The Central Bank of Kenya (CBK) has come up with a way to reduce cybercrime rates by issuing new rules to Payment Service Providers (PSPs), stating that they will be responsible for any cybercrime-related offenses.
Henceforth, if a customer’s right to privacy is overlooked, the boards of directors of the payment service providers, including commercial banks and technology companies, will have to take responsibility for the criminal offenses.
Cybersecurity is a concern all over the world, with experts saying that service providers collect customer information and fail to protect it.
The CBK said that PSPs have a responsibility to carry out regular independent assessments and audit functions, to be undertaken by both the internal and external audit and risk functions.
“The board of directors is ultimately responsible for the cybersecurity of the Payment Service Providers,” said the Central Bank of Kenya.
The PSPs are expected to comply within three months. Other firms, such as telcos (Safaricom, Airtel, and Telkom), have 90 days to make sure they sort out any cybersecurity breaches.
All customers should be treated with respect and have their data and information guarded with the utmost confidentiality. In the event that customers’ data is leaked, there should be an agreement supported by a clearly written contract, as stated in the policy.
“Some of the key provisions of the contract include controls to ensure customer data confidentiality and service providers liability in case of a breach,” said the CBK.
The new policy has, however, taken into consideration institutions that collect detailed customer data for accountability and security reasons.
“There are some financial institutions that are required to have detailed customer information to curb money laundering, tax, and accounting reasons,” the CBK explained.
The customer data protection policy can be tabled in parliament after being approved by the government.