Bank Of Ghana Issues New Corporate Governance Guidelines For Payment Service Providers In Ghana
Ghana’s digital financial ecosystem is experiencing rapid growth, with Dedicated Electronic Money Issuers (DEMIs) managing millions of mobile wallets and Payment Service Providers (PSPs) offering gateways, merchant solutions, and interoperability services. This growth has expanded financial inclusion and enhanced convenience but has also created a pressing need for robust governance frameworks to ensure accountability, resilience, and public trust.
In June 2025, the Bank of Ghana (BoG) issued the Corporate Governance Guidelines for Payment Service Providers, 2025, which take effect on 31st December 2025. These guidelines apply to all institutions licensed under the Payment Systems and Services Act, 2019 (Act 987), including DEMIs, PSPs, Payment Schemes, and Payment and Financial Technology Service Providers (PFTSPs). BoG’s primary objective is to entrench trust, transparency, and accountability in the digital financial sector, safeguard financial stability, and reinforce public confidence.
This article provides a summary of the Guidelines, focusing on the responsibilities of Boards, Key Management Personnel (KMPs), and Shareholders, as well as the disclosure, compliance, and reporting obligations of regulated institutions.
Key Guidelines
Directors and Key Management Personnel
The Guidelines place significant emphasis on the appointment and oversight of directors and KMPs. KMPs include the Chief Executive Officer or Managing Director, Technology and Systems Manager, Compliance and Anti-Money Laundering (AML) Reporting Officer, Finance Manager, Chief Legal Officer, and managers of significant business units.
Qualification
No individual may be appointed, elected, or accept a position as director or KMP without the prior written approval of the Bank of Ghana. This requirement ensures that only fit and proper persons with the requisite integrity, competence, and financial soundness are entrusted with leadership roles in the sector.
Regarding the appointments of KMP, institutions must submit a detailed due diligence report on nominees. Acting KMP appointments are restricted to existing staff and cannot exceed six months.
Disqualification
The Bank of Ghana will reject appointments where a nominee has been adjudged to be of unsound mind, declared insolvent, entered into a debt arrangement and has suspended payment of the debt, convicted of fraud or dishonesty, removed from office by a competent authority, holds a similar role in another licensed institution under Act 987, or is below the age of eighteen.
Resignation
Resignations by directors or KMPs must be formally communicated to the Bank of Ghana within ten (10) days of the effective date.
Sound Corporate Governance Standards
The Board
Every regulated institution must establish a Board with the mandate to provide strategic direction, make key decisions, and exercise effective oversight of operations.
Among its roles, the Board must ensure robust risk management, compliance, and internal controls. It must also approve acquisitions and divestments of 10% or more of the company’s value (5% for DEMIs), as well as major investments.
Charter of the Board
The Board must operate under a Board Charter, which serves as its governing framework. The Charter should set out the Board’s authority, define directors’ responsibilities, directors’ code of ethics, and specify the Board’s composition and structure. It must also outline quorum requirements, the frequency of meetings, and the processes for appointment, tenure, re-election, resignation, or removal and remuneration of directors.
The Charter must be reviewed at least once every three years.
Board Structure and Composition
Each regulated institution must maintain a Board of at least three members, two of whom, including the CEO, must be resident in Ghana. The Bank of Ghana may direct the appointment of additional directors depending on the institution’s risk profile. Members of the Board must be appointed by the shareholders of the institution and approved by the Bank of Ghana.
Boards must have a majority of non-executive directors, with DEMIs and EPSPs required to ensure that at least one-third are independent directors.
To avoid conflicts of interest, no more than one-third of Board members may be related persons, and no two related individuals may serve as Board Chair and CEO simultaneously. The roles of Board Chair and CEO must always be separate, with the Chair being a non-executive director.
Independent Director
An independent director may not hold more than five percent of the institution’s shares, may not have been employed by the institution or related entities within the previous two years, and must have no close relatives employed as KMPs or significant financial dealings with the institution in that period.
Board Meeting
Board meetings must be scheduled annually and held at least quarterly. Directors must attend no fewer than two-thirds of meetings within a financial year. The quorum for the Board meetings is two-thirds (2/3) of members, majority of whom shall be non-executive directors. Minutes must be documented, signed by the Chair and Board Secretary, securely stored, and submitted to the Bank of Ghana within ten days of approval.
The Board must conduct regular performance evaluations of itself, its Chairperson, and individual directors, with an externally facilitated review at least every three years
Roles of Key Management Personnel
The Guidelines underscore the importance of KMPs in ensuring that regulated institutions are managed transparently, efficiently, and in alignment with regulatory expectations.
At the helm is the Managing Director (MD) or Chief Executive Officer (CEO), who is responsible for day-to-day management. The CEO must define and communicate responsibilities across the executive team, implement Board-approved policies, manage income and expenditure within approved budgets, and provide the Board with timely financial updates. The CEO must also develop and execute a talent management and succession plan for critical roles.
The Technology and Systems Manager
Supporting the CEO are other key officers. The Technology and Systems Manager is responsible for the security, reliability, and performance of the institution’s IT infrastructure, ensuring its timely maintenance and upgrades.
The Compliance and Risk Manager
The Compliance and Risk Manager ensures adherence to legal and regulatory requirements, implements risk mitigation strategies, and advises the Board on emerging compliance issues.
The AML Reporting Officer
The AML Reporting Officer focuses specifically on anti-money laundering, counter-terrorism financing, and proliferation (AML/CFT&P) compliance, reporting regularly to the Board and liaising with regulators and authorities.
The Chief Finance Officer
The Chief Finance Officer manages financial planning and reporting, monitors performance against budgets, and ensures timely prudential reporting to the Bank of Ghana.
Together, these roles form a comprehensive governance structure, ensuring operational integrity and the sound management of regulated institutions.
Specialized Board Committees
At minimum, an Audit Committee and a Risk and Compliance Committee must be constituted, each chaired by an independent director. The Audit Committee oversees internal and external audit functions, while the Risk and Compliance Committee advises on the institution’s risk appetite and monitors management’s implementation of risk strategies.
Tenure is limited; non-executive directors may serve a maximum of four years per term, renewable for not more than two additional terms, while the Board Chair may be renewed only once.
Alternate Director
Where a director is absent from Ghana or unable to act for a period not exceeding six months, they may appoint another director or another person approved by Board resolution to serve as an alternate director, in accordance with section 181 of the Companies Act, 2019 (Act 992).
Disclosure and Transparency
Regulated institutions must, by 31st March each year, submit to the Bank of Ghana a list of significant shareholders, directors, and KMPs as of 31st December of the preceding year, including details of major shareholdings, voting rights, and any related party transactions.
Corporate Governance Certification
Directors are required to undertake corporate governance certification every four years from the National Banking College or another institution recognized by the Bank of Ghana.
Cooling-Off Period
To prevent conflicts of interest, former Bank of Ghana officers, directors, or senior executives may not be appointed as directors or consultants of a regulated institution until at least two years have elapsed since the end of their service. Similarly, audit professionals who have provided services to institutions within the ecosystem may not be appointed as directors or CEOs until two years have passed since their last engagement.
Conclusion
The Corporate Governance Guidelines for Payment Service Providers, 2025, represent a significant step toward building a resilient and transparent digital financial services sector in Ghana. By setting clear expectations for board composition, management accountability, risk oversight, and disclosure, the Bank of Ghana is signalling its commitment to safeguarding financial stability and protecting consumers.
For DEMIs, PSPs, and other regulated entities, these Guidelines are more than a compliance requirement, they are a framework for embedding sound governance practices that can enhance institutional credibility, attract investment, and support long-term growth. Institutions that proactively align their policies, board structures, and internal controls with the Guidelines will be better positioned to manage risk, foster public trust, and thrive in an increasingly competitive and regulated market.
An Overview Of Data Protection Law In Ghana
As digital technology becomes increasingly central to business, governance, and everyday life, the need to safeguard personal data has gained global significance. Recognizing the risks associated with the misuse of personal information, Ghana has taken proactive steps to establish a legal framework that ensures data protection and privacy rights for its citizens and residents. The cornerstone of this framework is the Data Protection Act, 2012 (Act 843).
This article explores the key provisions, principles, and implications of Ghana’s data protection laws, offering insight into how the country is addressing privacy in the digital age.
The Legal Framework: Data Protection Act, 2012 (Act 843)
Data protection is the process of safeguarding important information from corruption, compromise, or loss. Ghana’s Data Protection Act, 2012 (Act 843) was enacted to regulate the processing of personal information, particularly in the context of digital communication and record-keeping. The Act establishes the rights of individuals regarding their personal data and imposes obligations on organizations that collect, store, or process such data.
The main objectives of the Act include safeguarding the privacy of individuals, regulating the collection, use, and disclosure of personal data, and ensuring transparency and accountability in data handling practices.
Core Principles of Data Protection
The concept of data protection is underpinned by certain key principles organizations are required to follow to ensure personal data is collected, used, managed, and stored in a responsible manner. While these principles may vary slightly according to various legislations, they are generally influenced by the globally accepted General Data Protection Regulation (GDPR).
In Ghana, Act 843 sets out eight key principles that govern the processing of personal data as provided under Sections 17 to 33. These are accountability, lawfulness of processing, specification of purpose, compatibility of further processing, quality of information, openness, data security safeguards and data subject participation.
The above principles represent the core obligations of data controllers under Act 843 and are designed to promote accountability and protect individuals' privacy. They require organizations to handle personal data responsibly, lawfully, and in a transparent manner, collecting it only for specific purposes, keeping it accurate and secure, and ensuring individuals are informed and can exercise their rights over their own data.
The Role of the Data Protection Commission
Section 1 of Act 843 establishes the Data Protection Commission (DPC) as the regulatory authority responsible for implementing, monitoring and enforcing data protection laws in Ghana.
Its responsibilities include:
- Registering data controllers and data processors;
- Promoting awareness of data protection rights and responsibilities;
- Investigating complaints and enforcing compliance;
- Issuing guidelines, codes of conduct, and sanctions where necessary.
Rights of Data Subjects
Under Section 39 of Act 843, individuals whose personal data is collected or processed—referred to as data subjects—are granted several rights to protect their privacy and ensure transparency. These include the right to be informed when their data is being collected, the right to access and correct their personal data, the right to object to certain forms of processing, the right to withdraw consent at any time, and the right to lodge a complaint with the Data Protection Commission if they believe their rights have been violated.
Who Must Comply
The Data Protection Act, 2012 (Act 843) applies to all data processors and controllers operating in Ghana, including but not limited to financial institutions, healthcare providers, telecommunications companies, and educational institutions. It also extends to entities based outside Ghana that process personal data relating to individuals within the country.
Registration with the Data Protection Commission
Every organization that handles personal data, i.e., data processors and controllers, is required to register with the Data Protection Commission (DPC).
To begin the registration process, the data controller or processor must complete a registration form provided by the DPC. This form requires key information about the organization, including its legal status, nature of operations, categories of personal data collected, the purpose for processing, and security measures in place to protect the data. Applicants must also submit supporting documents such as a certificate of incorporation, business license, TIN, and proof of payment of the applicable registration fee.
Upon approval, the Commission issues a Certificate of Registration, authorizing the organization to lawfully process personal data. This registration is valid for one year and must be renewed annually.
Offences and Penalties
The Data Protection Act, 2012 (Act 843) imposes both civil and criminal liabilities for non-compliance with its provisions. Offences under the Act include failure to register with the Data Protection Commission (DPC), the unlawful disclosure of personal data, failure to implement appropriate data security measures, and obstruction of investigations conducted by the Commission. Depending on the nature and severity of the offence, penalties may be in the form of fines, imprisonment or both.
Additionally, the Commission is empowered to impose administrative sanctions such as the suspension or cancellation of an organization’s registration.
Conclusion
Ghana’s Data Protection Act, 2012 (Act 843) plays a crucial role in promoting data privacy and security in an increasingly digital environment. As organizations and public institutions increasingly rely on personal data, complying with the law is not only mandatory but also vital for establishing trust with clients and the public.
Whether you are a business operator, employee, or individual, it is important to be aware of your rights and responsibilities under the Act to ensure responsible handling and use of personal data.