Egypt regulatory update: Financial Regulatory Authority issues decrees regulating the development and use of FinTech within non-banking financial services and activities

On 11 July 2023, the Egyptian Financial Regulatory Authority (the FRA) issued three separate decrees (Decrees No. 139, 140, and 141 (the Decrees)) to enforce Law No. 5 of 2022 (Law) (which law regulates the development and use of Financial Technology (FinTech) within Non-Banking Financial Services and Activities (NBFSA)).

(1) Decree no. 139 of 2023

Decree no. 139 outlines the required facilities pertaining to technological infrastructure and information system, including database servers, application servers, and web servers for adopting and using technology in the NBFSA.

The Decree defines the entities to which its scope applies, and sets out certain applicable requirements including, but not limited to, entry into a service level agreement between the entity conducting the NBFSA and its customers, as well as establishing a dedicated 24/7 customer service centre.

The Decree further establishes guidelines and definitions for the Information Technology Governance Framework (ITG-F), the Information Technology Service Management (ITSM), Cybersecurity Management, and Technology Risk Management (TRM), all of which are infrastructure-related technologies, and are required for the use of FinTech in the NBFSA.

(2) Decree No. 140 of 2023 

Entities to be set up to operate in the NBFSA using FinTech, or already existing entities operating in the NBFSA (but intending to add FinTech to their services), whether in-house or through firms offering FinTech outsourcing services for NBFSA, are all required to have a license in accordance with Decree no. 140.

There are three main processes regulated under Decree no. 140. These processes are: (1) digital identity; (2) digital contracting; and (3) digital register. Below is a summary description of each process.

1. Digital identity 

Digital identity is established through identification, verification, and authentication. The Decree sets out the Digital Identification Process required to enable a person or customer accessing or transacting with the NBFSA entity, and is comprised of three elements: (i) knowledge (including, for example, a username and password); (ii) possession (including, for example, ID, email address, payment account); and (iii) biometrics (including, for example, face print, fingerprint).  The Digital Identification Process in place must correspond with the risk level of any given transaction, as follows: 

• Low-risk (basic) transactions: these require a minimum of two components from the knowledge element, in addition to at least three components from the biometric element, and a minimum of four components from the possession element; and
• Medium-risk (general) transactions: these require the elements specified at the basic level, in addition to the possession of a non-cash payment account; and
• High-risk transactions: these require the elements specified at the general level, in addition to the possession of an authenticated e-signature.

2. Digital contracting

Digital contracting is the next step of the process and requires the service provider to verify the user’s identity in accordance with the Digital Identification Process set out above. 

Following verification, the customer’s acceptance must be established to verify capacity and authority. 

3. Digital register

Once the contract is put in place or concluded, the Decree requires it to be electronically stored, together with the related transactions, using appropriate encryption technology approved by the FRA.  

(3) Decree No. 141 of 2023

Decree no. 141 aims to establish the Outsourcing Registry, for companies engaged in FinTech activities offering outsourcing services (that is, Outsourcing Service Providers). 

Registration with the Outsourcing Registry is mandatory for Outsourcing Service Providers. The registration requirements include:

• Legal structure: entities that wish to register must be in either joint-stock or any other legal form, with a commitment to convert into a joint-stock form within 12 months of their registration in the Outsourcing Registry. The FRA is yet to specify the minimum required capital and relevant experience for these companies. The FRA will review the application within 30 days of submission and decide on registration status based on supporting documents.
• Technological requirements: registered entities are required to acquire adequate technological capabilities to ensure data security, customer privacy, and efficient performance with appropriate remedial measures in case of any issues.
• Insurance coverage: registered entities must obtain an insurance policy covering technological and professional liability. A registration fee of EGP 25,000 for each sector of activity is implemented.

The initial registration in the Outsourcing Registry is valid for one year, subject to renewal upon fulfilling the set requirements. 

If you would like more information, or assistance with the licensing requirements, please contact us.