African Community Fund
Digital Share Registry Directive
Directive No.: ACF-DIR-004 | Effective Date: 13/04/2026 | Version: 1.0
PREAMBLE
WHEREAS the African Community Fund (the "Fund") operates as an international institution with full juridical personality under Article 2.1 of its Charter;
WHEREAS Article 10.2 mandates the establishment of a secure Digital Share Registry to record all shareholdings, transfers, and encumbrances;
WHEREAS Article 14.2(c)–(d) entrusts the Executive Committee with oversight of the Registry, share transfer protocols, and liquidity management;
WHEREAS Article 10.1 authorizes electronic transferability within share classes subject to international laws, sanctions regimes, and KYC/AML protocols;
WHEREAS Article 10.5 guarantees protection of Member shares from seizure, freezing, or confiscation except following material default and exhaustion of contractual remedies;
WHEREAS Article 13.5 authorizes the Chair to adopt directives consistent with the Charter to implement the Fund's mission;
NOW THEREFORE, the Chair hereby issues this Digital Share Registry Directive to establish the technical architecture, security protocols, operational procedures, and governance standards for the Fund's authoritative record of ownership.
ARTICLE 1: ESTABLISHMENT AND SCOPE
1.1 Official Record: The Digital Share Registry (the "Registry") shall serve as the sole, authoritative, and legally conclusive record of:
- (a) All issued Class A (Governance) and Class B (Non-Governance) shares;
- (b) Share ownership, beneficial entitlements, and class designations;
- (c) Electronic transfers, encumbrances, pledges, and collateral arrangements;
- (d) Redemption contracts, forfeiture records, and withdrawal statuses per Article 11.
1.2 Applicability: This Directive applies to all Fund operations, Members, authorized signatories, technical integrators, auditors, and third-party service providers interacting with the Registry.
1.3 Governance Oversight: The Executive Committee shall maintain ultimate policy authority over the Registry's specifications, security posture, and operational protocols, as delegated under Article 10.2(b).
ARTICLE 2: TECHNICAL ARCHITECTURE & SECURITY STANDARDS
2.1 Cryptographic Standards:
- (a) Data at rest shall be encrypted using AES-256-GCM or equivalent internationally recognized standards.
- (b) Data in transit shall be secured via TLS 1.3 or higher, with mandatory certificate pinning for API endpoints.
- (c) All Registry transactions shall be cryptographically hashed to ensure tamper-evidence and immutable audit trails.
2.2 Key Management:
- (a) Master encryption keys and signing keys shall be generated and stored in FIPS 140-2 Level 3 or higher Hardware Security Modules (HSM).
- (b) Key rotation, escrow, and multi-person control (M-of-N) protocols shall align with NIST SP 800-57 and ISO/IEC 19790 standards.
2.3 Zero-Trust & Network Security:
- (a) The Registry shall operate within a zero-trust architecture, requiring continuous identity verification and least-privilege access.
- (b) Intrusion detection/prevention systems (IDS/IPS), DDoS mitigation, and automated threat intelligence feeds shall be deployed.
2.4 Interoperability: The Registry shall expose secure, versioned APIs compliant with OpenAPI 3.0 specifications, enabling authenticated integration with Member systems, the ACF Certificate Authority (ACF-DIR-002), and the Fund's Programmatic API.
ARTICLE 3: SHARE LIFECYCLE MANAGEMENT
3.1 Issuance: Shares shall be recorded in the Registry upon:
- (a) Executive Committee approval of membership (Article 4.3);
- (b) Execution of the Subscription Agreement;
- (c) Receipt of the initial 20% payment per Article 7.2(a).
3.2 Electronic Transfer:
- (a) Transfers shall occur electronically within the same share class, subject to automated KYC/AML screening and sanctions compliance checks (Article 10.1).
- (b) Cross-class transfers or transfers to unverified entities shall require explicit Executive Committee approval.
- (c) The Registry shall automatically update voting eligibility (Class A only) and economic entitlements upon confirmed transfer.
3.3 Forfeiture: Upon resolution by the Executive Committee per Article 10.3, the Registry shall:
- (a) Immediately freeze associated economic rights;
- (b) Record the forfeiture event with timestamp, reason, and authorizing resolution;
- (c) Transfer title to the Fund pending reallocation or cancellation per Article 10.4.
3.4 Redemption & Withdrawal: Upon effective withdrawal date (Article 11.2), the Registry shall:
- (a) Lock the withdrawing Member's shares pending NAV calculation;
- (b) Record the Redemption Contract terms, settlement method election, and payment milestones per Article 11.4;
- (c) Finalize share removal only upon full satisfaction of the Redemption Contract (Article 11.7).
3.5 Encumbrance Tracking: The Registry shall record pledges, collateral assignments, or liens against shares, including priority ranking, duration, and release conditions, to support loan operations under Article 17.
ARTICLE 4: ACCESS CONTROLS & AUTHENTICATION
4.1 Role-Based Access Control (RBAC): Access shall be strictly tiered:
- (a) Members: View own holdings, initiate transfers, submit withdrawal requests, download statements.
- (b) Fund Operations: Execute approved transfers, record encumbrances, process redemption settlements, manage system parameters.
- (c) Executive Committee: Override restricted actions, approve exceptions, view aggregated liquidity and compliance dashboards.
- (d) Auditors: Read-only access to historical transaction logs and compliance reports, scoped by audit mandate.
4.2 Authentication:
- (a) All access shall require multi-factor authentication (MFA) via the ACF Certificate Authority (ACF-DIR-002).
- (b) Institutional Members may authenticate via mTLS or OAuth 2.0 tokens integrated with the Fund's Programmatic API.
- (c) Session timeouts, IP allowlisting, and behavioral analytics shall be enforced for privileged accounts.
4.3 Audit Logging: Every read, write, modification, or access attempt shall be immutably logged with user ID, timestamp, IP address, action type, and system state. Logs shall be retained for a minimum of ten (10) years.
ARTICLE 5: DATA INTEGRITY, AUDIT & REPORTING
5.1 Conclusive Evidence: Registry entries shall constitute prima facie evidence of ownership, transfer validity, and encumbrance status for all Fund purposes and dispute resolution under Article 27.
5.2 Independent Audit: The Registry's data integrity, security controls, and operational compliance shall be reviewed annually by external auditors of recognized international standing, as required by Article 23.2.
5.3 Reporting:
- (a) Real-time dashboards shall be provided to the Executive Committee for liquidity monitoring, capital call tracking, and risk assessment.
- (b) Aggregated, anonymized Registry data (e.g., total issued shares by class, geographic distribution of Members) shall be published via the Open Data portal in machine-readable formats.
- (c) Personal data and transaction-level details shall never be published without explicit Member consent or legal requirement.
ARTICLE 6: BUSINESS CONTINUITY & DISASTER RECOVERY
6.1 Redundancy: The Registry shall operate across geographically distributed, fault-tolerant data centers with active-active replication to ensure 99.99% uptime.
6.2 Recovery Objectives:
- (a) Recovery Point Objective (RPO): ≤ 5 minutes
- (b) Recovery Time Objective (RTO): ≤ 2 hours
6.3 Backup & Testing: Encrypted backups shall be performed continuously and stored in isolated, air-gapped environments. Full disaster recovery simulations shall be conducted biannually, with results reported to the Executive Committee.
6.4 Key Escrow: Master decryption keys shall be escrowed with independent, internationally recognized custodians under multi-party authorization to prevent lockout scenarios.
ARTICLE 7: COMPLIANCE, SANCTIONS & KYC/AML INTEGRATION
7.1 Automated Screening: All transfer requests, new registrations, and beneficial ownership updates shall be screened in real-time against international sanctions lists (UN, OFAC, EU, HMT, AU) and Politically Exposed Persons (PEP) databases.
7.2 KYC/AML Alignment: Registry onboarding and transfer validation shall integrate with the Fund's KYC/AML Compliance Directive (ACF-DIR-005), requiring verified identity, source of funds/gold declarations, and ongoing monitoring per FATF recommendations.
7.3 Data Retention & Privacy: Registry data shall be processed in accordance with international data protection principles. Cross-border data flows are protected by Chapter V immunities (Articles 18-22), though Members remain responsible for domestic compliance when accessing the Registry.
ARTICLE 8: LIABILITY, IMMUNITIES & DISPUTE RESOLUTION
8.1 Limitation of Liability: The Fund shall not be liable for losses arising from Member credential compromise, unauthorized third-party access, or system failures, except in cases of gross negligence or willful misconduct.
8.2 Immunity Assertion: The Registry's infrastructure, data, and operations are protected under Chapter V of the Charter. Any legal action attempting to compel disclosure, seizure, or alteration of Registry data is subject to the Fund's immunities and privileges.
8.3 Dispute Resolution: Disputes regarding Registry accuracy, transfer validity, or encumbrance status shall be resolved under Article 27: first by the Executive Committee, then by the Voting Meeting if appealed, with decisions final and binding subject to Chair confirmation.
ARTICLE 9: AMENDMENTS, REVIEW & ENTRY INTO FORCE
9.1 Amendments: This Directive may be amended by the Chair upon recommendation of the Executive Committee, provided amendments remain consistent with the Charter.
9.2 Review Cycle: The Executive Committee shall review this Directive biennially to incorporate technological advancements, emerging threats, or operational feedback.
9.3 Entry into Force: This Directive enters into force upon signature by the Chair and publication on the Fund's official website.
9.4 Languages: In accordance with Article 28.1, this Directive is authentic in English, French, Portuguese, and Arabic. In case of discrepancy, the English text shall prevail for technical specifications.
SCHEDULE A: MINIMUM TECHNICAL SPECIFICATIONS
| Component | Requirement | Standard/Reference |
|---|---|---|
| Database | ACID-compliant, distributed ledger or cryptographic hash chain | PostgreSQL / Hyperledger Fabric |
| At-Rest Encryption | AES-256-GCM | NIST SP 800-38D |
| In-Transit Encryption | TLS 1.3 + Certificate Pinning | RFC 8446 |
| API Security | OAuth 2.0 + mTLS + Rate Limiting | RFC 6749, OpenAPI 3.0 |
| Audit Logging | Immutable, append-only, cryptographically signed | ISO/IEC 27001, NIST SP 800-92 |
| Key Management | FIPS 140-2 Level 3 HSM, M-of-N control | NIST SP 800-57 |
| Availability SLA | 99.99% uptime, active-active geo-replication | ITIL / ISO 22301 |
| Backup RPO/RTO | ≤ 5 min / ≤ 2 hours | NIST SP 800-34 |
SCHEDULE B: CONTACTS & SUPPORT
| Function | Contact | Purpose |
|---|---|---|
| Registry Operations | [email protected] | System monitoring, performance, incident response |
| API Integration Support | [email protected] | Developer documentation, sandbox access, troubleshooting |
| Compliance & Screening | [email protected] | KYC/AML validation, sanctions alerts, transfer approvals |
| Audit & Security Review | [email protected] | Independent audit coordination, penetration testing |
| Member Access Support | [email protected] | Credential recovery, statement requests, MFA setup |
Adopted by the Chair of the African Community Fund on 13/04/2026.
Shared Value, Shared Prosperity.