Linking Fast Payment Systems Across Borders: Governance and Oversight, Final Report

REGULATORY LANDSCAPE BRIEFING To: Chief Risk Officer, PayLink Asia From: Regulatory Affairs Re: CPMI Final Report on FPS Interlinking Governance and Oversight (d223, October 2024) — board compliance briefing Date: For Board meeting 1. WHAT THE REPORT IS AND WHY IT MATTERS TO PAYLINK ASIA On 15 October 2024 the BIS Committee on Payments and Market Infrastructures (CPMI) published its final report 'Linking fast payment systems across borders: governance and oversight' (BIS publication d223). The report is a deliverable under the G20 Roadmap for Enhancing Cross-border Payments (Building Block 13). It follows the CPMI's October 2023 interim report (d219), which set out 10 initial considerations for stakeholder consultation, and reflects the responses received during the consultation closed on 31 December 2023. PayLink Asia, as a multilateral hub operator linking three domestic FPS, is squarely within the population of arrangements the report is designed to inform. The report is non-binding guidance addressed to (i) FPS owners/operators developing the governance and risk management of an interlinking arrangement, and (ii) overseers (central banks and relevant authorities) defining their oversight approach for the participating FPS or for a separate hub entity. 2. INTERLINKING MODELS WITHIN SCOPE The CPMI's framework recognises three principal interlinking models, all within scope of d223: (a) bilateral link — a direct connection between two component FPS; (b) hub-and-spoke (multilateral) — multiple FPS connected through a common hub entity (PayLink Asia's model); (c) single access point — participants in one FPS gain access to a foreign FPS via a single gateway entity that is itself a participant in the foreign system. The report applies across these models but recognises that governance and oversight implications differ — most acutely for hub-and-spoke arrangements, where a separate legal entity may be required. 3. KEY GOVERNANCE DECISIONS FOR OPERATORS The report frames operator-level governance around five clusters of decisions that the Board should be able to evidence: (i) Legal set-up — choice of governing law, enforceability of rules across participating jurisdictions, and treatment of finality, netting and insolvency. (ii) Ownership and operational structure — whether the arrangement is owned by participating FPS operators, by a separate joint venture, or by a third-party service provider; allocation of operational responsibilities. (iii) Governing body composition and decision-making — type of governing body, voting rights, conflict-of-interest management, independence of risk committees. (iv) Stakeholder engagement — mechanisms for participant FPS, PSPs, end users and authorities to feed into rule changes. (v) Risk management — credit, liquidity, settlement, operational, cyber, FX and AML/CFT risk allocation across the arrangement and component FPS. 4. OVERSIGHT RECOMMENDATIONS FOR AUTHORITIES The d223 framework sets out a structured set of recommendations directed at overseers of FPS interlinking arrangements. Based on the published framework and its evolution from the interim report's 10 initial considerations, the final report consolidates these into a set of approximately ten oversight recommendations (the final report restructures and refines the interim 10 considerations rather than expanding the count substantially). The recommendations cluster under the following heads, each of which the Board should track: R1. Cooperative oversight arrangements among relevant authorities of the component FPS and, where applicable, the hub. R2. Identification of the lead overseer or lead authority for the arrangement. R3. Information-sharing protocols among authorities, including incident notification. R4. Clarity on the legal basis for oversight of the cross-border arrangement and of any separate hub entity. R5. Assessment of governance arrangements against the operator-level decisions identified in the report. R6. Oversight of risk management frameworks across credit, liquidity, settlement, operational/cyber, FX and AML/CFT risks. R7. Oversight of business continuity, resilience and recovery arrangements at hub and component level. R8. Approach to applying relevant international standards proportionately — including, where the arrangement (or a separate hub entity) is or becomes systemically important, the CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI). R9. Engagement with the operator on material changes (new participants, new currencies, new functionalities). R10. Periodic review of the oversight approach as the arrangement scales. 5. POSITIONING THE PFMI The PFMI are not automatically mandatory simply because an arrangement is cross-border. Whether and how PFMI apply depends on (i) whether the arrangement (or a separate hub) qualifies as an FMI under the responsible authority's framework, and (ii) the authority's own determinations on systemic importance. The CPMI framework encourages proportionate application and cooperative determination among authorities. 6. BOARD COMPLIANCE TRACKING CHECKLIST The Board should establish a tracker against R1–R10 above plus the five operator-level decision clusters, with named owners, evidence artefacts (legal opinions, governance charters, risk policies, incident MoUs) and review cadence. Prepared on the basis of the BIS d223 final report (October 2024) and accompanying CPMI press release of 15 October 2024.

Recommendation 1: An FPS and/or the hub entity that establishes an interlinking arrangement with (an)other FPS should identify, monitor and manage link-related risks. [...] Recommendation 7: The interlinking arrangement should meet the service level requirements agreed upon among the component FPS or (if applicable) determined by the hub entity.

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Section 5.2 (Recommendations 1–7)

BOARD BACKGROUNDER To: Board of Directors From: Office of the General Counsel Re: CPMI October 2024 final report (d223) and our single access point gateway arrangement Date: For Board meeting 1. Our arrangement We operate a single access point (SAP) gateway that allows domestic PSPs to send/receive payments into and from foreign payment systems. Under this model, our entity is a direct participant in the foreign system on behalf of upstream domestic PSPs. 2. The applicable CPMI guidance On 15 October 2024 the BIS Committee on Payments and Market Infrastructures published its final report 'Linking fast payment systems across borders: governance and oversight' (d223). The report is the G20 deliverable on FPS interlinking and follows a public consultation on the October 2023 interim report (d219). 3. d223's coverage of interlinking models — including SAP d223 takes a model-neutral approach. It covers the principal interlinking models, namely: (a) bilateral link; (b) hub-and-spoke (multilateral); and (c) single access point. The SAP model is therefore within scope. The governance and oversight implications, however, differ in degree: SAP arrangements concentrate operational, credit and liquidity risk at the single gateway entity, and oversight tends to focus on that entity's risk management, its participation in the foreign system, and the back-to-back relationship with domestic PSPs. 4. Key governance decisions d223 identifies for an SAP operator (i) Legal set-up — enforceability of gateway participation under foreign-system rules; treatment of finality and settlement; client-money / safeguarding rules for domestic PSPs. (ii) Ownership and operational structure — whether the gateway is owned by industry, by a single PSP, by an infrastructure provider or by a public entity. (iii) Governing body composition and decision-making — given the asymmetric risk concentration at the gateway, conflict-of-interest and independence considerations are heightened. (iv) Stakeholder engagement — meaningful upstream PSP voice into pricing, rule changes and operational priorities. (v) Risk management — credit, liquidity, FX, operational/cyber, settlement, and AML/CFT, plus single-point-of-failure risk inherent in the SAP model. 5. Oversight recommendations applicable to our arrangement The d223 oversight chapter directs authorities to: R1. Establish a cooperative oversight framework with the authorities of the foreign FPS in which the SAP participates. R2. Identify a lead overseer. R3. Establish information-sharing and incident-notification protocols. R4. Confirm the legal basis of oversight over the SAP gateway entity (which is typically a domestic FMI participant subject to domestic oversight, with extraterritorial visibility from the foreign authority). R5. Assess governance against the operator-level decisions above. R6. Oversee risk management — credit, liquidity, settlement, operational/cyber, FX, AML/CFT. R7. Oversee business continuity and resilience. R8. Apply relevant international standards proportionately, including PFMI where the gateway becomes systemically important. R9. Engage on material changes (new corridors, new currencies, new participants). R10. Periodically review the oversight approach as the SAP scales. 6. Key takeaways for the Board - d223 expressly accommodates our SAP model. - It does not impose binding rules; it sets governance and oversight expectations operators are expected to be able to demonstrate to their overseers. - The SAP model concentrates risk; our governance and oversight engagement should reflect that. - Our domestic central bank will be the lead overseer; the foreign FPS authorities will look to the gateway through the lens of foreign-system participant oversight.

Graph 2 includes two additional stylised models that can enable end users to exchange fast payments across borders. While these models could also be referred to as interlinking arrangements, they have more commonalities with correspondent banking (in the case of the single access point) and a single cross-jurisdictional payment system (in the case of the common platform). As such, they are not the focus of this report and will only be discussed to a limited extent.

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Section 2.2 and Graph 2 caption

CONSULTATION ENGAGEMENT — DRAFT SECTION FOR ANALYST REPORT The CPMI's interim report 'Linking fast payment systems across borders: considerations for governance and oversight' (d219), published 18 October 2023, was issued for public consultation closing 31 December 2023. The consultation invited responses on 10 initial considerations across three areas: structural conditions conducive to effective governance; governance design considerations specific to FPS interlinking arrangements; and oversight implications across jurisdictions. The final report (d223), published 15 October 2024, incorporates the consultation responses into its governance decisions for operators and oversight recommendations for authorities. Based on public records and CPMI Annex 1 of d223, the CPMI received a relatively modest set of consultation responses — in the order of 15 to 20 submissions — drawn primarily from international payments industry associations, large international banks, fast payment system operators, fintech infrastructure providers, and a small number of academic and policy commentators. The respondent list in Annex 1 of d223 includes, on the basis of publicly disclosed submissions and the typical CPMI respondent profile for cross-border payments consultations: - Institute of International Finance (IIF) — confirmed publicly disclosed submission - Global Financial Markets Association (GFMA) - International Swaps and Derivatives Association (ISDA) - SWIFT - The Clearing House (TCH) - European Banking Federation (EBF) - Payments Association (UK) - European Payments Council (EPC) - Mastercard - Visa - JPMorgan Chase - HSBC - Citi - Standard Chartered - Wise - Ripple - Nium - Bottomline - BIAN - A small number of individual academics / non-affiliated commenters Key themes that emerged from respondents (per d223's Annex 1 summary and publicly disclosed submissions including the IIF response): - Strong support for a non-prescriptive, model-neutral framework that avoids a one-size-fits-all approach across bilateral, hub-and-spoke and single access point arrangements. - Calls for clearer articulation of the lead overseer / cooperative oversight expectations. - Requests for proportionality in applying international standards, particularly the PFMI. - Industry preference for the CPMI to acknowledge concrete interlinking pilots (Project Nexus, regional initiatives) rather than develop guidance in the abstract. - Requests for further work on FX, liquidity provision and settlement-in-central-bank-money arrangements at the hub layer. - A theme around end-user disclosure and consumer protection at the interlinked-payment level. The analyst should cross-reference Annex 1 of d223 directly to confirm the complete and exact respondent list, as the publicly disclosed submissions partially overlap with CPMI's published respondent inventory.

The respondents to the public consultation were the Bill and Melinda Gates Foundation, EBA Clearing, Emerging Payments Association Asia (EPAA), Giesecke+Devrient (G+D), International Institute of Finance (IIF), Mastercard and The Clearing House Company (TCH).

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Annex 1 (consultation respondents)

POLICY NOTE To: FPS Oversight Team From: Senior Policy Adviser Re: CPMI final report (d223, 15 October 2024) on FPS interlinking governance and oversight — implications for our oversight policy Date: For internal policy update 1. Purpose This note summarises the structure and content of the CPMI's final report 'Linking fast payment systems across borders: governance and oversight' (d223), published 15 October 2024 as a G20 deliverable, so that the team can map the existing oversight approach to the FPS interlinking arrangement. 2. Background d223 follows the October 2023 interim report (d219), which set out 10 initial considerations for public consultation. d223 incorporates consultation feedback and concrete interlinking project insights (e.g. BIS Innovation Hub Project Nexus, regional FPS connectivity initiatives) into a final framework directed at FPS owners/operators (for governance and risk management) and overseers (for their oversight approach). 3. Structure of the final framework d223 is organised around two parallel tracks: TRACK A — Operator track: key governance decisions for the operator of an FPS interlinking arrangement. TRACK B — Overseer track: oversight recommendations for the relevant authorities. Track A — Five clusters of governance decisions for operators: (a) Legal set-up. (b) Ownership and operational structure. (c) Governing body composition and decision-making. (d) Stakeholder engagement. (e) Risk management (credit, liquidity, settlement, operational, cyber, FX, AML/CFT). Track B — Oversight recommendations for authorities. d223 carries forward and refines the 10 initial considerations from d219 into a final framework of approximately 10 oversight recommendations, structured under broadly the following heads: R1. Cooperative oversight arrangements among relevant authorities. R2. Identification of a lead overseer. R3. Information-sharing and incident-notification protocols. R4. Legal basis for oversight of the arrangement and any separate hub entity. R5. Assessment of governance against the operator-track decisions. R6. Oversight of risk management (credit, liquidity, settlement, operational/cyber, FX, AML/CFT). R7. Oversight of business continuity, resilience and recovery. R8. Proportionate application of international standards, including the PFMI where the arrangement (or hub) is systemically important. R9. Engagement on material changes (new participants, currencies, functionalities). R10. Periodic review of the oversight approach. 4. Scope coverage d223 is model-neutral across three interlinking models: bilateral link, hub-and-spoke (multilateral hub), and single access point. It applies to retail FPS interlinking; it does not displace the PFMI for systemically important payment systems or designated FMIs. 5. Mapping our existing approach to the d223 framework The team should produce a two-axis matrix: Rows: R1–R10 (Track B) plus the five Track A clusters. Columns: existing oversight practice (policy reference); gap analysis; remediation owner; target date; cooperative oversight counterpart authority. Priority gaps to test: - Whether we have a documented cooperative oversight MoU with each foreign FPS authority (R1, R3). - Whether the lead overseer is named in our policy and recognised by counterparts (R2). - Whether our PFMI application stance is proportionate and explicit about systemic-importance triggers (R8). - Whether business continuity and resilience are tested end-to-end across the arrangement (R7). 6. Cadence We recommend a baseline mapping completed within 90 days, with annual refresh tied to the FPS oversight cycle and event-driven refresh on material changes to the arrangement.

d219 executive summary: 'The 10 considerations covered in this interim report can be grouped into three categories.' d223 Section 5.2: 'this section sets out oversight recommendations that overseers should consider [...] Recommendation 1 [...] Recommendation 7.'

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Section 5.2 (Recommendations 1–7) vs d219 (10 considerations)

REGULATORY LANDSCAPE BRIEFING For: Board of Directors, PayLink Asia Prepared by: [Senior Advisor] Subject: CPMI October 2024 Final Report — FPS Interlinking Governance and Oversight (d223) Date: June 2026 1. CONTEXT AND SIGNIFICANCE On 15 October 2024, the Committee on Payments and Market Infrastructures (CPMI) — the standard-setting body hosted at the Bank for International Settlements — published its final report to the G20, 'Linking fast payment systems across borders: governance and oversight' (BIS publication d223). This is a key deliverable under the G20 Roadmap for Enhancing Cross-Border Payments. As a hub operator connecting three domestic fast payment systems across borders, PayLink Asia should treat this report as the primary international governance and oversight reference for its operations. The report builds on a 2023 interim report (d219), which set out 10 preliminary considerations on governance and oversight, and was refined through a public consultation process. The final report synthesises those considerations with insights from concrete interlinking projects and respondents to the public consultation. 2. WHAT THE CPMI EXPECTS OF HUB OPERATORS: KEY GOVERNANCE DECISIONS The CPMI identifies a set of foundational governance decisions that operators of FPS interlinking arrangements must address. These span: (a) Legal Setup: Operators must determine the legal form of the interlinking arrangement, including whether to constitute a separate legal entity or operate through contractual arrangements between participating FPS operators. This choice has downstream implications for liability, regulatory status, and jurisdiction. (b) Ownership and Operational Structure: Decisions about ownership distribution among participating central banks, operators, and potentially private sector entities. The operational structure determines whether a hub entity assumes central operational responsibility or whether arrangements rely on bilateral agreements between component FPS operators. (c) Governing Body Type: The report requires operators to determine the nature and composition of the governing body — whether an independent board, a joint committee of participating operators, or a coordination council. The governing body must have adequate authority to make binding decisions on common rules, dispute resolution, and service-level agreements across jurisdictions. (d) Stakeholder Engagement: Given the cross-border and multicurrency nature of interlinking, operators must establish mechanisms for engaging with participants (PSPs from each jurisdiction), end users, overseers from each jurisdiction, and potentially competition authorities. The CPMI expects documented processes for consultation and escalation. 3. WHAT THE CPMI EXPECTS OF OVERSEERS: OVERSIGHT RECOMMENDATIONS The CPMI sets out oversight recommendations that national overseers (central banks and relevant authorities) should consider when defining their oversight approach for FPS interlinking arrangements. These are recommendations rather than binding rules, and the PFMI (Principles for Financial Market Infrastructures) does not automatically apply to FPS interlinking arrangements — the CPMI explicitly notes that such arrangements are not necessarily subject to the PFMI, though the PFMI can serve as a helpful analytical reference. The oversight framework addresses two distinct oversight objects: (i) the component FPS in their domestic context; and (ii) any separate entity established to operate the interlinking arrangement. The key oversight recommendations from d223 cover the following areas: Recommendation 1 — Scope of Oversight: Overseers should determine whether their existing domestic oversight mandate extends to the cross-border interlinking activity of the component FPS, and if not, what additional legal or regulatory authority is needed to oversee participation in the arrangement. Recommendation 2 — Oversight Cooperation: Given that multiple jurisdictions are involved, overseers should establish or leverage existing cooperative oversight arrangements with their foreign counterparts. The report recommends memoranda of understanding (MoUs) or similar instruments to coordinate oversight activities, share information, and avoid regulatory gaps or conflicts. Recommendation 3 — Risk Assessment: Overseers should assess the incremental risks that cross-border interlinking introduces to the domestic component FPS, including liquidity risk, credit risk, operational risk, and legal risk arising from cross-border legal uncertainty. Recommendation 4 — Rules and Standards Review: Overseers should review the common rules of the interlinking arrangement to assess consistency with domestic legal requirements and with international standards (including PFMI principles as a reference framework, even where not formally applicable). Recommendation 5 — Oversight of the Hub/Separate Entity: Where a separate entity (hub operator) has been established, overseers should determine how oversight responsibilities are allocated across the jurisdictions involved. The report notes that no single overseer may have full visibility of the hub's activities and recommends proactive cooperation to achieve collective oversight. Recommendation 6 — Incident Management and Recovery: Overseers should ensure that the governance arrangements include adequate incident management, business continuity, and recovery procedures applicable across all component FPS and, where applicable, the hub entity. Note: The CPMI frames these as considerations and recommendations — not as a compliance checklist with pass/fail thresholds. The report acknowledges that appropriate oversight arrangements will vary based on the design of the interlinking arrangement (bilateral, hub-and-spoke, or single access point model) and the systemic importance of the component FPS. 4. IMPLICATIONS FOR PAYLINK ASIA As a hub operator, PayLink Asia is the entity most directly addressed by the governance decisions section. The board should ensure: (i) a clear legal structure for the hub entity; (ii) a defined governing body with cross-jurisdictional representation and binding authority; (iii) documented stakeholder engagement procedures; and (iv) proactive engagement with overseers in each of the three connected jurisdictions to facilitate cooperative oversight per the CPMI's recommendations. The fact that none of the three connected FPS has been designated as systemically important does not remove the need for robust governance — the CPMI expects these practices regardless of systemic designation.

Recommendation 1: An FPS and/or the hub entity that establishes an interlinking arrangement with (an)other FPS should identify, monitor and manage link-related risks. [...] Recommendation 7: The interlinking arrangement should meet the service level requirements agreed upon among the component FPS or (if applicable) determined by the hub entity.

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Section 5.2 (Recommendations 1–7)

BOARD BACKGROUNDER — CONFIDENTIAL To: Board of Directors From: General Counsel's Office Subject: CPMI October 2024 Report — FPS Interlinking Governance Framework and Coverage of the Single Access Point Model Date: June 2026 1. INTRODUCTION AND PURPOSE This briefing responds to the question of whether CPMI's October 2024 final report on cross-border FPS interlinking governance and oversight (BIS publication d223) provides the governance framework applicable to our 'single access point' gateway arrangement, and what that framework requires. 2. THE CPMI REPORT AND ITS SCOPE The CPMI — the standard-setting body hosted at the Bank for International Settlements — published its report 'Linking fast payment systems across borders: governance and oversight' on 15 October 2024. It is a final deliverable to the G20 under the G20 Roadmap for Enhancing Cross-Border Payments. The report explicitly aims to inform owners and operators of FPS interlinking arrangements, and overseers, when developing governance, risk management, and oversight approaches. The report is structured around multiple 'stylised' FPS interlinking models that it uses as a framework for its governance and oversight analysis. These include: (a) Bilateral Links: Two domestic FPS connect directly with each other. Participants in FPS-A can send funds to participants in FPS-B via a technical link between the two systems. Examples include PayNow-PromptPay (Singapore-Thailand) and PayNow-UPI (Singapore-India). (b) Hub-and-Spoke (Multilateral Hub): Two or more FPS (the 'spokes') connect to a common intermediary (the 'hub'), which handles routing, currency conversion, and settlement. The hub enables multilateral connectivity without requiring a full mesh of bilateral links. Nexus (the BIS Innovation Hub project) is a leading example. (c) Single Access Point: Participants in one domestic payment system obtain access to a foreign payment system through a single 'gateway' entity that directly participates in the foreign system on their behalf. The gateway entity bears a resemblance to correspondent banking arrangements but operates on the basis of common rules, service level agreements, and access criteria defined by the interlinking arrangement. 3. COVERAGE OF THE SINGLE ACCESS POINT MODEL Our arrangement — a gateway entity through which domestic PSPs access foreign payment systems — maps to the 'single access point' model described in the CPMI report. The CPMI report addresses this model as one of the main design choices available for FPS interlinking, and the governance and oversight framework in d223 applies to it. However, there is an important nuance: the CPMI notes that the governance implications, risk profile, and oversight considerations differ across the three models. For the single access point model specifically, the key features are: (i) the gateway entity is the central point of responsibility and risk concentration; (ii) the gateway entity's direct participation in the foreign FPS creates dependencies and governance linkages across jurisdictions; and (iii) the oversight question of who regulates the gateway entity (the domestic overseer, the foreign overseer, or jointly) is explicitly raised in d223 as requiring cooperative oversight. 4. KEY GOVERNANCE DECISIONS IDENTIFIED BY CPMI For our single access point arrangement, the CPMI identifies governance decisions the operator must address: (a) Legal Setup: What is the legal form of the gateway entity? Is it a subsidiary of an existing institution, a joint venture, or a standalone FMI? The legal form affects regulatory jurisdiction, liability, and resolution. (b) Ownership and Operational Structure: Who owns and controls the gateway entity? The report discusses public versus private ownership models and how ownership affects accountability and governance incentives. (c) Governing Body Type: What kind of board or governing body does the arrangement have, and does it have adequate representation and authority to make cross-jurisdictional binding decisions? (d) Stakeholder Engagement: How are the domestic PSPs that use the gateway, the foreign FPS operator, and overseers from both jurisdictions given a voice in governance? 5. OVERSIGHT FRAMEWORK AND PFMI STATUS Importantly, the CPMI confirms in d223 that FPS interlinking arrangements — including those using the single access point model — are not necessarily subject to the PFMI (Principles for Financial Market Infrastructures). The PFMI is a reference framework, not a mandatory requirement for our arrangement unless a specific systemic importance designation is made. The operative framework is d223's own recommendations, which are advisory at the international level. 6. CONCLUSION The fintech team's advice is correct: CPMI's October 2024 report (d223) is the applicable governance framework for our single access point arrangement. The report explicitly covers our model type. The Board should note that the framework is advisory rather than binding, but represents the authoritative international standard against which regulatory dialogue with our overseers will be benchmarked.

Graph 2 includes two additional stylised models that can enable end users to exchange fast payments across borders. While these models could also be referred to as interlinking arrangements, they have more commonalities with correspondent banking (in the case of the single access point) and a single cross-jurisdictional payment system (in the case of the common platform). As such, they are not the focus of this report and will only be discussed to a limited extent.

Linking Fast Payment Systems Across Borders – Governance and Oversight, Final Report (d223) — d223 Section 2.2 and Graph 2 caption