Kenyan banks are revising their terms of engagement with third-party technology service providers (TSPs) as they grapple with emerging challenges linked to the growing reliance on outsourced partners, a new Central Bank of Kenya (CBK) survey has revealed.
The survey shows that local lenders are increasingly scrutinising the work of TSPs, adopting a more cautious approach in selecting partners and revising contracts to mitigate associated risks.
This comes as the lenders report rising concerns over cybersecurity and data breaches linked to external firms—risks that have led to financial losses and regulatory setbacks.
“Several FIs (financial institutions) noted the need to move beyond static assessments toward dynamic, integrated oversight frameworks that reflect evolving enterprise risk priorities and technological advancement,” said the CBK in the survey.
Third-party tech firms offer essential services such as mobile and internet banking application development, cloud-storage solutions, and artificial intelligence-based services.
They also support banks with core operations, including payment aggregation, credit scoring, anti-money-laundering and combating the financing of terrorism (AML/CFT), fraud mitigation, and cybersecurity, among others.
However, banks say they are now facing heightened risks, including threats introduced by the outsourced firms’ own clients, prompting a rethink of how these partnerships are managed.
“Financial institutions face a number of challenges when engaging third-party TSPs, including but not limited to high costs of third-party services, adaptability and response to new requirements, limited visibility into subcontractors, longer response times to fix issues, and delayed response to incidents or breaches,” said the CBK.
Cybersecurity and data privacy have emerged as the top concerns in these engagements, cited by over 70 percent of the surveyed financial institutions.
Official data shows that the number of cybercrime attacks against Kenyan institutions more than doubled in the year ended June 2025 compared with the same period a year earlier.
Data from the Communications Authority of Kenya (CA) showed that the number of detected threats rose 146 percent to 8.6 billion during the 12 months to June 2025, up from 3.5 billion in the corresponding period of the preceding year.
According to the CBK survey, 26 percent of the lenders said they lack adequate mechanisms to monitor the TSPs. Other issues cited include regulatory and compliance hurdles, and vendor lock-in, where switching providers becomes prohibitively expensive.
To address these concerns, many banks are enhancing oversight of external service providers, increasing due diligence during selection, and updating contract terms.
While TSPs are already monitored, banks are proposing deeper vigilance and the adoption of more advanced tools to track outsourced activities and adapt more quickly to emerging threats.
They are also tightening the selection process, moving beyond basic regulatory box-ticking to conducting security drills and audits of the firms.
“Evaluating a vendor’s technical capacity, financial stability, regulatory compliance, and cybersecurity posture must go beyond basic checklists and include in-depth assessments, joint disaster recovery drills, and security audits,” CBK noted as feedback from the lenders.
Contracts with third-party vendors are also being revised to include clauses on data protection and termination protocols to “prevent ambiguity and reduce operational and legal risks.”