Table of contents
Prudential standard
APS 610 Prudential Requirements for Providers of Purchased Payments Facilities
-
Current11 May 2023
Prudential framework pillars
About this standard
This standard requires a purchased payment facility provider to meet requirements in line with its risk profile. Purchased payment facility providers must also meet other prescribed requirements.
This standard forms part of the Financial Resilience Pillar. It applies to purchased payment facility providers.
Objectives and key requirements of this Prudential Standard
This Prudential Standard requires authorised deposit-taking institutions (ADIs) that have obtained an authority to provide purchased payment facilities (PPFs) to meet prudential requirements commensurate with their risk profile. These ADIs form a class of known as purchased payment facility providers (PPF providers). They are not authorised to conduct general banking business.
This Prudential Standard sets out the ADI prudential standards that apply to PPF providers, as well as additional requirements applying to PPF providers that have at risk.
The key requirements of this Prudential Standard for PPF providers with stored value at risk are:
- a PPF provider must maintain Common Equity Tier 1 Capital above its prudential capital requirement (PCR) at all times;
- a PPF provider with stored value at risk must hold, at all times, high quality liquid assets equal to its ; and
- a PPF provider with stored value at risk must meet certain operational risk requirements.
ADI
ADI has the meaning given in subsection 5(1) of the Act.
stored value
stored value - means the balance of funds represented on purchased payment facility (PPF) devices or PPF accounts held by beneficiaries for the purpose of making payments; and
stored value liabilities
stored value liabilities - means the aggregate liabilities of a PPF provider to beneficiaries to complete payments made with PPF devices or PPF accounts, and the outstanding obligations to payees for payments made but not yet settled.
Preamble
Banking (prudential standard) determination No. 3 of 2023
Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities
Banking Act 1959
I, Clare Gibney, a delegate of :
under subsection 11AF(3) of the Banking Act 1959 (the Act) REVOKE Banking (prudential standard) determination No. 6 of 2014, including Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities made under that determination; and
under subsection 11AF(1) of the Act DETERMINE Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities, in the form set out in the schedule, which applies to ADIs that are providers.
This instrument commences upon registration on the Federal Register of Legislation.
Dated: 11 May 2023
Clare Gibney
Executive Director
Policy and Advice Division
Interpretation
In this instrument:
APRA means the Australian Prudential Regulation Authority.
ADI has the meaning given in subsection 5(1) of the Act.
purchased payment facility has the meaning given in section 7 of the Payment Systems (Regulation) Act 1998.
Schedule
Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities comprises the document commencing on the following page.
Prudential Standard APS 610
Prudential Requirements for Providers of Purchased Payment Facilities
Authority
This Prudential Standard is made under section 11AF of the Banking Act.
Application
This Prudential Standard applies to purchased payment facility providers (PPF providers).
APRA
APRA means the Australian Prudential Regulation Authority.
purchased payment facility
purchased payment facility has the meaning given in section 7 of the Payment Systems (Regulation) Act 1998.
Applicable ADI prudential standards
Prudential standards that apply to PPF providers are:
until 30 June 2025, Prudential Standard CPS 231 Outsourcing (CPS 231);
until 30 June 2025, Prudential Standard CPS 232 Business Continuity Management (CPS 232);
on and from 1 July 2025, Prudential Standard CPS 230 Operational Risk Management;
Interpretation
Terms that are defined in Prudential Standard APS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
Where this Prudential Standard provides for APRA to exercise a power or discretion, this power or discretion is to be exercised in writing.
In this Prudential Standard, unless the contrary intention appears, a reference to an Act, Regulations or Prudential Standard is a reference to the Act, Regulations or Prudential Standard the instrument as in force from time to time.
Definitions
The following definitions are used in this Prudential Standard:
stored value - means the balance of funds represented on purchased payment facility (PPF) devices or PPF accounts held by beneficiaries for the purpose of making payments; and
stored value liabilities - means the aggregate liabilities of a PPF provider to beneficiaries to complete payments made with PPF devices or PPF accounts, and the outstanding obligations to payees for payments made but not yet settled.
Adjustments and exclusions
APRA may adjust or exclude a specific prudential requirement in this Prudential Standard in relation to one or more specified PPF providers.
Previous exercise of discretion
A PPF provider must contact APRA if it seeks to place reliance, for the purposes of complying with this Prudential Standard, on a previous exemption or other exercise of discretion by APRA under a previous version of this Prudential Standard.
Prudential requirements for PPF providers with stored value at risk
The remainder of this Prudential Standard sets out requirements that apply to all PPF providers with stored value at risk.
Stored value at risk
A PPF provider is deemed not to have stored value at risk if the PPF provider can satisfy APRA that:
the PPF provider does not itself have any stored value liabilities; or
the PPF provider has stored value liabilities but:
the funds received in exchange for stored value on PPF devices or in PPF accounts are deposited in an account held with an ADI until settlement to payees occurs; and
the PPF provider has no operational control of the account; and
no creditors aside from the beneficiaries or payees of the stored value can have legal recourse to the assets held in this account in the event the PPF provider becomes insolvent or is wound-up.
Responsibility for capital adequacy
The Board of Directors (Board) of a PPF provider must ensure that the PPF provider maintains an appropriate level of capital commensurate with the level and extent of risks to which the PPF provider is exposed from its activities. To this end, the PPF provider must:
have adequate systems and procedures in place to identify, measure, monitor and manage the risks arising from its activities to ensure that capital is held at a level consistent with the PPF provider’s risk profile; and
maintain and implement a capital management plan, consistent with the overall business plan, for managing its capital levels on an ongoing basis. The plan must set out:
the PPF provider’s strategy for maintaining capital resources over time, for example, by outlining its capital needs for supporting the degree of risks involved in the PPF provider’s business, how the required level of capital is to be met, as well as the means available for sourcing additional capital where required; and
actions and procedures for monitoring the PPF provider’s compliance with minimum capital adequacy requirements, including the setting of trigger ratios to alert management of, and avert, potential breaches to the minimum capital required by APRA.
Minimum capital adequacy requirements
A PPF provider must maintain Common Equity Tier 1 Capital above its prudential capital requirement (PCR) at all times. The minimum PCR for a PPF provider is 4 per cent of total outstanding stored value liabilities. APRA may change a PPF provider’s PCR at any time, including on account of a supervisory review. APRA may express a PCR as a minimum dollar amount. A PPF provider must not publicly disclose its PCR.
Examples of Common Equity Tier 1 Capital include paid-up ordinary shares and retained earnings. Prudential Standard APS 111 Capital Adequacy: Measurement of Capital details the criteria financial instruments must meet to be classified as Common Equity Tier 1 Capital.
A PPF provider must continuously monitor its stored value liabilities. If a PPF provider is unable to do so, it must determine if paragraph 14 applies by using the highest value of stored value liabilities held over the preceding six month period, measured in a manner approved by APRA.
Liquidity and asset requirements
A PPF provider must hold at all times high quality liquid assets equal to its stored value liabilities. High quality liquid assets must be free from encumbrances (except where approved for a prudential purpose by APRA). Eligible assets include:
cash;
securities eligible for repurchase transactions with the Reserve Bank of Australia;
bank bills and CDs issued by ADIs provided the issue is rated at least ‘investment grade’ (refer to Attachment C to Prudential Standard APS 116 Capital Adequacy: Market Risk);
deposits (at call and any other deposits readily convertible into cash within two business days) held with other ADIs; and
any asset approved by APRA (subject to any conditions imposed by APRA) as a high quality liquid asset for the purposes of this Prudential Standard.
Operational risk
The Board and senior management of a PPF provider must develop, implement and maintain a risk management framework to address operational risk that is appropriate to the size, complexity and business mix of the PPF provider.
The management of operational risk must include, but is not limited to, the risks associated with:
the integrity of transaction data and timely processing of transactions;
appropriate back-up and disaster recovery plans and facilities, including resilient critical processing systems (refer to CPS 232);
regular testing of business continuity and disaster recovery arrangements (refer to CPS 232);
outsourcing risk management to any third-party service providers (refer to CPS 231);
internal and external fraud risk management, which must include the following elements:
risk identification and assessment;
internal controls and mitigation strategies;
segregation of duties at both an operational level and in relation to functional reporting lines;
financial accounting controls; and
staff training and awareness;
controls against information security and physical security risks; and
compliance obligations regarding relevant laws and regulations, for example those relating to licensing requirements under the Corporations Act.
A PPF provider must have in place effective management information systems and monitoring mechanisms to assist with early detection and correction of deficiencies in procedures for managing operational risk.
A PPF provider must consider the imposition of a limit on the amount of stored value that can be loaded, stored or paid on a device or account purchased from the PPF provider. APRA will closely examine any facility that allows a purchaser to load, store, or pay sizeable amounts of money to ensure that the integrity of the facility is not compromised. Where a PPF provider is involved with this type of facility, it must ensure that it has in place adequate systems for the identification of purchasers and the recording and tracing of transaction data.
A PPF provider must not be involved in providing PPFs that do not have a reasonable limit on the amount that can be loaded, stored or paid on a device or account, or provide an audit trail of purchaser and transaction information. Australia’s anti-money laundering regulator and specialist financial intelligence unit is the Australian Transaction Reports and Analysis Centre (AUSTRAC), and a PPF provider must comply with all anti-money laundering requirements, including customer due diligence, as administered by AUSTRAC.
Notification requirements
A PPF provider must comply with section 62A of the Banking Act in respect of any breach of a requirement of this Prudential Standard, including:
any breach of the minimum capital adequacy requirements (refer to paragraph 14) and any potential breach of these requirements (e.g. breaches of trigger ratios set under paragraph 13(b)(ii)), including remedial actions taken/planned to deal with the problem; and
any breach of its minimum liquidity holdings, or concerns over the adequacy of its liquidity holdings.