2023-10-26

Instruction No. 14/2023 of 23 October - Payment System: Mandatory Minimum Information Requirements for Fraud Prevention and Strong Customer Authentication

Banco Nacional de Angola issued Instruction No. 14/2023, requiring payment service providers and payment system operators to collect mandatory minimum customer identification and contact data and to apply strong customer authentication (SCA) to electronic payments. For operations through remote channels, at least one dynamic authentication element must be applied whenever the accumulated value of operations exceeds Kz 750,000.00, or 20 days have accumulated, since the customer's last strong authentication with a dynamic element. The Instruction does not apply to chip cards combined with PIN, to magnetic stripe and contactless cards used within the limits set in the Annex, or to electronic money instruments associated with type I and II payment accounts when combined with PIN. Payment service providers must comply within 120 days of publication; non-compliance is punishable under the Angolan Payment System Law and the General Regime for Financial Institutions Law.


Angola

Banco Nacional de Angola


INSTRUCTION NO. 14/2023 of 23 October

SUBJECT: PAYMENT SYSTEM

  • Mandatory Minimum Information Requirements for Fraud Prevention and Strong Customer Authentication of Operations

Whereas it is necessary to ensure that payment service providers participating in the Multicaixa System and Instant Transfer System apply strong customer authentication, as provided for in Articles 96 and 97 of Law No. 40/20 of 16 December (Angolan Payment System Law), regarding authentication and technical standards for authentication and communication;

Whereas it is equally necessary to adopt technologies capable of guaranteeing secure user authentication and preventing fraud risk in electronic payment services, aiming to strengthen the security of using payment instruments and means;

Pursuant to Article 6 of Law No. 40/20 of 16 December (Angolan Payment System Law) and Article 36 of Law No. 14/21 of 19 May (General Regime for Financial Institutions Law), combined with Article 21 of Law No. 24/21 of 18 October (Banco Nacional de Angola Law).

I HEREBY DETERMINE:

  1. Object This Instruction establishes the minimum information requirements regarding customer identification and contact details, within the Multicaixa System and Instant Transfer System, for fraud prevention and strong customer authentication in electronic payment operations.

  2. Scope This Instruction applies to payment service providers and payment system operators, as provided for in Law No. 40/20 of 16 December (Angolan Payment System Law).

  3. Customer Data Collection

     3.1. Without prejudice to Provision No. 01/23 of 20 January on Opening, Movement and Closure of Accounts, in the process of collecting customer data for opening bank accounts, Banking Financial Institutions must mandatorily request the Tax Identification Number (TIN), mobile phone number, and optionally, email address.

     3.2. In the process of collecting customer data for opening payment accounts, Payment Service Providers must request the mobile phone number and, where applicable, the email address.

     3.3. Without prejudice to the preceding paragraph of this Instruction, for level IV payment accounts, Payment Service Providers must request the Tax Identification Number (TIN), in accordance with regulations on Electronic Money Accounts.

  4. Customer Data Reporting Obligation The customer data referred to in the preceding paragraph of this Instruction must be reported to the operator of the Multicaixa System and Instant Transfer System.

  5. Strong Authentication

     5.1. Without prejudice to Article 96 of Law No. 40/20 of 16 December (Angolan Payment System Law), strong customer authentication requirements apply to payments initiated by the payer, regardless of whether the payer is an individual or a legal entity.

     5.2. Payment Service Companies must apply strong authentication procedures whenever the customer:

     5.2.1. Accesses their bank account or electronic money account online;

     5.2.2. Initiates an electronic payment operation; and,

     5.2.3. Performs an action through a remote channel that may involve fraud risk in the payment act.

  6. Authentication Elements

     6.1. In the strong authentication process, Payment Service Providers must include a dynamic authentication element.

     6.2. For the purposes of the preceding paragraph, the inclusion of at least one dynamic element in the customer's strong authentication process must be verified in the following cases:

     6.2.1. Electronic payment operations performed through remote channels up to the maximum account transaction limit established in this Instruction;

     6.2.2. Opening and modification of bank account and electronic money account details without physical presence.

     6.3. Without prejudice to this Instruction, Payment Service Providers may, at any time, apply additional elements to the customer's strong authentication process.

     6.4. For the purposes of this Instruction, a dynamic element is considered a strong authentication factor that dynamically links the payment operation to a specific amount and a specific beneficiary.

  7. Authentication Limits

     7.1. In the authentication process for operations performed through remote channels, at least one dynamic element must be applied whenever:

     7.1.1. The accumulated value of operations exceeds the limit of Kz 750,000.00 (seven hundred and fifty thousand Kwanzas), since the last strong authentication process of the customer with a dynamic element;

     7.1.2. The accumulated number of days is 20 (twenty) days, since the last strong authentication process of the customer with a dynamic element.

     7.2. Whenever the above limits are reached or exceeded, the system must reset its count, repeating the strong authentication process as many times as necessary once the defined limits are reached or exceeded.

  8. Exclusions The provisions of this Instruction do not apply to:

     a) Payment cards with chip when combined with PIN;

     b) Payment cards that use only the magnetic stripe to execute operations, for commercial or social purposes, when observing daily and monthly limits, according to Table 1 of the Annex, which is an integral part of this Instruction;

     c) Contactless chip payment cards, when observing the limits, according to Table 2 of the Annex, which is an integral part of this Instruction;

     d) Electronic money instruments associated with type I and II payment accounts when combined with PIN.

  9. Transitional Provisions

     9.1. Payment service providers must comply with the provisions of this Instruction within 120 (one hundred and twenty) days, counting from the date of publication of this Instruction.

     9.2. The Operators of the Multicaixa and Instant Transfer Systems must publish to payment service providers the format and period for communicating customer information data, within 30 (thirty) days, counting from the date of entry into force of this Instruction.

  10. Sanctions Non-compliance with the provisions established in this Instruction constitutes an offense provided for and punishable under Law No. 40/20 of 16 December (Angolan Payment System Law) and Law No. 14/21 of 19 May (General Regime for Financial Institutions Law).

  11. Doubts and Omissions Doubts and omissions resulting from the interpretation and application of this Instruction are resolved by Banco Nacional de Angola.

  12. Entry into Force This Instruction enters into force on the date of its publication.

PUBLISHED.

Luanda, 23 October 2023.

THE GOVERNOR

MANUEL ANTÓNIO TIAGO DIAS

ANNEX

Payment card usage limits

Table 1 - Usage limits for magnetic stripe payment cards

| Period | Daily Limit | Monthly Limit |
|---|---|---|
| Up to 1 year after publication of this Instruction | Kz 100,000.00 | Kz 1,000,000.00 |
| More than 1 year after publication of this Instruction | Kz 25,000.00 | Kz 100,000.00 |

Table 2 - Usage limits for contactless payment cards

| | Daily Limit |
|---|---|
| Per transaction | Kz 25,000.00 |
| Maximum number of successive operations without PIN | 5 |