2017-12-19

Law No. 2017-018 Governing the Integrated Information System of Banky Foiben'i Madagasikara

The Presidency of Madagascar enacted Law No. 2017-018 to establish a comprehensive legal framework for the Integrated Information System (SII), managed by Banky Foiben'i Madagasikara (BFM). The legislation mandates credit institutions, public bodies, and enterprises to supply accurate financial and commercial data, which BFM centralizes into interconnected centers for risk assessment, credit supervision, and public information. It further defines data retention periods, security obligations, professional secrecy, user rights, and specific administrative and criminal sanctions for non-compliance.

Madagascar

Banky Foiben'i Madagasikara

REPUBLIC OF MADAGASCAR

PRESIDENCY OF THE REPUBLIC

Law No. 2017-018 governing the Integrated Information System of Banky Foiben'i Madagasikara

EXPOSITION OF MOTIVES

To achieve strong and inclusive growth for development, the establishment of a developed and resilient financial system is required.

Furthermore, to promote an environment conducive to financial inclusion, the development of financial infrastructure constitutes one of its major conditions.

In this context, the Integrated Information System (SII) managed by Banky Foiben'i Madagasikara (BFM) serves as an instrument that makes the necessary information available to economic actors to achieve the aforementioned objectives.

Moreover, within the framework of its statutory missions, BFM is tasked with conducting all relevant studies and analyses for its information.

To this end, BFM is authorized to establish structures, such as the SII, enabling it to collect from all entities—including enterprises and professional associations, public administration, credit institutions, and other economic agents—the data essential to fulfilling its statutory missions.

However, given the sensitive nature of these data, which may pertain to legal or natural persons, an appropriate legal framework is necessary to ensure respect for the rights of data holders and the purposes of their processing. This framework must also prescribe data security measures while guaranteeing data quality, enabling BFM to achieve its objectives under the best conditions.

This is the purpose of the present law.


PRESIDENCY OF THE REPUBLIC

Law No. 2017-018 governing the Integrated Information System of Banky Foiben'i Madagasikara

The National Assembly and the Senate adopted this law in their respective sessions on November 2, 2017, and November 21, 2017.

THE PRESIDENT OF THE REPUBLIC

  • Having regard to the Constitution;
  • Having regard to Decision No. 21-HCC/D3 of December 12, 2017 by the Constitutional Court;

PROMULGATES THE LAW AS FOLLOWS:

Article 1 – OBJECT

This law aims to establish the general regime and principles for the creation, organization, and operation of the Integrated Information System, abbreviated SII.

The SII comprises a set of mechanisms:

  • for data collection, centralization, processing, and utilization; and
  • for managing resulting monetary, economic, financial, and commercial information.

The administration and management of the SII fall under Banky Foiben'i Madagasikara, abbreviated BFM.

Article 2 – DEFINITIONS

For the purposes of this law, the following terms are defined as:

  • "Economic agents": any natural and/or legal person of public or private law, such as the State, local authorities, credit institutions, financial institutions, and enterprises;

  • "Archiving period": the duration during which data and information are no longer intended for use, beyond which they shall be deleted;

  • "Retention period": the timeframe during which information remains accessible and consultable by any user in accordance with this law;

  • "Data": any representation of facts or concepts in a form suitable for computer processing;

  • "Data providers": all entities obliged to supply the required data according to the prescribed forms, nature, periodicity, structures, and procedures;

  • "Payment incidents": any offense related to the use of payment instruments;

  • "Information": data that have undergone processing;

  • "Aggregated information": grouped, synthetic, or sectoral information that does not identify the concerned natural or legal persons and may be made available to the public on BFM's website or in paper format upon a written request;

  • "Named information": all information enabling the identification of the concerned natural or legal person;

  • "Consultable information": all named or unnamed information made available exclusively to the data providers of this law in exchange for their contribution to feeding the SII;

  • "Register information": all details concerning a company, including identity or corporate name, nature of activity, share capital, address or registered office, directors or managers, auditors, partners or shareholders, as well as any event or transaction affecting the company's life;

  • "Rating system": the procedure by which BFM assigns a rating to an enterprise or other designated entity based on its ability to meet financial obligations for a specified period;

  • "Users": any credit institution or other entity authorized by BFM to access information derived from the SII.

Article 3 – PURPOSES OF THE SII

The SII is an analytical tool for BFM in fulfilling its statutory mission, supports the supervision of credit institutions, and serves as an information source for any authorized entity, subject to this law.

Data collected within the SII are used exclusively for the needs and purposes set forth in the preceding paragraph and may not serve, directly or indirectly, any other purposes.

Article 4 – DATA SOURCES

Throughout the territory of the Republic of Madagascar, and for the purpose of feeding the SII, BFM is authorized to collect all data from the following listed data providers:

  • all credit institutions;
  • all public bodies;
  • all private or public enterprises;
  • all professional associations, private or public; or
  • all economic agents.

Data and information related to specific domains governed by legislative texts may also be utilized as sources of information for the SII.

Article 5 – STRUCTURE OF THE SII

The SII comprises various interconnected Information Centers, including:

  • the Accounts Center, which records all bank accounts and similar accounts of any kind;
  • the Payment Incidents Center, which records payment incidents on checks, bills, and all payment instruments used in Madagascar;
  • the Risk Center, which registers data related to credit extended to legal and natural persons;
  • the Financial Statements Center, which collects financial data from enterprises in Madagascar with the aim of establishing a rating system;
  • the Corporate Register Information Center, which records general information about enterprises.

Information derived from these Centers is intended for authorized users.

Article 6 – COMMUNICATION OF INFORMATION

Data and information intended to feed the SII or derived from it are transmitted according to practical procedures established by BFM instruction or agreement.

Data communication to BFM may be permanent or occasional.

Transmission is carried out in compliance with quality and security requirements as per Articles 7 and 8 of this law.

Communication of information derived from the SII may be subject to pricing by BFM.

Article 7 – DATA QUALITY

Every data provider must ensure the accuracy, consistency, completeness, and sincerity of the communicated data.

It is their responsibility to conduct all necessary prior verifications and, where applicable, prove the reliability of transmitted data.

BFM cannot in any case be held liable for inaccuracies in the data it receives.

It may request clarifications or supplementary information when data are unclear, inconsistent, or do not comply with SII requirements.

Article 8 – SYSTEM SECURITY

BFM takes and prescribes all appropriate measures to protect data, programs, and hardware against any risks that could impair the confidentiality, integrity, and availability of collected data, processed information, and disseminated information within the SII.

Article 9 – NATURE OF INFORMATION

BFM ensures the communication of information derived from the SII, which may be named or aggregated.

Named information contained in the SII is accessible and transmissible only to data providers, according to the principle of reciprocity. This limitation does not apply to named information made public under applicable regulations.

Article 10 – OBLIGATIONS OF DATA PROVIDERS

Data providers must inform the concerned natural or legal person of their rights prior to transmitting their data to the SII, namely:

  • the identity of the data controller;
  • the nature of information transmitted to the SII;
  • the purposes of data processing;
  • the recipients of the data;
  • the right to receive free of charge from data providers a copy of information concerning them;
  • the existence of a right of access and rectification to their data.

This provision does not apply to information made public under applicable regulations.

Article 11 – RIGHTS OF CONCERNED PERSONS

Any person registered in one or more SII centers may request, through data providers, the consultation and rectification of data in case of error or the updating of information concerning them within the SII.

BFM establishes by instruction, vis-à-vis data providers, the implementation procedures for these rights.

Article 12 – PROFESSIONAL SECRECY

All persons involved in data processing and information dissemination, as well as those with access to consultable SII information, are bound by professional secrecy under penalty of applicable criminal sanctions.

Compliance with professional secrecy, to which data providers under this law are bound, is not enforceable against BFM in the context of collecting data intended to feed the SII, as per this law.

The obligation of professional secrecy is not enforceable against the concerned person, data providers, or Authorities acting under applicable law.

Article 13 – RETENTION AND ARCHIVING

The retention period for centralized data and information derived from the SII is five (5) years from the date of the last declared information.

The archiving period is five (5) years from the date of the last retained information.

Article 14 – PROTECTION OF PERSONAL DATA

Data of natural persons collected at the SII level must comply with provisions established by the law on personal data protection.

Article 15 – GRANT OF MANDATE

BFM is solely authorized to permit, by written mandate, the execution by other entities of all or part of the SII mechanisms mentioned in Article 5 of this law.

Confidentiality rules for data and information processing, as well as all security mechanisms, must be respected in accordance with this law.

Article 16 – APPROVAL OF ENTITIES RESPONSIBLE FOR CREDIT DATA SHARING

In fulfilling its statutory missions, BFM is the authorized Authority to approve private entities engaged in credit data sharing.

The implementation procedures for these provisions are established by regulatory means.

Article 17 – SANCTIONS

Without prejudice to criminal sanctions provided by applicable legislation, the following are subject to imprisonment of 2 to 6 months and a fine of 10,000,000 to 40,000,000 Ariary, or either of these two penalties alone:

  • any person who has diverted data and information intended for or derived from the SII from their purpose;
  • any person who has knowingly transmitted inaccurate and incomplete data and information to the SII;
  • any person who has knowingly concealed information intended for the SII;
  • any person who has disclosed confidential information in violation of this law;
  • any unauthorized person who has fraudulently acquired information derived from the SII with the intent to harm the concerned person.

Without prejudice to administrative and/or criminal sanctions provided by applicable legislation, any credit institution violating the provisions of this law is subject to a penalty whose amount is fixed by BFM instruction.

Article 18 – TRANSITIONAL AND FINAL PROVISIONS

Until the establishment of the Malagasy Commission for Informatics and Liberties (CMIL), provided by Law No. 2014-038 of January 9, 2015 on personal data protection, all disputes regarding data processed at the SII level fall under the jurisdiction of civil courts.

Regulatory texts will be issued to implement this law.

This law shall be published in the Official Journal of the Republic of Madagascar.

It shall be executed as a law of the State.

Promulgated in Antananarivo on December 19, 2017

RAJAONARIMAMPIANINA Hery Martial

FOR CONFORMING EXTRACT

Antananarivo, January 2, 2018

THE GENERAL SECRETARY OF THE GOVERNMENT

FARATIANA Tsihoara Eugène