NBU Updates Procedure for Payment Infrastructure Oversight in Ukraine

The National Bank of Ukraine (NBU) has updated the procedure for payment infrastructure oversight in compliance with the Law of Ukraine On Payment Services enacted this August, in order to ensure the reliable and uninterrupted functioning of the payment infrastructure. 

The updated procedure is based on the international standards of payment systems oversight adopted by the Bank for International Settlements and the approaches of the European Central Bank to payment instruments oversight.

The overseen entities of the payment infrastructure are as follows:

• payment system entities: payment systems operators, participants in payment systems, technical service providers, settlement banks
• payment services providers, regarding use by them of payment instruments, payment schemes, electronic money, interaction with the other participants of the payment market 
• e-money issuers, in terms of the issuing and use of e-money.

In addition, the NBU:

1) set the requirements to payment systems entities established by residents, regarding the following:

• ensuring business continuity 
• performing control over participants and technical service providers by a payment system operator
• safekeeping the information on transactions with payment instruments, creating electronic archives 
• publishing the information on websites and payment devices, etc.

2) provided for the annual categorization of payment systems by the regulator, depending on importance (according to the established criteria): systemically important and important

3) set the enhanced requirements for operators of systemically important and important payment systems taking into account the international standards of oversight, regarding risk management and ensuring settlement finality for operators of payment systems established by residents and nonresidents 

4) provided for operators of the payment systems established by residents the necessity to:

• develop the Action Plan on Business Continuity  
• define goals and tasks on cyber resilience, operational targets  
• manage collateral in payment system to mitigate the credit risk  
• define in documents the division between the implementation of operational target, targets related to risk management, and internal audit within the payment system, etc.

5) established additional requirements for resident systemically important payment systems concerning:

• recovery of operation no later than two hours from the emergency 
• provision of services during emergency at the level not lower than the planned operational performance indicators
• performing settlements in real time mode or ensuring completion of all settlements within the transaction day 
• availability of a reserve operational area, etc.

6) established the requirements for new overseen entities of the resident payment services providers and e-money issuers regarding:

• ensuring business continuity 
• performing control over technology operators providing services to those overseen entities 
• safekeeping the information on transactions with payment instruments, creating electronic archives 
• publishing the information on websites and payment devices, etc.

7) provided for the annual classification of the overseen entities (participants of payment systems, payment services providers, electronic money issuer, technology operators) by the regulator to categories of importance (based on their performance)

8) established the procedure and criteria to define important overseen entities and the enhanced requirements for those on:

• risk management: operational, cyber, legal, and financial risks 
• information exchange taking into account the international standards 
• organizational and technical measures to ensure the operational continuity. etc.

9) provided for the assessing the compliance with the international standards of oversight and laws by the following:

• payment system: comprehensive assessment of systemically important and important payment systems; assessment of certain aspects of payment systems operations (targeted assessment); assessment of a payment system as of the moment of entering the market (residents and nonresidents)
• payment schemes: for important payment services providers and important e-money issuers

10) provided for giving recommendations to the overseen entities by results of assessment to improve their activities and approach the international standards of oversight

11) improved the procedure of the overseen entities assessment, in particular regarding establishment of a level of the payment system/scheme compliance with each international principle (standard)

12) introduced the definition and criteria for “substantial incident of an operational continuity breach,” which means the inability of an overseen entity to perform its activities on time and efficiently for two hours and more

13) established the procedure for reporting by the overseen entities on substantial incidents of an operational continuity breach

14) within joint oversight, provided for the regulator’s right to exchange information on activities of the overseen entities established by nonresidents with central banks of other states, international organizations, and executive bodies.

The respective provisions are included into a new Regulation No. 187 On the Oversight of Payment Infrastructure in Ukraine approved by NBU Board Resolution dated 24 August 2022 (hereinafter Resolution No. 187).

Resolution No. 187 comes into effect on 27 August 2022. Regulation On Payment Systems and Settlement Systems Oversight in Ukraine approved by NBU Board Resolution No. 755 dated 28 November 2014 ceases to have effect on the same date.