List of Requirements
a) Overview of the Company including its history, date it was founded, registered business address in Ghana (including digital address), registration documents from the Registrar General’s Department, a synopsis of the service to be offered;
b) Details of External Auditors/Accountants, and Bankers and all third-party service providers.
a) Profile of shareholders indicating respective percentage shareholding and nationality
b) Shareholders Agreement and copies of share certificate
c) Attestation from a notary public confirming ultimate beneficial owner(s) with 10% or more of total share ownership or voting rights
d) Number and profile of Board of Directors as required by the Payment Systems and Services Act, 2019 (Act 987), and Key Management Personnel
e) Organisational Chart
f) Profile of promoters where applicable.
a) Covering business overview, market analysis, products and services to be offered including transactional limits, on-boarding process and Fees or Commissions to be charged where applicable
b) Five-year financial projections for the proposed business.
Systems and Technology
a) Information, Communication and Technology (ICT) Systems to be deployed
b) ICT Architecture diagram highlighting Security and Control
c) ICT Policy Framework
d) Security and Control (including: Transaction Monitoring Tool, Fraud Monitoring and Detection Tool and at least two-factor authentication)
e) Business Continuity Program (including Disaster Recovery Plan)
f) Data Protection Certificate
g) ISO 27001 Certification and Compliance where applicable
h) PCI DSS Certification and Compliance where applicable
i) EV-SSL Tool where applicable
j) Vulnerability Assessment/Penetration Test
k) ICT Risk Assessment and Mitigation Measures.
Enterprise Risk Management
a) Risk and Mitigation Measures covering Operational, Market, Liquidity, Fraud, Legal, Credit and Funding Risks where applicable
b) Business Impact Assessment (BIA)
c) Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) Policy.
Consumer Protection Policy
The Policy should be guided by the Consumer Recourse Mechanism Guidelines for Financial Service Providers (2017)
I. Regulations of Incorporation:
- Regulations of Incorporation for DEMIs should include a provision that electronic money owed to the customers is held in trust and shall not be encumbered in case of insolvency or liquidation.
- Business object in the Regulation of Incorporation should read “Dedicated Electronic Money Issuer, Payment Service Provider or Payment and Financial Technology Service Provider”.
II. Submission of copies of Service Level Agreement (SLA) with all partnering institutions.
III. Shareholders, Directors and Key Management Personnel are required to complete Personal Questionnaire Forms (Available on the Bank of Ghana website with the reference “BOG/FIO-001”)
IV. Eligibility Criteria for Shareholders and Directors of applicant companies:
- A shareholder should not have been convicted of an offence involving a financial transaction by a court of competent jurisdiction within the past ten years;
- A shareholder should not have filed for personal bankruptcy;
- A shareholder should not have been disqualified from practising a profession by a professional body;
- A shareholder should not have been involved in a past or present managerial function of a body corporate or other undertaking that has been a subject of insolvency or liquidation proceedings;
- The information provided by a shareholder in support of an application should not be false or misleading;
- A Significant Shareholder is required to provide evidence of the source of funds;
- The directors of the company must meet the fit and proper persons requirements (Fit and Proper Directive July 2018, available for download on the Bank of Ghana website).
V. Minimum of three Directors
VI. Key Management Directors refers to:
- Chief Executive Officer
- Technology and Systems Manager
- Compliance and Risk Manager
- Finance Manager
VII. In the case of an existing business, up to three years' audited financial statements and management accounts for the current year and immediate past year.
VIII. ICT Policies should include:
- Data Protection Policy
- ICT Acceptable Use Policy
- ICT Monitoring Policy
- ICT Information and Cyber Security Policy
- Remote Working Policy
- Data Collection and Sharing Policy
- Data Security Incident Procedure
IX. PSP Medium Licence Applicants are required to be ISO 27001 compliant.
X. PCI DSS standards apply to any organisation that holds, processes, or passes cardholder information from any card branded with the logo of any of the card brands. PSP Medium applicants are required to be PCI DSS compliant where applicable.
XI. PSP Standard Licence Applicants require Simple SSL where applicable.
XII. Risk and Mitigation Measures should be specific to the operations of the company.
XIII. In line with the Anti-Money Laundering Act 2020 (Act 1044) and AML/CFT guidelines 2018.
XIV. Available for download on the Bank of Ghana website (www.bog.gov.gh).