EGYPT Law and Practice Contributed by: Dina Kamel, Helal El Hossary, Omar Fouda and Kareem Hashem, Zaki Hashem
The CBE sandbox is typically cohort-based and time- limited, allowing firms with market-ready solutions to perform tests under supervision within defined param - eters, and with core controls in place (including KYC, AML/CFT and data protection). The FRA sandbox provides a controlled testing envi - ronment for both licensed and unlicensed firms to pilot technology-driven NBFS products directly with consumers through a staged process of applica - tion, approval, testing and evaluation, with outcomes including approval to scale, extended testing or exit. It also increasingly aims to focus on consumer pro - tection and supervisory priorities, such as suptech and responsible AI governance, including managing “black-box” model risk. It is worth noting that as of 14 March 2026 – ie, since the inception of its sandbox – the FRA has granted preliminary approval to three companies. 2.6 Jurisdiction of Regulators The CBE governs banks and the payments ecosys - tem (PSOs/PSPs), including licensing, operations, customer protection and enforcement (Law 194/2020, Articles 184–199, 201, 205–206, 216 and 225). The FRA governs non-banking financial activities. However, a licensed consumer finance company that provides payment services through prepaid cards in co-operation with a bank must comply with the CBE’s PSP rules. The partnering bank must also obtain the CBE’s approval for the issuance of prepaid cards. In practice, the FRA’s role is limited to approving the consumer finance company’s participation in the card arrangement, and CBE oversight applies once the bank seeks and obtains approval to issue co-branded prepaid cards. 2.7 No-Action Letters In Egypt, “no-action” letters are not issued by any of the fintech regulators – the regulators have the dis - cretion to act at any time, and no letter is capable of limiting this discretion. 2.8 Outsourcing of Regulated Functions The CBE internet banking rules require prior CBE approval before outsourcing internet-banking ser - vices, and impose vendor-related controls relating to
due diligence, audit and oversight rights, information security and business continuity requirements, and contractual safeguards – including termination and orderly exit. Cross-border outsourcing must be in compliance with Egyptian law (Rules s2-2-2-3, 2-2- 2-7 and 3-7). According to the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Finan - cial Activities and FRA Decree Nos 139, 140 and 141, NBFS companies may outsource specified fintech services only to providers registered in the FRA’s Fin - Tech Outsourcing Service Providers Register, and no entity may provide such outsourcing services without that registration. The outsourcing provider must be established in Egypt and, if not already an Egyptian joint stock company, must be converted into one with - in the period prescribed by the relevant FRA decree. The provider must also notify the FRA of outsourcing contracts (and material amendments) and comply with the FRA’s applicable outsourcing requirements. 2.9 Gatekeeper Liability PSOs/PSPs must ensure service continuity, non- discrimination, and the security of systems and data (Law 194/2020, Article 198). Failure to comply can lead to staged measures and monetary sanctions, activity restrictions and management removal (Arti - cles 195–196). The PDPL assigns direct duties and penalties to con - trollers and processors for unlawful processing, secu - rity lapses, sensitive data misuse and cross-border violations (Articles 4–16 and 36–42). Cybercrime Law 175/2018 and ER 1699/2020 impose minimum technical and organisational standards, and penalise noncooperation and security breaches. The standards pertain to encryption (Advanced Encryption Standard 256) and multifactor/strong authentication. 2.10 Significant Enforcement Actions The CBE criminalises breaches of Articles 184, 205 and 206 of Law 194/2020 with imprisonment and fines ranging from EGP1 million to EGP10 million (Article 225). Violating money transfer licensing under Article 209 can trigger criminal penalties (Article 233).
222 CHAMBERS.COM
Powered by FlippingBook