The Parliament of Uganda passed the National Payment Systems Act (the Act) in 2020 and a year later, the National Payment Systems Regulations 2021 (the Regulations) were passed to operationalise the Act. The objective of this regime is to control risk, promote the efficiency of payment systems and provide for the functions of the Central Bank (BOU) in its role as the regulator of fintech and other enterprises operating payment systems.
The legal regime provides clarity in a previously uncertain market with BOU paving the way for the creation and enforcement of standards, oversight, and consumer protection. The enactments are a welcome development that have seen enterprises adjust to comply with the legal requirements.
Most notably, is the influx of fintechs seeking to offer and roll out a variety of e-payment systems and services to tap into the growing need for digital financial solutions and financial inclusivity. These emerging businesses have tested the robustness of the regulatory regime and exposed procedural issues yet to be streamlined considering that it is still relatively new.
1. Types of Licenses
The National Payment Systems regime provides for three categories of licenses which include the payment systems operator license, a payment service provider license, and an issuer of payment instrument license.
A payment system operator license is applicable to e-fund transfer systems, clearing systems, settlement systems, and third party systems such as aggregators, integrators, or payment gateways. The payment service provider license is issued to electronic money issuers and payment services such as e-loan providers, tokens; and the license for an issuer of a payment instrument is issued in respect of payment cards, electronic devices and any paper-based payment instruments. An applicant may apply for two or more licenses in one application if the services they seek to offer fall in more than one of the licensing categories.
2. The Licensing Process
To acquire a Payment Systems License, an applicant must apply to BOU in a form prescribed under the Regulations, supported by documentation relating to the incorporation of the Applicant, the fitness of its shareholders, directors, and managers and proof of sufficient technical, financial and operational capacity to run and maintain a payment system with its associated risks.
Minimum capital requirements are also applicable to applicants for a payment systems operator and a payment service provider. These depend on the category of payment system or service that the applicant seeks to obtain a license for. The lowest threshold for an operator of a e-funds transfer system is UGX 100 million (approximately USD. 28,000), and the lowest threshold for an electronic money issuer is UGX 250 million (approximately USD 70,000). In addition to this are application and licensing fees which are determined based on the category of product or service offered and the transaction threshold of the applicant.
An applicant is also required to provide a list of its substantial and beneficial shareholders, a description of its products, services or operations, a business plan with financial projections demonstrating that the applicant’s ability to employ appropriate resources and procedures to operate soundly for three years, its organisational, governance and management structure, risk management framework, policies and procedures for the handling of customer complaints, pricing policy, credit reference reports for substantial shareholders, directors and managers, certificate of good conduct for all shareholders, directors and managers and a policy for monitoring, detecting and reporting money laundering, among others. BOU as the regulator has discretion to request for further information from the applicant to meet all legal and security requirements and to minimise risk.
3. Related Licenses
In addition to the application to BOU, the applicant must also simultaneously register with and obtain certifications from other regulators to cater for privacy and data protection concerns, anti- money laundering, tax compliance, among others.
An applicant is required to apply to the National Information Technology Authority of Uganda (NITA-U) to obtain certification for its software/e-products before submitting its application to BOU. The Application for certification requires an applicant to provide evidence of qualified IT personnel employed by the applicant and procedures and policies for data protection and retention, IT audits, dispute resolution mechanisms, information and network security, access control, backup and recovery and business continuity.
The applicant must also register with the Financial Intelligence Authority (FIA), if they qualify as an “accountable person” under the Anti- money Laundering Act (AMLA), and the KYC – due diligence requirements there under. Accountable persons among others include persons who conduct the business of transfer of money or value, issuing or managing means of payment such as credit cards, debit cards and electric money and persons who conduct the business of accepting deposits from the public . The AMLA requires all accountable persons to record and maintain records of all transactions, dates the parties involved and any documentation for a period of 10 years. Accountable persons are also required to report suspicious transactions to the FIA.
An applicant is required to designate a data protection officer to liaise with the Personal Data Protection Office and ensure compliance with requirements under the Data Protection and Privacy Act such as ensuring that the entity obtains the consent of a data subject before the collection and processing of their data.
Although the Act explicitly prescribes 60 days as the period within which the overall application to BOU is considered and a license issued, the discretion given to BOU to further inquire into the affairs of the applicant typically stretches the application process up to 6 months, and beyond.
The NITA- U Certification Regulations provide for a timeline of 45 days to obtain certification, however, in practice, this process many take up to 4 months depending on the queries and additional information requested by NITA-U. This is in addition to scheduling an audit of the applicants operations. This application also attracts a fee of UGX 72,450 (approximately USD. 20) payable once NITA has completed evaluation of the information submitted.
The registration with the FIA takes 1-3 working days while registration of the data protection officer with the Personal Data Protection Office takes 3-5 working days.
5. Due Diligence by BOU
In their evaluation of Payment Systems License applications, BOU independently conducts a due diligence process. The process involves obtaining customer information and verifying or assessing the authenticity of the information submitted by independent consultants. In some instances, BOU outsources due diligence work to external experts such as law firms, regulators, auditors, and analysts to report on potential risks with the applicant. This cost is typically incurred by the applicant and due diligence takes anywhere between 3-6 weeks.
After the conduct of the due diligence BOU has the discretion to grant the license with or without conditions. BOU also has the discretion to add, vary or to substitute the conditions for grant of a license to ensure that the Licensee meets the prescribed standards.
6. Reporting Obligations
After the grant of the license, the licensee must attend to all reporting obligations applicable to the respective regulators in this case the Central Bank, NITA, FIA some being annual, bi-annual etc.
Whilst the regulation of Fintech was a welcome development due to the high risk involved in operating e-payment systems and e-money, the licensing process is not without challenges. The rationale for the various levels of registrations and certifications is to ensure maximum consumer protection and efficiency. This is in line with the government’s National Payment Systems Policy Framework which seeks to ensure consumer protection, addressing money laundering and data security concerns and preventing and containing system risks.
Prospective Fintech applicants should brace themselves for deep pockets and a patient game as they tick off the respective regulators’ lists added to streamlining a host of their group policy with Ugandan law, to qualify for the licenses.
A decent measure of good faith and cooperation between the applicant, BOU and the other regulators works well in coordinating the flow of information and speedy evaluation of applications. It remains to be seen whether BOU will issue any practice guidelines to streamline the application process.
Read the original publication at ALN.