The Central Bank of Kenya (CBK) has issued new rules to payment service providers including commercial banks and technology companies warning the boards of directors that they face "ultimate" liability in case of criminal breaches.
In the guidelines aimed at stemming cybercrime, the CBK says boards will take responsibility for breaches of customer information.
"Payment Service Providers (PSPs) should carry out regular independent assessment and audit functions that shall be undertaken by the internal and external audit and risk functions ... The board of directors is ultimately responsible for the cybersecurity of the PSP," said CBK.
PSPs including firms like Mastercard, Visa, Safaricom, Airtel and Telkom who have 90 days to comply with the requirements published this month.
Firms working with PSPs are also expected to treat customer information confidentially.
"Outsourcing agreements should be governed by a clearly written contract, the nature and detail of which should be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the PSP," says the policy.
"Some of the key provisions of the contract include controls to ensure customer data confidentiality and service providers' liability in case of breach ... "
Some financial institutions are required to collect detailed customer information for anti-money laundering, tax and accounting reasons.
Privacy experts around the world have recently expressed concerns about how personal data is collected and used by companies.
In April, the government approved a tough policy on data protection, paving the way for it to be tabled in Parliament.