Tanzania is turning to tougher legislation after fraud in digital finance increased. The Bank of Tanzania is drafting the Cybersecurity Guidelines for Financial Service Providers, 2026, which puts stricter obligations on banks and mobile money operators. The draft is issued under Section 71 of the Banking and Financial Institutions Act, 2006 and Section 56(3) of the National Payment Systems Act, 2015.
The timing reflects the growth taking place in digital finance right now. Mobile money usage now exceeds 70% of the population, according to official data reported by Impact Newswire. As more payments have moved to phones and online platforms, exposure to cyber crime has grown.
Customers lost about 5.3 billion Tanzanian shillings, which is around $2 million, to fraud in 2024, mainly through mobile money, bank transfers and ATM transactions, according to official crime statistics. Regulators also recorded an 84% increase in cyber-enabled fraud in late 2023. The Tanzania Communications Regulatory Authority reported that mobile network fraud attempts rose 33% between December 2024 and March 2025.
Central bank governor Emmanuel Tutuba said authorities are strengthening safeguards to protect the country’s “rapidly evolving digital payments landscape.”
What Do The New Rules Require From Banks And Mobile Money Operators?
The draft guidelines establish minimum standards for every financial service provider licensed and supervised in Tanzania. They apply across governance, technical controls and reporting duties.
Boards of directors will carry ultimate responsibility: the guidelines say the board “shall have ultimate responsibility for the formulation, approval and oversight of the implementation of the institution’s cybersecurity strategy, policies, procedures, and minimum cybersecurity standards.” Senior management must then develop and maintain those frameworks and report cyber risks and incidents to the board.
Each institution must appoint a Chief Information Security Officer. The CISO must make sure that cybersecurity policies and procedures are adhered to and incidents are dealt with on time, as they’ve put it. Institutions must also conduct background checks on staff and enforce formal disciplinary frameworks for breaches. They also need to define post-employment confidentiality duties.
On the technical side, the draft outlines detailed requirements…
Financial service providers must conduct vulnerability assessments at least quarterly and penetration testing at least annually through an accredited and independent firm licensed by the Tanzania Communications Regulatory Authority. Multi-factor authentication is mandatory for privileged accounts, remote access, high-risk transactions and customer-facing applications. Shared or default accounts are prohibited unless technically unavoidable and strictly controlled.
Digital financial services must follow secure coding practices, apply encryption, use certificate pinning in mobile apps and follow OWASP security guidelines.
How Will Enforcement Work In Practice?
The Bank is backing the technical requirements with strict reporting timelines and sanctions. Any cyber attack that could harm service delivery or reputation must be reported within 24 hours through the TZ FINCERT portal. Quarterly incident reports and vulnerability assessment reports must be submitted within 15 days after each reporting quarter, and annual penetration test reports must be filed within 30 days of completion.
The guidelines also list consequences: the Bank may impose civil penalties, suspend lending and investment operations, suspend capital expenditure, suspend the privilege to accept new deposits, disqualify directors or officers, or revoke a licence.
Tanzania placed near the bottom of the 2025 Global Fraud Index, which speaks to weaknesses in fraud prevention capacity. Olanyika David West said, “Robbers don’t come in through the front door anymore,” referring to how cyber criminals exploit system vulnerabilities rather than physical bank infrastructure.
Compliance costs for banks are expected to increase. The Bank’s position is that stronger governance, together with mandatory testing and real time monitoring, will build trust in digital finance at a time when more than 70% of citizens rely on it.