6.3 Products and Services Risk Assessments

No: 45032226 Date(g): 28/11/2023 | Date(h): 16/5/1445 Status: In-Force

Effective from Mar 01 2024 - Feb 29 2024

6.3.1 Banks must establish lines of responsibility for managing risks related to new products and services.
 
6.3.2 Banks must conduct a full risk assessment of new products and services, which forms the basis for deciding whether or not to introduce them to the market, taking into account a review of all the associated risks throughout the life cycle of the products and services.
 
6.3.3 Banks must have risk management standards for developing and launching any new products and services to the market. These include, inter alia, adequate due diligence and approvals; procedures to identify, measure, monitor, report, and mitigate risks; effective change management processes and technologies; and ongoing performance monitoring and review mechanisms.
 
6.3.4 Banks must have a risk classification process for each product and service that the bank intends to launch. The classification process must result in an overall risk classification for the product or service (for example: high, medium or low risk).
 
6.3.5 Banks must have risk management, controls and monitoring processes in respect of third-party risk management, where the bank's products and services are offered in partnership with Fintech companies, agents or similar entities.
 
6.3.6 The risk management function must have internal organizational and operational capacity, i.e. effective controls, monitoring and reporting systems and procedures in place, to monitor and manage the potential risks that the proposed new products and services pose to the bank's own financial health, as well as to the financial well-being of the customers and overall market stability.
 
6.3.7 The risk management function must document, review and approve the risk profile (associated risks) of new products and services before their launch. The risk profile of the new products and services must include at least a detailed description of all associated risks, i.e. identification, quantification (if possible), assessment, classification and mitigation plan.
 
6.3.8 The risk management function must perform a comprehensive fraud risk assessment covering fraudulent events across different channels and an assessment of prevention, detection, and investigation capabilities from a people, process and technology perspective, taking into consideration emerging technologies. The risk assessment must also include an evaluation of all possible scenarios and dynamic fraud techniques, such as social engineering and phishing, to ensure the safety and soundness of the bank against dynamic fraudulent scenarios. In addition, the bank must enforce a defense-in-depth mechanism in its environment to ensure deep protection for the customers, such as using a multichannel technique to ensure customer identity and confirmation of the financial service/transaction, for example: registration and activation/approval of services from different channels whenever applicable.
 
6.3.9 The risk management function must conduct a comprehensive risk assessment which covers cyber resilience and data privacy, including evaluating the threats, vulnerabilities and weaknesses that need to be analyzed for potential impact on the bank, in order to improve member organizations' cyber posture.
 
6.3.10 The risk management function must assure that its people, systems and processes have the ability to adequately capture and report risks and financial commitments relating to its new products and services in a timely manner.
 
6.3.11 The risk management function must assure that all material risks posed by the introduction of new products and services or by the modification of existing products and services are identified, assessed, monitored and managed appropriately; these risks must be regularly reviewed in light of changing market conditions not previously factored in.
 
6.3.12 The risk management function must assess how new products and services will affect the bank's current and projected financial and capital positions.