Operational professionalism

Principle #7

Implementation guidance

7.1 Sound risk management


Identify key risks for the company and its customers and manage them on an ongoing basis. Implement adequate measures for risk mitigation.

A provider must conduct their business with due skill, care and diligence, and manage key risks. 

Identify and measure key risks for both your businesses and your customers:

  • financial risks (settlement risks, counterparty risks)
  • operational risks (risks arising from errors or fraud)
  • legal and compliance risks.

Establish internal controls:

  • Monitor and manage key risks on an ongoing basis, perhaps by creating a risk register and undertaking regular risk assessments and/or reviews of compliance with policies.
  • You should put risk governance structures in place, with scheduled discussions of key risks at board meetings.

Minimise your risks:

  • Implement operational risk controls, covering responsibilities, policies, processes and procedures, as well as IT systems.
  • Introduce ‘separation of duties’ and ‘four eyes’ principles, which require two independent people to complete certain activities. This helps to prevent or mitigate fraud and significant operational errors.
  • Ensure that ‘separation of duties’ and ‘four eyes’ principles are always used for high-risk activities, such as money transfers and physical deliveries.

7.2 Physical security


Ensure adequate physical protection of assets. In addition to the safekeeping of valuables, this includes physical protection of IT infrastructure, as well as sensitive information, such as customer data.

Ensure adequate physical security for:

  • your company’s employees 
  • customers visiting your office
  • valuables such as gold or cash held by the company or on behalf of your customers
  • sensitive infrastructure, such as IT systems and customer data.

Put plans in place to prevent:

  • robberies at your offices or during deliveries
  • break-ins at your company’s offices or at storage facilities
  • unauthorised access and harm done by employees, e.g. misappropriation of assets or access to customer data.

Instigate protection measures:

  • Implement physical burglary or robbery protection, e.g. locks and security doors or windows.
  • Install alarm systems.
  • Limit access by unauthorised employees through access controls and monitoring.

7.3 Reliable information technology


Invest in adequate information technology systems and processes so that sensitive data is protected. Implement cyber-security best practices and be prepared for IT emergencies, including system failures.

Implement effective data protection and storage:

  • Protect customer data and adhere to applicable data privacy laws.
  • Encrypt all sensitive data.
  • Keep records and audit trails of all relevant data and activities.
  • Maintain backups.
  • Implement business continuity and disaster recovery strategies.

Protect cyber security:

  • Put strong authentication techniques in place to reduce the risk of unauthorised money transfers.
  • Implement firewalls, network monitoring, patch maintenance and intrusion detection processes.
  • Conduct penetration testing and vulnerability scans.
  • Implement personnel access management procedures.

Prepare documentation and contingency management:

  • Keep IT policies and documentation up to date.
  • Maintain contingency plans and forensics to investigate any issues.

Invest in reliable resources:

  • Employ qualified personnel and provide regular skills training.
  • Work with reliable service providers. 

7.4 Diligent outsourcing


Choose third-party service providers and contractual terms carefully and monitor providers closely. Disclose information on key service providers, such as vault operators, to customers if they can significantly affect customer experience or pose material risks

Minimise outsourcing risks:

  • Conduct due diligence on third-party service providers and select only trustworthy and reliable partners.
  • Agree on the quality and quantum of services to be provided and document these in Service Level Agreements (SLAs).
  • Minimise and manage risks by focusing on correct procedures in areas such as contractual terms or insurance requirements.

Introduce ongoing monitoring:

  • Regularly review the quality of the services provided, as well as the providers themselves.

Disclose key information:

  • Share the names of key service providers, such as vault operators, with your customers.