The Bank of Ghana on 26 March unveiled the Cyber and Information Security Directive 2026, its most detailed set of cybersecurity rules for financial institutions to date.

The directive, known as CISD 2026, was presented at an event in Accra attended by bank executives, fintech operators, and BoG officials.

For the first time, the directive includes governance frameworks specifically covering the use of AI in financial services.

Banks and licensed fintechs deploying AI for credit scoring, fraud detection, or customer-facing decisions will need to document model risks and demonstrate that outputs can be explained to regulators on request.

The directive also tightens cloud security requirements. Institutions using third-party cloud providers must now maintain detailed records of where customer data is stored and processed, with restrictions on certain categories of data leaving the country.

The Bank of Ghana's Cyber and Information Security Directive (March 2026) is a comprehensive regulatory framework for all Regulated Financial Institutions (RFIs) in Ghana. It covers governance structures (including mandatory CISO appointments), cyber and information security policies, risk management, asset management, cyber defence and response protocols, HR security and competency frameworks, electronic banking platform controls, external connectivity requirements, cloud services governance, and incident reporting obligations to the BoG. In effect, it establishes minimum security standards that RFIs must implement to protect financial systems and customer data against increasingly sophisticated cyber threats.

BoG said it would adopt a risk-based approach to enforcement, meaning institutions handling larger volumes of customer data or running more complex systems will face closer scrutiny.

Board-level accountability is another centrepiece. Every regulated institution must now designate a board member or senior executive directly responsible for cybersecurity. BoG said this was a response to repeated findings that cyber risk was being treated as a purely technical matter rather than a governance priority.

The directive also expands the mandate of FICSOC, the Financial Industry Security Operations Centre, which monitors threats across the banking sector. FICSOC will take on a larger role in coordinating incident response and sharing threat intelligence between institutions.

Industry reaction has been cautious. Several bank technology officers said privately that the AI governance requirements, while expected, arrive before most institutions have mature internal frameworks in place to comply with them.

Smaller fintechs may feel the burden more acutely, given thinner compliance teams.

BoG has not yet published a compliance timeline, but said it would issue implementation guidance within the second quarter.