Regulation on the Organization of Work with Payment Agents

‘Approved’ Central Bank of the Republic of Azerbaijan Resolution № 02/1 17 January 2024 Regulation on the organization of work with payment agents

1. General provisions 1.1. This Regulation has been developed in accordance with Article 9 of the Law of the Republic of Azerbaijan ‘on Payment services and payment systems’ (hereinafter – the Law) and establishes the requirements for involvement of a payment agent (hereinafter – the agent) by a bank, a payment institution and an electronic money institution (hereinafter – the institution) in the Republic of Azerbaijan, the provision of payment services by the agent, including the conditions of the agreement concluded with the agent. 1.2. The institution may engage an agent only within the country to provide the services provided for in this Regulation. In this case, the institution is fully responsible for the activities performed by its agents on relevant services as per the Law. 1.3. The agent may not engage in payment services without being entered to the register kept by the Central Bank of the Republic of Azerbaijan (hereinafter - the Central Bank) as per the law. 1.4. The agent may not impose a service fee in addition to service fees applied by the payment service institution or request any other form of payment. 1.5. The agent may act on behalf of one or more institutions. This right of the agent may not be directly or indirectly restricted. 1.6. The definitions used in this Regulation bear the meanings specified in the Law.

2. Payment services provided by agents 2.1. Acting on behalf of the institution, agents may engage in the following payment services (hereinafter – services): 2.1.1. cash crediting and/or debiting of funds on the payment accounts 2.1.2. execution of payment operations with credit transfer, direct debiting, payment cards or other similar payment instruments. 2.1.3. money remittances. 2.1.4. the sale of and repayment of residual value of electronic money. 2.2. Only domestic transactions may be conducted through an agent (except for the cases when the institutions specified in Articles 3.3.2-3.3.6 of the Law function as agents) 2.3. The institution may set limits on services provided through agents in its internal rules as part of the risk management system.

3. Requirements for engagement of and provision of services by an agent 3.1. The institution should have internal rules on the organization of work with agents approved by the competent management body. The internal rules define at least rules and procedures for conducting transactions related to each service provided through an agent, rules for monitoring the agent's activity and instances of changing and canceling the agreement with the agent. The internal rules should be reviewed at least once every six months and changes should be made, if necessary. 3.2. The institution should include the agents it engages in its internal control program outlined in Article 10 of the Law of the Republic of Azerbaijan ‘on Prevention of the legalization of criminally obtained property and the financing of terrorism’ and monitor compliance of the agents with the actions arising from the program. 3.3. The agent should have necessary communication channels for interaction with the institution, the appropriate infrastructure, and human resources capable of working with that infrastructure. 3.4. The institution takes measures to ensure security during the provision of services through the agent, prevent risks, avoid situations that may endanger the reputation of the institution and create a single database of violations, including cases of fraud. 3.5. The institution appoints a person responsible for managing complaints and resolving disputes related to the services provided through the agent. 3.6. The institution should conduct training for agent's employees at the start of operations and periodically as necessary to align services provided by the agent and relations with the institution to the requirements of the legislation in the field of payment services and other legal acts regulating financial markets. 3.7. The institution publishes a list of contracted agents and at least the following information on the agents on its official website: 3.7.1. agent's name, legal address, TIN, addresses where it will provide services for the institution and/or domain names of Internet information resources. 3.7.2. agent’s business hours. 3.7.3. limits on services to be provided through the agent (if applicable). 3.7.4. service fees on services to be provided through the agent. 3.7.5. a procedure for making complaints about the services provided through the agent. 3.8. The agent should provide the following information to customers at the addresses and/or internet information resources where it will provide services for the institution: 3.8.1. agent’s name, legal address, TIN and contact facilities (contact number, e-mail address (if any), etc.). 3.8.2. the name, legal address, TIN, license number and means of communication (phone number, e-mail address, etc.) of the institution on whose behalf the services are provided. 3.8.3. the name and address of the Central Bank as a supervisory authority.

4. Requirements for the agreement concluded with the agent 4.1. The agent provides services based on the agreement signed with the institution. 4.2. The agreement signed between the institution and the agent specifies at least:

4.2.1. agent's name, legal address, e-mail address (if any) and addresses where it will provide services for the institution and/or domain names of Internet information resources. 4.2.2. rights and responsibilities of the parties. 4.2.3. services and limits (if applicable) to be provided by the agent. 4.2.4. means of providing services (physically providing services by an agent (employee) in any location, payment terminals, Internet information resources, etc.). 4.2.5. rules and procedures for the conduction of transactions related to each service provided through an agent, and the rules for organizing the work with cash. 4.2.6. the procedure for informing payment service users that the agent acts on behalf of the institution. 4.2.7. order of information sharing and settlements between the institution and the agent. 4.2.8. the procedure for ensuring data security, as well as requirements for the protection of data of payment service users, including sensitive payment data and personal data. 4.2.9. the order of storage of documents and information. 4.2.10. the procedure for monitoring the agent’s activity on institution-defined services. 4.2.11. if applicable, requirements for guaranteeing fulfillment of obligations by the agent (deposit placement by the agent, provision of a bank guarantee, civil liability insurance, etc.) 4.2.12. requirements for agent's software and payment terminals (if services are provided through payment terminals). 4.2.13. agent's reporting to the institution, including reports on frauds and suspicious transactions. 4.2.14. fees payable to the agent under the agreement. 4.2.15. liability of the parties for non-performance or improper performance of contractual obligations. 4.2.16. the complaint handling and dispute resolution procedure. 4.2.17. circumstances and procedure for changing and canceling the agreement. 4.3. If the agreement between the institution and the agent is terminated, the agent should hand over all documents related to the provision of services to the institution. 5. Requirements for information sharing between the institution and the agent 5.1. Data integrity and confidentiality should be ensured during information sharing between the agent and the institution. 5.2. Information sharing between the institution and agents should meet at least the following requirements: 5.2.1. transactions executed by the agent should be processed in real time and transmitted to the institution. 5.2.2. to ensure information security, information sharing should be conducted via encrypted channels. 5.2.3. the information transmitted by the institution and the agent should be protected against external intrusions, unauthorized disclosure, and modifications. 5.2.4. the institution and the agent should register actions that may affect information security, with appropriate logging, and provide ongoing monitoring to detect unauthorized intrusions.