Guide to Financial Services Regulations & Guidelines in Kenya

The Central Bank of Kenya (CBK) oversees banks, credit institutions, and payment operators, while the Insurance Regulatory Authority (IRA) manages and supervises the insurance industry.

To regulate the use of information technology in the financial industry, the CBK and the IRA have issued a series of regulatory provisions on cyber security and information technology risk management for Kenyan financial institutions. These include:

● Risk Management Guidelines: In January 2013, the CBK provided minimum guidance on risk management systems and frameworks for all institutions. The guidelines cover risk management frameworks, strategic risk management, credit risk management, liquidity risk management, market risk management, operational risk management, information and communication technology risk, compliance risk, and more.

● IRA Guidelines on Risk Management and Internal Controls IRA/PG/11: In June 2013, the IRA required insurance companies to have effective risk management and internal control systems as part of their overall company management framework, including effective risk management, compliance, and internal audit.

● CBK Prudential Guidelines on Outsourcing CBK/PG/16 (Outsourcing Guidelines): In January 2013, the CBK issued the Prudential Guidelines, which provide basic standards that financial institutions must implement, including the CBK Prudential Guidelines on Outsourcing CBK/PG/16. Part four of the guidelines specifically requires internal control and prudential standards, risk management practices for outsourcing financial services, regulatory and supervisory requirements, and security requirements for offshore outsourcing of financial services.

● Guidance Note on Cybersecurity: In August 2017, the CBK provided minimum requirements that institutions should follow when developing and implementing strategies, policies, procedures, and related activities aimed at mitigating cyber risks. The guidelines cover risk management, outsourcing, information and communication technology, internal control, and corporate governance.

● CBK Guidelines on Cybersecurity for Payment Service Providers (PSP Guidelines): In November 2019, the CBK established minimum standards that payment service providers (PSPs) should adopt to develop effective network security governance and risk management frameworks.

The white paper Compliance Guide for the Kenyan Financial Industry Regulations on Huawei Cloud explains in detail how Huawei Cloud will assist you in meeting regulatory requirements in the financial industry.