THE BANGKO SENTRAL ng Pilipinas (BSP) has approved a regulatory framework for merchant payment acceptance activities to protect both customers and merchants from risks.
“The Bangko Sentral recognizes that enabling merchants to accept different forms of payments for the sale of goods and/or services in a safe and efficient manner is vital in facilitating the smooth flow of funds in the economy and contribution to the wide adoption of digital payments in the country,” it said in a circular.
The Monetary Board approved the framework in a resolution dated July 11. New sections will be added to the Manual of Regulations for Payment Systems.
Under the circular, merchant payment acceptance activities (MPAA) are defined as the set of services provided to a merchant to receive payment for sale of goods and/or services.
“In general, services include merchant acquisition; providing the means to accept various payment instruments and collect, secure, transmit and process payment information; and providing support services related to the payment,” it added.
Operators of payment systems (OPS) engaged in or planning to engage in MPAA are expected to comply with the requirements of the framework and must also observe governance and risk management measures commensurate to the activities they perform, according to the circular.
“For digital payments to thrive, minimum standards and good practices must be established to safeguard the funds received from customers of merchants; and protect the rights and interests of end users (i.e., merchants) that deal with operators of payment systems that engage in MPAA.”
It also seeks to mitigate risks related to settlement, operations, information technology, anti-money laundering and countering terrorism and proliferation financing, and end-user protection.
Operators of payment systems must also secure authority from the BSP prior to engaging in merchant acquisition.
However, banks and electronic money issuers-nonbank financial institutions that intend to engage in merchant acquisition as part of their normal or allowed business operations do not need to apply for a separate license from the BSP.
The rules also set the minimum required capital for operators granted a merchant acquisition license (MAL) at P5 million if the average monthly value of collected funds transferred to merchants in the applicable period is less than P100 million.
If the average monthly value is P100 million and above, the minimum required capital is at P10 million.
“The minimum required capital shall be computed as paid-in capital stock plus additional paid-in capital, deposit for stock subscription, retained earnings, and undivided profits, less intangible assets,” it added.
The framework also sets rules for the governance of merchant acquisition services, including merchant due diligence, risk assessment, monitoring, and dispute resolution, among others.
Operators must also ensure “timely and complete funds settlement” with merchants.
“The settlement period shall be agreed upon by the OPS-MAL and the merchant, but shall not be longer than two business days from the day the funds are received by the OPS-MAL for transfer to a merchant,” it said.
“In the event that the payment cycle stated in the merchant agreement is more than the agreed maximum number of days as stated above, an OPS-MAL shall submit justification, including supporting documentation, to the appropriate supervising department, subject to prior approval of the Bangko Sentral,” it added.
Pricing mechanisms must be “reasonable, transparent, market-based and proportional to the cost of services offered in order to sustain the business operations of parties involved,” the BSP said.
The framework also details the reportorial requirements for operators, including annual audited financial statements and other documents.
Operators must also create an information technology risk management system that is “risk-based, commensurate with the size, nature, types of products and services, and complexity of its information technology operations.”
“There shall be a robust and effective information technology and security risk management framework and process, including corresponding governance structures and controls, to ensure financial stability, operational resilience, and end-user protection,” it added. — Luisa Maria Jacinta C. Jocson
