Bank of Ghana moves to tighten cyber rules as digital payments surge
The Bank of Ghana is preparing a major upgrade of its cybersecurity rulebook for banks and fintech firms, as growth in digital payments exposes the financial system to more complex and coordinated cyber threats.
Officials say a revised Cyber and Information Security Directive is expected early next year, with tougher governance requirements, clearer accountability structures and enhanced sector-wide monitoring. The plans were outlined at a cybersecurity summit in Accra.
Emmanuel Klu, deputy director and acting head of information, who represented the Governor, Dr Johnson Pandit Asiama, said the central bank is recalibrating its oversight to match the speed and sophistication of emerging risks.
Digital payments, he noted, have become “central to the economy”, but that transformation has also increased exposure to system-wide vulnerabilities, where a single breach can damage public confidence and even disrupt the transmission of monetary policy.
He emphasised that the Bank intends to “champion data protection and consumer safety” while avoiding overly rigid rules that could stifle innovation and financial inclusion.
A central plank of the upcoming directive is the formal elevation of Chief Information Security Officer (CISO) roles across banks and payment institutions.
A draft version issued earlier this year proposes:
Giving CISOs greater visibility and authority in strategic decision-making;
Tightening existing requirements on incident reporting; and
Deepening Board-level oversight of cyber risk.
The Bank of Ghana already obliges regulated institutions to appoint dedicated cybersecurity officers and report incidents within strict timelines. The revised directive is expected to raise the compliance bar further, particularly around governance and accountability.
The reforms also reinforce the mandate of the Financial Industry Command Security Operations Centre (FICSOC) – a 24/7 monitoring hub established in 2019.
Initially focused on universal banks, FICSOC now covers all licensed financial institutions and fintechs. Mr Klu said commercial banks, savings and loans companies and some regulators are already connected, with plans to link additional supervisory bodies.
He described FICSOC as the “nerve-centre” of real-time threat detection for the sector. Under the Cybersecurity Act, 2020, the platform has been designated the financial industry’s lead sectoral operations centre, enabling:
Continuous monitoring for anomalies;
Faster, coordinated responses across institutions; and
Centralised visibility of major cyber incidents.
The central bank is also encouraging adoption of global standards such as ISO 27001 and NIST frameworks, positioning them as benchmarks for improving cyber maturity across the ecosystem.
Mr Klu told participants that cyberattacks are now a “daily reality” and warned that the industry cannot afford a reactive posture.
He called for investments in:
Stronger governance structures;
Customer verification tools; and
Advanced fraud-prevention systems.
The objective, he said, is to build “collective resilience”, stressing that the financial system “is only as strong as its weakest institution”.
Event co-host Visa echoed the call for coordinated action.
Visa’s country manager for Ghana, Fabrice Konan, said cybersecurity should now be treated as a national priority, given that the trust and functionality of the financial system depend on it.
Mr Konan urged banks and payment firms to:
Share threat intelligence more openly; and
Deploy joint defensive strategies as digital transaction volumes continue to grow.
He said the forum should mark a turning point in Ghana’s approach to cyber-readiness, adding:
