Law No. 2017-018 Governing the Integrated Information System of Banky Foiben'i Madagasikara

REPUBLIC OF MADAGASCAR

PRESIDENCY OF THE REPUBLIC

Law No. 2017-018 Governing the Integrated Information System of Banky Foiben'i Madagasikara

STATEMENT OF MOTIVES

To achieve strong and inclusive growth for development, the establishment of a developed and resilient financial system is required.

Furthermore, to promote an environment conducive to financial inclusion, the development of financial infrastructure constitutes one of its major conditions.

In this context, the Integrated Information System (SII) managed by Banky Foiben'i Madagasikara (BFM) serves as an instrument to make necessary information available to economic actors to achieve the aforementioned objectives.

Moreover, within the framework of its statutory missions, BFM is called upon to conduct all useful studies and analyses for its information purposes.

To this end, BFM is authorized to establish structures, such as the SII, enabling it to collect from all entities including companies and professional associations, public administration, credit institutions, as well as other economic agents, the data essential to fulfilling its statutory missions.

However, given the sensitive nature of this data, which may pertain to legal or natural persons, an appropriate legal framework is necessary to ensure respect for the rights of data holders and the purposes of processing. This framework must also prescribe data security measures while guaranteeing their quality to enable BFM to achieve its objectives under the best conditions.

This is the purpose of this law.

---

PRESIDENCY OF THE REPUBLIC

Law No. 2017-018 Governing the Integrated Information System of Banky Foiben'i Madagasikara

The National Assembly and the Senate adopted this law in their respective sessions on November 2, 2017, and November 21, 2017.

THE PRESIDENT OF THE REPUBLIC

• Having examined the Constitution;
• Having examined Decision No. 21-HCC/D3 of December 12, 2017 by the Constitutional Court,

HEREBY PROMULGATES THE LAW WHOSE TEXT FOLLOWS:

Article 1 – OBJECT This law aims to establish the general regime and principles for the creation, organization, and operation of the Integrated Information System, abbreviated SII. The SII is a set of mechanisms:

• for data collection, centralization, processing, and exploitation; and
• for managing resulting monetary, economic, financial, and commercial information. The administration and management of the SII fall under Banky Foiben'i Madagasikara, abbreviated BFM.

Article 2 – DEFINITIONS For the purposes of this law, the following terms are understood as:

• "Economic Agents": any natural and/or legal person of public or private law, such as the State, local authorities, credit institutions, financial institutions, and enterprises;

• "Archiving Period": the period during which data and information are no longer intended for use, beyond which they will be deleted;

• "Retention Period": the period during which information remains accessible and consultable by any user in accordance with this law;

• "Data": any representation of facts or concepts in a form suitable for computer processing;

• "Data Providers": all entities obliged to provide the required data according to the forms, nature, periodicity, structures, and procedures established;

• "Payment Incidents": any offense related to the use of payment instruments;

• "Information": data that have undergone processing;

• "Aggregated Information": grouped, synthetic, or sectoral information that does not allow identification of the concerned natural or legal persons and may be made available to the public on BFM's website or in paper form upon written request;

• "Nominative Information": all information allowing identification of the concerned natural or legal person;

• "Consultable Information": all nominative or non-nominative information made available exclusively to the data providers of this law in exchange for their contribution to feeding the SII;

• "Identifying Information": all details relating to a company, including identity or corporate name, nature of activity, share capital, address or registered office, directors or managers, auditors, partners or shareholders, as well as any event or transaction affecting the company's life;

• "Quotation System": the process by which BFM assigns a rating to an enterprise or other designated entity based on its ability to meet financial obligations for a specified period;

• "Users": any credit institution or other entity authorized by BFM to access information from the SII.

Article 3 – PURPOSES OF THE SII The SII is an analytical tool for BFM in fulfilling its statutory mission, a support for supervising credit institutions, and a source of information serving any authorized entity, subject to this law. The data collected under the SII are used exclusively for the needs and purposes specified in the preceding paragraph and cannot serve directly or indirectly for other purposes.

Article 4 – DATA SOURCES Throughout the territory of the Republic of Madagascar, and for the purpose of feeding the SII, BFM is authorized to collect all data from the following listed data providers:

• all credit institutions;
• all public bodies;
• all private or public enterprises;
• all professional associations, private or public; or
• all economic agents. Data and information related to specific domains governed by legislative texts may also be utilized as sources of information for the SII.

Article 5 – STRUCTURE OF THE SII The SII groups various interconnected Information Centers, including:

• the Accounts Center, which records all bank accounts and similar accounts of any kind;
• the Payment Incidents Center, which records payment incidents on checks, bills of exchange, and all payment instruments used in Madagascar;
• the Risks Center, which records data related to credits granted to legal and natural persons;
• the Balance Sheets Center, which collects financial data from enterprises in Madagascar with the purpose of establishing a quotation system;
• the Corporate Identifying Information Center, which records general information on enterprises. The information from these Centers is destined for authorized users.

Article 6 – COMMUNICATION OF INFORMATION The data and information intended to feed the SII or issued from it are transmitted according to practical procedures established by BFM instruction or agreement. The communication of data to BFM may be permanent or occasional. The transmission is carried out in compliance with quality and security requirements pursuant to Articles 7 and 8 of this law. The communication of information issued from the SII may be subject to pricing by BFM.

Article 7 – DATA QUALITY Every data provider must ensure the accuracy, consistency, completeness, and sincerity of communicated data.

It is their responsibility to carry out necessary prior verifications and, where applicable, prove the reliability of transmitted data. BFM cannot in any case be held responsible for inaccuracies in the data it receives. It may request clarifications or supplementary information when data are unclear, inconsistent, or do not comply with SII requirements.

Article 8 – SYSTEM SECURITY BFM takes and prescribes all appropriate measures to protect data, programs, and equipment against all risks of altering the confidentiality, integrity, and availability of collected data, processed data, and information disseminated within the SII.

Article 9 – NATURE OF INFORMATION BFM ensures the communication of information from the SII, which may be nominative or aggregated. The nominative information contained in the SII is neither accessible nor transmissible except to data providers, according to the principle of reciprocity. This limitation does not apply to nominative information made public under applicable regulations.

Article 10 – OBLIGATIONS OF DATA PROVIDERS Data providers must inform the concerned natural or legal person of their rights prior to transmitting their data to the SII, namely:

• the identity of the processing responsible party;
• the nature of information transmitted to the SII;
• the purposes of data processing;
• the recipients of the data;
• the right to receive free of charge from data providers a copy of information concerning them;
• the existence of a right of access and rectification to their data. This provision does not apply to information made public under applicable regulations.

Article 11 – RIGHTS OF CONCERNED PERSONS Any person registered in one or more SII centers may request, through data providers, consultation and rectification of data in case of error or updating of information concerning them in the SII. BFM establishes by instruction, vis-à-vis data providers, the application procedures for these rights.

Article 12 – PROFESSIONAL SECRECY Every person involved in data processing and information dissemination, as well as those having access to consultable SII information, are bound by professional secrecy under penalty of applicable criminal sanctions. The compliance with professional secrecy, to which data providers under this law are bound, is not opposable to BFM in the context of collecting data intended to feed the SII, pursuant to this law. The obligation to respect professional secrecy is not opposable either to the person concerned by the information, nor to data providers, nor to Authorities acting under prevailing law.

Article 13 – RETENTION AND ARCHIVING The retention period for centralized data and information from the SII is five (5) years from the date of the last declared information. The archiving period is five (5) years from the date of the last retained information.

Article 14 – PROTECTION OF PERSONAL DATA The data of natural persons collected at the SII must comply with provisions established by the law on personal data protection.

Article 15 – GRANT OF MANDATE BFM is solely authorized to grant, by written mandate, the execution by other entities of all or part of the SII mechanisms mentioned in Article 5 of this law. The confidentiality rules for data and information processing, as well as all security devices, must be respected according to this law.

Article 16 – APPROVAL OF ENTITIES RESPONSIBLE FOR CREDIT DATA SHARING In the execution of its statutory missions, BFM is the authorized Authority to approve private entities engaged in credit data sharing. The application procedures for these provisions are established by regulatory means.

Article 17 – SANCTIONS Without prejudice to criminal sanctions provided by prevailing legislation, the following are subject to a prison term of 2 to 6 months and a fine of 10,000,000 to 40,000,000 Ariary, or one of these two penalties only:

• any person who has diverted data and information intended for or issued from the SII from their purpose;
• any person who has knowingly communicated inaccurate and incomplete data and information to the SII;
• any person who has knowingly concealed information intended for the SII;
• any person who has disclosed confidential information in violation of this law;
• any unauthorized person who has fraudulently acquired information from the SII with the aim of harming the concerned person. Without prejudice to administrative and/or criminal sanctions provided by prevailing legislation, any credit institution violating this law is subject to a penalty whose amount is fixed by BFM instruction.

Article 18 – TRANSITIONAL AND FINAL PROVISIONS Until the establishment of the Malagasy Commission for Informatics and Liberties (CMIL), provided by Law No. 2014-038 of January 9, 2015 on personal data protection, all disputes regarding data processed at the SII fall under the jurisdiction of the Civil Court. Regulatory texts will be issued to implement this law. The present law shall be published in the Official Journal of the Republic of Madagascar. It shall be executed as a law of the State.

Promulgated in Antananarivo on December 19, 2017

RAJAONARIMAMPIANINA Hery Martial

TRUE COPY (AMPLIATION CONFORME)

Antananarivo, January 2, 2018 THE GENERAL SECRETARY OF THE GOVERNMENT

FARATIANA Tsihoara Eugène