Central Bank of Tunisia Circular No. 2020-11 dated May 18, 2020

1 Central Bank of Tunisia Circular No. 2020-11 dated May 18, 2020 Subject: Conditions for the provision of domestic mobile payment services. The Governor of the Central Bank of Tunisia, Having regard to Organic Law No. 2004-63 of July 27, 2004 on the protection of personal data, Having regard to Organic Law No. 2015-26 of August 7, 2015 on the fight against terrorism and money laundering repression, as amended and supplemented by Organic Law No. 2019-09 of January 23, 2019, Having regard to Law No. 2000-83 of August 9, 2000 on electronic exchanges and commerce, Having regard to Law No. 2004-05 of February 3, 2004 on information security, Having regard to Law No. 2005-51 of June 27, 2005 on electronic fund transfers, Having regard to Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia and in particular its Articles 8, 17, and 42, Having regard to Law No. 2016-48 of July 11, 2016 on banks and financial institutions, Having regard to Central Bank of Tunisia Circular No. 91-22 of December 17, 1991 regulating banking conditions as amended and supplemented by subsequent texts, Having regard to Central Bank of Tunisia Circular No. 2006-01 of March 28, 2006 on the regulation of outsourcing operations,

2 Having regard to Central Bank of Tunisia Circular No. 2011-01 of January 6, 2011 on the conditions for providing mobile telephony payment services, Having regard to Central Bank of Tunisia Circular No. 2017-08 of September 19, 2017 on internal control rules for managing money laundering and terrorism financing risk, as amended by Circular No. 2018-09 of October 18, 2018, Having regard to Central Bank of Tunisia Circular No. 2018-16 of December 31, 2018 on the rules governing the activity and functioning of payment institutions, Having regard to the opinion of the Compliance Control Committee No. 2020-12 of May 14, 2020, Decides:

Article 1 - This circular sets out the rules governing domestic mobile payment, which apply to the institutions designated by this circular and to mobile Switch managers, with the aim of:

• promoting an ecosystem conducive to the development of digital payments and favorable to reducing cash and enhancing financial inclusion;
• establishing a structured and standardized framework for mobile payment services that defines the roles and obligations of the various stakeholders in the mobile payment chain;
• standardizing minimum requirements for different actors in the mobile payment services industry;
• promoting the security and efficiency of mobile payment services and strengthening user confidence in these services.

Article 2 - This circular primarily falls within the scope of the Central Bank of Tunisia's supervisory missions for payment instruments and its mandate to take measures ensuring the stability, soundness, and efficiency of payment systems, as conferred by Law No. 2016-35 of April 25, 2016 mentioned above. It applies to banks, payment institutions, and the National Office of Posts, as well as to mobile Switch managers authorized by the Central Bank of Tunisia to exercise their activity. When the persons referred to in the preceding paragraph subcontract certain operations related to the mobile payment service or make use of third-party services, they must ensure at all times that providers take all necessary measures to comply with the provisions of this circular.

Article 3 - For the purposes of this circular, the following terms are defined:

• Institution: banks, payment institutions, and the National Office of Posts.
• Wallet: a payment instrument made available by the institution to the client, enabling the storage of electronic money and the execution of payment operations via mobile phone, which may include various technologies.
• Default Wallet: the wallet among those available to a client onto which received funds or funds from a transfer or payment for accepting merchants are automatically credited.
• Mobile Payment: any payment operation performed from a mobile phone resulting in a debit or credit movement on a Wallet, either on a card, or on a bank, postal, or payment account. Mobile payment transactions include, in particular:
  • cash deposits (Cash in);
  • cash withdrawals (Cash out);
  • fund transfers;
  • merchant payment operations.
• Merchant Payment: any payment made to settle the purchase of a good or service and similar payments, such as invoice payments, fee payments, and payments to the State and local authorities...
• Mobile Switch: a centralized technical platform that manages the correspondence table, technical routing of transaction flows, compensation between account-holding institutions, and, where applicable, the management of transaction authorizations.
• Correspondence Table: a table maintained by the mobile Switch manager that manages client identification and referencing rules for interoperability, routing of settlement, and transaction compensation.
• Mobile Switch Manager: a legal entity approved by the Central Bank of Tunisia to manage a mobile Switch.
• Provider: a service provider who, under an outsourcing or services contract linking it to the institution or mobile Switch manager, delivers a service contributing to the availability, continuity, and security of mobile payment services.
• Interoperability: The ability of digital payment service users to benefit from certain infrastructures established by institutions and the mobile Switch, and to conduct transactions with users holding accounts at different institutions. Interoperability enables different applications, platforms, or systems to connect and exchange data and flows between them.
• On-Us Flows: transactions carried out between users of mobile payment instruments domiciled within the same institution.
• Off-Us Flows: transactions carried out between users of mobile payment instruments domiciled at two different institutions.
• Strong Authentication: two-factor authentication combining the use of two elements from the following three categories: something you know (password, PIN), something you have (computer, mobile phone), something you are (fingerprint, iris, voice...).
• User/Client: "mobile payment service user": a natural or legal person who uses a mobile payment service as payer, payee, or both.
• Issuer: the institution that makes payment instruments available to its client for initiating mobile payment operations.
• Acquirer: the institution that makes acquisition services for mobile payment transactions available to its client.
• SGMT: large-value transfer system managed by the Central Bank of Tunisia.

Paragraph 1: General Rules and Conditions Article 4 - The issuance and public availability by an institution of any mobile payment instrument must be:

• in compliance with the provisions of this circular and any other regulatory provision concerning it; and
• exercised through affiliation to an authorized mobile Switch (Off Us) capable of ensuring the functions listed in the preceding article. In providing mobile payment services, the institution remains subject to requirements regarding the fight against terrorism financing and money laundering, as well as personal data protection.

Article 5 - Each institution must, one month prior to making any mobile payment instrument available to the public, submit to the Central Bank of Tunisia a file containing in particular:

1. Description of operational procedures and adopted technology, including:
   • the procedure for exercising the service and the operating dynamics of the services;
   • the description, where applicable, of the use of a provider in the service delivery process.
2. Risk management policy related to this service, including:
   • the preservation of customer data and transactions;
   • security against cyber risks;
   • the fight against money laundering and terrorism financing;
   • the business continuity plan.
3. Pricing policy adopted, supported by a cost and market positioning study;
4. Customer complaint handling policy and dispute management;
5. All documents proving satisfaction of and compliance with the requirements set by the Central Bank of Tunisia and the Mobile Switch.

Article 6 - Without prejudice to existing legal provisions, the relationship between the institution and the client using a mobile payment instrument must be formalized by a clear and understandable contract specifying the obligations and rights of each party. Subscription to mobile payment services offered by the institution may be done remotely in accordance with applicable legislation and regulations.

Article 7 - In addition to legal requirements, the contract regarding the provision and use of a mobile payment instrument must stipulate in particular:

• the main services offered via mobile payment, including the provision, free of charge for a fixed period and frequency, to its client of a clear statement on all mobile payment transactions showing the operation identification, value, timestamp, and amount of fees and commissions charged;
• client obligations, particularly regarding the designation of a default transaction account, identification, protection of access codes, compliance with security and confidentiality rules, and disputes;
• issuer obligations, particularly regarding service continuity, security, complaint processing deadlines, and client information obligations, including in case of service outage or unavailability;
• the operational mode of the service in clear and simple terms to promote financial literacy and enrich the customer experience;
• transparent and clear pricing conditions;
• dispute, complaint handling, and chargeback procedures;
• contract termination conditions and procedures.

Article 8 - The mobile Switch manager must establish transparent and fair admission conditions for institutions joining the mobile Switch. It must define and make public the participation, suspension, and exclusion conditions. To this end, the mobile Switch manager must conclude a standard agreement with institutions specifying in particular:

• services provided by the mobile Switch;
• rights and obligations of the manager and institutions, as well as users where applicable. The participation agreement is subject to prior approval by the Central Bank of Tunisia.

Article 9 - The institution must implement a formalized and clear procedure for handling complaints, ensuring:

• the dissemination to the public of complaint submission procedures and contact points;
• the availability to its customers of a telephone line for receiving complaints and requests for explanation. Remote complaints must be formalized via an online form, and their processing results in a confirmation of good receipt evidenced by a coupon.

Article 10 - The institution must treat all clients equitably. The needs of vulnerable groups must receive particular attention.

Article 11 - The institution must periodically evaluate and, where applicable, correct the complaint handling process through monitoring and reporting of complaints, which must be analyzed and cataloged.

Article 12 - The complaint and incident handling procedure referred to in Article 9 must comply with the following minimum rules:

• a complaint issued by a user is handled by the institution holding the mobile payment instrument;
• the complaint must be recorded in a dedicated database and cataloged with an identification reference;
• the client must have a sufficient deadline, not less than the legal deadline, to submit a complaint, particularly to contest an execution error or undue commission deduction;
• the processing of complaints must not exceed a maximum deadline of 7 working days;
• in case of dispute, the mobile Switch platform serves as the reference base for all "Off Us" transactions;
• the client must be promptly informed of any suspicion of fraudulent activity.

Article 13 - The institution is required to reimburse the client within legal deadlines, particularly in the following cases:

• operation performed after a dispute declaration;
• execution of operations not authorized by the client or fraudulently executed by agents, employees, and service providers of the institution;
• fraud due to a security issue.

Paragraph 2: Settlement, Compensation, and Pricing Rules Article 14 - Payment services offered via mobile phone are instant. Transactions become irrevocable once validated by the order giver. The beneficiary and the order giver are instantly notified of the transaction settlement by any means leaving a written trace.

Article 15 - The account-holding institution on which the payment instrument is based must immediately after transaction authorization credit the beneficiary's account, even before the actual receipt of funds from the external balance settlement at the SGMT level. The client's account credit must comply with:

• payment account ceilings, as defined by the provisions of Circular No. 2018-16 of December 31, 2018 governing the activity and functioning of payment institutions;
• specific thresholds set by the institution for its customers.

Article 16 - The mobile Switch manager ensures the accuracy of compensation balances and guarantees their preparation and transmission to the Central Bank of Tunisia, in accordance with the rules and timing defined in the SGMT operating calendar.

Article 17 - The settlement of payment institution flows at the SGMT level must comply with the following rules:

• upward leveling (account credit) of the escrow account no later than D+1 must necessarily comply with the timing defined in the SGMT operating calendar;
• downward leveling (account debit) of the escrow account no later than D+1 must only occur after the settlement at the SGMT level of balances resulting from the compensation of flows by the mobile Switch, card Switch, and tele-compensation system.

Article 18 - The institution must adopt a multi-criteria approach to pricing mobile payment services, adjusted to actual costs incurred, associated risks, and potential economies of scale and business flow, as well as the national financial inclusion and cash reduction strategy.

Article 19 - The following services must be provided free of charge:

• Subscription to the mobile payment service;
• Cash in operations;
• Merchant payments for the paying client;
• Balance consultation and transaction details;
• Termination of the mobile payment service.

Article 20 - Late mobile payment fees are not borne by the client if the delay was caused by a planned service interruption of which the client was not informed.

Article 21 - For any fund transfer and merchant payment operation referred to in Article 3 of this circular, interchange fees must not exceed 0.3% of the transaction value. The merchant payments made with a mobile phone valued at 15 dinars or less are exempt from any commission. Switching services are billed by the mobile Switch at a fixed rate per operation.

Article 22 - Actors in the mobile payment services ecosystem must not oppose interoperability. They are prohibited from participating in price-fixing arrangements, sales or service supply quota agreements, boycott calls, tied sales, and generally any unfair or aggressive practices that hinder the free play of competition, particularly those aimed at excluding a competitor from the market or restricting new competitors' access to markets.

Paragraph 3: Technical and Security Rules Article 23 - The institution must equip itself with an infrastructure meeting the minimum requirements set by the Central Bank of Tunisia and standards that enable:

• connection to the mobile Switch in compliance with technical prerequisites and security requirements established by the Central Bank of Tunisia for this purpose;
• sending and exchanging all payment flows via mobile phone in compliance with the rules provided by this circular;
• management of customer and account data ensuring protection of their data and confidentiality of issued codes;
• continuity of mobile payment services;
• transaction control and flow monitoring to ensure authenticity and verify reliability and regularity;
• production of necessary reporting, particularly to facilitate the supervisory mission of payment systems and instruments carried out by the Central Bank of Tunisia;
• retention of a statement of operations performed for at least ten years from the execution of the operation.

Article 24 - The institution must, prior to the effective launch of any mobile payment solution, conduct trial tests for a fixed period supported by stress tests to ensure the operational predispositions of the technical platform. The Central Bank of Tunisia may, to ensure that systems and applications are securely designed and have undergone rigorous testing, require the use of an external audit, with costs borne by the institution.

Article 25 - The mobile Switch manager must ensure in particular the following functions:

• management and updating of the client reference correspondence table;
• routing of transactions based on the correspondence table;
• recording (tracing) of payment transaction settlement processes;
• balance monitoring and provision of data enabling compensation;
• real-time notification to all institutions of any change in the default wallet;
• settlement of balances resulting from mobile payment transaction compensation at the SGMT level;
• monitoring of the mobile payment platform functioning and connections to other platforms.

Article 26 - Mobile payment services are interoperable. Issuer and acquirer institutions must implement the necessary technical prerequisites, particularly for interfacing with the mobile Switch, to implement transaction interoperability. Admission to the mobile Switch is ensured according to the homologation process defined by the Switch manager and approved by the Central Bank of Tunisia, prior to the operational availability of the mobile payment service.

Article 27 - On-Us dynamics are freely managed by the institution, which has the freedom to choose technological channels and tools. The institution must in all cases ensure that user interfaces have a harmonized charter to offer a fluid and homogeneous user experience.

Article 28 - The mobile Switch manager ensures the proper functioning of the system and takes necessary measures to guarantee availability and business continuity. It must ensure in particular:

• 24/7 permanent availability of switching services;
• instant confirmation to the payer upon payment validation;
• routing of information enabling the institution to ensure immediate fund availability for the operation's beneficiary.

Article 29 - Inter-operated transaction routing is based on the correspondence table, which determines the institution holding the mobile payment instrument of the recognized beneficiary client by their identifier. The structure of the correspondence table is designed to fulfill its assigned objectives, particularly client identification and issuer/acquirer institution identification, and transaction interoperability.

Article 30 - Any institution issuing a mobile payment instrument must, upon creation of this instrument, declare it to the mobile Switch. Each payment instrument has a unique transactional identifier, in accordance with the modalities fixed by the mobile Switch in consultation with institutions or their professional association and after the opinion of the Central Bank of Tunisia. In cases where a client holds multiple wallets, they must define their "Default Wallet". The default wallet is unique at any given time and can be changed at any moment by its holder, according to modalities fixed by the mobile Switch in consultation with institutions or their professional association and after the opinion of the Central Bank of Tunisia. Registration of the Default Wallet in the correspondence table is mandatory upon client enrollment.

Article 31 - The institution and the mobile Switch manager are required to take necessary measures to ensure network and operational system security, and the implementation of a payment network and channels protected against fraud, hacking, and any other form of utilization.