Executive Summary.

As the cybersecurity challenge continues to affect many financial institutions, Central Bank of Kenya has now moved on to issue guidelines for Payment Service Providers (PSPs) barely a year after issuing one for the Banking sector. This guidelines is still in draft and the public and related stakeholders are required to give their comments by 14 September 2018.

The Guideline sets the minimum standards that PSPs should adopt to develop effective Cybersecurity governance and risk management frameworks.

With the recent rise of Internet Fraud in the financial institutions and attackers leveraging on the payment systems used by banks, CBK guideline Note amplifiers the need to maintain sound, secure and efficient National Payment System.

Who are Payment Service Providers?

These are essentially providers who are players who participate in the payment space. Well, known examples are Safaricom’s M-PESA and Real-time Gross Payment (RTGS) which is owned by CBK through Kenya Electronic Payment and Settlement System (KEPSS) platform. Other payment services providers include regional payment systems, retail/ low-value payment systems, payment card industry, mobile phone transfer services the likes of Equitel, Airtel Money, T-Kash, Mobile Pay etc.

You can get a list of the payment service providers here

Core Areas of Compliance

  • Have a governance framework to combat cybersecurity through strategies, policies and procedures as well as clear roles within the organization from the board all way down the organization hierarchy.
  • Carry out training and awareness
  • Carry out risk assessments, internal and external audits on their systems
  • Have adequate governance on outsourced services and notify CBK whenever they need to outsource
  • Report to CBK on any major cybersecurity incident within 24 hours and also submit their Cybersecurity Policy, strategies and Framework on a quarterly basis.

Governance of PSPs

Setting the tone of Cybersecurity at the top level of management of the organization is the best practice to protect the digital assets of an organization. The guideline provides the following roles and responsibilities to various hierarchical levels in an organization.

The Board Members of a PSP should understand the nature of their institution’s business and the cyber risks to which the institution can be exposed.

The Senior Management is responsible for implementing the PSP’S Business strategy in line with its risk appetite, while being cognizant of Cyber Threats.

The Chief Information Security Officer (CISO) will be responsible for developing security and risk mitigation strategies, implement security programs and manage incidents and remediation. And also required to report directly to the CEO or Chief Information Officer, Chief Operating Officer or Risk Function.

Setting Appropriate Risk Management

PSPs are required to have a proper Risk Management function that is capable of addressing

  • Operational risk
  • Audit their systems,
  • Set up policies, procedures and standards
  • Institute Business Continuity Plans
  • Continuously identify, monitor and manage risk to users and any third parties.

Setting up a Cyber Resilient Organization

In order to set up a resilient Cybersecurity program, the institutions should cover all the elements of identification, protection, detection, response and recovery. This can be done in three ways:

  1. Internal Dependency Management: Have effective capabilities to identify and manage cyber risks associated with business assets throughout their lifespans and to continually assess and improve as necessary, their ability to reduce the cyber risks associated with internal dependencies on enterprise-wide basis,
  2. External Dependency Management (EDMs): Have effective capabilities in place to identify and manage cyber risks associated with external dependencies and interconnection risks.
  3. Incident Response: Able to respond, contain and to rapidly recover from disruptions caused by cyber incidents.

Regular Independent Assessment and Test

The PSPs should test the following functions, Internal Audit, Risk Management and External Audit

  1. Risk management has the duty to ensure that cybersecurity risks are managed within the enterprise risk management portfolio
  2. The internal audit should review and report on cyber risks and controls of the ICT systems within the PSPs and other related third-party connections.
  3. External Auditor should also review the institution’s IT infrastructure, use of IT, operations and the impact of IT on financial reporting statements.

Outsourcing and Training

The PSPs should have adequate governance when outsourcing their services. They should also notify CBK before outsourcing any services.


PSPs should put in place a formalized plan to provide ongoing technical training to Cybersecurity specialists. Awareness should also cover customers, clients, suppliers, partners, outsourced service providers and other third parties who have links to the PSP’s IT infrastructure.


Given the varying sizes of Payment Service Providers, a number of these compliance requirements might be waived on application to CBK. Requirements such as to have a CISO are examples of items that might be waived.

Need help?

We understand that Cybersecurity is a complex area that requires collaboration with various parties. Talk to us to provide you with guidance on compliance with this requirement.