Central Bank of Tunisia Circular No. 2018-61 dated December 31, 2018

Tunis, December 31, 2018 CIRCULAR OF THE CENTRAL BANK OF TUNISIA NO. 2018-61 Subject: Rules governing the activity and operation of payment institutions.

The Governor of the Central Bank of Tunisia, Having regard to Organic Law No. 2004-63 of July 27, 2004 on the protection of personal data; Having regard to Organic Law No. 2015-26 of August 7, 2015 on the fight against terrorism and the repression of money laundering; Having regard to Law No. 2004-5 of February 3, 2004 on computer security; Having regard to Law No. 2005-51 of June 27, 2005 on the electronic transfer of funds; Having regard to Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia and notably its Article 8; Having regard to Law No. 2016-48 of July 11, 2016 on banks and financial institutions and notably its Articles 20 and 21; Having regard to Circular No. 91-22 of December 17, 1991 regulating banking conditions, Having regard to Circular No. 2006-19 of November 28, 2006 on internal control; Having regard to Circular No. 2017-08 of September 19, 2017 on internal control rules for managing money laundering and terrorism financing risks, as amended by Circular No. 2018-09 of October 18, 2018; Having regard to Decision No. 2017-04 of the Approval Commission dated July 31, 2017 on approval filing procedures;

Having regard to Opinion No. 2018-14 of the Compliance Control Committee dated December 31, 2018, as provided for in Article 42 of Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia. Decides:

Article 1: This circular aims to set the implementation conditions for Articles 20 and 21 of Law No. 2016-48 on banks and financial institutions. It defines, in particular, the conditions for exercising the activity of payment institutions, specific governance and internal control rules, rules governing payment accounts, conditions for using agents, and the consumer protection framework.

Title I: Conditions of Exercise Article 2: Payment institutions are authorized, in accordance with Articles 10 and 20 of the aforementioned Law No. 2016-48, to provide the following services on behalf of their individual and corporate clients: a- As primary activities:

• the opening of payment accounts at levels 1, 2, and 3 as defined in Article 14 of this circular,
• cash deposits and withdrawals,
• direct debits,
• cash payment transactions,
• fund transfer operations,
• the execution of payment transactions by any remote communication means, including electronic payments; and
• the marketing of prepaid electronic money instruments issued by banks or the Tunisian Post. b- As ancillary activities, manual foreign exchange operations in accordance with the prevailing foreign exchange regulations.

Payment services must be provided exclusively in Tunisian dinars and within the territory of the Tunisian Republic. To this end, payment institutions must directly participate in the appropriate payment and clearing systems relevant to their activity.

Article 3: In accordance with the fifth paragraph of Article 21 of Law No. 2016-48, payment institutions must contract professional civil liability insurance or a bank guarantee of sufficient amount commensurate with their own funds to cover their liability when providing payment services. The minimum amount of the insurance policy or bank guarantee must be determined by payment institutions based on the following criteria:

• the institution's risk profile,
• the type of activity and payment services provided by the institution; and
• the volume of the institution's activity. Payment institutions must establish a methodological approach for calculating the insurance policy or bank guarantee and submit this approach to the prior approval of the Central Bank of Tunisia. Payment institutions are required to review once a year, and modify if necessary, the minimum amount of their insurance policy or guarantee.

Article 4: Payment institutions may perform fund reception operations from abroad via transfer, and make them available to their clients after obtaining the status of approved intermediary in accordance with prevailing foreign exchange regulations.

Title II: Governance Rules Article 5: Payment institutions must establish an effective governance system, adapted to the nature and size of their activities, to ensure sound and prudent management that guarantees their sustainability while protecting the interests of shareholders, creditors, and clients. The governing body determines the development strategy and risk policy of the institution. It ensures effective supervision of the management body and also ensures that the institution permanently maintains a good reputation capable of preserving public confidence and regulatory authority trust. For the purposes of this circular, the following are considered:

• governing body: Board of Directors or Supervisory Board
• management body: General Management or Executive Committee

Article 6: Payment institutions managed by a Board of Directors may combine the functions of Chairman of the Board and General Manager. The number of members of the governing body must be adapted to the nature, complexity, and volume of the payment institution's activity and its risk profile. Members of the governing body and management body must permanently satisfy professional honorability conditions and adequate expertise, particularly in electronic payments, to properly perform their duties.

Article 7: The payment institution must establish at least one specialized committee "of audit and risk" emanating from the governing body, responsible in particular for:

• assisting the governing body in designing and implementing an internal control system;
• reviewing the annual management report and financial statements before their approval by the governing body;
• monitoring the activities of internal audit and risk structures; and
• proposing a risk management policy adapted to the nature of payment activity and monitoring its implementation.

Article 8: Payment institutions are subject to the provisions of Central Bank of Tunisia Circular No. 2006-19 of November 28, 2006 on internal control. To this end, they must establish an internal control system adapted to the nature, size, and complexity of their activities and associated risks.

Article 9: Payment institutions must be equipped with:

• an information system commensurate with the nature and complexity of payment operations;
• an operational security device ensuring perfect traceability of executed payment transactions and collected funds, recording performed operations, providing the position of all open payment accounts, and preventing intrusion risks and fraud-related risks through organizational measures and prevention tools;
• a real-time payment operation recording and processing system at both the level of payment institutions themselves and their agent networks defined in Title IV;
• an adequate data processing and protection device for client personal data in accordance with prevailing legal and regulatory provisions;
• an adequate liquidity risk, operational risk, and cyber risk management device; and
• a Business Continuity Plan (BCP) that must be formalized and tested.

Article 10: Payment institutions must submit their IT systems to an annual computer security audit and provide the Central Bank of Tunisia with a copy of this audit report. They must conduct tests to analyze the security status of their IT systems and evaluate their capacity to effectively cope with attacks targeting said systems. To this end, payment institutions ensure that tests do not present operational disruption risks and do not compromise the continuity of their IT system services. Payment institutions set intervention deadlines and schedules and ensure that their business continuity plans include adequate measures to be taken in case of disruption due to performance or availability of their IT systems caused by tests or cyberattacks. Payment institutions must immediately inform the Central Bank of Tunisia and the National Agency for Computer Security (ANSSI) of all attacks, intrusions, and other disruptions likely to hinder the operation of their IT systems. In such cases, payment institutions are required to comply with measures established by the National Agency for Computer Security to resolve these disruptions. The Central Bank of Tunisia must be informed without delay of the measures taken.

Article 11: Payment institutions are subject to the provisions of Central Bank of Tunisia Circular No. 2017-08 of September 19, 2017 on internal control rules for managing money laundering and terrorism financing risks. They must, therefore, adapt their internal control systems to the nature, complexity, diversity, and volume of their activities and the risks to which they are exposed. Without prejudice to the provisions of the first paragraph of this article, payment institutions are required to apply client identification rules provided by Article 14 of this circular.

Article 12: Payment institutions must maintain payment operation registers, which must be retained for a period of at least 10 years from the execution of said operations.

Article 13: Payment institutions are subject to specific and regular reporting, the procedures for which are established by the Central Bank of Tunisia.

Title III: Rules on Opening and Operation of Payment Accounts and the Global Account Article 14: Payment institutions are authorized to open payment accounts at three levels "level 1 account", "level 2 account", and "level 3 account". Each level of payment account must correspond to: • limits by balance cap and total daily fund withdrawal amount from the payment account. • client identification rules as defined in this circular. The aforementioned limits and rules are set as follows:

• Level 1 payment account: The balance of this account is capped at 500 dinars, provided that the total daily fund withdrawal amount from the payment account does not exceed 250 dinars. Opening this account requires the client to have a national mobile phone number and a copy of an official valid identity document bearing their photograph, issued by a competent Tunisian authority or a recognized foreign authority.
• Level 2 payment account: The balance of this account is capped at 1,000 dinars, provided that the total daily fund withdrawal amount from the payment account does not exceed 500 dinars. Opening this account requires the establishment of a simplified identification form in accordance with Annex 1 of this circular, containing client identification information supported by any valid official identity document bearing the client's photograph, issued by a competent Tunisian authority or a recognized foreign authority, with a copy attached to said form.
• Level 3 payment account: The balance of this account is capped at 5,000 dinars, provided that the total daily fund withdrawal amount from the payment account does not exceed 1,000 dinars. Opening this account requires the physical presence of the client and necessitates the establishment of a detailed identification form in accordance with Annex 2 of this circular, containing all relevant information for client identification supported by any valid official identity document bearing the client's photograph, issued by a competent Tunisian authority or a recognized foreign authority, with a copy attached to said form.

Article 15: Payment institutions may open level 1 and level 2 accounts without requiring the physical presence of the client, provided that the opening occurs via a secure technological process ensuring verification of the authenticity of identity documents' photos transmitted by the client and the confidentiality of their personal data, as well as remote entry of identification forms provided in Article 14. The conditions set forth in this article constitute minimum requirements for client identification, without prejudice to the application of more stringent conditions by payment institutions.

Article 16: The opening of a payment account is subject to a written agreement between the payment institution and the account holder, a copy of which must be delivered to them. The agreement must include general conditions for account opening, operation, and closure; treatment of deceased persons' accounts; dormant or inactive accounts; conditions for freezing and reactivating a payment account; rights conferred by the account; list of services available to the client and their description; and applicable commission amounts. When the online account opening service is offered in accordance with the requirements of Article 15, the payment institution must allow the client:

• online access at any time to the agreement content;
• online acceptance of the agreement terms after consultation; and
• online request for account closure.

Article 17: Any payment account opening results in the issuance of a payment account number with the same coding as a bank account, used exclusively to provide payment services as defined in Article 2.

Article 18: It is prohibited for any payment institution to open more than one single payment account for the same individual or corporate person.

Article 19: Payment institutions are prohibited from granting credit facilities on the payment account and/or funding a payment account balance with telephone recharge units or any other currency other than central bank money. The payment account must not at any time present a debit position.

Article 20: Funds credited to payment accounts must be distinctly identified in the accounting records of payment institutions. These funds must be deposited into a single global account opened by the payment institution with an authorized deposit-taking bank, no later than the next business day following receipt.

Article 21: The global account must satisfy the following conditions:

• Be subject to a "global account agreement," duly signed by the payment institution and a depositary bank, which sets at minimum the operational modalities of the global account, fund management by the bank, information modalities for the payment institution regarding movements affecting the global account, and applicable remuneration;
• Have a balance corresponding to the sum of balances of all payment accounts opened with the payment institution;
• Be limited in use, excluding any use of funds lodged therein for financing the payment institution's operational needs; and
• Be independent and separate from accounts that a payment institution may open for its own needs. The payment institution must have at all times the breakdown of the global account by account holder. The Central Bank of Tunisia may take all measures it deems necessary to guarantee the application and compliance with the aforementioned provisions.

Article 22: Every payment institution is required to take necessary measures to reconcile the balance of the global account with the sum of balances of payment accounts recorded in its registers.

Article 23: Commissions received by the payment institution for payment services must not be accounted for at the level of the global account.

Title IV: Use of Payment Agent Networks Article 24: Payment institutions may, under their responsibility and for their own account, subject to restrictions provided by this circular, mandate legal or natural persons with merchant status in order to offer payment services.

Article 25: Payment institutions must establish a policy for using payment agents covering, in particular, the selection, training, control, and profile of these agents (natural or legal persons, their targeted activity sectors, and geographical locations…).

Article 26: Payment institutions are required to notify the Central Bank of Tunisia of any proposed mandate agreement with a payment agent.

Article 27: Payment institutions may mandate two categories of payment agents: a- Primary payment agents who can only provide the following services:

• opening of level 1 and 2 payment accounts as defined in Article 14;
• cash payment transactions;
• cash deposits and withdrawals on a payment account; and
• fund transfer operations. b- Retail payment agents who can only provide the following services:
• opening of level 1 payment accounts as defined in Article 14;
• cash deposits and withdrawals on a payment account; and
• cash payment transactions. Payment institutions may not mandate agents for remote opening of payment accounts.

Article 28: Primary and retail payment agents may offer payment services on behalf of a single or multiple payment institutions.

Article 29: Before entering into relations with primary and retail payment agents, the payment institution must ensure:

• their honorability and absence of disqualifying cases preventing merchant activity;
• the adequacy of their human, technical, and financial resources; and
• their capacity to comply with regulatory provisions regarding the provision of payment services for which they are mandated. The payment institution must permanently ensure that primary and retail payment agents apply the same level of client identification requirements as the payment institution itself. The payment institution using agents remains fully responsible vis-à-vis the Central Bank of Tunisia for acts performed by its agents during payment service provision.

Article 30: The payment institution must conclude an agreement with its primary and retail agents setting at minimum:

• the payment services offered by payment agents;
• the legal and financial liability of payment agents;
• the obligations of the payment institution towards payment agents regarding training, implementation of procedures, documents, support, and technical means necessary for providing mandated payment services;
• the control modalities performed by the payment institution on payment agents;
• remuneration modalities for services offered by payment agents on behalf of the payment institution; and
• the prohibition for a primary or retail payment agent to delegate or transfer their mandate to another agent or any other person.

Article 31: The payment institution may only mandate payment agents who open an "agent payment account" in its books, which operates according to the following rules:

• the agent payment account must be used exclusively to execute the payment services listed in Article 27;
• credit facilities granted by the institution on the agent payment account are prohibited; and
• the agent payment account must not at any time present a debit position. The payment institution takes necessary measures to ensure that the payment services listed in Article 27 are executed only within the limit of the available credit balance on the agent payment account. The capping rules listed in Article 14 do not apply to the agent payment account.

Article 32: Payment institutions must ensure that the payment agent publicly displays their status as an agent of one or more payment institutions.

Title V: Customer Protection Device and Complaint Handling Article 33: Payment institutions are required to establish client information rules as follows: a- Pre-execution transaction information: regarding the status of this transaction, its amount, and applicable commissions and taxes; b- Post-execution transaction information: regarding the status of this transaction, its amount, applicable commissions and taxes, as well as the new balance of their payment account and the cash.