2007-04-30
The Central Bank of West African States (BCEAO) issued Instruction No. 141-04-07 to establish the accreditation procedure for qualification bodies and the evaluation and qualification process for Electronic Certification Service Providers (ECSPs) within UEMOA payment systems. The regulation mandates that ECSPs obtain prior BCEAO approval, undergo systematic conformity assessments by accredited evaluators, and maintain valid financial guarantees to ensure liability for qualified electronic certificates. It further defines strict operational obligations, including confidentiality, conflict-of-interest management, mutual recognition agreements with foreign bodies, and clear publication requirements for qualified certificates and their validity periods.
BCEAO CENTRAL BANK OF WEST AFRICAN STATES
The Governor
INSTRUCTION NO. 141-04-07 ON THE ACCREDITATION PROCEDURE FOR QUALIFICATION BODIES AND THE EVALUATION AND QUALIFICATION PROCEDURE FOR ELECTRONIC CERTIFICATION SERVICE PROVIDERS IN UEMOA PAYMENT SYSTEMS
The Governor of the Central Bank of West African States,
WHEREAS the Treaty of the West African Economic and Monetary Union (UEMOA) dated January 10, 1994, particularly Article 18;
WHEREAS the Treaty of November 14, 1973 establishing the West African Monetary Union (UMOA), particularly Article 22;
WHEREAS the Statutes of the Central Bank of West African States (BCEAO), annexed to the aforementioned Treaty of November 14, 1973, particularly Articles 27, 34, 38 and 44;
WHEREAS Regulation No. 15/2002/CM/UEMOA of September 19, 2002, on payment systems in the member states of the West African Economic and Monetary Union (UEMOA), particularly Articles 3, 17 to 30, and 247.
HEREBY DECIDES
CHAPTER I: GENERAL PROVISIONS
SECTION I: DEFINITIONS AND OBJECTIVE
Article 1: Definitions
For the purposes of this Instruction, the following terms shall mean:
Accreditation: the formal recognition, by an authoritative body, of a body's competence to carry out conformity assessments;
Approval: the decision by which a competent authority authorizes:
BCEAO: the Central Bank of West African States;
Avenue Abdoulaye FADIGA, P.O. Box 3108 - Dakar - Senegal Tel. (221) 839 05 00 / Fax (221) 823 93 35 www.bceao.int
Approval Center: a competent structure for issuing approvals;
Electronic certificate: an electronic document attesting to the link between electronic signature verification data and a signatory;
Certificate of conformity: the document attesting that a product or service conforms to a set of specified technical prescriptions or standards for providing electronic certification services;
Qualified certificate: a certificate that meets the requirements set forth in Article 27 of Regulation No. 15/2002/CM/UEMOA of September 19, 2002, on payment systems in the member states of the West African Economic and Monetary Union (UEMOA), issued by an ECSP meeting the requirements set forth in Article 28 of the aforementioned Regulation;
Certification: the procedure by which a third party provides written assurance that a product, process, or service conforms to specified requirements;
CONOBAFI: the West African Committee for Banking and Financial Organization and Standardization;
Cryptography: the set of techniques for protecting communication by means of a secret code;
Electronic signature creation device: hardware or software intended to apply electronic signature creation data;
Electronic signature verification device: hardware or software intended to apply electronic signature verification data;
Electronic signature creation data: elements specific to the signatory, such as cryptographic keys, used to create the electronic signature;
Verification data: including, inter alia, public cryptographic codes or keys used to verify the electronic signature;
Member State: the State party to the Treaty of the West African Economic and Monetary Union (UEMOA);
Evaluator: the person entrusted by a competent authority with the systematic examination of the degree of compliance of a product, process, or service against specified requirements;
Conformity assessment: a systematic examination of the degree of compliance of a product, process, or service against specified requirements;
GIM-UEMOA: the West African Monetary Interbank Group;
Electronic Certification Service Provider or ECSP: any natural or legal person who issues certificates or provides other electronic signature services related to banking transactions, hereinafter "the provider";
Electronic signature product: any hardware or software product, or specific element thereof intended to be used by an electronic certification service provider for the provision of electronic signature services or intended to be used for the creation or verification of electronic signatures;
ECSP qualification: the act by which a body, accredited by the BCEAO services responsible for information system security, attests that an ECSP issues qualified certificates meeting specific quality requirements;
Accreditation frameworks: the reference document detailing the technical means that may be implemented to comply with accreditation criteria;
The Regulation: Regulation No. 15/2002/CM/UEMOA of September 19, 2002 on payment systems in the member states of UEMOA;
Signatory: any natural or legal person who holds a creation device and acts, either on its own behalf or on behalf of a public entity or natural/legal person it represents;
Electronic signature: an electronic data attached to or logically associated with other electronic data and serving as an authentication method (cf. UNCITRAL Model Law on Electronic Signatures adopted July 5, 2001). It also results from the use of a process meeting the conditions defined in Article 23 of the Regulation;
Secure electronic signature: an electronic signature that meets the following requirements:
SOAC: the West African Accreditation System established by Regulation No. 01/2005/CM/UEMOA of July 4, 2005 on the harmonization scheme for accreditation, certification, standardization and metrology activities in UEMOA;
UEMOA: the West African Economic and Monetary Union, referred to in this Instruction as "the Union";
UMOA: the West African Monetary Union, established by the Treaty of November 14, 1973.
Article 2: Objective
This Instruction determines the accreditation procedure for qualification bodies and the evaluation and qualification procedure for ECSPs in application of Article 28, paragraph 3 of the Regulation.
The provisions of this Instruction apply in each member State without prejudice to rules relating to cryptography.
SECTION II: APPROVAL OF ECSPS BY THE BCEAO
Article 3: Approval Regime
No person may, without prior approval by the BCEAO, be recognized as a qualified ECSP in the field of payment systems of the member States of UEMOA.
Article 4: Pre-conditions for Approval
An ECSP seeking approval by the BCEAO must, in addition to meeting the conditions set forth in Article 27 of the Regulation, satisfy the following requirements:
enjoy its civil and political rights;
not have undergone any criminal conviction affecting its honorability, in particular no conviction involving the prohibition of managing or administering a company;
not exercise another professional activity incompatible with the ECSP activity.
CHAPTER II: QUALIFICATION OF ECSPS
SECTION I: ACCREDITATION OF ECSP EVALUATORS BY THE BCEAO
Article 5: Accreditation Procedure
The qualification of ECSPs operating in the banking and financial sector is ensured by persons accredited by the BCEAO, in application of Article 28, paragraph 2 of the Regulation.
Article 6: Accreditation Conditions
The accreditation application is submitted to the BCEAO for processing. This application specifies the field in which the applicant intends to exercise its activity.
The applicant must demonstrate:
1. compliance with quality criteria according to current accreditation rules and standards;
2. its ability to apply current evaluation criteria and the corresponding methodology, as well as to ensure the confidentiality required for the assessment;
3. its technical competence to conduct an assessment.
The technical competence mentioned in point 3 above is assessed by the BCEAO, inter alia, on the basis of the means, resources and experience of the evaluation center.
Article 7: Content of the Accreditation Application
The accreditation application must include the following elements:
The applicant's statutes, internal regulations and all other documents governing its operations;
The names and titles of the applicant's executives as well as members of its board of directors or equivalent bodies;
The names and qualifications of the applicant's personnel participating in the assessment procedure;
A description of the applicant's activities, structure and technical means;
Annual financial statements;
A description of the procedures and means to be implemented by the applicant to evaluate ECSPs, taking into account current technical standards or prescriptions.
The applicant must also notify the BCEAO of any potential links it has with ECSPs. In such cases, it must specify the measures it intends to implement to avoid any conflict of interest.
Article 8: Processing of the Accreditation Application
The accreditation or refusal of accreditation is notified by the BCEAO to the applicant within three (3) months from receipt of the application.
For processing the accreditation application, the BCEAO may request any supplementary information or carry out document and on-site verifications.
Upon completion of processing, the BCEAO grants accreditation. When granting accreditation, the BCEAO may impose specific obligations on the beneficiary body.
Accreditation is deemed refused if not granted within three (3) months from receipt of the application by the BCEAO, unless a contrary opinion is given to the applicant.
The accreditation of an ECSP qualification body is valid for a period of three (3) years from its issuance by the BCEAO.
Article 9: Issuance of Accreditation
Accreditation is issued by the BCEAO after opinion from the competent member State administrations responsible for granting approvals to bodies managing cryptographic convention contracts on behalf of others.
Article 10: Mutual Recognition Agreements for Accreditation of Evaluation Bodies
The BCEAO may conclude mutual recognition agreements for accreditation with foreign equivalent bodies.
These agreements may provide that accreditations issued by these foreign co-signatory bodies, under procedures comparable to those provided for in this Instruction, are recognized as having the same value as those given by the BCEAO, subject to reciprocity.
Mutual recognition of accreditation may be limited to a specified assurance level. However, the duration of this accreditation granted by the BCEAO cannot exceed that of the original accreditation issued by the competent authorities of its place of establishment.
Article 11: Publication of the List of Approved Evaluation Bodies
Accreditation is confirmed by publication, at the beneficiary's expense, in a legal notices newspaper of the member State where the beneficiary is located and in any other member State where activities are exercised.
A list of accredited natural or legal persons, prepared by the BCEAO, may also be consulted on an internet website in addition to the publication made under the preceding paragraph.
The list of natural or legal persons approved as ECSP evaluators is kept up to date by the BCEAO, which assigns a registration number to each accredited person.
Article 12: Monitoring of Accreditation
Benefiting persons must inform the BCEAO of any changes to the information communicated during the accreditation application.
The Central Bank takes necessary measures to ensure that bodies continue at all times to meet the criteria under which they were approved.
Article 13: Withdrawal of Accreditation
When an evaluator no longer meets the requirements mentioned in Article 6 or fails to meet specific obligations under Article 8 of this Instruction, accreditation may be withdrawn by the BCEAO. Withdrawal cannot be pronounced until after the representative of the evaluation body has been given the opportunity to present its observations.
The withdrawal of accreditation is published by the BCEAO in a legal notices newspaper of the member State where the beneficiary's headquarters are located and in any other member State where activities are exercised.
SECTION II: EVALUATION AND QUALIFICATION PROCEDURE FOR ECSPS
Article 14: Selection of the Evaluator
An ECSP seeking recognition as qualified chooses one or more evaluators accredited by the BCEAO to carry out an assessment of the services it offers to clients.
For processing the assessment application, the ECSP is required to provide all information deemed necessary by the evaluator.
The assessment is carried out at the expense of the ECSP.
Article 15: Scope of Assessment
The assessment aims to verify that services offered by the ECSP meet the conditions and obligations set forth in Articles 26 and 27 of the Regulation.
The assessment file includes a description of the security system to be assessed, provisions for ensuring its full effectiveness as well as the prospective work program enabling an assessment.
The evaluator verifies, inter alia, that the ECSP meets applicable standards, technical prescriptions and good practice rules in electronic certification.
Upon completion of the assessment procedure, the evaluator draws up a report, which is notified to the ECSP so that it may, if applicable, formulate observations on its content.
Article 16: Assessment Procedure
Upon receipt of the assessment application file, when the evaluator considers that security objectives are insufficient relative to applicable standards, technical prescriptions or good practice rules at the time assessment begins, it has a period of thirty (30) days after receipt of this file to notify the ECSP that it cannot, in the current state of the file, proceed with the envisaged certification.
Article 17: Assessment Work
Prior to the start of work, the ECSP determines with each of its evaluators:
the product or system to be assessed as well as security objectives;
confidentiality protection conditions for information to be processed during the assessment;
the cost and payment terms of the assessment;
the work program and deadlines provided for the assessment.
The ECSP is required to ensure that the evaluator and the BCEAO have access to all information deemed necessary, where applicable after agreement with the manufacturers concerned.
Article 18: Transmission of the Assessment Report
Upon completion of the assessment, the evaluator submits an Assessment Report (AR) to the BCEAO. The AR is confidential. A copy of the Assessment Report is notified to the ECSP.
Article 19: Role of the BCEAO
The BCEAO ensures proper execution of assessment work. It may, at any time, request to attend these works or obtain information on their progress.
Article 20: Termination of Assessment
The ECSP may decide, at any time, after compensating the evaluator for work already performed, to terminate the latter's mission.
Article 21: Issuance of Certificate of Conformity
The certificate of conformity is issued by the BCEAO.
It attests that the product or system sample submitted to assessment meets specified security characteristics. It also attests that the assessment was conducted in accordance with current rules and standards, with required competence and impartiality.
Certified signature creation devices are valid for a limited period of three (3) years. Extending the validity period of a certificate of conformity requires a complete new study of the file according to the latest state of the art.
SECTION III: ECSP QUALIFICATION BY THE BCEAO
Article 22: Validation of Qualification Report
When the assessment results in the issuance of a certificate of conformity, the ECSP and BCEAO validate the assessment reports in liaison with the evaluator. When all expected reports have been validated, the BCEAO prepares a qualification report within one (1) month. This report, which specifies characteristics of proposed security objectives, concludes either with the issuance of a qualification certificate or refusal. It is sent for opinion to competent member State administrations responsible for granting approvals to bodies managing cryptographic convention contracts on behalf of others.
The qualification report may include reservations regarding security objectives. It is published, at the ECSP's expense, in a legal notices newspaper of its headquarters location and in any other member State where activities are exercised.
Article 23: Issuance of Qualification Certificate
Based on the qualification report and any observations from the provider, and after a conforming opinion from competent member State administrations responsible for granting approvals to bodies managing cryptographic convention contracts on behalf of others, the BCEAO pronounces the qualification or non-qualification of the ECSP.
When recognizing an ECSP's qualification, the BCEAO issues a certificate describing the services covered by the qualification as well as the period during which the certificate is valid, which cannot exceed one (1) year.
Article 24: Publication of Qualification Decision
The decision to issue a qualification certificate is published by the BCEAO, in a legal notices newspaper of the ECSP's headquarters State and any other member State where activities are exercised, within thirty (30) days following the pronouncement of the qualification decision.
The costs of the aforementioned publications are borne by the ECSP.
Article 25: Mutual Recognition Agreements for Accreditation
The BCEAO may conclude mutual recognition agreements with foreign competent bodies regarding ECSP accreditation.
These agreements may provide that certificates of conformity issued by foreign co-signatory bodies, under procedures comparable to those provided in this section, are recognized as having the same value as certificates of conformity issued under this Instruction. Mutual recognition of certificates may be limited to a specified assurance level.
SECTION IV: OBLIGATIONS OF QUALIFIED ECSPS
Article 26: Publication Measures
An ECSP whose qualification is recognized may communicate to any person a copy of the certificate issued by the BCEAO.
The ECSP maintains an electronic directory comprising the qualified certificates it issues and their expiration dates.
The ECSP publishes, in a legal notices newspaper of its headquarters location and any other member State where activities are exercised, the certificate describing the services covered as well as its validity period.
Article 27: Termination of ECSP Activities
An ECSP required to cease activities for reasons beyond its control, or in case of bankruptcy, must notify the BCEAO of its intention to terminate activities at least three (3) months in advance.
To this end, it must ensure, in coordination with the BCEAO, the takeover of certificates already issued by another ECSP guaranteeing the same level of quality and security, or failing that, revoke qualified certificates within two (2) months from notification to certificate holders.
Article 28: ECSP Liability and Financial Guarantee
Unless it demonstrates that it has committed no fault, the ECSP is liable for damage caused to persons who have reasonably relied on certificates it presented as qualified when:
The information contained in the qualified certificate, at the date of its issuance, was inaccurate;
The data prescribed for the certificate to be considered qualified were incomplete;
The ECSP failed to carry out the verification:
The ECSP failed to have the revocation of the qualified certificate registered in its electronic directory and kept this information available to third parties via publication in a legal notices newspaper of its establishment location.
Liability Exemption
The ECSP is not liable for damage caused by use of the qualified certificate exceeding limits fixed on its use or transaction value for which it may be used, provided these limits have been clearly brought to the attention of users in the qualified certificate.
The ECSP is not liable for negligence in taking measures to verify the validity, suspension or revocation of the qualified certificate.
Financial Guarantee Obligation
The ECSP must at all times demonstrate sufficient financial guarantee, specifically allocated to paying sums it may owe to persons who have reasonably relied on the qualified certificates it issues, or insurance guaranteeing the financial consequences of its professional civil liability.
When the ECSP does not have the aforementioned guarantee, the qualified certificates it issues must bear this mention.
The lack of the aforementioned mention...