Management System Requirements for Providers of Financial Payment Services (NBU Regulation No. 123)
This guide is part of the documentation available in SecBoard. It summarises the Regulation on requirements for the management system of a provider of financial payment services, approved by the Resolution of the Board of the National Bank of Ukraine of 10 October 2024 No. 123 (the Regulation / Положення). It explains scope, the four-stage implementation schedule, and how SecBoard modules help payment institutions (except small), e-money institutions, postal operators with the right to provide financial payment services, and branches of foreign payment/e-money institutions implement and demonstrate compliance. Use SecBoard Framework Compliance and Document Register for policies, procedures, and evidence; use other SecBoard modules for risk, compliance, incidents, continuity, and governance.
What is the Regulation (No. 123)?
The Regulation sets requirements for the management system of providers of financial payment services: corporate governance, internal control (including risk management, compliance, and internal audit), and related reporting to the NBU. It is based on the Law on the NBU, the Law on Payment Services, and the Law on Financial Services and Financial Companies. The Regulation defines the three lines of defence, obligations of the board (rada), executive body, risk management unit (or CRO), compliance unit (or CCO), and internal audit unit (or auditor), as well as requirements for risk appetite declaration, risk limits, operational and cyber/security risk, and continuity of payment services. Providers must bring their activity into compliance within the deadlines set in the annex to the Resolution (phased schedule).
Scope: Payment institutions (except small payment institutions), e-money institutions, postal operators that have the right to provide financial payment services, and branches of foreign payment institutions and branches of foreign e-money institutions (together, providers of financial payment services). Branches of foreign payment institutions may have specific organisational options under the Regulation. Small payment institutions are excluded from the scope of the Regulation.
Implementation schedule (four stages)
The annex to the Resolution sets deadlines for phased implementation. Providers must also submit information to the NBU on completion of each stage.
- Stage I (report to the NBU by 01.12.2024): align the organisational structure of internal control: create a compliance unit (or assign a responsible person), a risk management unit (or CRO) and an internal audit unit (or auditor); define the distribution of functions, duties, accountability and subordination of the board, executive body and heads of control units; ensure checks and balances.
- Stage II (report to the NBU by 01.12.2024): develop/adopt and implement the code of conduct (ethics); conflict of interest policy; regulation on the internal control system; regulation on the risk unit / CRO job description; regulation on the compliance unit / CCO job description; regulation on internal audit / auditor job description.
- Stage III (report to the NBU by 16.12.2024): risk management documents: risk policy (including risk limits), policies for individual risk types, compliance regulation, risk strategy, reporting order/forms/frequency, methods for managing identified risks. Operational risk: operational risk policy; cyber and security risk policy; methodology for continuity of payment services (including continuity policy, business impact analysis procedure, continuity plan).
- Stage IV (report to the NBU by 31.12.2024): develop, adopt and implement the risk appetite declaration (by 16.12.2024); the board develops/adopts the other internal documents on risk management and on the other requirements of the Regulation (by 25.12.2024).
Main requirement areas
| Area | Requirements (summary) |
|---|---|
| Corporate governance | General meeting, board (committees: audit, risk, remuneration/appointments), executive body, key persons. Clear distribution of powers, accountability, checks and balances. Board approves organisational structure, internal control and risk/compliance/audit structures, strategic goals, risk appetite declaration, internal documents. |
| Three lines of defence | 1st line: business and support units (operations, first-level controls); 2nd line: risk management and compliance (monitoring, limits, compliance); 3rd line: internal audit (independent assessment). Independence of 2nd and 3rd lines; no conflict of interest. CRO and CCO may have veto rights on certain executive decisions. |
| Risk management | Risk appetite declaration; risk limits; risk strategy and policies (including per risk type); operational risk policy; cyber and security risk policy; risk culture; reporting to board/committees; methods for managing identified risks. Risk unit or CRO; adequate resources. |
| Compliance | Compliance with legislation, market standards, payment system rules, internal documents. Compliance unit or CCO; code of conduct; conflict of interest policy and procedures; compliance regulation. Compliance risk as a risk type. |
| Internal audit | Internal audit unit or auditor; assessment of 1st and 2nd line and overall effectiveness of internal control; reports to board; independence. No other positions in the same provider (with exceptions). |
| Continuity | Methodology for continuity of payment services; continuity policy; business impact analysis procedure; continuity plan. Control measures for integrity, availability, backup/recovery, access control, change control (acquisition, development, support of ICT). |
| Incidents | Operational, cyber and security incidents; criticality levels (e.g. non-critical, low, medium, high, critical, extreme). Security incident: event affecting confidentiality, integrity, availability of information and/or continuity of payment services. Material technical failure: inability to provide services for 24 consecutive hours. Incident management and reporting. |
How SecBoard modules support the Regulation (No. 123)
SecBoard helps document policies, map controls, collect evidence, and track implementation. Use the modules below in line with your entity type and NBU deadlines.
| SecBoard module | Regulation area | How it helps |
|---|---|---|
| Framework Compliance | All (controls, evidence) | Create a Custom or Local framework (e.g. “NBU 123 – Management system for payment service providers”). Map control categories and controls to corporate governance, three lines, risk management, compliance, internal audit, continuity, incidents. Attach evidence (policies, procedures, reports), assign owners and review dates. Use for schedule tracking and NBU reporting. Dashboard shows status. |
| Document Register / Legislative docs | Policies, procedures | Store and version internal documents: code of conduct, conflict of interest policy, regulation on internal control, regulations on risk/compliance/internal audit units, risk policy, operational/cyber/security risk policies, compliance regulation, continuity policy, BIA procedure, continuity plan, risk appetite declaration. Link to Framework Compliance. Legislative docs for official Regulation (No. 123). Mandatory Processes for recurring controls and reviews. |
| Risk Assessment | Risk management | Document risk identification, assessment and treatment; link to risk appetite and limits. Use for operational, cyber and security risk evidence. Support risk strategy and reporting. Evidence for Framework Compliance. |
| Incident Register | Operational, cyber, security incidents | Record and manage operational, cyber and security incidents; support classification by criticality. Use for incident management process and reporting evidence. Link to Framework Compliance. |
| Cabinet | Governance, roles | Document organisational structure, roles (board, executive, CRO, CCO, internal auditor), and accountability. Use Org Structure and Cabinet Users for “distribution of functions, duties, responsibility, subordination” and three lines of defence. Cabinet Users Guide and Org Structure Guide available. |
| Asset management | Resources, ICT | Maintain an inventory of critical resources and information infrastructure. Support continuity and the backup/restore scope. Asset Guide available. |
| SOC / Wazuh | Cyber/security, continuity | Support logging, monitoring and control of ICT for continuity and cyber/security risk. Evidence for control of systems and access. FIM Dashboard Guide available. Attach reports in Framework Compliance. |
| Study / Training | Risk culture, awareness | Deliver and track training on risk management, compliance and code of conduct. Support risk culture and staff awareness. Use for training records. |
| TPRM | Third parties | Where third parties are involved in payment services or support, use Vendor and VendorAssessment for due diligence and contract evidence. Link to Framework Compliance where relevant. |
| Configuration | Scope by entity | Define entities (e.g. payment institution, branch). Use to scope compliance and align Framework Compliance instances. |
Quick mapping: Regulation area → SecBoard
| Regulation area | SecBoard modules to use |
|---|---|
| Corporate governance, three lines | Framework Compliance, Cabinet (Org Structure, Users), Document Register. |
| Risk management, risk appetite | Framework Compliance, Risk Assessment, Document Register. |
| Compliance, code of conduct, conflict of interest | Framework Compliance, Document Register, Study (training). |
| Continuity (policy, BIA, plan) | Framework Compliance, Document Register, Asset, SOC. |
| Incidents (operational, cyber, security) | Framework Compliance, Incident Register, Document Register. |
| Reporting to NBU | Framework Compliance (evidence), Document Register (approved documents, copies). |
Getting started with the Regulation in SecBoard
- Create a framework: In Framework Compliance, create a Custom framework (e.g. “NBU 123 – Management system for payment service providers”). Add control categories and controls for governance, three lines, risk, compliance, internal audit, continuity, incidents. Align with the four-stage schedule.
- Stage I–II: Document organisational structure and roles in Cabinet. Store code of conduct, conflict of interest policy, regulation on internal control, and regulations/job descriptions for risk, compliance and internal audit in Document Register. Link to Framework Compliance. Prepare information and copies of approval for NBU (by 01.12.2024).
- Stage III: Store risk policy (with limits), risk strategy, compliance regulation, operational risk policy, cyber and security risk policy, and continuity methodology (continuity policy, BIA procedure, continuity plan) in Document Register. Use Risk Assessment for risk identification and treatment. Link evidence to Framework Compliance. Report to NBU by 16.12.2024.
- Stage IV: Adopt risk appetite declaration and remaining internal documents (board approval). Store in Document Register. Report to NBU by 31.12.2024.
- Ongoing: Use Incident Register for operational, cyber and security incidents; use SOC and Asset for continuity and ICT controls. Keep documents and evidence up to date for annual review and NBU control.
NBU Regulation No. 123 and SecBoard
This guide is part of the documentation available in SecBoard. The Regulation on requirements for the management system of a provider of financial payment services (Положення, NBU Board Resolution 10.10.2024 No. 123) applies to payment institutions (except small), e-money institutions, postal operators with the right to provide financial payment services, and branches of foreign payment/e-money institutions. It requires corporate governance, internal control (three lines of defence), risk management (including risk appetite declaration, operational and cyber/security risk), compliance, internal audit, and continuity of payment services. Implementation is phased (four stages, Nov–Dec 2024) with reporting to the NBU. Use SecBoard Framework Compliance and Document Register for policies and evidence; use Risk Assessment, Incident Register, Cabinet, Asset, SOC, and Study to support risk, incidents, governance, continuity, and training.
Meet the schedule deadlines and keep internal documents and evidence ready for NBU control and annual review.
Frequently asked questions
What is the Regulation (No. 123)? — The NBU Board Resolution of 10 October 2024 No. 123 approved the Regulation on requirements for the management system of a provider of financial payment services. It sets requirements for corporate governance, internal control (three lines of defence), risk management (including risk appetite declaration, operational and cyber/security risk), compliance, internal audit, and continuity of payment services. Providers must comply within the deadlines in the annex (four stages, Nov–Dec 2024).
Who must comply? — Payment institutions (except small), e-money institutions, postal operators that have the right to provide financial payment services, and branches of foreign payment institutions and branches of foreign e-money institutions.
What are the three lines of defence? — First line: business and support units (operations and first-level controls). Second line: risk management and compliance (monitoring, limits, compliance). Third line: internal audit (independent assessment of effectiveness). Second and third lines must be independent; CRO and CCO may have veto on certain executive decisions.
What documents are required by the schedule? — Stage II: code of conduct, conflict of interest policy, regulation on internal control, regulations/job descriptions for risk, compliance and internal audit. Stage III: risk policy (with limits), risk strategy, compliance regulation, operational risk policy, cyber/security risk policy, continuity methodology (policy, BIA procedure, continuity plan). Stage IV: risk appetite declaration and other board-approved documents.
How do I use SecBoard for NBU 123? — Store all required internal documents in Document Register; map controls and attach evidence in Framework Compliance; document structure and roles in Cabinet; use Risk Assessment for risk management; use Incident Register for operational, cyber and security incidents. Submit information and copies of approved documents to the NBU by the dates in the annex.