CIRCULARS FOR REGULATING THE ELECTRONIC PAYMENT OF FUNDS A. Circular No. (2/BS/IBS/475/2021) to all Local Banks and Electronic Payment Infrastructure Providers (EPIPs) regarding the Card Fraud Report. B. Circular to all E-Payment Infrastructure Providers (EPIPs) and their Agents Prohibiting Collection of Fees and Charges from Customers (The End User). C. Circular No. (2/BS, IBS, PS/520/2023) to all Local Banks and Electronic Payment Infrastructure Providers (EPIPs) and their Agents regarding the Electronic Payment Links for Individual Clients. D. Circular No. (2/BS, IBS, FS, IFS, PS/525/2023) to all Local Banks, Financing Companies and Large Electronic Money Service Providers regarding the Controls of Buy Now Pay Later Services (BNPL). E. Circular No. (2/PS/526/2023) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Controls of Appointing Leadership Positions. F. Circular No. (2/PS/527/2023) to All E-Payment Service Providers and E￾Money Service Providers regarding the Instructions on Minimum Cybersecurity and Business Continuity Requirements. G. Circular No. (2/PS/528/2023) to all E-Payment Service Providers and E￾Money Service Providers regarding the Rules and Procedures for Engaging in the Activity outside the State of Kuwait. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E￾Money Service Providers regarding AML/CFT Instructions. I. Circular No. (2/BS, IBS, PS/531/2023) to all Local Banks, E-Payment Service Operators, E-Payment Service Providers and E-Money Service Providers regarding MCC Codes and Description of Payment Transactions. J. Circular No. (2/PS/532/2023) to E-Payment Service Operators, E-Payment Service Providers, and E-Money Service Providers regulating the Provision of POS and Soft POS Devices to Exhibition Organizers. K. Circular to all E-Payment Service Providers, E-Money Service Providers and E-Payment Service Operators regarding Access to KwFIU Website to update the Suspicion Indicators that aid in Monitoring Suspicious Transactions

L. Circular No. (2/BS, IBS/534/2023) to all Local Banks regarding Measures for Protection of Customers from Electronic Fraud. M. Circular No. (2/BS, IBS/535/2023) to all local Banks on Linking with the Shared Electronic Banking Services Company (KNET) for the Apple Pay Service. N. Circular to all Local Banks regarding Fees and Commissions for E-Payment Services. O. Regulations applicable to Non-resident Companies for providing Buy Now Pay Later Services in the State of Kuwait. P. Circular to all E-Payment Service Providers, E-Money Service Providers and Limited Purpose E-Money Providers Emphasizing the Necessity of Adhering to the Provisions of Article no. (24) on the Instructions regulating Electronic Payment of Funds issued in May 2023. Q. Circular No. (2/BS, IBS, PS/547/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Electronic Payment Links. R. Circular No. (2/BS, IBS /546/2024) to all Kuwaiti Banks regarding “Instant Payment” Project. S. Circular No. (2/PS/557/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Company Managers’ Tasks Assigning During Absence T. Circular No. (2/PS/558/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the required Documents for Partners and Members of the Board of Directors when Applying for Registration. U. Circular No. (2/PS/559/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Statement of Development of the required National Labor Ratio by Main Jobs and the Company’s Economic Activity. V. Circular No. (2/PS/554/2024) to all E-Payment Service Providers and E￾Money Service Providers regarding Opening a Current Account with CBK. W. Circular No. (2/BS, IBS, PS/561/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers regarding the Pilot Launch Requirements.

X. Circular No. (2/PS/564/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Submission of Financial Statements. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. Z. Circular No. (2/BS, IBS/566/2024) to all Local Banks regarding Security Controls on Card Tokenization. AA. Circular No. (2/BS, IBS/567/2024) to all Local Banks regarding Financial Limits on Bank Cards and Payment Transactions.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 1 The Executive Director Sha’ban 03, 1442 H March 16, 2021 The Chairman, Circular No. (2/BS/IBS/475/2021) to all Local Banks and Electronic Payment Infrastructure Providers (EPIPs) regarding the Card Fraud Report With reference to the Circular issued on November 21, 2019 to all local banks for filling out the card fraud form, we would like to inform that all local banks and Electronic Payment Infrastructure Providers (EPIPs) must fill out the attached form of the Card Fraud Report on a monthly basis to supersede that mentioned under the aforesaid circular. The following should also be adhered to:

1. The completed form shall be emailed to epsu@cbk.gov.kw.
2. The controls stated in the Card Fraud Report Guide must be observed.
3. The form must be submitted within a period not exceeding 5 working days from the end of the reporting month. In addition, a clear icon must be added on the main page of your official website to help customers report any fraud as per your preset mechanism/process, and awareness materials on the subject should be available. Best Regards, The Executive Director Waleed M. Al-Awadhi

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 2 Card Fraud Report Guide

---

Document Name Fraud Report Guide Document Version Version 2.0 Issue Date November 2021

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 3 Contents I. Introduction.................................................................................................. 4 II. Applicability ................................................................................................ 4 III. Card Fraud Report structure ........................................................................ 5 IV. Resolved cases related to previous year ...................................................... 8 V. Mandatory considerations............................................................................ 9 VI. Review and Update...................................................................................... 9 VII. Acronyms................................................................................................... 10

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 4 I. Introduction The purpose of the Card Fraud report Guide is to provide guidance in the process of completing and submitting the Card Fraud Report. The objective of the Card fraud report is to: • Enhance card fraud monitoring mechanism for a stronger consumer protection. • Improve data collection and Analysis process to improve the forecasting reports. • Analyze fraud trends and patterns to develop more relevant awareness campaigns. • Unify the fraud reporting process to improve the comparability of the data and ensure all fraud cases are being reported by the bank. • Ensure uniformity, accuracy and timeliness in the data collected. II. Applicability The Card Fraud Report is required to be completed and submitted by the following regulated entities:

• All Electronic Payment Infrastructure Providers (EPIPs) registered in the CBK EPIPs, and EPAs register.
• All local banks. The (EPIPs) and the Local banks should fill all fields accordingly; exception of any field is subject to CBK’s approval. If any of the above￾mentioned regulated entities require an exception of any field, they must submit an official request that is subject to CBK’s approval.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 5 III. Card Fraud Report structure The fraud related data for each card type is broken down into two types of transactions, Card present (CP) and Card-Not-Present (CNP). The transaction type is further broken down into the channels in which the fraudulent transaction was executed. Card Present channels are POS and ATM. On the other hand, the channels for the (CNP) transactions are internet/mobile banking and Payment gateway. Moreover, the Fraud types for each channel are as represented in the above fraud management process overview diagram. The total value and the total number of transactions for each type of fraud is further geographically sub-divided into domestic and cross-border, depending on where did the fraudulent transaction occur. The bellow chart is the definition and specifications for each field in the report.

Field Definition/specification

1 Debit Card A card enabling its holders to make purchases and/or withdraw cash and have these transactions directly and immediately charged to their accounts, whether these are held with the card issuer or not. 2 Credit Card A card that enables cardholders to make purchases and/or withdraw cash up to a prearranged credit limit. The credit granted may be either settled in full by the end of a specified period, or settled in part, with the balance taken as extended credit (on which interest is usually charged). Card type Debit Credit Prepaid Transaction type CP CNP Channel POS ATM Internet/Mobile banking Payment Gateway Fraud Type Lost and stolen cards Card not received Counterfeit Tapping wearable device ATM false claims Trapping Others Vishing Smishing Phishing Hacking Fraudulent or compromised Website/Application Others

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 6

Field Definition/specification

3 Pre-Paid card A card on which a monetary value can be loaded in advance and stored either on the card itself or on a dedicated account on a computer. Those funds can then be used by the holder to make purchases. 4 Transactions Total Value The total amount in Kuwaiti Dinar of all transactions on all (Debit, credit or Prepaid) cards issued by the bank. Total No. of transactions: The total whole numbers of all transactions on all (debit, credit or prepaid) cards issued by the bank. 5 CP When a credit, debit or prepaid card is used to make an unauthorized transaction in a face-to-face setting. This type of fraud may involve the use of the actual stolen card or a fraudulent duplicated card made using a card number and magnetic stripe information. 6 POS Fraudulent transactions performed at Points of Sale using a (debit, credit or prepaid) card issued by the bank or a Counterfeit card. 7 ATM Fraudulent transactions processed at the Automated teller machines using a (debit, credit or prepaid) card issued by the bank or a counterfeit card. 8 Lost & Stolen Cards Fraudulent transactions using physical cards either a lost or a stolen card. 9 Card Not Received When a new or replacement card is stolen from the mail, never reaches its rightful owner. 10 Counterfeit When counterfeit c copies the data held on the magnetic stripe of a legitimate credit or debit card and uses this data to create a fake plastic card, which contains the real cards details. 11 Trapping A type of ATM security attack, where the cyber-criminals trap a user's credit or debit card to obtain the card details. The criminals install a device inside the card acceptance slot of an ATM, to trap the ATM cards inside the cardholder. 12 Tapping wearable devices Using a fraudulently obtained wearable device (such as, watches, rings or phones) to pay at POS or perform a transaction at an ATM.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 7

Field Definition/specification

13 ATM false claims When a customer falsely claims that he/ she did not receive the cash from the ATM after performing a withdrawal transaction, or claiming that they deposited an amount that was not debited to their account although they didn’t really deposit any cash. 14 Other Any other fraud cases using cards that do not apply to the previously described categories. Kindly provide a short explanation of the cases in the “Notes” column. 15 CNP Any transaction where either the card, the cardholder, or the merchant are not present in the same place at the time of the instruction of the payment for the transaction by the cardholder. For example: mail order, telephone order, basic and secure electronic commerce, mobile on debit cards issued by the bank. 16 Internet Banking An electronic payment system that enables the customer of a bank or a financial institution to make financial or non-financial transactions online via the internet. This service gives online access to almost every banking service, traditionally available through a local branch including fund transfers, deposits, and online bill payments to the customers. 17 Mobile Banking A service provided by a bank or other financial institution that allows its customers to conduct financial transactions remotely using a mobile device such as a smartphone or tablet. 18 Payment Gateway A payment gateway is a merchant service provided by an e￾commerce application service provider that authorizes credit card or direct payments processing for e-businesses or online retailers. 19 Phishing A cybercrime in which one or multiple targets are contacted by email by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. 20 Vishing A cybercrime where a fraudster uses voice messages or phone calls to try to steal identities, and financial information like a client PIN, card details and Digipass code. 21 Hacking When a hacker invades a computer system operated by places such as (retailers, restaurants, hotels, banks, school… etc.) in order to clone credit cards, commit CNP frauds or sell the cards information on the dark web.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 8

Field Definition/specification

22 Smishing A form of phishing, Smishing is a technique used by criminals to steal bank or credit card information using text messages. In such an incident, the mobile device user receives a fake text message that appears to be from a bank. The text message may request that the consumer call a phone number to provide card or account information to a criminal posing as a bank employee. 23 Fraudulent or Compromised Website/Application The illegal practice of stealing credit/ debit card information by setting up a fake website or phone application and encouraging people to input their card information to purchase a certain product or service. 24 Domestic Fraudulent transaction occurred in Kuwait. 25 Cross-border Fraudulent transaction outside Kuwait. 26 Total Complaints Total Value The total amount in Kuwaiti Dinar of all claims on all (debit, credit or Prepaid) cards issued by the bank. Total No. of Cases The total number of all cases of claims on all (debit, credit or prepaid) cards issued by the bank. IV. Resolved Cases Related to Previous Year

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 9 V. Mandatory Considerations When completing and submitting the Card Fraud report, the following must be applied:

• The report should be submitted via the email: epsu@cbk.gov.kw
• All data should be in English
• Reports should be submitted no later than five working days post the end of the month.
• File name should start with the bank code (All CAPS) followed by the year and month for which the file is being sent. Ex.: o Current year file: BANKCODE_YYYYMM_CURRENT o Amounts recovered in the current year but related to previous year: BANKCODE_YYYYMM_PREVIOUS_1 VI. Review and Update This document shall be reviewed at regular intervals or as per business requirements for any amendments or updates.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 10 VII. Acronyms Term Definition EPIP Electronic Payment Infrastructure Provider CBK Central Bank of Kuwait CP Card Present CNP Card-Not-Present ATM Automated Teller Machine POS Point of Sale PG Payment Gateway

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. B. Circular to all E-Payment Infrastructure Providers (EPIPs) and their Agents Prohibiting Collection of Fees and Charges from Customers (The End User). 11 The DEPUTY GOVERNOR Jumada Al-Oula 11,1444 H December 05, 2022 The Chief Executive Officer, Circular to all E-Payment Infrastructure Providers (EPIPs) and their Agents With reference to the Circular No. (2/BS, IBS/477/2021) dated April 11, 2021 to all EPIPs and their agents defining appropriate mechanism for fees and commissions associated with the business activity of the electronic payment and settlement systems 1 , all EPIPs and their agents may not collect any fee or commission from the customer (The End User) for all e-payment services, and must update all contractual agreements accordingly. Best Regards, The Deputy Governor Sahar A. Al-Rumaih 1 This circular has been revoked by virtue of the Circular dated 05/12/2023 included under Item (B) of this chapter.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for regulating the Electronic Payment of Funds. C. Circular No. (2/BS, IBS, PS/520/2023) to all Local Banks and Electronic Payment Infrastructure Providers (EPIPs) and their Agents regarding the Electronic Payment Links for Individual Clients 12 THE GOVERNOR Ramadhan 14, 1444 H April 05, 2023 Circular No. (2/BS, IBS, PS/520/2023) to all Local Banks and Electronic Payment Infrastructure Providers (EPIPs) and their Agents1 regarding the Electronic Payment Links for Individual Clients The Chairman, As the Central Bank of Kuwait (CBK) is keen to ensure the sound supervision over the e-payment activities in the State of Kuwait in light of the recently detected increase of fraud in e-payment services, and in order to reduce the risks arising from these transactions taking into consideration the AML/CFT requirements, the following must be complied with when providing payment services through e-payment links (Quick Pay) to individual customers:

1. Including in the bank statement the link originator (sender) or the link payer (the recipient), and the full name of the other party, the bank’s name as per the information on the card issued to them, and the purpose of the payment.
2. The validity of the payment link shall not exceed 24 hours.
3. Setting a ceiling on the daily/monthly limits for the value of transactions that a single customer can carry out using the payment link taking into account that limits should be proportionate to the level of risks associated with customers. CBK’s prior approval on those limits must be obtained.
4. Including the full name of the originator and the purpose of payment in the link. 1 As per the Instructions regulating the Electronic Payment of Funds included under Item 2 of Chapter One of the Electronic Payment of Funds Guide, the Title “Electronic Payment Infrastructure Providers and their Agents” has been replaced by “E-Payment Service Provider, E-Money Service Provider, and E-Payment Service Operator”

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. A. Circular No. (2/BS/IBS/475/2021) to all local Banks and Electronic Payment Infrastructure Providers (EPIPs) Regarding the Card Fraud Report. 13 5. Continuous monitoring of the transactions processed using the payment links, developing processes, procedures and controls to detect fraudulent transactions, and activating continuous supervision through anti-fraud systems and increasing the awareness campaigns through various communication channels. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. D. Circular No. (2/BS, IBS, FS, FS, PS/525/2023) to all local Banks, Financing Companies and Large Electronic Money Service Providers regarding the Controls of Buy Now Pay Later Services (BNPL). 14 THE GOVERNOR Thul-Hijjah 17, 1444 H July 05, 2023 The Chairman, Circular No. (2/BS, IBS, FS, IFS, PS/525/2023) to all Local Banks, Financing Companies, and Large Electronic Money Service Providers regarding the Controls of Buy Now Pay Later (BNPL) Services Reference is hereby made to the CBK Board of Directors’ Decision No. (45/471/2023) regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (25) thereof: “Activity service providers authorized to provide BNPL service must provide the CBK with a work plan that includes the measures for protecting customers’ rights, a disputes settlement and return of purchases, in accordance with the CBK’s relevant instructions and controls”. Thereupon, we would like to inform you that the CBK Board of Directors approved, in its meeting held on 26/06/2023, the controls for BNPL applicable to local banks, financing companies, and large electronic money service providers, as attached. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. D. Circular No. (2/BS, IBS, FS, FS, PS/525/2023) to all local Banks, Financing Companies and Large Electronic Money Service Providers Concerning Regulations for Buy Now Pay Later Services (BNPL). 15 Controls for Buy Now Pay Later (BNPL) Services for Local Banks, Financing Companies, and Large Electronic Money Service Providers Within the regulatory and supervisory role of the Central Bank of Kuwait vis a vis the banking and finance sector, virtue of “Law No. (32) of 1968 Concerning Currency, the Central Bank of Kuwait, and the Regulation of Banking” and amendments thereof, and based on the Instructions Regulating the E-Payment of Funds issued within decision (45/471/2023), and Article (25) in particular regarding the controls for Buy Now Pay Later (BNPL) services for Local Banks, Financing Companies, and Large Electronic Money Service Providers, and in line with implementation of global customer protection controls and standards, and in keenness to ensure that regulatory instructions and systems are abreast with developments in the banking and finance business environment, and guided by regional and international best practices in the field of regulatory standards for this type of business, the CBK Board of Directors has decided in its meeting convened 26/6/2023 to issue these controls for Buy Now Pay Later (BNPL) services for Local Banks, Financing Companies, and Large Electronic Money Service Providers. I. Scope of Implementation These controls are binding for Local Banks, Financing Companies, and Large Electronic Money Service Providers that offer Buy Now Pay Later (BNPL) services, to be referred to in this document as “service providers”. II. Buy Now Pay Later (BNPL) Requirements Before the initiation of BNPL service, CBK shall be provided with the following:

1. A Work Plan that includes, as a minimum, the following: A. A guidebook on business procedures for provision of the service which includes procedures for payment, settlement, installment payment, and measures for deducting fees and commissions, as well as measures for inquiring about customer credit limit and for reporting extended amounts. B. The conditions and regulations pertaining to BNPL services, including, as a minimum, the types of products and services permitted for purchase, targeted customer segment, number of installments, the maximum amount extended, and the maximum repayment period, as well as fines (if any) imposed on the customer for payment delays, etc.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. D. Circular No. (2/BS, IBS, FS, FS, PS/525/2023) to all local Banks, Financing Companies and Large Electronic Money Service Providers Concerning Regulations for Buy Now Pay Later Services (BNPL). 16 C. The policy on limits on BNPL extended, where CBK has the right to reduce the amount as it deems appropriate. 2. Customer Protection Measures: A. Dispute settlement mechanism: a suitable mechanism shall be specified to guarantee settlement of any dispute that may take place between service providers and customers, and it shall be explicit enough to ensure effective implementation. B. The customer complaints service shall be linked with CBK whereby the (individual) customers lodge their complaints and grievances directly to CBK against the CBK-registered banks/companies that provide BNPL services. C. Return of purchases: a mechanism shall be specified to regulate return of purchases between the BNPL beneficiary and the service provider, which shall cover the time-frame permitted for returns, settlement of transaction sums, and the Service Level Agreement. III. Service Execution Controls

1. Maximum amount extended per customer by all service providers is KWD 500.
2. Repayment period for the client should not exceed four months, unless prior permission is obtained from CBK indicating otherwise.
3. A service provider may not deduct any profits, revenues or interest from the customer in exchange for the BNPL service.
4. A link is required with the Credit Information Network Company (Ci￾Net) to facilitate inquiries about customers’ credit limit, as well as reporting of amount granted to the customer through BNPL service. It is imperative measures be taken to guarantee that sums granted a single customer by all service providers does not exceed the maximum permitted, indicated above.
5. In the event of any dispute between the service provider and customers, the mechanism approved by CBK for service providers in this regard must be implemented. The service provider against whom a complaint is lodged shall present a reply in writing within 15 business days of the date of complaint. The reply must indicate whether remedial action had been taken regarding the issue of complaint, or whether it was found that the

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. D. Circular No. (2/BS, IBS, FS, FS, PS/525/2023) to all local Banks, Financing Companies and Large Electronic Money Service Providers Concerning Regulations for Buy Now Pay Later Services (BNPL). 17 service provider was following proper procedure on the subject matter. If the customer is not satisfied with the reply, he may present a grievance to CBK attaching the reply and supporting documentation requesting that the bank examines the case and determine whether the service provider had taken proper procedure or was at fault. 6. Both beneficiary of BNPL service and the service provider must abide by the Service Level Agreement, and an item must be included that specifically addresses exchange of information, purchase returns, and the time-frame within which the beneficiary of the BNPL service is to inform the service provider of the details of the return to enable settlement and return of funds to the customer, as well as measures required in this regard. 7. No delay fees shall be imposed on the customer by the service provider if the return takes place prior to the date the installment is due. 26/06/2023

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. E. Circular No. (2/PS/526/2023) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Controls of Appointing Leadership Positions. 18 THE GOVERNOR Thul Hijjah 17, 1444 H July 05, 2023 The Chairman, Circular No. (2/PS/526/2023) to all E-Payment Service Providers, E-Money Service providers, and E-Payment Service Operators regarding Controls of Appointing Leadership Positions With reference to the CBK Board of Directors’ Decision No. (45/471/2023) regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (36) thereof: “The CBK’s approval must be obtained for candidates of the Board of Directors and executive management positions with the Activity services provider, and/or any other jobs determined by CBK in accordance with the requirements under its instructions issued regarding appointment of executive positions”, I would like to inform you that the CBK Board of Directors approved, in its meeting held on 26/6/2023, controls for appointing leadership positions with all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators, as attached. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. E. Circular No. (2/PS/526/2023) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Controls of Appointing Leadership Positions. 19 Controls of Appointing Leadership Positions for all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators We refer to the CBK Board of Directors’ Decision No. (45/471/2023) issued in its meeting convened 14/5/2023 regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (36): “CBK approval must be obtained for candidates of the Board of Directors and executive management positions with the activity services provider, and/or any other jobs determined by CBK in accordance with the requirements under its instructions issued regarding appointment of executive positions”. Thereupon, the following requirements shall be met by E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators nominees for membership in the Board of Directors and leading executive management positions:

1. The nominee shall have no prior conviction for a crime involving breach of honor or integrity: a testimony issued by the Criminal Execution Prosecution Department at the Ministry of Justice shall be attached for all partners, Board of Directors nominees (for share-holding companies), the post of Chief Executive Director, and other positions indicated by CBK.
2. For Board of Directors nominees (for share-holding companies): The nominees must have prior professional competence and expertise working for a banking, financial, or technology institution, and documentation to that effect must be attached.
3. As for appointing partners to the position of the General Manager for limited liability companies, other officials, or those in other jobs or positions connected to the company’s activities: A. The General Manager: Must be a university graduate in any economic, legal, administrative, or technical specialization, and with a five-year expertise in a banking, finance, or technology institution, or a university degree and a seven￾year expertise in any of these fields. B. Those appointed to other important jobs or positions connected to the company’s activities:

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. E. Circular No. (2/PS/526/2023) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Controls of Appointing Leadership Positions. 20 Must have a university degree in any field of a strong connection to the responsibilities of the position in question, as well as a three-year expertise in the same field. The term “other jobs”, also subject to the conditions above, are jobs connected to company activity such as those to do with internal auditing, risk, information technology, finance, operations, etc. 26/6/2023

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. F. Circular No. (2/PS/527/2023) to all E-Payment Service Providers and E-Money Service Providers Concerning the Instructions on Minimum Cybersecurity and Business Continuity Requirements. 21 THE GOVERNOR Thul-Hijjah 17, 1444 H July 05, 2023 The Chairman, Circular No. (2/PS/527/2023) to All E-Payment Service Providers and E￾Money Service Providers regarding the Instructions on Minimum Cybersecurity and Business Continuity Requirements We hereby refer to the CBK Board of Directors’ decision No. (45/471/2023) regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (28) thereof: “Activity Services Providers must:

• Implement the instructions issued by CBK in relation to cybersecurity.
• Implement the instructions issued by CBK in relation to the business continuity, crisis management and disaster recovery plans.” Thereupon, we would like to inform you that the CBK Board of Directors approved, in its meeting held on 26/6/2023, the minimum cybersecurity and business continuity requirements for E-Payment Service Providers and E-Money Service Providers, as attached. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. F. Circular No. (2/PS/527/2023) to all E-Payment Service Providers and E-Money Service Providers Concerning the Instructions on Minimum Cybersecurity and Business Continuity Requirements. 22 Instructions on Minimum Cybersecurity and Business Continuity Requirements for E-Payment Service Providers and E-Money Service Providers Within the regulatory and supervisory role of the Central Bank of Kuwait vis a vis the banking and finance sector, virtue of “Law No. (32) of 1968 Concerning Currency, the Central Bank of Kuwait, and the Regulation of Banking” and amendments thereto, and based on the Instructions regulating the Electronic Payment of Funds issued in May 2023 by virtue of the Decision No. (45/471/2023), in particular Article (28) with respect to cybersecurity and business continuity, and implementation of global controls and standards related to safeguarding confidentiality of customers’ banking, financial, and personal data, and in line with regional and global best practices in the field of regulatory standards for such business, the CBK Board of Directors decided in its meeting held on 26/6/2023 to issue these instructions, which represent the minimum cybersecurity and business continuity requirements for E-Payment Service Providers and E-Money Service Providers. The aforementioned instructions include an integrated system aimed at reducing cyber risks associated with E-Payment Services and E-Money Services, and the negative effects that these risks may have on business continuity. Scope of Instructions These instructions apply to all E-Payment Service Providers and E-Money Service Providers, both current and newly established. Instructions Controls E-Payment Service Providers and E-Money Service Providers shall abide by the following:

1. Separation shall be maintained between “cybersecurity” and “information technology” tasks, and an “information security” job position shall also be created that is independent of information technology (to avoid conflict of interest) for Large E-Payment Service Providers and Large E-Money Service Providers. As an alternative, the position could be given necessary autonomy in the organizational structure to enable the tasks to be completed in full for Small E-Payment Service Providers and Small E-Money Service Providers.
2. Information security policy, as well as business continuity and crisis management policy, measures, and plans must be formulated, approved and signed/stamped by service provider’s higher management (Chief Executive Director or Board of Directors), and the interval for its initial or regular review by an independent auditor must also be specified.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. F. Circular No. (2/PS/527/2023) to all E-Payment Service Providers and E-Money Service Providers Concerning the Instructions on Minimum Cybersecurity and Business Continuity Requirements. 23 3. In cases where the service provider keeps record of or processes bank card data, Payment Card Industry Data Security Standard (PCI-DSS) certification must be obtained, approved by a third party, and renewed regularly to ensure continued validity with the approving authority. Should the certification be revoked or fail to be renewed for any reason, the CBK must be notified. 4. Comprehensive security assessment tests for the product/service must be conducted by a third party – and all observations in the assessment report must be addressed according to a clear plan compatible with the service provider’s risk management prior to launch of service. Service providers shall also maintain compliance with standard practices such as ISO security standards certificates in a manner that guarantees running of their business in an environment that is compliant with global information security standards. 26/6/2023

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. G. Circular No. (2/PS/528/2023) to all E-Payment Service Providers and E-Money Service Providers regarding the Rules and Procedures for Engaging in the Activity outside the State of Kuwait. 24 THE GOVERNOR Thul-Hijjah 17, 1444 H July 05, 2023 The Chairman, Circular No. (2/PS/528/2023) to all E-Payment Service Providers and E-Money Service Providers regarding the Rules and Procedures for Engaging in the Activity outside the State of Kuwait Reference is hereby made to the CBK Board of Directors’ Decision No. (45/471/2023) regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (26) thereof: “Activity service providers may not open a branch or a subsidiary company outside the State of Kuwait or initiating any procedures in this regard before obtaining the prior written approval of the CBK in accordance with the instructions CBK issues in this regard”. Thereupon, I would like to inform you that the CBK Board of Directors approved, in its meeting held on 26/6/2023, the rules and procedures applicable to the E￾Payment Service Providers and E-Money Service Providers for engaging in the activity outside the State of Kuwait, whether by opening branches or subsidiary companies, as attached. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. G. Circular No. (2/PS/528/2023) to all E-Payment Service Providers and E-Money Service Providers regarding the Rules and Procedures for Engaging in the Activity outside the State of Kuwait 25 Regulations and Procedures for Engaging in the Activity outside the State of Kuwait by E-Payment Service Providers and E-Money Service Providers, whether through Opening of Branches or Subsidiary Companies Within the regulatory and supervisory role of the Central Bank of Kuwait vis a vis the banking and finance sector, virtue of “Law No. (32) of 1968 Concerning Currency, the Central Bank of Kuwait, and the Regulation of Banking Business” and amendments thereof, and based on the Instructions regulating the Electronic Payment of Funds issued within decision (45/471/2023), and Article (26) in particular which states that, “Activity service providers are prohibited from opening a branch or subsidiary company outside the State of Kuwait or initiating any procedures in this regard before obtaining the prior written approval of the CBK in accordance with the instructions it issues in this regard.” E-Payment Service Providers and E-Money Service Providers “activity service providers” desiring to open branches or subsidiary companies shall comply with the following: I. Procedures for opening branches or subsidiary companies outside the State of Kuwait:

1. The service provider be directly offering the service for a minimum period of three years in the State of Kuwait.
2. CBK must be informed prior to initiating any communication with financial or banking regulatory authorities in any other jurisdiction for opening a branch or a subsidiary company abroad.
3. The service provider must directly submit to CBK an application for the establishment of a branch or subsidiary company outside the State of Kuwait, attaching a comprehensive feasibility study comprised of all the necessary elements, most important of which: A. Justification for creation of a branch or subsidiary company and the expected benefit. B. The nature of business that it is to be engaged in. C. Financial estimates for the expected business volume of the branch or subsidiary company, cost of establishment, and cost and outcome of the activity over a suitable period no less than three years. D. The extent to which the automated systems are connected to the proposed branch via the Headquarters or other branches – if any.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. G. Circular No. (2/PS/528/2023) to all E-Payment Service Providers and E-Money Service Providers regarding the Rules and Procedures for Engaging in the Activity outside the State of Kuwait 26 E. Any other matters taken in consideration upon taking the decision to opt for establishing a branch or subsidiary company. II. Activity service providers shall present to CBK reports, information, and data related to their branches or subsidiaries abroad, including the information below:

1. Any unusual losses, immediately as they materialize, and any significant events that affect the branch or subsidiary’s financial position.
2. Any violations or penalties imposed on a branch or subsidiary in a host state.
3. Informing CBK of any intention by a branch or subsidiary company to expand operation beyond the host state.
4. Any other data or information of relevance CBK may request. III. CBK issues an initial approval of an application by an activity service provider with a one-year validity. The service providers shall, immediately upon issuance of the approval, initiate and seek to conclude necessary measures for opening of the branch or subsidiary company prior to the expiry of said validity period. Should the service provider fail to inaugurate the branch or subsidiary within this one￾year period, an application is to be presented to CBK for an extension of the validity, within the initial period including the justifications for the requested extension. In case of failure to do so, the validity expires on initial expiry date. IV. CBK shall be provided with an approval from the host-state supervisory authority, if available, on opening the branch or subsidiary company. V. The branch or subsidiary company may not initiate operation before registration with CBK, which must be obtained 15 days prior to launch date, attaching proof that necessary permits and approvals had been secured from all relevant authorities. 26/06/2023

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 27 THE GOVERNOR Thul-Hijjah 17, 1444 H July 05, 2023 The Chairman, Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E￾Money Service Providers regarding AML/CFT Instructions We hereby refer to the CBK Board of Directors’ Decision No. (45/471/2023) regarding issuance of the Instructions regulating the Electronic Payment of Funds, which state under Article (27) thereof: “Activity services providers must comply with AML/CFT requirements set forth under the Law No. 106 of 2013 regarding Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) and its Executive Bylaw, the related ministerial resolutions, the requirements under the international standards issued by the Financial Action Task Force (FATF), and any instructions issued by CBK or the related supervisory authorities” Thereupon, we would like to inform you that the CBK Board of Directors approved, in its meeting held on 26/6/2023, the AML/CFT instructions to E￾Payment Service Providers and E-Money Service Providers, as attached. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 28 AML/CFT Instructions to E-Payment Service Providers and E-Money Service Providers Within the framework of compliance by E-Payment Service Providers and E￾Money Service Providers with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) instructions in line with Law No. (106) of 2013 (later referred to as The Law), its executive bylaws, relevant ministerial decisions, requirements included in the global standards issued by the Financial Action Task Force (FATF), and based on the Instructions regulating the Electronic Payment of Funds issued in resolution No. (45/471/2023), and particularly Article (27) thereof which states, “Activity services providers must comply with AML/CFT requirements set forth under the Law No. 106 of 2013 regarding Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) and its Executive Bylaw, the related ministerial resolutions, the requirements under the international standards issued by the Financial Action Task Force (FATF), and any instructions issued by CBK or the related supervisory authorities.”, E-Payment Service Providers and E-Money Service Providers shall abide by the following: I. Assessment of AML/CFT Risk: E-Payment Service Providers and E-Money Service Providers must produce an assessment of AML/CFT risk connected to the activity they are to engaged in and update said assessment every two years, and the study shall address the nature of risk connected to the following elements: • The Various types of customers whom will be dealt with. • Product or service, whether it’s currently being offered or to be offered in the future • The level of risk the E-Payment Service Providers and E-Money Service Providers are exposed to according to both elements above, where it is to be classified under the three risk levels (Low, Moderate, and High). All due diligence measures shall also be in place while managing these elements to limit their impact on the activity. II. Due Diligence Requirements: According to the outcome of the risk assessment that was conducted to assess the AML/CFT risk, appropriate due diligence measures are to be defined and followed by the E-Payment Service Providers and E-Money Service Providers with regards to the following:

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 29 • Type of documents to be provided for each risk level connected to transactions and customers. • Information that would be requested from the customer according to the risk associated with each. • Additional measures to be taken towards implementation of enhanced due diligence in case of “high risk” associated with a customer. • Due care must be taken when updating data and information concerning customers which is required to be undertaken at intervals befitting the level of risk associated with said customers (within a year or less for high-risk customers, within two years or less for moderate risk customers, and within three years for low-risk customers). III. Verifying Customer’s Identity: E-Payment Service Providers and E-Money Service Providers must not initiate a business relation with any customers without ascertaining the full name of the customer and that he/she is the beneficial owner of the service provided. Furthermore, the customer’s identity shall be ascertained based on legal documentation issued by an official authority in the State of Kuwait, which shall be valid, in line with the following: • A civil ID card for Kuwaitis and non-Kuwaitis (residents), issued by the Public Authority for Civil Information (PACI). • Using the Mobile ID application, provided by PACI. • A copy shall be maintained of all documents gathered to verify customers identity. IV. Compliance Control: A. Concerning companies registered with CBK among Small E-Payment Service Providers or Small E-Money Service Providers: An institution’s organizational structure shall include a compliance control position, and the job description and tasks associated with the post shall be indicated. A company’sstaff-member shall be assigned to the post who is of sufficient expertise in the concerned area in line with the relevant Law/s.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 30 B. Concerning companies registered with CBK among Large E￾Payment Service Providers or Large E-Money Service Providers: • An independent compliance supervisor must be assigned on higher management level to ascertain the company’s compliance with the provisions of the law. The staff member appointed in this position must have suitable qualifications and expertise in the areas of countering money laundering and financing of terrorism that enable him/her to successfully perform the concerned tasks. Furthermore, CBK shall be provided with all information concerning the compliance supervisor and those to serve in their place while they are on leave, and this shall include the name, qualifications, phone numbers, and email address, and the CBK shall be apprised of any/all changes to this information. • The company shall have in place a specific job description for the post of compliance supervisor and assistants – if any – that includes all tasks that come with the position. V. Continued Monitoring of Customer Transactions: Procedures and systems shall be in place to guarantee continued monitoring by the E-Payment Service Providers or E-Money Service Providers of all transactions carried out for each customer, to ensure that all transactions executed are in line with available customer data and its risk assessment. VI. Saving Customer Information (KYC): The E-Payment Service Provider or E-Money Service Provider must ascertain all data concerning the customer and the identity of the beneficial owner through completion of the (Know Your Customer [KYC] form), and this includes as a minimum all information related to the type and volume of the activity, as well as the purpose of dealing with the service provider, in addition to the number and value of expected transactions, and the limit for transactions that could be executed (daily, weekly, monthly). There must also be a disclosure if the customer is currently serving, or had in the past served, in a political position, whether locally or internationally, and documentation presented to this end must be saved and the validity thereof verified for as long as the business relation with the customer lasts. VII. General Requirements: • Where there is doubt a given transactions involves proceeds of a crime or is in any way connected to money laundering or financing of terrorism,

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 31 an examination and gathering of information shall be conducted without informing any of the parties or giving them any suspicion, that such an inquiry is taking place. And all supporting documentation shall be maintained ready to be presented upon request. The Kuwait Financial Intelligence Unit (KwFIU) must be notified of the incident within two business days, should the inquiries conclude there is indeed suspicion of or existence of funds connected to money laundering or financing of terrorism. • It must be verified that none of the customers served are listed in the sanction lists, whether those issued by the UN Security Council (UNSC) sanction committees or by the Foreign Ministry’s committee (the local committee) concerned with implementation of UNSC resolutions, and no business may be engaged in with any customer whose name is on any of these lists. • All documentation, data, and information, whether on the transactions executed or those gathered in line with due diligence measures must be maintained for 5 years minimum of the date of end of business with the customer, and all studies conducted on risk associated with money laundering and financing of terrorism, and updates thereof, must also be maintained. • Internal procedures must be in place to update customer data at a frequency commensurate with the level of risk, and documents saved and gathered as part of due diligence must continue to be valid. • Appropriate training and knowhow must be provided for all concerned staff of E-Payment Service Providers and E-Money Service Providers in the area of verifying compliance with AML/CFT instructions, in a manner that guarantees they are capable of meeting their tasks. • No E-Payment Service or E-Money Service may be provided to any individuals or institutions without licensing from the competent authorities. • Policies, business procedures, and internal systems and controls must be drawn up and implemented for countering money laundering and the financing of terrorism.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. H. Circular No. (2/PS/529/2023) to All E-Payment Service Providers and E-Money Service Providers regarding AML/CFT Instructions. 32 VIII. Penalties and Legal Action: Penalties indicated in Article (15) of Law No. (106) of 2013 on Anti-Money Laundering and Countering the Financing of Terrorism measures (AML￾CFT) shall apply to E-Payment Service Providers and E-Money Service Providers should they be found in violation of any of these instructions. 26/6/2023

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. I. Circular No. (2/BS, IBS, PS/531/2023) to all Local Banks, E-Payment Service Operators, E-Payment Service Providers and E-Money Service Providers regarding MCC Codes and Description of Payment Transactions. 33 The Executive Director Safar 07, 1445 H August 23, 2023 The Chief Executive Officer, Circular No. (2/BS, IBS, PS/531/2023) to all Local Banks, E-Payment Service Operators, E-Payment Service Providers and E-Money Service Providers regarding MCC Codes and Description of Payment Transactions In line with the CBK’s roles of regulation and oversight over the banking and financial sector, as mandated under the Law No. 32 of 1968 concerning Currency, the Central Bank of Kuwait and the Regulation of Banking and its amendments, and the Instructions regulating the Electronic Payment of Funds issued in May 2023, we would like to inform that you are required, when providing E-Payment services, whether through POS devices or the E-Payment gateway, to ensure that an MCC code is assigned, and the description of the payment transactions are in accordance with the updated list of codes and descriptions of E-Payment methods in KNET’s POS devices and the E-Payment gateway. Best Regards, The Executive Director Abdul Hameed D. Al-Awadh

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. J. Circular No. (2/PS/532/2023) to E-Payment Service Operators, E-Payment Service Providers, and E-Money Service Providers Regulating the Provision of POS and Soft POS Devices to Exhibition Organizers. 34 The Executive Director Safar 18, 1445 H September 03, 2023 The Chief Executive Officer, Circular No. (2/PS/532/2023) to E-Payment Service Operators, E-Payment Service Providers, and E-Money Service Providers Regulating the Provision of POS and Soft POS Devices to Exhibition Organizers In line with the CBK’s roles of regulations and oversight over the banking and financial sector, as mandated under the Law No. 32 of 1968 concerning Currency, the Central Bank of Kuwait and the Regulation of Banking and its amendments, and the Instructions regulating the Electronic Payment of Funds issued on 15/05/2023, we would like to inform you that POS and Soft POS devices must not be provided to exhibition organizing companies for use by exhibition participants. Instead, such services shall be directly provided by Local Banks, E￾Payment Service Providers or E-Money Service Providers, to exhibition participants, and the bank or activity provider shall be responsible for providing the service in accordance with the Instructions regulating the Electronic Payment of Funds, as well as the Anti-Money Laundering and Combating Financing Terrorism (AML/CFT) instructions to the E-Payment Service Providers and E￾Money Service Providers issued on 05/07/2023. Best Regards, The Executive Director Abdul Hameed D. Al-Awadh

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. K. Circular to all E-Payment Service Providers, E-Money Service providers and E-Payment Service Operators regarding Access to KwFIU Website to update the Suspicion Indicators that aid in Monitoring Suspicious Transactions. 35 The Executive Director Safar 19, 1445 H September 04, 2023 The Chief Executive Officer, Circular to all E-Payment Service Providers, E-Money Service Providers and E-Payment Service Operators Further to the update by Kuwaiti Financial Intelligence Unit (KwFIU) of the suspicion indicators that aid financial institutions, designated non-financial businesses and professions in monitoring suspicious transactions, approved on 22/06/2023 and published on the KwFIU’s website, you are required to access the KwFIU website to consider the said indicators for guidance. Best Regards, The Executive Director Abdul Hameed D. Al-Awadh

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. L. Circular No. (2/BS, IBS/534/2023) to all Local Banks regarding Measures for Protection of Customers from Electronic Fraud. 36 THE GOVERNOR Rabiʽ Al-Awwal 3, 1445 H September 18, 2023 The Chairman, Circular No. (2/ BS, IBS/534/2023) to all Local Banks regarding Measures for Protection of Customers from Electronic Fraud Out of the CBK’s keenness to enhance measures for protection of customers from fraud, all local banks are required to take the necessary actions to fulfill the below requirements:

1. When adding a new beneficiary to the list of beneficiaries through Internet Banking or Mobile Banking Applications, the following must be adhered to:

• OTP SMS must be sent.
• Once a beneficiary is added successfully, SMS and a notification message through the bank’s mobile application, and an email, if available, will be sent to the customer including the name of the new beneficiary, advising the customer to contact the bank if he/she is not aware thereof.
• The bank must not activate the beneficiary before the lapse of at least 12 hours, unless the customer contacts the bank to confirm adding the beneficiary.
• If the identification number of the customer’s previously registered device or smart chip (e.g. using a VPN from outside the State of Kuwait for a device or SIM that has not previously been registered with the bank) is not recognized, the customer must be contacted through the bank’s official phone service systems to verify that the process has been completed with the customer’s knowledge and approval, before processing any banking transaction. The same procedure must also be taken when downloading the bank application on Mobile Banking.

2. The bank’s policy must include precautionary procedures to prevent using the bank application on mobiles in case any remote devise control applications, e.g., AnyDesk, is downloaded.
3. Banks must develop additional security systems that allow generation of security codes to implement banking operations through their Mobile Apps to ensure that no transaction has been made through any other device.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. L. Circular No. (2/BS, IBS/534/2023) to all Local Banks regarding Measures for Protection of Customers from Electronic Fraud. 37 4. The circular issued on 05/04/2023 regarding e-payment links for individual customers must be complied with. In addition, the transactions of electronic transfers must be continuously monitored. Processes, procedures and proactive controls must be developed to detect fraudulent transactions, and continuous supervision through anti-fraud systems must be activated. and CBK must be notified of such transactions, and awareness campaigns must be increased raise the level of awareness of the recent methods of fraud. 5. Informing customers on the new process for adding a beneficiary in line with this circular must be conducted through all of the bank’s official social media platforms. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. M. Circular No. (2/ BS, IBS/535/2023) to all local Banks on Linking with the Shared Electronic Banking Services Company (KNET) for the Apple Pay Service. 38 The Manager Rabiʽ Al-Awwal 04, 1445 H September 19, 2023 The Chief Executive Officer, Circular No. (2/ BS, IBS/535/2023) to all Local Banks on Linking with the Shared Electronic Banking Services Company (KNET) for the Apple Pay Service As part of the CBK’s roles of regulation of the e-Payment related activities, all local banks should have a direct link with the Shared ElectronicBanking Services Company (KNET) to process transactions related to the Apple Pay Debit Card Service, within a maximum period of 6 months as of the date hereof, and provide us with a confirmation that the link process has been completed. Best Regards, Manager, Digital Operations & Financial Technologies Supervision Department Reem M. Al-Roumi

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. N. Circular to all Local Banks regarding Fees and Commissions for E-Payment Services. 39 The Manager Rabiʽ Al-Awwal 27, 1445 H October 12, 2023 The Chief Executive Officer, Circular to all Local Banks regarding Fees and Commissions for E￾Payment Services As part of the CBK’s regulation of E-Payment activities, and with reference to Article (23) of the Instructions regulating the Electronic Payment of Funds issued in May 2023 which states: “It is prohibited to collect or modify any fees or commissions under any name unless a written approval is obtained from CBK, and after informing CBK of the nature, actual cost and supporting documents of such fees and commissions”, your banks must provide us with all fees and commissions collected for any payment service that you provide, including E-Payment gateway service and POS devices service. Best Regards, Manager, Digital Operations & Financial Technologies Supervision Department Reem M. Al-Roumi

• Sent to all local banks.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. O. Regulations applicable to Non-resident Companies for Providing Buy Now Pay Later Services in the State of Kuwait. 40 Regulations Applicable to Non-resident Companies for Providing Buy Now Pay Later Services in the State of Kuwait1 I. The following are the terms and conditions to be fulfilled by a non￾resident company upon submitting the application for providing BNPL Services in the State of Kuwait:

1. The non-resident company should submit the license for practicing BNPL activity issued from the regulatory authority in the company’s home country, provided that a 3-year period should have been elapsed since the date the company began effective operation in providing BNPL services.
2. A written approval from the regulatory authority in the non-resident company’s home country should be obtained for providing BNPL Service in the State of Kuwait.
3. An official letter from the regulatory authority in the non-resident company’s home country should be obtained declaring its readiness to cooperate with the Central Bank of Kuwait in the area of supervision, taking into consideration information confidentiality and protection.
4. An official letter from the regulatory authority in the non-resident company’s home country shall be submitted, declaring its adherence to the BNPL activity standards.
5. The memorandum of association, articles of association, the commercial register and information on the financial position of the non-resident company shall be submitted, attaching the last three annual financial statements audited by auditors.
6. Proof shall be provided of expertise and qualifications of the company’s shareholders and the members of senior management, along with evidence of their eligibility, and the absence of any issue that may jeopardize their reputation and integrity.
7. The company’s organization structure shall be provided, indicating all departments and positions, and the main duties of each.
8. The required share capital of the non-resident company shall be fixed at the discretion of the Central Bank of Kuwait. 1 These regulations have been approved by virtue of the CBK BoD’s Resolution passed on 29/01/2024.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. O. Regulations applicable to Non-resident Companies for Providing Buy Now Pay Later Services in the State of Kuwait. 41 9. The company shall submit an irrevocable and automatically renewable letter of guarantee issued in favor of the Central Bank of Kuwait from a licensed bank in the State of Kuwait for an amount of KWD 1,000,000. 10. The company shall submit a work plan that includes, at least, the following: A. The manual of work procedures for providing the services including payment procedures, settlement and installment procedures, charge and commission deduction procedures, and procedures for inquiry about client’s credit limit and reporting of granted amounts. B. The rules and conditions of BNPL Service including, as a minimum, the types of products and services that would be purchased, the target segments of customers, the number of payments, the maximum grant amount, the maximum period of payment, delay charges (if any) etc. C. The policy for granting limits to BNPL customers, and The Central Bank of Kuwait has the right to reduce the amount, as it deems appropriate. 11. The company shall submit a plan for customers’ right protection measures, including: A. Dispute Resolution Mechanism: this should be defined to ensure resolving any dispute that may arise between the service provider and a customer; it shall be clear and well-defined to ensure efficacy, and Kuwaiti courts shall have jurisdiction to adjudicate any such dispute. B. Linking the customer complaint service with the Central Bank of Kuwait, where any individual customer may submit a complaint/grievance directly to the Central Bank of Kuwait against a BNPL Service Provider registered with the Central Bank of Kuwait. C. Refunds for Returns of purchases: a mechanism should be developed to regulate returned purchases refund processes between the beneficiary of the BNPL Service and the service provider, including the period for returning purchases, settlement of transactions’ amounts and the Service Level Agreement.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. O. Regulations applicable to Non-resident Companies for Providing Buy Now Pay Later Services in the State of Kuwait. 42 II. Controls for Service Implementation:

1. The maximum grant amount is KWD 500 per customer from all service providers.
2. Period of repayment by the customer should not exceed 4 months, except in cases where prior approval from the Central Bank of Kuwait is obtained.
3. The service provider may not collect any interest, profit or returns from the customer for BNPL Service.
4. There should be a connection established with the Kuwait Credit Information Network Company (Ci-Net) to inquire about the customer’s credit limit and report on the amounts granted to customers during the provision of BNPL Services. In addition, the necessary actions should be taken to ensure that the total grant amounts to customers from all service providers should not exceed the mentioned maximum limit of grant amount.
5. The dispute resolution mechanism should be followed in accordance with the approval issued from the Central Bank of Kuwait for the service provider, when resolving any dispute that may arise between the service provider and a customer. The service provider, against whom a complaint is submitted, must reply in writing to the customer within 15 working days from the submission date. It should be indicated whether the response included a rectification on the subject of complaint, or whether the service provider is satisfied that the proper procedure had been taken regarding the incident. If the customer is not satisfied with the service provider’s response, he/she may submit a grievance to the Central Bank of Kuwait along with a copy of the service provider’s response and the necessary documents to verify the procedures taken by the service provider.
6. Service Level Agreement between the beneficiary of BNPL Services and the service provider shall be adhered to. A provision should be included in the Service Level Agreement for exchange of information, return purchases policy that should include the timeframe for the beneficiary of BNPL Service to inform the service provider of the details of purchases return so that the due amount be refunded to the customer and the necessary action be taken.
7. No charges should be imposed on the customer by the service provider for a delay in payment if the return was made before the installment due date.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. O. Regulations applicable to Non-resident Companies for Providing Buy Now Pay Later Services in the State of Kuwait. 43 III. License:

1. The Central Bank of Kuwait may take the necessary action to verify that the company has fulfilled its requirements.
2. In case all requirements for providing BNPL Services have been fulfilled, the company shall be listed in the designated register with the Central Bank of Kuwait. The Company may not provide BNPL services unless it is registered.
3. The Company may not practice any other activity it is not licensed to, except where prior written approval is obtained from the Central Bank of Kuwait. 29/01/2024

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. P. Circular to all E-Payment Service Providers, E-Money Service Providers and Limited Purpose E-Money Providers emphasizing the Necessity of Adhering to the Provisions of Article (24) on the Instructions regulating the Electronic Payment of Funds issued in May 2023. 44 THE GOVERNOR Sha’ban 05, 1445 H February 15, 2024 The Chief Executive Officer, Circular to all E-Payment Service Providers, E-Money Service Providers and Limited Purpose E-Money Providers Emphasizing the Necessity of Adhering to the Provisions of Article no. (24) on the Instructions regulating Electronic Payment of Funds issued in May 2023 It was observed that some companies applying to No-Objection Certificate for Limited Purpose E-money include an expiration date on the customer (End User) of Limited Purpose E-money, who, accordingly, does not gain any benefit or service in exchange for e-money after the said expiry date, and crediting the money to the account of the merchant/service provider. This contravenes the provisions of Article (24) on the Instructions regulating the Electronic Payment of Funds issued in May 2023, which states: “In addition to the provisions stated out under the above article, E-money Services Providers must: Settle the full or partial value of E-money at any time at the customer's request. Such payment shall be in the same currency of stored funds.” Therefore, CBK emphasizes the necessity of adhering to the provisions of Article (24) and giving the End User the option to refund the E-money to his/her account or maintain the same in the E-wallet, provided that its term shall be extended. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Q. Circular No. (2/BS, IBS, PS/547/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Electronic Payment Links. 45 THE GOVERNOR Thul-Qi’da 25, 1445 H June 02, 2024 The Chairman, Circular No. (2/BS, IBS, PS/547/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Electronic Payment Links Out of the Central Bank of Kuwait’s Keenness to ensure the sound control over electronic payment, and minimize risks arising from electronic payment links (Quick Pay), the following shall be adhered to upon providing such service to individual and corporate customers:

1. Electronic payment links must include the amount to be paid, name of beneficiary, and purpose of payment. In addition, customers’ prior approval must be obtained before moving to the electronic payment gateway.
2. The amount of the electronic payment must be included in the message sent to the customer along with One-time password (OTP) to verify the amount of the transaction. The above must be adhered to as soon as possible and inform the Central Bank of Kuwait of the implementation of these measures. Best Regards, Basel A. Al-Haroon The Governor

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. R. Circular No. (2/BS, IBS /546/2024) to all Kuwaiti Banks regarding “Instant Payment” Project. 46 THE GOVERNOR Thul-Qi’da 29, 1445 H June 06, 2024 The Chairman, Circular No. (2/BS, IBS /546/2024) to all Kuwaiti Banks concerning “Instant Payment” Project Reference is made to the Central Bank of Kuwait’s Circular issued on 11/09/2023 concerning “Instant Payment” Project, all banks participating in the project must complete all the necessary tests related to linking “Instant Payment” service with the Shared Electronic Banking Services Company (KNET), obtain prior approval from the Central Bank of Kuwait (CBK) of the scheduled date for launching the service and provide CBK with the following:

1. A letter of undertaking to comply with the approved rules and instructions document of the service, linking procedures of the project and operations ceiling and limits.
2. The daily settlement limit for the “Instant Payment” service, provided that this limit must be proportionate to the liquidity available in your bank’s account with CBK that covers the daily and weekly operations as well as the operations carried out during official holidays.
3. An authorization to enable CBK to balance your account with it based on the daily report issued by KNET for “Instant Payment” service, without any liability towards CBK. Therefore, your bank must adhere to the CBK’s Circular dated 05/12/2022, conduct awareness campaigns on the mechanism of using the “Instant Payment” service, and prepare your call center staff to respond to customers’ inquiries. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. S. Circular No. (2/PS/557/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators Concerning Company Managers’ Tasks Assigning During Absence. 47 The Executive Officer Rabi’ Al-Thani 13,1446 H October 16, 2024 The General Manager /The Executive Officer, Circular No. (2/PS/557/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding Delegation of Company Managers’ Tasks in their Absence In order to ensure the sound regulation of the workflow at E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators in accordance to the related laws and instructions, and considering the observation that managers in some companies travel on business trips or special vacations abroad without notifying the Central Bank of Kuwait (CBK), CBK draws your attention that it must be notified, and his/her duties and works shall be assigned to deputies or assistants or the like, as approved for their positions in accordance with provisions of Article (36) of the Instructions regulating the Electronic Payment of Funds issued in May 2023, in line with your in-house bylaws. Best Regards, Acting Executive Director, Supervision Sector Dr. Mohammad B. Al-Khamees

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. T. Circular No. (2/PS/558/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the required Documents for Partners and Members of the Board of Directors when Applying for Registration. 48 THE GOVERNOR Rabi’ Al-Akhir 17, 1446 H October 20, 2024 The General Manager, Circular No. (2/PS/558/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators Reference is hereby made to Article (23) of the instructions regulating the Electronic Payment of Funds issued on 14/10/2023, which states: “Registration applications shall be submitted to CBK as per the designated form along with the required documentation and enclosures. CBK may request additional information or data at any time during the application submission stage, and the applicant must provide CBK with the requested information/data within 30 days as of the request date or the period CBK sees reasonable, at its discretion. CBK may reject the application should the applicant not submitted the requested information”, and to Article (27) of the said instructions, which states: “Activity services providers must comply with AML/CFT requirements set forth under the Law No. 106 of 2013 regarding Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) and its Executive Bylaw, the related ministerial resolutions, the requirements under the international standards issued by the Financial Action Task Force (FATF), and any instructions issued by CBK or the related supervisory authorities”. We would like to inform you that when applying for registration in the register of E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators, your company must provide us with the following:

1. Documents indicating the identification of the partner (individual or corporate), and the person(s) exercising effective control over the company in order to identify the actual beneficiary.
2. A certificate issued by the Criminal Enforcement Prosecution Office at the Ministry of Justice for the partners, including members of the Board of Directors, which contains the final judgments against them, if any, taking into account that the certificate issue date must not exceed one month from the date of issuance to the date of application submission to CBK.
3. Documents indicating professional competence and previous experience for all or some of the partners in one of the institutions or companies in the field of banking, finance or technology.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. T. Circular No. (2/PS/558/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the required Documents for Partners and Members of the Board of Directors when Applying for Registration. 49 In addition, we stress the importance that your company must obtain a prior approval from the Central Bank for Kuwait in the event of amendment to the company's ownership structure, and the entry of new partners. Best Regards, The Governor Basel A. Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. U. Circular No. (2/PS/559/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Statement of Development of the required National Labor Ratio by Main Jobs and the Company’s Economic Activity. 50 THE GOVERNOR Rabi’ Al-Thani 17,1446 H October 20, 2024 The Chairman, Circular No. (2/PS/559/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators Within the regulatory and supervisory role of the Central Bank of Kuwait vis a vis the banking and finance sector, by virtue of the Law No. 32 of 1968 Concerning Currency, the Central Bank of Kuwait, and Regulating of Banking, and its amendments, and in light of the CBK's monitoring of the national labor ratios at its regulated entities, you must provide CBK with a statement of development of the required national labor ratio by the main jobs and the economic activity at your company, on a semi-annual basis, as at 30/6 and 31/12 each year, inclusive of all employees’ information, i.e., their number, nationality and job levels (use the attached form). CBK emphasizes on taking the necessary measures towards fulfilling the national labor ratio in accordance with the Kuwait Council of Ministers’ Resolution No.1868 of 2018 regarding the national labor ratio in the private sector, by the main jobs in the economic activity. Best Regards, The Governor Basel Ahmad Al-Haroon

Central Bank of Kuwait Department of Digital Operations and Financial Technologies Supervision Company Name: Statement of Employees at ………………. Company sorted by their number, nationality and job level as at / / Numbers of Kuwaiti Laborer (1) Numbers of Non-Kuwaiti Laborer (2) Total (1) + (2) High levels Middle levels Low levels Total High levels Middle levels Low levels Total High levels Middle levels Low levels Total

1. The statement shall include all employees excluding (drivers, messengers, office boys)
2. The excluded number of jobs as per Item (1) above is ………….
3. “High levels” refer to supervisory Jobs.
4. This statement is prepared on a semiannual basis (as at 30/6 and 31/12) and must be submitted to CBK within 10 working days from the end of the reporting period. CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Instructions regulating the Electronic Payment of Funds. U. Circular No. (2/ PS/559/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Statement of Development of the required National Labor Ratio by Main Jobs and the Company’ s Economic Activity. 51

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. V. Circular No. (2/PS/554/2024) to all E-Payment Service Providers and E-Money Service Providers regarding Opening a Current Account with CBK. 52 THE MANAGER Rabi’ Al-Akhir 26, 1446 H October 29, 2024 The General Manager, Circular No. (2/PS/554/2024) to all E-Payment Service Providers and E￾Money Service Providers regarding Opening a Current Account with CBK We would like to inform you that, in light of the instructions regulating the Electronic Payment of Funds issued in May 2023, your company is required to open a current account with CBK. It is also decided that the minimum balance of the account of any e-payment service provider and e-money service provider is set at KD 5,000. Your company, therefore, is required to maintain the mentioned minimum limit of the current account with CBK by the end of November 2024. Best Regards, Manager of Digital Operations & Financial Technologies Supervision Department Reem Alroomi

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. W. Circular No. (2/BS, IBS, PS/561/2024) to all Local Banks, E-Payment Service Providers, E-Money Service Providers regarding the Pilot Launch Requirements. 53 THE MANAGER Jumada Al-Oula 1, 1446 H November 3, 2024 The Executive Director, Circular No. (2/ BS, IBS, PS/561/2024) to all Local Banks E-Payment Service Providers, E-Money Service Providers regarding the Pilot Launch Requirements Further to the Circular dated 15 May 2023 to all Local Banks, Financing Companies, Exchange Companies and E-Payment Infrastructure Providers (EPIPs) and their Agents regarding the Instructions regulating the Electronic Payment of Funds, and Article (12) thereof that states: “… CBK may request additional information or data at any time during the application submission stage, and the applicant must provide CBK with the requested information/data within 30 days as of the request date or the period CBK sees reasonable, at its discretion. CBK may reject the application should the applicant not submitted the requested information”, Companies that have obtained initial approval for registration in the CBK’s Register of E-Payment Service Providers, E-Money Service Providers, and E￾Payment Service Operators, are required to complete the procedures for the pilot launch of their electronic payment services as per the related initial approval, and based on a detailed plan approved by CBK. Best Regards, Manager of Digital Operations & Financial Technologies Supervision Department Reem Alroomi

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. X. Circular No. (2/PS/564/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Submission of Financial Statements. 54 THE MANAGER Jumada Al-Akhira 25, 1446 H December 26, 2024 The Executive Director, Circular No. (2/PS/561/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Submission of Financial Statements Within CBK’s supervisory role over all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators, your company must provide CBK with copies of its semi-annual financial statements reviewed by the auditor, and the annual financial statements audited by the auditor within a maximum period of forty-five days from the end of reporting period. These financial statements should be prepared following the same principles based on which the closing financial statements are prepared at the end of each year. Best Regards, Manager of Digital Operations & Financial Technologies Supervision Department Reem Alroomi

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 55 THE GOVERNOR Jumada Al-Akhira 25,1446 H December 26, 2024 The Chairman, Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission Reference is made to Article (39) of the Instructions Regulating the Electronic Payment of Funds issued on 14/05/2023, which states: “Activity services providers must submit all necessary data and information to CBK, for the purposes of supervision, oversight and inspection as per the procedure stated by CBK. Activity service providers shall allow access to all books, records, documents and minutes of meeting, and not to take any action that may have a negative impact on CBK’s supervision, oversight and inspection, and to fully cooperate to accomplish the mission. In addition, they must submit periodic reports, data and information required by CBK in accordance with the related instructions”. CBK must be provided with the required reports according to the time period specified for each of them, taking into account that the preparation of these reports must comply with the following:

1. Provide CBK with the required reports approved and certified within ten working days from the end of the reporting period, through the e-payment services system.
2. Use the forms approved by CBK without making any amendment thereto. Best Regards, The Governor Basel Ahmad Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 56 Attachment No. (1)

• Company Name:
• Type of Activity: Report on the Number of E-Payment Service Transactions and its Value from ……. to ……. Period Month Number Transactions** Value in KWD*** First Quarter January February March First Quarter Total Second Quarter April May June Second Quarter Total Third Quarter July August September Third Quarter Total Fourth Quarter October November December Fourth Quarter Total Total  Period: Quarterly Report. ** Number of Transactions: Transactions made during this period (each month). *** Value: Value of transactions made by customers during this period (each month).

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 57 Attachment No. (2)

• Company Name:
• Type of Activity: Report on the Number of Customers and Number and Value of E-Payment Service Transactions According to the Implementing Sectors from ……. to ……. Sector No. of Customers No. of Transactions Value in KWD MCC Code #1 MCC Code #2  Period: Quarterly Report. ** Sector: Payment transaction code according to the updated list of descriptions and codes of e-payment methods on both POS and the e-payment gateway.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 58 Attachment No. (3)

• Company Name:
• Type of Activity: Report on Customer Movement based on the E-Payment Method Used from ……. to ……. POS First Quarter Second Quarter Third Quarter Fourth Quarter Total Debit Cards Number Value Credit Cards Number Value Other Payment Method** Number Value Payment Links First Quarter Second Quarter Third Quarter Fourth Quarter Total Debit Cards Number Value Credit Cards Number Value Other Payment Method** Number Value Payment Gateway First Quarter Second Quarter Third Quarter Fourth Quarter Total Debit Cards Number Value Credit Cards Number Value Other Payment Method** Number Value  Period: Quarterly Report. ** Other Payment Method: Any other payment method (e.g., Apple Pay, Google Pay, Samsung Pay, etc.).

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 59 Attachment No. (4)

• Company Name:
• Type of Activity: Report on E-Payment Service Provider’s Customer Movement on POS Devices from ……. to ……. Period Month Number Devices Total Fees Collected from Device Rental in KWD First Quarter January February March First Quarter Total Second Quarter April May June Second Quarter Total Third Quarter July August September Third Quarter Total Fourth Quarter October November December Fourth Quarter Total Total  Period: Quarterly Report.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Y. Circular No. (2/PS/565/2024) to all E-Payment Service Providers, E-Money Service Providers, and E-Payment Service Operators regarding the Required Reports and the Mechanism for Submission. 60 Attachment No. (5)

• Company Name:
• Type of Activity: Report on E-Money Service Provider’s Customer Movement from ……. to ……. Period Month Value of Stored E-Money** Value of Carried out E-Payment Transactions in KWD First Quarter January February March First Quarter Total Second Quarter April May June Second Quarter Total Third Quarter July August September Third Quarter Total Fourth Quarter October November December Fourth Quarter Total Total  Period: Quarterly Report. ** Value of Stored E-Money: If there is more than one wallet, they must be separated.

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Z. Circular No. (2/BS, IBS/566/2024) to all Local Banks regarding Security Controls on Card Tokenization. 61 THE GOVERNOR Jumada Al-Akhira 25,1446 H December 26, 2024 The Chairman, Circular No. (2/BS, IBS/566/2024) to all Local Banks regarding Security Controls on Card Tokenization Keen to tighten control, and enhance and develop the internal control systems of banks, your bank is required to:

1. Develop a mechanism for monitoring financial transactions executed through card tokenization, by setting effective security requirements on the banks' monitoring systems, such as customer behavior, the geographical location of the transactions to be passed, and the frequency of those transactions.
2. Develop a mechanism that enables the customer to activate the service of adding bank cards to e-wallets such as Apple Pay and Samsung Pay, provided that the service is not activated automatically for all customers, and will not conduct any transactions related to the tokenized cards if the customer does not activate this service in advance, for example: not sending the one-time password (OTP) for adding the bank card to e-wallets.
3. If the customer adds his/her bank card to e-wallet through card tokenization such as Apple Pay and Samsung Pay but not through the bank's application, following must be done in addition to the existing procedures:

• Add an additional security step to activate the bank card through authentication via the bank application, along with the reason for authentication.
• Stop the “add requests” that are not done by the bank’s application from outside the State of Kuwait, unless the customer contacts the bank to confirm adding the card on his part.

4. Add a list on the bank’s application to enable the customer to view his cards identified in any of the e-wallets, such as Apple Pay and Samsung Pay, and specifying the types of devices through which the activation process was carried out such as iPhone, Android Phone and Smart Watch. CBK also emphasizes the necessity of adhering to Article (32) of the Instructions Regulating the Electronic Payment of Funds issued in May 2023, which states: “develop the policies, procedures, systems and controls necessary for detecting

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. Z. Circular No. (2/BS, IBS/566/2024) to all Local Banks regarding Security Controls on Card Tokenization. 62 fraud and the mechanism for dealing with it, and update them according to CBK directives, and inform the competent authorities of fraud related cases and reporting, while notifying CBK on a continuous basis as per the specified term and timeframe”. Therefore, you are required to implement this circular and provide us with the necessary time plan for completion. Best Regards, The Governor Basel Ahmad Al-Haroon

CHAPTER TWO: Supervisory & Regulatory Instructions & Controls for E-Payment Service Providers Circulars for Regulating the Electronic Payment of Funds. AA. Circular No. (2/BS, IBS/567/2024) to all Local Banks regarding Financial Limits on Bank Cards and Payment Transactions. 63 THE GOVERNOR Jumada Al-Akhira 25,1446 H December 26, 2024 The Chairman, Circular No. (2/BS, IBS/567/2024) to all Local Banks regarding Financial Limits on Bank Cards and Payment Transactions Keen to tighten control, enhance and develop the internal control systems of banks, and improve the security requirements related to payment transactions on all bank cards (ATM cards, credit cards, and prepaid cards), your bank is required to develop conservative controls on payment transactions, by adhering to the following: 3. Control financial transactions executed through websites using bank cards, especially those that do not require entering a one-time password (OTP), by setting a conservative daily limit for the total financial transactions and their number during one day. 4. Develop a mechanism, whether through branches or e-banking service channels at your bank, that enables the customer to choose and modify the limits of payment transactions made using bank cards for each payment channel available according to the customer’s classification at your bank, ensuring to notify the customer of any amendments made, and applying for the CBK approval in this regard. CBK also emphasizes the need to adhere to Article (32) of the Instructions Regulating the Electronic Payment of Funds issued in May 2023, which states: “develop the policies, procedures, systems and controls necessary for detecting fraud and the mechanism for dealing with it, and update them according to CBK directives, and inform the competent authorities of fraud related cases and reporting, while notifying CBK on a continuous basis as per the specified term and timeframe”. Therefore, you are required to implement this circular and provide us with the necessary time plan for completion. Best Regards, The Governor Basel Ahmad Al-Haroon