2024-09-01

Added · Updated

Circular No. 002 of 2024 on Payment Aggregation Institutions

The Banque de la République du Burundi issued Circular No. 002/SP/2024 to regulate the authorization, operation, and supervision of Payment Aggregation Institutions (PAIs). The regulation mandates a minimum capital of 200 million Burundian Francs, strict governance and data protection standards, and comprehensive anti-money laundering compliance for all applicants. It further establishes detailed requirements for licensing documentation, incident reporting, client fund segregation, dispute resolution, and ongoing regulatory reporting.

Banque de la Republique du Burundi logo

Burundi

Banque de la Republique du Burundi

Click to view thumbnail

BANQUE DE LA REPUBLIQUE

DU BURUNDI

LE GOUVERNEUR

CIRCULAR NO. 002/SP/2024 ON PAYMENT AGGREGATION INSTITUTIONS, ISSUED PURSUANT REGULATION NO. 002/2024 AMENDING REGULATION NO. 001/2017 RELATING TO PAYMENT SERVICES AND THE ACTIVITIES OF PAYMENT INSTITUTIONS.

Having regard to Law No. 1/34 of December 2, 2008, establishing the Statutes of the Banque de la République du Burundi; Having regard to Law No. 1/17 of August 22, 2017, governing banking activities; Having regard to Law No. 1/07 of May 11, 2018, establishing the national payment system; Having regard to Regulation No. /2024 amending Regulation No. 001/2017 relating to payment services and the activities of payment institutions.

The Banque de la République du Burundi, hereinafter referred to as the "Central Bank", enacts: this circular.

The Banque de la République du Burundi, hereinafter referred to as the "Central Bank", enacts:

Article 1: Definition

For the purposes of this circular, a "Payment Initiation Service Provider", hereinafter referred to as a "payment aggregation institution", is a provider of payment initiation, aggregation, or facilitation services. It is a company that offers a service allowing a natural or legal person to order payments (e.g., transfers) from an account held with another institution (bank, payment institution, etc.) other than the one where their account is opened.

Article 2: Object and Scope

This circular governs the conditions and procedures for applying for and obtaining authorization, as well as the operating rules for payment aggregation institutions authorized by the Central Bank.

Article 3: Conditions for Obtaining Authorization

No one may carry out the activities of a payment aggregation institution without prior authorization from the Central Bank.

The main conditions subject to which authorization is granted are as follows:

1. Minimum Share Capital Every payment aggregation institution must have a minimum share capital, fully paid up at the time of authorization, amounting to two hundred million Burundian Francs (200,000,000 BIF).

2. Governance and Internal Control Authorization can only be obtained if the payment aggregation institution has adequate governance and internal control for its activity. In this regard, the institution must have put in place effective internal management mechanisms to monitor and control its financial operations, as well as to assess and manage risks related to its activities.

3. Qualifications of Management The managers of a payment aggregation institution must demonstrate appropriate qualifications in financial management, competence, and experience in the payment services sector. This requirement aims to ensure that the persons heading these establishments possess the necessary skills to manage a complex and sensitive financial activity.

4. Protection of Sensitive Payment Data. Every payment aggregation institution must implement an appropriate system to guarantee the security of its clients' personal data. This includes protection against data breaches, fraud prevention, and compliance with data confidentiality regulations.

5. Compliance with Anti-Money Laundering and Counter-Financing of Terrorism Rules. Every payment aggregation institution must comply with current regulations regarding the fight against money laundering and the financing of terrorism. In this regard, it must establish mechanisms for detecting and reporting suspicious activities, as well as for verifying the identity of clients, ordering parties, and beneficiaries of funds, in accordance with identification procedures. Every payment aggregation institution must not only meet these conditions at the time of obtaining authorization but also throughout its activity. This means it must continuously respect capital requirements, organizational, control, and security standards, as well as anti-money laundering and data protection regulations. In the event of continuous non-compliance with these conditions, the Central Bank has the power to withdraw the authorization of the payment aggregation institution, which results in the cessation of its activities.

Article 4: Required Documents In order to protect consumers against fraud, in addition to the documents in Annex 2 of this circular, the information required to constitute the application file for authorization as a payment aggregation institution is as follows:

  1. An activity program indicating, in particular, the type of payment services envisaged;
  2. A business plan containing, among other things, a budgetary forecast for the first three (3) financial years, demonstrating that the applicant is able to implement the appropriate, necessary, and proportionate systems, resources, and procedures for its proper functioning;
  3. Proof that the payment aggregation institution has the required minimum initial share capital;
  4. A description of the measures taken to protect the funds of payment service users;
  5. A description of the governance structure and internal control mechanisms, including the applicant's administrative, risk management, and accounting procedures, demonstrating that this governance structure, these control mechanisms, and these procedures are proportionate, adapted, sound, and adequate;
  6. A description of the procedure in place to ensure the monitoring, processing, and follow-up of security incidents and client complaints related to security, including an incident reporting mechanism that takes into account the notification obligations incumbent on the payment institution under Article 8 below;
  7. A description of the process in place to record, monitor, and restrict access to sensitive payment data and keep a record of such access;
  8. A description of business continuity provisions, including a clear designation of essential activities, appropriate emergency plans, and a procedure providing for submitting these plans to tests and periodically reviewing their adequacy and efficiency;
  9. A description of the principles and definitions applied for the collection of statistical data related to performance, operations, and fraud;
  10. A document relating to the security policy, including a detailed risk analysis regarding the proposed payment services and a description of control and mitigation measures taken to adequately protect payment service users against identified security risks, including fraud and the illicit use of sensitive or personal data;
  11. A description of the internal control mechanisms put in place to comply with anti-money laundering and counter-financing of terrorism obligations;
  12. The identity of persons holding, directly or indirectly, a participation in the capital of the applicant, the size of their participation, and proof of their status, given the need to ensure sound and prudent management of the payment institution;
  13. The identity of the managers and persons responsible for the management of the payment institution and, where applicable, the persons responsible for the management of the payment institution's payment services activities, and proof that they enjoy good repute and possess the required skills and experience for the provision of payment services;
  14. Where applicable, the identity of the statutory auditors and audit firms;
  15. The legal status and Articles of Association of the company in formation;
  16. The physical address of the applicant.

Article 5: Notification of Decision

Within three (3) months following the receipt of the complete application file for authorization, the Central Bank informs the applicant of the acceptance or refusal of the authorization. The Central Bank provides reasons for any refusal of authorization.

Article 6: Maintenance of Authorization

When any change among the conditions that led to the granting of authorization affects the accuracy of the information and supporting documents provided in accordance with Article 4 of this circular, the payment aggregation institution must inform the Central Bank without delay.

Article 7: Withdrawal of Authorization

The Central Bank may withdraw the authorization granted to a payment aggregation institution if said institution:

  1. does not use the authorization within twelve (12) months, expressly renounces it, or has ceased to exercise its activity for a period exceeding six (6) months;
  2. obtained the authorization through false declarations or by any other irregular means;
  3. no longer meets the conditions for granting the authorization or fails to inform the competent authority of major changes regarding this;
  4. would represent a threat to the stability of the payment system or confidence in it by continuing its payment services activity;
  5. falls under any of the other cases of withdrawal of authorization provided for by Regulation No. /2024 amending Regulation No. 001/2017 relating to payment services and the activities of payment institutions.

The Central Bank is required to provide reasons for any withdrawal of authorization and to inform the interested party. The Central Bank makes the withdrawal of authorization public, notably on its website and in the Official Bulletin of Burundi.

Article 8: Notification of Incidents

In the event of a major operational or security incident, the payment aggregation institution must inform the Central Bank without delay. When the incident has or is likely to have repercussions on the financial interests of users of its payment services, the payment aggregation institution must promptly inform them of the incident and all available measures it has taken to mitigate the harmful effects of the incident.

Upon receipt of the notification referred to in paragraph 1, the Central Bank shall immediately communicate the important details of the incident to the National Financial Intelligence Unit, and, after assessing the relevance of the incident to other concerned authorities, inform them accordingly. Based on this notification from paragraph 2, the Central Bank and competent authorities shall take, where necessary, all measures required to protect the immediate security of the financial system.

Article 9: Requirements for the Protection of Client Funds

Every payment aggregation institution must protect all funds that have been received from users of its payment services:

  1. These funds are never mixed with the funds of natural or legal persons other than the payment service users for whose benefit the funds are held and, when at the end of the business day following the day they were received, they are still held by the payment aggregation institution and have not yet been handed over to the beneficiary or transferred to another payment service provider, they are deposited in a separate account with a credit institution, the National Post Office, or a first or third-category microfinance institution.
  2. These funds are shielded from the claims of other creditors of the payment aggregation institution, notably in the event of insolvency.

Article 10: Dispute Resolution

Every payment aggregation institution must put in place and apply appropriate and effective procedures for the resolution of complaints from payment service users regarding rights and obligations. Every payment aggregation institution must respond, on paper or, if the payment service provider and the payment service user have agreed otherwise, on another durable medium, to complaints from payment service users. This response addresses all points raised in the complaint and is transmitted within an appropriate timeframe and no later than fifteen (15) business days following the receipt of the complaint. In exceptional situations, if a response cannot be given within fifteen business days for reasons beyond the control of the payment service provider, the latter sends an interim response clearly justifying the additional time needed to respond to the complaint and specifying the final date by which the payment service user will receive a definitive response. In any case, the timeframe to receive a definitive response does not exceed thirty-five (35) additional business days.

Article 11: Information to Clients

Every payment aggregation institution is required to communicate to its clients, the flat fees per transaction or based on transaction volume, before entering into a business relationship with them. Furthermore, every payment aggregation institution must communicate to the client the type of assistance service it offers to clients, its availability, and the channels by which it can be reached (e-mail, telephone, etc.). It must also precisely inform the client of the registration process to be followed.

Article 12: Reporting Obligation

Every payment aggregation institution must communicate to the Central Bank, within a maximum period of fifteen (15) calendar days, starting from the end of the concerned month, data related to its activity for the previous month, in accordance with the template appearing in Annex 1 to this circular.

Article 13: Sanctions

The Central Bank determines the regime of sanctions applicable in case of infringement of the provisions of this circular and takes all necessary measures to ensure its application.

Article 15: Transitional Provisions

Payment aggregation institutions authorized before the entry into force of this Circular are required to comply with the provisions of said Circular within a period of six (6) months from its entry into force.

Article 16: Entry into Force

This Circular enters into force on the day of its publication in the Official Bulletin of Burundi and on the website of the Central Bank.

Done in Bujumbura, on July 30, 2024

Edouard Normand BIGENDAKO Governor


ANNEXE 1: MONTHLY REPORT ON THE ACTIVITIES OF PAYMENT AGGREGATION INSTITUTIONS

NAME OF THE INSTITUTION: .................................................... ADDRESS OF THE INSTITUTION: .................................................... Address for transmission of the report: RapportSFN@brb.bi

a. Monitoring of payment operations

Outgoing Payments

Op NumDate of OperationOperation ReferenceSender's Name and First NameValid ID or Passport No.Phone NumberNationalityAmount TransferredCurrency UsedRate UsedDestination Country and CityBeneficiary NameOperation StatusReason for Non-SettlementFees Paid by Sender

Incoming Payments

| Op Num | Date of Operation | Operation Reference | Beneficiary's Name and First Name | Valid ID or Passport No. | Phone Number | Nationality | Amount Received | Currency Used | Rate Used | Purpose of Transfer | Origin Country and City | Sender Name | Operation Status | Reason for Non-Settlement | Fees Charged | | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | | | | | | | | | | | | | | | | |

b. Monitoring of suspicious transactions identified in the system

5.1. Suspicious Incoming Payments

No.DescriptionCountry of OriginBeneficiaryJanuaryFebruary
VolumeValue

5.2. Suspicious Outgoing Payments

No.DescriptionDestination CountryOrdering PartyJanuaryFebruary
VolumeValue

ANNEXE 2: DOCUMENTS TO BE PROVIDED FOR AN APPLICATION FOR AUTHORIZATION OF A PAYMENT AGGREGATION INSTITUTION

A. APPLICATION FORM FOR AUTHORIZATION

1.NAME OF APPLICANT (as it appears on the registration register)
2.CATEGORY OF LICENSE REQUESTED
3.APPLICANT CONTACTS
Physical Address:Plot No.
Building Name
Floor Level
Avenue
City
P.O. Box
Landline Phone
Fax
Mobile Phone
E-mail Address

B. IDENTITY OF SHAREHOLDERS

No.NAMEADDRESSNATIONALITYOCCUPATIONNUMBER OF SHARES HELD IN SHAREHOLDINGTELEPHONE & EMAIL
1.
2.
3.

C. 5. IDENTITY OF ADMINISTRATORS AND MANAGERS

No.NAMENATIONALITYPOSITION HELDEDUCATION LEVELTELEPHONE & E-MAIL
1.
2.
3.

D. OTHER INFORMATION:

1.Indicate if any of the partners / managers / shareholders have shares in another company authorized by the Central Bank
2.Is there a previous application that was rejected or cancelled by the Central Bank? (If yes, provide details)
3.Others (to be specified).

E. DECLARATION OF SHAREHOLDERS:

We, the undersigned, hereby declare: a) that the information mentioned in this document is true and conforms to reality; b) that we are not declared bankrupt and have never been found guilty of fraud or dishonesty in Burundi and/or elsewhere.

No.Name and SurnameSignature
1.
2.
3.