The Threat

Nigeria's tech regulator has formally pushed for mandatory breach disclosure requirements targeting fintech operators, including mobile money platforms. This development, reported by TechCabal on April 30, 2026, comes at the same time MTN shareholders are voting on a structural split of the MTN MoMo fintech business from the parent telco. These two events together signal a continent-wide regulatory shift: mobile money platforms are now firmly in the crosshairs of data protection enforcers.

MTN MoMo operates across multiple East African markets, including Uganda and Rwanda, and has a significant user base of millions of unbanked and semi-banked citizens. A structural fintech split, while commercially motivated, also creates new and ambiguous security ownership gaps between the telco parent and the carved-out fintech entity. Attackers exploit exactly these transition periods.

Separately, Amazon's satellite internet unit Kuiper is now seeking a Kenyan operating licence following its Nigerian approval. Expanded broadband reach is welcome, but every new connectivity layer is also a new attack surface for critical infrastructure and financial services.

Impact Assessment for East African Organizations

For banks, SACCOs, and mobile money operators in Kenya, Uganda, Tanzania, Rwanda, Somalia, and Ethiopia, this regulatory momentum has direct and immediate consequences across three areas:

  • Regulatory exposure: Kenya's Data Protection Act 2019 and the CBK Cybersecurity Guidelines already require breach notification. Nigeria's move will accelerate similar enforcement pressure from the Communications Authority of Kenya (CA) and the Office of the Data Protection Commissioner (ODPC). Organizations without a tested incident response plan face fines and reputational damage.
  • MoMo platform risk: Any corporate restructuring of MTN MoMo creates interim periods where security policies, access controls, and incident escalation paths are undefined. East African subsidiaries of MTN - including Uganda and Rwanda - inherit that risk directly.
  • Expanded attack surface from new broadband: Amazon Kuiper's entry into Kenya will rapidly connect rural government offices, health facilities, and power infrastructure. These endpoints are rarely hardened and represent high-value, low-resistance targets for threat actors.

Somalia's rapidly growing mobile money sector, dominated by platforms like EVC Plus and Premier Wallet, operates with almost no formal breach disclosure framework. A breach on those platforms today would go publicly unreported for weeks - exactly the environment organized financial crime groups look for.

Immediate Actions

  • Audit your breach notification readiness today. Map your obligations under the Kenya Data Protection Act 2019, CBK guidelines, or your local regulator's framework. Know your notification window - CBK expects notification within 24 hours of a confirmed breach.
  • Review third-party fintech integrations. If your bank or SACCO connects to MTN MoMo, M-Pesa, or any mobile money API, verify that your vendor agreements include breach notification SLAs and that access is scoped with least privilege.
  • Run a tabletop incident response exercise. Simulate a mobile money API breach and time how long it takes your team to detect, contain, and notify regulators. If the answer is "we don't know," that is your answer.
  • Assess new connectivity endpoints proactively. If your organization is evaluating Kuiper or any new satellite/broadband service for branch or remote-site connectivity, require a security architecture review before go-live - not after.
  • Align with ISO 27001 Annex A.16 (Incident Management). Formalize your incident response procedures, assign named owners, and document your regulator escalation contacts now - before an incident forces your hand.

DRONGO Recommendation

The regulatory direction is clear: breach disclosure is no longer optional in East Africa. DRONGO's vCISO and compliance team helps financial institutions and mobile money operators build incident response programs that satisfy CBK, ODPC, and cross-border regulatory requirements - before an auditor or attacker forces the conversation.

Is your organization protected? Request a free security assessment.