ELM 5.4 Systems and controls: e-money firms
Under SYSC 3.2.3 G and SYSC 3.2.4 G, a firm should carry out appropriate due diligence on any person to whom it outsources any function or task and keep the suitability of that person for that task or function under review. A firm should monitor the performance by that person of the outsourced tasks and functions.
A firm should, to the degree appropriate in the light of the factors listed in SYSC 3.1.2 G (1):
- (1) authenticate the identity of customers with whom it transacts and the capacity and authority to act of persons with whom the firm deals;
- (2) use transaction authentication methods that ensure that transactions in e-money to which it is a party do not have to be unwound or reversed;
- (3) ensure that proper authorisation controls and access privileges are in place for all its systems, databases and applications;
- (4) ensure that measures are in place to protect the data integrity of transactions in e-money to which it is a party and records and information about such transactions;
- (5) ensure that measures are in place to prevent fraud;
- (6) establish clear audit trails for all transactions in e-money to which it is a party; and
- (7) ensure the confidentiality of customer and transaction information, having regard to the sensitivity of the information and any other relevant factor.
The risks of regulatory concern referred to in SYSC 3.2.11 G relating to e-money include the following risks:
- (1) unauthorised creation, transfer or redemption of e-money;
- (2) incorrect attribution of funds within the system for the creation, circulation and redemption of e-money issued by the firm or in which it transacts;
- (3) loss of e-money within the system referred to in (2) and loss of function of any part of that system; and
- (4) use of the system referred to in (2) for financial crime or in a way that may harm or misuse any part of the financial system.