2018-04-12

Instruction No. 003/2018-CSBF on the Governance and Control of Electronic Money Institutions

The Banking and Financial Supervision Commission (CSBF) of Madagascar issued Instruction No. 003/2018-CSBF to mandate comprehensive governance and control standards for electronic money institutions (EMIs). The directive requires EMIs to implement a tripartite governance structure, establish detailed internal control and audit systems, and engage independent statutory and IT auditors for external oversight. Failure to comply subjects institutions to disciplinary and financial sanctions under the Electronic Money Law, with the regulation becoming effective immediately upon publication on the central bank’s website.


Madagascar

Banky Foiben'i Madagasikara


CENTRAL BANK OF MADAGASCAR

BANKING AND FINANCIAL SUPERVISION COMMISSION

INSTRUCTION NO. 003/2018-CSBF ON THE GOVERNANCE AND CONTROL OF ELECTRONIC MONEY INSTITUTIONS


The Banking and Financial Supervision Commission (CSBF),

Having regard to Law No. 2016-056 of 2 February 2017 on electronic money and electronic money institutions, known as the Electronic Money Law,

Having regard to Law No. 95-030 of 22 February 1996 on the activity and supervision of credit institutions, as amended,

Having regard to Law No. 2016-004 of 27 July 2016, supplemented by Law No. 2016-057 of 2 February 2017, establishing the Statutes of the Central Bank of Madagascar,

Having regard to Decree No. 2014-1684 of 29 October 2014 appointing the Governor of Banky Foiben'i Madagasikara,

Having regard to Decree No. 2016-151 of 8 March 2016 partially repealing Decree No. 2013-559 of 23 July 2013 and Decree No. 2017-917 of 10 October 2017 appointing the members of the Banking and Financial Supervision Commission,

Having regard to Instruction No. 002/2017-CSBF of 29 September 2017 on the approval of electronic money institutions,

DECIDES

Article 1: This Instruction aims to establish the rules governing the governance and control of electronic money institutions, hereinafter referred to as "EMIs".

Without prejudice to general legal rules arising from their legal form, EMIs shall incorporate into their articles of association the minimum rules defined by this Instruction.


SECTION 1: GOVERNANCE

Article 2: EMIs are required to establish a minimum governance structure with a well-defined, transparent, and coherent division of responsibilities. This structure comprises:

  • a General Assembly of Shareholders;
  • a Board of Directors;
  • the General Management.

General Assembly of Shareholders

Article 3: The organizational and operational procedures of the General Assembly are detailed in Articles 4 and 5 of this Instruction, supplementing the EMI's statutory provisions.

The General Assembly of Shareholders is the supreme decision-making body of the institution.

Article 4: The Ordinary General Assembly:

  • approves the articles of association and decides on any subsequent amendments thereto;
  • approves the Board of Directors' report on the institution's activities;
  • rules on the financial statements and deliberates on the allocation of profits;
  • appoints or removes members of the Board of Directors;
  • sets the remuneration of Board of Directors members;
  • grants the Board of Directors necessary authorizations.

The Ordinary General Assembly meets at least once a year, upon convocation by the Board of Directors, within three months following the closing of each financial year.

Article 5: The Extraordinary General Assembly:

  • decides on any changes to the provisions of the articles of association;
  • approves the modification of the share capital amount;
  • approves the recovery plan proposed by the Board of Directors in case of institutional difficulties;
  • authorizes mergers, demergers, transformations, and partial asset transfers or contributions;
  • decides on the early dissolution of the institution.

Board of Directors

Article 6: The administrative body of the EMI is the Board of Directors (BoD), which ensures compliance with good governance and the effectiveness of the control system.

The organizational procedures of the Board of Directors are detailed in Articles 7 to 12 of this Instruction, supplementing the EMI's statutory provisions.

Article 7: The Board of Directors:

  • defines the general policy and strategic directions for the development of the institution;
  • approves, upon proposal by the General Management:
    • the organizational chart of the institution, accompanied by a clear description of responsibilities assigned to each component;
    • the code of ethics, code of conduct, and internal regulations;
    • the internal audit plan covering organizational, financial, and IT aspects;
    • the business continuity plan;
  • appoints and removes members of the General Management in compliance with statutory provisions;
  • monitors the implementation of the management strategy by the General Management and management acts conferred by legal, regulatory, and statutory provisions;
  • ensures compliance with the legal and regulatory framework, articles of association, procedures, and all other reference documents governing the institution;
  • approves the audit report and the statutory auditors' report;
  • approves the annual management and governance report prepared by the General Management;
  • takes measures provided for in the articles of association and internal regulations in case of non-compliance with the legal and regulatory framework;
  • defines and submits to the Extraordinary General Assembly the recovery plan proposed by the General Management in case of institutional difficulties.

Article 8: The Board of Directors is composed of members elected by the Ordinary General Assembly according to statutory provisions. Any BoD member must demonstrate integrity, expertise, and the required skills to perform their mission.

At least one member must possess in-depth technical skills regarding the EMI's electronic money activity.


Article 9: EMIs must notify the CSBF General Secretariat within one month of any subsequent change in the composition of the Board of Directors, attaching:

  • a copy of the decision attesting to the appointment,
  • the documents required regarding members of corporate bodies as stipulated by the instruction on EMI approval.

Article 10: The Board of Directors establishes an Audit Committee, which supports it in compliance control and validation of audit and statutory auditors' reports, through supervision of work performed by the internal audit function. Its members are drawn from the BoD and designated by it for their expertise in control and audit. The Committee may also engage other individuals chosen for their specific competencies.

Article 11: The BoD verifies at least once a year, through the Audit Committee, whether the institution has an internal control system adapted to its activities and associated risks.

The BoD annually reports to the Ordinary General Assembly on the institution's activities.

Article 12: Any change in the composition of the Audit Committee must be notified within one month of the decision to the CSBF General Secretariat. To this end, the EMI communicates:

  • a copy of the decision attesting to the appointment,
  • the documents required regarding members of corporate bodies as stipulated by the instruction on EMI approval.

General Management

Article 13: The General Management of the EMI is held by at least two natural persons, who must be residents.

These individuals are appointed by the Board of Directors. They are bound to the institution by an employment contract for a duration fixed by the EMI's articles of association.


These executives must meet the following conditions, which shall be incorporated into the EMI's articles of association:

  • be at least 25 years of age;
  • not be subject to the prohibitions set forth in Article 18 of the Electronic Money Law;
  • hold a university degree or equivalent Master's degree in one of the following fields: management, accounting, finance, business law, or computer science;
  • demonstrate at least three years of relevant experience in one or more of the aforementioned fields;
  • not be members of the Board of Directors nor employees of another EMI or credit institution.

Article 14: The General Management is responsible for the day-to-day management of the institution. In this capacity, it:

  • develops and proposes to the Board of Directors for approval:
    • the organizational chart of the institution, accompanied by a clear description of responsibilities assigned to each component;
    • the code of ethics, code of conduct, and internal regulations;
    • the annual management and governance report;
    • the business continuity plan;
    • the institution's recovery plan, in case of difficulty;
  • implements the administrative, accounting, and financial management strategies defined by the Board of Directors for the institution's development, in compliance with procedural manuals and other reference documents in force;
  • establishes:
    • the institution's procedural manuals;
    • the internal control system, including policies and mechanisms for managing the risks to which the institution is exposed;
  • represents the institution in its relations with third parties.

The General Management reports to the Board of Directors at least quarterly on the evolution of the institution's activities. It acts with prudence, diligence, loyalty, and honesty, and respects professional secrecy in the performance of its duties.

Article 15: In the event of a change in the persons holding the General Management positions, the EMI must transmit to the CSBF General Secretariat within one month from the decision:

  • a copy of the decision attesting to the appointment,
  • the documents required regarding executives as stipulated by the instruction on EMI approval.

SECTION 2: CONTROL

Article 16: EMIs are equipped with a control system comprising both internal and external control. This system is documented in writing and regularly updated.

Internal Control

Article 17: EMIs implement an internal control system consisting of a set of measures, which, under the responsibility of the General Management, enable the institution to:

  • conduct business in an orderly and prudent manner, guided by well-defined objectives;
  • utilize available resources efficiently;
  • adequately identify and manage risks to preserve assets;
  • have comprehensive and reliable financial and management information;
  • comply with laws and regulations as well as general policies, plans, and internal procedures.

This system is adapted to the actual or prospective activities of each institution, considering the nature, size, and complexity of these activities and associated risks.

To this end, the EMI implements an internal control system and an internal audit function, in accordance with Articles 18 to 26.

Internal Control System

Article 18: The internal control system aims to prevent, detect, manage, monitor, and control risks inherent to the institution's activities.

To this end, EMIs must maintain:

  • a detailed organizational chart of the institution highlighting the separation of incompatible functions (operational, administrative and accounting, control), the positioning, and the hierarchical reporting of each function. This chart is accompanied by:
    • a clear description of the mission and duties of each component reflecting a clear division of powers and responsibilities;
    • and a detailed job description for each function;
  • framework documents governing the various functions and activities, including at least:
    • the articles of association;
    • the internal regulations;
    • the code of ethics;
    • procedural manuals on (i) transaction processing, from commitment to accounting, (ii) anti-money laundering measures, (iii) customer treatment and consumer protection, (iv) the business continuity plan, and (v) the information system;
  • a monitoring and follow-up mechanism for:
    • the management information system, master account, technical platform, and electronic money transactions, intended to (i) ensure data integrity, authentication, confidentiality, transaction traceability, and consumer protection, and (ii) detect at an early stage any computer intrusion, internal or external fraud or attempted fraud, and any misappropriation;
    • the activities of distribution agents to ensure compliance with legal, regulatory, and contractual provisions;
  • a security system intended to:
    • prevent hardware incidents and alteration of programs or data, including backup and recovery procedures to ensure operational continuity in case of incident or system failure;
    • protect assets (securing operations, values, goods, and personnel against all types of losses such as waste, fraud, abuse, and deterioration due to weather or fire);
  • and an internal audit function.

Article 19: The internal control system is documented in writing and subject to regular updates based on the institution's development and the evolution of associated risks.

Internal Audit Function

Article 20: The internal audit function of an EMI covers financial audit, organizational audit, and IT audit.

Article 21: The internal audit function is tasked with ensuring:

  • compliance with and implementation of the institution's internal control system, as provided for in Article 17 of this Instruction;
  • the effectiveness and efficiency of the implemented internal control system.

To this end, the internal audit function is specifically responsible for:

  • evaluating (i) the compliance of existing internal control mechanisms with the legal and regulatory framework, (ii) the ability of the information and management system to provide comprehensive and reliable accounting and financial information, (iii) the capacity of the IT system to limit operational, financial, and reputational risks associated with the institution's IT activities, particularly those related to the master account and electronic money portfolios, (iv) the compliance, effectiveness, and actual application of internal control procedures;
  • developing the institution's audit plan as well as that of distribution agents;
  • conducting periodic audits of distribution agents in accordance with the audit plan, to ensure they comply with their commitments under the mandate contract linking the parties;
  • proposing all measures contributing to the improvement of the internal control system based on weaknesses identified during its evaluation.

Article 22: The internal audit function maintains regular consultation with the Audit Committee on:

  • risk areas within the institution;
  • risk management by the institution;
  • measures taken by the institution to address identified shortcomings.

Article 23: The internal audit function may be performed by a dedicated individual or structure. It reports directly to the Audit Committee to guarantee its independence from the General Management.

It is equipped with adequate resources to properly perform its mission, including:

  • sufficient, qualified, and competent personnel relative to the specificities of the institution's activities. They must master in particular internal audit professional standards, risks related to electronic money activities, new information technologies, and IT tools;
  • and appropriate material resources.

Article 24: The internal audit function may access, within the institution at any time, all data and information, as well as their respective sources, that it deems useful in performing its mission.

The internal audit function also operates with distribution agents within the limits of control work to be performed by the institution, in accordance with the mandate contract provisions linking the parties.

Article 25: The internal audit function:

  • communicates to the General Management all anomalies or irregularities identified following its control work, along with related recommendations;
  • annually presents to the Audit Committee an internal audit and control activity report comprising essentially:
    • a review of the main risks to which the institution is exposed, along with their significance level;
    • a presentation of the means and mechanisms for risk prevention, control, and management;
    • modifications made to these control mechanisms, considering the evolution of the institution's activities and the nature and significance of associated risks;
    • a synthesis of the results of control work carried out by the CSBF and the