Introduction
Financial inclusion is the provision of diverse financial services to all segments of society through official channels, ensuring quality and affordability while safeguarding the rights of the beneficiaries. This empowers individuals to effectively manage their finances. Recognized as a fundamental pillar, financial inclusion plays a pivotal role in attaining strategic goals, especially in the pursuit of sustainable development. It aligns with the objective of fostering a competitive and diversified economy. Through the promotion of financial inclusion, the state aims to harmonize economic justice with social justice.
The National Agenda for Sustainable Development seeks to improve financial inclusion by giving residents in rural and distant areas greater access to financial services. Establishing robust frameworks for financial protection for individuals interacting with the banking and financial industries is another goal of financial inclusion. Other goals include helping citizens become more financially literate, strengthening their financial capabilities, and developing financial products that cater to their needs.
Data from banks and financial service providers, including the Egypt Post, was gathered for the Central Bank of Egypt’s (CBE) financial inclusion database, which was categorized by type for natural individuals and utilized the national number (unified identifier) as a foundation. According to database indicators, there was a notable surge in financial inclusion rates between June 2016 and June 2022, with a growth rate of 131 percent. This resulted in 39.6 million citizens having accounts that allow them to conduct financial transactions, or 60.6 percent of all citizens aged 16 and over (of nearly 65.4 million citizens based on population estimates for 2022).
An Additional Step to Promote Financial Inclusion
The CBE is conducting advanced negotiations with the central banks in Saudi Arabia, the UAE, and Jordan to allow financial transfers to customer accounts in Egypt using a mobile phone via the InstaPay application starting next year. Through this, the CBE aims to facilitate transfers by Egyptians residing abroad. According to data from the Central Agency for Public Mobilization and Statistics, there are 5 million Egyptians residing abroad in Arab countries, the majority of whom (36.6 percent) are in the Kingdom of Saudi Arabia, followed by Jordan (22.5 percent), and the United Arab Emirates (15.2 percent). The government’s goal is to raise the remittances that Egyptians working overseas send home, which decreased by 30.8 percent to $22.1 billion in the fiscal year that ended in June 2023.
The CBE also plans to license fintech companies so that, beginning the following year, they can connect the cards they issue to customers to the real-time payments network and the InstaPay application. Egypt introduced InstaPay in March 2022, a nationwide system that facilitates real-time payments and establishes a digital infrastructure connecting all functioning banks within the country. It establishes a connection between the InstaPay mobile application and the various bank accounts, enabling round-the-clock, real-time transfers between them. Users also have the capability to check their account balances, make utility bill payments, and add funds to their accounts.
The InstaPay app has gained popularity among bank customers, particularly since its services are provided at no cost until the end of the year. In the second quarter of this year, the number of InstaPay users increased by 76 percent on a quarterly basis to exceed 3.8 million users. The InstaPay application places restrictions on money transfers. It sets a daily cap of EGP 120,000, a maximum monthly limit of EGP 400,000, and a maximum limit for a single transaction of EGP 70,000. The InstaPay application rapidly established credibility among Egyptians by ensuring the protection of personal and financial information and data. However, that confidence subsequently eroded among users in light of the Fawry incident.
The Fawry Crisis
Social media platforms were rife with reports on November 9 regarding a breach in the database of Fawry, a provider of banking technology and electronic payments. This sparked panic among users of Fawry and other companies with which cards are registered. As a result, users who had previously used applications that required the use of cards to access funds had to remove those applications.
Fawry responded by releasing a statement refuting the claims made by certain social media pages that it had been the target of an information system hack or cyberattack. It emphasized the effectiveness and integrity of its electronic safeguards throughout its electronic platforms and services, asserting that these rumors are unfounded.
In this regard, Fawry’s founder and CEO, Ashraf Sabry, said: “Our investigation is underway into the possibility that an attack has been launched against our systems. Nonetheless, an examination of the systems reveals that no information was compromised or withdrawn.” This did not reassure users. On the Egyptian Stock Exchange, Fawry shares declined by around 5 percent.
Fawry is the largest entity in the Egyptian market for digital financial services and electronic payments, which comprises 22 licensed companies. The company serves approximately fifty million clients who, among other things, deposit funds into and withdraw funds from their accounts, conduct local and international money transfers, and settle credit card balances.
As such, users of all platforms that specialize in electronic payments have been thrown into a state of panic due to rumors; the question now is whether or not money could be stolen in the event that these companies’ data is compromised.
The short answer is no. The CBE requires all electronic payment gateways to follow the Payment Card Industry Data Security Standard (PCI DSS). According to that standard, the full card number (16 digits for MasterCard and Visa and 15 digits for American Express) is not retained at any point in the payment process if there is no business reason to do so. In cases where a consumer stores their card information via online stores or payment gateways like Amazon, Jumia, or Fawry, the card number itself is not retained in the database. Here’s what happens:
- The cardholder enters all of his card information in the first step, including the card number, expiration date, and card verification value (CVV).
- The payment gateway sends this information to its bank gateway, the acquirer bank, via a secure channel.
- The acquirer bank transmits the data to the card network, which is an interconnection point for the four largest card issuers (Mastercard, Visa, American Express, and Discover).
- The data undergoes verification through the card network. If the card details entered are correct, a token serving as an identifier for both the card and the merchant is created and sent back to the payment gateway.
- The token is stored in the payment gateway, which also associates it with the user profile.
In accordance with PCI regulations, payment gateways and online platforms are permitted to display the initial two digits and the final six (35XX-XXXX-XX42-4562). This information enables the gateway to notify the user of the card that was utilized or saved during the transaction. At no point is the CVV saved. The next time the cardholder logs into the online store or payment gateway, they will only be required to enter the CVV; the payment gateway will then combine the CVV with the token.
For certain service providers (like Amazon, for instance), the acquirer bank authorizes the service provider to use the token only with an optional CVV. With Fawry, however, this is not the case, as Fawry requests the CVV.
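The stored-card flow described above, modeled as an added example that is not part of the original article or any gateway's code: the class names, merchant identifiers and card values are constructed, and the network-side CVV digest is a simplification. It shows that the gateway's stored profile holds only the token, that a payment needs the CVV supplied at the time, and that the token is refused when presented for a different merchant.

```python
import hashlib, hmac, secrets

class CardNetwork:  # toy stand-in: the only party that can map a token back to a card
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._vault = {}  # token -> (pan, expiry, cvv_digest, merchant_id)

    def _digest(self, cvv):  # simplification: a keyed digest lets this model check the CVV
        return hmac.new(self._key, cvv.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan, expiry, cvv, merchant_id):
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the card number
        self._vault[token] = (pan, expiry, self._digest(cvv), merchant_id)
        return token

    def authorize(self, token, cvv, merchant_id):
        entry = self._vault.get(token)
        if entry is None:
            return "unknown_token"
        _pan, _expiry, cvv_digest, bound_merchant = entry
        if merchant_id != bound_merchant:
            return "merchant_mismatch"  # token identifies both the card and the merchant
        if not hmac.compare_digest(cvv_digest, self._digest(cvv)):
            return "bad_cvv"
        return "approved"

class PaymentGateway:
    def __init__(self, merchant_id, network):
        self.merchant_id, self.network = merchant_id, network
        self.profiles = {}  # user_id -> {"token": ...}: all that a database dump would hold

    def save_card(self, user_id, pan, expiry, cvv):
        # Card number and CVV pass through in memory only; just the token is stored.
        token = self.network.tokenize(pan, expiry, cvv, self.merchant_id)
        self.profiles[user_id] = {"token": token}

    def pay(self, user_id, cvv):
        return self.network.authorize(self.profiles[user_id]["token"], cvv, self.merchant_id)

def demo():
    network = CardNetwork()
    gateway = PaymentGateway("merchant-A", network)
    gateway.save_card("user-1", "4111111111111111", "12/30", "123")  # constructed test card
    return {
        "stored_fields": sorted(gateway.profiles["user-1"]),
        "pan_in_dump": "4111111111111111" in repr(gateway.profiles),
        "pay_with_cvv": gateway.pay("user-1", "123"),
        "pay_wrong_cvv": gateway.pay("user-1", "999"),
        "token_at_other_merchant": network.authorize(
            gateway.profiles["user-1"]["token"], "123", "merchant-B"),
    }
```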
Over the past few years, the card network has implemented 3-D Secure (3DS), an additional layer of protection and security that employs an SMS-delivered OTP to the linked mobile number of the cardholder.
Payment gateways store a variety of data types, including payment history, other information, and personal account details (name, phone number, address, etc.). This type of extremely valuable and sensitive data is outside the purview of PCI DSS; the payment gateway is in charge of storing and protecting it.
This raises the question of how important personally identifiable information (PII) is and how it is used. PII refers to any information that can be used to identify a specific individual. It includes personal and financial information, names, addresses, social security numbers, phone numbers, and email addresses. In the current digital age, safeguarding personal information is critical for the reasons outlined below:
- Protecting People’s Privacy: Maintaining people’s right to privacy depends on protecting their personal information, and keeping it secure gives people control over who can see their private information.
- Mitigating Identity Theft Risk: For fraudsters, personal information is a prime target. Preventing unauthorized access and use of such information lowers the possibility of identity theft and financial fraud. In the event that hackers obtain access to this information, they sell it to the largest buyers first, followed by lower-level buyers. This information is sometimes sold to ordinary users on the dark web for a fee.
- Ensuring Personal Safety: Disclosure of personal information may, in certain circumstances, result in physical harm; for instance, divulging residential addresses or daily schedules could jeopardize an individual’s safety.
In short, the CBE is committed to the PCI DSS and holds all financial transaction providers accountable to it. This ensures that fraudulent activities involving card and smart wallet users are rendered unfeasible and can only occur in the event that the customer’s mobile phone is compromised. As a result, what happened with Fawry will have no impact on Egypt’s efforts to achieve financial inclusion and facilitate banking and financial operations for citizens. In addition, the CBE mandates that Egyptian banks protect their customers’ financial and personal information in accordance with industry standards. The same holds true for any business or app that conducts financial transactions with Egyptian banks.