2018-01-01
The Registrar of Financial Institutions issued this directive to establish comprehensive information management requirements for banks, mandating the adoption of written policies and the identification, protection, and electronic storage of records with business value. Banks must implement supporting methodologies, including classification structures and back-up procedures, while maintaining all relevant information for a minimum of seven years. The directive revokes the 2012 Record Keeping Directive, grants the Registrar unannounced inspection rights, and enforces compliance through monetary penalties of up to K50 million for institutions and K10 million for senior management.
# GOVERNMENT NOTICE No. 30
## FINANCIAL SERVICES ACT
(CAP. 44:05)
### FINANCIAL SERVICES (INFORMATION MANAGEMENT REQUIREMENTS FOR BANKS) DIRECTIVE, 2018
### ARRANGEMENT OF PARAGRAPHS
| PARAGRAPH | PART I—PRELIMINARY |
|------------|---------------------|
| 1. Citation | |
| 2. Interpretation | |
| | PART II—OBJECTIVE |
| 3. Objectives | |
| | PART III—RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT |
| 4. Board and management responsibility | |
| | PART IV—OBLIGATIONS OF A BANK |
| 5. Identification of information resources of business value | |
| 6. Protection of information resources of business value | |
| 7. Record keeping | |
| 8. Supporting methodologies | |
| 9. Back-up | |
---
## PART I—PRELIMINARY
### 1. Citation
This Directive may be cited as the Financial Services (Information Management Requirements for Banks) Directive, 2018.
### 2. Interpretation
In this Directive unless the context otherwise requires:
- “Act” means the Financial Services Act;
- “account” means any facility or arrangement by which a bank does any of the following:
- (a) accepts deposits;
- (b) allows withdrawals of currency or transfers of currency into or out of the account; or
- (c) pays cheques or payment orders drawn on the banking institution by, or collects cheques or payment orders on behalf of a person other than the banking institution; or
- (d) an arrangement for a safe deposit box.
- “bank” has the same meaning ascribed to that term in the Banking Act;
- “correspondent banking” means the provision of banking services by one bank (the “correspondent bank”) to another bank (the “respondent bank” and “respond likely
- “customer” means any person or entity that maintains an account with the bank, those on whose behalf an account is maintained (i.e., beneficial owners), the beneficiaries of transactions conducted by professional intermediaries, and any person or entity connected with a financial transaction who can pose a correspondent banking relationship.
- “financial institution” has the definitions ascribed to that term in the Act.
---
## PART II—OBJECTIVE
### 3. Objectives
The objectives of this Directive are to ensure:
- (a) implementation of effective information management practices that enable banks to manage records in a manner that can be easily reconstructed; and
- (b) the protection of information of business value.
---
## PART III—RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT
### 4. Board and management responsibility
(1) The Board of Directors of a bank shall adopt and ensure implementation by management, of a written policy on information management.
(2) The written policy shall at a minimum:
- (a) take into account the requirements stipulated in this Directive; and
- (b) be reviewed at least annually to ensure that the policy remains appropriate and prudent.
(3) Senior management of a bank shall ensure that record keeping is an integral part of the bank’s overall information management program.
---
## PART IV—OBLIGATIONS OF A BANK
### 5. Identification of information resources of business value
A bank shall identify and protect its information resources of business value based on an analysis of its departmental functions and activities.
### 6. Protection of information resources of business value
A bank shall protect its information resources of business value.
### 7. Record keeping
The records shall be:
- (a) sufficient to enable a transaction to be readily reconstructed at any time;
- (b) stored electronically or otherwise; and
- arranged in a manner that will enable a transaction to be readily reconstructed at any
- (c) maintained in a manner that will enable a particular transaction to
### 8. Supporting methodologies
A bank shall establish key methodologies, mechanisms and tools to support the bank’s record keeping and these shall include:
- (a) identifying, establishing, implementing and maintaining repositories in which information resources of business value are stored or preserved in electronic format; and
- (b) establishing, using and maintaining classification structures to facilitate storage, search and retrieval of information resources of business value in all formats to comply with information requests from the Registrar.
### 9. Back-up
A bank shall ensure that appropriate back-up and recovery procedures are in place for all information of business value.
---
## PART V—ENFORCEMENT
### 10. Inspection
The records referred to in paragraph 7 (a) shall be subject to inspection from time to time and without notice, by the Registrar.
### 11. Record keeping period
A bank shall preserve the records and information required to be kept under this Directive for a period of at least seven (7) years.
### 12. Disposal of information
A bank shall develop and implement a documented disposal process for all information resources, and ensure that the disposal process is performed after the retention period.
### 13. Dormant accounts
(1) A bank account shall be classified as a dormant account where there has been no transaction on the bank account for twelve (12) months after the last transaction.
(2) A bank shall, as soon as practicable, transfer a dormant account to a separate register of dormant accounts maintained in the books of the bank and a notice of the transfer shall be given to the depositor at his last known address or through a newspaper of wide circulation.
(3) A bank shall cease to charge service fees or any other form of fees or charges on the dormant account transferred in sub-paragraph (2) immediately from the date of transfer.
---
## PART V—ENFORCEMENT
### 14. Monetary penalties
The Registrar shall impose the following monetary penalties for violations of this Directive:
- (a) for banks, up to fifty million Kwacha (K50,000,000); and
- (b) for natural persons who are members of the financial institution's Board of Directors or senior management, up to ten million Kwacha (K10,000,000).
### 15. Administrative penalties
In addition to the monetary penalties imposed in paragraph revocation of the Financial Services (Record Keeping Requirements for Banks) Directive, 2012.
### 16. Revocation
The Financial Services (Record Keeping Requirements for Banks) Directive, 2012 is hereby revoked.
**Made this 3rd day of April, 371**
**FILE NO. FIN/FPSPD/03/04**
D. KABAMBE, PhD
Registrar of Financial Institutions