2018-01-01

Financial Services (Information Management Requirements for Banks) Directive 2018

Issued by the Registrar of Financial Institutions under the Financial Services Act, this directive mandates Malawian banks to implement comprehensive information management frameworks that ensure the identification, protection, and reconstructible storage of all business-critical records. Banks must maintain these records for a minimum of seven years, establish robust electronic backup and recovery systems, classify accounts as dormant after twelve months of inactivity, and implement documented disposal processes. The directive revokes the 2012 record keeping requirements and empowers the Registrar to enforce compliance through administrative actions and monetary penalties of up to K50 million for institutions and K10 million for senior executives.

Malawi

Reserve Bank of Malawi

GOVERNMENT NOTICE No. 30

FINANCIAL SERVICES ACT  
(CAP. 44:05)  
FINANCIAL SERVICES (INFORMATION MANAGEMENT REQUIREMENTS FOR BANKS) DIRECTIVE, 2018  
ARRANGEMENT OF PARAGRAPHS  

PARAGRAPH  
PART I—PRELIMINARY  
1. Citation  
2. Interpretation  

PART II—OBJECTIVE  
3. Objectives  

PART III—RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT  
4. Board and management responsibility  

PART IV—OBLIGATIONS OF A BANK  
5. Identification of information resources of business value  
6. Protection of information resources of business value  
7. Record keeping  
8. Supporting methodologies  
9. Back-up  

---

368  
27th April, 2018  

10. Inspection  
11. Record keeping period  
12. Disposal of information  
13. Dormant accounts  

PART IV—ENFORCEMENT  
14. Monetary penalties  
15. Administrative penalties  
16. Revocation  

IN EXERCISE of the powers conferred by Section 34 (2) (k) of the Financial Services Act, I, DR. DALITSO KABAMBE, Registrar of Financial Institutions, make the following Directive—  

PART I—PRELIMINARY  
Citation  
1. This Directive may be cited as the Financial Services (Information Management Requirements for Banks) Directive, 2018.  

Interpretation  
2. In this Directive unless the context otherwise requires—  
“Act” means the Financial Services Act;  
“account” means any facility or arrangement by which a bank does any of the following—  
(a) accepts deposits;  
(b) allows withdrawals of currency or transfers of currency into or out of the account; or  
(c) pays cheques or payment orders drawn on the banking institution by, or collects cheques or payment orders on behalf of a person other than the banking institution;  
(d) supplies a facility or an arrangement for a safe deposit box;  
“bank” has the same meaning ascribed to that term in the Banking Act (Cap. 44:01);  
“correspondent banking” means the provision of banking services by one bank (the “correspondent bank”) to another bank (the “respondent bank”);  
“customer” means any person or entity that maintains an account with the bank or those on whose behalf an account is maintained (i.e. beneficial owners); the beneficiaries of transactions conducted by professional intermediaries; and any person or entity connected with a financial transaction who can pose a significant reputational or other risk to the bank;  
“financial institution” has the same meaning ascribed to that term in the Act;  
“information management” means a resource management function through which information resources of business value are created, acquired, captured, managed or stored in the bank and used as a strategic asset to support effective decision making and facilitate ongoing operations and delivery of products and services; and  
“Registrar” means the Registrar of Financial Institutions appointed under the Act.  

PART II—OBJECTIVE  
3. The objectives of this Directive are to ensure—  
(a) implementation of effective information management practices that enable banks to manage records in a manner that can be easily reconstructed; and  
(b) the protection of information of business value.  

PART III—RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT  
4.—(1) The Board of Directors of a bank shall adopt and ensure implementation by management, of a written policy on information management.  
(2) The written policy shall at a minimum—  
(a) take into account the requirements stipulated in this Directive; and  
(b) be reviewed at least annually to ensure that the policy remains appropriate and prudent.  
(3) Senior management of a bank shall ensure that record keeping is an integral part of the bank’s overall information management program.  

PART IV—OBLIGATIONS OF A BANK  
5. A bank shall identify and protect its information resources of business value based on analysis of its departmental functions and activities.  
6.—(1) A bank shall keep a record of—  
(a) a customer’s account;  
(b) transactions carried out by a customer;  
(c) correspondence relating to the transactions that enables a transaction to be readily reconstructed at any time by the Registrar; and  
(d) any other transaction that a bank carries out in the course of its business.  

Record keeping  
7. The records shall be—  
(a) sufficient to enable a transaction to be readily reconstructed at any time;  
(b) stored electronically or otherwise; and  
(c) maintained in a manner that will enable a bank to comply immediately with requests for information from the Registrar.  

Supporting methodology  
8. A bank shall establish key methodologies, mechanisms and tools to support the bank’s record keeping and these shall include—  
(a) identifying, establishing, implementing and maintaining repositories in which information resources of business value are stored or preserved in electronic format; and  
(b) establishing, using and maintaining classification structures to facilitate storage, search and retrieval of information resources of business value in all formats to comply with information requests from all stakeholders including the Registrar.  

Back-up  
9. A bank shall ensure that appropriate backup and recovery procedures are in place for all information of business value.  

Inspection  
10. The records referred to in paragraph 7 (1) shall be subject to inspection from time to time and without notice, by the Registrar.  

Record keeping period  
11. A bank shall preserve the records and information, required to be kept under this Directive for a period of at least seven (7) years.  

Disposal of information  
12. A bank shall develop and implement a documented disposal process for all information resources and ensure that the disposal process is performed after the retention period.  

Dormant accounts  
13.—(1) A bank account shall be classified as a dormant account where there has not been any transaction on the bank account for twelve (12) months after the last transaction.  
(2) A bank shall, as soon as practicable, transfer a dormant account to a separate register of dormant accounts maintained in the books of the bank and a notice of the transfer shall be given to a depositor at his last known address or through a Notice published in a newspaper of wide circulation.  
(3) A bank shall cease to charge service fees or any other form of fees or charges on the dormant account transferred in subparagraph (2) immediately from the date of the transfer.  

PART IV—ENFORCEMENT  
Monetary penalties  
14.—(1) The Registrar shall impose the following monetary penalties for violations of this Directive—  
(a) for banks, up to fifty million Kwacha (K50,000,000); and  
(b) for natural persons who are members of the Board of Directors or senior management, up to ten million Kwacha (K10,000,000).  
(2) With respect to banks, the Registrar shall—  
(a) debit the penalty in subparagraph (1) (a) from the main account of the bank maintained at the Reserve Bank of Malawi; and  
(b) notify the bank in writing prior to debiting the account.  

(3) With respect to natural persons or where the bank does not maintain an account with the Reserve Bank of Malawi, the natural person or the bank shall pay the penalty through a bank certified cheque or electronic transfer payable to the Reserve Bank of Malawi within ten (10) working days after being notified by the Registrar.  

Administrative penalties  
15. In addition to the monetary penalties imposed in paragraph 14 (1), the Registrar may impose directions, administrative penalties and enforcement action as provided for under the Act and the Banking Act.  

Revocation of G.N. 35/2012  
16. The Financial Services (Record Keeping Requirements for Banks) Directive, 2012 is hereby revoked.  

Made this 3rd day of April, 2018.  
D. KABAMBE, PhD  
Registrar of Financial Institutions  

(FILE NO. FIN/PFSPD/03/04)