The Bank of Ghana (BoG) has intensified efforts to protect banks and other financial institutions from possible cyber-attacks following the surge in the use of the internet to transact business.
Mrs. Elsie Addo Awadzi, 2nd Deputy Governor of the BoG said the approach of the regulator to addressing cyber risks in the banking and payments ecosystem is designed to safeguard operational resilience, safety, soundness, and integrity of the entire system while promoting confidence in the use of financial services (including DFS) and financial inclusion.
“Key issues to be addressed from a regulatory perspective to help anticipate, identify, and mitigate cyber risks on a continued basis include: Improvements in the security systems and infrastructure of national switches, banks and other financial services providers, electronic money issuers, telcos, fintechs including 3rd party aggregators and technology service providers; Deploying staff and other insiders in fraud prevention and mitigation;
“Enhancing capacity to understand, identify and mitigate cyber risks on the part of operators, regulators, security agencies, and the entire national eco-system. Enhancing cross-border regulatory cooperation (regional and global) in respect of financial institutions, telcos, fintechs operating in multiple jurisdictions.”
She added “The Bank of Ghana’s approach to addressing cyber risks in the banking and payments ecosystem is designed to safeguard operational resilience, safety, soundness, and integrity of the entire system while promoting confidence in the use of financial services (including DFS) and financial inclusion.
“To this end, the Bank of Ghana has taken the following measures: (i) Issued the Cyber and Information Security Directive (CISD) in 2018 which provides for: Governance requirements for financial services providers to institute key risk mitigation pillars – including a Board Committee on information security matters, senior management roles including Internal Audit and Chief Information Security Compliance Officer (CISO), among others.
“Technical requirements to augment security including ISO27001 certification and adoption of ISO27032, PCI-DSS compliance for institutions that handle, process, store, or transmit debit card, credit card, prepaid card, e-purse, ATM cards, etc. Reporting by regulated entities on a periodic basis and as and when incidents occur.
“(ii) Our regulatory approach enables payment service providers (e.g. electronic money issuers, fintechs, and others) to participate in the payments and DFS ecosystem to help generate innovative products and services, but in a manner that ensures that regulatory requirements are proportional to the risks that are likely to be introduced into the system.
“For very small financial service providers and fintechs, the burden of regulatory requirements is relatively low, but to avoid regulatory arbitrage, their access to payments infrastructure is through bigger and more established service providers.
“(iii) BoG’s comprehensive Risk-Based Supervisory Framework ensures that cyber security issues are embedded in the supervisory cycle for licensed financial services providers as part of operational risks assessments and overall safety and soundness assessments. Cooperation among all of BoG’s supervisory Departments overseeing banks, specialized deposit-taking institutions (e.g. savings and loans companies, microfinance companies, and others), and payment systems infrastructure and service providers. A coordinated approach is in place to ensure that risks that cut across are identified and mitigated in a comprehensive manner.
“(iv) BoG stresses continued vigilance for all service providers and operators in the ecosystem, as well as continually educates consumers to help empower them to take steps to protect their financial transactions especially those that are digital.”