2023-07-19

Financial technology vendors have been hit with tough rules as the Sacco Societies Regulatory Authority (Sasra) cracked the whip on cybersecurity fraud that has seen saccos lose more than Sh201,000 daily to hackers.

In drastic changes, the vendors will now be required to provide the regulator unfettered access to their fintech systems round-the-clock for real-time monitoring and deposit bank guarantees against fraud committed on their systems used by saccos.

The vendors will also be required to undertake security penetration tests twice per year to test their technology environment, provide 24/7 monitoring of transactions on their platforms, monitor attack trends, and report to Sasra any cases of attacks or attempted attacks within 12 hours including the remedial measures taken.

“Allow the Authority unfettered access to its systems used or proposed to be used to serve or provide services to regulated saccos, including prompt submission of such IT audit reports as may be necessary,” said Sasra Chief Executive Peter Njuguna in a memo to CEOs of saccos.

The memo was copied to Chris Gathingu, the chairman of Techpesa Association, a lobby group made up of third-party vendors of payment systems to saccos.

Further, the vendors will be required to provide a mandatory bank guarantee for each sacco, covering not less than 10 percent of the money the sacco holds in its mobile money wallet provider's Paybill account.

This means that if hackers penetrate the security systems and steal money and an internal inquiry indicates that the system provided by the vendor was at fault, the sacco will immediately realise the guarantee.

“Provide an insurance indemnity policy covering the balance of money held in the float by each regulated sacco at the mobile money wallet provider B2C (business to customer) (Paybill), and in the event of loss from the Paybill, the regulated saccos to lodge a compensation claim from the fintech integrator, if an internal inquiry indicates the integrator was at fault,” said Mr Njuguna.

To reduce the chances of the vendors being infiltrated by criminal elements, Sasra now requires the fintechs to undertake annual, mandatory due diligence checks on their new employees, and to share with saccos and the regulator information on any staff exits and the reasons for them.

Vendors that violate any of these new strict rules risk being barred from offering their platforms to any regulated sacco operating in the country.

Sasra’s reforms come months after the CBK warned saccos to review and enhance their IT security, including their service level agreements, to ensure that affected saccos are compensated by the vendor in the event of an attack where the vendor is culpable.

“Saccos are also encouraged to undertake indemnity covers to safeguard against attacks,” said CBK in the report mentioned earlier.

Saccos are increasingly switching to digital channels to receive deposits from customers and also disburse funds, which has left them vulnerable to cybersecurity threats from hackers who exploit weaknesses in these payment systems.

This is already having dire ramifications on saccos. The Financial Sector Stability Report 2021 published by the Central Bank of Kenya (CBK), for instance, shows that saccos lost Sh106 million to hackers in the 17 months to March 2021.