Banks told to report fraud within 2 hours

Banks and mobile money firms will from October be required to furnish the Central Bank of Kenya (CBK) with information on cyber-attacks on a real-time basis.

This latest measure follows a decision by the banking regulator to step up surveillance on cyber fraud.

In the new regulations, CBK wants banks and mobile money companies to submit a report within two hours of a cyber-fraud incident.

The guidelines on cyber-security for payment service providers that became effective this month require firms with systems that clear huge amounts such as bank-to-bank transfers to immediately file reports.

Firms with systems that move huge volumes of cash such as mobile money will also be required to file a preliminary report.

CBK noted that banking systems that it referred to as Systemically Important Payment System (SIPS) were sensitive and their failure ‘could potentially endanger the operation of the entire economy.’

The failure of mobile money platforms or System-Wide Important Payment Systems ‘could also create disruptions due to a large number of users relying on the system, thus affecting public confidence’.

“PSPs should notify CBK within 24 hours, and SWIPS and SIPS within two hours, of any cyber-security incident(s) that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition... this should be followed by a comprehensive report on the incident,” reads CBK guidelines, which PSPs have 90 days to implement.

“On a quarterly basis, PSPs shall provide CBK with a report… concerning its occurrence and handling of cybersecurity incidents.”

The apex bank has also given payment service providers, including telcos operating mobile money and traditional mobile cash platforms, up to December 31 to file strategies on how they have protected themselves against cyber fraud.

It includes having their personnel well versed with cybersecurity and the strategies to ward off possible threats.

Between January and March this year, the Kenya – Computer Incident Response Team (KE-CIRT) detected 11.2 million cyber threats.

In 2018, the economy lost Sh29.5 billion to cybercrime.