(1) A payment service provider shall establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services that it provides.
(2) As part of the framework referred to in paragraph (1), a payment service provider shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
(3) A payment service provider shall provide to the Bank on an annual basis, or at shorter intervals as determined by the Bank, an updated and comprehensive assessment of -
(a) the operational and security risks relating to the payment services provided by the payment service provider, and
(b) the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.