1. INTRODUCTION

Tanzania’s financial sector is rapidly and irreversibly digitising. Mobile money platforms, internet banking, USSD-based services and API-driven fintech integrations have dramatically expanded the digital attack surface of regulated financial service providers (FSPs). Against this backdrop, the Bank of Tanzania (BOT) has moved decisively to set a minimum standard for cybersecurity by introducing the Draft Cybersecurity Guidelines for Financial Service Providers, 2026 (hereinafter the Guidelines).

The draft Guidelines were issued in March 2026 and are intended to bind all institutions licensed under the Banking and Financial Institutions Act and the National Payment Systems Act. Their issuance signals a clear regulatory intent that cybersecurity is no longer an IT function alone but a board-level governance imperative and a key condition of licensing. This article provides a legal analysis of the Guidelines, examining the key obligations they impose on FSPs and offering general recommendations.

2. KEY ASPECTS OF THE CYBERSECURITY GUIDELINES FOR FSP

Establishment of the Financial Computer Emergency Response Team (TZ-FinCERT)

To ensure an effective national computer security incident response, the Electronic and Postal Communications (Computer Emergency Response Team) Regulations of 2018 established the National Computer Emergency Response Team (TZ-CERT). Under Regulation 6, the TZ-CERT is mandated to coordinate sector-specific Computer Emergency Response Teams (S-CERTs). These S-CERTs are specialized bodies established to enhance collaboration and information sharing among organizations within particular sectors. In this context, the Financial Computer Emergency Response Team (TZ-FinCERT) was established to coordinate cybersecurity matters within the financial and banking sectors. TZ-FinCERT serves as a central platform for managing and responding to cyber threats affecting financial service providers. Furthermore, under Guideline 4.1.3, financial service providers are required to submit reports of significant cyberattack incidents that may adversely affect their ability to deliver services or harm their reputation. Such reports must be submitted to the Bank within 24 hours of the incident through the TZ-FinCERT portal.

Guideline 4.3 mandates FSPs to establish and maintain a Cyber Threat Intelligence (CTI) process to enhance their ability to understand, anticipate and defend against emerging and targeted cyber threats. The Guidelines further oblige FSPs to appoint a primary and an alternate focal point of contact to participate in TZ-FinCERT engagements and to engage with TZ-FinCERT in the sharing and dissemination of cyber threat intelligence and of incidents occurring within the institution.

Governance Framework (Part II of the Guidelines)

The Guidelines have established a four-tier governance structure in cybersecurity for FSPs, with each tier carrying distinct responsibilities, as highlighted below:

Tier 1: Board of Directors

The Guidelines vest ultimate responsibility for cybersecurity strategy, policy approval, standards and cyber-risk oversight squarely with the Board of the FSP. Key board obligations under Guideline 2.1 include:

  1. Approve and periodically review the institution’s cybersecurity strategy to ensure alignment with the institution’s overall business objectives, risk appetite and regulatory obligations;
  2. Ensure the establishment of an effective cybersecurity governance framework including clear roles, responsibilities and reporting lines across management and control functions;
  3. Oversee the identification, assessment, monitoring and mitigation of cyber risks, including risks arising from third-party arrangements, outsourcing and emerging technologies;
  4. Ensure that management allocates sufficient financial, technical and human resources to implement and maintain effective cybersecurity controls and capabilities;
  5. Foster a strong cybersecurity culture by setting the tone at the top and ensuring that cybersecurity awareness and accountability are embedded throughout the organization;
  6. Ensure periodic independent assessments, audits or reviews of the institution’s cybersecurity framework and controls, and oversee the timely remediation of identified weaknesses.

Tier 2: Senior Management

The Guidelines assign operational execution responsibilities to senior management. The obligations of senior management, among others, include:

  1. Implementing Board-approved strategies, policies and frameworks;
  2. Identifying, assessing and managing cyber risks on an ongoing basis;
  3. Managing third-party and outsourcing cyber risks by conducting due diligence, defining security requirements in contracts, monitoring service providers and ensuring adherence to standards;
  4. Escalating cyber risks, vulnerabilities and incidents to the Board in a timely manner; and
  5. Promoting financial-sector collaboration and information sharing on cyber threats.

Tier 3: Cybersecurity Steering Committee

The Guidelines require each FSP to establish a Cybersecurity Steering Committee (CSC) under Guideline 2.3. The CSC must comprise senior representatives from the relevant departments and is responsible for translating Board strategy into actionable plans, reviewing policy frameworks, coordinating implementation of the cybersecurity framework, monitoring the institution’s risk profile, overseeing third-party risks, facilitating crisis coordination, monitoring the adequacy of cybersecurity resources and recommending enhancements to senior management where gaps are identified.

Tier 4: Chief Information Security Officer (CISO)

Under Guideline 2.5, every FSP must appoint a CISO, who ensures that cybersecurity policies and procedures are adhered to and that incidents are dealt with in a timely manner. The CISO serves as secretariat to the CSC, implements security controls, communicates threats to the CEO, enforces cybersecurity standards, develops policies and conducts annual staff awareness training. Importantly, the CISO is further obliged to monitor all IT platforms and ensure full adherence to strict cybersecurity standards.

Cybersecurity Technical and Operational Controls (Part III of the Guidelines)

Part III is the most technical section of the Guidelines, addressing 14 distinct control domains. The following analysis highlights the most consequential obligations in each domain.

Information Asset Management

Every FSP must establish a single, accurate and up-to-date register of all information assets, including their physical or logical locations. This obligation extends to the inventory, classification and labelling of assets and to handling and secure-disposal procedures.

Identifying People and Roles

Everyone with access to the organization’s systems or facilities, whether employees, temporary staff, contractors or visitors, must have their identity, role and authorized working hours documented. This applies to both physical and digital access to information.

Identifying Business Processes and Activities

An entity must maintain a comprehensive inventory of all its business processes. This inventory shall detail:

  • Core and supporting processes and their associated activities;
  • Dependencies between different processes;
  • The IT assets that enable each business process; and
  • A plan for the continuous and regular review and update of this inventory.

Asset Retention

Information must be retained and maintained for as long as it is needed and destroyed immediately once it is no longer required. The Guidelines require a security policy that identifies retention timeframes according to the applicable laws and regulations governing how long an organization must retain data.

Human Capital Security

FSPs should implement risk-based controls throughout the employee lifecycle to mitigate insider threats and foster a strong culture of information security. The Guidelines further oblige entities to ensure that post-employment obligations, including confidentiality and non-disclosure requirements, are defined, documented, communicated and enforced for all personnel and relevant parties.

User Management and Access Control

The Guidelines establish three aspects in this domain:

  • Identity Management: formal procedures for user registration and deregistration, a unique identifier for every user, enforcement of least privilege and need-to-know, and immediate deactivation of accounts upon termination.
  • Authentication: multi-factor authentication (MFA) is mandatory for all privileged accounts, remote access, high-risk transactions and customer-facing applications. The Guidelines also require password complexity rules, encryption or hashing of stored passwords, and mandatory password changes at regular, predefined intervals. In practice, stored passwords should be protected with a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) rather than reversible encryption, and institutions should note that current international guidance such as NIST SP 800-63B discourages forced periodic rotation in favour of screening against breached-password lists; the Guidelines as drafted nonetheless require rotation.
  • Access Right Review: FSPs must implement access control frameworks based on Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). Such frameworks must enforce segregation of duties, apply zero-trust principles for access to critical systems and ensure secure remote and mobile access through MFA. User access rights must be provisioned, reviewed, modified and revoked in accordance with the established access control policies.

Data Protection

FSPs must maintain a data protection policy compliant with the Personal Data Protection Act. The policy must address data classification, confidentiality, integrity, authenticity, data minimization, purpose limitation, access control, data masking, anonymization, data sharing, transfer, retention and disposal.
Vulnerability Management and Penetration Testing

This domain establishes two clear obligations:

  • Quarterly vulnerability assessments: risk-based vulnerability assessments must be conducted each quarter, with the results submitted to the BOT within 15 days after the end of the reporting quarter.
  • Annual penetration testing: penetration tests must be conducted at least annually by an accredited, independent firm licensed by the Tanzania Communications Regulatory Authority (TCRA). The test report must be submitted to the BOT within 30 days of completion.

Information Systems Security Management

FSPs must implement security controls covering, at a minimum, bring-your-own-device (BYOD) policies, servers, databases, networks, endpoints, storage, email, internet access and applications.

FSPs must also ensure strong authentication and secure session management, protect systems against malware and advanced threats, and maintain robust logging and monitoring.

Virtual Meetings and Video Conferencing

Access to virtual meetings and video conferences must be granted strictly to the intended participants. Information shared during such meetings must be adequately secured, and measures must be implemented to prevent inadvertent disclosure to unauthorized individuals.

Clock Synchronization

Financial service providers’ information processing systems shall be synchronized with approved time sources. Consistent time across systems is what allows log entries from different sources to be correlated during an incident investigation and the sequence of events to be evidenced to the regulator.

Logging and Monitoring

FSPs must implement:

  • Centralized log management that collects events from multiple sources (servers, network devices, operating systems, databases, applications and so on) into a single repository;
  • Protection of logging facilities and log information against tampering and unauthorized access; and
  • Monitoring and detection processes that enable the identification of anomalies, malicious activities and security events across networks, systems and applications.
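The following is an added example, not code from the Guidelines or from the article, showing the three logging requirements above working together: events from several sources are collected into one repository, each record is chained to its predecessor with a hash so that any later edit is detectable, and a detection rule is run over the collected events. The hostnames, usernames, timestamps and the brute-force threshold are constructed for the illustration.

```python
"""Added example (not from the Guidelines or the article): a tamper-evident
central log store plus a simple detection rule run over constructed events.

Events from several sources are appended to one hash chain, so any edit or
deletion after the fact breaks verification; a detector then flags repeated
login failures. Hostnames, users, timestamps and thresholds are constructed.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed; ISO-8601 UTC timestamps from synchronized clocks
    {"ts": "2026-03-10T08:00:01Z", "src": "core-banking-db", "user": "svc_batch", "action": "login", "result": "success"},
    {"ts": "2026-03-10T08:00:05Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "failure"},
    {"ts": "2026-03-10T08:00:09Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "failure"},
    {"ts": "2026-03-10T08:00:14Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "failure"},
    {"ts": "2026-03-10T08:00:20Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "failure"},
    {"ts": "2026-03-10T08:00:26Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "failure"},
    {"ts": "2026-03-10T08:00:31Z", "src": "vpn-gw", "user": "j.doe", "action": "login", "result": "success"},
    {"ts": "2026-03-10T09:15:00Z", "src": "mobile-api", "user": "a.khan", "action": "login", "result": "failure"},
]


class ChainedLog:
    """Append-only repository where each record carries the hash of its predecessor."""

    def __init__(self):
        self.records = []
        self._prev = "0" * 64            # genesis value

    @staticmethod
    def _canonical(event: dict) -> str:
        return json.dumps(event, sort_keys=True, separators=(",", ":"))

    def append(self, event: dict) -> str:
        event = dict(event)              # store our own copy
        digest = hashlib.sha256((self._prev + self._canonical(event)).encode()).hexdigest()
        self.records.append({"prev": self._prev, "event": event, "hash": digest})
        self._prev = digest
        return digest

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain; return (ok, index of first bad record or -1)."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            expect = hashlib.sha256((prev + self._canonical(rec["event"])).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expect:
                return False, i
            prev = rec["hash"]
        return True, -1


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (source, user) pairs with `threshold` login failures inside `window`,
    and note whether a success followed (a likely credential compromise)."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["action"] != "login":
            continue
        key = (ev["src"], ev["user"])
        t = parse_ts(ev["ts"])
        if ev["result"] == "failure":
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
            if len(failures[key]) == threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "at": ev["ts"],
                               "followed_by_success": False})
        elif ev["result"] == "success" and len(failures[key]) >= threshold:
            for a in alerts:
                if a["src"] == ev["src"] and a["user"] == ev["user"]:
                    a["followed_by_success"] = True
            failures[key].clear()
    return alerts


def run() -> dict:
    """Collect the sample events, run detection, then show that an edit is caught."""
    log = ChainedLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    alerts = detect_bruteforce(r["event"] for r in log.records)
    intact, _ = log.verify()
    # An insider who later rewrites a failure as a success breaks the chain.
    log.records[2]["event"]["result"] = "success"
    tampered_ok, bad_index = log.verify()
    return {"alerts": alerts, "intact_before": intact,
            "intact_after_edit": tampered_ok, "first_bad_record": bad_index}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

A hash chain only makes tampering detectable if the current chain head is held somewhere the log administrator cannot rewrite, for example forwarded periodically to a write-once store or to the TZ-FinCERT-facing monitoring team; otherwise an attacker with write access can simply recompute the whole chain.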

Cryptography

FSPs shall develop secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.

FSPs shall also establish and maintain a Cryptography Policy that is documented, approved, implemented, periodically reviewed and updated in line with emerging threats, industry standards and regulatory requirements.

Where possible, digital certificates issued by trusted Certificate Authorities (CAs) should be used for authentication, signing and encryption. Internal PKI deployments should follow industry best practice for certificate lifecycle management.

Digital Financial Services

FSPs must ensure the confidentiality, integrity and availability of all DFS operations, including through:

  • Mobile and USSD security controls;
  • Secure coding practices, peer code reviews and security testing before release; and
  • Compliance of all applications (mobile apps, USSD or web) with the OWASP security guidelines.

Administrative Sanctions for Non-Compliance

The Guidelines empower the Bank to impose a range of administrative sanctions where an FSP or its directors, officers or employees contravene the provisions of the Guidelines. The sanctions may include civil penalties in amounts determined at the discretion of the Bank, suspension of access to the Bank’s credit facilities, limitation or suspension of lending and investment activities, and restrictions on capital expenditure or the acceptance of new deposits. Further, the Bank may take action against responsible individuals, including suspension from office or disqualification from holding any position within any financial service provider regulated and supervised by the Bank of Tanzania. Ultimately, where non-compliance is significant or persistent, the Bank retains the authority to revoke the financial service provider’s licence. These administrative sanctions serve as critical enforcement tools to ensure compliance, promote accountability and safeguard the stability and integrity of the financial system.

3. CRITICAL GAPS AND AREAS FOR IMPROVEMENT

AI and Emerging Technology Risk:

The Guidelines reference ‘emerging technologies’ in several governance provisions but contain no dedicated treatment of Artificial Intelligence (AI) and machine learning (ML) systems deployed by FSPs. Given the rapid adoption of AI in customer service automation, credit scoring, fraud detection and AML monitoring, this is a material omission: AI systems introduce distinct risks beyond conventional cybersecurity risks (for example, adversarial manipulation of model inputs and poisoning of training data) which may constitute material weaknesses for FSPs. We strongly suggest that BOT incorporate a dedicated AI cybersecurity risk guideline in the final Guidelines, requiring FSPs to assess AI-specific risks as part of their overall cybersecurity and information risk management frameworks both before and after the deployment of AI systems.

A good example is the Bank of Ghana Cyber & Information Security Directive, which contains dedicated and specific directives on AI and ML, briefly highlighted below:

  1. There is a mandatory directive on AI and ML awareness and education across all organisational levels (the Board, senior management, data scientists and operational staff), together with a requirement for certification and workshops to build competence in identifying and mitigating AI- and ML-related risks.
  2. The Board is obliged to oversee adherence to the principles of trustworthiness and security in all AI and ML systems.
  3. There is a requirement to establish an AI/ML Oversight Committee (or to designate that function within the existing Cyber & Information Security Risk Committee).
  4. Before deployment to production, AI/ML models must undergo independent validation (internal or external), adversarial testing (such as stress tests and injection of edge cases) and counterfactual analysis, with the report submitted to the Board for approval.
  5. Annexure E on AI/ML governance and control guidelines sets out mandatory guidance and expectations for applying AI and ML systems within institutions’ operations, risk management, decision-making processes and service delivery. It defines the minimum controls, documentation and oversight mechanisms required to ensure security, reliability, fairness, explainability and regulatory compliance throughout the AI/ML model lifecycle.

We therefore strongly recommend that the draft Guidelines be amended to add a detailed AI risk management framework as a domain under Part III.

Absence of a Clear Definition of ‘Significant Cyber Attack incident’:

Guideline 4.1.3 imposes a 24-hour reporting obligation for ‘significant cyber-attack incidents that may have an adverse impact on the financial service provider’s ability to provide services or damage its reputation.’ This is a critical trigger, yet the term ‘significant’ is not defined. The Guidelines provide a severity rating matrix in Schedule I (High, Medium, Low, None), but the reporting obligation in Guideline 4.1.3 is not expressly pegged to any rating threshold. Does a Medium-rated incident trigger the 24-hour window? Does a Low-rated incident with reputational implications qualify? This ambiguity creates a real operational risk of either over-reporting by cautious institutions or under-reporting by those applying a high threshold to avoid regulatory scrutiny, resulting in inconsistent regulatory treatment across institutions. The final Guidelines should define ‘significant’ by reference to the Schedule I rating criteria, ideally specifying that all High-rated incidents and Medium-rated incidents affecting customer-facing services trigger the 24-hour window.

Unclear Applicability and Exclusion of Certain Financial Service Providers:

The Guidelines state that they apply to all financial service providers operating in Tanzania “except where prescribed otherwise by the Bank” through other instruments. However, this broad formulation creates ambiguity when read alongside the definition of a financial service provider in the Guidelines which is limited to institutions licensed, regulated and supervised under the Banking and Financial Institutions Act, 2006 and the National Payment Systems Act, 2015 as these are the same statutes under which the Guidelines are issued. This inconsistency raises concerns about regulatory overreach and a lack of clarity regarding the scope. If the intention is to bind only entities governed under these two Acts then the applicability guideline should expressly align with that definition to avoid interpretive uncertainty.

As currently framed, it may be inferred that certain entities regulated by the Bank of Tanzania such as credit reference bureaus (regulated under the Bank of Tanzania Act) and microfinance service providers particularly those in Tier 2 and Tier 3 governed by the Microfinance Act fall outside the scope of the Guidelines. This raises the question of whether such excluded institutions are not subject to cybersecurity oversight or whether separate frameworks are anticipated. Given the increasing digitization and interconnectedness of all financial sector actors, excluding these entities undermines the systemic cyber resilience of the financial sector. Therefore, it is recommended that the regulatory scope be expanded to cover all institutions licensed and regulated by the Bank of Tanzania with a tiered compliance approach adjusted to institutional size, complexity, risk exposure and operational capacity. A useful benchmark in this regard is the Bank of Ghana Cyber & Information Security Directive which adopts a proportional, risk-based model for different categories of all financial institutions licensed by their central bank.

Error in Schedule 1

The Regulation under Schedule I indicates that it is made pursuant to Guideline 5.1.4. However, Guideline 5.1 addresses sanctions unrelated to cybersecurity incident reporting. It appears that the intended reference was Guideline 4.1.4 which provides that financial service providers shall submit a cybersecurity incident report to the Bank for all incidents occurring within the reporting quarter. The report is to be prepared in the format specified in Schedule I issued under that Guideline and submitted within 15 days after the end of each reporting quarter.

Additionally, the current form under Schedule I indicates a monthly reporting requirement, which is inconsistent with the quarterly reporting obligation prescribed under Guideline 4.1.4. We therefore recommend that the Schedule I form be amended to correctly reference Guideline 4.1.4 and to align the reporting frequency with the prescribed quarterly submission requirement.

4. IMPLICATIONS AND RECOMMENDED PRACTICE

FSPs should ensure that their cybersecurity governance frameworks treat cybersecurity compliance not as a periodic exercise but as a continuous operational discipline. Boards and senior management should receive regular, structured reporting on the institution’s cybersecurity posture, material vulnerabilities, incident history and the status of remediation programmes. Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) should have direct reporting lines to the Board or a relevant Board committee and their assessments should form part of the institution’s risk appetite and strategy review processes.

Moreover, institutions should maintain detailed records of compliance assessments, incident responses and corrective actions as such records will be critical evidence in any regulatory investigation or enforcement proceeding. Proactive engagement with the Bank of Tanzania upon discovery of a material cybersecurity incident including timely notification in accordance with the mandatory reporting obligations in these Guidelines is of material importance.

5. CONCLUSION

The Bank of Tanzania Draft Cybersecurity Guidelines for Financial Service Providers, 2026 represent a landmark regulatory development for Tanzania’s financial sector. They demonstrate a mature understanding of cybersecurity governance and the challenges facing financial service providers in an era of accelerating digitization, increasingly sophisticated cyber threats and growing systemic interconnection.

We strongly encourage all financial service providers to begin assessing their cybersecurity compliance posture to ensure readiness for anticipated regulatory requirements.

Victory Attorneys & Consultants’ Technology Law Department stands ready to support financial service providers in navigating both the compliance obligations and the consultation process, offering specialized advisory and training services at the intersection of these Cybersecurity Guidelines, the Personal Data Protection Act, 2022, and other applicable regulatory frameworks.

Authored by

Adv Fatma Haruna Songoro (CIPM)

Technology & Cybersecurity Lawyer

Head of Technology & Fintech Law Department at Victory Attorneys