2023-01-01
Added · Updated
The General Authority for Financial Supervision (GAFS) issued Decision No. 139 of 2023 to mandate specific technology infrastructure, information systems, and security standards for entities conducting non-banking financial activities using fintech. The regulation requires licensed companies to maintain local data centers, implement robust cybersecurity measures such as firewalls and encryption, and adhere to strict IT governance frameworks including ITIL and ISO 27001. Compliance with these technical and operational requirements is a prerequisite for obtaining or maintaining licenses to operate in the non-banking financial sector under Law No. 5 of 2022.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Decisions General Authority for Financial Supervision Decision of the Board of Directors No. 139 of 2023 Dated 2023/6/21 Regarding the Facilities and Technology Infrastructure, Information Systems, and Protection and Security Means Necessary for Using Financial Technology to Conduct Non-Banking Financial Activities
The Board of Directors of the General Authority for Financial Supervision Having reviewed Law No. 5 of 2022 on the Regulation and Development of the Use of Financial Technology in Non-Banking Financial Activities; Having reviewed Law No. 151 of 2020 on the Protection of Personal Data; Having reviewed the Decision of the Board of Directors of the General Authority for Financial Supervision No. 58 of 2022 regarding the Conditions and Procedures Required for Establishment, Licensing, and Approval for Companies and Entities Wishing to Conduct Non-Banking Financial Activities through Financial Technology Techniques; And having the approval of the Board of Directors dated 2023/6/21;
Decided:
( Article One ) The attached Rules regarding the Facilities and Technology Infrastructure, Information Systems, and Protection and Security Means necessary for using Financial Technology to conduct Non-Banking Financial Activities shall be applied.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
( Article Two ) Companies and entities wishing to obtain a license or approval to conduct Non-Banking Financial Activities using Financial Technology must fulfill the requirements set forth in the attached Rules and their appendices, as well as the necessary documents specified by the Authority.
( Article Three ) This Decision shall be published in the Egyptian Gazette and shall be enforced from the day following its publication date.
Chairman of the Board of Directors General Authority for Financial Supervision Dr. Mohamed Fared Saleh
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
First - Definitions In applying the provisions of the following Rules, the following terms are intended to have the meanings indicated alongside each:
Facilities Infrastructure: The infrastructure of facilities and equipment necessary for information centers (primary and backup), which includes equipment necessary for access to public utilities such as electricity, communications, water, and sewage, as well as internal systems for electricity, ventilation, cooling, network cables, fire detection and suppression, physical security, access control, and monitoring through closed-circuit television.
Technology Infrastructure: The infrastructure of hardware and systems necessary for information centers (primary and backup), which includes network and data transfer devices, computers, storage devices, dedicated peripheral devices, and database infrastructure systems.
Information Systems: Systems composed of applications and databases developed to perform specific tasks supporting targeted operations and workflows, and contributing to coordination among internal or external users. They may include "Artificial Intelligence" applications to provide higher degrees of automation, accuracy, and speed in task performance.
Protection & Security Mechanisms: The mechanisms and methodologies used to provide the following:
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Technology Risk: Any Threats or Vulnerabilities arising from reliance on the Technology Infrastructure and Information Systems in performing business activities, which, if they occur, would negatively affect the ability to continue performing those activities.
Technology Resiliency: The ability of the Technology Infrastructure and Information Systems to withstand and recover targeted capabilities and functions after the occurrence of a technology risk.
Cyber Risk: Any Threats or Vulnerabilities arising from the connection of the internal Technology Infrastructure to external networks or the global communication network (the Internet).
Cyber Resiliency: The ability of the Technology Infrastructure and Information Systems to withstand and recover targeted capabilities and functions after the occurrence of a cyber risk.
Data Security (Cybersecurity) in conducting Non-Banking Financial Activities (NBFS-Cybersecurity): Technical and organizational procedures intended to maintain the privacy, confidentiality, integrity, unity, and coherence of data.
Digital Platform Used in Conducting Non-Banking Financial Activities (NBFS-Digital Platform): A business model based on using technological means to conduct Non-Banking Financial Activities and display related products and services to persons wishing to obtain them, allowing the exchange of necessary data and information to complete these transactions.
Outsourcing Technology Service Provider: An entity that provides technological services through an Outsourcing Agreement, where the Outsourcing Party is the beneficiary of the service and the Outsourcee is the service provider.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
NB-Critical-System: A system or application whose failure weakens the ability of companies and entities working in Non-Banking Financial Activities to fulfill their obligations to counterparties or to the General Authority for Financial Supervision.
Client Data: Data related to a client, their accounts, accounts associated with Non-Banking Financial Products, or transactions associated with those Non-Banking Financial Products.
Personally Identifiable Information: Any client data that can be used to distinguish or trace the identity of an individual.
Executive Management of the Company: Includes organizational units responsible for planning processes at the executive level (Planning Processes - Executive Level), and internal supervision and control over applied procedures at the operational level (Internal Auditing on Applied Procedures - Operational Level) for the functions and services of Non-Banking Financial Activities or possible Information Technology functions and services.
Operational Management of the Company: Includes organizational units responsible for applied procedures at the operational level (Applied Procedures - Operational Level) for the functions and services of Non-Banking Financial Activities or possible Information Technology functions and services.
Strategy Processes: Includes processes achieving a targeted strategy through a specific intended life cycle. Each process has a set of inputs and a set of outputs, where the outputs of each process are inputs for another process (or processes). The group has cyclical characteristics and iterations, and the "Purpose & Value-add" of the Strategy Processes life cycle evolves with each iteration of the cycle. "Strategy Processes" represent the strategic level of the intended framework.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Planning Processes: Includes a set of processes achieving targeted plans, implementing a specific strategy. Each process has a set of inputs and a set of outputs, where the outputs of each process are inputs for another process (or processes). The set of Planning Processes achieves the "Purpose and Value-add" of the specific strategy. "Planning Processes" represent the executive level of the intended framework.
Applied Procedures: A set of procedures applied to specific planning processes. Each procedure has "trigger events" and has a "resulting state," which may trigger another procedure or procedures. The set of Applied Procedures achieves the "Purpose and Value-add" of the specific Planning Processes. Applied Procedures represent the "operational level" of the intended framework.
Targeted Entities:
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Second - Facilities, Technology Infrastructure, Information Systems, and Protection and Security:
Companies and targeted entities bound by the provisions of this Decision must provide the facilities specified by the Authority and necessary for automatic linkage with it.
Companies and targeted entities bound by the provisions of this Decision must provide the following basic server devices as a minimum for Technology Infrastructure and Information Systems requirements:
Companies and targeted entities bound by the provisions of this Decision must adhere to the following minimum Information Security controls:
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
* Providing all computers connected to the company network (desktops, laptops, servers) with updated and licensed antivirus and malware protection software, such as Antivirus and Endpoint Detection & Response systems.
* Periodic updates of operating systems, applications, and various software.
* Security Isolation between different service systems according to their security level.
* Conducting approved Penetration Tests to measure the security of networks, applications, and software at least once a year, and submitting a copy of these tests to the Authority. The Authority may request re-testing if weaknesses are found that necessitate it.
* Notifying the Authority of Security Incidents occurring at the level of the basic information infrastructure and the systems operating on it.
* Securing the website with a valid electronic security certificate dedicated to identification and data encryption (SSL Certificate), so that it appears to customers when browsing the website.
* Issuing a Unique Session ID, added with a Time Stamp, for each connection upon opening the connection after verifying access.
* Logging Activities occurring on all devices and systems, such as System Logs, Security Logs, and Application Logs, and any dependent auxiliary devices (computers, network devices, information security devices) for a period of no less than five years from the date the activity occurred.
* Retaining complete transaction logs on accounts, including all login and logout operations and others, for a period of no less than five years.
4. Companies and targeted entities bound by the provisions of this Decision must adhere to the following controls: * The company's client database must be located within the geographical boundaries of the Arab Republic of Egypt. * Notifying the Authority if any procedures are taken to relocate its headquarters or data center, within a period not exceeding 30 days from the date of starting to take procedures. * Providing a customer service center operating 24 hours a day to respond to customer inquiries and resolve issues immediately upon occurrence. * Signing a Service Level Agreement between the company and its customers.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Appendix (1): Information Technology Governance Framework (ITG-F: Information Technology Governance Framework)
The following terms are intended to have the meanings indicated alongside each:
Information Technology Governance Framework: It is a fundamental and complementary element of corporate governance, and its corollary, IT Service Management (ITSM). The framework consists of Strategy Processes at the strategic level, Planning Processes at the executive level, and Applied Procedures at the operational level. This presentation of the "IT Governance Framework" adopts the Service-Oriented Approach to provide IT services (ITSM) for Facilities, Technology Infrastructure, Information Systems, and Protection and Security Means. Best practices and other global frameworks may be used, or an alternative framework may be adopted after presentation and approval by the Authority.
The Company's Board of Directors must establish and adopt an "IT Strategy" through the "Information Technology Governance Framework," which must be approved by the Board of Directors and govern the Executive Management and Operational Management. The Board of Directors must also review it periodically, at least once every three years. The Board of Directors must form a committee called the "IT Governance Committee" subordinate to the Board of Directors, responsible for supervising the implementation of the IT Service Management Framework, ensuring the suitability of the workflow and those responsible for its implementation, and ensuring compliance with required procedures.
The IT framework includes five basic Strategy Processes for the Life Cycle (LP), involving 40 Planning Processes at the executive level, in addition to 12 Supporting Strategy Processes for the Life Cycle (SP), involving 62 Planning Processes at the executive level, totaling 17 Strategy Processes and 102 Planning Processes.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Strategy Processes: These are processes aimed at converting IT service provider resources into services of value to customers. These services must be provided at agreed levels of quality, cost, and risk, and are divided into:
First - Basic Strategy Processes for the Life Cycle, including:
Second - Supporting Strategy Processes for the Life Cycle, including:
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Customer Relationship Management: This process is responsible for maintaining a positive relationship with customers, identifying potential new customers, and ensuring obtaining regular feedback from current customers through customer meetings and surveys, and signing customer service agreements with the service provider's customers.
Managing Configuration Information: Refers to maintaining information about the configuration items required to provide services, including the relationships between them.
Evaluating and Coordinating Changes: Refers to controlling the life cycle of all changes, with the main purpose of enabling useful changes with minimal service disruption.
Project Management: Refers to planning and coordinating resources to complete a project on time and within the targeted cost.
Security Assurance: Refers to ensuring the security of the service provider's service portfolio, aligning the service provider's security needs with its customers' needs, and ensuring the protection of systems and data from intrusion, and that they are accessed only by authorized parties.
Disaster Event Preparedness: Refers to ensuring that the service provider can provide the minimum agreed service levels in the event of events considered disasters. This is primarily achieved by implementing mechanisms to prevent disasters, and by putting in place continuity plans and arrangements to restore services once a disaster occurs.
Compliance Assurance: Refers to ensuring that services, processes, and systems comply with relevant legal requirements, standards, and organizational policies.
Human Resource Management: Refers to providing the skills and staff levels required by the service provider to achieve its objectives.
Supplier Management: Refers to ensuring that all agreements with suppliers support business needs, and that all suppliers fulfill their contractual obligations.
Service Financial Management: Refers to managing the budget, accounting, and fee requirements of the service provider.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
Planning Processes, including:
First - Basic Planning Processes for the Life Cycle, including:
Defining Strategic Direction:
Designing New or Modified Services:
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
3. **Building New or Modified Services**:
* **Coordinating Development and Procurement Processes**: Refers to initiating and coordinating activities to develop or procure infrastructure components and other capabilities required for a new or changing service.
* **Developing Applications and Systems**: Refers to developing or configuring application and system components that provide the required functions for services. This process includes developing custom applications and systems, in addition to customizing and configuring purchased product components.
* **Accepting Service Component Delivery**: Refers to receiving service components and presenting them for initial evaluation. This process ensures that only components meeting strict quality standards are allowed to enter the main service testing phase.
* **Creating or Updating Operational Documentation**: Refers to providing guidelines for operating the new service.
* **Testing Service Components**: Refers to testing all service components as well as all tools and mechanisms required for deployment. This process ensures that service components are deployed in the live production environment only in a strict quality standards environment.
* **Deploying Service Components in the Production Environment**: Refers to deploying service components in the live production environment.
* **Preparing for Service Activation**: Refers to evaluating whether all infrastructure components and other capabilities are present before allowing new services to be activated.
4. **Operating Services**:
* **Supporting the Service Operation Process**: Refers to providing support for the service process, by ensuring the availability of required resources to operate services, and by configuring and maintaining operational support systems, etc.
* **Organizing the Service Process**: Refers to providing guidelines for the procedures to be executed by the operations team.
* **Monitoring Services**: Refers to ensuring continuous monitoring of service infrastructure and service usage, and to determine appropriate responses if any violations are detected.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
* **Issuing Service Quality Reports**: Refers to measuring the achieved service quality on a regular basis and identifying areas where service quality should be improved.
* **Performing Routine Operational Tasks**: Refers to executing the routine operational tasks required to provide the agreed service quality on a sustainable basis.
* **Resolving Incidents and Service Requests**: Refers to resolving incidents and service requests is to return the service to users as quickly as possible.
* **Supporting Incident and Service Request Resolution**: Refers to providing support for resolving incidents and service requests, for example, by configuring systems to manage incidents and service requests, and by maintaining a set of service request and incident templates.
* **Logging Incidents and Service Requests**: Refers to recording all details related to incidents and service requests, verifying that all required licenses are granted, and prioritizing incidents or requests.
* **Fulfilling Service Requests**: Usually either requests for information or requests to perform minor (standard) changes, such as resetting a password.
* **Proactively Informing Users and Customers**: Refers to informing users of actual or impending service failures as soon as they become known to support Level 1, so that users and customers are in a position to adapt to disruptions. This process is also responsible for distributing other important information, such as current security alerts.
* **Resolving Major Incidents**: Refers to resolving a major incident that causes serious disruptions to business activities and must be resolved promptly, with the goal of rapid service recovery, possibly through an alternative solution.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
* **Resolving Incidents in Level 1 Support**: Refers to resolving an incident (service outage) within the agreed timeframe, aiming for rapid service recovery, possibly through applying an alternative solution. Once it becomes clear that Level 1 support is unable to resolve the incident itself or when the targeted times for Level 1 resolution are exceeded, the incident is escalated to Level 2 support.
* **Resolving Incidents in Level 2**: Refers to resolving an incident (service outage) within the agreed timeframe, aiming for rapid service recovery, either through an alternative solution, and if necessary, specialized support groups may participate in this regard.
* **Monitoring Incidents and Service Requests**: Refers to continuous monitoring of the status of pending incident processing and service requests, so that escalation and countermeasures can be taken if agreed resolution times are likely to be violated.
* **Closing Incidents and Service Requests**: Refers to submitting service request and incident records to final quality control before official closure. The aim is to ensure that the incident or service request resolution history is described in sufficient detail. Results derived from incident resolution must be recorded for future use.
* **Problem Solving**: Refers to managing the life cycle of all problems, where the problem is the underlying cause of one or more (potential) incidents. This process aims to prevent service incidents and reduce the impact of incidents that cannot be prevented.
* **Proactively Identifying Problems**: Refers to improving the overall availability of services by proactively identifying problems. This process aims to identify and resolve problems or provide suitable alternative solutions before further service incidents occur.
* **Classifying and Prioritizing Problems**: Refers to recording problems and prioritizing them with appropriate care, in order to facilitate rapid and effective resolution.
Egyptian Gazette - No. 150 Supplementary (A) on July 11, 2023
* **Analyzing and Solving Problems**: Refers to determining the underlying causes of problems and determining the most suitable solution for problems, and providing a temporary solution if a complete solution is not available.
* **Monitoring Pending Problems**: Refers to continuous monitoring of pending problems regarding their processing status, and taking corrective actions as required.
* **Closing Problems**: Refers to ensuring that the problem solution was successful and that all related information is updated.
5. **Improving Services**:
* **Performing Service Reviews**: Refers to identifying service improvement opportunities. This includes evaluating whether the quality of the provided service aligns with contractual commitments, as well as detecting weaknesses in the service delivery method.
* **Identifying Service Improvements**: Refers to defining the objectives of service improvement initiatives and their implementation approaches. This includes preparing feasibility studies for initiatives.
* **Initiating Service Improvement Initiatives**: Refers to launching service improvement initiatives, including obtaining authorization through budget requests and submitting change requests.
* **Implementing Service Improvements**: Refers to implementing, testing, and deploying service improvements, including updating related service definitions and agreements.
* **Monitoring Improvement Initiatives**