Executive Summary

Technology and cyber risk was highlighted as one of the top three risks for the banking sector in addition to credit risk and liquidity risk.

To address the risks to business continuity, and the associated reputational risk, arising from the increasing digitization of financial services, CBK issued a Guidance Note on Cybersecurity in 2017. The note set out regulatory standards for industry participants on the assessment and mitigation of cybersecurity threats, necessitated by the industry's growing reliance on technology, which exposes it to increased cyber risks.


Initiatives planned in the Banking sector for 2018 related to technology are:

  • Review of emerging disruptive technology such as distributed ledger technology, cloud computing and artificial intelligence and formulating appropriate regulatory responses to emerging risks from these technologies.
  • Deployment of Regulatory Technology (Reg-Tech) and Supervisory Technology (Sup-Tech) in surveillance processes.


Developments in Information and Communication Technology (ICT)

2017 saw limited activity in the Information and Communication Technology (ICT) space in terms of acquisition or upgrade of existing core banking systems in Kenya’s banking sector. What was mainly witnessed was enhanced efforts by institutions to leverage existing ICT systems to improve productivity and navigate the turbulence in the year.


  • Many banks continued to join the PESALINK platform
  • Issuance of the Cybersecurity Guidance Note on August 27, 2017, to curb the emergent threat of Cybercrime
  • Fintech continued to grow. Some banks, such as Equity, have set up Fintech subsidiaries, while others are opting for partnerships with already established Fintech companies.
  • Exploration of Blockchain Technology
  • Chatbots for customer service delivery
  • Video Teller Machines (VTMs) or video banking
  • Psychometric credit scores by CRBs to evaluate potential borrowers who do not have a credit history


As for Cryptocurrency


CBK reiterates that it does not recognize Cryptocurrencies as legal tender. CBK is of the opinion that despite the ubiquitous positive influence of technology, there lies a potential of great risk in the event that the technology fails or is misused by unscrupulous individuals.


Enhanced Security of SWIFT

Kenya is ranked 3rd in Africa for use of SWIFT. In response to the Bangladesh hack and many other cybersecurity concerns, SWIFT introduced 27 security controls, of which 16 are mandatory and 11 are advisory. These controls are based on three broad objectives for each SWIFT user:

  • Secure its SWIFT environment from cyber-attacks.
  • Know and limit who has access to its local SWIFT environment.
  • Promptly detect and respond in case of a cyber-attack.


Technology and employee efficiency

On average, in 2016, one employee was serving 1,222 customers whereas in 2017 an employee was serving 1,544. There has been steady progress over the years; in 1996, one employee could serve only 60 customers.


New Products

Banks strive to enhance access to customers, as well as to differentiate their products and services, by use of alternative delivery channels such as e-banking and m-banking.


Future outlook

The adoption of emerging technologies like blockchain, artificial intelligence, machine learning, big data analytics and financial technology (FinTech) is expected to continue transforming the banking and customer experience.

The integration of digital technology into the banking business will lead to fundamental changes in how the banking sector operates and delivers value to its customers.


Cyber Security Guidance Note

On August 18, 2017, the Central Bank of Kenya (CBK) rolled out a Guidance Note on Cybersecurity to commercial banks and mortgage finance companies. The aim of the Guidance Note was to set the minimum cybersecurity requirements upon which banks would build, based on their cyber threat landscape, nature of business, size and risks faced. The Guidance Note recommends, among other things, that commercial banks and mortgage institutions:

  • Incorporate cyber-risk into the enterprise-wide risk management framework and governance.
  • Develop effective control and response frameworks for cyber-risk, including ensuring the implementation of general sound risk management practices in the context of cyber-risk.
  • Consider as starting points the existing technical standards on cyber- and information security for any regulation relating to cyber-risk.
  • Put more emphasis on promoting cyber-security awareness among staff.
  • Benefit from further collaboration with the industry in strengthening banks’ cyber-security.


One of the main points of emphasis was the Board of Directors setting the “tone from the top” by approving the overall cybersecurity governance framework. For its part, senior management has the responsibility of formulating and implementing cybersecurity strategies, policy, procedures, and guidelines. The Chief Information Security Officer (CISO) also has a critical role in implementing the institution’s framework and enforcing the cybersecurity policy.


The Guidance Note also includes reporting requirements, under which institutions must:

  • Submit to CBK the institution’s Cybersecurity Policy, strategies, and frameworks.
  • Notify CBK within 24 hours of any Cybersecurity incident(s) that could have a significant and adverse impact on the institution’s ability to provide adequate services to its customers, its reputation or financial condition.
  • Provide CBK with a report indicating the occurrence and handling of Cybersecurity incidents within the quarter.

CBK considers the issuance of the Cyber Security Guidance Note as an important first step in enhancing the overall cyber resilience of the Kenyan banking sector. As an immediate next step, CBK has commenced the process of formulating and issuing a Cyber Security Guidance Note to Payment Systems. The expected parties to comply with these guidelines are participants authorized under the National Payments Systems Act.

Here is the complete Bank Annual Supervision Report 2017