Cairo, In a groundbreaking move, the Financial Regulatory Authority (FRA) has issued three pivotal decisions – decision no. 139, 140, and 141 of 2023 – nearly a year after the enactment of Law no. 5 of 2022 Regulating and Developing the Use of Financial Technology in Non-Banking Financial Activities (“Fintech Law”). These new Decisions have been crafted to enforce the Fintech Law, marking the advent of a new digital era for non-banking financial services.
Decision no. 139 of 2023: Technological Infrastructure and Information Systems for Fintech in Non-Banking Financial Sector
This decision targets companies seeking licenses from the FRA to operate in non-banking financial activities through fintech under the Fintech Law’s ambit. It also covers companies and authorities already licensed for non-banking financial activities under other laws, but now wish to undertake such activities through fintech or outsourcing technology service providers under the Fintech Law. Additionally, companies aiming to offer outsourcing technology services in the fintech sector for non-banking financial activities fall within this decision’s scope.
The decision outlines the required equipment for the technological infrastructure and information system, including database servers, application servers, and web servers. Several obligations and controls have been set forth for the addressees, such as maintaining customer databases within Egypt’s geographical borders, promptly notifying the FRA of any headquarters or data center relocation, establishing a 24/7 customer service center, and signing service level agreements with customers. The decision also includes vital annexes concerning information technology governance, technology risk management, and cybersecurity.
Decision no. 140 of 2023: Digital Identity, Digital Contracts, and Authentication Requirements
All companies planning to provide non-banking financial services through fintech must adhere to the provisions in this decision. It introduces key definitions, including Digital Identity, Digital Contracts, and Digital Record. The decision categorizes digital identity authentication into three levels and outlines the necessary requirements for each level. Digital contracts, which encompass rights and obligations of contracting parties in a digital form, are also addressed, including the possibility of “smart contracts.”
Requirements for digital identity authentication encompass various elements such as usernames, passwords, identity documents, emails, mobile phone numbers, e-payment accounts, digital signatures, and biometrics. The decision further specifies relevant sectors for companies engaging in fintech activities and imposes obligations for verification, customer satisfaction, and digital storage of contracts. Addressees of this decision mirror those in Decision no. 139 of 2023.
Decision no. 141 of 2023: Outsourcing Technology Service Providers Registry
This decision introduces the Outsourcing Registry, a mandatory registration for outsourcing service providers engaging in fintech activities. Entities must be registered in the Outsourcing Registry to provide any outsourcing services.
The decision outlines the conditions and requirements for registration, including taking the form of a joint-stock company or converting into one within 12 months of registration. Registered entities must have the technology to secure customer data and confidential information, along with an insurance policy covering technological and professional liability, accompanied by a fee of EGP 25,000 per sector.
The registration duration is one year, subject to renewal. A one-month grace period for renewal has been granted by the FRA. The decision details registration procedures, conditions for continuity, and administrative measures for violations.
With these decisions now in effect, Egypt’s non-banking financial sector is poised to embark on an exciting journey into the digital realm. The Fintech Law, bolstered by these recent measures, promises to unlock innovative opportunities while safeguarding customer interests and data security.
The decision further specifies the conditions and requirements for registration in the Outsourcing Registry, which include most importantly the following:
- Taking the form of a joint stock company or any other form provided that such form is converted to a joint stock company within a maximum period of 12 months upon the date of registration in the Outsourcing Registry.
- To have the needed technology to secure customer’s data and confidential information and to have a suitable remedy measure in case of any deficiency.
- To conclude an insurance policy against technological and professional liability along with settling a fee amounting to EGP 25,000 for each sector.
The decision has detailed the registration procedures along with the conditions for continuity of registration as well as the administrative measures in case of any violation.