Over the past 12 months, Egypt’s fintech market has moved from linear growth to a more “regulated scale” phase, with rails, licensing and supervision catching up to adoption.

On the payments side, Instapay, the Central Bank of Egypt (CBE)-controlled instant payment network (IPN), continued to expand at mass scale. The market has shifted from free usage towards monetisation, with transfer fees applied from 1 April 2025 (0.1% of value; minimum EGP0.50, maximum EGP20). Instapay reported approximately 16 million users in June 2025, expected to reach upwards of 20 million users by year end. Transaction activity accelerated sharply, from 20.3 million transactions valued at EGP112.7 billion in year one to nearly 1.5 billion transactions worth approximately EGP2.9 trillion by the end of 2024. In the first half of 2025 alone, Instapay reported processing 1.1 billion transactions valued at EGP2.4 trillion.

The year 2025 also saw the first ever digital bank licence granted by the CBE. In August 2025, Banque Misr’s Misr Digital Innovation received approval to transition into onebank, Egypt’s first fully digital-native bank, with products and services expected to go live in 2026 through exclusively digital channels. This approval is widely viewed as a market inflection point under the CBE’s digital banking direction, unlocking a broader pipeline of “digital-first” banking entries. Multiple banks and fintechs have publicly signalled interest in digital bank licensing, reflecting a clear shift towards platform-led banking as the next phase in the modernisation of Egypt’s financial sector.

In parallel, the CBE issued the June 2025 licensing and registration rules for payment system operators (PSOs) and payment service providers (PSPs), signalling higher expectations around governance, operational resilience and compliance for payment market participants. The aim is to strengthen parameters and regulations in preparation for continued digital financial adoption in Egypt.

On the non-banking side, the Financial Regulatory Authority (FRA) has been actively “productising” fintech licensing, starting in 2022 when the legislator issued Law No 5 of 2022 (the “Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities”), regulating the use of financial technology in non-banking financial activities. The aim was to enhance financial inclusion, expand the beneficiary base and reduce costs. Following the law’s issuance, the FRA issued regulatory decrees regarding non-banking fintech companies’ incorporation, licensing, operation and technical requirements.

On December 2024, the FRA granted Egypt’s first fully digital non-banking fintech licence to Oliv Finance S.A.E., a joint stock company incorporated in accordance with the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities and engaging in factoring activity using financial technology. The incorporation and licensing of Oliv Finance S.A.E. was a practical milestone for SME working capital products delivered end-to-end digitally.

The FRA also introduced a first-of-its-kind pathway for digital insurance and reinsurance brokerage activity, requiring FRA approval and specific readiness measures before licensed intermediaries can conduct their activities digitally.

Looking to the next 12 months, the significant factors/areas to look out for will be:

• implementation and enforcement of the CBE’s licensing regime for PSPs and PSOs, which will shape consolidation, outsourcing and compliance;
• continued FRA digitisation of non-banking activities, including digital investment platform frameworks and “licence-first” expansion into new verticals;
• consumer protection and fraud pressure as instant payments volumes, product complexity and fee structures expand; and
• data protection compliance and cross-border cloud risk, with the release of the Data Protection Law Executive Regulations and establishment of a personal data protection centre (PDPC).

AI models are already being used in Egyptian fintech products, and this use is expected to greatly accelerate, especially in relation to fraud detection, AML and transaction monitoring, credit decisioning, collections optimisation and customer support automation. The legal risk is less about prohibition and more about whether AI changes the nature of the regulated activity – and whether firms can evidence governance. Data origination and consent, explainability and bias controls for automated decisions, audit trails and robust third-party model management are to be scrutinised, especially where cloud or external model vendors are involved. Software “black-box” auditing, in case of machine learning AI tools, will continue to be a major issue for regulators.

In Egypt, fintech business models tend towards two regulatory groups: CBE-supervised banking and payments, and FRA-supervised non-banking financial services (NBFS). Legacy players (banks, telcos, large payment aggregators/operators) dominate distribution and rails, while newer entrants aim to innovate via efficient product design, faster onboarding, vertical focus and partnerships.

CBE (Banking and Payments)

The following are of relevance:

• payment facilitators and aggregators (PSPs) on-board merchants, provide acceptance tools (quick response (QR), point of sale (POS), gateways), route transactions to banks and offer settlement as a service;
• internet payments and payment gateways facilitate e-commerce payments (cards, wallets, bank transfers) via checkout application programming interfaces (APIs), fraud tools and merchant analytics;
• governmental payments (non-cash) – digital collection of government fees and dues (taxes, utilities, fines, licensing fees) through banks, wallets and aggregators, focusing on scale and reliability; and
• digital-first banking propositions (often via licensed banks) emphasising remote onboarding, digital channels and embedded services/products such as wallets, cards, lending and savings.

FRA (NBFS)

Of note here are the following:

• consumer finance (including buy now, pay later – BNPL) – instalment-based purchasing and consumer credit, embedded at the POS or in apps, supported by underwriting and collections;
• SME finance – credit granted to juridical persons operating SMEs for the purpose of supporting their productive, service, commercial or agricultural economic activities to finance working capital, assets or business expansion and growth;
• microfinance – small-ticket credit to micro-enterprises (projects with annual turnover below EGP1 million or start-ups with capital under EGP50,000) for productive, commercial or agricultural activities requiring borrower participation through labour or capital.
• nano finance – ultra-small, high-frequency credit products (often with short tenors) offered to juridical persons, commonly delivered through mobile journeys;
• factoring (including digital factoring) – providing SME liquidity by purchasing or financing invoices and receivables (increasingly end-to-end digital for onboarding, verification and disbursement);
• insurance (including digital insurance distribution/intermediation) – digital sale, distribution and servicing of policies (often micro- or embedded insurance), with claims workflows moving online;
• insurance brokerage – intermediation between clients and insurers, providing advisory, placement and policy management services (brokers may operate digitally, offering online comparisons, quotes and client servicing, while facilitating claims processing and risk assessment); and
• financial consultancy/advisory – licensed advisory services delivered through digital channels, covering investment, corporate finance and financial structuring support.

Impact of the Fintech Law: Regulatory Direction

Egypt’s fintech regulations are moving towards “licence-first digitisation”, clearer activity boundaries and more formal and digital governance, especially where customer funds, credit decisioning or investor-facing products are involved. Practically, most growth models now combine a regulated licence (or partnership with a licensee) with technology-led distribution, data-driven underwriting or risk controls and deeper integration into merchant, employer and government payment flows. This clearer and more transparent regulatory environment is likely to give new investors more comfort when investing into up-and-coming fintech companies – and is also likely to enhance appetite for investment into the legacy players as they continue to streamline, scale and license new activities. 

Egypt’s fintech regulation is split by regulatory perimeter: the CBE for banking and payments and the FRA for NBFS. In several models, there exists a dual-compliance component; for example, an FRA-licensed finance product that relies on a bank partner or PSP for collections, cards or wallet rails.

CBE Regulation

The CBE regulates payments (including internet payments), facilitators/aggregators, government collections and digital banking. The following are of relevance:

• primary law – Central Bank and Banking Law No 194 of 2020 (the “Central Bank and Banking System Law”), including the payment systems and payment services framework (PSOs/PSPs) and CBE supervisory powers;
• key CBE instruments include the 2025 CBE decision on licensing and registering PSOs and PSPs, and the CBE’s electronic banking and online banking rules; and
• telecom oversight (where applicable) – Law No 10 of 2003 (the “Telecommunications Law”) and the National Telecommunication Regulatory Authority (NTRA) licensing terms are applicable where the model uses telco infrastructure, mobile networks, connectivity or telco wallet distribution.

FRA Regulation

The FRA regulates NBFS (delivered non-digitally or digitally), consumer finance, SME finance, microfinance, nano-finance, insurance, reinsurance, insurance brokerage, reinsurance brokerage, factoring, financial consultancy and fintech enablement.

• FRA mandate: Law No 95 of 1992 and its Executive Regulations (the “Capital Markets Law”), Law No 10 of 2009 and its Executive Regulations, and FRA decrees regarding governance and licensing set baseline expectations for supervised entities (notably licensing and ongoing requirements, governance and capital adequacy).
• Non-banking financial technology: the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities and the FRA’s implementing framework make “digital licensing” workable in practice (FRA Decree Nos 139, 140 and 141 of 2023), especially in relation to:
1. digital identity, digital contracting and compliance requirements for NBFS delivered through fintech;
2. outsourcing registry and third-party service provider governance;
3. tech infrastructure and cybersecurity requirements for supervised entities; and
4. sandbox and specific digital programme rules – eg, for robo-advisors, digital insurance brokerage and digital policy issuance.
• Consumer finance: Law No 18 of 2020 (the “Consumer Finance Law”) and FRA decrees shape the product and conduct layer, including model contract templates, affordability and instalment-to-income constraints and rules on cash advances.

It is worth noting that in 2024, the FRA issued Board Decision No 184 of 2024, deciding to suspend the incorporation and licensing of consumer finance companies that intend to engage in consumer finance activity non-digitally for a renewable period of one year, and in 2025 the FRA renewed the suspension (via Board Decision No 237 of 2025) for an additional one-year period starting on 11 October 2025. This exempts companies and entities wishing to engage in consumer finance activities via financial technology (fintech), in accordance with the provisions of the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities, as part of the FRA’s approach to promoting digital transformation in financial activities and supporting financial innovation.

Typically, factoring is FRA-supervised as an NBFS activity, and where digitised, it also falls within the FinTech Law category covering digital onboarding, contracting and outsourcing controls. Insurance is FRA-supervised, with a distinct digital rulebook for digital issuance and digital brokerage activities that sits alongside general insurance regulation.

Law 194/2020 empowers the CBE to set disclosure and transparency requirements and supervise customer protection for entities within its perimeter; the general consumer protection statute does not apply to CBE-regulated entities (Article 216). The CBE can set rules for service pricing disclosure and quality standards (pricing rules can be issued per Article 186, and service quality/continuity obligations per Article 198).

The CBE licensing rules reference public registry transparency and oversight; they do not enumerate fee caps for PSPs/PSOs in the provided excerpts. Banks retain authority to set returns and service prices subject to disclosure rules and competition safeguards in Law 194/2020 (Article 89).

FRA-regulated non-banking financial entities may be compensated via monthly and annual fees for providing finance to clients, in addition to administrative fees and any other fees that may apply.

The FRA have issued standardised contract models. NBFS companies are obliged to comply with the provisions stated in these models as a minimum requirement. As an example, a consumer finance contract shall include clear fee and pricing disclosure, including:

• the finance amount;
• the fees and annual interest rate;
• administrative and any other expenses; and
• the total amount due.

In Egypt, regulation of fintech participants differs from that of banks in ways that are structural, not cosmetic. The key is the regulatory perimeter; banks are supervised as systemic deposit takers, while most fintechs and NBFS models are supervised as payments or credit providers, with a heavier focus on operational and conduct risks.

Regulation Overview

Legacy banks are regulated under the CBE licensing regime (the Central Bank and Banking System Law). Fintechs providing payment services or operating payment systems also fall under the supervision of the CBE, but under a payments framework that is distinct from the banks. Fintech-enabled NBFS models typically fall under the FRA and the relevant NBFS sector law, with a fintech overlay for fintechs engaging in non-banking financial activities. A central distinction for fintechs is how customer funds are provided, protected and audited, often via electronic integration with the FRA, safeguarding, guarantees and operational controls rather than deposit protection (as with banks).

Operational Emphasis

Banks are regulated primarily with respect to balance sheet risk, capital, liquidity, credit risk and stability. However, many fintechs are regulated more with respect to resilience, cybersecurity, governance, outsourcing risk and fair customer outcomes, even where licensing is required (governed by the Central Bank and Banking System Law, Law No 10 of 2009, the Consumer Finance Law and the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities).

Customer Protection is Handled Differently

For CBE-licensed entities, the general Consumer Protection Law is not applicable, and customer protection is administered through the CBE’s regime – including complaints handling and related requirements. NBFS firms are generally subject to the consumer protection laws and regulations, as well as FRA conduct rules and sector laws (Law No 10 of 2009 and the Consumer Finance Law).

AML/CFT Obligations: Same Goal, Different Supervisory Track

Banks typically encounter AML/CFT obligations through CBE supervision and banking onboarding standards, while NBFS and some fintech models are commonly supervised through their sector regulator’s framework alongside the general AML statute (Law No 80 of 2002 – the “Anti-Money Laundering Law”).

Outsourcing and Critical Tech Providers

Fintechs outsourcing service providers are regulated either by the CBE or the FRA, depending on the service provided, because banks and regulated firms can only outsource certain critical services to licenced providers (either via the CBE or the FRA, depending on the service provided) that meet regulator-imposed requirements, and with the regulated firm remaining responsible (governed by the Central Bank and Banking System Law and the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities).

Data Protection and Bank Secrecy

Beyond Law No 151 of 2020 (the “Personal Data Protection Law” – PDPL), banks are bound by statutory bank secrecy requirements, restricting sharing or monetising customer data and covering accounts, deposits, valuables and transactions. Disclosure is allowed only in case of customer consent or a judicial order, or if necessary in relation to regulatory sharing, AML/CFT, credit information frameworks, disputes, limited M&A due diligence and controlled access by outsourced providers.

Fintech and NBFS entities remain subject to the PDPL with respect to cross-border transfers and direct marketing. Many are contractually held to bank secrecy standards when handling bank customer data.

Egypt operates two main regulatory sandboxes:

• the CBE’s FinTech Egypt sandbox for banking and payments; and
• the FRA’s sandbox for NBFS.

The CBE sandbox is typically cohort-based and time-limited, allowing firms with market-ready solutions to perform tests under supervision within defined parameters, and with core controls in place (including KYC, AML/CFT and data protection).

The FRA sandbox provides a controlled testing environment for both licensed and unlicensed firms to pilot technology-driven NBFS products directly with consumers through a staged process of application, approval, testing and evaluation, with outcomes including approval to scale, extended testing or exit. It also increasingly aims to focus on consumer protection and supervisory priorities, such as suptech and responsible AI governance, including managing “black-box” model risk.

The CBE governs banks and the payments ecosystem (PSOs/PSPs), including licensing, operations, customer protection and enforcement (Law 194/2020, Articles 184–199, 201, 205–206, 216 and 225).

The FRA governs non-banking financial activities. However, a licensed consumer finance company that provides payment services through prepaid cards in co-operation with a bank must comply with the CBE’s PSP rules. The partnering bank must also obtain the CBE’s approval for the issuance of prepaid cards. In practice, the FRA’s role is limited to approving the consumer finance company’s participation in the card arrangement, and CBE oversight applies once the bank seeks and obtains approval to issue co-branded prepaid cards.

In Egypt, “no-action” letters are not issued by any of the fintech regulators – the regulators have the discretion to act at any time, and no letter is capable of limiting this discretion.

The CBE internet banking rules require prior CBE approval before outsourcing internet-banking services, and impose vendor-related controls relating to due diligence, audit and oversight rights, information security and business continuity requirements, and contractual safeguards – including termination and orderly exit. Cross-border outsourcing must be in compliance with Egyptian law (Rules s2-2-2-3, 2-2-2-7 and 3-7).

According to the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities and FRA Decree Nos 139, 140 and 141, NBFS companies may outsource specified fintech services only to providers registered in the FRA’s FinTech Outsourcing Service Providers Register, and no entity may provide such outsourcing services without that registration. The outsourcing provider must be established in Egypt and, if not already an Egyptian joint stock company, must be converted into one within the period prescribed by the relevant FRA decree. The provider must also notify the FRA of outsourcing contracts (and material amendments) and comply with the FRA’s applicable outsourcing requirements.

PSOs/PSPs must ensure service continuity, non-discrimination, and the security of systems and data (Law 194/2020, Article 198). Failure to comply can lead to staged measures and monetary sanctions, activity restrictions and management removal (Articles 195–196).

The PDPL assigns direct duties and penalties to controllers and processors for unlawful processing, security lapses, sensitive data misuse and cross-border violations (Articles 4–16 and 36–42).

Cybercrime Law 175/2018 and ER 1699/2020 impose minimum technical and organisational standards, and penalise noncooperation and security breaches. The standards pertain to encryption (Advanced Encryption Standard 256) and multifactor/strong authentication.

The CBE criminalises breaches of Articles 184, 205 and 206 of Law 194/2020 with imprisonment and fines ranging from EGP1 million to EGP10 million (Article 225). Violating money transfer licensing under Article 209 can trigger criminal penalties (Article 233).

The PDPL imposes fines and custodial penalties for unlawful data processing, sensitive data misuse, cross-border violations and marketing breaches (Articles 36–43).

If a fintech NBFS company breaches the FinTech Law or its implementing regulations, ceases to meet any licensing condition or engages in activities that threaten market stability or the interests of its shareholders or clients, the FRA board may take one or more of the following measures:

• issue a warning requiring rectification within a specified period and under specific conditions;
• require the company’s board or General Assembly to convene in the presence of an FRA representative to address the violations and adopt corrective actions;
• dissolve the board and appoint a commissioner to manage the company for up to six months, extendable once for a further six months, during which time the commissioner must refer the matter to the General Assembly to appoint a new board in accordance with the law;
• prohibit the company from conducting business or entering into new contracts for up to six months; and/or
• revoke the licence to carry on the activity.

The following are of relevance.

• Data protection: The PDPL is one of the primary horizontal regimes, governing lawful basis, security, records, data protection officers (DPOs), breach reporting, licensing/authorisation for sensitive data and cross-border transfers and penalties (Articles 2–17, 26–28 and 36–42). It applies equally to legacy and fintech in relation to all non-CBE regulated players and activities – the CBE has its own separate data protection rules, which apply only to CBE-regulated entities.
• Cybercrime: Cybercrimes Law 175/2018 and ER 1699/2020 set security controls pertaining to Advanced Encryption Standard 256-level encryption with secure key management, digital evidence handling and provider obligations.
• Consumer protection (CPA): Law No 181 of 2018 (the “the Consumer Protection Law”) applies horizontally to suppliers and service providers, mandating consumer disclosures and governing complaint handling. It tends to affect fintechs more in practice because onboarding, remote contracting and marketing are predominantly digital.
• Media: Law No 180 of 2018 (Supreme Council for Media Regulation – SCMR) regulates online media and advertising content, and legacy players are usually less exposed than fintechs because fintech customer acquisition relies heavily on social media and online campaigns.
• Telecoms: Where products rely on telecoms infrastructure – eg, one-time passwords (OTPs), short message service (SMS), short codes, comms delivery – the Telecommunications Law and National Telecommunication Regulatory Authority (NTRA) licensing and sector rules apply.
• E-signatures: Law No 15 of 2004 (Information Technology Industry Development Agency – ITIDA) is relevant where the model depends on legally effective e-signatures and electronic transaction trust services – an area in which fully digital fintechs are more heavily dependent compared to non-digital legacy players.
• Intellectual property: IP Law No 82 of 2002 (as amended) governs key risks related to code ownership, licensing, branding, trade marking and protection (specifically trade secret protection) – this is typically more relevant to fintechs given that their value lies in software and data.

External accounting and auditing firms are the only entities beside regulators that may review the activities of industry participants to ensure compliance and the accuracy of financial records.

Entities offering services regulated by the CBE, and NBFS companies regulated by the FRA, are authorised to offer only the services covered by their licences. A single legal entity may engage in multiple activities, subject to prior approval by the relevant regulator.

CBE (Regulated Fintechs and Vendors Partnering With Banks)

Banks and CBE-supervised payment actors are required to comply with the Anti-Money Laundering Law (as amended by PM Decree No 3331/2023), including as it pertains to customer due diligence (with heightened focus on higher-risk customers/transactions) and prompt reporting of suspicious transactions to the Egyptian Money Laundering and Terrorist Financing Combating Unit (EMLCU). The CBE approved updated AML/CFT controls for banks on 19 December 2023.

FRA (Fintechs Providing NBFS)

FRA Board Decree No 161/2024 requires FRA-supervised NBFS entities to:

• maintain an internal AML/CFT manual covering systems and procedures;
• perform due diligence in line with EMLCU-issued procedures; and
• immediately notify the EMLCU of suspected money laundering/terrorist financing-related transactions (including attempts), using internal escalation channels and systems to detect/report suspicious activity.

Egypt’s AML/CFT framework is designed to align with the FATF Recommendations, and Egypt is assessed through Middle East and North Africa Financial Action Task Force (MENAFATF) mutual evaluations, which assess technical compliance to the FATF 40 Recommendations and the FATF methodology. The primary domestic law relevant here is the Anti-Money Laundering Law and its Executive Regulations.

Egypt is a member of the MENAFATF but not of the FATF. Nevertheless, in line with the FATF, Egypt is expected to implement targeted financial sanctions linked to UN Security Council resolutions (with respect to terrorism and proliferation financing).

The CBE licensing rules require that institutions outside Egypt providing PSO/PSP services to residents obtain a CBE licence. The rules list preconditions such as home authorisation and experience, but do not provide reverse solicitation protection. However, Egyptian citizens may use the services of foreign banks or fintechs located offshore. In this case, the services are offered offshore.

Regarding NBFS, any such services may only be provided by an Egyptian joint stock company. However, the FRA recently – as per Decree No 158 of 2025 – allowed non-resident foreign reinsurance brokers to be registered in the Non-Resident Foreign Reinsurance Brokers Register. Insurance and reinsurance companies are not allowed to deal with reinsurance brokers who are not registered in this register.

Crypto/e-money activities, including issuance, trading, promoting and operating trading platforms, are prohibited absent a specific CBE board licence (Law 194/2020 Article 206).

FRA Board Decision No 57 of 2024, issued within the broader framework of the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities, sets the rules for the provision of “robo-adviser for investment” services by FRA-licensed portfolio formation and management firms.

In practice, legacy players implement robo-adviser solutions through hybrid models that automate risk profiling and suitability assessment, offer model portfolios and use rules-based monitoring and rebalancing triggers, while still retaining human oversight and maintaining governance documentation for algorithm design, review and updates to meet auditability and accountability expectations.

Best execution issues arise even where a retail trading app routes orders straight to the exchange and execution is automated once the order reaches the order book, because execution can still be affected by the market’s trading rules and controls.

Key issues include:

• price and costs – whether the customer uses market or limit orders, and whether fees, spreads and slippage mean the customer did not achieve the best available outcome;
• speed and reliability – including latency and outages;
• likelihood of execution and settlement – including partial fills, illiquidity and exchange suspensions;
• order handling fairness – including time priority, and ensuring non-discriminatory treatment and avoidance of conflicts in how orders are routed/managed; and
• governance and auditability – maintaining an execution policy, monitoring execution quality and keeping the audit trail and error-handling process consistent with the exchange rule framework.

Egypt’s banking and non-banking financial sector is shifting towards fintech-enabled online lending by both banks and NBFS companies, with the permitted loan products differing by borrower type.

CBE

Bank lending is governed by the Central Bank and Banking System Law, with separate SME-specific banking lending rules. Article 205 requires CBE approval for digital finance that is bundled with payment and collection services, regardless of the provider’s legal form. Non-banking consumer lending is regulated by the FRA under the Consumer Finance Law and related FRA decisions (including 869/2021 and 81/2023).

FRA

Microfinance, nano-finance and SME finance companies may finance micro, nano-, and SME businesses only. Consumer finance companies primarily extend credit to individuals for consumer purchases, and generally may not provide cash loans – except cash loans up to EGP50,000 when pre-approved by the FRA under Decree No 81 of 2023 and Decree No 138 of 2025, subject to a cap whereby cash lending may not exceed 20% of the portfolio. Separately, Decree No 318 of 2025 permits financial leasing, factoring and SME finance companies to offer financing in foreign currencies.

Banks that co-operate with fintech companies under the relevant CBE regulations for a given service typically require those fintech companies, by contract, to comply with the CBE’s KYC and customer due diligence rules. The CBE internet banking rules also require KYC, customer due diligence, and enhanced due diligence for online services, as well as manual verification for certain high-risk or credit operations (Rule s3-4-5).

The FRA provides relevant companies with a default monitoring system, including a list of defaulting customers. In practice, fintech underwriting in Egypt is shaped by industry standards and regulatory requirements set by the FRA, CBE and other authorities, and commonly includes the following:.

• technology-enabled credit scoring using factors such as credit history (including the iScore), income verification (employment details and business revenue), spending habits (from bank transaction or third-party data) and sports club membership (including the club’s perceived social status);
• AI-based risk assessment models to estimate repayment likelihood based on financial behaviour and other data points, enabling faster decisions; and
• electronic KYC (E-KYC), where the FRA requires fintech companies to verify client identity by collecting personal information (eg, national ID and proof of address) and conducting checks to support AML compliance. Banks and NBFS companies also manage default risk through insurance policies covering their portfolios, by entering into portfolio default insurance.

NBFS companies may fund the loans they offer to clients through various sources. Each funding source has its own legal and regulatory considerations. The main sources of fiat currency funds for loans include the following.

Company’s Paid-In Capital

NBFS companies may use their own paid-in capital to finance loans. This capital is typically raised from the company’s shareholders and can be used to provide loans to clients directly.

Using equity capital can be advantageous as it does not create debt liabilities. However, there are some legal requirements regarding capital adequacy, which vary among NBFS. The FRA set minimum capital requirements to ensure that the company remains solvent and capable of fulfilling its obligations to clients.

Loans Repaid by Shareholders

NBFS companies may borrow funds from shareholders, typically in the form of shareholder loans, to finance lending activities. These loans may be repaid once the company has enough cash flow from its loan portfolio.

Shareholder loans are subject to specific legal conditions regarding interest rates, repayment terms and documentation. The FRAs require these transactions to be properly disclosed to and pre-approved by other shareholders, ensuring that the interest rates charged are not excessively high or exploitative.

Different Types of Bank Facilities

NBFS companies often rely on credit facilities (such as term loans) provided by banks to finance their lending products. These credit facilities can be used to fund the loans made to clients. Borrowing from banks is regulated by the CBE, which sets guidelines for lending practices. NBFS companies must follow key regulations:

• AML: Under the Anti-Money Laundering Law, NBFS companies must implement strict AML measures, including KYC checks, monitoring for suspicious activity and reporting to the EMLCU.
• Leverage and borrowing limits: The FRA sets rules to prevent NBFS companies from over-leveraging. According to the FRA’s decrees, companies must maintain a certain capital adequacy ratio, ensuring they do not take on too much debt relative to their capital.

Securitisations

NBFS companies may convert future receivables into tradable securities (bonds), which are sold to investors. These securities are backed by the future payments that are expected to be made by virtue of consumer finance payments, microfinance payments, etc. By securitising these future cash flows, the company can raise funds upfront.

Securitisation is a complex financing mechanism that involves multiple legal, regulatory and structural considerations. One of the key regulatory requirements is disclosure, as NBFS companies must provide investors with comprehensive and accurate information regarding the bonds. This typically includes conducting a detailed due diligence review of the securitised portfolio.

In addition, the issued securities must comply with regulatory requirements relating to the credit rating, transparency, investor protection, and the preparation and issuance of an information memorandum. The transaction is also subject to extensive oversight by the FRA, requiring multiple approvals at various stages of the securitisation process.

Fiat currency loans issued by banks may be syndicated in accordance with CBE laws and the relevant regulations. Unlike banks, NBFS companies do not issue such syndicated loans or credits for their clients.

Entities may operate new payment rails if licensed as PSOs under Law 194/2020 (Articles 184–185) and the CBE rules, including meeting the EGP500 million capital requirement and operational standards (Rule s2-2-2-3(d)). PSPs that are not PSOs must use authorised systems and stay within their licensed scope.

Cross-border payments and remittances in Egypt are primarily under CBE oversight, and are conducted through banks and CBE-licensed money transfer companies. Money transfer companies require a CBE licence under the Central Bank and Banking System Law (Article 209), with minimum capital and a CBE-registered auditor, and cross-border transfers are expected to be routed through licensed channels under the foreign exchange perimeter.The main regulatory focus areas are licensing and operational controls, foreign exchange compliance and FX fraud, and AML/CFT and sanctions compliance – including risk-based customer due diligence and suspicious transaction reporting to the EMLCU. Fintechs providing remittance-like payment services are under the CBE payments licensing and oversight framework.

The following are permissible.

• Regulated securities exchanges (public market): Trading in listed securities occurs on a licensed stock exchange under the Capital Market Law. Trades outside the exchange are void, with execution required through a licensed securities company (the Capital Markets Law, Articles 15–18).
• Exchange-registered transactions for non-listed securities (OTC): Egyptian rules provide for unlisted securities to be registered with an exchange rather than traded in an unregulated OTC market. The FRA issues rules governing the trading and ownership transfer of unlisted securities (the Executive Regulations of the Capital Market Law).
• Private exchanges and specialised venues (alternative trading systems (ATSs): The Executive Regulations allow “private exchanges” operating as joint stock companies, with trading limited to specified securities subject to FRA board approval and licensing, and with compliance obligations aligned to securities company rules (Articles 104–106).
• Non-banking fintech digital platforms: Where a platform functions as a marketplace for non-banking financial products, the FRA applies a two-layer approach: (i) the platform must be in scope of the fintech framework for NBFS activities, and (ii) it must remain subject to the underlying sector laws for that activity. The FinTech Law explicitly defines a “digital platform” business model for offering products and completing transactions (the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities).

Traditional capital markets instruments (such as shares, bonds, sukuk and other regulated instruments) are under the FRA capital markets perimeter and exchange rules approved by the regulator (the Capital Market Laws).

“Security tokens” do not have their own “token” regime in the primary legislation, so treatment is generally substance-based: if the token economically represents a regulated security, it is subject to the Capital Markets Law.

Cryptocurrencies and crypto platforms are treated fundamentally differently: the issuance, trading or promotion of cryptocurrencies is prohibited without a CBE-board licence (the Central Bank and Banking System Law, Article 206). As of 30 December 2025, there are no indications that the government or the CBE will change its stance on legalising or licensing any crypto-asset.

The CBE has clearly indicated prohibition by default on any form of trading or commercialisation of cryptocurrency, as well as any formal government involvement in the use or adoption of cryptocurrency, with a licensing gateway controlled by the CBE board for crypto issuance/trading/promotion/platform operation (the Central Bank and Banking Sector Law, Article 206).

Practically, this means centralised and decentralised cryptocurrency exchanges cannot lawfully operate or market in Egypt.

Regulatory listing standards for Egyptian Exchange (EGX) listing/delisting are under the FRA’s listing framework (FRA Board Decision No 11 of 2014 on the Listing and Delisting Rules).

Regulatory standards typically cover eligibility and documentation requirements for admission, ongoing disclosure and periodic reporting, governance-related conditions and delisting triggers – all implemented through exchange committees under the regulator’s framework (FRA Board Decision No 11 of 2014).

Industry norms include audited financials, consistent disclosure discipline, governance hygiene and predictable ongoing reporting, mainly because the exchange and regulator can suspend or intervene where trading would harm the market or where there is manipulation risk (the Capital Markets Law, Articles 20 bis and 21).

Order handling rules apply in Egypt, and they are governed by a combination of executive regulations, exchange internal rules and market-specific guidelines.

The executive regulations of the Capital Market Law require transparent and fair execution, proper documentation and record-keeping with respect to client instructions, and honest, competent broker conduct (governed by the Capital Markets Law as it pertains to general trading principles).

In 2024, the EGX issued the Trading Rules Book – 5th Edition, which further elaborates on the rules governing the trading of listed and unlisted securities on the EGX. This updated book includes provisions on:

• order handling, covering order execution procedures;
• limit orders, market orders, stop-loss orders and margins; and
• matching buy and sell orders.

The Trading Rules Book ensures that all market participants comply with the necessary standards to ensure market integrity, fairness and investor protection.

According to the Capital Markets Law, Article 17, any trading of listed securities outside of the exchange is null and void.

The Egyptian Capital Markets Law, FRA decrees and EGX trading rules do not regulate payment for order flow. However, it is prohibited for any brokerage firm to follow a policy or conduct operations that may harm its clients or violate their rights, and it is also prohibited for them to engage in operations for their own interests.

The EGX Trading Rules Book mentions some of the most important types of illegal trading practices, including: “Exploiting an order or a group of orders issued by a client or a group of clients, where the quantities of these orders could potentially move the price of a security, or engaging in trades in the same direction as these orders before their execution, in a manner that could generate profits through the illicit exploitation of client orders. It is also prohibited to agree with others or issue recommendations for them to move in the same direction as these orders before their execution”.

Three core pillars under the Capital Markets Law, Article 20 are:

• insider dealing restrictions;
• anti-manipulation powers; and
• disclosure discipline.

The Law prohibits trading on the basis of material non-public information, and it also prohibits tipping (Article 20). The Executive Regulations further define and give instructions regarding price manipulation, the use of inside information and insider dealing, with these activities being strictly prohibited across all market participants (the Capital Markets Law, Articles 316–319).

In Egypt, there is no standalone algorithmic trading law. The regulated activities are dealing and brokerage services, portfolio management, fund management, market-making and futures brokerage. In practice, automated tools must be designed and used so that they do not facilitate market abuse and manipulative orders, such as practices that create a misleading appearance of trading or artificially manipulate prices by submitting orders to trading systems.

The Capital Markets Law and Ministry of Investment Decree No 293 of 2007 regulate market-maker licensing and activity.

Market makers are licensed to operate in accordance with the procedures set out in the Capital Markets Law. The board of directors of the FRA sets the standards for financial solvency and the expertise and competence required to conduct market making, in addition to the requirements for membership of the EGX. The market maker is obligated to:

• buy and sell the securities they are committed to making a market for, at their own expense, during official trading hours – provided that these securities are listed on the EGX;
• submit sell offers and buy orders for the securities they are committed to making a market for during official trading hours; and
• adjust the offers and orders they submit within the period specified by the EGX administration.

The difference between the bid and ask prices, and the quantities of the bids and asks, must not exceed the percentage and quantities determined by the EGX based on the type of security and its trading activity.

If the EGX objects to the prices of the offers and orders submitted by the market maker, they must submit realistic prices. If they fail to do so, the EGX president may suspend offers and orders subject to the objection and inform the authority. The market maker may engage in margin trading and borrow securities for the purpose of selling securities they make a market for, provided that such securities are allowed to be traded in accordance with these activities.

The regulators in Egypt distinguish sharply between funds and dealers. Funds are defined as collective investment vehicles. They convert investor subscriptions into fund units, invest according to an approved investment policy and operate according to the governance requirements of the Capital Markets Law and Prime Minister Decree No 135 of 1993, as amended. Dealers and brokers are defined and regulated as market intermediaries. They execute and route orders, may deal for their own accounts and are supervised in relation to conduct, client asset protection and market integrity. Dealers and brokers are both subject to market abuse prohibitions and disclosure duties, but their client-facing obligations and licensing perimeter are different.

While programmes and programmers are not in and of themselves regulated, the licensed firm that deploys the tool or product is regulated. Companies are required to maintain and ensure governance, controls, audit trails and compliance so that programmes do not enable prohibited trading behaviours (governed by the Capital Markets Law).

In Egypt, insurers generally follow a standard underwriting workflow. They collect proposal data, assess risk, set pricing and terms, decide on acceptance or exclusions, arrange reinsurance where needed, and issue and administer the policy – increasingly through digital channels.

Regulation does not prescribe a single underwriting “method”, but it does impose guardrails that directly shape how underwriting is done under FRA supervision. The Unified Insurance Law confirms that the FRA has exclusive competence for the “licensing, supervision and oversight” of insurance activities. Insurers must establish technical provisions based on any report prepared by an actuary “registered with the Authority”, and those provisions must follow “technical bases approved by the Authority’s board”. For digital underwriting and issuance, the law allows certain standardised policies to be issued electronically – but only if the insurer obtains the FRA’s prior approval and complies with FRA control measures (Law No 155 of 2024; the “Unified Insurance Law”).

Different types of insurance are treated differently by both industry participants and the regulator. The Unified Insurance Law categorises insurance into distinct types and branches, and applies different technical expectations accordingly under FRA oversight.

The law distinguishes “persons insurance and capital formation operations” (eg, life, long-term personal accident, long-term medical, pension and capital formation insurance) from “property and liability insurance” (including fire, transport and related liabilities, marine hull, aviation hull, comprehensive motor and compulsory motor liability, engineering, petroleum, energy, agricultural, miscellaneous accident and liability, credit, short-term medical and cyber insurance), and it also recognises specialised categories such as medical insurance and microinsurance.

This classification matters in practice because liabilities and risk dynamics differ accordingly. Technical provisions and prudential treatment are not uniform across lines, and the law also imposes specific conduct constraints on persons and capital formation insurance, including a prohibition on applying different terms or conditions to policies within the same category unless authorised by the FRA board.

Regtech is not specifically regulated, and the applicable regime depends on how and where a regtech product is used. If the product is used by banks, PSPs or PSOs, the primary regulator is the CBE under the Central Bank and Banking System Law. In practice, regtech vendors are bound by the regulated client’s mandatory requirements for confidentiality, cybersecurity, auditability, business continuity, incident response and outsourcing controls, and must be registered in the CBE Outsourcing Service Providers Register.

If the product is used by NBFS firms, the primary regulator is the FRA, anchored in Law No 10 of 2009 and the Law Regulating and Developing the Use of Financial Technology in Non‑Banking Financial Activities. The most directly relevant pieces of legislation for regtech vendors are the FRA board of director decrees (Decree No 139 of 2023, Decree No 140 of 2023, and Decree No 141 of 2023, as amended by Decree No 68 of 2025 (amending Decrees 140 and 141) that operationalise technology governance and outsourcing for fintechs providing NBFS. Vendors must be registered in the FRA Outsourcing Service Providers Register.

Even where the regtech provider is “simply a vendor”, horizontal regimes still apply. The PDPL applies to controllers and processors and provides security, governance and cross-border transfer requirements, although it includes an exemption for personal data held by the CBE and entities subject to its control and supervision. Therefore, bank-facing regtech is primarily driven by CBE confidentiality and security requirements, while for NBFS use cases the PDPL applies.

In Egypt, regulated firms typically rely on a few key contractual terms pertaining to:

• detailed service level agreements (SLAs) and key performance indicators (KPIs);
• testing and validation duties (especially where analytics affect customer outcomes);
• audit and inspection rights;
• mandatory incident notification timelines;
• change-of-management controls;
• subcontractor restrictions;
• data minimisation, duplication and retention; and
• clear allocation of responsibility for false positives/negatives and resulting customer harm.

These are relied on as a practical way to evidence compliance with statutory obligations around security, lawful processing and safe operations.

The regulator, whether the CBE or the FRA, imposes operational requirements, including technology tool requirements, on licensed entities. These entities must adhere to such requirements in their contracts with the service provider.

In Egypt, the use of blockchain by traditional financial institutions is not illegal per se and is typically framed as a back-end technology option (eg, for internal recordkeeping, reconciliation, controlled pilots or back-end tokenisation) rather than a public crypto activity. The key distinction is that the issuance, trading or promotion of “virtual currencies” is statutorily restricted without CBE approval, so institutions cannot provide retail-facing crypto rails and related products. Instead, they can focus on institutionally governed, permissioned implementations given that no outright prohibition exists on the use of blockchain technology.

The regulators’ approach to blockchain is cautious. If blockchain is used to perform or support a regulated financial activity, existing sector rules apply. Blockchain is generally treated as a technology option rather than as a standalone regulated category. The key factor is whether the use case invokes virtual currencies, which remain statutorily restricted, without CBE approval. Thus, market practice tends towards non-crypto enterprise implementations and controlled pilots, rather than public crypto use (governed by the Central Bank and Banking System Law, Article 206).

As per 10.2 Local Regulators’ Approach to Blockchain, there is no framework that directly regulates or classifies blockchain assets. Not all blockchain assets are automatically regulated financial instruments in Egypt. The classification (if any) follows strict rules – if the token represents or functions like a security (eg, share, bond, fund or interest), capital markets rules can apply regardless of the “token” label. By contrast, if the asset is a “virtual currency” used as a medium of exchange or store of value, it is subject to the Central Bank and Banking System Law unless CBE approval is obtained (governed by the Capital Markets Law; Ministerial Decree No 135 of 1993; and the Central Bank and Banking System Law, Article 206).

As per 10.2 Local Regulators’ Approach to Blockchain, there is no framework that directly regulates or classifies blockchain assets or issuers. The tokenisation of real-world assets also raises concern – even if a blockchain record is operationally robust, “legal title” and enforceability still depend on the applicable underlying asset transfer formalities (subject to the form and sector-specific requirements and regulations) and the regulator’s satisfaction with respect to custody, auditability and investor protection. In short, tokenisation may be technically feasible, but the enforceable regulations are what determines whether it can be offered to the public within Egypt’s regulated markets.

As per 10.2 Local Regulators’ Approach to Blockchain, blockchain is treated as a technology, but where a platform use case involves cryptocurrencies, the Central Bank and Banking System Law (Article 206) applies: the issuance, trading or promotion of cryptocurrencies is prohibited without a CBE board licence.

For blockchain-based instruments that qualify as securities, secondary trading would need to be in accordance with the capital markets regime under FRA supervision, with appropriately licensed intermediaries and trading venues. Furthermore, peer-to-peer trading or lending is not permissible in Egypt, regardless of what asset is traded.

There are no laws regulating the staking of cryptocurrencies in Egypt. Without explicit approval or a licensing structure, offering staking to the public is prohibited in Egypt.

Crypto-backed or crypto-denominated lending is not clearly regulated by a dedicated framework in Egypt. If the product involves virtual currencies, the Central Bank and Banking System Law restriction is the primary issue, and marketing/solicitation can result in risk.

Offering cryptocurrency derivatives, a restricted virtual currency, is illegal under the Central Bank and Banking System Law, Article 206, and the Capital Markets Law.

Egypt does not currently operate a dedicated DeFi regulatory regime. If a DeFi product facilitates the trading or promotion of virtual currencies, the Central Bank and Banking System Law restriction remains relevant, and decentralisation does not eliminate liability for operators, promoters, brokers or facilitators.

Generally, funds are regulated under the Capital Market Law, regardless of whether they invest in “blockchain-linked” assets. In practice, funds investing in conventional blockchain-related assets outside of Egypt are permitted according to the existing rules, whereas funds holding virtual currencies are not permitted under the Capital Markets Law and the Central Bank and Banking System Law. An investment fund is obliged to follow the investment plan stated in its information memorandum, as approved by the FRA (governed by the Capital Markets Law and the Central Bank and Banking System Law, Article 206).

Virtual currencies are specifically addressed by the Central Bank and Banking System Law. “Blockchain assets” as a broader concept can include many things that are not used as currency.

Non-fungible tokens (NFTs) are not regulated inside the financial regulatory framework in Egypt, since any tradeable asset must be approved by the FRA in order to be traded publicly.

Stablecoins are typically treated as a form of virtual currency in most jurisdictions, and the Central Bank and Banking System Law restricts their use in the absence of CBE approval of the issuance or dealing thereof.

Egypt does not have a Revised Payment Services Directive (PSD2)-style statutory mandate forcing banks to open APIs to third-party providers as a general right.

As per 11.1 Regulation of Open Banking, open banking is not a regulated activity, so this issue is not applicable in Egypt.

In Egypt, fraud in financial services and fintech is typically prosecuted as one of several different types of offence. Classification as criminal fraud under the Penal Code (Law No 58 of 1937) requires:

• deceptive conduct via legally recognised fraudulent means (using a false name or acting in a false capacity, creating a false impression about a project, profit, debt, entitlement, etc); and
• provision by the victim of money or other movable property, a document, or a release/settlement, with intent to appropriate the benefit.

Cybercrimes Law No 175 of 2018 considers unauthorised access to bank card or e-payment data an offence, particularly where the purpose is to obtain another’s funds or services. Other offences pertinent to fintech include fabricating or impersonating websites, accounts or emails – a common issue in phishing and account takeover.

In regulated markets, the Capital Markets Law defines “fraud” as false or misleading disclosure of materials and corporate records, sham trades, recording artificial prices or attempting to influence market prices by deceitful means. The Central Bank and Banking Sector Law governs banks and payment ecosystems (including in respect of licensing and sanctions).

The CBE’s focus in relation to banking and payment ecosystems is on:

• impersonation inducing customers to disclose credentials or “authorise” transfers (phishing, smishing, pharming and vishing);
• credential theft and account takeover leading to misuse of card and e-payment data (executing fraudulent transactions); and
• sector-level fraud governance and co-ordinated responses through the Fraud Combating Central Department and fraud awareness and training initiatives.

Regarding NBFS, the FRA focuses heavily on onboarding and identity manipulation (eg, fake IDs and changes of mobile number ownership), requiring multifactor digital identity checks (including possession factors, biometrics and liveness indicators) and verification of the customer’s mobile number ownership.

A second FRA priority is consumer finance monetisation schemes and fraud-related defaults (eg, financing a device and then reselling it for cash without servicing the instalments or using a fake ID), reflected in measures to implement a ban list for entities practising consumer finance cash-out and tighter controls around cash consumer finance (requiring proof of use and stronger traceability through digital records and e-payment rails).

A fintech service provider’s responsibility for customer losses is mainly civil, arising either in contract (breach of service terms) or in tort (a wrongful act causing harm), and is generally classified based on fault, damage and causation under the Civil Code (Law No 131 of 1948). Compensation may cover actual loss and missed gain where it is a natural consequence, but is subject to foreseeability limits absent fraud or gross negligence, may be reduced if the customer contributed to the loss and can be avoided where non-performance is due to a “foreign cause”. Agreed liquidated damages are permissible but courts may reduce excessive amounts, and exceeding the agreed amount requires proof of fraud or gross negligence.

In addition, liability can be vicarious, meaning the regulated entity or principal may be responsible for losses caused by its employees, agents or outsourced providers acting within the scope of their assigned work. Where the relationship falls under the Consumer Protection Law, service providers owe statutory remedies for defects or deficiencies, and liability-limiting clauses are void. However, for CBE-licensed PSPs (under the Central Bank and Banking System Law), the Consumer Protection Law does not apply. Instead, the CBE customer protection and dispute framework applies – including the requirement for licensed entities to ensure third parties comply, without relieving the licensed entity of responsibility for customer harm.