COLLEGE OF BUSINESS

MSC IN DEVELOPMENT FINANCE

COURSE TITLE: MFD 014-FINANCIAL SERVICE REGULATIONS

GROUP 1 MEMBERS
1. NELIUS NJERU - 13/04048
2. RUTH CHELANGAT - 22/01055
3. PETER MUTUI - 21/08121
4. GODFREY KAMAU - 10/03533
5. ZACHARIAH BOSIRE - 22/01317
6. BRIDGIT MAGOKO - 15/00799

TERM PAPER: REGULATION OF DIGITAL FINANCIAL SERVICES AGAINST

CYBER CRIME

SUBMITTED TO: DR. PETER NJUGUNA

DATE OF SUBMISSION: 9TH JULY 2022

 TABLE OF CONTENT

1. INTRODUCTION....................................................................................................................1

1.1 Background...........................................................................................................................1

2. LITERATURE REVIEW.........................................................................................................3

2.1 Theoretical Perspective.........................................................................................................3

2.2 Empirical Review of Literature............................................................................................4

3. CONCLUSION........................................................................................................................8

4. RECOMMENDATIONS.........................................................................................................9

REFERENCES..............................................................................................................................11

ii
1. INTRODUCTION

1.1 Background

Article 46 of the Central Bank of Kenya (Digital Credit Providers), Central Bank of Kenya
(Digital Credit Providers) Regulations 2022, 2022) that was gazette in March 18, 2022 provide
for the licensing and oversight of previously unregulated Digital Credit Providers (DCPs). The
Regulations, now operational, provide for among other things the licensing, governance, and
lending practices of DCPs. The regulations also provide for consumer protection, and credit
information sharing, and outline the Anti-Money Laundering and Combating the Financing of
Terrorism (AML/CFT) obligations of DCPs. These regulations initially referred to as Draft
Regulations of 2021, have required all unregulated DCPs to apply to CBK for licensing by
September 17, 2022, or cease operations.

The National Payment System (NPS) Act of 2011 was enacted by Kenya, establishing a new
legislative foundation for NPS. In addition to other matters, this law established rules for the
regulation and management of payment systems and payment service providers. The National
Payment System Regulations of 2014 were also passed in order to put the NPS Act of 2011 into
effect. It specifies payment service provider permission and control, payment system and
payment instrument designation, and anti-money laundering processes. According to Omwansa
and Waema (2018), the Central Bank of Kenya published a Guidance Note on Cybersecurity in
2017 that defines, among other things, cybersecurity, cyber, and vital information infrastructure.
Safaricom's M-Pesa is an example of a well-known mobile money success story. Safaricom's
seminar on mobile money and fraud issues, for example, has strengthened Kenya's digital
financial ecosystem and promoted collaboration to combat mobile money fraud.

Fintechs have been able to develop creative business models that make use of payment systems
or platforms hosted by commercial banks as a result of digitization (World Bank. (2015). Despite
this accomplishment, system vulnerabilities caused by technology failures or malfunctions,
human error, or hacking could result in significant losses. Since the commencement of the
COVID-19 outbreak, cybercriminals have targeted banks, financial institutions, and fintech

1
organizations, with the goal of stealing money. As a result, the importance of cybersecurity in the
Fintech business cannot be overstated (Lim & Ting, 2021).

The regulation on the DCPs by the Central Bank of Kenya were reached through a consultative
process that ensures all stakeholders concerns are captured in line with best global practices and
that the regulations work for and with Kenyans, (Press Release Publication of Regulations for
Digital Credit Providers and Commencement Of Their Supervision, 2022). They provide the
conditions under which digital credit providers may share or exchange credit information with
credit reference bureaus; require customer consent prior to submitting or sharing credit
information, and restricts sharing with third parties or using credit information obtained from
bureaus for purposes other than its intended use. Furthermore, the regulations include consumer
protection obligations, such as requiring providers to create grievance redress channels and use
secure systems to safeguard the confidentiality and security of personal data.

Cybersecurity Guidelines for Payment Service Providers (PSPs) - To promote the stability of
Kenya's payment system subsector, the goal is to create safer and more secure cyberspace that
supports information system security priorities. The Guideline specifies the minimum
requirements that PSPs must achieve in order to develop and implement effective cybersecurity
governance and risk management frameworks. Furthermore, it specifies the minimal
requirements that PSPs must meet when establishing and executing cyber risk mitigation plans,
policies, and procedures (Kenyoru, 2020).

Mobile financial services have been a critical driver of financial inclusion in recent years. As of
2018, the mobile money business had over 866 million registered accounts in 90 countries and
over $1.3 billion in daily transactions among users, many of whom were using financial services
for the first time (Błach,2018). However, in developing countries, a rise in fraud, system
disruptions, and data breaches is diminishing consumer trust in mobile banking services.
Cyberattacks can jeopardize the reputation of the mobile industry, resulting in market share loss
and diminished innovation incentives (Akhisar, Tunay & Tunay, 2015).

2
Under the guidance of the Central Bank of Nigeria, the Nigeria Electronic Fraud Forum is
proactive in defending the country's e-payment platforms. The World Economic Forum's Global
Initiative for Cybersecurity, which was launched in 2018, aims to tackle organized digital crime
(Bayero, 2015). The overarching goal of these forums is to improve cybersecurity by fostering
collaboration, information exchange, and the adoption of common standards among
governments, corporations, and law enforcement. To allow for honest discussions on the most
important cyber-related concerns confronting the sector, these forums must maintain a high level
of trust and anonymity. Experience from industry-led fraud and security communities, such as
the South African Banking Risk Information Centre (SABRIC) or the GSMA Fraud and security
group, indicates that industry associations are well-positioned to lead the exchange with
supervisors in order to maintain confidentiality and allow for open discussions (Sarker & Sahay,
2017).

2. LITERATURE REVIEW

2.1 Theoretical Perspective

Silber (1983) presented the theory of financial innovations, which was founded on the premise
that the major motivation for financial inclusion in the development of the benefits associated
with money-related foundations. The theory demonstrates that the weaknesses in the financial
system, such as inaccurate data, office costs, and exchange rates, are what spur new inventions.
The argument holds that financial innovations could be entirely new approaches or just
established practices through which the most recent advancement has been made, increasing
organizations’ liquidity and attracting more candidates who are qualified for the position.

The idea contends that the financial system is driven in large part by financial innovation, which
enhances economic competence and increases competitive advantage due to its frequent and
innovative innovations. Sekhar (2013) asserts that the introduction of new production techniques
and technological advancements, which increase overall economic growth and return rates,
define financial developments. The thesis contends that innovation increases a company's
competitive edge and increases investor profitability. Innovation is a strategy for handling,

3
delegating, and resolving all responsibilities. Through improved allocation, better efficiency, and
decreased financial and administrative costs, the adoption of innovations promotes the growth of
financial institutions.

According to Villasenor, Darrell and Lewis (2015), financial innovations improve financial
inclusion by boosting market liquidity, ensuring that resources are distributed to neglected areas,
and granting access to emerging. Commercial banks come up with creative ways to reach more
people in order to boost their profits since, according to the theory of financial innovations, some
constraints, such as external handicaps, help companies pursue their goal of revenue
maximization. Peake (2017) established that particularly in many African countries, emerging
innovative financial inclusion models utilizing mobile and other digital financial services are
assisting with closing the gap in financial instruments that exists in these countries.

Nwanne (2017) indicated that attacks using ransomware frequently include requests for
cryptocurrency ransom payments. Attackers are using supply chain vulnerabilities and those of
third-party providers more frequently to compromise or steal data, interrupt services, and extort
ransom payments. Andrianaivo and Kpodar (2017) established that cyberattacks are becoming
more frequent and sophisticated, and the extent of their damage has been constantly growing.
Attackers target these service providers and IT suppliers in an effort to reach other institutions
that make use of their services or goods. The results could be disastrous if impacted institutions
detect or learn about such attacks slowly. In IT environments, it is crucial to keep an eye on all
software and hardware, regardless of size, as opposed to concentrating mostly on the most
crucial third-party providers.

2.2 Empirical Review of Literature

McKee, Kaffenberger, and Zimmerman (2020) examined doing digital finance right: the case for
stronger mitigation of customer risks. It was noted that the public sector has taken a number of
steps to reduce cyber risk in response to recent high-profile hacks on financial institutions that
have highlighted the need to improve cybersecurity. In an effort to help banks adapt their cyber-
security strategies to their operational and regulatory settings, the G7 finance ministers and

4
central bank governors published Fundamental principles of cybersecurity for the financial
industry. The need to monitor cyber-risk brought on by financial technology (fintech) and to
identify the supervisory and regulatory issues from the perspective of financial stability was
included in the Financial Stability Board's (FSB) work plan for 2017. The FSB lists reducing the
detrimental effects of cyber risk on financial stability as one of the top three priority themes for
future international cooperation in its report for the Hamburg G20 meeting in July 2017. Cyber
Resilience Guidance for Financial Market Infrastructures was published in June 2016 by the
Committee on Payments and Market Infrastructures (CPMI) and the International Organization
of Securities Commissions (IOSCO).

Villasenor, Darrell, and Lewis (2019) examined the 2015 Brookings Financial and Digital
Inclusion Project Report: Measuring Progress on Financial Access and Usage. It was established
that in order to improve insurer and supervisor knowledge of the problems posed by cyber risk,
the International Association of Insurance Supervisors (IAIS) published a white paper in April
2016. The largest economies in the world are not the only ones with a heightened awareness of
cyber risk. The FSI polled banking regulators in 73 nations outside of the Basel Committee in
2016. When asked to name their main issues with macroeconomic and financial stability, the
majority of respondents named fintech and the associated cyber-risk as the biggest challenge.
The business community is concerned about these issues. In Deloitte's 2016 Global Risk
Management Survey, only 42% of participants said their company was very or very competent in
managing cyber risk. However, of the top three risk categories that will become more significant
over the next two years, respondents most commonly chose cyber-risk (41 percent).

Muiruri and Ngari (2021) did a study on the effects of financial innovations on the financial
performance of commercial banks in Kenya. The analysis revealed that mobile money services
have become more and more popular as more companies, including banks and organizations,
digitize their processes. There were 67,7 million registered mobile money accounts as of
September 2021, and 305,831 active mobile money agents. 29 180.85 million agents’ cash-out
transactions totaling 585.38 billion Kenyan Shillings were made (USD 5.19 billion). The overall
number of active registered telecom mobile money subscriptions reached 34,7 million in the
fourth quarter of 2021.30. Revenue from mobile services was KES 280.1 billion (USD 2.48

5
billion) in 2020, up 1.3 percent from the previous year. Additionally, investments in the mobile
subsector rose by 28.9% in 2019 to KES 45.9 billion (USD 407.17 million), up from KES 35.6
billion in 2018.

Kamau (2020) examined intermediation efficiency and productivity of the banking sector in
Kenya. From the study, it was revealed that the analysis of the mobile app environment (mostly
on Google's Android ecosystem) in the 2019 Digital Trend Report shows that there has been a
greater emphasis on digital experiences, particularly for financial institutions. Some of these
businesses offer a variety of financial services packaged together, such as Chipper Cash, an
African cross-border payments company that provides business solutions for both end-users and
corporate clients as well as financial solutions for payments, investing in cryptocurrencies, and
stock purchases. To enable authors to accept payments on its platform, Twitter just launched its
Tips feature, often known as the Tip Jar. It is integrated with payment networks like Chipper,
PayPal, Patreon, GoFundMe, Cash App, and Venmo so that it is available worldwide.

Nyamongo and Ndirangu (2015) who focused on financial Innovations and Monetary Policy in
Kenya found that cyberattacks could jeopardize the delivery of time-sensitive goods and services
by the banking industry. Banks frequently provide the most goods and services aimed at the
general public within the financial sector. Bank systems are more vulnerable to cyberattacks due
to the numerous points of contact they have with outside parties, which also makes them
potential entry sites for attacks on other parts of the financial system. Banks must have the right
governance, systems, procedures, and processes in place to reduce cyber risk. Only a few
jurisdictions have specific regulatory and supervisory efforts in place to handle banks' cyber-risk,
despite the fact that it is a major worry for the majority of bank supervisors.

Andrianaivo and Kpodar (2017) esta ICT, Financial Inclusion, and Growth: Evidence from
African Countries. There is a concern that regulations will become unduly prescriptive and lag
behind both advancements in cyber risk management and the constantly changing cyber threat.
Prescriptive laws may be necessary for some industries, such as requiring bank boards to adopt a
cyber-risk management structure and appetite, but they are obviously inappropriate in other
industries. One illustration is recommending the use of a specific technology; given the pace of

6
technological advancement, any recommended technology is likely to become dated very
rapidly. Another situation where regulators must be careful about how banks execute it is the
requirement of a predetermined recovery period. The goal is to avoid lengthy delays in crucial
financial processes, but if institutions are unable to adequately verify that all compromised
systems have been removed, an unduly strict and stringent recovery period may be ineffective.

The study by Korir, Shisia and Mutung’u, (2015) focused on the financial innovations and
Performance of Commercial Banks in Kenya. The results revealed that because cyber threats are
international in nature, there must be extensive regulatory coordination at the national level.
Because cybercrime is a worldwide problem, no one organization or regulation can successfully
reduce the risk on their own. Governments, regulators, and industry must work together to
address the transnational nature of cyber risk, and there must be a high degree of international
regulatory framework harmonization. Good development is the G7's fundamental element. But
there is still a lot to be done in this area.

The study by Monyoncho (2015) focused on the relationship between banking technologies and
the financial performance of commercial banks in Kenya. The study discovered that the impact
of various jurisdictional regulatory frameworks for cyber risk is analogous to that of legislation
that deviates from accepted technical standards. In order to prevent conflicting directives, some
of which would be implemented solely for compliance and not improve cyber-security,
regulatory requirements must be aligned. This would allow banks operating in many jurisdictions
to avoid these directives. As with any other general regulation on other risks, the conventional
starting point for jurisdictions with clear regulatory requirements for cyber-risk is for banks to
have a written cyber-security program or policy.

The study by Omwansa and Waema (2018) addressed the deepening financial inclusion through
collaboration to create innovative and appropriate financial products for the poor. It was noted
that banks must be able to identify their crucial information assets in the jurisdictions this study
covers. Governments at the national level decide whether organizations and critical infrastructure
are covered by their national cybersecurity regimes. At their own level, banks must meet the
same requirements. This enables systems that contain important information assets to receive

7
priority in cyber-security initiatives. In an ideal world, the entire bank would be protected, but
due to resource constraints, banks would be allowed to choose where to allocate funds to
maximize returns. Usually, the starting point for identifying crucial information assets is the
legal and regulatory obligations for data protection.

3. CONCLUSION

This paper concludes that the digital financial services industry in both developed economies and
emerging economies is aware of the obligations it bears to defend the global financial system in
the face of increasing threats posed by cybercrime. Despite this, there is still a need for
standardization in the way that the sector approaches cybersecurity. As a result of the lack of
standardization in partnership agreements, industry associations, and local regulatory
requirements, compliance management is an endeavor that is fraught with difficulty, particularly
when applied across markets. The industry must continue to engage with regulators and
policymakers in order to develop horizontal and technology-neutral smart privacy regulations
and reach a consensus on their implementation.

In conclusion, despite the success of this endeavor, there is still a possibility that massive losses
could be incurred as a result of system vulnerabilities brought about by technology faults or
malfunctions, human error, or cyberattacks.

Businesses run the danger of suffering severe financial and reputational damage if they do not
make the necessary efforts to bolster their defenses in light of the increasing regulatory attention
on security and privacy. It is imperative that operational risk and cybersecurity risk become
equally ingrained in the mindset of organizations. Everyone working for an organization has the
ability to act as a weak link, which is why it is essential to emphasize the need for cybersecurity
measures at every level of an organization, from the board of directors to the administrative
departments. Everyone in the company is accountable for ensuring the organization's continued
safety in the face of threats.

8
4. RECOMMENDATIONS

In light of the conclusions made above that the digital financial services industry in both
developed economies and emerging economies is aware of the obligations it bears to defend the
global financial system in the face of increasing threats posed by cybercrime. We were drawn to
make the below recommendations:

Key recommendations for the private sector include making investments in the hiring and
retention of skilled personnel, knowledge and capacity building, and an upgrade of
infrastructure, tools, and software, as well as cybersecurity strategies; developing cyber hygiene
programs for their users; ensuring compliance with data protection laws; and collaborating with
other stakeholders to manage cyber incidents.

The acquisition of specialized expertise, which can be prohibitively expensive for some
businesses, is required for the mitigation of cyber risks. An alternative to this is to use an
insourced approach, which allows for the utilization of devoted and experienced personnel "as
needed" to carry out an efficient plan. Businesses may immediately have access to a dedicated
workforce with the knowledge and abilities to construct a relevant and risk-appropriate cyber
security plan once a Cyber Security as a Service (CSaaS) model has been put into place. Internal
security personnel have a responsibility to acquire ongoing training in order to maintain a level
of expertise in emerging threats and data privacy concerns.

The development of cyber hygiene programs for the general public, the monitoring and reporting
of the effectiveness of measures implemented by the government and the financial sector, and
the improvement of collaboration with other stakeholders are the three recommendations for civil
society that are considered to be the most important.

Shared monitoring systems for small and medium-sized financial service providers, collaboration
with universities and academics working on cybersecurity, and increased investments in training
and mentoring young cyber-professionals are some of the additional cybersecurity measures that

9
should be taken into consideration. It is also possible for trade groups to play a part in the
process of supporting the development of suitable resources for those who have been victims of
mobile money fraud or cybercrime. These precautions can protect the honesty and reputation of
mobile financial services, which are absolutely necessary for expanding people's access to
financial resources.

Last but not least, international development partners are urged to do a number of things,
including the following: support civil society organizations in their efforts to conduct research,
advocacy, and training; collaborate with other stakeholders; invest in capacity-building
programs, information sharing, knowledge and technology transfer, and international cooperation
to strengthen the synergies and capabilities between global and national actors, such as
academia, business, government, and media.

Harmonization of legal and regulatory frameworks across different jurisdictions and adherence
to principle-based techniques that reference international standards are both extremely important
aspects of this process. In addition, governments need to play a significant part in the process of
enforcing norms and setting up channels of coordination for the purpose of investigating and
punishing global cybercrime. Both the public and private sectors have the potential to greatly
extend their operations if they engage in open communication and work together on problems
that are related to cyberspace.

10
REFERENCES

Akhisar, I., Tunay, K. B. & Tunay, N. (2015). The Effects of Innovations on Bank Performance:
The Case of Electronic Banking Services. Procedia - Social and Behavioral Sciences
195, 369 – 375.

Andrianaivo, M. & Kpodar, K. (2017). ICT, Financial Inclusion, and Growth: Evidence from
African Countries. IMF Working Paper WP/11/73. International Monetary Fund.
Article 46 of the Central Bank of Kenya (Digital Credit Providers) Regulations of 2021.

Bayero, M. A. (2015). Effects of Cashless Economy Policy on Financial Inclusion in Nigeria: An

Exploratory Study. Procedia - Social and Behavioral Sciences 172, 49–56.

Błach, J. (2018). Financial Innovations and their Role in the Modern Financial System
Identification and Systematization of the Problem. Financial Internet Quarterly-
Finanse, 7(3), 13-26.

Centralbank.go.ke. 2022. Central Bank of Kenya (Digital Credit Providers) Regulations 2022.
[online] Available at:
<https://www.centralbank.go.ke/wp-content/uploads/2022/03/L-.N.-No.-46-Central-
Bank-of-Kenya-Digital-Credit-Providers-Regulations-2022.pdf> [Accessed 2 July
2022].

Centralbank.go.ke. 2022. Press Release Publication Of Regulations for Digital Credit Providers
And Commencement of Their Supervision. [online] Available at:
<https://www.centralbank.go.ke/uploads/press_releases/2119450187_Press%20Release
%20-%20Publication%20of%20Regulations%20for%20Digital%20Credit
%20Providers%20and%20Commencement%20of%20their%20Supervision.pdf>
[Accessed 2 July 2022].

Kamau, A. W. (2020). Intermediation Efficiency and Productivity of the Banking Sector in

Kenya. Interdisciplinary Journal of Research in Business, 1(9), 12- 26.

11
Kenyoru, J. O. (2020). Effect of Financial Innovations on Financial Deepening in Kenya.
Unpublished MBA Project. University of Nairobi.

Korir, M. C., Sang, W., Shisia, A. & Mutung’u, C. (2015). Financial Innovations and
Performance of Commercial Banks in Kenya. International Journal of Economics,
Commerce and Management, 3(5), 1242 – 1265

Lim, W. M. & Ting, D. H. (2021). E-shopping: An Analysis of the Technology Acceptance

Model. Modern Applied Science, 6(4), 49 -62.

McKee, K., Kaffenberger, M. & Zimmerman, J. M. (2020). Doing Digital Finance Right: The
Case for Stronger Mitigation of Customer Risks. Focus Note No. 103.

Monyoncho. L. N. (2015). Relationship between Banking Technologies and Financial

Performance of Commercial Banks in Kenya. International Journal of Economics,
Commerce and Management, 3(11), 784 -815.

Muiruri, J. K. & Ngari, J. M. (2021). Effects of Financial Innovations on the Financial

Performance of Commercial Banks in Kenya. International Journal of Humanities and
Social Science, 4(7), 51 – 57.

Njenga, S. M. Kiragu, D. N. & Opiyo, H. O. (2015). Influence of Financial Innovations on

Financial Performance of Savings and Credit Co-Operative Societies in Nyeri County
Kenya. European Journal of Business and Social Sciences, 4(6), 88 – 99

Nwanne, T. F. I. (2017). Relationship between Financial Inclusion and Economic Growth in

South African Rural Dwellers. International Journal of Small Business and
Entrepreneurship Research, 3(7), 17-2.

Nyamongo, E. & Ndirangu, L. (2015). Financial Innovations and Monetary Policy in Kenya. A
paper submitted to the African Economic Research Consortium (AERC)

Biannual Research Workshop on Financial Inclusion and Innovation in Africa, 1-5.

Omwansa, T. K. & Waema, T. M. (2018). Deepening Financial Inclusion through Collaboration

to Create Innovative and Appropriate Financial Products for the Poor. Working Paper
No. 01/14. Kenya Bankers of Association.

12
Peake, C. (2017). New Frontiers: Launching Digital Financial Services in Rural Areas. The 2012
Brookings Blum Roundtable Policy Briefs. Mercy Corps.

Sarker, S. & Sahay, S. (2017). Implications of Space and Time for Distributed Work: An
Interpretive Study of US-Norwegian Systems Development Teams. European Journal
of Software Developments, 13(1) 3-20.

Sekhar, G. V. S. (2013). Theorems and Theories of Financial Innovation: Models and

Mechanism Perspective. Financial and Quantitative Analysis, 1(2), 26-29.

The National Payment System (NPS) Act of 2011.

Tuesta, D., Sorensen, G., Haring, A. & Cámara, N. (2015). Financial Inclusion and Its
Determinants: The Case of Argentina. Working Paper No. 15/03. Madrid.
Villasenor, J. D., Darrell M. W. & Lewis, J. R. (2019). The 2015 Brookings Financial
and Digital Inclusion Project Report: Measuring Progress on Financial Access and
Usage. Washington, DC. Center for Technology Innovation.

World Bank. (2015). Innovative Digital Payment Mechanisms Supporting Financial Inclusion:
Stocktaking Report. World Bank Group.

13