By Luciano Fantin – This article complements the previous one that I wrote about the payment card industry as of January 24 2014.
As cited in my last article about this subject as of January 24 2014, Federal Law 12,865 as of October 9, 2013, as well as all connected regulations issued by the Monetary Council and Brazilian Central Bank, brought significant changes to the payment card industry, especially to the non-financial institutions, which are the focus of this text.
The market is commenting a lot about which are going to be the impacts on cost, complexity, governance, processes etc. for the institutions adaptation to the new demands. Many owners of payment schemes (brands) and payment institutions (card issuers and acquirers) are currently not subject to the ruling and supervision of the Brazilian Central Bank, and are now concerned with the variety of controls and processes to which they will now be subject to.
Each case has to be analyzed individually. In order to be able to precisely estimate the impact to which each institution will be subject to, a gap analysis has to take place. Which are the existing organizational and functional structures, as well as levels of governance and systemic and processes infrastructure that can cater for the new demands? Which ones will have to be reinforced or even created? As I mentioned, each case has to be analyzed individually. The deadline is 360 days for the owners of payment schemes and 270 for the payment institutions to adapt themselves respectively, as of issuance date back in November 4 2013.
In spite of the necessity of a gap analysis, follows below an inventory extracted from all rules issued so far, which demonstrates typical demands that are in force to financial institutions, to which non-financial payment institutions and brands are now subject. This inventory enables a more concrete vision of potential impacts:
- The Brazilian Central Bank is empowered now to discipline and supervise the payment card industry (Federal Law 12,865, Article 9);
- Payment institutions became now part of the Brazilian Payment System (Federal Law 12,865, Article 6);
- Non-compliance to Federal Law 12,865 and connected rules issued by the Brazilian Monetary Council and Brazilian Central Bank subject payment institutions and its officers to sanctions, amongst others, foreseen in Federal Law 4,595/64, Chapter V, Article 44:
- Reprimand;
- Fine;
- Temporary suspension of the officer’s function;
- Definitive suspension of the officer’s function;
- Withdrawal of the business authorization;
- Payment Institutions are subject to the Temporary Special Management Regime (“RAET”) – Federal Law 12,865, Article 13;
- Payment institutions must observe Circular Letter 3,361/09, on anti-money laundering activities, according to Federal Law 9,613/98, except for static data aspects, which are covered by Circular Letter 3,680/13;
- Payment institutions must send information on pre-paid account owners to the National Financial System ‘Client Static Data System’ (“CCS”), according to Circular Letter 3,347/07 (Circular Letter 3,680/13);
- Payment institutions and brands must comply with Resolution 2,554/98 in relation to the implementation of an internal control system (Circular Letter 3,681/13 and 3,682/13);
- Payment institutions must observe the structure and processes related to the National Financial System Chart of Accounts – “COSIF” (Circular Letter 3,681/13);
- Payment institutions which are credit card issuers must send to the Brazilian Central Bank information to feed the ‘Credit Information System’ (“SCR”) according to Resolution 3,658/08 (Circular Letter 3,681/13);
- Payment institutions have to comply with Resolution 3,694/09 on suitability of products and services offered, as well as on integrity and safety of transactions, also in light of the modifications brought by Resolution 4,283/13 related to Article 1 (Circular Letter 3,681/13);
- Payment institutions have to create an ombudsman function (Circular Letter 3,681/13);
- Payment institutions must assign a director who will be in charge of risk management. He or she will be allowed to exercise other functions except for third parties asset management and transactions subject to credit risk (Circular Letter 3,681/13);
- Risk management at payment institutions is detailed out in Circular Letter 3,681/13, as per following examples:
- Payment institutions must have a risk management structure observing following aspects:
- Compatible with the nature of the institution’s activities and its complexity;
- There has to be an integrated and non-stop risk management process as regards to operational, liquidity and credit risks;
- The risk related policies have to be at least annually updated.
- On Operational Risk:
- A contingency plan has to be established;
- Testing is mandatory and it should ensure that all measures involving IT security and data sensitiveness are effectively implemented;
- On Liquidity Risk:
- A liquidity management process has to be in place, also during the day;
- A contingency funding plan has to be implemented;
- Payment institutions have to publish at least on an annual basis a report on the liquidity management and must divulge, together with the financials disclosure, a summary of the liquidity risk management structure.
- On Credit Risk:
- Transactions subject to credit risk have to respect defined limits, and shall be subject to monitoring processes.
- On Governance:
- Payment institutions must implement governance policies containing aspects such as risk management, equity management and preservation of value and liquidity of the issued electronic credits. These policies have to be reviewed at least on an annual basis.
- Brands who wish to get an authorization for the implementation of a payment scheme will have to identify the shareholder’s control group and those who detain a qualified shareholding participation, according to Resolution 4,122, Article 6 (Circular Letter 3,682/13);
- The authorization process for the creation, modification, etc. of payment institutions is quite similar to the rules of Resolution 4,122/12, which apply to financial institutions;
- A director who will be in charge of the compliance to the rules surrounding payment accounts has to be assigned (Circular Letter 3,680/13).
- Payment institutions must have a risk management structure observing following aspects:
As made explicit by the new regulatory framework, payment institutions shall not execute activities, which are exclusive to financial institutions (Federal Law 12,865, Article 6, Paragraph 2).