Kenyan banks are exposing themselves to financial risks by not enforcing robust contractual safeguards with third-party technology partners, a new report by the Central Bank of Kenya warns.
The banking sector regulator says that while most financial institutions now depend heavily on third-party vendors to support digital banking operations, some still lack clear contractual provisions governing those relationships.
This, CBK says, leaves them vulnerable to data breaches, service failures and compliance violations.
The July 2025 Survey on Third-Party Technology Service Providers in the Banking Sector shows that 21 percent of microfinance banks (MFBs) do not include any risk management requirements in their contracts with third-party technology service providers (TSPs).
CBK says this is a critical gap in an era of rising cyberattacks and systemic digital exposure.
Among those that do, many fail to rigorously enforce key provisions such as service level agreements (SLAs), audit rights or termination clauses.
“Some institutions still enter these partnerships without fully articulating accountability frameworks. The absence of enforceable terms increases exposure to operational disruptions, legal disputes, and regulatory sanctions,” the CBK report notes.
The report surveyed 52 institutions, including 38 commercial banks and 14 MFBs. It found that every commercial bank includes risk clauses in its TSP contracts, but compliance among MFBs remains uneven.
Only 79 percent of MFBs said they include risk clauses, raising questions about the sector's preparedness to handle third-party failures.
Banks use third-party technology providers for a wide range of critical services, including mobile and internet banking, cloud storage, payment processing, cybersecurity tools, and core banking applications.
These vendors are now embedded deeply into the core operations of nearly every bank in the country.
Yet, despite this reliance, many institutions still lack the contractual teeth to manage their partners effectively.
“While most contracts contain basic clauses such as data protection and confidentiality, fewer institutions secure the right to conduct regular audits of their vendors. Only 50 percent of MFBs and 87 percent of commercial banks reported including audit rights in their TSP agreements,” the report says.
Even fewer go beyond that to ensure enforceability of disaster recovery obligations, subcontractor disclosures or breach notification timelines.
Some banks are also neglecting exit strategies, a risk that could result in “vendor lock-in”—where switching providers becomes technically or financially unfeasible.
“Without clear termination clauses and transition plans, institutions may find themselves trapped in underperforming or insecure partnerships,” warns CBK.
The CBK’s concern comes from the increasingly central role that third-party vendors continue to play in banking operations.
To bring uniformity to the sector, the banking regulator is now recommending a centralised vendor accreditation system.
“Regulatory and policy support are essential for effective Third-Party risk management. Institutions noted that cybersecurity and compliance should be approached collaboratively, and that regulatory alignment is critical,” the report reads in part.
“Suggestions included creating a centralised vendor accreditation system, enforcing minimum cybersecurity standards and establishing regulatory sandboxes for innovation.”
Over 58 percent of commercial banks work with more than 10 technology providers, and many now rely on vendors to power critical systems such as payment aggregation, credit scoring, and fraud detection.
The survey warns that this deep integration, if not matched with adequate legal and operational oversight, could result in widespread system failures or regulatory breaches.
In the case of a breach or downtime, the absence of clear responsibilities and reporting timelines could delay response, frustrate investigations and expose the institution to customer backlash or CBK sanctions.
Adding to the risk is a lack of training for vendors. Only 34 percent of commercial banks and 36 percent of MFBs currently offer third-party vendors training on risk mitigation and compliance.
This means most TSPs operate without direct guidance from their banking partners on expected security protocols or legal obligations.
The CBK suggests that banks should not only require vendors to meet compliance standards such as ISO 27001 or the Kenya Data Protection Act, but also educate them regularly to ensure alignment on critical areas like cybersecurity, fraud prevention, and data governance.
Although only two institutions, one commercial bank and one MFB, reported facing regulatory penalties tied to third-party risk in the last five years, CBK warns this may reflect underreporting or the immaturity of enforcement frameworks, rather than actual compliance strength.