The Central Bank of Egypt (CBE) has recently issued governing rules concerning Instant Payment Network (IPN) services. Released in October 2021, this vital guideline aims to create a plan for the realization of financial inclusion and assist a wide range of different social classes in accessing all financial services. Moreover, this guide also helps achieve the digitization process, increasing electronic transactions.
Essentially, the guide defines the framework for both banks and service providers subscribed to IPN who provide their services through mobile applications and e-payment tools. It also regulates the implementation of compatible financial services.
The guide defines “the instant payment” as the operation through which the credit/debit deposit/withdrawal transactions are fulfilled instantly between the sender and the recipient.
Accordingly, e-payment tools are defined as financial instruments provided by banks to users through IPN, an operating network between the banks themselves that provides instant completion of transfers between banks and clients 24/7.
In addition to that, the guide clearly defines all involved operating entities, including:
- Issuer bank,
- Payment Service Provider (PSP) bank,
- Acquirer bank,
- IPN service provider,
- Technology service provider, and
- The Secure Library (SL).
Scope of application
The CBE regulations in this guide apply to all banks in Egypt, noting that these rules are the minimum standards with which banks should comply to provide IPN services to their clients.
It is essential to highlight that this guide includes requirements and general objectives to be fulfilled for banks and service providers to provide IPN services.
Accordingly, banks are also required to comply with the following:
- Regulatory requirements issued by the CBE for financial e-transactions,
- Instructions concerning financial transactions completion, and
- Anti-money laundering and terrorism financing requirements as issued by CBE.
The CBE guide thoroughly stipulates a detailed risk management plan for IPN provided services.
The stipulated risk management lists include:
- Lists of risks related to the execution of financial instant transactions services through e-channels.
Even though these risks existed before, the introduction of IPN services created new challenges and levels that all entities, especially banks, must address via frameworks and new requirements to limit and manage them.
These above-mentioned risks include:
- Strategic risks:
Banks should examine the economic efficiency of providing such services, especially the timing of offering them, and consider the quality of the services banks can provide.
- Operational and transactional risks:
Operational and transactional risks include fraud and completion errors that may result in financial loss for both banks and clients, depending on the complexity of the operations and the level of applied technology.
- Legal and organizational risks:
The guide stipulates numerous lists of legal obligations upon issuer banks, banks providing e-payment services, and acquirer banks.
- Reputation risks:
Banks should eliminate risks concerned with using these services in money laundering or terrorism financing.
- Cyber security risks:
These risks can emerge from illegal and unauthorized breaches in the bank system via weak points, affecting the data integrity, security, and confidentiality levels.
- List of obligations and liabilities of banks’ Board of Directors (BoD):
The guide requires involved entities to prepare strategies and policies that address the provided services, risk management, disputes, refunds, and fraud.
Additionally, banks shall stipulate requirements and rules to ensure IP risk analysis.
Finally, a global and sustainable mechanism for Due Diligence shall be implemented.
- List of requirements for anti-money laundering and terrorism financing policies:
CBE stipulates in detail all requirements and obligations to be fulfilled by involved actors and entities to ensure the elimination of IPN services’ use for money-laundering or terrorism-financing purposes.
General rules concerning banks subscribed in the IPN
The guide stipulates that banks requiring licenses to subscribe to IPN must apply for authorizations from CBE after complying with the following:
- CBE rules and their updates,
- IPN rules and their updates,
- Technical requirements for connecting and operating the bank’s system on IPN.
Accordingly, the guide defines a list of obligations on both acquirer and issuer banks, specifically the maximum limit for daily and monthly transactions (EGP 60 000 for daily transactions and EGP 200 000 for monthly transactions). Besides this list of obligations, the guide also contains the list of licenses required for PSP banks (whether pre-authorized or Full Fledge) to activate their e-channels (such as internet or mobile banking).
It is important to note that services provided on the IPN are both financial and non-financial transactions and enable clients to register through payment service providers’ applications.
Finally, the general requirements are defined thoroughly as follows:
- Banks must follow special instructions issued by CBE in Feb 2019 regarding the protection of clients’ rights,
- Special provisions concerning mobile applications that PSP banks must follow,
- Special provisions concerning the payment address, Instant Payment Address (IPA), authentication tools management (two-factor authentication, also known as 2FA), IPN PIN special requirements, and Technical Service Providers engagement.
Egyptian Banks Company (EBC) responsibilities
EBC is responsible for:
- Issuing IPN rules and subsequent updates following CBE approval,
- Defining the regulations, directives, responsibilities, and liabilities of IPN subscribers,
- Transactions analysis and disputes management,
- IPN management, and
- Defining parties’ commissions.
Regulatory requirements on IPN services
The CBE guide stipulates several regulatory requirements to comply with, including information security and integrity requirements, infrastructure and security following systems, the ongoing evaluation of the services’ security system through periodic vulnerability assessments, requirements concerning remediation plans and penetration testing, and finally, the immediate handling of both actual and suspected security breaches.