Bank of Tanzania drafts tough cyber security rules amid rising digital fraud

Dar es Salaam. The Bank of Tanzania (BoT) is drafting new cybersecurity guidelines for financial service providers to curb rising digital fraud risks and protect public confidence as Tanzania’s digital financial ecosystem expands.

The proposed Cybersecurity Guidelines for Financial Service Providers, 2026 come amid growing concerns over cyber threats, including a recent Sh147.5 billion bank card fraud that exposed weaknesses in payment systems and internal controls across several institutions.

Issued under the Banking and Financial Institutions Act, 2006 and the National Payment Systems Act, 2015, the framework will require banks, mobile money operators and other regulated entities to strengthen governance, monitoring and response systems as digital transactions increase.

Though there is no direct reference, the move comes at a time when the Prevention and Combating of Corruption Bureau (PCCB) has uncovered a large-scale fraud involving cloned bank cards used to make unauthorised withdrawals across multiple banks. Presenting the bureau’s 2024/25 report at State House, PCCB Director General Crispin Chalamila said the stolen funds were channelled into various expenditures, including travel, health services and logistics.

The BoT Governor, Emmanuel Tutuba, said authorities have since tightened controls across the sector while investigations continue. He noted that the suspects, believed to be foreign nationals, used advanced technology to compromise bank cards and access customer accounts.

Against this backdrop, the central bank is proposing a comprehensive governance structure that places responsibility for cybersecurity at the highest level of financial institutions.

Under the draft guidelines, boards of directors will be required to approve cybersecurity strategies, define risk appetite, oversee resilience plans and ensure adequate allocation of financial and technical resources. Boards will also be expected to regularly review cybersecurity performance and commission independent audits of cyber controls.

Senior management will be responsible for implementing board-approved strategies, managing cyber risks across systems and digital channels, and ensuring timely escalation and response to incidents. Institutions will also be required to monitor risks associated with outsourced service providers and third-party technology partners.

Each financial institution will be required to establish a cybersecurity steering committee composed of senior representatives from relevant departments. The committee will coordinate implementation, monitor cyber risk exposure, review incidents and oversee remediation efforts.

In addition, institutions must appoint a Chief Information Security Officer to oversee day-to-day cybersecurity operations, monitor IT systems, enforce compliance with standards and conduct regular staff awareness training.

Risk management and compliance functions will also be strengthened, with institutions required to maintain updated cybersecurity risk registers and integrate cyber risks into enterprise-wide risk management frameworks.

The BoT says the proposed framework is intended to improve preparedness against cyberattacks, strengthen customer data protection and enhance trust in digital financial services, which are becoming central to Tanzania’s economy.

“The guidelines are in the consultation stage, where regulators engage stakeholders to gather views before final issuance,” Mr Tutuba said. “Cybersecurity is becoming increasingly critical as more financial transactions migrate to digital platforms.”

He added that the guidelines will set standards for identifying cyber risks, monitoring suspicious activity and strengthening controls to safeguard transactions against fraud, cyberattacks and other digital threats.

Mr Tutuba said discussions are also ongoing within the Southern African Development Community (SADC), where member states are pushing for harmonised cybersecurity standards to secure cross-border payment systems and digital financial infrastructure.

“There is growing consensus that member countries should establish similar frameworks to protect regional payment systems,” he said.

Countries such as Nigeria, Ghana, India and the United Arab Emirates have already implemented cybersecurity frameworks for financial institutions, setting benchmarks for risk management, incident reporting and customer protection.

Industry players have welcomed the BoT’s move, describing it as timely given the pace of digital adoption.

“This is a timely and necessary regulatory intervention. As Tanzania’s financial system becomes increasingly digital, cyber risk must be treated as a systemic priority,” said the chairman of the Tanzania Bankers Association and NBC Bank Managing Director, Mr Theobald Sabi.

He said the guidelines provide a clear and enforceable framework to promote consistency, strengthen accountability and enhance regulatory compliance across the industry.

The Chief Executive Officer of CRDB Bank, Abdulmajid Nsekela, said the guidelines align with efforts by banks to strengthen technology systems and protect customer data.

“As digital adoption increases, so does the responsibility to ensure system integrity and maintain trust. These guidelines will establish a consistent framework across the industry and reduce systemic risks,” he said.

Analysts say the guidelines could address concerns raised in recent audits over unauthorised withdrawals and weak internal controls, while strengthening accountability within financial institutions.

A senior lecturer at the University of Dar es Salaam Business School, Tobias Swai, said holding boards accountable for cybersecurity is an important step towards improving oversight.

Independent financial analyst Christopher Makombe said the framework will help reduce fraud risks and create a level playing field across banks, fintech firms and microfinance institutions.

“The guidelines will support stronger controls, better monitoring systems and improved protection of customer data, which is essential for sustaining trust in digital finance,” he said.