Finally, the Fintech Law has entered into force by the issuance of the long-awaited Fintech Executive Decisions

The Financial Regulatory Authority (the “FRA”) has issued on Tuesday 11th of July, three new decisions – decision no. 139, 140 and 141 of 2023 – (the “Decisions”) almost a year after the issuance of Law no. 5 of 2022 Regulating and Developing the Use of Financial Technology in Non-Banking Financial Activities (“Fintech Law”) with the aim of enforcing said law. The newly issued Decisions serve as a new digital era for non-banking financial services. The Decisions are as follows:

1. Decision no. 139 of 2023 regarding the facilities and technological infrastructure, the information systems, and protection and security mechanisms required for the use of Fintech in the non-banking financial sector.

The provisions of the decision set out in the beginning its addressees, which are as follows:

• Companies wishing to obtain a license from the FRA to undertake non-banking financial activities through fintech under the auspices of the Fintech Law.
• Companies and authorities already in procession of a license from the FRA to undertake non-banking financial activities under the auspices of other laws and wish to obtain approval of the FRA to undertake said activities through Fintech or through one of the outsourcing technology service providers under the auspices of the Fintech Law.
• Companies wishing to undertake outsourcing technology service providing activities in the fintech sector that may be used in undertaking non-banking financial activities under the auspices of the Fintech Law.

In addition to determining the addressees, the decision sets out the equipment required to be present with the aforementioned addressees for the technology infrastructure and information system, which include database servers, application servers and web servers.

Furthermore, the decision sets out several obligations and controls that need to be adhered to by the addressees mentioned above, which include:

• The company’s customer database must be within the geographical borders of Egypt.
• Informing the FRA within a timeframe of no more than 30 days from undertaking any measure for moving the headquarters or the data center.
• Providing around the clock customer service center that responds to client queries and undertakes to solve any issues.
• Signing a service level agreement between each company and its customers.

The decision also includes several annexes regarding information technology governance framework, technology risk management framework, and cybersecurity management framework.

2. Decision no. 140 of 2023 regarding digital identity, digital contracts and digital records and the requirements for authentication.

All companies wishing to provide non-banking financial services through fintech are required to adhere to the provisions set out in this decision. The provisions of the decision set out several important definitions; most importantly:

• Digital Identity: Any technically processed data relating to a specific natural or legal person, which can be identified directly or indirectly by linking this data with any other data such as name, sound, photo, or identification number, or through online identifier, provided that said data allows the evaluation and approval of transactions that take place through digital platforms and are related to non-banking financial activities. The decision has furtherly specified three levels of the digital identity authentication.
• Digital Contracts: Any contract that includes the rights and obligations of the contracting parties in a digital form. In addition to the aforementioned, the contract must be registerable in the digital record. The contract may also be a “smart contract” through a program that aims to implement, control or document the provisions of the contract automatically.
• Digital Record: An electronic record that includes transaction data that customers experience through the digital platform, which are carried out in accordance with the provisions of the law, allowing the tracking of said data through a secure network.

The addressees of this decision are similar to the addressees of decision no. 139 of 2023.

The decision further stipulates a set of requirements for the authentication of digital identity including usernames, passwords, identity documents, emails, mobile phone numbers, e-payment accounts, digital signatures, and biometrics. Besides, it stipulates the relevant sectors for companies wishing to engage in fintech activities.

The decision sets out the controls for digital contracts which include the verification of the customer’s identity, the verification of customer satisfaction and the digital storage of the contract. Finally, the decision has obligated its addressees to prepare a biannual report on “work results and error rates”.

3. Decision no. 141 of 2023 regarding outsourcing technology service providers registry

The decision establishes a registry for outsourcing service providers engaging in fintech activities (the “Outsourcing Registry”), where the latters may not provide any outsourcing services without being registered in said registry.

The decision further specifies the conditions and requirements for registration in the Outsourcing Registry, which include most importantly the following:

• Taking the form of a joint stock company or any other form provided that such form is converted to a joint stock company within a maximum period of 12 months upon the date of registration in the Outsourcing Registry.
• To have the needed technology to secure customer’s data and confidential information and to have a suitable remedy measure in case of any deficiency.
• To conclude an insurance policy against technological and professional liability along with settling a fee amounting to EGP 25,000 for each sector.

It is important to highlight that the FRA is yet to set out the required capital and relevant experience in said companies.

The duration of the registration is one year subject to renewal. A grace period of one month has been granted to the registered companies by the FRA from the expiration date of the registration for renewal.

The decision has detailed the registration procedures along with the conditions for continuity of registration as well as the administrative measures in case of any violation.