Fintech in Zambia is governed by various pieces of legislation, depending on the type of financial service offered. There is no single piece of legislation that governs the entire fintech industry. Generally, fintech is governed by the same laws that govern traditional financial services. However, because of the digital or technological aspect, there are specific laws that apply only to fintech and not to traditional financial services.
Fintech is primarily governed by the Banking and Financial Services Act No. 7 of 2017, the National Payment Systems Act No. 1 of 2007, the Insurance Act Chapter 392 of the Laws of Zambia, the Data Protection Act No. 3 of 2021 and the various regulations and directives issued pursuant to the foregoing.
- Banking and Financial Services Act No.7 of 2017 (“BFSA”)
The BFSA regulates the licensing of financial service providers and the provision of financial services. It also governs the behavior of financial service providers and creates consumer protection mechanisms. It is administered by the Bank of Zambia which issues different types of licences to financial service providers.
Fintech providers whose services are defined as “financial services” under the BFSA must follow it and any Bank of Zambia (“BoZ”) directives. Some examples of such services are commercial or consumer financing services, factoring, brokering, finance leasing, venture capital funding, microfinancing, and development financing.
In addition to the BFSA, micro-financial service providers, both deposit and non-deposit taking are primarily regulated under the Banking and Financial Services (Microfinance) Regulations of 2006.
- National Payment Systems Act No.1 of 2007 (“NPSA”)
The NPSA regulates payment system operations to ensure their safety, security, and dependability. The Bank of Zambia, which serves as the regulatory authority has issued a number of directives governing fintech payment services. The following are some of the directives issued by the Bank of Zambia:
- National Payment Systems (Money Transfer Services) Directives 2021;
- National Payment Systems Directives on Electronic Money Issuance 2018; and
- National Payment Systems on Automated Teller Machine, Point of Sale, Internet Transactions and Mobile Payments 2019.
Mobile money and other electronic payment systems must comply with the relevant directives issued by the Bank of Zambia under the NPSA.
- Insurance Act No. 38 of 2021 (“Insurance Act”)
The Insurance Act, in addition to regulating life and general insurance, introduces and makes provision for the regulation of micro-insurance, expanding the number of insurance products that can be offered through fintech. The Insurance Act is expected to come into effect within the first quarter of 2023, prior to which all insurance related services are regulated by the Insurance Act No. 27 of 1997.
- Regulatory Sandboxes
Regulators like the Bank of Zambia and the Securities Exchange Commission (“SEC”) have put in place frameworks for regulatory sandboxes to promote innovative fintech products. These sandboxes allow the testing of new products and services on the market without putting consumers at risk.
- BoZ Sandbox Guidelines
The BoZ Sandbox Guidelines provide a framework for the market introduction and testing of innovative products and services, as well as other emerging fintech, without the need to strictly adhere to all regulatory requirements. To be eligible for the sandbox, a product or service must be innovative or significantly different from what is currently available on the market, and it must promote financial inclusion. An applicant with a novel product or service must specify which regulations or directives should not apply during the testing phase and explain why those regulations should not apply.
- SEC Sandbox Guidelines
The SEC Sandbox Guidelines promote innovation and participation in capital markets while mitigating risks. The SEC Sandbox Guidelines enable participants to test their products in a timely and cost-effective manner without putting investors or the financial system at risk. The SEC Sandbox is intended for both licensed and unlicensed capital market participants who want to provide innovations not covered by existing legislation. It is also aimed at foreign capital market participants who want to bring new innovations to Zambia. Innovative capital market fintech products can be tested in the SEC Sandbox.
- Data Protection
Data protection is an important aspect of fintech products and services. The Data Protection Act No. 3 of 2021 (the “Data Protection Act”) specifies how customer information and data must be gathered and managed.
The Data Protection Act prohibits the processing of personal data without the customer's consent. The reason for collecting and processing the data must be disclosed in a transparent manner.
The Data Protection Act restricts the circumstances under which data may be processed. This restriction is waived where the data is required for the performance of a contract to which the customer is a party. A fintech service provider can therefore process personal data to fulfil its contractual obligations to a customer for the provided service.
The Data Protection Act requires the implementation of technical and organizational measures to ensure the security and protection of personal data. A data protection impact assessment must be performed whenever new technology is used to process personal information and is likely to pose a high risk to an individual's rights and freedoms. Failure to comply with the provisions on the handling of personal data can result in fines of up to Thirty Million Kwacha or 2% of an entity annual turnover, whichever is higher.
Originally Published 26 January 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.