The Central Bank of Egypt (CBE) issued the final regulation and directives that deal with banks and payments technological services providers.
The CBE has prepared these rules driven by the pacing development in bills and service fees collecting and payment and the need for technical payment aggregators and facilitators. They are also aimed at enabling these companies to provide financial technologies to merchants and companies as well as provide contractual arrangements to improve access and spread electronic collection services through different channels. This, according to the CBE, will have a great impact on increasing acceptance of electronic payment methods in that category of companies and merchants.
Technical payment aggregator
The CBE defined the technical payment aggregator as those companies that have financial solvency and provide technological services to their subsidiaries on behalf of the bank through electronic distribution channels, including the provision of electronic collection services for invoices or the services provided.
According to the CBE, these companies will provide a range of services such as the establishment of a technology platform to collect the invoices or services for the subsidiary, while linking them with electronic collection methods, providing the bank with the data of the subsidiaries which will be listed, and providing the contractual mode with the subsidiary in accordance with the bank’s requirements.
Moreover, the companies can also offer the necessary technical support to subsidiaries on behalf of the bank, provide compulsory advertency to their subsidiaries on the financial services supplied on behalf of the bank, and present mandatory reports on their subsidiaries which include transactions they implemented.
The CBE defined payment facilitators as those with financial solvency, which deliver financial and technological services through the electronic distribution channels of the subsidiary companies contracted on behalf of the bank for electronic collection.
The services provided by these companies include the establishment of technological platforms for the subsidiary companies with their connection to the collection services, the creation of added value services to subsidiaries and linking them to electronic connection services, and provide the bank with data on the subsidiary, which the bank will collect.
The services of these companies include the contracting of companies on behalf of the bank to provide electronic collection services; receive financial settlements from the bank contracted on behalf of the listed companies; the financial settlements of the companies listed on behalf of the bank; providing the necessary technical support to the listed companies on behalf of the bank; to provide mandatory awareness of the listed companies with regard to the financial services to be provided on behalf of the bank, and to provide mandatory reports of listed companies for the financial operations that have been implemented through it.
Subsidiary of technical payment aggregators
The subsidiary companies of the technical payment aggregator were defined by the CBE as the sub-companies that have a valid legal entity. They contract with the technical payment aggregators and the bank, in accordance with the said contracting methods, to provide payment service to customers through electronic distribution channels of the technical payment aggregators.
The CBE stipulated the availability of several conditions in these companies, namely the existence of a bank account for the subsidiary company to be collected to and the transfer of the invoice or services paid, the presence of real headquarters inside Egypt, the availability of clear communication data about the company, including a telephone number inside Egypt and an e-mail addess.
Subsidiary of the payment facilitators
The CBE has defined the electronic payment facilitators’ subsidiary as the company with a legal entity and is contracting with the payment facilitator to provide electronic payment service to its customers through its own channels, such as the company’s website, the mobile application of the company, or the company’s branch.
Electronic distribution channels
The CBE has defined electronic distribution channels as electronic channels that allow electronic collection for customers through them, including but not limited to, the electronic points of sale, e-collection through online websites, and mobile wallets.
Responsibilities and obligations of the board of directors and senior management of banks
The CBE has set a number of responsibilities for the boards of directors and senior management of the banks in dealing with the technical payment aggregators and payment facilitators, where the CBE regulations stipulated that the board of directors shall be responsible for approving the strategy of work prepared by the senior management of the bank, as well as taking a clear strategic decision regarding the bank’s desire to deal with the aggregators and facilitators or not.
The CBE stressed that the board of directors of the bank must ensure that their plans are compatible with the aggregators and facilitators with the bank’s strategic targets and risk analysis of these services, as well as taking suitable procedures to monitor risks and curb their emergence.
The CBE has also committed the banks’ board of directors to continuously review the results of reliance on technical payment aggregators and payments facilitators as per the plans and set goals, and periodically inspect the aggregators and facilitators.
Furthermore, according to the CBE’s directives, they also include that banks should conduct due diligence in regard to the efficiency, infrastructure, and the financial solvency of the technical payment aggregators an payment facilitators before conducting any deals, along with preparing a due diligence and supervising the technical payment aggregators and payment facilitators including technical, financial, and reputation due diligence.
The CBE obliged banks to develop a risk policy for technical payment aggregators and payments facilitators, and to examine the risks associated with refunds, fraud, interception, and bankruptcy.
The Anti-Money Laundering, Countering Financing of Terrorism, and Cybersecurity
The rules of the CBE regulate the work of the technical payment aggregators and the payment facilitators of the electronic payment operations to comply with the Anti-Money Laundering Law promulgated by Law No 80 of 2002 and the executive regulations, as well as the banks’ controls regulation on Anti-Money Laundering and the Financing of Terrorism, due diligence procedures of 2011, and mobile wallets due diligence for 2016 and their subsequent amendments.
The CBE stressed that adequate attention should be given to the nature of the service to identify operations suspected of involving money laundering or terrorism financing, in accordance with the banking controls of AML / CFT issued by the CBE in 2008.
It pointed out that in the case of suspicion of any operations carried out by technical payment aggregators or electronic payment facilitators, the AML / CFT unit must be notified in accordance with the provisions of the Anti-Money Laundering Law promulgated by Law No 80 of 2002.
The CBE also stressed the importance of complying with any instructions issued later by the technical payment aggregators or payments facilitators, and the need to inform the Department of Information Security Center via e-mail to [email protected] and notify the Cyber Security Administration via e-mail to [email protected], as well as immediately notify the control and supervision sector of breaches of any data related to the technical payment aggregators or payments facilitators.
Setting information security policy
The CBE regulations stressed that the bank’s senior management must ensure that the information security policy applied by the bank is approved by the board of directors and updated periodically, and covers collection services through the technical payment aggregators and electronic payment facilitators.
It explained that this contributes to determining the policies, procedures, and controls required to protect banking operations from breaches and security violations. It also defines the individual responsibilities and clarifies the mechanisms of implementation and the measures that must be taken in case of violation of these policies and procedures.
According to the CBE’s regulations, the bank’s senior management is responsible for promoting and spreading the culture of security at the bank’s levels by emphasising their commitment to the highest standards of information security and spreading this culture to the bank’s employees.
General rules for banks to use technical payment aggregators and payment facilitators
The CBE has set general rules for banks to use technical payment aggregators and payment facilitators.
According to these rules, the contract with the technical payment aggregators and the facilitators of the electronic payment processes should include the clear identification of the contractual responsibilities of the parties to the agreements of employment, partnership or agency, so that the responsibilities of providing the information to the technical payment aggregators and payment facilitators are clear.
The contract should also include a non-disclosure agreement for third-party confidential information and a service level agreement, which includes defining the roles, responsibilities, time required to implement the service, procedures and statements of escalation and penalties in case of non-compliance and items that reserve the bank’s right to audit services or rely on audited reports issued by certified auditors.
The contract between the bank and the technical payment aggregators or electronic payment facilitators should provide for the possibility of suspending or cancelling any of the subsidiary companies. The bank shall establish the mechanism that enables it to stop any subsidiary immediately.
The controls also include the provision of systems and processes for collection services through technical payment aggregators and facilitators, which are carried out through the employment or agency contract for the risk management system and privacy and information security policies that comply with the bank’s standards.
It also includes the provision of all audit and evaluation reports to the inspectors of the supervision sector of the CBE, and that the procedures for termination of the contract are effective.
These procedures should ensure that business continuity, data integrity, transport, and disposal are maintained.
The regulations stressed that it is not permitted for technical payment aggregators or electronic payment facilitators to contract with other companies (third parties) in sub-contracting to carry out the work assigned to them by the bank through this contract, except with the written approval of the bank, with a list of the work assigned by the technical payment aggregators or payments facilitators to third parties.
The CBE’s instructions also stressed the need for the bank to develop appropriate contingency plans for collection services through the technical payment aggregators or e-payment facilitators, and that technical payment aggregators and electronic payment facilitators shall examine the documents of the sub-companies to be carefully included with them, in accordance with the condition stipulated in this approval in addition to the bank’s requirements.
The instructions also stressed the need for the bank to obtain the data and documents of each subsidiary company to be contracted according to the requirements of the bank, as well as the technical payment aggregators and the payment facilitators in order to obtain the approval of the bank before the incorporation of the subsidiary into the system of technical payment aggregators or facilitators.
According to the instructions, there must be a mechanism in place for the bank to allow it to fully control the acceptance or suspension of the settlement of the total daily receipts of the subsidiary companies in the technical payment aggregators or electronic payment facilitators, based on the value of the bank guarantee provided by the technical payment aggregator or facilitators.
The regulations also stipulate that the bank should establish an internal system that allows it to continuously monitor the operations carried out through the technical payment aggregators or electronic payment facilitators.
According to the CBE, it is necessary for the bank to ensure that sub companies are not on any negative lists prior to activating the service. The bank must also ensure lack of any suspicion of money laundering, terrorist financing or any crime in accordance with the provisions of the Anti-Money Laundering Law promulgated by Law No 80 of 2002.
The bank shall also implement a mechanism through which it can separate the electronic collection of the subsidiary companies of the technical payment aggregator or facilitators at the time of completion of the online payment process and the need for the bank to examine the transactions carried out by the subsidiary companies on a daily basis without relying on the aggregators or facilitators.
In accordance with the CBE’s instructions, the bank should also provide a system for the review of the transactions of the technical payment aggregators and payment facilitators, which enables the matching and review of all transactions carried out through it to all its subsidiary companies in an instantaneous or daily manner.
The bank should also ensure that technical payment aggregators and payment facilitators to have a system for checking and monitoring transactions for their subsidiaries to monitor and carefully examine their transactions.
The CBE instructions stressed the need for the bank to conduct periodical inspection campaigns on the headquarters and systems of the technical payment aggregators or electronic payment facilitators to ensure that the rules of work that are followed are in line with the rules issued by it and the rules issued by the bank and the need to include this in the contract between banks and technical payment aggregators or payments facilitators, in addition to the need for the bank to establish clear rules for resolving any disputes that may arise between the parties of the system in accordance with the used distribution channels.
Moreover, the CBE regulations also stipulate that the bank should ensure that the technical payment aggregators and e-payment facilitators are committed to providing a customer service centre to respond to any inquiries. The bank will also disseminate the necessary awareness to the subsidiary companies on how to use the system, extract the required reports, view certain transactions, fraud, interception, and means to be used and data to be secured for these transactions.
In addition, the CBE instructions prohibit the subsidiary companies listed in the technical payment aggregators or facilitators of electronic payment transactions from dealing in virtual currencies, pyramid or network marketing schemes, buying and selling of securities, sharing files, dating websites and mobile apps, buying and selling of gold and jewellery, gambling, and crowd funding.
According to the CBE, any company or activity that requires prior approval by the CBE cannot be entered into by the technical payment aggregators or payments facilitators without obtaining the approval of the CBE.
The instructions also stressed the need for the bank to maintain a bank guarantee from the payment facilitator to secure the transactions executed through it. This guarantee is equal to or greater than the value of the payment facilitator within three working days. The guarantee should be evaluated periodically. The collected transactions by the facilitator cannot at any given time exceed the value of the guarantee kept at the bank.
The bank shall ensure that the settlement account for the payment facilitator is only for the payment of the proceeds of its subsidiaries, without using such proceeds in any other business of the payment facilitator.
According to the CBE, payments facilitators’ transactions and its subsidiary companies, whether for authorisations, settlements, and clearings, are limited to the Egyptian pound currency only and do not extend to other currencies.
The CBE classified the subsidiary companies that share the system as having no more than the volume of their electronic revenues from all the electronic distribution channels used the amount of EGP 3m per year and gave the right to the CBE governor to alter these limits.
If the proceeds from any subsidiary increase beyond EGP 3m per year, the bank removes it from the system of the payment facilitator and signs a new direct contract as per the contractual procedures of the bank with `any companies. A tripartite contract can also be signed between the bank and subsidiary company and payment facilitator for use as an aggregator whilst maintaining all controls issued in this regard.
The CBE instructions also stressed the need for the bank to maintain a bank guarantee from the technical payment aggregators in orde to secure the transactions executed through it. Such guarantee shall be equal to or more than 50% of the value of what is collected from the technical payment aggregators on a daily basis. The guarantee shall be periodically assessed. In any case, the value of the transactions collected by the technical payment aggregators shall not exceed the value of the security held by the bank.
These instructions also include limiting the transactions of the technical payment aggregators and its subsidiaries, whether authorisations, settlements, or clearings to Egyptian pounds and do not extend to other currencies except after obtaining the approval of the CBE.
The CBE regulations stipulate that government agencies cannot operate under the system of technical payment aggregators unless they obtain the prior approval of the CBE.
Procedures for obtaining a license to provide the service
Banks wishing to contract with technical payment aggregators or payment facilitators should apply for the approval of the CBE.
According to the CBE’s regulations, the bank must, at the time of submitting this application, have a list of distribution channels that the bank wishes to use through the technical payment aggregators or e-payment facilitators, and the detailed work steps to be followed for each distribution channel.
The request should include the bank’s plan, the technical payment aggregators or the facilitators of the electronic payment processes for the inclusion of the subsidiary companies, such as the distribution channels to be used, the number of sub-companies to be contracted with, and the target number of transactions to be collected.
The CBE also stressed the need for a statement indicating any cases of partial or total non-compliance with the rules for contracting with the technical payment aggregators or electronic payment facilitators issued by the CBE, provided that all the issued rules are complied with no later than six months from date.
As well as conducting all necessary tests according to electronic distribution channels to be used by technical payment aggregators or electronic payment facilitators, and to report to the CBE indicating passing these tests.
The CBE instructions stressed the necessity of the bank’s commitment not to launch the service with the technical payment aggregators or payments facilitators before the completion of the report to the CBE to the penetration tests report on the actual working environment, which indicates that there are no high or medium risk vulnerabilities, and then obtain the approval of the CBE to activate the service, provided that the report is submitted not later than three months from the date of issue, making these test periodically, and stipulating the CBE’s approval in renewing the license.
According to the CBE, if the bank wishes to add any new collection channels to the technical payment aggregators or electronic payment facilitators, new approval must be obtained from the CBE.
The bank shall also provide the Payment and Information Technology Sector at the CBE with a paper or electronic report every three months.
According to the CBE, this report should include a statement of the number of subsystems listed by the technical payment aggregators or electronic payment facilitators, according to the electronic distribution channels used, and the total number and value of operations of the subsidiary companies of the technical payment aggregators or electronic payment facilitators.
The CBE has also tightened its commitment to comply with any reports or rules issued by the CBE in respect of technical payment aggregators or e-payment facilitators, as well as the bank’s commitment to activate the services of payment service providers or electronic payment facilitators within six months of receiving the license from the CBE.
In accordance with the CBE;s instructions, the CBE shall have the right to inspect any part of the system to ensure that it conforms to the standards and specifications reported by the CBE. Failure to facilitate the CBE’s function in this regard shall be in violation of these rules by the bank managing the system. The CBE has the right to the imposition of appropriate sanctions in accordance with the provisions of Article 135 of the Law of the CBE and banking system No 88 of 2003 and its amendments.