G.N.

5043

PAYMENT SYSTEMS AND STORED VALUE

FACILITIES ORDINANCE

Guideline on
Supervision of Stored Value Facility
Licensees

A Guideline issued by the Monetary Authority

under Section 54(1A)(b)

September 2016
Structure
1. INTRODUCTION ..................................................................................................................... 1

2. PRINCIPAL BUSINESS AND FINANCIAL RESOURCES ................................................. 2

3. CORPORATE GOVERNANCE .............................................................................................. 4

4. GENERAL RISK MANAGEMENT AND INTERNAL CONTROL SYSTEMS ................10

5. INFORMATION AND ACCOUNTING SYSTEMS..............................................................12

6. MANAGEMENT OF FLOAT AND SVF DEPOSIT .............................................................14

7. SPECIFIC RISK MANAGEMENT ........................................................................................17

8. BUSINESS PRACTICES AND CONDUCT...........................................................................21

Guideline on Supervision of Stored Value Facility Licensees

1. Introduction

1.1. The Guideline on Supervision of Stored Value Facility Licensees (the

Guideline) is issued by the Hong Kong Monetary Authority (HKMA)
pursuant to section 54(1A)(b) of the Payment Systems and Stored Value
Facilities Ordinance (PSSVFO). It aims to set out the high level
supervisory principles that the HKMA adopts in assessing whether certain
requirements imposed on stored value facility (SVF) licensees are
complied with.

1.2. In order to fulfil the relevant statutory obligations or other relevant

provisions of the PSSVFO, SVF licensees should strive to adhere to those
supervisory principles as set out in the Guideline. They should not only
comply with the letter but, more importantly, the spirit of the various
provisions of the PSSVFO as illustrated or explained by the Guideline.

1.3. To help SVF licensees in better understanding the standards by which the
principles set out in the Guideline should be applied, the HKMA will
issue Practice Notes and Frequently Asked Questions as and when
necessary to provide SVF licensees with additional guidance in respect of
specific sections or paragraphs of the Guideline.

September 2016 Page 1

Guideline on Supervision of Stored Value Facility Licensees

2. Principal Business and Financial Resources

2.1. Introduction

2.1.1. Paragraph 1 of Part 2 of Schedule 3 of the PSSVFO stipulates that the

principal business of a licensee must be the issue of SVF or the facilitation
of the issue of SVF under a licence. Paragraph 2 of Part 2 stipulates the
minimum licensing criteria in relation to financial resources for operating
an SVF scheme. This chapter sets out the high level principle
requirements a licensee must comply in relation to these two aspects.

2.2. Principal business requirement

2.2.1. A licensee can generally engage in activities that add values to its
principal business or provide better services to SVF users. To ensure
that such activities will not significantly disrupt or distract attention to its
principal business, a licensee should conduct appropriate risk assessment
to ensure that it can effectively identify, monitor and manage all relevant
risks and that the safety and efficiency of the SVF as well as the interest
of its SVF users are not compromised. Documentation of the risk
assessment should be properly maintained for periodic review by
independent parties such as Internal Auditor, External Auditors, or the
HKMA. Where a licensee expects that a new activity may draw public
attention or may have potential reputational implications, it should notify
the HKMA about its plan.

2.2.2. For the avoidance of doubt, a licensee is not allowed to carry on financial
intermediation. A licensee is also not allowed to conduct regulated
activities under the Securities and Futures Ordinance, the Mandatory
Provident Fund Schemes Ordinance, or the Insurance Companies
Ordinance. Other types of non-payment finance-related activities (such
as lending and financial intermediary activities) are generally not allowed.

2.3. Financial resources requirements

2.3.1. A licensee must satisfy the Monetary Authority (MA ) that it has:

September 2016 Page 2

Guideline on Supervision of Stored Value Facility Licensees

(i) paid-up share capital of not less than HK$25,000,000 or an

equivalent amount in any other currency approved by the MA; or

(ii) other financial resources are equivalent to or exceed

HK$25,000,000.

2.3.2. The criteria on financial resources as stated in the PSSVFO are only
meant to be a minimum requirement. As a general principle, a licensee
should be able to demonstrate that its financial resources are sufficient for
implementing its business model in a safe, efficient and sustainable
manner, without compromising the interests of SVF users.

2.3.3. In order that the interests of SVF users can be protected at all times, a
licensee should demonstrate that should it decide to exit the SVF business
it will be able to maintain sufficient financial resources to facilitate an
orderly exit, including a smooth refunding process.

2.3.4. The HKMA may impose a higher financial resources requirement if,
taking into account the scale and complexity of a licensee’s business, it
considers such a requirement important in ensuring that the licensee
concerned has the ability to fulfil its regulatory obligations under the
PSSVFO.

2.3.5. The proportion of the financial resources of a licensee equivalent to the

financial resources requirement (i.e. the minimum financial resources
requirement of HK$25,000,000 but if a higher financial resources
requirement is imposed by the HKMA, the higher requirement) should
only be used for the purposes of its business activities and should not be
used for any dealing with its related companies or parties, including
shareholders, directors and senior management staff.

September 2016 Page 3

Guideline on Supervision of Stored Value Facility Licensees

3. Corporate Governance

3.1. Introduction

3.1.1. Section 8O(1) of the PSSVFO requires a licensee to ensure that the
operation of any SVF issued is conducted in a safe and efficient manner.
Section 8Q of the PSSVFO requires a licensee to ensure that all the
minimum criteria set out in Schedule 3 of the PSSVFO are fulfilled.
Paragraph 5 of Part 2 of Schedule 3 stipulates that a licensee must have in
place appropriate risk management policies and procedures for managing
the risks arising from the operation of its SVF business that are
commensurate with the scale and complexity of the scheme.

3.2. Corporate governance

3.2.1. A licensee is required to have in place sound governance arrangement for

the purpose of effective decision-making and proper management and
control of the risks of its business and operations. Such arrangement
should include, among others, clear organizational structure with
well-defined, transparent and consistent lines of responsibility. There
should also be clear documentations on decision making procedures,
reporting lines, internal reporting and communication process.

3.2.2. A licensee’s board should be ultimately responsible for the sound and
prudent management of a licensee’s SVF business operations. As such,
the responsibilities, organization, functioning, and composition of the
licensee’s board of directors must be clearly defined and documented.

3.2.3. The board should have an adequate number and appropriate composition
of members to ensure sufficient checks and balances and collective
expertise for effective, objective decision-making. The size and
composition of the board will vary from institution to institution
depending on the size and complexity of the licensee and the nature and
scope of its activities. As a general benchmark for demonstrating
sufficiency of checks and balances, normally one-third of their board
members should be independent non-executive directors (INED).

September 2016 Page 4

Guideline on Supervision of Stored Value Facility Licensees

3.2.4. The board should clearly define appropriate internal governance practices
and procedures for the conduct of its own work and have in place the
means to ensure that such practices are followed and periodically
reviewed with a view to ongoing improvement.

3.2.5. Whilst the board is ultimately responsible for the overall soundness of a
licensee, the appointment of competent management is key to achieving
the objective of a soundly and efficiently run licensee. The board works
with a senior management team (senior management) to achieve this and
senior management remains accountable to the board.

3.2.6. Senior management are responsible and accountable for running the
business of a licensee effectively and prudently in accordance with the
business strategies, policies, risk appetite, as well as delegation of
authorities set down by the board.

3.3. Fitness and propriety of officers and controllers

3.3.1. Section 8ZZV of the PSSVFO stipulates that a person must not become a
chief executive or director of a licensee except with the MA’s consent.
Sections 8ZZF and 8ZZG of the PSSVFO stipulate that the MA’s consent
must be obtained for a person to become controller of a licensee.
Paragraph 3 and 4 of Part 2, Schedule 3 of the PSSVFO stipulate the
requirements concerning the fitness and propriety of the chief executive,
directors, controllers and managers, as well as relevant knowledge and
experience of officers responsible for implementing the SVF scheme or
the day-to-day management of the scheme. In considering the fitness
and propriety of the chief executive, directors, controllers and managers of
a licensee, the HKMA will take into account factors including, among
others, the integrity, willingness to uphold professional ethics and industry
good practices, and competence of the person concerned. Paragraphs
3.3.2 to 3.3.4 below set out the HKMA’s general expectations in relation
to the fitness and propriety of chief executives, directors, controllers and
managers of a licensee. It should be noted that the onus is on the
applicant to make out a case that he is fit and proper for the position
concerned.

September 2016 Page 5

Guideline on Supervision of Stored Value Facility Licensees

3.3.2. Directors and chief executives

3.3.2.1. Given the leadership role of directors and chief executives, fitness and
propriety will be assessed taking into consideration of their integrity and
competence, which will generally be assessed in terms of relevant
knowledge, experience, judgment as well as leadership. Their
commitment and ability to devote sufficient time and attention to the SVF
business will also be assessed. The standards required of persons in these
respects will vary considerably, depending on the scale and complexity of a
licensee’s operations.

3.3.3. Controllers

3.3.3.1. In assessing the fitness and propriety of controllers, a key consideration is

the influence that a controller could potentially have on the interests of the
users and potential users of the scheme concerned. This has to be assessed
in the context of the circumstances of individual cases. The general
presumption is that the greater the influence on the licensee, the higher the
standard will be for the controller to fulfil the criterion. Willingness and
ability to work collaboratively with other controllers and the management
team will also be a key factor of consideration.

3.3.3.2. Pursuant to section 3(1) of Schedule 3 to the PSSVFO, a licensee should

have in place appropriate and adequate systems of control to ensure that the
HKMA is kept informed of the identity of each of its controller.

3.3.4. Managers

3.3.4.1. Similar principles as set out for directors and chief executives will be
applied for assessing the fitness and propriety of managers, but assessment
will be made in the context of the specific businesses or control areas of the
managers. Pursuant to section 3(3) of Schedule 3 to the PSSVFO, a
licensee should have in place appropriate and adequate systems of control
to ensure that each of its managers is a fit and proper person to hold the
position concerned.

3.3.4.2. A licensee should have in place appropriate and adequate systems of control

September 2016 Page 6

Guideline on Supervision of Stored Value Facility Licensees

to ensure that the HKMA is notified of, among other things: (a) the date of
appointment of a manager; (b) particulars of the affairs or business of the
licensee in relation to which the person has been appointed as a manager;
and (c) any subsequent changes. The notification must be made within 14
days after the date on which a person became a manager of the licensee or
ceased to be a manager of the licensee or any changes associated with such
appointments.

3.4. Outsourcing

3.4.1. In the context of good governance, while a licensee may outsource its
operations to service providers (including independent third parties,
affiliates or companies within the licensee’s group), the licensee,
including its board members, chief executive, and relevant managers and
officers, remains solely responsible for meeting its regulatory obligations
under the PSSVFO and other relevant regulatory requirements, including
guidelines, prescribed by the HKMA from time to time.

3.4.2. A licensee should be ultimately responsible for the quality and security,
including the reliability, robustness, stability and availability, of the
outsourced activity as well as the integrity and protection of the
information held by the service providers to ensure the operation of the
SVF is conducted in a safe and efficient manner. A licensee should
retain ultimate control of the outsourced activities and obligations to its
users.

3.4.3. When outsourcing any of its operations or functions, a licensee should

(a) properly plan for the outsourcing arrangements by conducting a
comprehensive risk assessment to identify and evaluate all risks involved
and structuring the outsourcing arrangements to ensure that all material
risks identified (including business interruption risk) have been adequately
managed before launch and that the outsourcing arrangements will not
impair the effectiveness of its internal controls or compromise the interest
of the SVF users; (b) properly implement the outsourcing arrangements by
performing appropriate due diligence on the service providers, conducting
appropriate testing to ensure that the services to be rendered fully meet the
agreed performance standards, executing appropriate outsourcing

September 2016 Page 7

Guideline on Supervision of Stored Value Facility Licensees

agreements with the service providers to set out clearly the outsourcing
arrangements and the related rights and obligations, and carrying out
proper transfer of the related operations or functions to ensure smooth
transition; and (c) properly manage the outsourcing arrangements on an
on-going basis by performing appropriate regular quality review of the
outsourced operations or functions to ensure that the services being
rendered continue to meet the agreed performance standards in full and all
deficiencies identified are duly rectified, conducting appropriate regular
risk assessment to ensure that all material risks are duly identified,
evaluated and adequately managed on an on-going basis, and reviewing
the outsourcing agreements at appropriate intervals to assess whether the
agreements should be renegotiated and renewed to bring them in line with
current market standards and to cope with changes in the licensee’s
business strategies.

3.4.4. A licensee should ensure that its outsourcing arrangements comply with
the Personal Data (Privacy) Ordinance (“PDPO”) and any relevant codes
of practice, guidelines and best practices issued by the Office of the
Privacy Commissioner for Personal Data (“PCPD”) from time to time.

3.4.5. Access to data by the relevant authorities’ examiners and the licensee’s
internal and external auditors should not be impeded by outsourcing. A
licensee should ensure that adequate and effective arrangements are in
place to facilitate the on-site examinations or off-site reviews, both
announced and unannounced by authorized third parties (e.g. licensee’s
internal auditors, external auditors/assessors and the HKMA).

3.5. Location of senior management

3.5.1. Section 8ZZU(2) of the PSSVFO requires the chief executive and the
alternate chief executive to be individuals who are ordinarily residents in
Hong Kong. Licensee should ensure that this requirement is being
complied with on an on-going basis. Furthermore, the senior
management team and the key personnel responsible for scheme operation,
IT systems, financial management, control and risk management functions,
compliance and internal audit of the licensee should basically be based in
Hong Kong. Nevertheless, depending on the nature, scale, complexity of

September 2016 Page 8

Guideline on Supervision of Stored Value Facility Licensees

business, and the organization structure of the licensee, part of the senior
management team may be based outside Hong Kong, provided that proper
arrangement is made to timely respond to the HKMA.

September 2016 Page 9

Guideline on Supervision of Stored Value Facility Licensees

4. General Risk Management and Internal Control

Systems

4.1. Introduction

4.1.1. Paragraph 5 of Part 2, Schedule 3 of the PSSVFO stipulates that the

licensee must have in place appropriate risk management policies and
procedures for managing the risks arising from the operation of its SVF
scheme that are commensurate with the scale and complexity of the
scheme. This chapter sets out the high level principles on the
requirements on a licensee’s general risk management and internal control
systems.

4.2. Risk management

4.2.1. A licensee should have in place effective risk management framework that
is commensurate with the nature, scale and complexity of their operations
to help ensure proper identification, monitoring and management of
various risks. The risk management framework should be approved by
the Board. A licensee should demonstrate that it has dedicated staff
resources with sufficient professional knowledge, experience, and
independence to oversee the quality of its risk management and internal
control processes.

4.3. Internal controls

4.3.1. A robust internal control system must be put in place to promote effective
and efficient operation, safeguard assets, provide reliable financial and
management information, enable prevention or early detection of
irregularities, fraud and errors, and ensure compliance with relevant
statutory and regulatory requirements and internal policies.

4.4. Compliance and internal audit functions

4.4.1. A licensee should maintain effective (i) compliance function; and (ii)

September 2016 Page 10

Guideline on Supervision of Stored Value Facility Licensees

internal audit function to ensure compliance with all applicable legal and
regulatory requirements as well as its own policies, procedures and
controls. Among other factors, the quality of a licensee’s compliance
and internal audit functions will be assessed based on its (i) clear
governance framework with board level support to ensure effective
policies and sufficient authorities to perform the functions; (ii) relevant
professional knowledge and experience; (iii) independence from business
units; (iv) direct and unfettered access to the board; (v) coverage,
comprehensiveness and effectiveness of compliance and internal audit
programs; and (vi) ability to take timely and pro-active rectifying actions
upon identifying non-compliance or other control deficiencies.

4.4.2. The compliance function should not be substituted by the internal audit
function. In exceptional cases where a licensee’s scale of operations may
not justify having a separate function, the licensee should propose to the
satisfaction of the HKMA effective alternative arrangements (e.g. hire of
external services for internal audit function) that do not compromise the
effectiveness of controls.

4.5. Reporting to regulators

4.5.1. A licensee should have effective procedures to ensure submission of data

and information requested by the HKMA in a timely and accurate manner.

4.5.2. A licensee should have in place effective policies and procedures to

ensure timely reporting to the HKMA on (i) incidents having a material
adverse impact on its business, operation, assets, risks or reputation; and
(ii) breach of any statutory and regulatory requirements by the licensee or
its officers or employees.

September 2016 Page 11

Guideline on Supervision of Stored Value Facility Licensees

5. Information and Accounting Systems

5.1. Introduction

5.1.1. Section 8O of the PSSVFO stipulates that a licensee must ensure that its
SVF operation is conducted in a safe and efficient manner calculated to
minimize the likelihood of any disruption to the functioning of the facility.
This chapter sets out the high level principle requirements on a licensee’s
information and accounting systems which are essential to the smooth
operation of a licensee’s SVF scheme.

5.2. Information and accounting systems

5.2.1. A licensee should have in place robust information and accounting

systems to (i) record all business activities in a timely and accurate
manner; (ii) provide quality management information to enable effective
and efficient management of business and operations; and (iii) maintain
appropriate audit trails to demonstrate effectiveness of controls.

5.2.2. A licensee should properly maintain books and accounts and prepare
financial statements and returns in compliance with all applicable
regulatory reporting requirements and accounting standards in Hong
Kong.

5.2.3. A licensee should put in place sufficient back up facilities and disaster
recovery arrangements for their information and accounting systems.

5.3. Record keeping

5.3.1. A licensee should have in place adequate record keeping policies and
systems for maintaining accurate and sufficient records of its books,
accounts, management decisions and business activities, including
transactions of users. Such records should be maintained for a sufficiently
long period, taking into account relevant statutory and regulatory
requirements.

September 2016 Page 12

Guideline on Supervision of Stored Value Facility Licensees

5.4. Data protection

5.4.1. A licensee should have in place adequate policies, measures and

procedures to protect their information and accounting systems, databases,
books and accounts, and other records and documents from unauthorized
access, unauthorized retrieval, tampering and misuse.

5.5. Information and accounting systems located outside Hong

Kong

5.5.1. A licensee with operations, information and accounting systems located

outside Hong Kong should have in place effective arrangements to enable
the regular and ad hoc review of the system, either on-site or off-site, by
authorized parties including the HKMA. The arrangements should allow
unrestricted access to the licensee’s premises and systems outside Hong
Kong, and that necessary prescribed consent to the arrangements should
be obtained from the local authorities, if any, in the relevant jurisdictions.

September 2016 Page 13

Guideline on Supervision of Stored Value Facility Licensees

6. Management of Float and SVF Deposit

6.1. Introduction

6.1.1. Section 7 of Part 2 of Schedule 3 of the PSSVFO sets out the minimum
criteria regarding protection and management of float and SVF deposit
which licensees must fulfill. This chapter sets out the high level
principles and requirements in respect of protection and management of
the float and SVF deposit.

6.2. General principle

6.2.1. A licensee should have in place an effective and robust system to protect
and manage the float and SVF deposit to ensure that all funds are
deployed for prescribed usage only, that funds belonging to SVF users are
protected against claims by other creditors of SVF issuers in all
circumstances, and that funds are protected from operational and other
relevant risks.

6.3. Protection of float and SVF deposit

6.3.1. A licensee should put in place an effective trust arrangement to ensure the
legal right and priority claim of the float and SVF deposit by users in the
event of insolvency of a licensee. If justifications are provided by a
licensee, an effective bank guarantee and/or insurance coverage may be
used as an alternative or supplementary arrangement. For the avoidance
of doubt, money in transit arising from an SVF user choosing direct debit
from his/her bank account or credit card account instead of his/her SVF
user account are treated as float received from the SVF user and should
accordingly be accorded the same level of protection.

6.3.2. Where circumstances warrant a trigger to refund the float and SVF deposit
to users, the trust arrangement should operate to the effect that proper
legal positions and authorisations are in place to ensure a smooth and
efficient refund process.

September 2016 Page 14

Guideline on Supervision of Stored Value Facility Licensees

6.3.3. A licensee should ensure that there are sufficient funds for the refund of
the float and SVF deposit to all SVF users at all times and there are
sufficient additional funds to pay for the costs of distributing the float and
SVF deposit to all SVF users in case of need.

6.3.4. A licensee should ensure that all user accounts in the SVF scheme users
ledger are maintained in an accurate and timely manner and that the
aggregate balance of all user accounts in the ledger accurately reflects the
total amount of the float and SVF deposit of the SVF scheme at all times.

6.3.5. The assets, including cash and bank deposits, in which the float and SVF
deposit of an SVF scheme are held should be segregated from the
licensee’s own funds as well as funds received for the licensee’s other
business activities.

6.3.6. A licensee should put in place effective internal control measures and
procedures, which constitute an integral part of the licensee’s overall
robust internal control system, to protect the float and SVF deposit from
all operational risks, including the risk of theft, fraud and
misappropriation.

6.4. Management of float and SVF deposit

6.4.1. Float and SVF deposit of an SVF scheme should be managed mainly for
the purpose of liquidity management to ensure that there will always be
sufficient funds for redemption. A licensee should put in place effective
liquidity management policies, guidelines and control measures
commensurate with the mode of operation of the SVF scheme in respect
of the assets in which the float and SVF deposit are held.

6.4.2. A licensee should not adopt a business model that takes investment returns
from float management as a significant source of income. A licensee
proposes to hold a proportion of the float and SVF deposit in low risk
financial assets other than cash or bank deposits should obtain the
HKMA’s prior written consent by demonstrating to the HKMA that the
float and SVF deposit will be adequately protected from all relevant risks,
including investment risk, market risk, concentration risk and liquidity

September 2016 Page 15

Guideline on Supervision of Stored Value Facility Licensees

risk, etc. The licensee seeking the HKMA’s prior consent should at least
put in place adequate investment policies and guidelines and effective
control measures to protect the float and SVF deposit from all relevant
risks.

6.4.3. Unless effective currency risk management policies, guidelines and

control measures are put in place, mismatch between the currency
denomination of the float or SVF deposit and that of the assets in which
the float and SVF deposit are held is generally not allowed except for the
mismatch between HK dollar and US dollar positions.

6.5. Additional regulatory requirements

6.5.1. Additional requirements in respect of the protection and management of

float and SVF deposit may be imposed if the circumstances of the licensee
concerned so require, e.g. when there are inherent insufficiencies in the
control environment of the licensee concerned.

6.6. Reporting to the HKMA

6.6.1. In respect of the protection and management of float and SVF deposit, any
material non-compliance with any regulatory requirements or internal
policies, procedures and controls as well as any material unresolved
discrepancies identified in any reconciliation should be reported to the
HKMA immediately through the established communication channels.

September 2016 Page 16

Guideline on Supervision of Stored Value Facility Licensees

7. Specific Risk Management

7.1. Introduction

7.1.1. Paragraph 5 of Part 2 of Schedule 3 of the PSSVFO stipulates that the

licensee must have in place appropriate risk management policies and
procedures for managing the risks arising from the operation of its SVF
scheme that are commensurate with the scale and complexity of the
scheme. This chapter sets out the high level principles on the
requirements in relation to specific risk management for the purpose of
complying with the relevant statutory requirements.

7.2. Technology risk management

7.2.1. A licensee should establish an effective technology risk management

framework to ensure (i) the adequacy of IT controls, (ii) the quality and
security, including the reliability, robustness, stability and availability, of
its computer systems, and (iii) the safety and efficiency of the operations
of the SVF. The framework should be “fit for purpose”, i.e.
commensurate with the risks associated with the nature, size, complexity
and types of business and operations, the technologies adopted and the
overall risk management systems of the licensee. A licensee should
allocate its technology resources between business development and risk
management appropriately to ensure that sufficient resources are devoted
to the latter.

7.2.2. Given that the risk of IT operational incidents (e.g. service interruptions)
cannot be completely eliminated, a licensee should establish an incident
management framework with sufficient management oversight to ensure
effective incident response and management capability to deal with
significant incidents properly. This includes (i) timely reporting to the
HKMA of any confirmed IT-related fraud cases or major security breaches,
including cyber attacks, cases of prolonged disruption of service, and
systemic incidents where users suffer from monetary loss or frustrating
user experience (e.g. data leakage) and (ii) a communication strategy to
address the concerns of any stakeholders may have arising from the

September 2016 Page 17

Guideline on Supervision of Stored Value Facility Licensees

incidents and restore the reputational damage that the incidents may
cause.

7.2.3. A licensee should have in place adequate measures to maintain

appropriate segregation of databases for different purposes to prevent
unauthorized or unintended access or retrieval and that robust access
controls are enforced to ensure the confidentiality and integrity of the
databases. In respect of any personal data of users, including merchants,
a licensee should at all times comply with the PDPO as well as any
relevant codes of practice, guidelines or best practice issued by the Office
of the PCPD from time to time.

7.3. Payment security management

7.3.1. A licensee should put in place a robust payment security management

framework that is commensurate with the scale and nature of payment
security risks associated with its SVF schemes to effectively monitor,
identify, evaluate, respond and mitigate the payment security risks arising
from the operation of the SVF schemes.

7.3.2. A licensee should have adequate policies and procedures on the ownership,
classification, storage, transmission, processing and retention of
information collected from users through registration of SVF service and
execution of payment transactions to ensure confidentiality and integrity
of the information.

7.3.3. A licensee should implement adequate security measures to protect each

payment channel (including cards and user devices) provided to users for
using its SVF against all material vulnerabilities and attacks.

7.3.4. A licensee should implement adequate payment security controls to ensure

the authenticity and traceability of payment transactions and detect
fraudulent transactions.

7.3.5. A licensee should authenticate the identity of SVF users before they can
administer their SVF accounts and initiate high-risk transactions. Timely
notification should be sent to users after these activities.

September 2016 Page 18

Guideline on Supervision of Stored Value Facility Licensees

7.3.6. A licensee should provide advice and assistance to users on the secure use
of SVF through an effective communication channel.

7.3.7. A licensee should guard against current and upcoming cyber security risks
associated with its SVF by monitoring the trends in cyber threats,
implementing adequate protective measures and performing periodic
security testing.

7.3.8. A licensee should provide efficient and reliable SVF payment services
which are commensurate with the mode of operation of its SVF.

7.4. Business continuity management

7.4.1. A licensee should have in place adequate business continuity management

(BCM) programs to ensure continuation, timely recovery, or in extreme
situations orderly scale-down of critical operations in the event of major
disruptions caused by different contingent scenarios.

7.4.2. The board and senior management of a licensee have the ultimate
responsibility for BCM and the effectiveness of their business continuity
plans. It should ensure that BCM programs are duly implemented and
taken seriously by all levels of staff and that sufficient resources are
devoted to implementing the plan.

7.5. Reputation risk management

7.5.1. A licensee should establish and implement an effective process for

managing reputation risk that is appropriate for the size and complexity of
its operations. A licensee should integrate into its business processes
proper due diligence work to (i) critically assess the potential reputational
implications of its plans and activities for itself and for the industry; (ii)
take proactive actions to avoid or contain the identified risks; and (iii)
respond swiftly to mitigate the potential impact should such risks
materialise. A licensee should also devote appropriate resources to
conduct surveillance work with a view to identifying any issues with
reputational implications for its operations. The objective is to protect
the licensee from potential threats to its reputation and, should there be a

September 2016 Page 19

Guideline on Supervision of Stored Value Facility Licensees

reputation event, minimize the effects of such an event.

7.5.2. In implementing reputation risk management process, licensees should

ensure that the relevant process is capable of detecting and responding
swiftly to new and emerging threats to reputation, monitoring the
changing status of risks, providing early warning of potential problems to
enable remedial actions to be taken, and providing assurance that the risks
affecting reputation are under control. A licensee should notify the
HKMA promptly of any incident which, in its view, may have significant
implications for its reputation.

7.6. Liquidity risk management

7.6.1. A licensee should establish and implement an effective process for

managing liquidity risk that is appropriate for the size and complexity of
its operations. The objective is to ensure that the licensee will have
sufficient liquidity to meet different financial obligations arising from its
day-to-day operations as well as redemption requests under all plausible
circumstances.

September 2016 Page 20

Guideline on Supervision of Stored Value Facility Licensees

8. Business Practices and Conduct

8.1. Introduction

8.1.1. Section 10(2)(b) of Part 2 of Schedule 3 of the PSSVFO stipulates that the
SVF schemes must be operated prudently and with competence in a
manner that will not adversely affect the interests of the user or potential
user of the SVF. This chapter sets out the high level principles and
requirements applicable to a licensee’s business practices and conduct for
the purpose of complying with the relevant statutory requirements.

8.2. Standard of conduct and business practices

8.2.1. A licensee should ensure that its business is operated in a responsible,

honest and professional manner. A licensee should treat all users,
including merchants, equitably, honestly and fairly at all stages of their
relationship with the licensee. A licensee should also act in a manner that
will not adversely affect the interests of the user or potential user or the
stability of any payment system in Hong Kong.

8.2.2. A licensee should be responsible for the acts or omissions of its employees,
service providers and agents in respect of the conduct of its business.
Employees and agents of a licensee should be properly trained and
qualified.

8.2.3. A licensee should ensure that it adopts, and if needed develops, good
business practices that can demonstrate its standard of conduct.

8.2.4. A licensee is not allowed to provide interest payment or interest-like

incentive scheme based on the volume of float.

8.3. Schemes and operating rules

8.3.1. The operating rules of an SVF scheme should be fair to all parties
concerned. A licensee should operate its SVF scheme in strict
accordance with the relevant operating rules.

September 2016 Page 21

Guideline on Supervision of Stored Value Facility Licensees

8.3.2. The operating rules of an SVF scheme should provide that a value of an
amount no less than the amount of funds received by a licensee or its
agent from a user will be credited to the account of the user and made
available for use by the user in a timely manner according to the operating
rules.

8.3.3. A reasonable limit, supported by business justifications and control

measures, should be set for the maximum amount that can be stored in
each type of user accounts under a scheme. Different storage limits can
be set for different types of user accounts according to their respective
features. All limits should be set out in the operating rules. The
HKMA may request a licensee to change the limits if the business
justifications and control measures put up by the licensee is considered
unsatisfactory.

8.3.4. A licensee should set out and explain clearly the key features, risks, terms
and conditions, and applicable fees, charges and commissions of its
schemes, facilities, services and products. Such details should be
effectively communicated and made available to the relevant users,
including merchants. Additional disclosures, including appropriate
warnings, should be developed to provide information commensurate with
the nature, complexity and risks of the schemes, facilities, services and
products. In particular, the related contract with a user under a scheme
should state clearly and prominently the amount of the fee and charge
payable and the circumstances in which the fee and charge becomes
payable.

8.3.5. A licensee should be solely responsible for the robustness of its SVF
scheme and as such it should bear the full loss of the value stored in a user
account where there is no fault on the part of the user.

8.3.6. Except for anonymous cards, a licensee should have in place convenient
and timely means to enable users to (i) report and/or disable lost cards;
and (ii) report that the SVF has been compromised. Such means should
be effectively communicated to users. A licensee on being advised of a
loss, theft or possible misuse of a card/SVF should take prompt action to
prevent further use of the card/SVF. A licensee should give clear and

September 2016 Page 22

Guideline on Supervision of Stored Value Facility Licensees

prominent notice to users if they may have to bear a loss when a card has
been used for an unauthorized transaction before the user has reported
and/or disabled lost cards/compromised SVF.

8.3.7. A licensee should, where technically feasible, provide timely transaction

notifications to users and, to a reasonable extent, make available to users
transaction records with sufficient details and the outstanding stored value
of user accounts. A licensee should provide a service to users who need
to obtain records of their transactions with sufficient details for a
reasonable time period.

8.3.8. A licensee should have in place fair and effective rules and mechanisms to
deal with alleged unauthorized transactions claimed by users and
effectively communicated such rules and mechanisms to users.

8.4. Complaints handling

8.4.1. A licensee should have in place an effective complaint management

system to ensure that complaints from SVF users are fully and promptly
handled and resolved in a satisfactory manner.

8.4.2. The complaint management system of a licensee should be comprehensive,

transparent, accessible to SVF users and easy to invoke, fair and impartial,
consistent in its approach to the provision of redress, flexible and efficient,
and able to maintain appropriate confidentiality, keep sufficient records,
resolve complaints, identify and remedy the problems revealed by the
complaints and provide appropriate feedback to the HKMA.

8.5. Business exit plan

8.5.1. With a view to minimizing the potential impact that a failure, disruption,
or exit of a licensee would have on SVF users and the payment systems in
Hong Kong, a licensee is required to maintain viable plans for an orderly
exit of its business and operations should other options be proven not
possible.

8.5.2. Among other things, a business exit plan should (i) identify a range of

September 2016 Page 23

Guideline on Supervision of Stored Value Facility Licensees

remote but plausible scenarios which may render it necessary for a

licensee to consider an exit; (ii) develop risk indicators to gauge the
plausibility of the identified scenarios; (iii) set out detailed, concrete, and
feasible action steps to be taken upon triggering the exit plan; (iv) assess
the time and cost required to implement the exit plan in an orderly manner;
and (v) set out clear procedures to ensure that sufficient time and financial
resources are available to implement the exit plan.

8.5.3. A licensee’s business exit plans should form part of the operating rules of
the SVF scheme and the arrangement should where appropriate be
reflected in the terms and conditions of the SVF schemes and made
known to SVF users. A licensee should ensure that its business exit
plans have made sufficient provisions for financial and administrative
resources to meet the float redemption and other relevant administrative
processes.

8.5.4. A licensee is required to discuss with the HKMA in devising and

introducing changes to its business wind-down plans.

September 2016 Page 24