
Actions Needed / Replies and Comments / Timelines

1. Execute and submit a new Board-approved letter of commitment (LOC) containing concrete actions with defined timelines, to address the following directives and submit quarterly updates until full completion.
Replies and Comments: Details of the Letter of Commitment containing the actions and the related timelines were discussed in the BOD meeting last April 24, 2019.
Timelines: Done

A. Fully comply with the following provisions of the Letter of Commitment dated 24 August 2015 to:

i. Implement corporate governance reform plans to enhance Board oversight and to conduct the affairs of the corporation with a high degree of integrity, to include

a. Assessing the performance of the Board as individuals, that of key officers and the existing committee
Replies and Comments: We have drafted the Board of Directors Performance Review Framework last 2016. We have also prepared a BOD performance report for June 2016 to June 2017. We will engage the Corporate Governance Committee on drafting the Performance Review of the Board of Directors for June 2017 to June 2018.
Timelines: Done; June 30, 2019

b. Ensuring the Audit Committee effectively performs its mandate
Replies and Comments: This item will be discussed with the Board of Directors to ensure that the Audit Committee is empowered to perform its function and mandate.
Timelines: September 30, 2019

ii. Formulate and implement business improvement plans, to include

a. Conducting continuous training and implementing re-accreditation process for subscribers
Replies and Comments: We have created a Member Profile Form which will facilitate the re-accreditation of our subscribers. This includes financial analysis, business legitimacy, transaction profiling, etc. Training for subscribers will be scheduled in the later part of 2019.
Timelines: September 31, 2019

b. Undertaking a comprehensive risk assessment process and effectively implementing the operational risk management
Replies and Comments: Nationlink will be hiring a Risk Officer who will be primarily responsible for the implementation of the operational risk management.
Timelines: December 31, 2019

iii. Enhance the risk management framework by providing continuing education and training programs to auditors and IT personnel
Replies and Comments: This will also be the responsibility of the Risk Officer that will be hired.
Timelines: December 31, 2019

iv. Improve business continuity management by aligning the results of business impact analysis and risk assessment exercises with identified mission-critical applications and resources.
Replies and Comments: This will also be the responsibility of the Risk Officer that will be hired.
Timelines: December 31, 2019

B. Ensure compliance with BSP rules and regulations on electronic banking/electronic money products and services, particularly on the following:

i. Quarterly submissions of the Report on Electronic Money Transactions to the Supervisory Data Center of the Financial Supervision Sector.
Replies and Comments: Nationlink will be hiring a Compliance Officer, and validation and submission of BSP reports will be one of the responsibilities of said personnel. However, preparation and submission will be undertaken accordingly.
Timelines: June 30, 2019 (submission of updated report); December 31, 2019 (Hiring of Compliance Officer)

ii. Maintaining accurate and complete record of the identity of e-money holders
Replies and Comments: A formal KYC process is in place to ensure that details required for identification of e-money holders will be available and entered into the system accurately.
Timelines: December 31, 2019

iii. Conducting periodic and comprehensive audit of e-money operations and review of the security control environment and critical e-money systems
Replies and Comments: An additional internal audit personnel with sufficient knowledge and expertise will be hired by Nationlink to cover not only e-money systems but other aspects of operations such as IT general controls for IT audit.
Timelines: December 31, 2019

iv. Maintaining sufficient and unencumbered liquid assets equal to the amount of outstanding e-money issued.
Replies and Comments: The current and separate accounts payable / liability in the books of Nationlink is more than the current balance of outstanding e-money issued.
Timelines: Done

C. Strengthen the internal audit function by

i. Identifying and defining the audit universe (both for IT and non-IT related activities)
Replies and Comments: This will be covered by the development of the audit plan where all aspects of operations will be part of the audit universe. This will be handled by the internal audit complement that will be hired by the company.
Timelines: December 31, 2019

ii. Conducting a risk assessment to describe and analyze the risks inherent in a given line of business and drive the scope and frequency of audits
Replies and Comments: Nationlink will be hiring a Risk Officer who will be primarily responsible for the implementation of the operational risk management. With the results of the operational risk assessment, only high-risk areas will require more audit activities.
Timelines: December 31, 2019

iii. Developing an annual audit plan, including IT audit plan
Replies and Comments: The development of the audit plan will be the responsibility of the internal audit complement that will be hired by the company.
Timelines: December 31, 2019

iv. Establishing well-planned and properly structured IT and non-IT audit work programs
Replies and Comments: To effectively conduct its functions, the current internal audit personnel and the internal audit complement that will be hired will be required to document their audit work program to detail the objectives, procedures, scopes, tests and results of their internal audit work.
Timelines: December 31, 2019

2. Strengthen the compliance functions by adopting an appropriate compliance program and enhancing the scope of monitoring and testing to ensure its effective implementation and ensure compliance with BSP rules and regulations on electronic money products and IT risk management
Replies and Comments: This will be part of the responsibility of the Compliance Officer that will be hired by the company. However, management is also currently assessing the possibility of combining the compliance function with an existing job description, provided that there will be no incompatible functions that will be assigned to said personnel.
Timelines: December 31, 2019

3. Establish an effective Information Security (IS) management system by

A. Appointing a full-time and independent Information Security Officer (ISO) who has sufficient knowledge, background, training and organizational position to oversee the implementation of the organization’s IS program
Replies and Comments: Management is actively looking for an Information Security Officer with the right expertise to drive the information security operations of Nationlink to ensure that confidentiality, integrity and availability of the application systems as well as the operations are properly maintained. Management may consider hiring a head hunter or placing classified ads to expedite the process of hiring critical functions such as the Information Security Officer, Risk Officer, Compliance Officer and Internal Audit Personnel.
Timelines: December 31, 2019

B. Performing independent and periodic review of access rights, system logs, and activities of users with privileged access
Replies and Comments: A work program has been developed for the current internal audit personnel to perform the access review procedures.
Timelines: December 31, 2019

C. Establishing the minimum-security requirements to safeguard operating systems, system software, and databases
Replies and Comments: Baselines on all operating systems, software and databases will be part of the responsibility of the information security officer. As soon as baselines are established, the IT operations personnel will be briefed to operationalize and configure the said components to comply with the established baselines.
Timelines: December 31, 2019

D. Conducting an inventory of all information assets and performing a comprehensive and periodic IS risk assessment to identify and understand risks to confidentiality, integrity and availability of the institution’s information and IT Systems
Replies and Comments: A template has been developed to facilitate the inventory of all information assets. Once established, this will be forwarded to the information security officer and risk officer to initially conduct the IS risk assessment to determine the risk management plan for those risks that are currently not acceptable to management.
Timelines: December 31, 2019

4. Strengthen IT Governance and Operations Management by

A. Enhancing reports to ensure that significant matters are escalated to and appropriately discussed in Board and Management Meetings
Replies and Comments: The general manager already created a General Manager’s Report and regularly reported this to the BOD since 2017. The general manager’s report contains information such as liquidity, settlement, updates on projects and budget vs actual on the strategic plans that the Board of Directors approved.
Timelines: Done

B. Developing a formal capacity planning process that takes into account future requirements on platform processing speed, core storage, data storage and data communication bandwidth
Replies and Comments: This has been elevated to the Board of Directors and IT has been instructed to develop a formal framework and operationalize the framework to ensure that the company’s IT infrastructure is equipped to handle current and future volumes.
Timelines: December 31, 2019

5. Strengthen business continuity management (BCM) process

A. Performing a thorough business impact analysis and risk assessment to serve as basis for prioritizing recovery of business processes and to identify acceptable recovery time and point objectives
Replies and Comments: Nationlink is considering hiring a third-party consultant to conduct orientation and assist Nationlink personnel in conducting the business impact analysis and the business continuity plan.
Timelines: December 31, 2019

B. Conducting a comprehensive and full scale BCP test that covers all critical processes and applications
Replies and Comments: As soon as the BCP is established with the current business prioritization and related disaster recovery procedures, a BCP test will be conducted.
