2024-02-13

Central Bank of Tunisia Circular No. 2024-5 of February 13, 2024

The Central Bank of Tunisia issued Circular No. 2024-5 to establish comprehensive licensing, governance, and risk management rules for payment and securities settlement system operators. The regulation mandates a minimum 10 million Tunisian dinar capital for joint-stock company operators, defines precise authorization procedures and timelines, and requires robust internal controls, independent directors, and clear risk management frameworks. It further standardizes outsourcing practices, multi-tier participation models, and systemically important system criteria to ensure financial stability, interoperability, and equitable market access.

Tunisia

Banque Centrale de Tunisie

Tunis, February 13, 2024

Central Bank of Tunisia Circular No. 2024-5 of February 13, 2024

Subject: Rules governing the activity of payment and securities settlement system operators.

The Governor of the Central Bank of Tunisia,

  • Having regard to Organic Law No. 2004-63 of July 27, 2004, on the protection of personal data;
  • Having regard to Law No. 94-117 of November 14, 1994, on the reorganization of the financial market, as amended and supplemented by subsequent texts;
  • Having regard to the Commercial Companies Code, as amended and supplemented by subsequent texts;
  • Having regard to Law No. 2005-51 of June 27, 2005, on the electronic transfer of funds;
  • Having regard to Law No. 2016-35 of April 25, 2016, establishing the status of the Central Bank of Tunisia, particularly Articles 8, 17, and 42;
  • Having regard to Law No. 2016-48 of July 11, 2016, on banks and financial institutions;
  • Having regard to Decree-Law No. 2023-17 of March 11, 2023, on cybersecurity;
  • Having regard to Government Decree No. 2018-417 of May 11, 2018, on the publication of the exclusive list of economic activities subject to authorization and the list of administrative authorizations for project implementation, including related provisions and their simplification, as amended and supplemented by Presidential Decree No. 2022-317 of April 8, 2022;
  • Having regard to the Minister of Finance's Order of January 12, 2016, approving the Financial Market Council's regulation on the central securities depository;
  • Having regard to Opinion No. 5 of the Compliance Control Committee dated February 9, 2024, as provided for in Article 42 of Law No. 2016-35 of April 25, 2016;

Decides:

TITLE I: GENERAL PROVISIONS

Article 1: This circular aims to establish the rules governing the activity of payment and securities settlement system operators, particularly those relating to minimum governance and risk management requirements. Its objectives are:

  • To promote efficient, secure, and resilient payment and securities settlement systems with respect to risks, particularly systemic risks, in order to facilitate transaction settlement and preserve financial stability;
  • To protect participants of payment and securities settlement systems and their users;
  • To enhance the technical and institutional capacities of national online payment and securities settlement systems in line with international standards to facilitate their integration into regional payment systems;
  • To establish the conditions for healthy, transparent, and efficient competition in the activity of managing payment systems.

Article 2: For the purposes of this circular, the following terms are defined as:

  • Payment system: Refers to the set of instruments, procedures, rules, technical platforms, and networks enabling the processing, clearing, settlement, and transfer of funds between participants based on a contractual commitment with the system operator.
  • Securities settlement system: Refers to the complete set of institutional arrangements and predefined multilateral rules enabling the confirmation, clearing, and settlement of securities transactions between participants, primarily through delivery versus payment (DVP) mechanisms.
  • Clearing: The process of netting obligations between participants in the clearing arrangement, thereby reducing the number and amount of payments required to settle a set of transactions.
  • Real-Time Gross Settlement (RTGS): A continuous settlement mechanism, without netting, of fund or securities transfer orders or other obligations between participants on a case-by-case basis upon receipt.
  • Deferred Net Settlement (DNS): A net settlement mechanism that settles obligations between participants on a netted basis at the end of a predefined settlement cycle.
  • Delivery versus Payment (DVP) mechanism: A securities settlement mechanism that links the transfer of securities and the transfer of funds to ensure that securities are delivered if, and only if, the corresponding payment occurs.
  • System operator: Refers to the entity responsible for managing a payment or securities settlement system, particularly through:
      ✓ The mobilization of technical infrastructure equipped with an adequate risk management framework tailored to the system's activity, ensuring the transfer of funds or securities settlement arising from processing and clearing obligations between participants;
      ✓ The establishment of adequate operational rules and standardized procedures suited to the system;
      ✓ The establishment of formalized conditions for joining the managed system.
  • Systemically important system: A system whose partial or total malfunction may cause business continuity disruptions or transmit difficulties to participants or the financial system, thereby impacting financial stability.
  • Participant: Any duly authorized or licensed institution under prevailing legislation to provide financial services, the provision of which requires participation in a payment or securities settlement system while complying with the rules governing the system's activity.
  • Direct participant: A participant that connects directly to the system to perform its clearing and settlement operations.
  • Indirect participant: A participant that relies on a direct participant to provide it with clearing and settlement operations.
  • Stakeholders: The system operator's stakeholders encompass all actors participating in its economic life, including the regulatory authority, participants, and service providers.
  • Independent director: An independent director is any person who:
      ✓ Does not hold, directly or indirectly, through themselves, their spouse, or first-degree ascendants and descendants, a direct or indirect shareholding in the capital of the system operator, its subsidiaries, or its participants;
      ✓ Has not been an employee of the system operator for at least the three years preceding their appointment as independent director;
      ✓ Does not act on behalf of a participant, supplier, or service provider of the system operator;
      ✓ Does not have service contracts concluded directly by them or through an intermediary with the system operator or with any company linked to the system operator.
  • Management body: The executive board or general management of the system operator.
  • Board: The supervisory council or board of directors of the system operator.
  • Multi-tier participation arrangement: An arrangement where certain indirect participants rely on services provided by other direct participants to use the centralized services of a payment or securities settlement system.
  • Final settlement: The extinction of an obligation through the irrevocable and unconditional transfer of funds and/or securities.
  • Legal risk: The risk of losses due to the application of legal or regulatory provisions that do not align with expectations, or the inability to enforce a contract.
  • Business/Activity risk: The potential deterioration of the financial situation of the payment or securities settlement system operator linked to a decrease in revenues and/or an increase in expenses related to its commercial strategy, resulting in a loss charged to equity.
  • Operational risk: The risk that malfunctions in information systems, internal processes, human errors, or disruptions from external events lead to a reduction, deterioration, or interruption of services provided by a payment or securities settlement system.
  • IT and Cyber risk: The risk resulting from inadequacy or failure affecting the organization, operation, change management, or security of the information system of a payment or securities settlement system. This risk is part of operational risk.
  • Financial risks: Credit and liquidity risks.
  • Credit risk: The risk that a participant in the payment or securities settlement system fails to fully meet a financial obligation by its due date or subsequently.
  • Liquidity risk: The risk that a participant in the payment or securities settlement system is unable to partially or fully meet an obligation at its due date. Liquidity risk does not imply participant insolvency, provided the participant can meet said obligation at a subsequent unspecified date.

TITLE II: AUTHORIZATION FOR THE EXERCISE OF PAYMENT SYSTEM OPERATOR ACTIVITY

Chapter 1: Conditions for Access to Payment System Operator Activity

Article 3: Any person wishing to exercise the activity of payment system operator must, prior to commencing operations, obtain an authorization for this purpose. The authorization to exercise the activity of payment system operator is granted by the Central Bank of Tunisia, in accordance with the conditions set forth by Presidential Decree No. 2022-317 of April 8, 2022 (supra) and this circular, including:

  • The viability of the payment system to be managed, its prospects for integrating into the payments ecosystem, and its capacity to meet financial stability objectives as well as system security and efficiency;
  • The capital structure of the payment system operator, particularly the quality of direct and indirect shareholders, their reputation, financial capacity, and predisposition to promote system efficiency and security while preserving stability;
  • The sustainability of the activity program proposed by the payment system operator. The program must detail the business plan, business model in terms of services to be provided, target participants, and projected investments for technical infrastructure and development prospects;
  • The efficiency level of the payment system and its capacity to develop a user-friendly service offering meeting market needs and economic operators' requirements;
  • The adequacy of financial and human resources made available to the payment system operator, including capital and financial resources allocated to necessary technical infrastructure investments to ensure financial equilibrium and cover participant default risks;
  • The approach to managing the various payment system risks, particularly risk governance, policies, planned procedures, and mechanisms for identifying, measuring, and controlling these risks in compliance with this circular;
  • The technical and organizational capacities of the payment system to ensure:
      ✓ Security, efficiency, and transparency of operations and data;
      ✓ Protection of participants' assets and payment service users;
      ✓ Business continuity, and where applicable, the handling of discontinuity incidents through emergency plans that preserve financial stability and participant/user confidence;
      ✓ Interconnection with all participants and other payment systems enabling interoperability of services provided to users.
  • The compliance level of the governance framework to be deployed by the payment system operator with the governance rules set forth in this circular;
  • The reputation, integrity, competence, and experience of the board members and management body;
  • The organizational and administrative structure, human resources, and internal control framework of the payment system, and their adequacy to the activity and efficiency/security requirements;
  • The payment system's policies enabling equitable, fair, and transparent access for direct and indirect participants as well as other payment systems in accordance with the rules set forth in this circular;
  • The agreement of the competent authority of the country of origin for:
      ✓ The payment system operator, in case it manages another system abroad;
      ✓ The financial institution with its registered office abroad to participate in the capital of the payment system operator company to be established.

Article 4: Any payment system operator must take the form of a joint-stock company (société anonyme). The capital of the payment system operator company must not be less than 10 million Tunisian dinars.

Article 5: The payment system operator may only exercise activities other than those for which it was authorized on an exceptional basis and in limited proportions relative to the main activity.

Chapter 2: Authorization Procedures for Payment System Operator Activity

Article 6: Any person wishing to obtain authorization to exercise the activity of payment system operator must submit to the Central Bank of Tunisia an application addressed to the Governor, accompanied by a file as detailed in Annex I of this circular.

Article 7: The Central Bank of Tunisia may request the applicant, within one month from the submission of their application, to provide all supplementary information and documents necessary for file processing. Any authorization request for which the required information and documents are not provided within three months from the date of its submission by the Central Bank of Tunisia is considered null. The Central Bank of Tunisia renders its decision granting or refusing the authorization within a maximum period of four months from the date on which all required information and documents have been provided. It notifies the applicant of the outcome of their application and provides reasons in case of refusal.

Article 8: The preliminary authorization specifies, among other things, the category of the payment system, the nature of authorized operations, the participant category, initial capital, identity of the reference shareholder and principal shareholders, and sets forth the conditions to be met for granting definitive authorization, including:

  • Completion of incorporation procedures;
  • Provision of necessary resources;
  • Confirmation of the identity of board members, management body, and risk control/management officers;
  • Implementation of technical and logistical infrastructure;
  • Establishment of policies, procedures, and operational mechanisms necessary for the payment system's functioning and any other requirements to ensure compliance with authorization conditions.

The applicant must satisfy the prescribed conditions within a period not exceeding six months from the notification date of this preliminary authorization. Exceptionally, this period may be extended by three months upon reasoned request.

Article 9: The Central Bank of Tunisia issues the definitive authorization within two months from receiving a request from the applicant proving satisfaction of the conditions stipulated in the preliminary authorization. Any authorization request for which the required information and documents are not provided within one month from the date of its submission by the Central Bank of Tunisia is considered null. The Central Bank of Tunisia grants definitive authorization or issues a refusal decision within a maximum period of two months from the date on which all required information and documents have been provided.

Article 10: The Central Bank of Tunisia is authorized to take necessary measures if:

  • The payment system operator no longer satisfies the conditions on which the authorization was granted; and
  • The business continuity of the payment system is likely to adversely affect financial stability.

Chapter 3: Changes in Circumstances and Outsourcing Operations in the Exercise of Payment System Operator Activity

Article 11: Any change to one of the elements or conditions on which the authorization to operate and manage a payment system was granted is subject to approval by the Central Bank of Tunisia, including:

  • Any change the payment system operator intends to make to the category or nature of the previously authorized activity;
  • Any change in the approved technical infrastructure for a payment system's activity, including modernization, restructuring, or opening to interoperability with other local or foreign payment systems;
  • Any merger between payment system operators;
  • Any temporary, partial, or total suspension of the payment system operator's activity;
  • The transfer of assets or liabilities of the payment system operator resulting in a radical change to its financial structure or a change in category/nature of activity;
  • Any change to the governance framework of a payment system operator regarding governance mode, structure, and designated or authorized personnel;
  • Outsourcing operations, particularly technical ones, having an impact on business continuity, security, and the efficient functioning of the payment system.

Article 12: The authorization provided for in the preceding article is granted within the timeframes and conditions set forth in Article 9 of this circular.

Article 13: The payment system operator must submit any outsourcing agreement to the Central Bank of Tunisia prior to its signature.

Article 14: Outsourcing operations must not:

  • Deviate from or alter the conditions under which the payment system operator satisfies this circular's requirements;
  • Result in the delegation of the payment system operator's responsibility to comply with this circular;
  • Result in a modification to the relationship, rights, and obligations of the payment system operator with its participants.

TITLE III: GOVERNANCE FRAMEWORK

Chapter 1: General Governance Obligations

Article 15: The system operator must establish formalized objectives focused on the security and efficiency of the system, explicitly supporting financial stability and taking into account the interests of direct and indirect participants, their clients, and other stakeholders. It must adopt a formalized, clear, and transparent governance framework that promotes the achievement of the objectives cited in Article 1 of this circular.

Article 16: The system operator must implement a governance framework that defines, among other things:

  • The governance model;
  • Governance structures, their compositions, attributions, operating rules, interrelationships, and relationships with operational entities;
  • Governance policies, including clear and direct levels of responsibility and accountability;
  • The internal control and risk management framework, as well as mechanisms to ensure the independence of control functions;
  • The system operator's relationships with the ecosystem, particularly system participants and measures to ensure equitable and open access for said participants.

Chapter 2: Governance Bodies

Article 17: The board ensures the efficient and secure functioning of the system to guarantee its sustainability and preserve financial stability. It also ensures that the overall strategy, rules, decisions, and system design appropriately consider the interests of participants, service users, and other stakeholders. It must ensure that the organizational, human, financial, and technical resources made available are aligned with its missions.

Article 18: The board, within the exercise of its duties, ensures that it:

  • Defines the system's development strategy ensuring a balance between performance and risk management;
  • Establishes a governance framework adequate to the nature, complexity of activities, and associated risks;
  • Establishes an internal control framework adequate to the system's activity, including monitoring tools to ensure the effectiveness and independence of control functions;
  • Defines and establishes a sound risk management framework enabling risk identification, monitoring, and control;
  • Ensures the coherence of IT and cybersecurity policies as well as sound management of IT and cyber risks;
  • Defines and implements appropriate nomination, remuneration, and succession policies for key function managers, particularly control functions;
  • Defines and implements a compliance policy;
  • Monitors the management body in the effective implementation of the system's strategy and operational conduct;
  • Defines and implements admission rules based on the principle of fair and equitable treatment of participants;
  • Defines and implements a communication and disclosure policy towards stakeholders and the public.

Article 19: The board, within the framework of monitoring the management body, ensures that it:

  • Evaluates decisions taken by the management body regarding system management, particularly concerning continuity, security, and efficiency;
  • Controls the compliance of the management body's actions with approved strategies and policies, particularly in risk management;
  • Defines quantitative and qualitative performance monitoring indicators for the system.

Article 20: The system operator must ensure that...