Decision on Submitting Data on the Functioning of the Payment System

Based on Article 2, paragraph 3, point c), Article 7, point b), Articles 58, 68, and 70 of the Law on the Central Bank of Bosnia and Herzegovina ("Official Gazette of BiH", nos. 1/97, 29/02, 8/03, 13/03, 14/03, 9/05, 76/06, and 32/07) and Articles 5, 12, 14, and 21 of the Decision on the Supervision of the Functioning of Payment Systems ("Official Gazette of BiH", no. 76/22), the Governing Board of the Central Bank of Bosnia and Herzegovina, at its 12th session held on 14.08.2024, adopts

Decision on submitting data on the functioning of the payment system

Article 1. (Subject of the Decision) This Decision further regulates the content and manner of submitting reports, documents, and other data by supervised payment systems as determined by Article 2 of the Decision on the Supervision of the Functioning of Payment Systems ("Official Gazette of BiH", no. 76/22), or payment systems that the Central Bank of Bosnia and Herzegovina supports, establishes, and maintains in accordance with Article 2, paragraph 3, point c) of the Law on the Central Bank of Bosnia and Herzegovina, classified in accordance with Article 6 of the Decision on the Supervision of the Functioning of Payment Systems ("Official Gazette of BiH", no. 76/22).

Article 2. (Types of reports, documents, and data) The supervised payment system prepares and submits the following types of reports, documents, and data to the Central Bank:

• report on the functioning of the payment system;
• reports, documents, and data on performance, architecture, architectural changes, participants, and other significant aspects of the functioning of the payment system;
• incident reports in the payment system;
• reports on risk management in the payment system.

Article 3. (Report on the functioning of the payment system) (1) The supervised payment system is required to submit to the Central Bank a report on the functioning of the payment system that includes at least the following quantitative and qualitative data:

• list of participants (full name of the participant from the decision on registration of the legal entity);
• working days of the system in the reporting period (if the system did not operate on a day that is not prescribed as a non-working day by the system's operating rules, the reason must be stated);
• number and value of executed transactions per day;
• number and value of executed transactions for each participant per day;
• number and value of executed settlement transactions for systems that settle within the payment system per day;
• number and value of transactions on the day of highest traffic;
• number and value of transactions in the hour of highest traffic;
• number and value of transactions for intervals in BAM:
  • 0.01 – 10.00,
  • 10.01 – 100.00,
  • 100.01 – 500.00,
  • 500.01 – 2,000.00,
  • 2,000.01 – 5,000.00,
  • 5,000.01 – 10,000.00,
  • 10,000.01 – 20,000.00,
  • 20,000.01 – 100,000.00,
  • 100,000.01 – more;
• number and duration of interruptions in the operation of the payment system (enter data for each recorded interruption and in aggregate for the reporting period and time interval) and a description for each interruption;
• number and duration of extensions of the system's working day (enter data for each recorded extension and in aggregate for the reporting period and time interval) and a description for each extension;
• overview of unsettled payments per day and participant;
• overview of deferred payments per day and participant;
• use of additional sources due to settlement delays (number, value, and type of orders where a settlement delay occurred, and the value of mobilized additional funds);
• information on the recall of settlement (state the date, number, and value, and the reason for the recall of settlement).

(2) The report referred to in paragraph (1) of this Article is submitted monthly within three working days after the end of the reporting month.

Article 4. (Reports, documents, and data on performance, architecture, architectural changes, participants, and other significant aspects of the functioning of the payment system) (1) The supervised payment system is required to submit to the Central Bank all available reports, documents, and data on performance, architecture, architectural changes, participants, and other significant aspects of the functioning of the payment system as follows:

• current organization of payment system management (current versions of the organizational scheme and relevant information regarding responsibilities concerning the organization of the payment system);
• current versions of key documents related to the design and functioning of the system;
• a report containing relevant documentation confirming the operational capacity of the system, i.e., testing of scalability and adequacy of capacity to manage projected stress volumes;
• analyses of objectives serving as benchmarks for assessing the efficiency and effectiveness of the payment system;
• current versions of legal, organizational, and technical arrangements with service providers;
• current versions of audit reports;
• reports on participants in the payment system immediately upon occurrence, which include the exclusion of a participant, re-inclusion of a participant, inclusion of a new participant, and status changes of participants;
• contracts with participants, information, and reports on relevant correspondence with participants in the payment system regarding issues and documents significant for the functioning of the payment system (e.g., meeting minutes, feedback from participants, etc.);
• contracts, information, and reports on correspondence that the supervised payment system maintains with internal or external service providers;
• business continuity plans and crisis management plans;
• business continuity testing plans and crisis management testing plans immediately upon creation, and no later than the beginning of the calendar year to which the planning relates;
• reports on completed regular and emergency business continuity and crisis management tests immediately after the completion of the test, and no later than within three working days after the completion of the test;
• documentation and all other relevant information related to changes in the system's operating rules;
• documentation and all other relevant information related to changes in the system's architecture, which includes documents and reports confirming the notification of participants in the payment system about the change, and follow-up reports on conducted testing, and assessment of change risk, no later than within three working days after the occurrence of the change;
• documentation and all other relevant information related to changes concerning other systems immediately upon the occurrence of the change, and no later than within three working days after the occurrence of the change, except for changes determined by paragraph (3) of this Article;
• strategic and annual plans for changes in the payment system concerning the business model, management arrangements, as well as for major changes concerning technology or system capacity, including initial project documentation and feasibility studies for new projects immediately upon adoption, and no later than the beginning of the calendar year to which the planning relates.

(2) The supervised payment system is required to submit to the Central Bank reports, documents, and data:

• from points a), b), e), f), m) of paragraph (1) of this Article within 30 days from the date of occurrence;
• from points c), d), h), i), j) of paragraph (1) of this Article at least once a year;

(3) In the case of changes that may have a significant impact on the operation of the payment system in terms of compliance with principles and regulations adopted by the Central Bank, the supervised payment system is required to notify the Central Bank no later than 10 working days before the planned implementation of the change.

Article 5. (Incident reports in the payment system) (1) In the event of an incident in the payment system, the supervised payment system is required to notify the Central Bank no later than the next working day from the occurrence of the incident and provide all available data and information, and within three days from the occurrence of the incident, submit an incident report in the payment system.

(2) The incident report in the payment system referred to in paragraph (1) of this Article contains at least the following data:

• date and time of the occurrence of the incident,
• duration of the incident,
• impact on the service level of the payment system (with all available qualitative and quantitative data),
• impact on participants in the payment system,
• actions taken to notify and inform participants in the payment system, providers of critical services of the payment system, and, if necessary, other interested parties, primarily those with interconnected financial market infrastructures.

(3) The supervised payment system is required to submit to the Central Bank within 20 working days from the date of the occurrence of the incident a report with information on a comprehensive description of the incident, which includes identifying the main cause of the incident, and if possible, all details regarding corrective actions taken.

(4) If the Central Bank assesses that the report referred to in paragraph (3) of this Article is incomplete, the supervised payment system is required to report to the Central Bank every 90 days on the status of actions taken until the submission of a complete report as defined in paragraph (3) of this Article.

Article 6. (Report on risk management in the payment system) (1) The supervised payment system is required to submit to the Central Bank no later than 31.03. of the current year for the previous year a report on risk management in the payment system, which contains the methodological framework and all necessary information on identified risks, risk assessment, and actions taken.

(2) If a circumstance occurs that affects a change in the type or level of risk, or a change in the management of risks in the payment system, the supervised payment system is required to submit a report to the Central Bank on the circumstances, the impact of the change on the risk profile, and management, in the shortest possible time, and no longer than 30 days from the occurrence of the relevant circumstance.

Article 7. (Other reports, documents, and data) (1) The supervised payment system is required to submit, upon request of the Central Bank, emergency reports on the functioning of the payment system.

(2) The Central Bank determines the appearance, content, and deadlines for the submission of emergency reports.

Article 8. (Notification in case of inability to fulfill obligations) If the supervised payment system is unable to fulfill any obligation under this Decision within the established deadline, it is required to immediately notify the Central Bank of the reasons and the expected time for fulfilling the unfulfilled obligations.

Article 9. (Final Provisions) (1) This Decision enters into force on the eighth day from the date of publication on the intranet page of the Central Bank.

(2) This Decision will also be published on the internet page of the Central Bank.

Chairperson No.: UV-122-02-1-1505-4/24 Governing Board of the Central Bank Sarajevo, 14.08.2024 GOVERNOR dr. Jasmina Selimović