African Community Fund

Secure Mail Directive

Directive No.: ACF-DIR-001 | Effective Date: 10/11/2025 | Version: 1.0

PREAMBLE

WHEREAS the African Community Fund (the "Fund") operates as an international institution with full juridical personality under its Charter;

WHEREAS secure, authenticated, and legally recognised electronic communication is essential to the integrity of Fund operations, the Digital Share Registry, and Member relations;

WHEREAS Article 10.2 of the Charter mandates the maintenance of a secure Digital Share Registry and Article 7.4 requires good faith declarations consistent with KYC protocols;

WHEREAS the Fund operates a sovereign Certificate Authority to enable legally recognised digital signatures and robust identity management;

NOW THEREFORE, the Executive Committee hereby issues this Secure Mail Directive to establish minimum standards for electronic communication within the Fund's ecosystem.

ARTICLE 1: SCOPE AND APPLICABILITY

1.1 Covered Communications: This Directive applies to all electronic mail, messaging, and document transmission systems used for:

  • (a) Official Fund business, governance, and administrative functions;
  • (b) Member onboarding, share subscription, and capital calls;
  • (c) Loan applications, approvals, and servicing under Article 17;
  • (d) Access to and transactions within the Digital Share Registry;
  • (e) Transmission of financial statements, audit reports, and Program criteria;
  • (f) Any communication containing non-public, sensitive, or legally significant information.

1.2 Covered Persons: This Directive binds:

  • (a) All Members (Class A and Class B), their authorised signatories, and designated technical contacts;
  • (b) Members of the Executive Committee, ceremonial officers, employees, and consultants of the Fund;
  • (c) External auditors, independent valuers, and third-party service providers engaged by the Fund.

1.3 Exclusions: Public-facing communications published via the Fund's official website or Open Data portal are governed by separate publication policies.

ARTICLE 2: TECHNICAL SECURITY STANDARDS

2.1 Encryption Requirements:

  • (a) All covered communications shall be encrypted in transit using TLS 1.3 or higher, or equivalent internationally recognised protocols;
  • (b) Messages containing sensitive financial, personal, or governance data shall be encrypted at rest using AES-256 or equivalent;
  • (c) End-to-end encryption shall be employed for communications involving share transfers, redemption notices, or loan agreements.

2.2 Authentication and Identity Verification:

  • (a) All users shall authenticate via the Fund's sovereign Certificate Authority (CA) using X.509 digital certificates;
  • (b) Multi-factor authentication (MFA) shall be mandatory for access to systems handling covered communications;
  • (c) Certificate issuance, renewal, and revocation shall follow policies established by the Executive Committee and align with RFC 5280 and WebPKI best practices.

2.3 Digital Signatures and Non-Repudiation:

  • (a) Legally significant communications (e.g., subscription agreements, withdrawal notices, loan contracts) shall be signed using digital signatures issued by the Fund CA;
  • (b) Digital signatures shall comply with eIDAS, UETA, or equivalent frameworks to ensure cross-jurisdictional legal recognition;
  • (c) Signed messages shall include timestamping and integrity verification to prevent repudiation.

2.4 Approved Protocols and Interoperability:

  • (a) The Fund shall support S/MIME and PGP/MIME for secure email interoperability with Member systems;
  • (b) API-based communications shall utilise the Fund's Programmatic API with OAuth 2.0 or equivalent token-based authentication;
  • (c) Members integrating with Fund systems shall adhere to technical specifications published by the Executive Committee.

ARTICLE 3: DATA PROTECTION AND PRIVACY

3.1 Confidentiality: Covered communications shall be treated as confidential unless expressly designated otherwise. Unauthorised disclosure, interception, or forwarding is prohibited.

3.2 Personal Data Handling: Where communications contain personal data, processing shall comply with applicable international data protection standards and the Fund's Privacy Policy.

3.3 Cross-Border Transfers: The Fund's supranational status under Chapter V of the Charter exempts its operations from restrictive national data localisation laws. However, Members remain responsible for ensuring their own compliance with applicable domestic regulations when transmitting data to the Fund.

3.4 Retention and Archiving:

  • (a) Covered communications shall be retained for a minimum of seven (7) years, or longer if required by applicable law or Fund policy;
  • (b) Archival systems shall preserve message integrity, metadata, and signature validity for the full retention period;
  • (c) Members may request deletion of their personal data subject to legitimate Fund record-keeping obligations.

ARTICLE 4: INCIDENT RESPONSE AND BREACH NOTIFICATION

4.1 Reporting Obligations: Any suspected or actual compromise of secure mail systems (e.g., certificate theft, unauthorised access, phishing) shall be reported to the Fund's Security Office within twenty-four (24) hours of discovery.

4.2 Fund Response: Upon confirmation of a security incident, the Executive Committee shall:

  • (a) Contain and remediate the incident in accordance with the Fund's Incident Response Plan;
  • (b) Notify affected Members promptly and transparently;
  • (c) Revoke compromised certificates and re-issue credentials as necessary;
  • (d) Document lessons learned and update security policies accordingly.

4.3 Member Responsibilities: Members shall maintain reasonable security measures for their own systems and promptly update contact information for security notifications.

ARTICLE 5: COMPLIANCE, MONITORING, AND ENFORCEMENT

5.1 Compliance Monitoring: The Executive Committee, in consultation with the Audit Committee, shall periodically review adherence to this Directive through technical audits, penetration testing, and policy assessments.

5.2 Non-Compliance Consequences: Failure to comply with this Directive may result in:

  • (a) Suspension of secure communication privileges;
  • (b) Delay or rejection of transactions requiring secure channels (e.g., share transfers, loan disbursements);
  • (c) Referral to the Executive Committee for potential membership review under Article 4.3.

5.3 Waivers and Exemptions: The Executive Committee may grant limited, time-bound exemptions to this Directive where strict compliance would cause undue hardship and where alternative safeguards provide equivalent protection. Waivers shall be documented and reported to the Voting Meeting annually.

ARTICLE 6: LEGAL ADMISSIBILITY AND DISPUTE RESOLUTION

6.1 Presumption of Authenticity: Communications transmitted in compliance with this Directive shall be presumed authentic, intact, and attributable to the identified sender for purposes of Fund governance and dispute resolution.

6.2 Evidentiary Weight: Digitally signed messages, audit logs, and certificate validation records maintained by the Fund shall be admissible as evidence in proceedings before the Executive Committee or Voting Meeting under Article 27 of the Charter.

6.3 No Waiver of Immunities: Compliance with this Directive does not constitute a waiver of the Fund's immunities, privileges, or exemptions under Chapter V of the Charter.

ARTICLE 7: IMPLEMENTATION AND REVIEW

7.1 Effective Date: This Directive enters into force upon adoption by the Executive Committee and publication on the Fund's official website.

7.2 Member Onboarding: New Members shall receive technical documentation and credentials for secure mail integration as part of the onboarding process under Article 4.2 of the Charter.

7.3 Periodic Review: The Executive Committee shall review this Directive at least every two (2) years, or sooner in response to technological developments or security threats, and propose amendments to the Voting Meeting as appropriate.

7.4 Support and Training: The Fund shall provide technical support, documentation, and training resources to assist Members in complying with this Directive.

SCHEDULE A: MINIMUM TECHNICAL SPECIFICATIONS

Component Requirement Standard/Reference
Transport Encryption TLS 1.3 or higher RFC 8446
At-Rest Encryption AES-256-GCM or equivalent NIST SP 800-38D
Digital Certificates X.509 v3, SHA-256 signatures RFC 5280
Email Security S/MIME v3.2 or PGP/MIME RFC 8551, RFC 3156
API Authentication OAuth 2.0 + JWT or mTLS RFC 6749, RFC 7519
Multi-Factor Auth TOTP, FIDO2, or hardware token RFC 6238, W3C WebAuthn
Timestamping RFC 3161-compliant TSA RFC 3161
Audit Logging Immutable, tamper-evident logs ISO/IEC 27001

SCHEDULE B: CONTACTS AND SUPPORT

Function Contact Purpose
Certificate Authority Operations [email protected] Certificate issuance, renewal, revocation
Secure Mail Technical Support [email protected] Integration assistance, troubleshooting
Security Incident Reporting [email protected] Breach notification, incident response
Compliance & Policy Queries [email protected] Directive interpretation, waiver requests
General Membership Support [email protected] Onboarding, account management

Adopted by the Executive Committee of the African Community Fund on 10/11/2025.
Shared Value, Shared Prosperity.

Digital Signature md5-hlUOMMfg/zue25PDd+Sy3A==
Verify digital signature
©2026 African Community Fund
africancommunityfund.com