Merchant Acquiring Services - BNM


Merchant Acquiring Services
Applicable to: Registered merchant acquirers
Issued on: 15 September 2021
BNM/RH/PD 028-119

TABLE OF CONTENTS

PART A OVERVIEW
1. Introduction
2. Applicability
3. Legal Provisions
4. Effective Date
5. Interpretation
6. Related Legal Instruments and Policy Documents
7. Policy Documents Superseded

PART B GOVERNANCE
8. Effective Governance and Oversight

PART C OPERATIONAL REQUIREMENTS
9. Minimum Capital Funds Requirements for Non-Bank Acquirers
10. Settlement Risk Management
11. Merchant Management
12. Fraud Risk Management
13. Business Continuity Management
14. Outsourcing
15. Arrangement with Parties Involved in Payment and Settlement Process
16. Appropriate Treatment for Merchants

PART D INFORMATION TECHNOLOGY (IT) REQUIREMENTS
17. Technology Risk Management
18. Technology Operations Management
19. Cybersecurity Management
20. Technology Audit
21. Internal Awareness and Training

PART E OTHER REQUIREMENTS
22. Other Compliance Requirements

Appendix 1 COMPUTATION OF MINIMUM CAPITAL FUNDS
Appendix 2 MINIMUM REQUIREMENTS ON THE OUTSOURCING AGREEMENT
Appendix 3 STORAGE AND TRANSPORTATION OF SENSITIVE DATA IN REMOVABLE MEDIA
Appendix 4 CONTROL MEASURES ON PAYMENT ACCEPTANCE DEVICE
Appendix 5 CONTROL MEASURES ON INTERNET APPLICATION
Appendix 6 CONTROL MEASURES ON MOBILE APPLICATION AND DEVICES
Appendix 7 CONTROL MEASURES ON QUICK RESPONSE CODE
Appendix 8 CONTROL MEASURES ON CYBERSECURITY
Appendix 9 EXAMPLES OF ARRANGEMENTS EXCLUDED FROM OUTSOURCING SCOPE

PART A OVERVIEW

1. Introduction

1.1 Merchant acquiring services enable merchants to accept payment instruments for the sale of goods or services to their customers. Acquirers provide the link between the users of payment instruments and the merchants to enable the purchase of goods or services. When users pay for goods or services using payment instruments, acquirers ensure that the funds for such payments are settled to the merchants in a timely manner.

1.2 In tandem with the rapid changes in the electronic payment (e-payment) landscape, merchant acquiring services have experienced significant growth and considerable change in their business arrangements and set-up. Merchants have extended their acceptance of payment instruments from only payment cards to other types of instruments such as electronic money (e-money). Merchant acquiring services are no longer confined to the use of traditional Point-of-Sale (POS) terminals but now extend to new payment methods such as Quick Response (QR) codes and online banking. Acquiring arrangements have also expanded to accept more electronic commerce (e-commerce) merchants and to involve third parties such as payment facilitators to facilitate expansion. Merchant acquiring services have also adapted to the constant evolution of technology to cater for the needs of users and enhance efficiency. All of the above changes have increased the complexity and the number of players along the payment chain before payment reaches the merchants.

1.3 Due to the increasingly important role played by acquirers in the payment landscape, it is important to specify the minimum expectations and regulatory requirements for merchant acquiring services to promote confidence in the use of e-payment by both merchants and users of payment instruments. The regulatory requirements serve to ensure proper risk management in merchant acquiring services, which includes the management of settlement risk, financial risk, fraud risk, and technology and cyber risk.

1.4 The objectives of this policy document are as follows –
(a) to ensure the safety and reliability of merchant acquiring services provided by acquirers; and
(b) to preserve public confidence in using or accepting payment instruments for the payment of goods and services.

2. Applicability

2.1 This policy document is applicable to acquirers registered pursuant to sections 17(1) and 18 of the Financial Services Act 2013 (FSA) that fulfil the following criteria –
(a) enter into a contract with merchant(s), which results in a transfer of funds to the merchant(s) by –
(i) conducting or being responsible for fund settlement; or
(ii) issuing fund settlement instructions;
(b) facilitate the merchant’s acceptance of payment instruments; and
(c) are a direct participant of payment instrument network(s) to provide merchant acquiring services.

2.2 The requirements under paragraph 9 of this policy document are only applicable to non-bank acquirers.

3. Legal Provisions

3.1 The requirements in this policy document are specified pursuant to sections 18(2), 33(1), 49, 123(1) and 143 of the FSA.

3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA.

4. Effective Date

4.1 This policy document comes into effect on 15 March 2022.

4.2 However, for non-bank acquirers, the following will apply –
(a) paragraphs 17.1 to 21.3 come into effect on 15 September 2022; and
(b) paragraphs 9.1 to 9.3 come into effect on 15 September 2023.

5. Interpretation

5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA unless otherwise defined in this policy document.

5.2 For the purposes of this policy document –

“S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;

“G” denotes guidance, which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;

“acquirer” refers to any person who is registered [1] pursuant to sections 17(1) and 18 of the FSA to provide merchant acquiring services and fulfils the criteria under paragraph 2.1;

“critical system” refers to any application system that supports the provision of critical services, where failure of the system has the potential to significantly impair the acquirer’s provision of services to customers or counterparties, business operations, financial position, reputation or compliance with applicable laws and regulatory requirements;

“customer and counterparty information”, as used in Part D of this policy document, refers to any information relating to the affairs or, in particular, the account, of any customer or counterparty of an acquirer in whatever form;

[1] For avoidance of doubt, an e-money issuer that also conducts its own merchant acquiring services (i.e. acquires merchants directly) for its own e-money scheme is also considered an acquirer.

“cyber risk” refers to threats or vulnerabilities emanating from the connectivity of internal technology infrastructure to external networks or the Internet;

“digital service” refers to the provision of payment services delivered to customers via electronic channels and devices, including the Internet and mobile devices, self-service and point-of-sale terminals;

“direct participant” refers to a principal member of a payment instrument network(s) for purposes of providing merchant acquiring services;

“direct settlement method” refers to a method whereby settlement is done directly from a payment instrument network or an identified settlement bank [2] to the merchant, based on the payment instruction by the acquirer. Such settlement funds cannot be claimed by the acquirer or creditors of the acquirer, including upon the acquirer’s liquidation;

“e-commerce merchant” refers to a merchant that sells or offers goods and/or services electronically over the Internet or any other channel not involving face-to-face interaction (e.g. mail or telephone order);

“foreign-issued payment instrument” refers to a payment instrument issued by an issuer not locally incorporated in Malaysia but which may be accepted at local merchants;

“issuer of e-money” refers to a person approved under section 11 of the FSA or the Islamic Financial Services Act 2013 (IFSA) to issue e-money;

“key responsible persons” or “KRP” refers to persons that are accountable or responsible for the management and oversight of merchant acquiring services. These comprise the directors and the Chief Executive Officer (CEO);

[2] A licensed bank, licensed Islamic bank or prescribed institution appointed or identified to conduct direct settlement to merchants.

“large acquirers” refers to acquirers with an actual or projected average monthly transaction value (MTV) of more than RM10,000,000 (where, for the purpose of calculating average MTV, the actual amount is calculated based on a 12-month moving average, while the projected amount is calculated based on an estimate of the average monthly amount for the next 12-month period);

“licensed Islamic bank” means an Islamic bank licensed under the IFSA;

“merchant” refers to a person or an entity that has a contractual agreement with an acquirer to accept payment instruments for the sale or offer of goods or services. This includes merchants acquired by a payment facilitator on behalf of an acquirer;

“non-bank acquirer” refers to any person who is not a licensed bank, licensed Islamic bank or prescribed institution and that is registered pursuant to sections 17(1) and 18 of the FSA to provide merchant acquiring services and fulfils the criteria under paragraph 2.1;

“outsourcing arrangement” refers to an arrangement in which a service provider performs an activity on behalf of the acquirer on a continuing basis [3], where the activity would otherwise be undertaken by the acquirer, and does not include the activities set out in Appendix 9;

“payment facilitator” refers to an entity that is appointed by an acquirer to perform merchant acquiring services on behalf of the acquirer. For avoidance of doubt, a payment facilitator can be either (1) an existing acquirer for any payment instrument network or (2) a third party acquirer;

“payment gateway service provider” refers to an entity that provides the information technology (IT) system and infrastructure for purposes of processing or supporting payment or settlement transactions;

[3] For avoidance of doubt, an arrangement which is time-bound does not preclude that activity from being considered as being performed on a continuing basis.

“payment instrument network” refers to a payment system that enables payment to be made using a payment instrument under its brand and provides clearing and/or settlement services for its members, namely issuers and/or acquirers;

“physical merchant” refers to a merchant that sells or offers goods or services physically over the counter (i.e. a brick-and-mortar/face-to-face business);

“point-of-sale (POS) terminal” refers to an electronic device located in or at a merchant’s premises that enables a customer to effect a transaction for the purchase of goods or services using a payment instrument;

“prescribed institution” means a development financial institution prescribed under the Development Financial Institutions Act 2002;

“production data centre” refers to any facility which hosts active critical production application systems, irrespective of location;

“senior management” refers to the CEO and senior officers;

“service provider” refers to an entity, including an affiliate, providing services to an acquirer under an outsourcing arrangement. This may include a third party service provider as used in Part D of this policy document;

“small acquirers” refers to acquirers with an actual or projected average MTV of less than RM10,000,000 (where, for the purpose of calculating average MTV, the actual amount is calculated based on a 12-month moving average, while the projected amount is calculated based on an estimate of the average monthly amount for the next 12-month period);

“SME” refers to small and medium enterprises as defined in the Notification on Definition of Small and Medium Enterprises (SMEs) [4] issued by Bank Negara Malaysia (the Bank), as may be updated from time to time;

“sub-contractor” refers to an entity, including an affiliate, which performs the whole or a part of the outsourced activity for the primary service provider;

“third party acquirer” refers to an entity that is appointed by an acquirer to perform merchant acquiring services on behalf of the acquirer, but does not fulfil the criteria in paragraph 2.1; and

“third party service provider”, as used in Part D of this policy document, refers to an internal group affiliate or external entity providing technology-related functions or services that involve the transmission, processing, storage or handling of confidential information pertaining to the acquirer or its customers. This includes cloud computing software, platform and infrastructure service providers.

[4] Issued on 27 December 2017.

6. Related Legal Instruments and Policy Documents

6.1 This policy document must be read together with other relevant legal instruments and policy documents that have been issued by the Bank, in particular –
(a) the policy document on the Risk-Based Authentication for Online Payment Card Transaction;
(b) the policy document on the Payment Card Reform Framework;
(c) the policy document on the Management of Customer Information and Permitted Disclosures; and
(d) the policy document on the Interoperable Credit Transfer Framework.

7. Policy Documents Superseded

7.1 This policy document supersedes the requirements listed below –
(a) Paragraph 33 – Specific requirements for acquirers in policy document on Credit Card issued on 2 July 2019;
(b) Paragraph 34 – Specific requirements for acquirers in policy document on Credit Card-i issued on 2 July 2019;
(c) Paragraph 23 – Specific requirements for acquirers in policy document on Debit Card issued on 2 December 2016;
(d) Paragraph 25 – Specific requirements for acquirers in policy document on Debit Card-i issued on 2 December 2016;
(e) Paragraph 30 – Specific requirements for acquirers in policy document on Charge Card issued on 2 December 2016; and
(f) Paragraph 32 – Specific requirements for acquirers in policy document on Charge Card-i issued on 2 December 2016.

PART B GOVERNANCE

8. Effective Governance and Oversight

S 8.1 Acquirers shall establish adequate governance arrangements which are effective and transparent to ensure the continued integrity of their merchant acquiring services, which include, among others, the following –
(a) a board of directors (board) and senior management that consist of people with calibre, credibility and integrity;
(b) clearly defined and documented organisational arrangements, such as ownership and management structure; and
(c) segregation of duties and internal control arrangements to reduce the chances of mismanagement and fraud.

Board roles and responsibilities

S 8.2 The board shall have a board charter that sets out the mandate, responsibilities and procedures of the board and its committees (if any), including the matters reserved for the board’s decision.

S 8.3 The board shall have the overall responsibility for ensuring the sustainable growth, financial soundness and reliability of the acquirer’s merchant acquiring services, which includes –
(a) determining, reviewing and approving strategies, business plans and significant policies, including its risk appetite, and monitoring management’s performance in implementing them;
(b) setting corporate values and clear lines of responsibility and accountability that are communicated throughout the organisation;
(c) ensuring adequate assessment is conducted on key responsible persons (KRP);
(d) ensuring selection of competent senior management;
(e) ensuring that the operations of the business are conducted prudently, and within the framework of relevant laws and policies;
(f) ensuring that comprehensive risk management policies, processes and infrastructure, and effective operationalisation of the risk controls to manage the various types of risks, are in place and effective; and
(g) establishing effective compliance and internal audit functions.

S 8.4 The board shall ensure that an effective oversight and risk management mechanism is in place, which includes the following –
(a) an effective oversight and governance structure to manage the day-to-day operations of the acquirer;
(b) a risk management and control framework on the following areas –
(i) technology risk management and cyber resilience;
(ii) mitigation of fund settlement risk to merchants;
(iii) mitigation of fraud or illegal activities;
(iv) merchant recruitment and monitoring;
(v) outsourcing arrangements with service providers; and
(c) appropriate and timely reporting or escalation of issues that may impact the safety, security or operational reliability of the merchant acquiring operations.

S 8.5 The board shall ensure that the risk management and control framework is periodically reviewed for continued effectiveness. This includes ensuring that an audit by an independent party is conducted with reasonable frequency to detect weaknesses and enable corrective measures to be taken in a timely manner.

S 8.6 The board and its committees (if any) shall be of a size that promotes effective deliberation and encourages the active participation of all directors. The board shall meet sufficiently often, with the number and frequency of board meetings commensurate with the size and complexity of the acquirer’s operations, to review the acquirer’s performance, including the status of its compliance with regulatory requirements, and to deal with any issues pertaining to the operations of merchant acquiring services.

S 8.7 The board shall ensure that clear and accurate minutes of board meetings are maintained to record the decisions of the board, including the key deliberations, the rationale for each decision made, and any significant concerns or dissenting views.

S 8.8 With regard to the management of technology and cybersecurity risks, the board shall –
(a) establish and approve the technology risk appetite, which is aligned with the acquirer’s risk appetite statement. In doing so, the board shall approve the corresponding risk tolerances for technology-related events and ensure key performance indicators are in place to monitor the acquirer’s technology risk against its approved risk tolerance. The board shall ensure the senior management of the acquirer provides regular updates on the status of these indicators, key technology risks and critical technology operations to facilitate strategic decision-making; and
(b) ensure and oversee the adequacy of the acquirer’s IT and cybersecurity strategic plans covering a period of no less than three (3) years. These plans shall address the acquirer’s requirements on infrastructure, control measures to mitigate IT and cyber risk as well as financial and non-financial resources, which are commensurate with the complexity of the acquirer’s operations and changes in the risk profile as well as the business environment. These plans shall be periodically reviewed, at least once every three (3) years.

G 8.9 Given the rapidly evolving cyber threat landscape, the board should allocate sufficient time to discuss cyber risks and related issues, including the strategic and reputational risks associated with a cyber-incident. This should be supported by input from external experts as appropriate. The board should also ensure its continuous engagement in cybersecurity preparedness, education and training.

S 8.10 The board shall be responsible for ensuring the effectiveness of the audit function, including technology audit. The board shall review and ensure the appropriate audit scope, procedures and frequency of audits. The board shall also ensure effective oversight over the prompt closure of corrective actions to address any issues or control gaps.

Senior Management

S 8.11 The senior management of acquirers shall be responsible for ensuring the following –
(a) effective policies and procedures are established and implemented for, among others, the following areas –
(i) risk management and appropriate controls to manage and monitor risks, including those under paragraph 8.4(b);
(ii) due diligence and oversight to manage outsourced arrangements supporting the merchant acquiring operations;
(iii) sufficient and timely reporting or escalation of issues to the board;
(b) overseeing the formulation and effective implementation of any business or strategic plan, including the strategic technology plan and associated technology policies and procedures; and
(c) a robust assessment is conducted to approve any deviation from policies and procedures, including technology-related policies. Material deviations shall be reported to the board.

S 8.12 The senior management shall consist of individuals with the appropriate skill set and experience to adequately support the merchant acquiring services. This includes individuals from technology functions to provide guidance on the acquirer’s technology plans and operations.

S 8.13 The senior management shall ensure adequate allocation of resources as well as appropriately skilled and competent staff to support all critical functions of the merchant acquiring services, including ensuring the maintenance of robust technology systems and the management of technology risk.

G 8.14 For large acquirers, the senior management should embed appropriate oversight arrangements within the technology function to support the enterprise-wide oversight of technology risk. These arrangements should provide for designated staff responsible for the identification, assessment and mitigation of technology risks who do not engage in day-to-day technology operations.

PART C OPERATIONAL REQUIREMENTS

9. Minimum Capital Funds Requirements for Non-Bank Acquirers

S 9.1 Small non-bank acquirers are required to maintain, at all times, minimum capital funds of RM300,000.

S 9.2 Large non-bank acquirers are required to maintain, at all times, minimum capital funds of RM1,000,000.

S 9.3 Non-bank acquirers shall maintain the required minimum capital funds in accordance with the computation specified in Appendix 1.

10. Settlement Risk Management

S 10.1 Acquirers shall be responsible for processing the payment of funds to their merchants in a proper and timely manner to manage settlement risk. For the purpose of this paragraph, settlement risk is described as the risk of an acquirer’s inability to honour the obligation to transfer funds arising from a transaction as a result of clearing, at an agreed-upon time, to the merchants.

S 10.2 Acquirers shall ensure timely and complete funds settlement to merchants as per the terms agreed in the contractual agreement with merchants.

S 10.3 Acquirers shall ensure that the settlement period is commensurate with the merchants’ business models and needs.

G 10.4 Acquirers should ensure that the settlement period is no longer than two (2) and five (5) working days from the date funds are received from the payment instrument network, for physical merchants and e-commerce merchants, respectively. Notwithstanding this, acquirers should strive for a shorter settlement period and, if a merchant requests a shorter settlement period, the acquirer should assess the feasibility of accommodating such requests accordingly.

S 10.5 Acquirers shall deposit the funds received for settlement to merchants in a dedicated deposit account (i.e. a designated account) with licensed banks, licensed Islamic banks or prescribed institutions, separately from their own funds. The funds in the dedicated deposit account shall only be used for settlement purposes to the merchants and/or chargebacks to issuers of payment instruments, less the Merchant Discount Rate (MDR) charged or any other applicable charges to the merchant.

S 10.6 In the event settlement by acquirers to SME merchants takes more than two (2) working days from the date funds are received from the payment instrument network, the acquirer shall ensure the funds are safeguarded as follows –
(a) place the settlement funds in a trust account with a licensed bank, licensed Islamic bank or prescribed institution in accordance with the Trustee Act 1949; or
(b) adopt the direct settlement method to merchants; or
(c) secure a bank guarantee from a licensed bank, licensed Islamic bank or prescribed institution on such settlement funds or the outstanding amount for settlement.

S 10.7 Acquirers shall be liable to provide the funds settlement to merchants in the event the issuer, including foreign issuers of payment instruments, or any other parties involved in the handling of such funds, fail to fulfil their settlement obligations.

11. Merchant Management

Merchant recruitment

S 11.1 Acquirers shall establish prudent underwriting criteria and procedures to ensure proper due diligence for the on-boarding of a merchant. The assessment criteria shall include the following –
(a) relevant background information on the merchant (e.g. financial history such as bankruptcy/insolvency checks, nature of business, etc.);
(b) legitimacy of the merchant’s business, with no involvement in or association with any fraudulent or illegal activities, including business activities intended to deceive consumers such as “scratch and win” and “get-rich-quick” schemes; and
(c) the merchant has not been blacklisted by any authorities or other acquirers for any suspected fraudulent or illegal activities.

S 11.2 Acquirers shall verify the merchants’ identity using reliable documents, information or any other measures that acquirers deem appropriate, taking into consideration the nature and size of the business of the respective merchants, before establishing any acquiring relationship with the merchants.

G 11.3 For purposes of paragraph 11.2 –
(a) the verification method may include site visits, website/channel checking or company screening; and
(b) documents and information to be used for verification may include the business name, address, website/channel, contact, proof of existence (e.g. business registration number, identification number, etc.), owner details, business nature and products/services offered.

S 11.4 Merchants shall not be on-boarded via
