The Key Takeaways of Decision 139 of 2023 issued by FRA and the Potential Overlap with Data Protection Law
This article represents the end of the series of decisions issued by the Financial Regulatory Authority (“FRA”), being Decision No. 139 of 2023 (“Decision 139”). While Decision 139 was the first decision issued by the FRA, it comes last in our series of articles as it regulates the facilities infrastructure, technological infrastructure, information systems and the protection and security mechanism needed to use fintech in carrying out non-banking financial activities.
Similar to Decision 140, Decision 139 applies on entities:
- wishing to obtain a license to carry out non-banking financial activities using fintech techniques under the Law (as defined in our first article);
- operating in the non-banking financial sector; or
- operating as outsourcing service providers.
Decision 139 imposes the fundamental rules and minimum requirements for facilities infrastructure, technological infrastructure, information systems, and means of protection and insurance.
Decision 139 provides that the information infrastructure and protection and security mechanisms should follow the following:
- the criteria and conditions set out by the FRA;
- availing certain servers (defined under the Decision 139) as a minimum requirement to the information infrastructure;
- abiding by the information security minimum requirements (as further detailed under Decision 139). These requirements include but not limited to notifying the FRA with any security incident which takes place on the level of information infrastructure and issuance of unique session ID along with the time stamp for each call to verify the communication; and
- abiding by the data protection conditions, which particularly include:
- locality requirements with respect to maintaining and storing the clients’ data base;
- informing the FRA with any transfer of the data center within 30 days at most; and
- availing a 24/7 customer support to deal with all the clients’ queries and provide immediate problem solving.
Furthermore, Decision 139 includes three (3) annexes which tackle thoroughly the following topics:
- Information Technology Governance Framework (“ITG-F”);
- Technology Risk Management Framework (“TRM-F”); and
- Cybersecurity Management Framework (“CSM-F”).
These annexes are designed to provide additional support and guidance in implementing effective information technology governance, managing technology-related risks, and ensuring robust cybersecurity practices.
While the Data Protection Law issued back in 2020 has not been effectively enforced given the non-issuance of its executive regulations, it is worth highlighting that Decision 139 necessitates that the clients (i.e., data subject) must be informed of any potential or actual service breach which (similar to the Data Protection Law) would entail notifying the clients of data breach incidents.
In conclusion, Decision 139 introduces crucial guidelines for companies seeking licenses for non-banking financial activities through fintech. It outlines rules and requirements for facilities infrastructure, technological infrastructure, information systems and the protection and security mechanism. The annexes attached to Decision 139 provide additional support for effective information technology governance, risk management, and cybersecurity practices. Adhering to these frameworks will enhance the security and resilience of operations, build customer trust, and protect against potential threats and disruptions.
Given the technicality of Decision 139, we are happy to address any specific queries you may have.