The Hidden Risk in Ghana’s Banking and Fintech
- Abena Kyei
- Feb 11
- 5 min read

In the past few years, I have seen Ghana’s financial sector from three very different angles. I started in traditional banking, later moved into consulting with a Big Four consulting firm where I worked mainly in cybersecurity, and eventually transitioned into the fintech space.
Across all these roles, one thing has become clear to me: there is a serious gap between how regulation is written and how risk is managed in practice. On paper, compliance looks strong. In reality, however, I have seen cases where the documentation passes the test, but the actual operational environment would not.
This gap matters because banks, fintechs, and their service providers are more interconnected than ever. If regulators and industry leaders do not address it, we will continue to rely on paperwork that gives a false sense of security.
The Payment Services Act: A Necessary but Incomplete Framework
The Bank of Ghana introduced the Payment Systems and Services Act (Act 987) to regulate payment service providers and fintechs. This was necessary because of the speed at which these entities were becoming central to financial transactions in Ghana. However, when you compare this Act with the frameworks that apply to traditional banks, such as the Corporate Governance Directive, the Outsourcing Directive, and other Bank of Ghana-issued guidelines, it quickly becomes clear that there is a difference in the level of specificity.
The Payment Services Act outlines the licensing and operational requirements for fintechs, but it does not provide the same depth of controls, especially in areas like third-party risk management, information security, and governance. In contrast, banks are guided by clear, detailed directives that leave no room for ambiguity.
This lack of specificity creates room for interpretation, and that interpretation often works against stronger regulatory oversight.
A Real Example of the Gap in Action.
Consider the Outsourcing Directive issued by the Bank of Ghana. Its provisions on third-party risk management, contractual obligations, and security controls are robust and, if applied across the board, could help close many of the operational gaps that exist in the financial sector.
Yet there is an interesting point of contention. Because the directive does not explicitly mention fintechs or PSPs, some industry players may interpret this to mean it does not apply to them. As a result, compliance with these requirements often becomes a matter of choice rather than obligation.
Fintechs are licensed and regulated financial institutions, and they are deeply embedded in the banking ecosystem. Many banks rely on them for digital transaction processing, and in turn, these fintechs sometimes outsource parts of their own operations to other providers. This creates a chain of access that is only as secure as its weakest link.
If regulatory directives remain silent on whether fintechs are covered, is the industry inadvertently leaving a gap that could introduce systemic risk?
Ambiguity and the Risk of Waiting for Enforcement.
Some experts may argue that organizations should not wait to be explicitly mentioned in a regulatory directive before acting. From a governance standpoint, that is true. If a control or standard clearly improves security, adopting it should be common sense.
However, the reality on the ground is more complex. In many cases, whether or not a directive is implemented depends on the environment and the mindset of the organization involved. Some companies will close the gap voluntarily. Others will take advantage of ambiguity and argue that if the regulator did not explicitly include them, they are not required to comply.
This gap creates two categories of players:
1. Proactive organizations that treat directives as guiding principles even if they are not named specifically.
2. Reactive or exploitative organizations that use the lack of explicit mention as an excuse to delay or avoid implementation until forced by an audit.
This is where the real risk lies. Regulators such as the Bank of Ghana may still audit fintechs and payment service providers as if they were traditional banks, relying on broader requirements like ISO 27001 compliance. But the time between the moment a directive is issued and the moment regulators perform an audit is where the danger sits.
Within that period, integrations happen, services scale, and sensitive access chains expand. A vulnerability in any one of those connections can be exploited long before an audit catches it. By the time the regulator enforces compliance, the damage could already be done.
This is why clarity matters. Ambiguity creates a window of exposure. Specific language in directives would close that window and remove any room for interpretation.
What if There Was a Public Information Security Rating for Banks and Fintechs?
In third-party risk management, credibility checks are standard practice. Before entering a business partnership, you review reputation and past performance. Yet when it comes to financial institutions (traditional banks, fintechs, and payment service providers), there is no unified point of reference for their information security posture.
Imagine if there was a regulator-backed platform that provided a security rating for every licensed financial institution in Ghana. For example, if Bank A wanted to integrate with Fintech B, it could review Fintech B’s security posture before committing. A low rating would not necessarily ban the partnership, but it would alert Bank A to apply stronger controls or conduct a deeper due diligence review.
This would solve a growing problem: compliance has become increasingly paperwork-driven. Many organizations focus on passing audits and producing documents that look good on paper, even if operational security is far weaker in practice. Regulators are often the only ones with the power to audit deeply enough to see past the paperwork, but such audits typically happen after the fact, sometimes only after an incident.
What if, instead, there was a proactive mechanism for visibility?
Such a platform could:
- Provide a reference point for financial institutions to assess the security of prospective partners.
- Create accountability for fintechs and banks to maintain strong operational security, not just compliance documentation.
- Protect customers by ensuring that their transactions flow through an ecosystem where weak links are visible and can be managed.
This is not just theoretical. We already accept similar concepts in other domains. For example, credit rating agencies exist to measure creditworthiness. Why not create something similar for information security in the financial sector?
If such a system existed, the weakest link in Ghana’s digital financial ecosystem would not be hidden behind compliance paperwork. It would be visible, measurable, and addressable before the risk crystallizes.
Final Thoughts
This is not a theoretical argument. I have seen these gaps from the perspective of a banker, a consultant, and a fintech insider. I have seen how clean paperwork can hide weak operational realities. I have seen how vague regulation allows organizations to sidestep good security practices.
Fintechs are not the future of banking in Ghana. They are already here, and they are already critical. It is time our regulatory frameworks reflected that reality.
What do you think?
Should fintechs be held to the same technical operational standards as banks? Should directives like the Outsourcing Directive explicitly include them?
Or do you believe the current approach is sufficient?
Should regulators go beyond compliance audits and create a measurable security posture rating for all financial institutions in Ghana?
Abena Nyameye Kyei.