Mobile money transfer networks must notify the Central Bank of Kenya within 24 hours of any cybersecurity incident, a new guideline says.
CBK issued the draft cybersecurity guidelines on Friday in an effort to crack down on rising financial service transaction fraud that saw consumers lose at least Sh17 billion last year.
The guidelines are expected to create a more secure cyberspace that underpins information system security priorities, and to promote the stability of the world-acclaimed Kenyan payment system sub-sector.
They will also help maintain public trust and confidence in the national payment system by establishing a coordinated approach to the prevention and combating of cybercrime.
“The guidelines set the minimum standards that PSPs should adopt to develop effective cybersecurity governance and risk management frameworks in order to maintain a sound, secure and efficient National Payment System,” CBK said.
Under the new regulations, payment service providers (PSPs) will be required to treat cyber risk as a board and management-level issue. The board is expected to set the right tone from the top in fostering a robust cyber risk management culture.
The regulations will compel PSPs to hire internet-savvy experts, including chief information security officers, dedicated to countering cyber threats.
PSPs shall provide the Central Bank of Kenya with quarterly reports detailing the occurrence and handling of cybersecurity incidents.
All PSPs are required to submit their cybersecurity policy, strategies and frameworks to CBK by August 31, 2018.
The stringent measures by CBK come against the backdrop of a recent Financial Transaction Fraud survey that shows 70 per cent of Kenyans have been victims of financial fraud, or know someone who has.
According to the study, one is more likely to be conned through a mobile money transaction than through ATM cards, online banking or the use of cheques.
At least 41 per cent of mobile money consumers lose between Sh1,000 and Sh5,000 a month, while 39 per cent of online bankers lose the same amount of money in 30 days.
Kenya has recorded increasing cases of SIM swap fraud in recent weeks, with some implicating employees of mobile money networks who use customers’ personal identification details to access their mobile money wallets.
Early last week, crime busters from the Directorate of Criminal Investigations (DCI) seized 30,000 SIM cards, 240 iPhones, 150 MI phones, two laptops, two inverters and other electrical appliances in Kiambu County where four suspects were arrested.
The Communication Authority last month warned mobile phone users against sharing personal identification information with strangers pretending to help them.
CBK has given the public up to September 14 to comment on the proposed guidelines, which will affect both large value and retail payment system providers.