The Guideline on Cybersecurity for Payment Service Providers
The Central Bank of Kenya (CBK) issued a guideline on cybersecurity for Payment Service Providers (PSPs).

The Guideline on Cybersecurity for Payment Service Providers (the Guideline) is applicable to all PSPs authorised under the National Payment System Act, which include:

  • a person, company or organisation acting as provider in relation to sending, receiving, storing or processing of payments or the provision of other services in relation to payment services through any electronic system;
  • a person, company or organisation which owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or
  • any other person, company or organisation that processes or stores data on behalf of such payment service providers or users of such payment services.

Commercial banks already have most but not all of these obligations under the Guidance Note on Cybersecurity issued by the CBK in August 2017.

The Guideline:

  • requires PSPs to maintain a cybersecurity programme with specified minimum standards designed to mitigate cyber risk in the payment system in Kenya; and
  • places the ultimate responsibility for compliance with this requirement on the board of directors and senior management of PSPs. This requirement is one of those additional responsibilities not set out in the earlier Guidance Note on Cybersecurity for commercial banks.

Key highlights

The highlights of the specified minimum standards PSPs are now required to maintain to mitigate cyber risk in the payment system are as follows:

Governance structure

  • The Guideline sets out the various roles to be carried out by the board of directors and senior management of a PSP. Amongst others, the board oversees the cultivation and promotion of an ethical governance and management culture and awareness (setting “the right tone from the top”), while senior management implements the board-approved cybersecurity strategy, policy and framework.
  • All PSPs are required to have a Chief Information Security Officer (CISO). The roles of the CISO include, amongst others: developing and implementing the PSP’s cybersecurity programme and enforcing the cybersecurity policy; and periodically reporting on the organisation’s cybersecurity posture to senior management, the board of directors and the audit committee.
  • A PSP is limited to outsourcing only the operational security functions of the CISO, such as information security monitoring, testing and threat intelligence, and will be required to seek the prior approval of CBK.

Cybersecurity strategy, frameworks and policies

  • Each PSP shall implement and maintain a written policy or policies for the protection of its information systems and confidential information stored on those information systems.
  • The policy should address key cybersecurity issues including: information security; data governance and classification; business continuity and disaster recovery planning; resources, systems and network security; customer data privacy; vendor and third party service provider management; risk assessment and incident response.

Risk management

Each PSP shall conduct a periodic risk assessment of the PSP’s information systems sufficient to inform the design of the cybersecurity programme as required under the Guideline, including the identification of critical cyber assets and revision of controls to respond to technological developments and evolving threats.
  • PSPs are required to ensure that their third party service providers, such as cloud service providers, comply with legal and regulatory frameworks as well as international best practices.
  • The relationship should be governed by an outsourcing agreement in the nature of a clearly written contract, the nature and detail of which should be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the PSP.
  • PSPs are required to notify CBK of the intention to outsource functions, services and infrastructures at least 30 days before such outsourcing agreements are executed.

Regular independent assessment and testing

  • PSPs are also required to carry out regular independent assessments and audits. To achieve this, the Guideline requires PSPs to incorporate qualified information and communication technology (ICT) auditors within their internal audit teams.
  • The Guideline has also set out the IT audit scope for the external auditors.

Training and awareness

  • PSPs should implement IT security awareness training programmes to provide information on good IT security practices, common threat types and the PSP’s policies and procedures to the PSP’s customers, clients, suppliers, partners, outsourced service providers, staff and other third parties who have links to the PSP’s IT infrastructure.

Next steps for PSPs

  • The Guideline allows PSPs up to 1 October 2019 to comply with the requirements in the Guideline.
  • All PSPs except commercial banks are required to submit their cybersecurity policy, strategies and frameworks to the CBK by 31 December 2019.
  • PSPs are required to notify the CBK within 24 hours of any cybersecurity incidents that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition.
  • PSPs operating systemically important payment systems and system-wide important payment systems are required to notify CBK within two hours of any cybersecurity incidents that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition.
  • PSPs are required to provide CBK with a quarterly report on the occurrence of cybersecurity incidents and their handling of them.
  • The Guideline has not provided a penalty for non-compliant PSPs. However, the National Payment System Act provides that the CBK may revoke or vary any designation of a payment instrument if, in the opinion of the CBK, the issuer of a designated payment instrument has failed to comply with any regulations, guidelines, circulars, notices or standards issued by the CBK.
  • Before imposing such a penalty, the CBK shall give the PSP not less than seven days’ notice, requiring the PSP to show cause as to why the penalty prescribed should not be imposed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
