New Regulations Ahead: Reporting Obligations for Payment Companies and License Holders
The Israel Securities Authority recently published a draft of a new directive for payment companies and holders of basic initiation licenses or approvals regarding reporting to the Authority. According to the Draft, payment companies and holders of basic initiation licenses or approvals are required to submit annual, semi-annual, quarterly, and immediate reports on various topics, such as audited or reviewed financial data, operational data, compliance with capital requirements, technological measures, corporate governance, compliance etcetera.
The reporting obligations will apply to these companies immediately upon receiving a payment company license from the ISA.
Request for Public Feedback
Alongside the publication of the Draft for public comments, the ISA also invited specific feedback on several proposed obligations that are expected to impose a regulatory burden on payment companies, particularly those with small to medium-scale operations. Feedback is requested by October 9, 2024.
The Draft is based on reporting guidelines established by the FCA in England and the EBA in Europe. Additionally, the ISA seeks to expand the reporting obligations in some cases, particularly regarding the frequency of required reports. The reporting obligations, if accepted as proposed, will be broader than those to which companies supervised under the Supervision of Financial Services Law are accustomed.
Key Points of the Draft:
Annual Reports
Payment companies and holders of basic initiation licenses or approvals are required to submit annual reports by March 31 each year, which will include the following:
- Activity Data Report – including:
- Number of customers and data on the scope of activity;
- Number of payment accounts managed by the company and their balances;
- Details of the five largest customers, including their activity relative to the company’s total activity;
- Audited annual financial statement.
- Capital Requirements Report – including:
- Credit portfolio;
- Amount of equity, detailed calculation, and its composition;
- Data on the company’s activity according to the capital requirement directive.
- Technological and Information Security Measures Report – including:
- Auditor’s opinion based on an annual audit plan according to the information security directive;
- Risk assessment, including a list of business processes, risk assessments, and risk mitigation measures.
- Corporate Governance Report – including:
- Updated details on senior officers, organizational structure, and company holdings.
- Compliance and Risk Management Report – including:
- The annual report of the compliance officer and the updated risk map.
- Outsourcing Report – regarding new outsourcing arrangements.
Quarterly Reports
The ISA also requires quarterly reports beyond what is standard in other countries, and public feedback is specifically requested on this matter.
- Activity Data Report – including:
- Number of customers and data on the scope of activity;
- Number of payment accounts managed by the payment company, their balances as of the report submission date, and information on changes during the reporting period;
- Number of payment accounts to which access has been given for purposes of the provision of initiation services, the number of initiation instructions performed, and their total value;
- Characteristics of the five largest customers, their activity relative to the company’s total activity, and the percentage of this activity in relation to the company’s total activity;
- Total interest accrued from holding customer funds and total interest paid to customers, including information about future interest payments and the sources for these payments, as well as the average and range of interest rates paid during the reporting period.
- For payment companies providing credit services, reporting on credit activity is required, including the total credit provided during the reporting period, the credit balance at the end of the reporting period, the unused credit limit, the average credit transaction amount etcetera.
- Payment companies providing currency exchange services, ATM services, or any other regulated financial activity must report the scope of such activities, both as a percentage and in value, relative to the company’s total payment services, including details on revenue from these activities. For currency exchange services, information on the types of currencies held must also be provided.
- Equity, Insurance, and Other Securities:
- Credit portfolio and its calculation method;
- Amount of equity, detailed calculation, and its composition, including the primary capital amount, total equity, additional capital amount, and equity breakdown by tiers;
- Data on the company’s activity, according to the capital requirement directive, categorized by the type of payment service and activity multiplier.
- Payment companies providing credit services, interest-bearing services, and those with significant activity (over 100 million NIS annually or over 150 million NIS for account management services) must submit quarterly reports on equity, insurance, or other securities based on a reviewed quarterly financial report, along with the report itself.
- Assets Where Customer Funds are Held – including:
- Balance of assets as of the last day of the reporting period, categorized by asset type, quantity, and currency;
- Details of the fund custodians with which the payment company has entered into agreements, the scope of assets held with each of them, and the company’s accounts with them.
Semi-Annual Reporting
The Draft requires semi-annual reporting on abuse, which will include details on the number of payment orders executed during the course of the abuse, their relative share, and their financial value.
Immediate Reporting
The Draft also requires immediate reporting in the following instances:
- Events specified in Section 20(a) of the Law;
- Events with a material impact on the license holder, their clients, or payment services;
- Changes in contact information or other details provided when submitting the license application;
- Significant changes in the business of the license holder or senior officers;
- Realization or high probability of operational or information security failures.
Feedback can be submitted to the ISA until October 9, 2024, after which the final rules are expected to be published.
Click here for more updates in the field of Regulation.
Our Regulation Department is at your service for questions on this topic and others.
We are available for any questions, comments, or feedback as mentioned above.