7.1 Sound risk management

A provider must conduct their business with due skill, care and diligence, and manage key risks. 

Identify and measure key risks for both your businesses and your customers:

• financial risks (settlement risks, counterparty risks)
• operational risks (risks arising from errors or fraud)
• legal and compliance risks.

Establish internal controls:

• Monitor and manage key risks on an ongoing basis, perhaps by creating a risk register and undertaking regular risk assessments and/or reviews of compliance with policies.
• You should put risk governance structures in place, with scheduled discussions of key risks at board meetings.

Minimise your risks:

• Implement operational risk controls, covering responsibilities, policies, processes and procedures, as well as IT systems.
• Introduce ‘separation of duties’ and ‘four eyes’ principles, which require two independent people to complete certain activities. This helps to prevent or mitigate fraud and significant operational errors.
• Ensure that ‘separation of duties’ and ‘four eyes’ principles are always used for high-risk activities, such as money transfers and physical deliveries.

7.2 Physical security

Ensure adequate physical security for:

• your company’s employees 
• customers visiting your office
• valuables such as gold or cash held by the company or on behalf of your customers
• sensitive infrastructure, such as IT systems and customer data.

Put plans in place to prevent:

• robberies at your offices or during deliveries
• break-ins at your company’s offices or at storage facilities
• unauthorised access and harm done by employees, e.g. misappropriation of assets or access to customer data.

Instigate protection measures:

• Implement physical burglary or robbery protection, e.g. locks and security doors or windows.
• Install alarm systems.
• Limit access by unauthorised employees through access controls and monitoring.

7.3 Reliable information technology

Implement effective data protection and storage:

• Protect customer data and adhere to applicable data privacy laws.
• Encrypt all sensitive data.
• Keep records and audit trails of all relevant data and activities.
• Maintain backups.
• Implement business continuity and disaster recovery strategies.

Protect cyber security:

• Put strong authentication techniques in place to reduce the risk of unauthorised money transfers.
• Implement firewalls, network monitoring, patch maintenance and intrusion detection processes.
• Conduct penetration testing and vulnerability scans.
• Implement personnel access management procedures.

Prepare documentation and contingency management:

• Keep IT policies and documentation up to date.
• Maintain contingency plans and forensics to investigate any issues.

Invest in reliable resources:

• Employ qualified personnel and provide regular skills training.
• Work with reliable service providers. 

7.4 Diligent outsourcing

Minimise outsourcing risks:

• Conduct due diligence on third-party service providers and select only trustworthy and reliable partners.
• Agree on the quality and quantum of services to be provided and document these in Service Level Agreements (SLAs).
• Minimise and manage risks by focusing on correct procedures in areas such as contractual terms or insurance requirements.

Introduce ongoing monitoring:

• Regularly review the quality of the services provided, as well as the providers themselves.

Disclose key information:

• Share the names of key service providers, such as vault operators, with your customers.