
The Bank of Tanzania (BoT) has issued its Draft Cloud Computing Guidelines for Financial Service Providers, 2025, a landmark document that significantly updates and supersedes the 2023 guidelines. This new framework goes beyond general recommendations to establish a clear and comprehensive regulatory system with explicit penalties for non-compliance. For RIVE& Co.’s clients, understanding these changes is not just a matter of technical compliance but a strategic business necessity.
What is Cloud Computing?
At its core, cloud computing is the practice of using a network of remote servers, managed by a third party and hosted on the internet, to store, manage, and process data. Instead of making a large, lump-sum investment in local databases, software, and hardware, an institution can outsource these IT systems and access them via the internet. Cloud services can be delivered in various models:
- Public Cloud: Services offered for public use.
- Private Cloud: Services with limited or exclusive use.
- Hybrid Cloud: A combination of both public and private clouds.
Defining Key Terms in the Guidelines
To navigate the new regulations, it’s crucial to understand the key terms as defined by the BoT:
- Bank: Refers to the Bank of Tanzania.
- Financial Service Provider: An institution that is licensed, regulated, and supervised by the Bank of Tanzania.
- Mission Critical System: A system that is essential for a financial service provider’s survival and core operations. Its failure or interruption would significantly impact business operations. Examples include core management functions like customer deposit management and payments and settlements. Financial service providers are prohibited from hosting these systems in a primary data center outside of Tanzania.
- Non-Mission Critical System: A system that is not essential to the core operations or survival of the institution. Its failure does not significantly impact business continuity.
The Evolution of the Guidelines: 2023 vs. 2025
The 2025 guidelines represent a significant leap from the 2023 version by introducing a robust framework for enforcement and accountability.
| Feature | 2023 Cloud Computing Guidelines | 2025 Draft Cloud Computing Guidelines |
| --- | --- | --- |
| Enforcement | Lacked a dedicated section on penalties. | New Section V: General Provision outlines specific sanctions for non-compliance, including fines, suspension of operations, and license revocation. |
| Scope | Focused on establishing a baseline for using cloud services, including criteria for approval and contract requirements. | Expands on the 2023 criteria and introduces explicit consequences for non-compliance. |
| Due Diligence | Required a due diligence process for cloud providers. | Adds a new requirement to consider the potential reputational impact of a service provider’s failure. It also specifies that an annual review of the provider’s financial and operational condition is required. |
| Existing Users | Did not explicitly address existing cloud arrangements. | Mandates that financial service providers who adopted cloud computing before the 2025 guidelines’ commencement must seek written approval from the Bank within twelve months or cease the service. |
| Oversight | Mentioned the Bank’s right to access records. | Clarifies that the Bank’s right to access data includes any information stored by the cloud provider or its subcontractors. |
Key Implications for RIVE& Co.’s Clients
The 2025 guidelines fundamentally change the risk and compliance landscape for financial service providers. The transition from a guiding framework to an enforceable legal instrument means that the consequences of non-compliance are now severe and clearly defined.
- Increased Compliance Burden and Risk: The new sanctions mean that non-compliance can result in substantial financial penalties and operational suspension. Furthermore, directors, officers, and employees can face personal liability, including suspension from their positions. This necessitates a comprehensive and proactive approach to compliance.
- Urgent Action for Existing Users: Clients who have already adopted cloud computing under the 2023 guidelines have a strict twelve-month deadline to seek formal re-approval from the Bank. Failure to do so could result in a mandate to cease the use of cloud computing, causing significant business disruption.
- Strengthened Due Diligence and Ongoing Monitoring: Clients must now conduct more rigorous initial and ongoing due diligence. The evaluation of a cloud service provider must now include a deep dive into its security measures, uptime history, ability to handle workloads, and a crucial assessment of its reputation and contingency plans.
- Contractual Review: All cloud computing contracts must be reviewed by the financial service provider’s legal counsel to ensure they are legally enforceable and protect the institution from risk. The 2025 guidelines specify that contracts must include provisions for a clear exit strategy, data recovery, and the Bank’s right to access information.
The Author
Sunday Ndamugoba is a partner with the firm. He can be reached at sunday@rive.co.tz.
Disclaimer
This article is for general informational purposes only and does not constitute legal advice. The content is a summary of the draft guidelines and should not be relied upon as a substitute for professional legal counsel. Clients should consult with a qualified legal professional to understand how these guidelines specifically apply to their business operations. RIVE& Co. disclaims all liability for any actions taken or not taken based on this information.

