The Bank of Ghana has published a five-year National Payment Systems Strategy covering 2025 through 2029.

The document names four work-streams as the load-bearing pieces of the transition to a cash-lite economy: open banking, digital identity built on eKYC, cybersecurity resilience, and interoperability across the country's payment rails.

It does not say what cash-to-GDP ratio it is moving the economy against, what share of retail transactions should be clearing digitally by 2029, or which specific milestones mark the path between now and then. Those numbers are not in the published version.

Paper Trail

National Payment Systems Strategy

Bank of Ghana

The Bank of Ghana's National Payment Systems Strategy 2025–2029 is a five-year roadmap built on four pillars — agile regulation, a trusted payment ecosystem, financial inclusion, and enhanced infrastructure — aiming to move Ghana from 81% financial inclusion (2024 Global Findex) to 94% by 2029 through initiatives including ISO 20022 adoption across all payment systems, a centralised fraud monitoring and blacklisting framework, open finance and AI regulations, a "One ID, One Account" programme tied to the Ghana Card, agent interoperability, RTGS and Gh-Link upgrades, cross-border payment integration via PAPSS, SupTech for real-time supervisory monitoring, and a National Trust and Data Exchange Platform — all while updating the Payment Systems and Services Act (Act 987) to accommodate CBDCs, virtual assets, embedded payments, and other emerging technologies.

That is the Strategy in its current shape. A thesis statement with load-bearing pillars, but without the measurement layer that would turn it into a project plan. The implementing committees are where the numbers will come from, and those committees have not been stood up yet.

The four work-streams are not new. Open banking has been a regulatory conversation since the 2023 Payment Systems and Services regulations were updated. eKYC has been the implicit precondition for every cross-bank lending product the country has tried to scale. Cybersecurity resilience is the file the BoG has been building since 2018, when the original Cyber and Information Security Directive first formalised what the industry was already doing informally. Interoperability has been the GhIPSS file since 2008, with a mixed scoreboard in the years since. What is new is putting the four under a single five-year roof and asking the same regulator to grade itself against all four at once.

The most useful numbers in the document are not the targets. They are the threat data the BoG is flagging in the same release. Cyber attacks against domestic financial institutions rose 43 percent in 2024. GH¢19 million was lost to cybercrime in the first nine months of 2025, a 17 percent increase on the comparable 2024 period. The BoG counted 2,008 cyber incidents in the first half of 2025 alone, a 52 percent jump from the prior period. More than 100 virtual asset service providers were registered with the regulator by July 2025, and the figure is presumably larger now. Those numbers are the floor the regulator is starting from. They are also the reason the Strategy exists in its current shape.

The question is how the four work-streams relate to that threat data, because the relationship is inverse. Every work-stream other than cybersecurity itself increases the attack surface. Open banking gives fintechs programmatic access to bank account data. eKYC creates a single identity substrate across the financial sector that becomes a high-value target the moment it goes live. Interoperability connects payment rails that previously had no reason to talk to each other, which means a compromise in one rail has a larger propagation radius than it would have had before. A Strategy that digitises retail payments successfully without hardening the rails in parallel produces a much larger fraud loss number than the GH¢19 million currently on the table. The ordering of the four work-streams in the BoG's document suggests the regulator knows this, though the implementing detail has not been published.

The eKYC work-stream is a question about the Ghana Card more than it is a question about identity standards. The country has spent the last seven years building toward a national biometric ID stack that would eliminate duplicate KYC enrolments across the regulated sector. The Ghana Card is the named infrastructure. It is also the infrastructure the National Identification Authority confirmed this week is not currently activated for payment authentication, even as conversations about future integration continue. A five-year payment systems strategy that depends on eKYC at scale depends on Ghana Card integration at scale, and Ghana Card integration at scale is a different ministry's decision. The BoG cannot make that call unilaterally.

Open banking is the work-stream most likely to reshape competitive dynamics in the payments rail. Done well, it lets a customer at GCB Bank authorise a fintech to read account data and initiate a payment without the fintech needing to negotiate a bilateral integration with each bank. Done badly, it becomes a compliance burden the smallest banks pass through to their customers as a fee. The standards body the Strategy will need to stand up has not been named. Whichever institution the BoG chooses to host that work will quietly become one of the most consequential regulatory bodies in the country's financial stack.

The fiscal backdrop makes the timeline either harder or easier, depending on which variable you look at. The policy rate cut to 14 percent and the sustained disinflation run through the low threes give the BoG macro breathing room it needs to do payment-system work that will not produce immediate political wins. The IMF programme, on the other hand, makes any Strategy that requires significant new public spending difficult to fund through ordinary budget lines. The implementation question for 2026 is whether the work-streams can be covered by existing BoG operating budgets, whether development partner programmes already in flight (the Bank has historically drawn on IFC and World Bank technical assistance for payments infrastructure) can be layered in, or whether new funding requests will be tabled and how quickly they clear.

The five-year window is long enough to outlast the current political cycle. That is the structural argument for a five-year plan: the work does not finish inside a single term, and a strategy document creates institutional accountability across whichever administration sits in 2027 and beyond. It is also the structural risk: a Strategy whose first eighteen months produce only committees and frameworks is vulnerable to a new minister who decides the file needs reframing.

The right way to read the Strategy this week is therefore not as a list of specific commitments. It is as a calendar. Q3 2026 is when the implementing committees should be in place. Q4 2026 is when the open banking standards body should be named. Q1 2027 is when the first eKYC pilot under the Strategy should be running, presumably with a small number of regulated institutions. By Q2 2027, the BoG will need to have published the cash-to-GDP and digital-share targets the current document leaves implicit. If those checkpoints slip, the Strategy stops looking like a plan and starts looking like a press release.

The cybercrime numbers in the same document are why the checkpoints matter. The threat surface is growing faster than the rail. The Strategy is the regulator's bet that it can close the gap. Whether the bet works depends on what fills the space between the four work-streams over the next eighteen months.