Male bank worker in navy blue suit, smiling and leaning over desk to shake hands with female bank customer in financial office.
Kenya: Cloud in financial services

Kenya: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER : Regulating the Use of Cloud Computing by Financial Institutions

Download now

REGULATORY OVERVIEW

The financial services sector in Kenya has benefited from technological advances such as improved connectivity speeds resulting in improved efficiencies in providing services. A number of new banks have emerged over the last decade and several Kenyan banks have established themselves in other East African countries, gaining a regional footprint. Even though banks and insurance companies in Kenya are yet to fully adopt cloud computing, this is expected to change soon with increasing awareness of the significant benefits and competitive edge derived from cloud services; such as agility, scalability, cyber resilience, and secure access. Increased innovation in Kenya’s mobile telecommunications sector led to the development of M-PESA as a mobile money transfer service. M-PESA has won numerous awards including the ‘Best Mobile Transfer Service’ award and as of November 2016, it was estimated that M-PESA contributed Kenya Shillings 184 billion to Kenya’s economy.1 The growth of M-PESA has facilitated the provision of mobile banking products provided in partnership with banks as well as increased financial inclusion among Kenyans.

The insurance sector has also benefited. Policy holders can pay premiums through platforms such as M-PESA. The Central Bank Kenya (‘CBK’) played a key role in the development of mobile money services in Kenya by providing an enabling environment and ensuring that there was no risk exposure to consumers of these services. When M-PESA was launched in 2007, there were no laws or regulations governing the provision of mobile money services in Kenya. The CBK however adopted a risk based approach and permitted the M-PESA product to be launched. Further, in developing regulations to govern mobile money services, the CBK recognised the need to keep pace with market developments and promote innovation, competition, and consumer protection. It has been observed that innovations evolve faster than legislation and any legal and regulatory framework developed should not stifle competition. It is projected that lenders will continue to leverage mobile telephony innovations to develop cost effective channels of offering financial services.2

In principle, both those in the financial services industry and their regulators appear receptive to cloud usage provided certain risks are addressed. In a highly regulated sector such as the financial services sector, it is however crucial to ensure that any move to the cloud complies with applicable regulation, and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE KENYAN FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to financial institutions in Kenya than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk, and security standards. From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in Kenya, Microsoft stands ready to support our financial services customers in Kenya. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The current financial services industry in Kenya is characterised by a fragmented regulatory regime, with different sectors being supervised by different regulators. There is however a Draft Financial Markets Conduct Bill, 20183 which seeks to promote a fair, non-discriminatory marketplace for access to credit and to provide for the establishment of uniform practices and standards in relation to the conduct of providers of financial products and financial services. The Bill also seeks to regulate the cost of credit and provide for supervision of the conduct of providers in relation to retail financial customers and the promotion and maintenance of a fair and efficient financial sector in Kenya.

  • Currently, the banking sector in Kenya is regulated by the Central Bank of Kenya whereas the Insurance Regulatory Authority has regulatory and supervisory mandate over the insurance sector. The Capital Markets Authority supervises, licenses, and monitors the activities of market intermediaries including the stock exchange and the central depository and settlement system.4

    The Draft Financial Markets Conduct Bill, 2018 proposes to establish a Financial Markets Conduct Authority, a Financial Sector Ombudsman and a Financial Sector Tribunal.

  • Yes, cloud services are in principle permitted and regulatory approval is not required. There is a general requirement for institutions to ensure that third-party service providers of cloud services comply with the applicable legal and regulatory frameworks as well as international best practices. In addition, risks arising from the use of cloud services would be considered to be technology risks and there is a general requirement for institutions to have in place processes of risk assessment and management.5

    Although cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • There is presently no specific legislation governing the provision of cloud services in Kenya. There are however Guidelines and Regulations that would be relevant with respect to the provision of cloud services.

    Within the banking sector, a Kenyan bank’s move to the cloud will likely have to pay attention to:

    • The Central Bank of Kenya Guidance Note on Cybersecurity:6 Institutions are required to comply with a number of measures in respect of outsourcing arrangements. In this regard, institutions are required to have in place adequate governance of outsourcing agreements including due diligence on prospective service providers, documented outsourcing agreements and adequate monitoring of service delivery. In addition, Institutions should ensure that all outsourcing contracts require service providers to comply with applicable legal and regulatory frameworks. Further, vendors should be selected based on compliance and risk assessments and any Service Level Agreements entered into should have robust provisions in relation to security, service availability, performance metrics, or penalties; and
    • banker-client confidentiality rules: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognised in the Banking Act, Cap 488 of the Laws of Kenya.

    Board of directors of market intermediaries regulated under the Capital Markets Act are required to oversee the development and implementation of a process of risk assessment and management.7

    There are no Regulations or Guidelines governing the use of cloud services by insurance companies.

  • Generally approval is not needed. The provision of cloud services is not regulated and as such the terms under which such services would be provided would be contained in the agreements entered into between the parties.

  • Banks are required to engage external consultants with sufficient cybersecurity expertise to assist in understanding their cyber threat landscape. In addition, they should carry out an independent cyber threat test at least once a year8. In this regard, there should be a collaborative approach between the internal audit, risk management, and external audit functions of an institution.

    Banks are also required to undertake due diligence on prospective service providers, documented outsourcing agreements and adequate monitoring of service delivery.9 Furthermore, banks are required to monitor contracted third parties for changes in their business and cyber posture including expansions, divestitures, breaches, and new attacks that may alter the third parties’ exposure.

    A bank or insurance company which has issued securities to the public is required to conduct a legal and compliance audit on a periodic basis.10 The board of such an entity is required to ensure that save for when the independent legal and compliance audit is carried out, an internal legal and compliance audit is carried out on an annual basis, with the objective of establishing the level of adherence to applicable laws, regulations, and standards.

  • At present, there are no restrictions on the transfer of data outside Kenya. However, the draft Data Protection Bill, 201811 contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:12

    • the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
    • the data subject consents to the transfer;
    • the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
    • the transfer is for the benefit of the data subject.

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

Security

We build our services from the ground up to help safeguard your data

Learn more
Privacy

Privacy

Our policies and processes help keep your data private and in your control

Learn more
Compliance

Compliance

We provide industry-verified conformity with global standards

Learn more
Transparency

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

RECOMMENDED RESOURCES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.