Prudential Standard

This standard aims to ensure that ADIs implement proper measures to monitor and control the risks associated with their credit card activities.

  1. The Board of an ADI must ensure that the ADI has established a comprehensive risk management process for managing and monitoring the risks associated with its credit card activities.  This should include policies, systems and procedures for approving new merchants and credit card applicants, ongoing monitoring of their credit quality, and fraud control.
  2. The Board and senior management of an ADI should receive and review regular reports which detail risk management information on its credit card operations such as the number of new merchants and cardholders, account attrition, portfolio compositions, sales volumes, credit quality, chargebacks and frauds.

Credit Risk

3.             The primary risk to credit card issuers is credit risk.  Card issuers reimburse card acquirers for transactions on behalf of their cardholders and undertake the associated risk that the cardholder will not make payment as expected.  As a result, credit risk management is critical for credit card issuers.

4.             Issuing ADIs must establish prudent credit policies and procedures for approving new cardholders and determining credit line size (including

policies and procedures for approval of overlimits).  Where credit scoring models are used, the methodology and experience with these models must be kept under continual review.

5.             Issuing ADIs must have adequate policies, systems and procedures in place for measuring, reporting, monitoring, and provisioning for, delinquent accounts and bad and doubtful loans (see APS 220 – Credit Quality).

6.             Credit risk also arises for credit card acquirers where merchants fail to reimburse them for chargebacks (reversed transactions due to the return of faulty goods by cardholders, non-delivery of goods and services by merchants or merchant fraud).  To manage and monitor such risk, acquiring ADIs must establish prudent underwriting standards and procedures for approving new merchants as well as ongoing review processes for assessing the operational and financial condition of merchant customers.  There must be adequate policies, systems and procedures in place for monitoring merchant chargebacks.  Acquiring ADIs must monitor trends in chargebacks and merchant capacity to repay these chargebacks, and take appropriate risk management measures (e.g. posting of collateral, pre-funding, performance guarantees, etc) where risk concerns exist with particular merchants.

7.             Issuing and acquiring ADIs must establish policies, systems and controls to limit and monitor credit concentrations to particular customers (see APS 221 – Large Exposures), including merchant customers that are related entities of the acquiring ADIs (see APS 222 – Associations with Related Entities).  For large exposure and intra-group exposure purposes, aggregate exposure to individual cardholders or merchants includes both on- and off-balance sheet exposure (i.e. any credit card advances and unused credit lines for a cardholder or any advances to a merchant arising from chargebacks and potential chargeback exposures to the merchant).

Liquidity Risk

8.             Both credit card issuers and acquirers are exposed to liquidity risk.  Card issuers are obliged to settle payments with card acquirers for transactions on behalf of their cardholders within a short period of time (one or two business days), regardless of when payments are received from cardholders (which might be spread across several months).  Credit card acquirers may settle payments for credit card transactions with merchants before receiving payment from credit card issuers in respect of those transactions.  Liquidity risk also arises for card acquirers where chargebacks or refunds to cardholders reach a level that cannot be covered by the merchant’s transactional processing volume.  Issuing and acquiring ADIs must establish policies, systems and procedures for measuring, managing and reporting liquidity (see APS 210 – Liquidity) to ensure that sufficient liquidity is maintained to meet their obligations arising from credit card transactions.

9.             Specialist credit card institutions[1] (SCCIs) that issue credit cards must hold highly liquid assets (cash or cash equivalents) sufficient at all times to fully cover any incidental credit balances on credit card accounts.

10.        Acquiring SCCIs must separate funds awaiting settlement to merchants and any funds from merchants as performance bond in a trust account with an ADI authorised to accept deposits.

Operational Risk

11.        Both credit card issuers and acquirers are exposed to operational risk arising mainly from systems failure, outsourcing arrangements and fraudulent transactions.  Issuing and acquiring ADIs must implement policies, systems and procedures with respect to:

(a)          integrity of transaction data and timely processing of transactions;

(b)         appropriate back-up and disaster recovery plans and facilities, including real-time fail-over capacity of critical processing systems and regular testing of business continuity and disaster recovery arrangements;

(c)          controls against information security and physical security risks;

(d)         outsourcing risk management for any third-party and related service providers (see APS 231 – Outsourcing);

(e)          fraud risk management; and

(f)           compliance obligations regarding relevant laws and regulations, for example those relating to provision of consumer credit.

[1] For the purposes of this standard, “specialist credit card institution” means an ADI that engages in credit card issuing and/or credit card acquiring within the meaning of regulation 2(2) of the Banking Regulations 1966 and does not carry on any other form of banking business.