The Central Bank of Egypt (the “CBE”) has recently issued a revolutionary circular (the “Circular”) regulating the provision of Payment Cards Tokenization Services on Electronic Devices Applications (the “Tokenization Services”) in the Arab Republic of Egypt (the “ARE”). The Circular effectively allows, subject to certain requirements and approvals, contactless payments utilizing tokens generated through electronic devices’ applications, including applications such as Apple Pay and Samsung Pay. The Circular is issued in line with the CBE’s overarching agenda of (i) creating a robust electronic payments infrastructure with a more diversified set of electronic payment methods being made available; (ii) expanding the usage of electronic payment methods across the various segments of the population; and (iii) achieving financial inclusion. It is expected that the Circular will be the first of a series of upcoming circulars and regulations to be issued by the CBE and aimed at efficiently adapting to the rapidly changing world of financial technology.
I. Important Definitions
The Circular defines “Tokenization” as the process of replacing a payment card’s sensitive data with a unique non-sensitive token (the “Token”), whereby the Token represents other data such as the card number and the Token Requestor. Accordingly, a Token is a series of randomly generated numbers not connected to an account number or individual, limiting exposure to potential security breaches. A “Token Requestor” is the entity which initiates the Tokenization process by requesting a Token from the Token Service Provider (the “TSP”) through electronic channels and applications. Importantly, the Circular defines a TSP as any entity operating within the payments system, duly licensed by the CBE and engaged in the issuance and management of Tokens.
It is important to note that the Circular distinguishes between “Original Equipment Manufacturer Wallet (OEM Wallet)” and “Host Card Emulation Wallet (HCE Wallet)”. On the one hand, OEM Wallet refers to Tokenization applications issued by manufacturers of electronic devices, including, but not limited to, applications such as Apple Pay, Google Pay and Samsung Pay. On the other hand, HCE Wallet refers to Tokenization applications issued by Issuer Banks (as defined under Section IV (2) of this memo) or payment service providers.
II. Scope of Application
The primary purpose of the Circular is to set out the framework of operation for banks and related parties engaged in the infrastructure underlying the provision of Tokenization Services. The provisions of the Circular apply to the following entities:
- all the banks operating in the ARE; and
- Token Service Providers duly licensed by the CBE.
Section IV of this memo sets out the obligations placed by the CBE on the various entities addressed by the Circular with respect to the provision of Tokenization Services.
III. Risk Management and Obligations of the Banks’ Boards of Directors (the “BoD”)
The Circular includes a section addressing the risks associated with the provision of Tokenization Services. Such risks include, amongst other things, non-compliance risks, reputational risks, fraud risks and information security risks. As per the Circular, all entities engaged in the provision of Tokenization Services are obligated to put in place the requisite frameworks, guidelines and standards as may be necessary to manage and minimize such risks.
In addition to risk management obligations, the Circular places various duties on the BoD of banks concerning Tokenization, including a commitment to put in place sufficient policies regulating the provision of Tokenization Services. Such policies must, amongst other things, (a) incorporate the necessary procedures to determine the bank’s risk appetite as well as to minimize the risks associated with Tokenization Services; and (b) be based on a specific risks and threats analysis taking into consideration inherent risks and compensating controls with the aim of reaching an acceptable level of residual risks.
Additionally, the Circular includes a section addressing anti-money laundering and combating terrorist-financing obligations of banks. Banks providing or accepting Tokenization Services must, amongst other things, (a) adhere to applicable laws and regulations governing anti-money laundering and terrorist financing, including, amongst other things, the provisions of the Anti-Money Laundering Law No. 80 of 2002 (the “AML Law”), its amendments, and its executive regulations; (b) have in place mechanisms to detect potential money laundering and/or terrorist financing transactions; and (c) maintain sufficient records of clients and transactions in accordance with the provisions of the AML Law.
IV. Obligations of Concerned Entities
The Circular details the regulations and obligations governing each entity’s operation concerning Tokenization. Entities addressed by the Circular are (i) The Egyptian Banks Company (the “EBC”) (in its capacity as a service provider for the Unified Issuer TSP Interface), (ii) Issuer Banks; (iii) Acquirer Banks; (iv) Approved Networks; (v) TSPs; and (vi) Token Requestors.
- Unified Issuer TSP Interface
The Circular stipulates that the EBC will act as a service provider with respect to the Unified Issuer TSP Interface. The “Unified Issuer TSP Interface” is defined under the Circular as the unified interface connecting Issuer Banks and Approved Networks for the purpose of managing the provisioning of Tokens (“Token Provisioning”) for all payment cards issued inside the ARE.
It is important to note that an additional token (“Auxiliary Token”) will need to be issued by the Unified Issuer TSP Interface for cards issued in the ARE, which form part of an International Card Scheme. The two Tokens shall be issued as follows: (a) a token issued by the relevant internationally Approved Network; and (b) an Auxiliary Token issued by the Egyptian National Payment Scheme “Meeza”.
Moreover, the Circular sets out additional responsibilities to be borne by EBC with respect to Tokenization. Such responsibilities include, but are not limited to, the following: (a) making available the Unified Issuer TSP Interface; (b) executing the requisite integration procedures with all internationally Approved Networks duly licensed to operate in the ARE; (c) making the necessary reports available to banks participating in the Unified Issuer TSP Interface service; and (d) implementing internal monitoring and auditing systems.
- Issuer Banks
The Circular defines an “Issuer Bank” as a bank duly authorized by the CBE to (a) issue Electronic Payment Methods in collaboration with Approved Networks; as well as (b) approve financial transactions and transfers that are completed utilizing Electronic Payment Methods. “Electronic Payment Methods” are defined under the Circular as the banking tools made available by Issuer Banks for use in electronic payment transactions, which include, inter alia, electronic cards.
The Circular sets out an exhaustive list of obligations to be borne by the Issuer Bank with respect to Tokenization. The responsibilities placed on Issuer Banks include, amongst other things, the following: (a) using the Unified Issuer TSP Interface to connect with Approved Networks; (b) making available the Tokenization Services offered by the bank to all Approved Networks with whom the bank has a contractual relationship; (c) undertaking all requisite Know Your Customer (“KYC”) checks and verifying the data of the Electronic Payment Methods held by its clients; (d) setting maximum limits for the number and value (daily and monthly) of transactions that may be completed using a single Token; (e) ensuring that the maximum aggregate value and number of transactions permitted for contactless payment transactions do not exceed those mandated by the CBE in this respect; and (f) obtaining the requisite license from the CBE to engage in the provision of Tokenization Services.
It is worth noting that the Circular stipulates that the maximum validity period of a Token is 5 (five) years. Upon the elapse of such period, the Circular obligates the Issuer Bank to re-verify the identity of its clients.
- Acquirer Banks
As per the Circular, an “Acquirer Bank” is a bank duly authorized by the CBE to (a) provide electronic acceptance services for transactions completed utilizing different payment methods; and (b) settle transactions.
The Circular outlines several obligations to be upheld by the Acquirer Bank with respect to Tokenization. These obligations include, but are not limited to, the following: (a) ensuring that Points of Sale (“PoS”) are compatible with all Token acceptance methods (including near field communications); (b) ensuring that the client’s signature is not obtained upon the completion of any contactless payment transaction, with the exception of transactions completed using contactless payment methods issued outside of the ARE; (c) providing sufficient training to the bank’s employees on the various contactless payment methods to enable them to provide effective support to clients; and (d) putting in place procedures to avoid incorrect duplication of transactions on a merchant’s PoS.
- Approved Networks
The term “Approved Networks” is used throughout the Circular to refer to accepted payment card networks. The Circular imposes several obligations on Approved Networks with respect to Tokenization. Such duties include, inter alia, the following: (a) connecting with EBC in its capacity as a service provider for the Unified Issuer TSP Interface; (b) ensuring that Token Provisioning for each card is done securely at all times; (c) establishing mechanisms to audit the Tokenization systems periodically; and (d) putting in place procedures to ensure that clients’ payment card numbers cannot be detected from the Token by any entity other than the Approved Network pertaining to the Issuer Bank.
- Token Service Providers
The Circular imposes several obligations on TSPs, including, but not limited to, (a) providing Tokenization Services upon the request of Issuer Banks and/or Token Requestors, as well as fulfilling detokenizing requests received from Approved Networks; (b) complying with the Payment Card Industry Data Security Standard (“PCI DSS”); and (c) ensuring that the data of the cardholders remains encrypted throughout all the phases up until it is translated into a Token.
It is important to note that the Circular stipulates that the Approved Networks are also allowed to license a payment service provider to provide Tokenization Services to its network members, provided that the Issuer Bank shall obtain the CBE’s approval if it wishes to benefit from the services offered by such payment service provider.
- Token Requestor
The Circular imposes several obligations on the Token Requestor. Such responsibilities include, amongst other things, the following: (a) ensuring that the Tokenization application links the Token to the mobile phone which has issued the Token; (b) conducting all the necessary tests on the Tokenization application; and (c) providing the CBE with the following reports: (i) Penetration Test Report; (ii) Credential Vulnerability Assessment; and (iii) PCI DSS Report on Compliance.
It is worth noting that the Circular provides that the Issuer Bank may enable payment through Tokenization applications, whether the Tokenization Service is integrated within its own mobile banking application or a separate application, provided that the management server of such application (“Locally Hosted Wallet Management Server”) is hosted by the Issuer Bank itself or by any of the service providers authorized by the CBE.
In addition, the Circular stipulates that payment service providers or any of the mobile phone manufacturers (e.g., Google Pay, Apple Pay) are entitled to provide HCE & OEM Wallets, provided that, amongst other things, the CBE’s approval is obtained by the Issuer Bank wishing to provide the service via their respective applications.
V. General Rules And Regulations Governing Tokenization
The Circular outlines the regulatory requirements governing the provision of Tokenization Services. Notably, the Circular highlights that the provision of Tokenization Services entails the circulation of confidential data. Accordingly, the Circular obliges banks and TSPs to use appropriate data protection methods. The Circular has also mandated that banks and TSPs utilize Tokenization technologies compatible with the sensitivity of the data at hand.
Additionally, the Circular stipulates that security services must be outsourced to companies or individuals that comply with the relevant Egyptian laws. Furthermore, the Circular imposes an obligation on banks and TSPs to periodically assess the security status of all their relevant systems, which includes, amongst other things, conducting a periodic vulnerability assessment at least every three months or upon the occurrence of a fundamental change in their operating environment.
It is also worth noting that the Circular obliges banks to accurately define the terms and conditions that shall apply to their clients through Tokenization applications. The Circular mandates, amongst other things, the following: (a) subscribing to the Tokenization Service may only occur after the client electronically agrees to such terms and conditions; (b) upon the misuse of the Tokenization Service by the client, the client may be prevented from using the Tokenization Service; and (c) if there are any additional costs or fees for using the Tokenization Service, such costs and fees must be clarified to the client.
VI. Licensing Procedures
The Circular provides that Issuer Banks wishing to engage in the provision of Tokenization Services must submit a licensing request to the banking affairs sector of the CBE to obtain the requisite CBE approval. It is important to note that Issuer Banks must obtain this requisite CBE approval for each application through which the Issuer Bank’s cards are accepted.
As per the Circular, the Issuer Bank must satisfy certain conditions to obtain the aforementioned CBE approval. Such conditions include, but are not limited to, submitting (a) data concerning the infrastructure of the system that the bank will use to provide the Tokenization Service; and (b) a three-year business plan that includes, inter alia, the targeted number of clients and their respective cards.
It is also worth noting that the CBE requires that it be provided with, amongst other things, the following prior to the actual launch of the Tokenization Service: (a) a Penetration Test Report and Credential Vulnerability Assessment Reports on the work environment; and (b) evidence that the electronic applications which are intended to be used have passed the requisite technical tests.