2023-01-01

Added · Updated

Council of Management Decision No. 140 of 2023 on Digital Identity, Digital Contracts, and Digital Registers for Non-Banking Financial Activities

The Egyptian Financial Regulatory Authority issued Decision No. 140 of 2023 to establish comprehensive regulatory frameworks for digital identity, digital contracts, and digital registers in non-banking financial activities. The decision mandates specific multi-factor authentication protocols, including biometric and possession-based factors, to ensure high levels of trust and security for digital transactions. It further requires entities to maintain immutable digital logs and submit semi-annual compliance reports detailing audit results and error rates to the Authority.

Financial Regulatory Authority Egypt logo

Egypt

Financial Regulatory Authority Egypt

Click to view thumbnail

Financial Regulatory Authority Council of Management Decision No. 140 of 2023 Dated 21/6/2023 Regarding Digital Identity, Digital Contracts, Digital Register, and Areas of Use of Financial Technology to Address Non-Banking Financial Activities and Compliance Requirements

Council of Management of the Financial Regulatory Authority

Having reviewed: The Civil Law issued by Law No. 131 of 1948; The Law of Evidence in Commercial and Civil Matters issued by Law No. 25 of 1968; The Law on Joint Stock Companies, Consolidation of Names, Limited Liability Companies, and Single-Person Companies issued by Law No. 159 of 1981; Law No. 15 of 2004 regarding the regulation of electronic signatures and the establishment of the Information Technology Industry Development Authority; Law No. 10 of 2009 regarding the regulation of supervision on non-banking financial markets and instruments; The Personal Data Protection Law issued by Law No. 151 of 2020; The Law on the Central Bank and the Banking System issued by Law No. 194 of 2020; The Law on the Regulation and Development of the Use of Financial Technology in Non-Banking Financial Activities issued by Law No. 5 of 2022; Council of Management Decision No. 58 of 2022 regarding the conditions and procedures required for establishment, licensing, and approval for companies and entities wishing to conduct non-banking financial activities through financial technology techniques; Council of Management Decision No. 139 of 2023 regarding the technological infrastructure, information systems, and necessary protection and security measures required for the use of financial technology to address non-banking financial activities; And with the approval of the Council of Management in its session held on 21/6/2023;

Decided:

(Article 1) The attached rules regarding Digital Identity, Digital Contracts, Digital Register, and areas of use of financial technology to address non-banking financial activities, and compliance requirements, shall be applied.

(Article 2) Entities and companies wishing to obtain a license or approval to conduct non-banking financial activities using financial technology are required to fulfill the requirements set forth in the attached rules and any subsequent amendments, as well as the necessary documents specified by the Authority.

(Article 3) This Decision shall be published in the Egyptian Gazette and shall be effective from the day following its publication.

Chairman of the Council of Management Financial Regulatory Authority Dr. Mohamed Fared Saleh

First - Definitions In the application of the provisions of the following rules, the following terms are intended to have the meaning indicated alongside each:

Digital Platform: A business model based on the use of technological means in conducting non-banking financial activities, and in offering related products and services to persons wishing to obtain them, allowing for the exchange of necessary data and information to complete these transactions.

Digital Identity: Any processed data relating to a specific natural or legal person who can be identified directly or indirectly by linking this data with any other data such as name, voice, image, identification number, or identity identifier via the World Wide Web (Internet), provided that this data is permitted to present and authenticate transactions conducted through digital platforms related to non-banking financial activities.

Digital Contract: Any contract that includes the rights and obligations of the contracting parties digitally, and can be recorded in a digital register. The digital contract may also be a "smart contract" through a program aimed at automatically executing, controlling, or documenting the provisions of the contract.

Digital Transaction: Any digital transaction conducted between a user with a specific digital identity and a service provider through their digital platform.

Digital Register: An electronic register containing data related to transactions conducted by users through the digital platform in accordance with the provisions of the law, allowing for the tracking of this data through a secure network.

Electronic Writing: All letters, numbers, symbols, or any other signs recorded on an electronic, digital, or voice support, or any other similar medium, providing a perceptible indication.

Electronic Document: A data message containing information created, combined, stored, sent, or received, entirely or partially, by electronic, digital, voice, or any other similar means.

Electronic Signature: What is placed on an electronic document and takes the form of letters, numbers, symbols, signals, or others, having a binding nature that allows identifying the signatory and distinguishing them from others.

Electronic Customer Identification Processes: Processes for identifying basic information and customer requirements and needs to analyze and determine the suitability of non-banking financial products and services offered, with the purpose of creating a digital customer account that allows viewing and requesting non-banking financial products and services through digital platforms.

Electronic Customer Contracting Processes: Contracting processes with the customer for a non-banking financial product with the purpose of creating a digital account for the non-banking financial product linked to the customer's digital account, including recording digital contract data in digital registers for storage through digital platforms.

Addressed Entities:

  1. Companies wishing to obtain a license to conduct non-banking financial activities through financial technology techniques under the umbrella of Law No. 5 of 2022.
  2. Companies and entities licensed by the Authority to conduct any of the non-banking financial activities under other laws, and wishing to obtain the Authority's approval to conduct these activities using some areas of financial technology themselves, or through one of the incubation entities under the umbrella of Law No. 5 of 2022.
  3. Companies wishing to provide incubation services in areas of financial technology that can be used in conducting non-banking financial activities under the umbrella of Law No. 5 of 2022.

Second - Digital Identity Controls

  1. Digital identity is controlled through three sub-processes: Identification, Verification, and Authentication.
  2. Digital identity is created or renewed by fulfilling the identification, verification, and authentication processes of the physical identity. To enable the user to access the digital platform, the identification, verification, and authentication processes of the digital identity must be fulfilled.
  3. Sub-processes must rely on more than one set of qualitative factors for identification, verification, and authentication.
  4. Qualitative sets are divided into three groups: (a) Knowledge Factor Group: Includes several elements such as username, password, and answers to personal questions. (b) Possession Factor Group: Includes several elements such as identity proof document, email box, mobile phone number, device number used, or SIM card number linked to the mobile phone number, non-cash payment account, and certified electronic signature. (c) Inherence and Liveness Factor Group: Includes several elements such as biometric characteristics of face print, voice print, fingerprint, hand geometry, eye print, reaction liveness, geographic location identifiers, and transaction time identifiers. (d) In applying the provisions of the previous two paragraphs, the service provider must fulfill the requirements set forth in Annex No. (1). (e) In identification, verification, and authentication processes for creating a digital identity or upon renewal, the following must be done: (a) Use at least four elements from the possession factor group, including an identity proof document, email box, mobile phone number, and device number used, in addition to three elements from the inherence and liveness factor group, including biometric characteristics of face print, reaction liveness, geographic location identifiers, and transaction time identifiers. (b) Determine cyberspace location and transaction time. (c) Create or update three elements from the knowledge factor group, which are username, password, and answers to personal questions. (d) Law No. 5 of 2022 regarding the regulation and development of the use of financial technology in non-banking financial activities.
  5. In identification, verification, and authentication processes subsequent to the creation or renewal of the digital identity, the following must be done: (a) Use two elements from the knowledge factor group, namely username and password, in addition to at least one element from the possession factor group from among device number used, mobile phone number, or email box, in addition to at least one element from the inherence and liveness factor group from among one of the biometric characteristics, or reaction liveness, or geographic location identifiers. (b) Determine cyberspace location and transaction time. (c) Review changes to any of the elements through the electronic register, and take appropriate measures, including ensuring that changes to data are in accordance with the provisions of Law No. 5 of 2022 regarding the regulation and development of the use of financial technology in non-banking financial activities.
  6. Digital identity has three levels of trust: (a) Basic Trust Level: Including at least two elements from the knowledge factor group, in addition to three elements from the possession factor group, in addition to four elements from the inherence and liveness factor group. This level is required for low-risk operations. (b) General Trust Level: Including at least the factors required in the basic trust level, in addition to possession of a non-cash payment account. This level is required for medium-risk operations. (c) High Trust Level: Including at least the factors required in the general trust level, in addition to possession of a certified electronic signature. This level is required for high-risk operations. The service provider determines the type of operation in terms of risk as determined by the Authority in this regard.

Third - Digital Contract Controls

  1. The service provider is obliged to verify the identity of the user, reject it if necessary, and is obliged to save the contract electronically, according to the following requirements: (a) Verification of User Identity: User identity is verified by applying the digital identity controls required for access to the digital platform, as stated in the second section of these rules. (b) Verification of User Consent: The service provider must, to the necessary extent, verify the user's consent, which requires the availability of capacity and will elements, and the provisions of offer and acceptance, especially proving that the user has reviewed all contract terms, without prejudice to the special nature of digital contracts. (c) Electronic Storage of Contract: After concluding the contract, it must be saved with all stages preceding its conclusion and its signatures in the digital register using an encryption technology approved by the Authority.
  2. In digital contracts related to executing transactions of low or medium risk degree determined by the company as determined by the Authority, appropriate encryption technology is used with including the data of the electronic payment account whose possession has been verified. The digital contract in this case includes the counterparty's consent to use the account to complete transactions related to agreed cash flows through payment service providers and facilitators approved by the Central Bank.
  3. In digital contracts related to executing high-risk transactions determined by the company as determined by the Authority, electronic signature technology coupled with public and private key cryptography (known as public key cryptography technology) is used from one of the providers of electronic signature certification services coupled with public and private key cryptography. The Information Technology Industry Development Authority determines this, and the Authority determines the value of electronic transactions that do not require electronic signature coupled with public and private key cryptography.

Fourth - Digital Register

  1. Each digital platform has a digital register, which can be segmented into sub-digital registers, each dedicated to one type of operation and transaction related to a service of the digital platform. For example: (a) "Digital Register" for "Digital Identity" operations, including digital creation, modification, update, and cancellation transactions. (b) "Digital Register" for "Customer Identification" operations, including creation, modification, update, and cancellation transactions of a digital customer account. (c) "Digital Register" for "Electronic Contracting" operations, including creation, modification, update, and cancellation transactions of a digital non-banking financial product account. (d) "Digital Register" for "Transactions Related to Non-Banking Financial Products" operations, including creation, modification, update, and cancellation transactions on a digital non-banking financial product account, linked to its nature.
  2. The "Digital Register" is capable of storing and retrieving the following: (a) Data and transaction details and recording events related to various operations, stating their parties, timing, content, and result as the state of the original digital changed. (b) Digital documents related as input, attachment, or output for the transaction.
  3. Appropriate encryption technology approved by the Authority is used to ensure the confidentiality and integrity of the contents of the digital register, and mechanisms are used to ensure that the content is not modified after saving and storing.
  4. Storage means with appropriate storage capacity are provided to retain digital records and documents and archive them for at least five years after their expiration, and the original digital subject to registration, after notifying the responsible and beneficiary entities, unless there is a judicial or arbitration lawsuit notified to the service provider, in which case it is retained until the dispute is resolved. Records and documents may be saved and archived after this period in storage means outside the live operational environment, or disposed of after obtaining prior approval from the Authority.
  5. A suitable database and file management system is used, ensuring the provision of maximum reliability degrees, and ensuring the application of business continuity and disaster recovery mechanisms.
  6. Mechanisms for verification, search, summarization, and issuing reports on the content of records are ensured without compromising security and protection requirements, with mechanisms for recording verification and search operations stating their timing without compromising original event timings.
  7. The widely used user logging model "Syslog" specified by the "Internet Engineering Task Force" (RFC 5424), (IETF) is adhered to. An alternative logging model may be used after obtaining approval from the Authority.
  8. In all cases, the digital register must include characteristics that enable side analysis of events through a systematic chain of methods and procedures for evidence collection, from technological infrastructure components including network devices, computer devices, storage means, data management systems, and virtual and professional communications, operating systems, data management systems, databases, and access control systems, and from information system components including applications and databases. Records related to different components must be accessible to various technical handling authorities of the register, which include, for example, the system administrator, forensic investigator, and developer.
  9. In the case of relying on general or private computing business models that provide diverse services on the same shared technological environment for more than one client, approval from the Authority must be obtained, and complete separation between the virtual environment of each client must be ensured.
  10. The digital register must include proof and documentation of the sequence in possession of outputs from the register using encryption technologies or any other technology approved by the Authority: (a) Data privacy. (b) Non-modification by deletion, addition, or change (by the digital platform administrator, digital platform user, forensic investigator, or any external party). (c) What prevents denial of the register content by the digital platform administrator. (d) What prevents denial of the register content by the digital platform user.
  11. Electronic logging, electronic signature, and enforcement of smart contract terms secured through "Blockchain" technology are considered permitted business models in conducting non-banking financial activities based on digital identity, digital contracts, and digital registers. The contract in this case is a program that produces the contractual state which changes upon the occurrence of pre-agreed events, and may operate through "Blockchain" technology.
  12. Digital register technologies may be applied to centralized or distributed technologies according to the requirements set forth in Annex No. (2).
  13. The aforementioned data holds the probative value of official documents from the date of saving in the digital register.

Fifth - Areas of Use of Financial Technology to Address Non-Banking Financial Activities

  1. The Authority determines the basic areas necessary for the use of financial technology in conducting non-banking financial activities, which addressed entities must comply with under this Decision, including: (a) Area of electronic identification, verification, and authentication processes. (b) Area of electronic customer identification processes. (c) Area of electronic contracting processes for non-banking financial products. (d) Area of electronic registration, storage, and retrieval from digital registers.
  2. The Authority determines other areas in which financial technology may be used in conducting non-banking financial activities.

Sixth - Compliance Requirements A semi-annual report regarding "audit results and error rates" must be prepared, taking into account the nature and volume of the activity conducted by the service provider. This report must be submitted to the Authority, certified by the service provider's board of directors, within four weeks from the end of the period for which the report is submitted, for all non-banking financial technology operations and areas that can be used in conducting non-banking financial activities, according to the model provided in Annex No. (3).

Annex No. (1): Requirements for Identification, Verification, and Authentication Processes

  1. When determining biometric characteristics, the following must be done: (a) Rely on face characteristics identified by electronic devices via image or video. (b) Ensure that the image or video is captured directly, and that the captured characteristics are compared with previous ones (if any).
  2. When determining liveness, it must be ensured that the user's liveness is automatically activated and not mechanical through responding to random requests.
  3. When determining the identity proof document, the following must be done: (a) Capture a live image of the document. (b) Convert the captured data into digital data through optical character recognition technology. (c) Capture the personal photo to compare it with the image captured in the biometric characteristics determination stage. (d) Verify that the document is valid by reviewing its characteristics through linking with competent administrative authorities or through the "Unified Digital Identity Application Programming Interface for Non-Banking Financial Services at the Authority," or by other methods for non-residents determined by the service provider after approval from the Authority. The national ID number is fundamental for Egyptians, and other identity proof documents may be added.
  4. When determining email, a message must be sent and the reply confirmed within a specific timeframe suitable for the purpose of proving possession. The primary email is the minimum, and another secondary email may be added.
  5. When determining mobile phone number, the following must be done: (a) Send a short message and confirm the reply within a specific timeframe. (b) Verify that the mobile phone number is issued by one of the licensed telecommunications service providers from the National Telecom Regulatory Authority, and linked to the same national ID number identified in the identity document determination stage (if available), through linking with the National Telecom Regulatory Authority or through the "Unified Digital Identity System Application Programming Interface for Non-Banking Financial Services at the Authority," or by other methods for non-residents determined by the service provider after approval from the Authority. The primary mobile phone number is the minimum, and another secondary mobile phone number may be added.
  6. When determining the international mobile device identity, the validity of the number must be verified. The primary device is the minimum, and other secondary devices may be added.
  7. When determining geographic location, the mobile device must be verified through postal addresses with comparison, or selected mailing addresses.
  8. When determining cyberspace location, the mobile device must be verified through postal addresses with comparison identified in the identity creation stage, or selected mailing addresses.
  9. When determining transaction time, the mobile device must be verified through time compared with a time-logged source.
  10. When determining a non-cash payment account from one of the banks or electronic payment providers/facilitators subject to Central Bank supervision, possession of the electronic payment account must be ensured by transferring a small amount and confirming its successful completion. It must also be ensured that the same mobile phone number identified is used.
  11. When determining a certified electronic signature, the following must be done: (a) Use the electronic signature obtained with the public cryptographic key, electronic time stamp, and electronic certification certificate to determine the electronic signature creation data. (b) Verify that the electronic signature is issued by one of the electronic signature certification service providers authorized by the Information Technology Industry Development Authority, and linked to the same national ID number identified in the identity document determination stage.

Annex No. (2): Digital Register Technologies

  1. The digital register may be applied based on "Distributed Ledger Technology" or "Blockchain" technology in managing records of non-banking financial service providers, including customer identification records. This is done after obtaining approval from the Authority, with designating a "General Coordinator" for each "Distributed Register," who is responsible for involving technical handling authorities of the register in the organization to determine each of their needs and work decisively to resolve them, which may be implemented through "Blockchain" technology as a type of distributed registers.
  2. "Distributed Ledger Technology" requires a peer-to-peer network of computing and storage units and consensus algorithms so that copies of the "Ledger" are reliably replicated across distributed network units.
  3. The "Distributed Ledger Technology" system is a digital database used to store data or information on distributed computing and storage units spread across a peer network. Each participating unit in the "Distributed Ledger Technology" system has equal authority to obtain consensus approval from all participating units. When these units approve and changes are made, each unit in the decentralized network automatically receives the updates made to the database.
  4. The Blockchain system is a "database" for decentralized, replicated digital transactions, where transaction records are "hashed" by peer network members. "Blockchain" technology is characterized by its data structure taking the form of blocks which are chronologically chained and mathematically secured using a code derived from previous digital transaction information.
  5. The Blockchain system may be public, private, permissioned, or permissionless, and may be associated with tokenized or non-tokenized shared assets.

Annex No. (3): Compliance Requirements Model for Operations

Total PeriodMonth 6....Month 1
1- Total number of operations
2- Total number of acceptance cases
3- Total number of reviewed cases
4- Number of correct acceptance cases
5- Number of correct rejection cases
6- Number of incorrect acceptance cases
7- Number of incorrect rejection cases
8- Incorrect acceptance rate = (5+6) / 6
9- Incorrect rejection rate = (4+7) / 7