A diverse array of stakeholders—including governments, investors, academics, and development practitioners—have their eyes on the rapidly digitizing economies of Africa and other developing or emerging markets across the globe. But their models and policy recommendations all tend to flow in one direction: How can the West modernize developing economics and bring the underbanked into the global financial system?1

Nanjira Sambuli
Nanjira Sambuli is a fellow in the Technology and International Affairs Program.
More >

These conversations hinge on one big assumption—that because a central banking infrastructure has worked for the United States and other developed economies, it will work in the rest of the world as well. Bolstering financial-sector cybersecurity in Africa and other developing and emerging markets has been framed as a capacity-development priority that is (1) defined in terms of technical assistance, information sharing, and advisory partnerships with developed states; and (2) implemented by regulators, supervisors, and policymakers.

Taylor Grossman
Taylor Grossman is a nonresident scholar with Carnegie's Cyber Policy Initiative.

This framing, however, often discounts key questions of national policies and cultures of security, regional integration, and interdependence, as well as individual user behaviors. Innovations in digital financial services (DFS)—particularly through the spread of mobile money payments and digital lending platforms—have expanded the reach of market infrastructure to systemically underbanked communities.

Digital financial inclusion has advanced rapidly in some contexts and stagnated in others. The conditions that promote success are still not well understood. In some cases, new payment systems reinforce existing barriers for unbanked customers. In others, feature phone use, shared mobile phones, and poor digital financial literacy create significant vulnerabilities. Rampant fraud and security breaches can dissuade consumers from engaging in DFS or even encourage them to readopt the use of cash and other less formal economic systems, such as loan sharks. 

Contextualizing the digital transformation of the financial system across low- and lower-middle-income countries is a critical step toward understanding the determinants of security and trust in digital financial services to foster secure digital development. These rapidly digitalizing countries—particularly those that already have more robust financial technology (fintech) and mobile payment system communities than most Western markets—offer distinct lessons and help to illuminate how the opportunities and risks that accompany new technologies are not evenly distributed.

The country case studies that will follow were developed in collaboration with African scholars and researchers. They are part of Carnegie’s Cybersecurity, Capacity Development, and Financial Inclusion project—or CyberFI. The project is informed by—and will continue to adapt to—the shifting developments at the intersection of digital transformation, security, and financial inclusion.

About CyberFI

The Cybersecurity, Capacity Development, and Financial Inclusion project brings together a robust, transparent community of practitioners and researchers working on digital financial inclusion.

Through discussions and convenings with government policymakers, regulators, cybersecurity specialists, and development community actors, it became evident that in-depth, country-specific context was often missing from work on digital financial inclusion: What kinds of capacity-development projects were succeeding? How did information-sharing and technical support systems that existed on paper compare to actual practice? How clear were regulatory processes for emerging DFS? Where were there gaps and overlaps in policy and practice?

We engaged researchers with deep subject-matter expertise and experience in financial inclusion developments to focus on six countries in Africa that help capture the diversity of ecosystems across the continent: Cameroon, Ghana, Nigeria, South Africa, Uganda, and Zimbabwe. Our initial aim was to map key players in the following six areas: (1) regulating the financial, technology, and security sectors; (2) developing and delivering traditional financial services, such as brick-and-mortar banking; (3) innovating and delivering new digital financial services, such as mobile payment systems; (4) providing technical cybersecurity expertise, including information-sharing mechanisms, remediation capabilities, and cutting-edge research; (5) coordinating international and regional development efforts; and (6) interfacing with national government policy. 

We aim to contribute to the understanding of digital financial inclusion in Africa by going beyond the surface of prevailing narratives—for example, that regulation on security standards hinders innovation in digital financial inclusion. As part of this process, we also confront prevailing ideas about the shortcomings and needs associated with building capacity. 

By exploring the drivers and hurdles to establishing and sustaining mechanisms for collaboration, enforcement, and monitoring, we endeavor to illuminate pathways for public, private, and development community actors to secure digital financial inclusion in respective market ecosystems.

Emerging Themes

Each researcher spent several weeks mapping key financial inclusion ecosystem players in their focus country. During this preliminary phase, we began to identify a series of interesting themes across these country explorations.

First, the modes of policy and regulatory coordination across sectors are often unclear and disjointed. This is particularly true in matters related to DFS: major divides frequently emerged across telecommunications/information communications technology regulators and financial regulators. The shape of these divisions, however, differed widely across countries. In some cases, telecommunications regulators were of paramount importance, while financial supervisors lagged on new fintech; in other countries, telecommunications regulation was underdeveloped. Additionally, at least one country in our study did not suffer from this problem: in Nigeria, telecommunications and financial sector regulators appeared to collaborate quite closely on mobile money service regulation.

Second, national cybersecurity policies and strategies vary greatly across these six countries. Ghana and Nigeria, for example, have strong national strategies that establish institutional authorities specific to promoting cybersecurity. Cameroon and Uganda lack cybersecurity frameworks, policies, or strategies. South Africa, meanwhile, has a national cybersecurity policy framework in place but lacks clear implementation procedures. Zimbabwe is in the process of debating a cybersecurity bill, but its future remains unclear.

National cyber incident response teams (CIRTs) also vary in structure and significance from country to country. CIRTs exist on paper in Cameroon, Nigeria, South Africa, and Ghana. In the case of Ghana, for example, the country’s Cybersecurity Act created a Cybersecurity Authority that is mandated to set up a Computer Emergency Response Team (CERT) for the banking and financial sector. The operational specifics of this CERT, however, remain unclear.

Furthermore, the role that regional and supranational actors play in national policymaking also varies greatly from country to country. For example, Cameroon’s legislative and regulatory provisions for banking institutions are established through a regional body, the Central African Banking Commission (COBAC). But in South Africa, regional institutions tend to be much less significant for in-country financial regulation. Because it’s economically much stronger than its neighbors, South Africa tends to dominate regional discourse, leading sometimes to incorrect assumptions and extrapolations for the Southern African Development Community (SADC). Both Ghana and Nigeria are members of the West African Securities Regulators Association (WASRA), a regional body; however, Ghana is the only country in this study that has ratified the African Union Convention on Cyber Security and Personal Data, also known as the Malabo Convention.

Consumer protection is another particular area of interest. In more established financial sectors, the role of consumer protection authorities tends to be more clearly articulated by existing regulators. The countries of these studies each approach this issue in a distinct way. In Cameroon, the Trade Ministry and COBAC are responsible for consumer protection. South Africa has established a National Consumer Commission and Tribunal. In Ghana, the financial sector regulator enforces consumer protections that are established through acts of parliament. These varying mechanisms have distinct consequences for reducing fraud and protecting individual customers.

Finally, several countries in our initial set of studies have embarked on regulatory experiments at the intersection of digital and financial services. In Nigeria, financial sector and capital market regulatory bodies are collaborating to establish crypto asset market regulations. Zimbabwe has undertaken a dynamic fintech regulatory sandbox. In Ghana, fintechs are partnering with more established telecom service providers to offer digital financial services.

This project sets out to identify these key trends without reducing country-specific contexts. We hope to provide both distinct understandings of individual country phenomena as well as patterns of innovation, regulation, opportunities, and challenges.

Setting the Foundation

This series focuses on understanding financial inclusion ecosystems on their own terms—what countries are doing, what is working, and what isn’t. The six country case studies help capture the diversity of financial markets on the African continent: South Africa, Nigeria, Cameroon, Uganda, Ghana, and Zimbabwe. The essays ask, among other questions: What is the role of regional organizations in Africa, particularly when they often represent diverse economies? How does state policy operate in practice? Are new DFS platforms facilitating inclusion for underbanked communities or reinforcing previous gateways to financial access? 


1 An underbanked person usually has a bank account but relies much more frequently on informal network and cash transactions. An unbanked individual, on the other hand, has no formal financial accounts or mobile money profile. These communities often consist of poor, rural, or otherwise marginalized individuals; additionally, unbanked populations are disproportionately female. See Asli Demirgüç-Kunt, Leora Klapper, Dorothe Singer, Saniya Ansar, and Jake Hess, “The Global Findex Database 2017: Measuring Financial Inclusion and the Fintech Revolution,” World Bank, 2018,