
Kenya: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals


REGULATORY OVERVIEW

The financial services sector in Kenya has benefited from technological advances such as faster connectivity, which has made the provision of services more efficient. A number of new banks have emerged over the last decade and several Kenyan banks have established themselves in other East African countries, gaining a regional footprint. Even though banks and insurance companies in Kenya are yet to fully adopt cloud computing, this is expected to change soon with increasing awareness of the significant benefits and competitive edge derived from cloud services, such as agility, scalability, cyber resilience and secure access. Increased innovation in Kenya’s mobile telecommunications sector led to the development of M-PESA as a mobile money transfer service. M-PESA has won numerous awards, including the ‘Best Mobile Transfer Service’ award, and as of November 2016 it was estimated that M-PESA contributed Kenya Shillings 184 billion to Kenya’s economy.[1] The growth of M-PESA has facilitated the provision of mobile banking products offered in partnership with banks, as well as increased financial inclusion among Kenyans.

The insurance sector has also benefited: policy holders can pay premiums through platforms such as M-PESA. The Central Bank of Kenya (‘CBK’) played a key role in the development of mobile money services in Kenya by providing an enabling environment and ensuring that consumers of these services were not exposed to risk. When M-PESA was launched in 2007, there were no laws or regulations governing the provision of mobile money services in Kenya. The CBK nevertheless adopted a risk-based approach and permitted the M-PESA product to be launched. Further, in developing regulations to govern mobile money services, the CBK recognised the need to keep pace with market developments and to promote innovation, competition and consumer protection. It has been observed that innovations evolve faster than legislation and that any legal and regulatory framework should not stifle competition. It is projected that lenders will continue to leverage mobile telephony innovations to develop cost-effective channels for offering financial services.[2]

In principle, both those in the financial services industry and their regulators appear receptive to cloud usage, provided certain risks are addressed. In a highly regulated sector such as financial services, it is, however, crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE KENYA FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to financial institutions in Kenya than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent and proactive engagement with the financial institution and, where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has built up considerable experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards. From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in Kenya, Microsoft stands ready to support our financial services customers in Kenya. Microsoft has already initiated plans to deliver the Microsoft Cloud (including Microsoft Azure, Office 365 and Dynamics 365) from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers navigate their way to the Microsoft cloud smoothly and with confidence, and to enjoy the benefits of digital transformation.

THE REGULATORY ENVIRONMENT

The financial services industry in Kenya is currently characterised by a fragmented regulatory regime, with different sectors supervised by different regulators. There is, however, a Draft Financial Markets Conduct Bill, 2018[3] which seeks to promote a fair, non-discriminatory marketplace for access to credit and to provide for the establishment of uniform practices and standards in relation to the conduct of providers of financial products and financial services. The Bill also seeks to regulate the cost of credit, to provide for supervision of the conduct of providers in relation to retail financial customers, and to promote and maintain a fair and efficient financial sector in Kenya.

  • Currently, the banking sector in Kenya is regulated by the Central Bank of Kenya, whereas the Insurance Regulatory Authority has the regulatory and supervisory mandate over the insurance sector. The Capital Markets Authority supervises, licenses and monitors the activities of market intermediaries, including the stock exchange and the central depository and settlement system.[4]

    The Draft Financial Markets Conduct Bill, 2018 proposes to establish a Financial Markets Conduct Authority, a Financial Sector Ombudsman and a Financial Sector Tribunal.

  • Yes, cloud services are in principle permitted and regulatory approval is not required. There is a general requirement for institutions to ensure that third-party providers of cloud services comply with the applicable legal and regulatory frameworks as well as international best practices. In addition, risks arising from the use of cloud services would be considered technology risks, and there is a general requirement for institutions to have in place processes for risk assessment and management.[5]

    Although cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance, based on the specific use cases and cloud architecture.

  • There is presently no specific legislation governing the provision of cloud services in Kenya. There are, however, Guidelines and Regulations that are relevant to the provision of cloud services.

    Within the banking sector, a Kenyan bank moving to the cloud will likely have to pay attention to:

    1. The Central Bank of Kenya Guidance Note on Cybersecurity:[6] institutions are required to comply with a number of measures in respect of outsourcing arrangements. In this regard, institutions are required to have in place adequate governance of outsourcing agreements, including due diligence on prospective service providers, documented outsourcing agreements and adequate monitoring of service delivery. In addition, institutions should ensure that all outsourcing contracts require service providers to comply with applicable legal and regulatory frameworks. Further, vendors should be selected based on compliance and risk assessments, and any Service Level Agreements entered into should have robust provisions in relation to security, service availability, performance metrics and penalties; and
    2. Banker-client confidentiality rules: a bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognised in the Banking Act, Cap 488 of the Laws of Kenya.

    The boards of directors of market intermediaries regulated under the Capital Markets Act are required to oversee the development and implementation of a process of risk assessment and management.[7]

    There are no Regulations or Guidelines governing the use of cloud services by insurance companies.

  • Generally, approval is not needed. The provision of cloud services is not regulated, and as such the terms under which such services are provided are contained in the agreements entered into between the parties.

  • Banks are required to engage external consultants with sufficient cybersecurity expertise to assist in understanding their cyber threat landscape. In addition, they should carry out an independent cyber threat test at least once a year.[8] In this regard, there should be a collaborative approach between the internal audit, risk management and external audit functions of an institution.

    Banks are also required to undertake due diligence on prospective service providers, to document outsourcing agreements and to monitor service delivery adequately.[9] Furthermore, banks are required to monitor contracted third parties for changes in their business and cyber posture, including expansions, divestitures, breaches and new attacks that may alter the third parties’ exposure.

    A bank or insurance company which has issued securities to the public is required to conduct a legal and compliance audit on a periodic basis.[10] The board of such an entity is required to ensure that, save for the years in which the independent legal and compliance audit is carried out, an internal legal and compliance audit is carried out annually, with the objective of establishing the level of adherence to applicable laws, regulations and standards.

  • At present, there are no restrictions on the transfer of data outside Kenya. However, the draft Data Protection Bill, 2018[11] contemplates possible future restrictions on the flow of personal data outside Kenya, save in specified circumstances, such as where:[12]

    1. the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
    2. the data subject consents to the transfer;
    3. the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
    4. the transfer is for the benefit of the data subject.

    Microsoft holds itself accountable to, and is subject to, laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses, the EU Privacy Shield and the ISO 27018 privacy standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR), which came into force in May 2018.

  • Notes

    [1] Celebrating 10 Years of Changing Lives.
    [2] Joseph’s M-Pesa dream that triggered Kenya’s mobile money revolution.
    [3] The National Treasury.
    [4] Other market intermediaries include investment banks, stockbrokers, dealers, investment advisers, fund managers, authorized securities dealers, authorized depositories (custodians), credit rating agencies and venture capital companies.
    [5] Section 24 of the Capital Markets (Corporate Governance) (Market Intermediaries) Regulations 2011.
    [6] Guidance Note on Cybersecurity for the Banking Sector, issued by the Central Bank of Kenya pursuant to the provisions of section 33(4) of the Banking Act.
    [7] Section 6 of the Capital Markets (Corporate Governance) (Market Intermediaries) Regulations 2011.
    [8] Paragraph 3.2 of the Guidance Note on Cybersecurity for the Banking Sector.
    [9] Paragraph 3.3 of the Guidance Note on Cybersecurity for the Banking Sector.
    [10] Paragraph 2.10.3 of the Capital Markets Authority Code of Corporate Governance Practices for Issuers of Securities to the Public 2015.
    [11] We have considered the Data Protection Bill, 2018, issued under Kenya Gazette Supplement No. 66 (Senate Bills No. 16) dated 30 May 2018.
    [12] Section 31 of the Draft Data Protection Bill, 2018.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

  • Security: we build our services from the ground up to help safeguard your data.
  • Privacy: our policies and processes help keep your data private and in your control.
  • Compliance: we provide industry-verified conformity with global standards.
  • Transparency: we make our policies and practices clear and accessible to everyone.


EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.