The Cybersecurity, Capacity Development, and Financial Inclusion project, or CyberFI, brings together a robust, transparent community of practitioners and researchers working on digital financial inclusion. This series focuses on understanding financial inclusion ecosystems on their own terms—what countries are doing, what is working, and what isn’t. Six country case studies help capture the diversity of financial markets on the African continent: South Africa, Nigeria, Cameroon, Uganda, Ghana, and Zimbabwe.
The Digital Transformation Strategy for Africa (2020–2030) has a vision for an integrated and inclusive digital economy. The strategy acknowledges that an African digital transformation would help achieve the Agenda 2063 objectives and the UN Sustainable Development Goals. At the same time, it recognizes some threats to a digitally transformed Africa, not least of which are challenges related to the security of fintech services.
In Cameroon, financial services and particularly fintech companies are regulated at the regional level by the Economic and Monetary Community of Central Africa (CEMAC). While Cameroon’s Ministry of Finance takes a more supervisory role, regulations governing the country’s financial sector are made by the CEMAC and sanctioned by the Banking Commission of Central Africa (COBAC).1 However, the CEMAC puts the onus on member states to ensure the integrity and security of communications networks and digital infrastructure for financial services and general communications.2 In response, the Cameroonian government passed Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon.3
The current media frenzy about fintech start-ups puts them in the spotlight. This attention will draw customers, but it will also attract cyber criminals looking for easy targets. It is important to assess the measures that fintech start-ups in Cameroon have undertaken to secure their digital systems and applications from cyber attacks and to gain consumer trust in their data safeguards.
Fintech Start-ups in Cameroon
Used as early as the 1970s, the term fintech was defined early on as a shorthand for “financial technology, combining bank expertise with modern management science techniques and the computer.”4 Today it is defined as the “new financial industry that applies technology to improve financial activities.”5
The fintech ecosystem consists of the following five elements.6
- fintech start-ups: in Cameroon, these firms are primarily involved in electronic payments, lending, insurance, crowdfunding, and to some extent capital asset management, especially for cryptocurrencies
- technology developers: including blockchain, data analytics, and cloud computing developers
- financial customers: individuals and enterprises
- traditional financial institutions: such as conventional banks, insurance companies, venture capitalists, and wealth managers
- government officials: financial regulators and legislators
This analysis focuses on the first element—fintech start-ups—and the measures they have taken to ensure the security of their digital systems and to instil consumer trust.
In 2017, 1.7 million people held a bank account in Cameroon, a number that was only about 31 percent of the total registered mobile money accounts (5.4 million) held in the country that same year.7 Compared to the figures for traditional bank accounts, the adoption of fintech solutions in Cameroon has been massive. While the widespread adoption of fintech accounts in the country was originally driven by the need to advance financial inclusion and reach the unbanked, the coronavirus pandemic has further accelerated this trend.
With a literacy rate of 77 percent,8 Cameroon enjoys the highest mobile money penetration rate in the CEMAC region.9 But because for some time only banks and microfinance institutions, often in partnership with technical operators like telecom companies, were allowed by law to provide payment services, fintech start-ups could not initially participate in this digital financial services boom. This changed, however, in 2019 after a regulation on payment services in the CEMAC redefined payment service providers to include nonbanking institutions like digital platforms and fintech start-ups.10
With initiatives like a start-up incubator and a national payment switch designed to drive down mobile transaction costs and provide fairer interconnection conditions, the government of Cameroon is clearly committed to increasing digitization and access to financial services across the country.11 However, the government admits that a lot still needs to be done not only to secure digital systems in the country but also to build trust among citizens regarding digital technology.12
Research commissioned by the MasterCard Foundation found that trust is the most important factor driving the uptake of fintech services in Cameroon.13 This research also identified fear of new technology as a barrier to fintech adoption, and users were reluctant to use services perceived to be volatile.
Cybersecurity in Fintech Start-ups in Cameroon
Cyber attacks and cyber incidents that lead to financial losses, including those caused by negligence or human error, can cause significant volatility. For example, the MasterCard Foundation report found that fears of new technology were related to “network outages or similar bugs in the technology systems.”14 Ensuring, therefore, that fintech infrastructure and systems are secured from attacks is paramount.
Traditionally, the cybersecurity of large banks and other financial institutions is regulated through strict laws and regulations, with heavy fines meted out for noncompliance. This is the case with Cameroon’s 2010 law on cybersecurity and cyber crime, which requires all operators of information systems to take all necessary technical and administrative measures to guarantee the security of the services provided.15 The law defines an information system as “devices or [a] group of interconnected or related devices performing, by itself or by one or many of its components, automatic data processing, in line with a program.”16 Based on this definition, fintech start-ups are indeed operators of information systems, so the law applies to them. However, fintech companies are often small, young, and budget-constrained. As a result, fintech start-ups tend to invest very few resources and little time in cybersecurity, which in turn makes them attractive, easy targets with vulnerable or outdated software systems for hackers and cyber criminals to attack.
Fintech is revolutionizing the financial services industry in Cameroon with new technologies, such as cloud computing, artificial intelligence and machine learning, big data analytics, robotic process automation, and blockchain. This growing use of technology increases the attack surface of fintech companies and the consumers they serve in ways different from the threats that traditional banking institutions face. At the same time, one of the characteristics of start-ups in Africa and Cameroon in particular is that the companies often have small budgets, with limited or no access to financing, a situation that can cause some fintech start-ups to view the security of their systems and applications as a burden rather than an opportunity.
Financing in African fintech start-ups is at a record high as reported by the World Economic Forum.17 However, the start-up funding reaching the continent is focused on only seven out of fifty-five countries (see figure 1), with Nigeria, Kenya, and South Africa accounting for 87.9 percent of this investment.
When faced with limited access to funding, fintech start-ups in countries that do not attract the bulk of this financing may be forced to prioritize speed to market over other aspects of their operations like cybersecurity.
Cameroon’s minister for posts and telecommunications, Minette Libom Li Likeng, has acknowledged that the country has no cybersecurity culture, a fact confirmed by a 2020 report that studied the state of cybersecurity in Cameroonian enterprises.18 The report found that most enterprises in Cameroon do not understand the cybersecurity threats they face. It is worth noting that a mere 16 percent of firms safeguard their apps and only about half that number conduct penetration testing.19
Cameroon’s 2010 law on cybersecurity and cyber crime generally governs how information systems throughout the country are secured, regardless of industry or sector.20 It empowers the National Agency for Information and Communication Technologies (ANTIC) to serve as Cameroon’s national cybersecurity regulator. The country has no industry-specific cybersecurity regulators or incident-response agencies. The encryption of data both at rest and in transit and the security risks posed by third-party suppliers are two main cybersecurity policy areas that fintech start-ups must get right. There are also other security threats that fintech start-ups should protect against to secure their systems and reassure their customers, including the following ones.
- Securing digital identities to prevent unauthorized access
- Ensuring data security since fintech providers have access to large volumes of sensitive personal data
- Combating money theft and laundering
- Preventing the spread of malware attacks, phishing campaigns, and malicious software masquerading as fintech apps
Because of the likelihood that fintech start-ups in Cameroon could go to market with products and services that are not secure given financing constraints, it is vital to understand what measures (if any) fintech start-ups are taking to secure their systems and their attitude toward cybersecurity as a whole. Representatives from nine Cameroonian fintech start-ups were interviewed, and the results are discussed below.
Using news articles, internet search results, and conversations with individuals in the financial services sector, the author identified fintech start-ups with a product in the Cameroonian market as potential survey respondents. Nine of the firms responded and filled out the survey between October 2021 and January 2022. Some of them declined to answer certain survey questions, citing concerns related to anonymity and discomfort with sharing the information requested. The target respondents for the survey included company founders, chief executive officers, and business development managers. Figure 2 represents the companies that responded to the questionnaire broken down by sector. The survey findings have been grouped into subsections based on the questions that were asked.
The companies were asked to indicate which industry regulations they comply with. This question was open-ended to give companies the opportunity to think about and list all the regulatory bodies that they believe govern their operations and activities. Five respondents said they don’t comply with any regulations, while three said they comply with CEMAC and COBAC regulations (see figure 3). One responded that it complies with the financial markets, an answer that points to the fact that some start-ups do not fully understand the role of regulators or which regulatory bodies are relevant to the fintech sector.
Notably, none of the companies mentioned Cameroon’s cybersecurity regulator, ANTIC, even though it is the only agency in the country that regulates the security of information and communications systems.
Efforts to Balance Security with Other Product Priorities
Based on the responses received, there seems to be a sense that cybersecurity is critical for fintech services, although the companies did not consider ANTIC to be a regulator of the fintech industry. Eight out of nine start-ups considered security and the ease of use of their applications to be equally important, and 33 percent were neutral regarding the importance of the speed to market of their products compared to efforts to secure them.
Of the nine fintech companies, seven said that they had a cybersecurity policy, while two indicated that they did not. Eight companies said that they encrypt application data both in transit and when it is stored, while one respondent was not certain if the firm uses encryption or not. Interestingly, one company that said it had no cybersecurity policy was nonetheless encrypting its application data.
Considering that none of the companies mentioned ANTIC when asked about regulations they comply with, the results for this question were surprising. It may be that these start-ups elect to adhere to industry practice on encryption, regardless of the cybersecurity regulator’s specific regulations.
Security Risks Posed by Third-Party Vendors
Unlike security risks owned by the fintech companies surveyed, the findings showed that third-party security risks are not something that worries fintech start-ups much. While five of the respondents were very concerned about third-party providers’ security risks and do have a specific policy to address them, three of the start-ups interviewed do not take any steps to mitigate third-party risks and one start-up didn’t know what third-party vendor security risks were (see figure 4).
Cybersecurity Audits and Application Security Testing
Like cybersecurity policy, all the interviewed start-ups said they perform regular cybersecurity audits albeit with different frequencies. There was no common frequency among the companies for performing cybersecurity audits. Most of the start-ups also said that they undertake security testing of their applications within the testing phase of their development cycle.
Based on the firms’ responses, cybersecurity incident reporting is left to the individual companies to decide as there are no regulations requiring companies to report cybersecurity incidents. Even Cameroon’s 2010 cybersecurity law does not have any provisions obligating companies to inform customers of any cybersecurity incidents. Three companies said they do not notify any stakeholders of security incidents. Six firms said they notify customers, and four said they notify ANTIC of cybersecurity incidents. This finding is also interesting because, as mentioned earlier, no company recognizes ANTIC as a regulator of the sector’s activities. One company said it reports cybersecurity incidents to the police when they occur.
Customer Awareness of Fraud
It is usually helpful for customers to be aware of what fraud might look like on a particular platform, especially when using digital financial services, because criminals are continually developing new ways to steal money or otherwise defraud users. Two-thirds of the start-ups in the survey said they inform their customers what fraud might look like on their platforms and in their ecosystems.
Cybersecurity Risks in Cameroon’s Financial Ecosystem
In conjunction with the survey results, it is worthwhile to highlight several notable gaps that remain in Cameroon’s capabilities for protecting the cybersecurity of its financial ecosystem.
- No national cybersecurity strategy: Cameroon does not have a formal cybersecurity strategy or a single unified document for cyber policy. However, the majority of its cybersecurity policy today is contained in Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon.
According to government officials, Cameroon is working on its national cybersecurity risk assessments within the framework of relevant international cooperation initiatives and the Commonwealth Cyber Declaration. The declaration integrates three pillars, the second of which underscores paths for building the foundations of an effective national cybersecurity response.
- No clear and accessible way to report cyber crime: Cameroon’s national Computer Incident Response Team (CIRT) was established in 2012, and it sits within ANTIC. It acts as the central point of contact for reporting cyber crime. There is an email address listed on its website for this purpose. Once an incident is reported, it is understood that the crime is investigated by a division specially tasked with investigating cybercrimes within the Ministry of Posts and Telecommunications.21
Unfortunately, the general population in Cameroon doesn’t seem to be aware of this channel or which agency to report cyber crime to. Statistics from ANTIC’s only report on cyber crime and cybersecurity show that there are very few or no reports of cyber crime from ordinary citizens.22 The report divided cyber crime in Cameroon into five categories—attacks on websites, identity theft on social media, credit card fraud, scamming, and simbox fraud—but the figures provided by the report are mostly related to government employees and Most notably, the report highlights that there have been hundreds of cases of identity theft, 182 of which concerned members of the government.
The national police, to whom citizens are used to reporting crime, have no cyber-crime-specific reporting channel or information on their website’s landing page, despite having a special unit for the fight against cyber crime.23 This raises the question of whether there could be a better, easier channel for the general public and enterprises to use to report cyber crimes.
- No sector-specific CIRT: There is no publicly known sector-specific CIRT in Cameroon.
- No specific law or regulation on data privacy and related protections: There are some provisions in the CEMAC’s Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means, and Incidents of Payment, but the data protection obligations on financial institutions are weak.24
- Cybersecurity regulations do not recognize the challenges of small- and medium-sized enterprises (SMEs): Regulators place a blanket obligation on operators of information systems and corporate bodies to secure their digital systems and prevent cyber attacks. No consideration, support, or incentives are given to smaller businesses that do not have the kind of financial and human capital resources required to improve their cybersecurity postures. This basically ignores the fact that approximately 99 percent of enterprises in Cameroon are SMEs.25 How can regulators incentivize SMEs to improve their cybersecurity postures? Can regulators and other government officials perhaps ask larger organizations to include security in their service offerings to SMEs to make such efforts more affordable?
- Cybersecurity skills shortages exist across the nation: There is no publicly available national strategy to address skill shortages or any known cohesive effort to address such skills challenges and cybersecurity education.
- Low cybersecurity awareness in the country with no clear strategy to address it: There is a lack of cybersecurity awareness in Cameroon’s general population. Users are adopting digital technologies, moving online with an offline culture and understanding of security. ANTIC has a program on the national radio broadcaster Cameroon Radio Television, but it is heavily focused on enterprise security and less on individual and family security. While many Cameroonians listen to the radio, it is unclear whether the radio broadcast strategy is achieving its goal, considering that the main target audience seems to be enterprises. How effective is the cyber awareness program, considering the choice of medium and target audience of the radio show? Is there a need to target different types of audiences at different times with appropriate content? Are there other effective and innovative ways that cybersecurity awareness campaigns can be done in Cameroon?
The survey responses from the fintech companies provide more insight into these companies’ general attitudes toward cybersecurity and the drivers or incentives for securing their digital systems when they opt to do so. While the responses do not reveal exactly what their incentives are, it appears that it is not regulation that drives Cameroonian fintech companies’ consciousness of cybersecurity and approaches to product development and operations.
Admittedly, it is surprising that 85.7 percent of the fintech companies interviewed consider security to be a key feature of their products and operations despite the industry’s funding challenges. This suggests that there are already some forces motivating fintech companies in Cameroon to prioritize cybersecurity. Perhaps it is the media’s reporting of the ever-increasing frequency of cyber attacks around the world, or maybe it is simply awareness within the fintech community of the risks that cyber attacks pose. Whatever the reasons are, there is an opportunity for a properly developed and fair cybersecurity regulation not only to support the current forces incentivizing fintech companies to secure their products and operations but also to encourage consistency, predictability, and clarity in the sector as a whole.
The CEMAC, the COBAC, and Cameroon’s Ministry of Finance should consider including sector-specific cybersecurity obligations in their regulations of the fintech sector, including incident notification obligations. When developing these obligations, they should pay attention to the characteristics of the sector, especially the funding limitations many fintech companies face early on. Another set of issues to consider are challenges that might hinder compliance, even when firms are willing to comply.
Finally, information sharing helps peers and partners within an industry protect and defend each other from cyber threats. When the authors requested information from the fintech companies for this survey, many were understandably uncomfortable sharing this information, given that the financial sector generally struggles with sharing cybersecurity information with trusted partners and peers. Yet meaningful cyber threat intelligence gives industry stakeholders an advantage over attackers. The Cameroonian financial sector, in partnership with regulators, should therefore establish a sector-based information sharing center not only to encourage intelligence sharing on threats between trusted partners but also to urge more industry players to participate and collaborate.
From the survey results, fintech companies and start-ups in Cameroon appear to have a strong interest in securing their applications and systems, though it is not clear how that interest translates into action. Such interest is encouraging news for a country with a less mature (in terms of cybersecurity) financial market and with no specific cybersecurity regulations for the financial sector. However, more still needs to be done to help entrepreneurs act on this interest.
For example, Cameroon could benefit from additional government support in the form of awareness campaigns and the development of a sector-specific cybersecurity regulation that uses economic instruments including taxes and subsidies. The awareness campaigns should focus not only on the threat landscape but also on the development of laws, regulations, and incentives that can help fintech companies achieve their cybersecurity goals. This would ensure that cybersecurity remains a priority for fintech companies in Cameroon and that the regulation is implemented in a predictable and sustainable way, thereby safeguarding the financial inclusion gains already made from cyber threats.
This study provides useful insights into fintech entrepreneurs’ views on cybersecurity, but many questions remain unanswered. Why do fintech start-ups seem to care about cybersecurity despite having little or no awareness of national cybersecurity laws and regulations and little recognition of the country’s cybersecurity regulator? How do fintech companies become aware of the risks and repercussions of cyber attacks, and through which channels do companies inform customers of what fraud might look like? These are some areas where further study might be beneficial.
1 “Banking in Cameroon,” Nico Halle and Co. Law Firm, December 24, 2020, https://web.archive.org/web/20210514161138/https://www.hallelaw.com/banking-in-cameroon.
2 “Fixant le Cadre Juridique de la Protection des Droits des Utilisateurs de Reseaux et de Services de Communications Electroniques au Sein de la CEMAC” [Fixing the Legal Framework for the Protection of the Rights of Users of Electronic Communications Networks and Services Within the CEMAC], Economic and Monetary Community of Central Africa (CEMAC), December 2008, http://www.droit-afrique.com/upload/doc/cemac/CEMAC-Directive-2008-07-droit-des-utilisateurs-de-reseaux.pdf.
3 “Loi No. 2010/012 du 21 Decembre 2010 Relative a la Cybersecurite et la Cybercriminalite au Cameroun” [Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon], Cameroon’s Ministry of Posts and Telecommunications, December 2020, https://www.minpostel.gov.cm/images/Les_textes/Lois/Loi_2010-012_cybersecurite_cybercriminalite.pdf.
4 Abraham Bettinger, “Fintech: A Series of 40 Time Shared Models Used at Manufacturers Hanover Trust Company,” Interfaces 2, no. 4 (1972): 62–63, https://www.jstor.org/stable/25058931?refreqid=excelsior%3Abeb51e314f6c8cca20069fb4241fd4d4.
5 Patrick Schueffel, “Taming the Beast: A Scientific Definition of Fintech,” Journal of Innovation Management 4, no. 4 (2016): 32–54, https://journalsojs3.fe.up.pt/index.php/jim/article/view/2183-0606_004.004_0004/262.
6 In Lee and Yong Jin Shin, “Fintech: Ecosystem, Business Models, Investment Decisions, and Challenges,” Indiana University’s Kelley School of Business 61 (2018): 35–46, https://iranarze.ir/wp-content/uploads/2019/01/E10696-IranArze.pdf.
7 Frank Sylvio Gahapa Talom and Robertson Khan Tengeh, “The Impact of Mobile Money on the Financial Performance of the SMEs in Douala, Cameroon,” Sustainability 12, no. 1 (2020): 183. https://doi.org/10.3390/su12010183.
8 “Cameroon – Literacy Rate, Adult Total (% Of People Ages 15 And Above),” World Bank, September 2021, https://data.worldbank.org/indicator/SE.ADT.LITR.ZS?locations=CM.
9 “Central Africa’s Path Forward: Regional Digital Cooperation,” Mondato (blog), October 20, 2020, https://blog.mondato.com/central-africa-path-forward-regional-digital-cooperation.
10 “Reglement No. 04/18/CEMAC/UMAC/COBAC Relatif aux Services de Paiement Dans la CEMAC” [Regulation No 04/18/CEMAC/UMAC/COBAC on Payment Services Within the CEMAC], CEMAC, December 21, 2018, https://www.beac.int/wp-content/uploads/2019/07/REGLEMENT-N-04-18-CEMAC-UMAC-COBAC-du-21-d%C3%A9cembre-2018.pdf.
11 “Digital Economy: Cameroon Plans Creation of Development Center, This Year, to Support ICT Startups,” Business in Cameroon, February 2020, https://www.businessincameroon.com/public-management/1902-9987-digital-economy-cameroon-plans-creation-of-development-center-this-year-to-support-ict-startups.
12 “Plan Stratégique Cameroun Numérique 2020” [Digital Cameroon Strategic Plan 2020], Cameroon’s Ministry of Posts and Telecommunications, May 2016, https://web.archive.org/web/20210303105450/http://cameroundigital.com/wp-content/uploads/2017/05/Plan-strat%C3%A9gique-Cameroun-Num%C3%A9rique-2020_ANG.pdf.
13 “Future of Financial Inclusion with Fin-Techs in Africa,” Muellners Foundation, July 18, 2021, https://research.muellners.org/financial-inclusion-in-africa.
15 “Loi No. 2010/012 du 21 Decembre 2010 Relative a la Cybersecurite et la Cybercriminalite au Cameroun” [Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon], Cameroon’s Ministry of Posts and Telecommunications.
17 Niall McCarthy, “Funding for Africa’s Startups Is at a Record High – This Is Where It’s Going,” World Economic Forum, May 28, 2021, https://www.weforum.org/agenda/2021/05/study-shows-virtual-capital-for-african-startups-is-steeply-increasing.
18 “Cameroon: Cyber Security/Cybercrimes – Experts Examine Advantages, Challenges,” All Africa, November 5, 2020, https://allafrica.com/stories/202011050461.html.
19 Tomslin Samme-Nlar, “Cybersecurity in Cameroonian Enterprises: What We Learnt,” Gefona Digital Foundation (blog), May 22, 2021, https://gefona.org/cybersecurity-in-cameroonian-enterprises-what-we-learnt.
20 Cameroon’s Ministry of Posts and Telecommunications, “Loi No. 2010/012 du 21 Decembre 2010 Relative a la Cybersecurite et la Cybercriminalite au Cameroun” [Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon].
21 “Country Wiki: Cameroon,” Council of Europe, March 2022, https://www.coe.int/en/web/octopus/-/cameroon?redirect=https://www.coe.int/fr/web/octopus/country-wiki-ap?p_p_id=101_INSTANCE_CmDb7M4RGb4Z&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-4&p_p_col_count=1.
22 “Rapport sur la Cybercriminalite et la Cybersecurite au Cameroun de 2015 a 2017” [Report on Cybercrime and Cybersecurity in Cameroon From 2015 to 2017], Cameroon’s National Agency for Information and Communication Technologies (ANTIC), 2017, https://www.cirt.cm/sites/all/themes/corporateclean/bulletins/statistiques_2015_2017.pdf.
23 “Unite Speciale de Lutte Contre la Cybercriminalite,” [Special Unit for the Fight Against Cybercrime], Cameroon’s General Delegation for National Security, https://www.dgsn.cm/wp-content/uploads/2020/01/Depliant-cybercriminalit%C3%A9.pdf.
24 “Règlement N° 03/16-CEMAC-UMAC-CM Relatif aux
Systèmes, Moyens et Incidents de Paiement,” [Regulation No. 03/16-CEMAC-UMAC-CM Relating to Payment Systems, Means and Incidents], CEMAC, November 22, 2016, https://www.beac.int/wp-content/uploads/2019/07/REGLEMENT-N-03-CEMAC-UMAC-CM-du-21-d%C3%A9cembre-2016.pdf.
25 “Recensement General Des Entreprises 2016 (Rge-2), Rapport Preliminaire Des Principaux Resultats” [General Business Census 2016 (Rge-2), Preliminary Report of the Main Results], Cameroon’s National Institute of Statistics, January 2018, https://www.journalducameroun.com/wp-content/uploads/2018/04/Projet_de_rapport_preliminaire_RGE2_du_29_decembre_2017_final.pdf.