Ghana’s progress and leadership in the digitaliSation of payments has been hugely acclaimed across Africa. The visionary decision of setting up Ghana Interbank Payment and Settlement System (GhIPSS) by the Bank of Ghana (BoG) in 2007 – and the introduction of mobile money services in Ghana by MTN in 2009 – were two key milestones that have culminated in the development of digital payment services. GhIPSS, in collaboration with banks and payment service providers (PSPs), has deepened digital payments with products/services such as Mobile Money Interoperability, GhanaPay Mobile Money, GhIPSS Instant Pay, ACH/CCC and E-zwich.
This feature explores the current state of digital payments architecture in Ghana key technologies and developments, and the cybersecurity measures that have been defined to protect the availability and integrity of this digital infrastructure promoting digital payments and services.
BoG regulatory leadership in digital payments
The central bank of Ghana, with support from its stakeholders, has laid a strong regulatory framework underpinning digital payments that has led to the creation of necessary digital payment infrastructure. This digital infrastructure has become the revolving point around which digital payments and innovation are taking place at a rapid pace in Ghana.
In Ghana, the regulatory regime of digital payments is primarily governed by the Payment Systems and Services Act, 2019 (Act 987), Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930), Guideline on the Operations of Electronic Payment Channels in Ghana (Guideline on Digital Payment Channels), Guidelines for Inward Remittance Services by Payment Service Providers, Licencing Application Pack for Payment Service Providers, Licencing and Categorisation of Fintechs, and Guidelines for Processing Payment Card Transactions for Cards Issued in Ghana.
In 2019, an industry colleague in Kenya had this to say to me: “Kenya is the pioneer of mobile money services, but Ghana has overtaken us with your mobile money interoperability that facilitates seamless inter-telco mobile money transactions”. Careful adoption of new technologies and digital transformation have become the primary drivers of rapid developments in this critical sector of financial services.
Navigating the Payment System Landscape
The Payment System Landscape in Ghana illustrated in Figure 1 identifies four main pillars in Ghana’s digital payments architecture: (1) Bank of Ghana (BoG), (2) Ghana Interbank Payment and Settlement System (GhIPSS), (3) Commercial Banks and Specialised Deposit Taking Institutions, and (4) Fintechs and PSPs.
The Real Time Gross Settlement System (RTGS) is used for large-value payments within Ghana, SWIFT messaging platform facilitates cross-border/inter-country payments, Automated Clearing House (ACH) for cheque codeline clearing is used to facilitate cheque clearing and settlements, a central payment switch is for facilitating payments and the mobile money interoperability (MMI) for cross-telco mobile money transfers and payments.
To facilitate cross-border payments toward realising the AfCFTA protocol on digital trade in promoting intra-African trade and e-commerce, the Africa Import and Export Bank (Afrexim Bank) based in Cairo, Egypt, has been spearheading implementation of the Pan African Payment and Settlement System (PAPSS). PAPSS is a cross-border digital payment infrastructure, that will enable payment transactions across Africa and transform the high dependence of Africa on foreign currencies (US dollar, euro and pound) that have always created foreign exchange risks for African central banks and governments. It has been estimated that the launch of PAPSS will save US$5billion to African central banks and governments yearly, and boost intra-African trade.
BoG Guidelines on Digital Payments and Services in Ghana
The Bank of Ghana in 2018 published a Guideline on Operations of Electronic Payment Channels in Ghana, as part of providing better clarity on the implementation of sections of the Payment Systems and Services Act. Subsequently, additional guidelines (Guidelines for Inward Remittance Services by PSPs, Licenving Application Pack for PSPs, Licencing and Categorisation of Fintechs, Guidelines for Processing Payment Card Transactions for Cards Issued in Ghana) have been published that provide more clarity on the operationalisation of requirements stated in the Payment Systems and Services Act, 2019.
The key areas that have been addressed by Digital Payment Channels Guideline are: (1) Standards on Automated Teller Machine Technology and Deployment, (2) Point of Sale and Mobile Point of Sale Acceptance Services, (3) Payment Terminal Service Providers, (4) Payment Terminal Service Aggregators, (5) Web Acceptance Service (E-commerce), and (6) Fraud Management, Chargeback, Dispute Resolution and Penalties.
These guidelines apply to Banks, Savings and Loans Companies, Rural and Community Banks, Mobile Money companies, Payment Service Providers, Fintechs and Super Agents across the country. It addresses the roles and responsibilities of key stakeholders such as Acquirers (Banks & SDIs), Issuers (Banks & SDIs), online merchants, Card Schemes like Visa and Mastercard, entities which operate payment switches like GhIPSS, payment service providers (PSPs) and patrons of digital payment services in Ghana.
BoG Licencing and Categorisation of Fintechs and PSPs
The Bank of Ghana FinTech & Innovation Office has published the Licence Categories and Permissible Activities for Fintechs and PSPs in Ghana. Fintechs and PSPs have been categorised as (1) Dedicated Electronic & Electronic Money Issuers (DEMI) (2) Payment Service Provider Scheme, (3) Payment Service Provider – Enhanced, (4) Payment Service Provider – Medium (5) Payment Service Provider – Standard and (6) Payment and Financial Technology Service Provider (PFTSP).
The central bank, through the Fintech & Innovation Office, with this categorisation of licencing has also defined the permissible activities each of these licence holders can do. For example, a payment service provider-enhanced licencee can engage in merchant acquiring, printing and personalisation of EMV cards, inward international remittances, provide payment gateway services and provide services to banks and SDIs.
Achieving Cybersecurity for the Digital Payment Ecosystem
The Bank of Ghana has since 2018 issued the Cyber & Information Security Directive to all Banks, Savings and Loans Companies, Rural and Community Banks, Fintechs and Payment Services Providers. It provides the framework for addressing cyber threats and vulnerabilities associated with increased digitalisation in the financial services sector.
In addition to the Cybersecurity Directive, the Guideline on Digital Payment Channels alluded to in the previous section also identifies specific payment industry security standards that Banks, SDIs, PSPs and Fintechs are required to comply with. These payment industry security standards are: (1) Payment Card Industry Data Security Standard (PCI DSS), (2) Payment Application Data Security Standard (PA DSS), (3) Payment Card Industry PIN Security Requirements (PCI PIN), (4) PCI Card Production and Provisioning Security Requirements and (5), Payment Card Industry 3-D Secure (PCI 3DS).
For example, the PCI 3DS (3-D Secure) provides additional security for ecommerce or online payment transactions and guarantees secure transactions that reduce online fraud. It has advanced security requirements for the acquirer domain, the issuer domain and the interoperability domain.
Challenges with BoG enforcement of Payment Industry Security Standards
The Bank of Ghana has different supervisory/inspectorate departments: Banking Supervision Department (BSD), Other Financial Institutions Supervision Department (OFISD), Payment Systems Department (PSD) and the Fintech & Innovation Office. Personnel from these departments seem not to be working in synergy, and sometimes conduct duplicated audits/inspections on Banks, SDIs and PSPs with similar requirements – especially around technology, security and digital payments.
There are lapses on monitoring compliance with these payment security standards after licences are issued to PSPs and Fintechs. In my view, the Bank of Ghana’s supervisory activities toward enforcing the payment industry security standards documented in the Guideline on Digital Payment Channels has been weak. There have been lapses in ensuring that Banks, SDIs and PSPs submit annual attestations of compliance (AoCs) for the various payment industry security standards; such as PCI DSS, PCI PIN, PCI Card Production, PCI 3DS, etc.
These weaknesses may have contributed to the fraud volumes and amounts recorded in the Bank of Ghana’s Banks, SDIs and PSPs Fraud Report. The 2021 and 2022 reports reveal Banks, SDIs and PSPs in the financial services sector lost GH¢61million and GH¢56million respectively to fraudster activities.
The Way Forward
It is my recommendation that Bank of Ghana personnel from the inspectorate departments (BSD, OFISD, PSD, Fintech) – whose task it is to ensure integrity and safety of the digital payment system ecosystem – should work in synergy, build enough capacity in the payment industry security standards and monitor compliance with the payment industry security standards (PCI DSS, PA DSS, PCI PIN, PCI 3DS, etc.) in order to effectively regulate Banks, SDIs, PSPs and Fintechs toward safe and secure digital payments services architecture.
In addition, the central bank should explore the option of relying on licenced cybersecurity providers and cybersecurity assurance entities to independently audit Banks, SDIs and PSPs against the Central Bank Cybersecurity Directive and other payment industry guidelines, so that those independent reports can be submitted to the central bank. This approach has been used successfully by Financial Services Authorities in European countries such as the UK, Germany and Malta, creating more specialised jobs for cybersecurity and payment security assurance specialists and service providers.
Chief Executives and Executive Management of Banks and SDIs should also designate teams (e.g. Payment Engineering & Services Team) with the right mix of skill and experience in technology and digital payments, with dedicated focus on the digital payments landscape to keep pace with the new technologies, developments and regulatory directives issued by the central bank.
Conclusion
The digital payments architecture in Ghana is a key asset underpinning the financial services market architecture. Chief Executives and Executive management of Banks, SDIs, payment service providers and all industry stakeholders should support the Bank of Ghana to protect the accessibility, availability and integrity of this digital payments architecture/system.
Francis is a Cybersecurity, Payments and Privacy Consultant with over 15 years’ experience in the financial, technology and payments services industry. He can be reached on [email protected]