
NBE, INSA to establish integrated cybersecurity, financial fraud department
The government has instructed the central bank and the Information Network Security Administration (INSA) to establish a new joint cybersecurity and fraud department in a bid to patch vulnerabilities in Ethiopia’s fast-growing digital payment system.
A national financial cybersecurity framework is also reportedly in the works, with the National Bank of Ethiopia (NBE) and INSA expected to deliver it within the coming year.
The country’s cybersecurity challenges took center stage at the launch of the second National Digital Payment Strategy this week.
From The Reporter Magazine
“A major vulnerability in Ethiopia’s digital payments ecosystem is the lack of a coordinated, sector-wide cybersecurity and threat intelligence mechanism. At present, information on cyber incidents—including phishing campaigns, ransomware, malware, distributed denial-of-service (DDoS) attacks, insider threats, and sophisticated fraud typologies—remains fragmented within individual institutions. This siloed approach prevents collective defence, leaving the ecosystem exposed to repeated exploitation of the same vulnerabilities across banks, MFIs, PIIs, PSOs, and telecom operators,” reads the document.
It outlines plans to establish a ‘Shared National Cybersecurity and Threat Intelligence System’ within the NBE, which officials envision functioning as a secure, centralized hub for real-time intelligence exchange.
The document notes that the absence of a unified, sector-specific cybersecurity framework creates inconsistent security standards across the financial ecosystem, leaving institutions vulnerable to an increasingly sophisticated threat landscape.
It proposes the establishment of a new National Payment System Council as the highest governing body for the strategy, providing executive-level support and mandate for its implementation. The council will be chaired by the NBE governor and include representatives from financial lobby groups such as the Ethiopian Bankers Association, according to the document.
It describes the establishment of a dedicated cybersecurity and fraud directorate within the NBE as crucial for dealing with the increasing sophistication and volume of cyber threats and financial fraud.
“Without a dedicated supervisory body, responsibility for managing these complex risks can become fragmented, hindering the development of a unified and proactive security posture for the nation’s financial system,” it reads.
The document’s authors foresee the directorate serving as the financial sector’s focal point for risk monitoring and incident response in partnership with security agencies such as INSA and the Financial Intelligence Service (FIS).
The document notes that at present, coordinating an effective response becomes complex and slow when fraudulent transactions cross between different financial service providers.
“Individual institutions lack visibility into the full, end-to-end transaction chain, which can delay resolution for consumers. Establishing a shared cybersecurity and fraud desk at the national switch operator addresses this operational gap,” it reads.
Two months ago, EthSwitch, the national switch operator, announced that person-to-person (P2P) transactions had surpassed ATM cash withdrawals for the first time.
The company reported processing more than 128 million interoperable P2P transactions, which include account-to-account and wallet-to-account transfers, valued at nearly 578 billion Birr over the year, highlighting Ethiopia’s rapid adoption of digital payments.
“Positioned at the heart of the payment system, switches have a unique view of interoperable transactions. A dedicated desk at this level can therefore act as a neutral and central coordination point for incident management,” reads the strategy document.
It calls for a National Financial Sector Cybersecurity Framework, which officials hope will harmonize existing directives into a single, risk-based standard aligned with international best practices.
The document notes that although Ethiopia’s established National Public Key Infrastructure (PKI), a cryptographic system that ensures secure communication over a network, provides a foundational security layer for the entire country, financial institutions have largely yet to integrate it.
The strategy mandates INSA to onboard all licensed banks, MFIs, PIIs and PSOs to embed Ethiopia’s National PKI into their core-banking systems, payment gateways and customer channels, using its digital certificates to sign and verify all interbank messages, authenticate payment instructions, provide non-repudiation, and enable fully remote, e-signature onboarding.
The strategy also includes plans for a national digital infrastructure working group made up of various agencies, including the National ID Program, to “coordinate and fast-track interoperability between payments and other digital public infrastructure, as well as coordinate data protection reforms.”
The document details that a lack of clarity on where responsibility and fault lie between financial institutions and consumers during instances of fraud often leaves the burden of loss from digital payment fraud almost entirely on the consumer.
This lack of a clear compensation mechanism weakens the incentive for financial institutions to invest in the advanced security systems needed to prevent such fraud and is a major barrier to building trust in the digital ecosystem, according to the strategy.
Officials plan to implement a directive on authorized push payment fraud that they hope will clarify the responsibilities and liability of consumers and financial institutions in preventing fraud.
“Such a policy would mandate that consumers are reimbursed in instances where financial institutions’ staff, agents, or systems are at fault for causing fraud or failing to adequately prevent fraud. Importantly, this would shift the responsibility for reimbursing victims, requiring both the sending and receiving financial institutions to share the cost of the loss, provided the consumer has acted with reasonable care and the financial institution can be deemed at fault,” reads the document.
While Ethiopia has a foundational financial consumer protection directive, its broad nature does not fully address the specific risks inherent in digital financial services, such as agent-related fraud or the complexities of instant payment disputes.
The strategy outlines plans to amend the directive to include a dedicated section for digital financial services.
Many of the plans hinge on designating the Fayda ID as the primary, mandatory identifier for all new and existing financial accounts, which officials foresee creating a foundational “trust anchor” for the entire ecosystem and reducing the scope for fraud.
The strategy also sets a two-year deadline for the ratification and full implementation of the African Continental Free Trade Agreement (AfCFTA) Digital Trade Protocol in a bid to unlock cross-border e-commerce and digital payment flows.


