PAYMENT SERVICE PROVIDERS (PSPs) AUTHORIZATION

CHECKLIST –
This A-Z guide provides a list of steps and requirements for
Payment Service Provider’s (PSPs) authorization.

Requirements
SECTION 1: Yes/No Comments
PRELIMINARY ENGAGEMENTS/REQUIREMENTS
1. Determine if you are a PSP as defined in the National Payment System Act
2011 and that your service can be classified under any of the classes of PSPs
as defined in The National Payment System Regulations, 2014 If in doubt,
inquire from the Central Bank of Kenya (CBK) either through telephone 286
3113, 3107, 3117, 3112, e-mail [email protected] or a letter addressed
to the Assistant Director, Payment Services of the Central Bank of Kenya.
2. Request for a meeting with CBK to discuss the intended application, concept
note and application requirements should be submitted via
[email protected]. Request for a meeting can be made simultaneously
with the application for name approval. Request for name approval should
be accompanied by three names in order of preference.
3. Submission of Application Form 1 as set out in the First Schedule. The
application should be addressed to the Director, Banking and Payment
Services of the Central Bank of Kenya. This application should be
accompanied by a sworn affidavit, in line with the Annex 1 template in the
NPS Regulations 2014.
4. The application should be submitted together with a non-refundable
application fee of Kshs. 5,000.00 by Banker’s Cheque or RTGS in favor of the
Central Bank of Kenya. A/C No. 1472200020001
Application should be accompanied by the following documents
and/or information;
SECTION 2:
COMPANY AND PRODUCT NAME APPROVAL DOCUMENTS
5. Submit the proposed names to the CBK in descending order of preference
accompanied by the following preliminary documents for review;
a) Business model of the proposed payment service solution including the
scope of proposed business activities and marketing strategy;
b) Proposed objects of the company;
c) Ownership structure and governance of the company;
d) Evidence of sources and availability of capital (as detailed in Section 4);
e) Proposed financial projections for 3 years;
f) Legal and regulatory compliance function;
g) High level outlines of proposed infrastructure and internal controls;
h) High level outlines of the proposed risk management policies and
procedures and internal control systems manual;
SECTION 3:
COMPANY DOCUMENTS
6. A certified copy of the certificate of incorporation and the memorandum
and articles of association of the applicant.
7. A certified copy of the certificate of incorporation and Memorandum and
Articles of Association of any corporate body that proposes to have a
significant shareholding (more than 5% shareholding) in the applicant’s
company.
8. A certified copy of the current license from the communication services
regulator where this is applicable or a certified copy of any other regulatory
license where the applicant is subject to any other regulatory authority. The
name and addresses of the regulator should also be provided.
9. Current tax compliance certificate from tax authorities.
10. Current credit rating report from a credit reference bureau.
11. Physical and PO Box address of the head office.
12. A certified copy of the latest audited statements, from a reputable firm, of
financial position and statement of comprehensive income for each of the
three years immediately preceding the date of the application if the applicant
has been operating.
13 In case of a foreign company:
i) A letter of no objection from the home regulatory authority allowing the
applicant to establish a payment service business in Kenya.
j) A notarized copy of the signed minutes of the board of the foreign
company passing the resolution to establish payment service business in
Kenya.
k) Background of the foreign entity including list of all countries they
operate from including services offered in the different countries as well
as the details of respective regulators.
l) An undertaking by the board or other oversight body of the foreign
company to maintain minimum assigned capital in Kenya throughout the
business period.
m) Signed declaration by the board of directors to adhere to the NPS Act
2011 and NPS Regulations 2014 issued thereunder and other relevant
Kenyan Laws at all times during the validity of the authorization.
n) An understanding that the home country regulator will exchange
supervisory information with the Central Bank of Kenya.
SECTION 4:
EVIDENCE OF CAPITAL
14. Evidence that the payment service provider holds the requisite capital set
out in the First Schedule of the NPS Regulations 2014.
a) Evidence should be reflected in a bank statement of a licensed bank or a
deposit taking microfinance institution indicating the isolated funds
and/or Government of Kenya Treasury Bills and Bonds not under lien;
b) Evidence should either be in the name of the company and/ or the
promoters/ shareholders of the company.
c) The promoters/ shareholders should give the Central Bank authority to
verify the authenticity of the bank statement directly from the bank or
microfinance institution.
 d) The promoters/ shareholders should provide the distribution or
allocation (ultimate beneficiaries, citizenship, amount and percentage) of
core capital to each individual promoter/ shareholder and/ or company,
indicating significant capital contributors (contributors of at least 10% of
the share capital).
e) Information on and documentary evidence of source of funds/capital.
Details should be provided on the sources of capital contributed by each
significant shareholders.
f) A sworn declaration by all the significant shareholders to the effect that
the proposed capital is not from proceeds of crime should be provided
through an Affidavit.
SECTION 5:
BUSINESS PLAN
15. The business plan should include the following
a) The business concept and the list and/or type of services to be offered.
b) The program of operations to offer these service including rules and
procedures for:
 Measures to ensure safety, security and operational reliability
of the service including contingency arrangements.
 Maintenance of separate records and accounts for its e-money
activities from other business activities; and
 Internal control mechanisms.
c) Information on the public interest that will be served by the provision
of the payment service.
d) The business strategy and the business model to be used.
e) Projections of statements of financial affairs and statements of
comprehensive income for the next three years of operations.
f) Proposed products and planned channels of delivery.
g) Activities to be run in-house and those that shall be outsourced.
h) Statistical and other data which may have been collected in respect of
the area in which the applicant intends to serve including population
of the area, - coverage of the area by other PSPs.
i) Information on the business plan guideline as set out in Annex 2 of the
First Schedule to the NPS Regulations, 2014.
SECTION 6:
PROGRAM OF OPERATIONS
16. Terms and conditions that will apply to its customers and/or agents and cash
merchants.
17. Draft standard contracts to be signed with agents and cash merchants.
18. A draft copy of the master agreement between the applicant and the
commercial banks.
19. Operational policies and procedures covering the areas below;
a) Information Systems and Security Policy;
b) Information storage/Data storage/Data Retention;
c) Accounting and Operating Procedures manuals;
d) Complaints handling procedures;
e) Anti-Money Laundering and CFT Policy;
f) Human Resource and Manpower Development;
 g) Settlement procedures accompanied by a diagram of flow of funds and
management of settlement risk;
h) Agent/cash merchant operational policies and procedures;
i) Demonstration of segregation of other activities of the PSP from the PSP
business;
20. Outsourcing / Third Party Services
a) Documentation on outsourcing arrangement/Draft outsourcing contract;
b) Due diligence report on proposed third parties including the IT
Platform/Connectivity provider (if any)
Due diligence report should encompass
i. The scope of third party / outsourced services;
ii. Third party suitability assessment;
iii. Approval process for third party service providers;
SECTION 7:
GOVERNANCE AND INTERNAL CONTROL MECHANISMS
21. The identity of:
i. Directors and Senior Managers of the payment service provider as
well as Senior Managers of the division under which the authorized
solution will fall under.
ii. Custodial trustees holding the cash which is represented in the
payment service of the applicant;
iii. Significant Shareholders (anyone who owns more than 5% shares in
the business).
iv. “Fit and Proper Form” as set out in the Second Schedule of the
Regulations for persons listed in paragraph (i) (ii) and (iii);
The Fit and Proper Form above should be accompanied by;
i. Up-to-date and detailed curriculum vitae of the above-named
persons.
ii. Contact details (postal and e-mail addresses, phone contacts of at least
three independent referees, one of whom should be the immediate
previous employer).
iii. Valid Personal Identification Number (PIN).
iv. National Identity Card or Passport or any other valid identification
document acceptable to CBK.
v. Tax compliance certificate issued by the relevant tax authority.
vi. The latest credit report from a licensed credit reference bureau.
vii. A certificate of good conduct from the National Police Services of
Kenya.
22. A description of:
i. Shareholding structure – List of shareholders, respective
shareholdings, respective percentages of shareholdings, and the
ultimate beneficiaries. Any shareholding agreements should be
submitted to CBK. Shareholding records held by the Registrar of
Companies should be submitted.
ii. Group structure where the applicant is a member of a group.
 iii. Organizational structure – Board of directors (show executive and non-
executive directors), proposed Chief Executive Officer, senior
management, key business/ management/ departmental/ functional
units. This can be summarized by use of an organizational chart.
iv. The internal control mechanisms which the applicant has established
to comply with its Anti-Money Laundering and Combating the
Financing of Terrorism laws and regulations as set out in the AML/CFT
Laws and Regulations
SECTION 8:
SAFEGUARDING OF CUSTOMER FUNDS
23. Establishment of a trust
a) A copy of the trust deed.
b) Minimum contents of the trust deed in line with Section 26 (1) of the NPS
Regulations 2014;
c) A certified copy of the management agreement where a custodial Trust
relationship exists with the mobile payment service provider;
d) Details of the bank(s) where the trust fund will be held (in a local bank;
e) Employ risk mitigation strategies to ensure that the funds held in the
Trust Fund are sufficiently diversified and placed in licensed commercial
banks – proposed trust fund protection scheme/arrangement;
i. Principal characteristics of the service provided pursuant to the
Trust;
ii. Details of how the fund shall be held and invested in line with
Section 25 (3) of the NPS Regulations 2014;
iii. Procedures for nomination of the Trustees;
iv. Duties, responsibilities and the extent of liability of Trustees;
v. Provisions on discontinuation or termination of the Trust and
subsequent handling of the Trust Fund
vi. Procedure of handling of dormant accounts;
vii. Procedure of handling accounts of deceased persons;
viii. Rights of system participants and beneficiaries;
ix. Applicable law and mode of resolution of disputes;
x. Where the trustee is a company, duties of the management
company and key particulars of the management arrangement;
xi. Use of income generated from the trust fund. Should be in line with
Section 25 (5) of the NPS Regulations 2014.
SECTION 9:
RISK, IT AUDIT AND BUSINESS CONTINUITY PRACTICES
24. A description of
a) A risk assessment report of the operations to be performed;
b) A risk matrix on all the risks identified and how they will be mitigated;
c) Risk Management Policies and Procedures;
d) IT system audit report by a qualified, professional and reputable audit
firm;
e) Vulnerability and Assessment Report (Due diligence report);
f) Internal audit report regarding the adaptation of internal controls
performed in readiness for commencement of business;
 g) Business Continuity and Disaster Recovery plan;
h) Procedure for handling security incidences;
i) Organizational measures and tools for the prevention of fraud;
j) Transaction and cash holding limits.
SECTION 10:
ACCESS TO SENSITIVE PAYMENT DATA
25. A description of
a) The data classified as sensitive payment data in the context of the
payment institution’s business model;
b) The access right policy, detailing access to all relevant infrastructure
components and Systems;
c) The IT system and technical security measures that have been
implemented such as encryption to prevent access to sensitive payment
data, firewalls and updated anti-virus scans;
d) Identification of the individual’s access to the sensitive payment data;
e) An explanation of how breaches will be detected and addressed;
f) Demonstration of compliance with the Data Protection Act 2019.
Any other information CBK may require