Oversight and role of new technologies in conducting oversight

Morocco’s experience

The Global Payments Week 3-7 December, 2018

Kuala Lumpur, Malaysia

FMIs in Morocco: Overview and Oversight framework

AGENDA

Monitoring Cyber Risks and incidences

New challenges

2

1

3

OVERVIEW OF MOROCCO

Morocco

Capital: Rabat

Population: 34,2 millions

Currency: Dirham

Urbanization ratio: 61,9%

Rating:Fitch Ratings : BBB-/stable outlook

Standard & Poor's : BBB-/A-3

Internet penetration rate : 63,67%

Mobile penetration rate: 126%Key rate (interest rate): 2,25%

Bank account penetration rate: 56%

Economic Growth: 4%

Gross Domestic Product:109,1 billion $

Inflation rate: 0,2%

Investment ratio : 33,3% of GDP

* Data of 2017. Sources: HCP, ANRT, BAM

FMIs in Morocco: Overview and Oversight framework

AGENDA

Monitoring Cyber Risks and incidences

New challenges

2

1

3

OVERVIEW OF FMIs IN MOROCCO

5

MAROCLEAR (1997)

Central Depository and Securities Settlement System

SRBM (2006)Real Time

Gross Settlement

* Card-based transactions was managed by Interbank Electronic Payment Center (CMI) since 2004

Casablanca Stock Exchange (BVC) (1929)

Securities settlement system

FutureCCPBVC was designated the managing

company of the futures market

SIMT (2004)

Clearing system of retail payment means (excluding cards)

ElectronicPayment Switch (2017) *

Domestic Electronic Switch

Role of Bank Al-Maghrib in financial market infrastructures (FMIs)

ROLE OF BANK AL-MAGHRIB IN FMIs

6

Oversight of Maroclear, BVC and the future CCP isconduct also by the Capital Markets Autority (AMMC)

A memorandum of understanding is beingestablished between both parties to clarify theaspects of oversight of each authority, to avoiddouble control of the post market infrastructures,and to define the practical arrangements for thejoint oversight of this FMIs.

Operator

> Operator of RTGS

Overseer

> Ensure the resilency of FMIs

Catalyst

> Promote and encourage the development ofFMIs and initiate the necessary changes anddevelopments (text reforms, launching initiativesor others).

User

> Use the technical and functional platforms ofretail payment system and the other FMIs likeother members.

LEGAL AND REGULATORY FRAMEWORK

7

Lega

l Fra

mew

ork

> Article 10 of the law on statutes entrusts BAM to ensure

missions:

- The smooth running of payment systems;

- The efficiency of payment systems;

- Security of means of payment.

Multilateral Convention on the supervision of payment systems

January 2009

Cont

ract

ual F

ram

ewor

k > Multilateral Convention on the oversight of payment

systems (signed by ancillary systems in January 2009)

which sets:

- The obligations of operators of payment systems;

- The arrangements for overseeing payment systems;

- Sanctions and other various provisions.

Strengthening the powers of the supervisory authority of BAM and align the Moroccan legislation on international standards in this area

NEW PAYMENT SYSTEM PROJECT LAW

A working group has been established for the drafting of a law on the monitoring of financial markets andissuers of means of payment

The law details the institutional framework , the conditions of exercise , the obligations of the FMI and BAMoversight modalities.

Disciplinary and penal sanctions applied in case of non-compliance with legal and regulatory requirements

8

Maintain public confidence in non-cash means of payment

Developing financial inclusion thanks to the resiliency and modernization of FMIs

Contribute to financial stability: prevention of systemic risk and reduction of contagion risks

FMIs OVERSIGHTOBJECTIVES & MODALITIES

A

B

C

Limitation of this non-risk-based oversight methodology. The need to develop a new approach, through the implementation of a tool to support the rating of FMIs.

OBJECTIVES

01

Notification of systemicimportance to the systemoperator and settingrequirements and obligationsto be met.

CLASSIFICATION OVERSIGHTNOTIFICATION FOLLOWING UP

Classification of paymentsystems according to theirdegree of systemicimportance taking intoaccount the nature andvolume of operations, thenumber of participants,the interdependencebetween this system andother systems.

• Oversight on documents• On-site assessment based

on an annual controlprogram taking into accountthe above parameters:

- Anteriority rule: 3 yearsfor systemic FMIs and 5years for others;

- Taking into accountrecommendations frominternational bodies(BIS, FSAP, ...).

Follow-up the implementationof recommendations andactions plan.

02 03 04

RISK BASED ASSESSMENT TOOL

The assessment tool serves a dual purpose:>Micro-prudential supervision and effective planning of controls.>Evaluation of the pillar "resilience of FMIs" as part of the work on financial stability

RIsk Based Assessment Tool, developed in-house, is inspired by the ORSOMsystem of the FEDand has been validated by the World Bank.

1

9

2

RIBATis basedonfivecategoriesissuedonBISprincipalsfor FMIs:

OrganizationP1: Legal basisP2: GovernanceP3: Framework for comprehensivemanagement of risks

Risk ManagementP4: Credit riskP5: CollateralP6: MarginP7: Liquidity riskP14: Segregation and portabilityP15: General business riskP16: Custody and investment riskP19: Tiered participation arrangementsP20: FMIs links

SettlementP8: Settlement finalityP9: Money settlementP10: Physical deliveriesP11: Central securities depositoriesP12: Exchange of value settlement systemsP13: Participant default rules and procedures

Operational riskP17: risque opérationnel

Market Support, Access and TransparencyP18: Access and participation requirementsP21: Efficiency and effectivenessP22: Communication procedures and standardsP23: Disclosure of rules, key procedures, and market dataP24 : Disclosure of market data by traderepositories

RIBAT

RISK BASED ASSESSMENT TOOL

10

> Evaluation of theimportance of eachessential considerationKC (a principle consistingof a set of KC), on ascale of 1 to 3 with regardto the impact of its non-observation on theresilience of the MFI

> Obtained by the ratingof the conformity ofeach KC constitutingeach domain, weightedby their degree ofimportance (step 0).=>weighted average ofKC ratings.

Methodology of scoring

Evaluation of theimportanceof KCs0 Rating of KCcompliance1

> Rating of KCcompliance on a 1 to 5risk scale based on themonitoring work of MFIsagainst BIS principles(PFMIs).

Rating of domains2 Rating of FMI risks3

> Obtained from thearithmetic mean ofdomain ratings, andbased on expertjudgment.

1: Low

2: Moderate

3: Critical

Low

risk

Hiig

h ris

k

BIS Evaluation Scale Risk scale

Observed 1 (Very low)

Globally observed 2 (Lcw)

Partially observed3 (Moderate)

4 (High)

Not observed 5 (Critical)

> Establishing nextyear’s supervisory plan.> Following an extensivesupervisory approach tosensitive areas.> Submit an annualsynthesis of the RIBATresult to the FMI.

Output4

> Rating of the FMI pillar“Resilience of FMIs” tocontribute to theassessment of risksrelated to financialstability.> This rating representsthe average of domainsratings of the all FMIs.

This rating is validated by an Executive Committee who did not contribute to the oversight.

Financial Stability5

FMIs in Morocco: Overview and Oversight framework

AGENDA

Monitoring Cyber Risks and incidences

New challenges

2

1

3

•12

ROLE OF THE CENTRAL BANK IN CYBER-SECURITY

Paid close attention to the associated risks, particularly those related to cyber-resilienceand transaction security.

Invite the various players in the payments market to reinforce the security of theirinformation systems against cyber attacks and to strengthen the capacities of theirhuman resources and implement strong tools and methods of detection of intrusions.

Identify critical infrastructures to maintain the cyber-resilience of financial marketinfrastructures (FMIs).

DIGITAL TRANSFORMATION IN THE PAYMENT MARKET

NEW PLAYERS

OVERSIGHT OF CYBER-SECURITY

Bring sensitive information systems into compliance with legal and regulatoryrequirements.

Participate to seminars and workshops to share best practices with the banking sectoroperators (Instutions and infrastructures).

LEGAL AND REGULATORY FRAMEWORK OF CYBER-SECURITY National Directive of Information Systems Security

Decree related to protection of sensitive information systems of critical infrastructure (N°2-15-712)

Law No. 09-08 on the protection of individuals with regard to the processing of personal data

Law No. 53-05 relating to electronic exchange of legal data

1

2

3

4

In 2016, BAM was appointed as a coordinator, with the InformationSystems Security Departement, for the banking sector (By Decree)

5

ACTUAL ACHIEVEMENTS

03

Report any Cyber-security incident to ma-Cert ;Ma-Cert: Moroccan Computer Security Incident Response Team within the National DefenseMinistry

Identify its sensitive information systems according to the ISSND principles;Host sensitive Data on the national territory

Classify its SIS based on the « Impact Scale » that is well established by the decree.

Implement a Business Continuity Plan.

Conceive a robust cyber-security framework for risk identification and incident management.

Notified FMIs have to

Based on the decree and the NSSID, Bank Al Maghrib has identifyand notify the FMIs that represent a Vital importance caracter.

02

01

04

05

An infrastructure is critical in case ofone of This conditions :

> It’s the only payment system in thecountry that can operate a certaintransactions

> Gross revenu Payment system (Bigfinancial impact)

> Financial market infrastructure forclearing and setteling market transaction

> Payment system which is releated tomany other systems (Risk of contagion)

15

FMIs in Morocco: Overview and Oversight framework

AGENDA

Monitoring Cyber Risks and incidences

New challenges

2

1

3> Payment Institutions

> National mobile payment solution

> Instant payment

> Crypto-assets regulation

> New digital strategy of Bank Al Maghrib

17

PAYMENTINSTITUTIONS

TherevisedBankinglaw(2015) hasbeenextendedto includenewtypeof paymentservicesproviders:Paymentinstitutions

Advantages

increased competition Lower costs than traditional services

Product diversification Cash reduction Increased awareness offinancial services

Accessto Moroccopaymentschemesfor PaymentInstitutions

The chosen mode of participation in RTGS and SIMT was indirect participation to benefit from lower participation costs andlight requirements and to control the risk related to these payment institutions.

18

m-walletSwitch

Issuer Receiverm-wallet M-payment platform

M-payment platform

Mobile Channels (USSD, Data) Electronic payment channels (type ISO 8583)

Project scope

Routing table

The solution is structured around a decentralized architecture allowing each establishment to independently manage its products and servicesInfrastructure hosting mobile payment in Morocco

Technical specifications

Ensuring interoperability of mobile transactions

Minimizing impact on transaction fees

Minimizing IT impact on banks and payment institutions

Capitalizing on existing infrastructure to launch mobile payment quickly1

2

3

4

A new regulation issued by central bank to insure a smooth functioning of mobile payment

Defining several rules about in particular dispute

management/Incident Management/Marketing …

Defining measures to insure the protection of users of this

payment instrument

Enhancing the existing exchange protocol.

Specific pricing by limiting the fees for mobile payment.

1

2

3

4

NATIONALMOBILE PAYMENT SOLUTION

Specification of technical and functional rules and interfaces

ICO> Not prohibited (exceptChina, Spain, Australia)

Platforms for buying and selling crypto-assets against fiduciary flat money> Are not prohibited

Blockchain / DLT> Several countries recognizethe potential of Blockchain/ DLT

19

SmartContrats>Are not prohibited

Custodyand and storage> Are not prohibited

Mining> Not prohibited (except China)

Crypto-asset tradingplatforms> Are not prohibited

Payment by crypto-assets> Not allowed in mostjurisdiction

CRYPTO-ASSETS REGULATION

Crypto-assetValue Chain

Draw up a road map of theworking group between centralbank and otherauthorities/stakeholders toaddress the following issues :

- Assign a legal qualificationto crypto-assets;

- Reflect/discuss on theappropriate regulation ofCrypto-asset taking intoaccount the entire value chain.

Roadmap for Crypto-assets regulation

INSTANT PAYMENT

Transmission of the payment message and the availability of fundsto the end user in real time, on a 24/ 7basis.

Increase of direct credit New channels Strategy

increase of the number of transfers exchanged via

the GSIMT42.2% of total exchanges

Emergence of new technologies facilitating instantaneous transfers

Credit transfers have been set up as a strategic focus

for central banks

Interbank payment period relatively long

j + 1 for the direct credit

Mot

ivat

ions

Reduction of cash and the substitution, in the long

term, of the check

Implementation of a working group with banks and GSIMT to study the functional, regulatory andtechnical prerequisites for the implementation of instant payment at the domestic level.

A concept note is being developed by GSIMT to determine the technical and financial issues of theproject, legal and regulatory aspects, and the necessary adjustments to the SRBM settlementprocesses.

20

21

NEW DIGITAL STRATEGY OF BANK AL MAGHRIB

A central bank model in terms of digital transformation at the service of its fundamental missions

Automation Agile & smart Opening Purpose driven

> Reengineering supportprocesses to better makeits core business

> Streamline internalprocesses serving theecosystem

> Adopt a more flexibleorganizational andgovernance model

> Open to digital and agilework mode

> Smart proportional riskregulation

> Dialogue and adapt tothe needs of theecosystem

> To work for a smartregulation

> Mobilization ofexternal expertise anda Lab

> Prioritize digitalinitiatives according totheir impact onBAM's fundamentalmissions

> Make digitizationefficient

Culture and Skills

Explore the opportunity of usingdigital innovations such asRegTech and SupTech (whichincludes data collection andanalysis) to improve theeffectiveness of oversight.

22

IT SOLUTION FOR FMIs MONITORING

Data related to the FMIs monitoring arecommunicated to Bank Al Maghrib by email andare developed manually. That involve many riskssuch as:

Delays in submission of data Incomplete data Low quality of data Human error

BAM has included, in its triennial strategic plan 2016-2018, a project to setup an IT solution for FMIs monitoring. The functional specifications of thissolution have already been developed during the first semester of 2018.

To facilitate the collection and management of data qualityand reliability, Bank Al Maghrib is studying the possibility ofdirectly using standardized interfaces such as APIs for theimplementation of this solution.

Current state

Some Advantages of APIs

Allow FMIs to submit high-quality, granular data digitally and automatically to BAM withhigher frequency;

Enable BAM staff to make data validation faster and analysis sharper by generatingcustomized reports for supervisory and policy development purposes in different formatsand near-real time;

API-based compliance reporting can make high-quality financial and data available topower policy simulation engines.

THANK YOU FOR YOUR ATTENTION