forms

[Editorial note: The forms have not been reproduced.]

Appendix II

Forms

[Editorial note: The forms have not been reproduced.]

History of this document

02 April 2018 this version
27 March 2018
Assented to