Sacco Society Regulatory Authority (SASRA) has set minimum requirements for engagement of third-party financial system integrators (vendors) that provide their financial services to Saccos in a bid to deal with cyber-attacks related to third parties.
In a letter dated June 6, 2023 addressed to chief executives (CEOs) of the regulated Sacco societies, SASRA CEO Peter Njuguna directed all Saccos under it to always ensure that the vendors, who are also known as fintechs, are compliant with the set rules and regulations.
This includes compliance with the requirements of the National Payment Systems Act and related regulations.
SASRA’s guidelines come after a number of third-party system integrators and vendors came together and formed Techpesa Association under the leadership of Chris Gathingu as chairperson.
The objectives of the Association are to set minimum standards of operation for its members and to undertake a self-regulatory role over them. Its formation was a response to SASRA's stakeholder consultations, which were aimed at mitigating cyber-attacks on regulated Saccos, especially those committed through third-party integrator platforms or bridges.
“The Sacco sub-sector is substantially dependent on Third-Party Financial System Integrators (TPFSI) in the provision of mobile money services to their members, including but not limited to digital credit products,” said Njuguna in the letter.
Consequently, the regulated Sacco CEOs have been warned that SASRA reserves the right to prohibit any regulated Sacco from using non-compliant fintech integrators, barring Saccos from using the services of such vendors altogether.
And in case of persistent and continued cyber-attacks on an integrator platform, SASRA notes that through its regulatory mandate, it may direct the Saccos never to use the platform again.
According to SASRA, the terms and conditions of the contractual engagements between fintech vendors and Saccos should require bi-annual audits by reputable audit firms to test the level of security against penetration.
Also, the vendors will be required to undertake full Information Technology (IT) audits whose scope should include, but not be limited to, TPFSI governance and internal policies, change management, application controls, identity and access management, business continuity, disaster recovery, and penetration testing.
Further, the vendors will also be required to allow the Authority unfettered access to the systems they use to provide services to regulated Saccos, including prompt submission of such audit reports as may be necessary.
On incident response, the fintech vendors will be required to formulate and implement a robust plan, including 24/7 cyber-security monitoring of transactions conducted on their platforms.
They are also expected to monitor attack trends and report to the Authority, stating the cause and remedial measures taken within 12 hours.
In addition, they will be required to provide technical assistance to the Authority during any investigations or inspections of the affairs of a regulated Sacco, including providing transactional information of any Sacco.
Further, the fintech vendors will be bound by bank guarantee and insurance indemnity requirements, providing a mandatory bank guarantee for each regulated Sacco on the vendor’s platform that is sufficient to cover not less than 10 per cent of the float held by the Sacco in its mobile money wallet.
And in the event of a loss from the paybill, the regulated Sacco will be required to immediately call on the guarantee if an internal inquiry indicates the vendor was at fault.
The regulated Sacco will be required to lodge a compensation claim from the fintech vendor for any loss from the paybill.
Disputes arising between a regulated Sacco and a third-party integrator will be promptly resolved through the Self-Regulatory Organization (SRO) of which the fintech vendor is a member.
The vendors will further be required to observe employee due diligence by undertaking annual and mandatory new employee checks, including sharing of information with the regulated Sacco and Authority on staff exits and the reasons for that exit.
Furthermore, the engagement terms will also require vendors to adhere to segregation of endpoints, and to that end the Authority may limit the number of regulated Saccos served by a single vendor.
For integration with the M-PESA platform, the Saccos and vendors will operate under an umbrella fraud detection solution provider.
The vendors will be required to adhere to minimum basic IT security standards set out by the provisions of the Data Protection Act and the Sacco Societies Act.
By Hezron Roy