The Central Bank of Egypt

Regulations Governing Provision of Payment Orders through Mobile Phones

First: Definitions
Second: Supervisory Regulations
Third: Managing System Accounts
Fourth: System Security Requirements
Fifth: System User Protection
Appendix: Service Provider

First: Definitions

1- In these Regulations, a payment through mobile shall mean a debit order (on the mobile account of the user) sent by a system user via their mobile phone to their bank, which is registered in Egypt and licensed by the CBE to operate a mobile payment system.
2- System shall mean an electronic mobile payment system developed and operated according to these Regulations by a bank licensed by the CBE to operate a mobile payment system.
3- E-Money units shall mean electronic units of monetary value equivalent to 1 each. These shall be issued by a bank operating in the Arab Republic of Egypt under the supervision of the Central Bank of Egypt, and shall represent a claim on the issuing bank, provided that it obtains against issuance a cash sum of money of the same value as the electronic money units issued, and shall have the following characteristics:
• Stored on an electronic device or medium;
• Accepted as a means of payment by persons other than the issuer;
• Exchangeable against the Egyptian pound value it represents; and
• Issued according to these Regulations by a bank licensed by the CBE to operate a mobile payment system.
4- The role of the issuing bank in mobile payments shall be to take in cash deposits in exchange for electronic money; ensure that electronic money transactions comply with the AML/CFT controls established by the CBE, particularly measures for proper identification of system users ("customers" and "service providers", as defined in 6 and 7 below); develop a framework for managing the risks that may arise from the provision of this service; and operate the computer systems used to execute and settle transactions on user and service provider accounts. The bank may outsource the operation of computer systems to a payment system operator approved by the CBE.
5- The role of the licensed mobile network operator shall be to provide the communications infrastructure and solutions needed to enable sending payment instructions and confirmations of transactions via mobile phones. This role may be undertaken by the bank.
6- The system user is the customer of the bank engaged in providing the mobile payment service.
7- The service provider is any entity contracted by the bank to provide the services described in the Appendix, provided that it deposits with the bank a cash sum of money and obtains in return electronic money units that can be transferred to system users as detailed in the Appendix.
8- The mobile phone account is any account opened with a licensed bank by a system user or service provider under their name to make deposits, transfers and withdrawals.

Second: Supervisory Regulations

1- Only banks operating under the supervision of the CBE may, subject to the CBE's approval, issue electronic money units.
2- The issuing bank shall develop and operate a system to effectively and continuously manage electronic money records, which include data on the electronic money issued, information on system users and service providers, account details, and total balances; monitor electronic money payment instructions; and provide audit trails of payment processes. If the system fails to produce correct audit trails, this shall be considered a breach.
3- Electronic money units shall be exchanged for an equivalent cash amount (in Egyptian pounds), with no interest being payable to system users/service providers and no incentives used to promote the use of this service or other relevant services provided by the bank or mobile phone operator, including offering extra electronic money units or applying fees to cash withdrawals other than the fees payable for services provided under the service agreement between the bank and the system user/service provider.
4- No of any kind may be offered to system users or service providers against electronic money units.
5- Electronic money units shall be issued to a system user or service provider only against an equivalent cash amount (in Egyptian pounds) deposited by that system user or service provider. The Central Bank of Egypt shall monitor compliance by the licensed bank with this rule to ensure that the electronic money units issued do not exceed the cash deposits held.
6- Electronic money units issued may not exceed the lesser of 5% of the paid-in capital of the issuing bank or EGP 50M. The CBE Governor may modify this threshold on a case-by-case basis.
7- Management of the mobile payment system shall be the responsibility of the issuing bank and under its supervision and control.
8- The issuing bank's board of directors shall approve the operation of the mobile payment service, shall require an assessment of system risks including mitigation strategies, and shall issue a decision either to accept or reject the assessment, including the acceptable risk level.
9- The "issuer of electronic money units" shall comply with the following minimum requirements to ensure effective operation of the system:
• The system should be operated according to defined procedures and under strict controls.
• System management should conform to industry best practices and common standards.
• Computer systems should be tested prior to use to ensure effectiveness.
• The bank should have in place policies and procedures to protect system security, including ensuring the integrity of data, proper identification of system users and service providers, verifying authorization to access the system, and data protection.
10- The bank should have backup systems and business continuity plans for use during system failure.
11- The Central Bank of Egypt shall ensure the bank's compliance with operating controls and license terms; shall have the right to audit system operation, including reviewing system staff performance, procedures and documents and inspecting locations where the system is used; and may to this end take any measures deemed appropriate. Hindering the CBE audit in any manner shall constitute a breach of these Regulations by the bank.
12- Where the bank violates any of its obligations or covenants under the license agreement or other conditions and regulations established by the CBE, the CBE has the right to revoke the bank's license. In this case the bank shall duly fulfil its obligations vis-à-vis system users and service providers, including promptly exchanging electronic money for national currency according to the terms and conditions of the agreement between the bank and the system user/service provider.
13- Any changes to the system, including adding new services or modifying existing ones, shall be licensed by the CBE. The bank must inform the CBE when revising service fees or changing the terms and conditions of the agreement between the bank and the system user/service provider.
14- The bank shall send periodical reports to the CBE including the volume of e-money issued, the number of accounts (whether holding balances or not), the number of service providers, the number and volume of daily transactions, and such other data as may be required by the CBE; it shall instantly report to the CBE any actual or attempted attacks on system security, and to the AML Unit any suspicious transactions.

Third: Managing System Accounts

1- The bank shall, for each system user/service provider, open and manage a non-interest-bearing account (mobile account) holding an amount of electronic money units equivalent to the national currency deposited therewith by the system user/service provider (demand deposits).
2- Transfers shall be made only within the Arab Republic of Egypt and in local currency (Egyptian pound). Currency exchange, swap operations and clearing operations shall be subject to the approval of the CBE, which shall incorporate conditions to ensure control over these transfers.
3- E-Money units may be transferred only between mobile accounts, or between a service provider account and a checking account belonging to the same service provider. The use of electronic money units to make transfers to other accounts held with the bank or with other banks (except for mobile accounts managed by other banks), or their use as air-time credit for customers of the mobile phone operator, shall be subject to the approval of the CBE, which shall incorporate conditions to ensure control over these transfers.
4- The system shall allow transfers to similar mobile accounts managed by other banks. Banks licensed to transfer electronic money units from mobile accounts held therewith to similar accounts held with other banks shall do so in accordance with the relevant regulations established by the CBE and with the following minimum transfer and settlement rules:
• Transfers and clearing shall be performed through the national switch managed by the Egyptian Banks Co. for Technological Development.
• Settlements shall be made across the banks' accounts with the CBE.
• Transfers are made/received using ISO-compliant standardized messages to/from the national switch.
• The national switch shall be provided on a daily basis with the user data necessary to perform transfers between banks.
5- The bank shall conduct the due diligence required to open a new mobile account, including obtaining all relevant user data and the mobile number; shall comply with the AML/CFT controls established by the CBE; and shall require users to appear in person at the bank's or the service provider's premises to sign a mobile account agreement or application.
6- The bank shall, prior to allowing service access to a user, verify the information provided by that user, and shall monitor transactions to make sure that no suspicious activity is undertaken within the first 24 hours after access has been granted.
7- A mobile number may not be linked to more than one account.
8- The bank, the service provider and the mobile phone operator shall comply with the privacy regulations provided for in the Central Bank, Banks and Money Law No. 88 of the year 2003 and its amendments.
9- The bank shall, when closing a mobile account or terminating a service agreement, take appropriate procedures for withdrawing the electronic money units from the account and verifying the identity of the withdrawer, and shall keep proper account closure documentation.
10- The bank may open a mobile account for a foreigner, in which case it shall verify their identity against the ID card or passport used to enter the Arab Republic of Egypt.

Fourth: System Security Requirements

1- The highest security standards for encryption and for authentication of the originator's identity shall be applied to protect transfers and balance inquiries.
2- Payment instructions must be encrypted from end to end, i.e. from the mobile phone until they reach the servers for processing.
3- To verify the identity of the payer, two-factor authentication must be applied to financial transactions made via mobile phones, based on "something you own and something you know".
4- Payment instructions may not be originated via SMS messages. However, SMS may be used to confirm payments.
5- A double authentication access process must be in place, using the phone number and a PIN to originate a payment instruction. PINs must satisfy the following requirements:
• A PIN must be composed of a minimum of 4 digits (preferably 6).
• It must be randomly generated. The user/service provider will be asked to change the PIN after they first use the service.
• PIN information must be encrypted from the time a user/service provider enters the PIN until it reaches the decryption units.
• The PIN must not appear as readable text on any system computer during the process.
• PINs must be stored in inaccessible encrypted files.
• PINs should be decrypted with a hardware security module (HSM) whenever possible.
• The same PIN should not be used for other services provided by the bank.
• System users/service providers should be advised of the actions required if the PIN becomes known to another person.
6- When the payment system is accessed over the Internet through Web or WAP protocols from the mobile, and since the phone number cannot then be verified, identity verification must include a unique user name and a password of not less than 8 characters (numbers and letters), in addition to the PIN code of the service.
7- A payment order, once started, shall be processed until it is either completed or cancelled.
8- A periodical risk analysis of the system shall be performed, including the evaluation of penetration tests and ethical hacking, to confirm the strength of the system.
9- The IT infrastructure operating the system must include:
a- Firewalls
b- Intrusion detection systems
c- Data file and system integrity checking
d- Surveillance and incident response procedures
10- All system documentation must be exhaustively kept and secured.
11- Strict physical security procedures shall be applied to access to the operation of programs, networks, and any equipment operating the system in whole or in part.
12- Protection of the system's encryption keys shall be ensured. No single person may obtain and use these keys alone.
13- These measures shall apply to the system operator whether it operates the system fully or partially. The CBE is entitled to access any part of the system to make sure it complies with the measures and specifications of the CBE.
14- Segregation of duties shall be observed between the keeping and operation of security keys on one side and system administration and operation on the other.
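The credential rules of items 3, 5 and 6 above, worked through in code. This is an added example and not code from the Regulations or from any bank: it generates the initial PIN from a CSPRNG, stores only a salted HMAC-SHA256 of the PIN and web password as a stand-in for the encrypted files and HSM decryption the Regulations require, enforces the change after first use and the no-reuse-across-services rule, and requires phone plus PIN for payments and user name plus password plus PIN for Web/WAP access. The function names, the record layout, the process-local key and the choice to refuse payments until the initial PIN has been changed are all assumptions made for this example.

```python
"""Credential handling following Section Fourth, items 3, 5 and 6.

Added example; not taken from the Regulations or from any bank's system.
Storage uses a salted keyed hash (HMAC-SHA256) as a stand-in for the
regulation's encrypted PIN files and HSM decryption; key handling, record
layout and function names are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PIN_MIN_DIGITS = 4       # regulation minimum
PIN_DIGITS = 6           # regulation preference, used for generated PINs
PASSWORD_MIN_CHARS = 8   # Web/WAP password, letters and digits

# Assumed: this key would be held in an HSM; a process-local key stands in.
_PIN_KEY = secrets.token_bytes(32)


def generate_pin(length: int = PIN_DIGITS) -> str:
    """Initial PIN drawn from a CSPRNG (item 5: randomly generated)."""
    if length < PIN_MIN_DIGITS:
        raise ValueError("PIN must have at least %d digits" % PIN_MIN_DIGITS)
    return "".join(secrets.choice(string.digits) for _ in range(length))


def pin_policy_ok(pin: str) -> bool:
    """Digits only, at least 4 of them."""
    return pin.isdigit() and len(pin) >= PIN_MIN_DIGITS


def password_policy_ok(password: str) -> bool:
    """At least 8 characters containing both letters and digits (item 6)."""
    return (len(password) >= PASSWORD_MIN_CHARS
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _protect(secret: str, salt: bytes) -> bytes:
    """Keyed hash: the stored value is neither the secret nor, without the
    key, anything usable offline."""
    return hmac.new(_PIN_KEY, salt + secret.encode(), hashlib.sha256).digest()


def _new_entry(secret: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _protect(secret, salt)


def _matches(entry: Tuple[bytes, bytes], secret: str) -> bool:
    salt, digest = entry
    return hmac.compare_digest(digest, _protect(secret, salt))


@dataclass
class Credentials:
    pin: Tuple[bytes, bytes]
    must_change: bool = True            # True while the generated PIN is in use
    web_password: Optional[Tuple[bytes, bytes]] = None
    other_service_pins: List[Tuple[bytes, bytes]] = field(default_factory=list)


def enrol(pin: str = "") -> Tuple[Credentials, str]:
    """Create credentials for a new user and return the initial PIN for
    out-of-band delivery; the plaintext is not retained."""
    pin = pin or generate_pin()
    if not pin_policy_ok(pin):
        raise ValueError("PIN does not meet policy")
    return Credentials(pin=_new_entry(pin)), pin


def verify_pin(cred: Credentials, pin: str) -> bool:
    return _matches(cred.pin, pin)


def record_other_service_pin(cred: Credentials, pin: str) -> None:
    """Register (in protected form) a PIN the user holds on another bank service."""
    cred.other_service_pins.append(_new_entry(pin))


def change_pin(cred: Credentials, old_pin: str, new_pin: str) -> bool:
    """Mandatory first-use change: the new PIN must pass policy, differ from
    the old one and from any PIN the user holds on another bank service."""
    if not verify_pin(cred, old_pin) or not pin_policy_ok(new_pin):
        return False
    if _matches(cred.pin, new_pin):
        return False
    if any(_matches(e, new_pin) for e in cred.other_service_pins):
        return False
    cred.pin = _new_entry(new_pin)
    cred.must_change = False
    return True


def set_web_password(cred: Credentials, password: str) -> bool:
    if not password_policy_ok(password):
        return False
    cred.web_password = _new_entry(password)
    return True


def authorize_payment(cred: Credentials, phone_verified: bool, pin: str) -> bool:
    """Two factors (items 3 and 5): the registered phone (something you own)
    and the PIN (something you know). An unchanged initial PIN is refused."""
    return phone_verified and not cred.must_change and verify_pin(cred, pin)


def authorize_web(cred: Credentials, username_unique: bool,
                  password: str, pin: str) -> bool:
    """Web/WAP access (item 6): unique user name, password and the service
    PIN, because the phone number cannot be verified on that channel."""
    if not username_unique or cred.web_password is None or cred.must_change:
        return False
    return _matches(cred.web_password, password) and verify_pin(cred, pin)
```

The plaintext PIN exists only in the return value of enrol, for delivery to the user; nothing else keeps, prints or logs it, and verification compares keyed hashes in constant time. A real deployment would put the key and the comparison inside the HSM the Regulations call for, rather than in the process.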

Fifth: Protection of the User

1- The bank must set maximum limits on the balance, on the daily and monthly withdrawal volume, and on the number of daily and monthly operations. These depend on the level of risk related to the service and on the reports submitted by the bank to its Board of Directors on risk management for the service. The maximum daily withdrawal limit for a single account must not exceed 3,000 EGP. The maximum account balance must not exceed 5,000 EGP.
2- In case of disputes over financial transactions or of complaints by system users, dispute resolution must be subject to fixed rules announced to the users. These rules must be stated in the contract between the system user and the bank, taking into consideration that the system logs and audit trails are accepted as proof on condition that the system did not go down during the lifetime of the transaction and that the system holds full logs of the disputed transaction.
3- The bank must set up a mechanism for examining complaints, stating explicitly in the user contract the procedure for submitting a complaint to the bank and the maximum investigation time by the bank.
4- The contract between the bank and the user must state the time needed to stop the service from the moment of the request and the different means of requesting service stoppage.
5- The bank must indicate to service users how incorrect or unauthorized operations are handled.
6- While the mobile operator keeps the customers' data and their phone numbers, the customer accounts and their secrecy are the bank's responsibility. The contract between the bank and the mobile operator must include guarantees to protect the secrecy of accounts, balances and PIN codes.
7- The bank shall provide the service with the care of a prudent person, protecting the system from the risks of service unavailability and protecting service users from any unauthorized operations.
8- The contract between the bank and the user includes the user's responsibility to keep his PIN code secret and to immediately report the loss of his mobile phone. A form of the contract must be published on the bank's web-site on the internet.
9- The contract between the bank and the user should include the user's right to redeem e-money units for cash (Egyptian Pound) at any time, the redemption conditions, if any, and any service charges or fees.
10- If the service is ended by the bank or by agreement between the bank and the mobile operator, the bank commits to fulfil its liabilities towards the system's users as soon as possible, including redeeming e-money units for cash (Egyptian Pound) according to the contract conditions between the bank and the system users.
11- All contracts related to this system are subject to Egyptian law, and all disputes are settled inside the Arab Republic of Egypt.
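The limit checks of item 1 above, applied to a constructed account history. This is an added example and not code from the Regulations or from any bank. The 3,000 EGP daily withdrawal cap and the 5,000 EGP balance cap are the figures the Regulations give; the monthly withdrawal cap and the daily and monthly operation counts are left to the bank, so the values below are assumptions, as are the reading of "withdrawal" as cash-out to Egyptian pounds, of "daily" and "monthly" as calendar day and calendar month, and all names and the ledger layout.

```python
"""Per-account limit checks following Section Fifth, item 1.

Added example, not part of the Regulations or of any bank's system. The
balance and daily withdrawal caps are the Regulations' figures; every
other value below is an assumed bank-set limit. The ledger rows at the
bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from typing import List, Optional

MAX_BALANCE = Decimal("5000")              # Regulations: balance may not exceed 5,000 EGP
MAX_DAILY_WITHDRAWAL = Decimal("3000")     # Regulations: daily withdrawals may not exceed 3,000 EGP
MAX_MONTHLY_WITHDRAWAL = Decimal("20000")  # assumed bank-set value
MAX_DAILY_OPS = 10                         # assumed bank-set value
MAX_MONTHLY_OPS = 100                      # assumed bank-set value

CASH_IN, CASH_OUT, TRANSFER_IN, TRANSFER_OUT = "cash_in", "cash_out", "transfer_in", "transfer_out"
DEBITS = {CASH_OUT, TRANSFER_OUT}
WITHDRAWALS = {CASH_OUT}   # assumption: "withdrawal" means cash-out to EGP


@dataclass(frozen=True)
class Entry:
    when: datetime
    kind: str
    amount: Decimal      # always positive; kind gives the direction


def balance(ledger: List[Entry]) -> Decimal:
    """E-money balance implied by the posted history."""
    total = Decimal("0")
    for e in ledger:
        total += -e.amount if e.kind in DEBITS else e.amount
    return total


def _same_day(a: datetime, b: datetime) -> bool:
    return a.date() == b.date()


def _same_month(a: datetime, b: datetime) -> bool:
    return (a.year, a.month) == (b.year, b.month)


def check_limits(ledger: List[Entry], proposed: Entry) -> Optional[str]:
    """Return None if the proposed entry may be posted, otherwise the reason
    it breaches a limit. The ledger is the account's posted history."""
    if proposed.amount <= 0:
        return "amount must be positive"
    bal = balance(ledger)
    if proposed.kind in DEBITS and bal - proposed.amount < 0:
        return "insufficient e-money balance"
    if proposed.kind not in DEBITS and bal + proposed.amount > MAX_BALANCE:
        return "balance would exceed %s EGP" % MAX_BALANCE

    day = [e for e in ledger if _same_day(e.when, proposed.when)]
    month = [e for e in ledger if _same_month(e.when, proposed.when)]
    if len(day) + 1 > MAX_DAILY_OPS:
        return "daily operation count exceeded"
    if len(month) + 1 > MAX_MONTHLY_OPS:
        return "monthly operation count exceeded"

    if proposed.kind in WITHDRAWALS:
        day_w = sum((e.amount for e in day if e.kind in WITHDRAWALS), Decimal("0"))
        month_w = sum((e.amount for e in month if e.kind in WITHDRAWALS), Decimal("0"))
        if day_w + proposed.amount > MAX_DAILY_WITHDRAWAL:
            return "daily withdrawals would exceed %s EGP" % MAX_DAILY_WITHDRAWAL
        if month_w + proposed.amount > MAX_MONTHLY_WITHDRAWAL:
            return "monthly withdrawals would exceed %s EGP" % MAX_MONTHLY_WITHDRAWAL
    return None


def post(ledger: List[Entry], proposed: Entry) -> Optional[str]:
    """Apply check_limits and append the entry only if it passes."""
    reason = check_limits(ledger, proposed)
    if reason is None:
        ledger.append(proposed)
    return reason


# Constructed sample history for one mobile account (balance 3,000 EGP,
# 2,500 EGP already withdrawn on 4 March).
SAMPLE_LEDGER = [
    Entry(datetime(2024, 3, 4, 9, 0), CASH_IN, Decimal("4000")),
    Entry(datetime(2024, 3, 4, 12, 30), CASH_OUT, Decimal("2500")),
    Entry(datetime(2024, 3, 4, 15, 45), TRANSFER_IN, Decimal("1500")),
]
```

The checks are evaluated against the posted history before the new entry is appended, so a rejected operation leaves no trace in the balance; a production system would also write the decision and its reason to the audit trail item 2 relies on.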


Appendix: Service Provider

1- The bank has the right to use service providers to reach system users and to offer services for this system only. The service provider is limited to performing the following operations, after an agreement with the bank:
• Verify the identity and data of the applicant as a system user.
• Record and receive new applications from system users.
• Record and receive any other applications related to the service.
• Cash-in (Egyptian Pound) to the system from system users, up to the provider's balance of e-money units.
• Cash-out (Egyptian Pound) to system users against receiving e-money units from them.
• Offer information and guidelines to system users.
2- The amount of e-money units granted to the service provider is limited to the cash amount (Egyptian Pound) deposited at the bank, for transfer to system users against cash collection. The same applies when the service provider receives e-money units from users against cash (Egyptian Pound). The service provider is not allowed to receive money from service users without transferring e-money units to them.
3- Service providers must open a credit current account at the bank.
4- The service provider commits to send to the bank a copy of the applicant's identification card (National ID for Egyptians, and the ID which foreigners used when entering Egypt) and the application containing the applicant's data and signature, immediately after opening the account and not later than thirty working days thereafter; otherwise the account must be suspended.
5- The service provider must prepare a suitable place to undertake the financial dealings related to the system.
6- The service provider must have a good financial position and a good reputation.
7- The charges for the service offered by the service providers must be clearly stated in the contract between them and the bank and must be announced to service users.
8- The bank's responsibility in respect of the service provider must be clearly stated, even if the service is offered by the service provider.
9- The service provider is not allowed to outsource its contract with the bank to others, and is not allowed to transfer the contract with the bank or assign it to others. This must be explicitly stated in the contract between the bank and the service provider.
