New directive replaces 2018 framework with stricter requirements on AI oversight, data localization and board accountability, forcing banks and fintechs to overhaul systems as cyber threats grow
Ghana’s central bank has introduced sweeping new cybersecurity rules for financial institutions, replacing a framework officials say can no longer keep pace with the rapid evolution of digital finance and cyber threats.
The Bank of Ghana launched its Cyber and Information Security Directive 2026 in Accra late last month, extending its reach across the financial system, from commercial banks to microfinance firms, fintechs and payment service providers.
“A framework designed for the challenges of 2018 cannot adequately solve the problems of 2026,” Governor Dr. Johnson Pandit Asiama said at the launch.
The directive comes as digital financial services expand rapidly in Ghana, bringing more people into the formal economy while exposing institutions to increasingly sophisticated cyber risks, including ransomware attacks and large-scale data breaches.
Under the new rules, the central bank is shifting from a compliance-based approach to what it describes as “active and collective cyber resilience,” with requirements that cut across operations, governance and technology.
A key change is the introduction of stricter oversight for artificial intelligence systems used in areas such as fraud detection and credit scoring. Financial institutions will be required to demonstrate that such systems are transparent, secure and fair.
The directive also imposes tighter controls on cloud computing, requiring that core systems and sensitive customer data be stored within Ghana, a move that could force banks and fintech companies to restructure existing arrangements with international cloud providers.
Cybersecurity responsibility will now extend to the highest levels of management. Boards will be required to take direct accountability for cyber risk, ending the practice of treating it primarily as a technical issue handled by IT departments.
The rules also seek to address disparities across the sector by scaling requirements to the size and risk profile of institutions, offering smaller firms a pathway to compliance that reflects their more limited resources.
Another major shift is the expansion of oversight to include non-bank financial institutions under a unified framework, closing gaps that regulators say have been exploited by cybercriminals.
“In cybersecurity, one small broken chain can be the entry route for a cyber miscreant to gain access to the bigger architecture,” said John Awuah, chief executive of the Ghana Association of Banks.
The directive builds on the Financial Industry Command Security Operations Centre, established under Ghana’s Cybersecurity Act of 2020 as a sector-wide response unit for cyber threats. The new rules expand its mandate to cover a broader range of institutions.
Implementing the directive is expected to come at a cost. Building and maintaining national cyber defense infrastructure requires investment in technology and skilled personnel, both of which remain in short supply across much of Africa.
Governor Asiama said the central bank had borne the initial costs of establishing the security operations center, but signaled that financial institutions would eventually share in the expense as the system expands.
While large banks are expected to absorb the costs, smaller institutions and fintech firms may face greater strain, even as the proportional framework aims to ease the burden.
Industry participants have broadly welcomed the directive, citing their involvement in its development. But significant work lies ahead, particularly for institutions that rely on offshore cloud infrastructure and will now need to reassess where and how their data is stored.
The changes also demand a shift in how executives approach cyber risk, requiring boards and senior leaders to engage more directly with technical and strategic questions around security.
Ghana is betting that strengthening its defenses now will be less costly than responding to major cyber incidents later. Whether institutions can move quickly enough to meet the new standards remains an open question.
Get the latest news and insights that are shaping the world. Subscribe to Impact Newswire to stay informed and be part of the global conversation.
Got a story to share? Pitch it to us at info@impactnews-wire.com and reach the right audience worldwide
Faustine Ngila is the AI Editor at Impact Newswire, based in Nairobi, Kenya. He is an award-winning journalist specializing in artificial intelligence, blockchain, and emerging technologies.
He previously worked as a global technology reporter at Quartz in New York and Digital Frontier in London, where he covered innovation, startups, and the global digital economy.
With years of experience reporting on cutting-edge technologies, Faustine focuses on AI developments, industry trends, and the impact of technology on society.
Discover more from Impact Newswire
Subscribe to get the latest posts sent to your email.
