Resolution No. SB-2023-02416 of the Superintendency of Banks

On November 21, 2023, the Administrative Resolution No. SB-2023-02416 which resolves as the sole article to add the CHAPTER VI “Standard of Qualification, Supervision and Control for the Technological Financial Services Entities; and, of the Issuance of the License for the Exercise of Fintech Activities of the Specialized Electronic Deposit and Payment Companies”, of Title II “Of the constitution and issuance of the authorization for the exercise of financial activities and permits for the operation of the entities of the public and private financial sectors”, Book I “Control Norms for the entities of the public and private financial sectors”, of the Codification of the Norms of the Superintendency of Banks, referring to the secondary regulations of the Fintech Law”. This chapter has 12 sections, 47 articles, 3 general provisions and 1 final provision.

Its objective is to establish the requirements, policies, processes, corporate governance and risk management procedures, including cybersecurity and information security aspects, applicable to financial technology services entities; and, to the Specialized Electronic Deposit and Payment Companies (SEPES), for their qualification and issuance of the license, as applicable.

The following are the most relevant most relevant elements of this Resolution:

SECTION II. ON TECHNOLOGICAL FINANCIAL SERVICES ENTITIES FOR THE DIGITAL GRANTING OF CREDIT.

Incorporation – Entities that grant digital credits shall be incorporated as a Public Limited Company (Sociedad Anónima SA). (Art. 3) Its corporate purpose is specifically and exclusively to carry out technological financial activities. (Art. 4) Excepts crowdfunding. Its corporate name must specifically state “digital credit granting entity”. (Art. 5)

Prohibition of intermediation – Digital credit granting products offered through electronic platforms should not involve the capture of resources from the public for intermediation purposes. (Art. 6) Credit granting entities may only grant products of: (i) granting of direct credit and (iii) issuance of credit cards. (Art. 7)

SECTION III. ON SPECIALIZED ELECTRONIC DEPOSIT AND PAYMENT COMPANIES (SEDPES).

Incorporation –The SEDPES will be incorporated with requirements and procedures already established by the Monetary Board (JPRM). (Art. 10)

Auxiliary Payment System Administrators (ASAP) – in order to render their services to a controlled financial institution and obtain the qualification, they must comply with the provisions of Chapter IV, Title II, Book I of the Codification of the Rules of the Superintendency of Banks and the Operational Risk Rule. (Art.11)

Rating in force – the entities controlled by the Superintendency of Banks that contract with the SEDPES or ASAP must verify that their rating remains in force. (Art.12)

The Superintendency of Banks may revoke the license of the SEDPES and ASAP when: (i) repeatedly fails to provide its services, (ii) affect the rights of the financial user, (iii) fails to comply with the control regulations in force (Art.13)

SECTION IV. ON THE ECONOMIC-FINANCIAL FEASIBILITY STUDY AND TECHNOLOGICAL INNOVATION MODEL FOR FINANCIAL-TECHNOLOGICAL SERVICES ENTITIES AND SEDPES

Pre-constitution requirements – prior to the application for qualification or issuance of the license, the following must be submitted: (Art.14)

  1. Economic-Financial Feasibility Study: An economic-financial feasibility study considering interest rates and tariffs established by the Junta Financiera (JPRF) and Junta Monetaria (JPRM).
  2. Innovation Model: The updated technology innovation and credit technology model.
  3. Strategic Plan: Detail of the strategic plan including (i) market research and competitive position (ii) risk management model, (iii) services and products to be offered (iv) organizational-functional administrative structure,
  4. Contracts: In the case of SEDPES, they must submit the contracts of the channels to be used, consumer and financial services and their risk management and business continuity rules. (Art. 16)

The entities must include and accredit within the Study and Model: (Art.15)

  1. Alternative transaction system (ACD): must contain quotations and operations to be performed in systems or infrastructure, the conditions of access, operation and settlement, and the interruption mitigation strategy.
  2. Order routing: must contain the access and operating conditions of your system and infrastructure, and the outage mitigation strategy.
  3. Credit management model: it must contain the criteria for the treatment of conflicts, the variables, methods, criteria or general guidelines for the evaluation process, and the technology-based innovation model.
  4. Information security, including cybersecurity: should contain ISO/IEC 27000 standards or other international standards that replace it, and clarity in the determination of responsible parties and functions to be fulfilled.

The Superintendency of Banks will transfer the observations of the feasibility study for them to be corrected within 60 days; if they are not corrected, the application for qualification or license will be filed. (Art.17)

SECTION V. COMMON REQUIREMENTS FOR THE QUALIFICATION AND ISSUANCE OF LICENSES – COMMON REQUIREMENTS FOR THE QUALIFICATION AND ISSUANCE OF LICENSES

Once the economic-financial feasibility study and innovation model have been approved, the entities must submit the following common requirements for (i) the qualification of entities of Digital Credit Concession Technology Services and (ii) the issuance of a License for Specialized Electronic Deposit and Payment Companies (Art. 18):

  1. Application – Request for qualification signed by the company’s legal representative or attorney-in-fact. *managers must have at least 4 years of experience in the financial system.
  2. Form – Qualification form published on the web site (Annex 1)
  3. Shareholders’ List – Certified copy of the Company’s shareholders’ list as of the date of filing of the application.
  4. Certificate from the UAFE – Certificate from the Financial and Economic Analysis Unit (UAFE)
  5. Deed of incorporation – Notarized copy of the deed of incorporation containing the articles of incorporation and reason for registration in the Commercial Registry.
  6. Appointment – Notarized copy of the current appointment of the legal representative or attorney-in-fact registered in the Commercial Registry.
  7. SRI and SCVS Certificate – Certificate of compliance with obligations granted by the SRI and the Superintendence of Companies, valid at the date of filing of the application.
  8. Financial statements – Historical financial statements for at least one fiscal year, when applicable, and two-year projected financial statements for new or existing entities. (Annex 2)
  9. Business plan – Business plan with the structure defined and published on the web page of the Superintendency of Banks (Annex 3).
  10. Technological infrastructure – Documentation detailing the technological infrastructure, its capacity and performance, operational risk management methodology and operational risk matrix (Annex 4).
  11. Information security – Plans, policies, processes, procedures and measures for information security management (including cybersecurity).
  12. Business continuity – Business continuity management plans, policies, processes and procedures for the services offered.
  13. Policies and processes – Policies and processes to be implemented to offer digital concession services.
  14. Credit scoring model – Credit scoring model to be applied, with the support of the variables and tests performed,
  15. Projections – Two-year projections of liquidity, solvency and technical equity
  16. Digital processes – Digital processes used for tracking and monitoring of loans granted.

SECTION VI. QUALIFICATION AND LICENSE ISSUANCE PROCESS

Once the Superintendency of Banks receives the application for qualification or license, it will admit it for processing if it meets the aforementioned requirements, and will proceed to verification (Art.19). The Superintendency may require any additional document or information to verify compliance with the requirements, for which the applicant has a term of 10 days to comply, otherwise it will be filed (Art. 20). Prior to the issuance of the qualification resolution, the Superintendency may order the amendment of the bylaws and the increase of the paid-in capital of the applicant entity. (Art. 21). The Superintendency of Banks will resolve the qualification within a maximum term of 60 days from the presentation of all documents. (Art. 22)

SECTION VII. INTERNAL POLICIES AND PROCESSES

SECTION VIII. PROCEDURE FOR THE DIGITAL GRANTING OF CREDITS

Digital credit granting entities shall:

  1. Customer identification and authentication procedures – Implement security mechanisms in its platforms in accordance with the Codification of the Rules of the Superintendency of Banks and protection of personal data. (Art. 29)
  2. Scoring and risk modeling procedures – Implement scoring and risk modeling systems to assess the creditworthiness and credit risk of applicants. (Art. 30)
  3. Collection Management Procedures – Establish collection management procedures. (Art. 31)
  4. Reporting Procedures – Maintain procedures for the generation of accounting reports. (Art. 32)

SECTION IX. CORPORATE GOVERNANCE

SECTION X. RISK MANAGEMENT AND ADMINISTRATION

  1. Risk assessment and rating – entities applying for qualification or licensing must carry out a risk assessment. (Art.37)
  2. Cybersecurity and information security risk assessment – technological entities must implement mechanisms to monitor their platforms. (Art. 38)
  3. Operational risk monitoring and control – financial technology services entities must implement monitoring and control mechanisms for their platforms. (Art.39)
  4. Money laundering risks – digital credit granting entities must implement mechanisms, processes and procedures in accordance with the Codification of Rules of the Superintendency of Banks. (Art. 40)

SECTION XI. CYBERSECURITY AND INFORMATION SECURITY.

The entities that carry out Technological Financial Services activities, as well as the SEDPES and the ASAPs, must comply with the provisions of Articles 24, 25 and 26 of Section VIII, Chapter V, Title IX, Book I. (Art. 41).

These entities shall: (i) Implement data security policies and procedures. (ii) Establish measures to protect against cyber threats. (iii) Develop a security incident response plan that establishes clear procedures for the identification, notification, containment and recovery of security incidents. (iv) Provide ongoing cybersecurity training to its personnel. (v) Conduct periodic information security audits and vulnerability testing. (Art. 42)

SECTION XII. ACCOUNTING TREATMENT-

The technological financial services entities will apply the accounting regime issued by the Superintendency of Banks. (Art. 47)

If you are interested in setting up and certifying a financial technology activity, a SEPDES or an ASAP. We recommend you to schedule a meeting with our team to review the outline of the new requirements and raise guidelines on the procedure to follow to successfully achieve it according to the standard.

If you are interested in setting up and certifying a financial technology activity, a SEPDES or an ASAP. Contact us at
ateran@heka.com.ec

Noticias relacionadas

Leave A Reply