Bank of Ghana Imposes GHS 12,000 Fine for Non-Compliance with New Outsourcing Directive
The Bank of Ghana (BoG) has released a stringent outsourcing directive aimed at strengthening governance frameworks and risk controls across Ghana’s banking and financial sector. Regulated financial institutions, including banks and specialized deposit-taking institutions (SDIs), must fully comply by July 1, 2025, or face steep penalties.
The directive targets the growing reliance on outsourced services among financial institutions, which seek to cut costs and boost efficiency amid rising operational demands. However, the central bank’s guidance underscores that this cost-efficiency drive must not compromise the integrity of critical functions. Institutions that do not meet the directive’s standards face an administrative fine of 1,000 penalty units, or GH₵12,000, and potential further sanctions.
BoG’s guidelines clearly demarcate which functions may and may not be outsourced. Senior management and board roles, strategic oversight functions, corporate planning, anti-money laundering (AML) and know-your-customer (KYC) compliance, risk management, and internal audit functions are all strictly off-limits for outsourcing.
In contrast, routine partnerships, such as those with payment card schemes or clearing and settlement systems, are exempt from these restrictions, signaling BoG’s intent to retain strong internal controls over critical and decision-making roles.
The directive, representing one of BoG’s most comprehensive moves to date on operational governance, seeks to mitigate strategic, operational, and reputational risks that outsourcing can pose. Under the directive, regulated financial institutions (RFIs) are required to maintain in-house oversight of core operational areas, and the central bank has mandated that all existing contracts be reviewed for compliance by mid-2025 or upon renewal, whichever is earlier. RFIs must also submit a “materiality assessment” framework by June 2, 2025, clarifying core and non-core functions.
While RFIs are permitted to outsource non-core activities without prior approval, provided these do not require additional regulatory permissions, the BoG has set specific preconditions for engaging third-party providers on essential functions. For any new or renewed outsourcing agreements involving core functions, BoG’s prior written consent is required under Section 60 (12) of Act 930.
The directive also places a firm boundary on the handling of sensitive customer data, mandating that no customer information be shared with third parties without the individual’s explicit consent. To further bolster oversight, institutions must adopt a rigorous materiality assessment mechanism to distinguish between core and non-core functions in outsourcing plans.
BoG’s directive reflects broader efforts to ensure that Ghana’s financial institutions are safeguarded against potential pitfalls tied to third-party dependencies. With compliance deadlines looming, banks and SDIs will need to make structural adjustments, review existing contracts, and strengthen their internal controls to meet the directive’s demands.
Institutions that fail to comply will face not only financial penalties but also broader disciplinary actions under Act 930 and Act 1032, highlighting BoG’s determination to uphold high standards across Ghana’s financial sector.