2011-11-23
The Prudential Control Authority issued Instruction No. 2011-I-17 to amend the application dossier required for the approval of payment institutions under the Monetary and Financial Code. The modifications update specific sections of the form to require detailed disclosures regarding capital adequacy calculations, internal control procedures, and the management of third-party agents. Furthermore, the instruction expands requirements for anti-money laundering risk classifications, technical architecture descriptions, and comprehensive risk analysis regarding payment instruments and information systems.
The Prudential Control Authority,
Having regard to the Monetary and Financial Code, in particular Articles L. 522-1, L. 522-6, L. 612-24, and R. 612-21;
Having regard to the Order of 29 October 2009 on the prudential regulation of payment institutions, in particular Articles 2 and 3;
Having regard to the opinion of the Consultative Committee on Combating Money Laundering dated 21 September 2011;
Having regard to the opinion of the Consultative Committee on Prudential Affairs dated 4 November 2011;
Decides:
Article 1
The file provided for in Article 2 of the aforementioned Order is amended as follows:
a) On page 36, the paragraph "Nature of envisaged resources" is supplemented by:
"Calculations are based on the figures from the previous financial year. Thus, to calculate the capital requirements for year N, the relevant indicator must be that of year N-1. For the first year of activity, the indicator corresponds to that of the current year; for the second year, the indicator is identical but must be weighted by a pro-rata temporis factor to provide representative data if year N is incomplete."
b) On page 37, the first paragraph, "Organisation," is supplemented by:
"
Instruction No. 2011-I-17 amending the application form for the approval of payment institutions
c) Page 37 is then supplemented by:
"B. Periodic Control (Regulation 97-02 amended by the Committee for Banking and Financial Regulation)
Name of the person responsible for periodic control:
Organisation: clarify the system provided for to comply with Regulation No. 97-02 amended.
➢ Outsourcing: in the event of outsourcing the tasks of carrying out permanent or periodic controls defined in Article 6 of Regulation No. 97-02, provide the draft contract providing for the supply of this essential service under conditions compliant with the provisions of said Regulation regarding outsourcing."
d) On page 38, the terms "and prohibited lotteries, games, and betting" are removed from the title of paragraph D. Obligations relating to combating money laundering, financing of terrorist activities, and prohibited lotteries, games, and betting (Title VI of Book V of the Monetary and Financial Code, Regulations No. 97-02 amended of 21/02/1997 and No. 2002-01 of 18/04/2002 of the Committee for Banking and Financial Regulation), which is supplemented by:
" ➢ Provide a classification of money laundering and terrorist financing risks, in particular the risk of money laundering and terrorist financing related to fund transfer operations, in accordance with Article 11.7 of Regulation No. 97-02 amended, relating to internal control.
➢ Provide the essential elements of the systems provided for to combat money laundering and terrorist financing, in particular:
the methods for identifying and verifying the identity of clients and, where applicable, beneficial owners;
the information elements collected and analyzed, among those listed in the Order of 2 September 2009 taken in application of Article R. 561-12 of the Monetary and Financial Code, for the purpose of customer knowledge based on a risk-based approach;
the methods for monitoring customers with regard to the obligation of constant vigilance under Article L. 561-6 of the Monetary and Financial Code;
the procedures implementing complementary vigilance, in particular for politically exposed persons;
the methods for implementing reporting obligations to Tracfin;
indicate the person responsible for implementing the system for combating money laundering and terrorist financing;
the system adopted for compliance with restrictive measures, in particular obligations related to the freezing of assets.
➢ When the institution intends to use the services of agents as defined in Articles L. 523-1 and following of the Monetary and Financial Code, describe the specific procedures for implementing anti-money laundering and terrorist financing vigilance obligations with these agents and the conditions under which the latter transmit to the institution any information useful for this fight.
➢ Indicate the methods for training and informing staff (including agents) on combating money laundering and terrorist financing.
➢ Describe the procedures allowing for the distinction between business relationships and occasional clients.
➢ Describe the systems for analyzing, alerting, and monitoring money laundering and terrorist financing risks on client operations based on predetermined amounts justifying a request for additional information regarding customer knowledge and/or the rejection of operations."
e) On pages 37 and 38, paragraphs B, C, D, E, F are redesignated respectively by the letters C, D, E, F, and G.
f) On page 40, the title of the paragraph "General description of the technical architecture implemented" becomes "General description of the activity and the technical architecture implemented" and the content of the paragraph is modified as follows:
an item "a) Logical diagram of the dynamics of operations (creation of user profile, collection and control of client data, creation and provision of a payment instrument to the client, use of the payment instrument, execution of payment operations, collection of transactions, presentation for settlement, dispute of payment operations, etc.)" is added.
in the new b), "detailed" is added after "Technical architecture diagram" and "(including servers, firewalls, databases, client workstations, etc.)" is added after "payment service provision".
in c), "(characteristics of the direct debit mandate, presence of a chip on the payment card, etc.)" is added after "each payment instrument".
d) becomes "Diagram of financial flows for each payment operation."
in e), "precise description of the activity carried out by the subcontractor." is added after "identification of subcontractors,".
g) On page 40, the title of the paragraph "Security of technical means implemented" becomes "Risk analysis and security of technical means implemented", and the content of the paragraph is replaced by:
"Based on a risk analysis:
a) Identify risks on the instrument and/or the payment operation. For example: fraud risks (loss/theft, impersonation, diversion, forgery, recovery of personal data, etc.).
b) Identify logical and physical risks on the information system, notably regarding confidentiality, information integrity, and service availability. For example: intrusion (external or internal), denial of service, fire, etc.
c) Identify internal fraud risks. For example: generation of a payment order, modification of information allowing an employee to take control of a user profile, etc.
d) Evaluate identified risks based on their probability of occurrence and the impact generated. The rating scale used must be provided.
e) Presentation of solutions aimed at reducing identified risks. A re-evaluation of risks (probability and/or impact), once measures are applied, must be provided."
h) On page 41, the paragraph "Human and organizational resources intended to ensure the proper functioning of the payment service" is modified as follows in item a):
In ii. "of measures" is replaced by "of the policy";
The following point is added: "iv. Define an annual plan of permanent and periodic controls regarding the security of the information system, including with regard to subcontracting."
Article 2
The file thus modified is annexed to this Instruction.
Paris, 23 November 2011
The President of the Prudential Control Authority,
[Christian NOYER]