Benjamin Mensah is the Senior Supervisor, Compliance Monitoring, and AML with Republic Bank Ghana Limited in Accra, Ghana. Mensah is a professional accountant and certified forensic auditor with 15 years of experience in banking operations, internal audit, and regulatory compliance. Recently he became a Charter Member of the Association for Data and Cyber Governance. He is our first member in Africa!
Mensah holds membership in the Institute of Public Accountants, Australia, the Institute of Financial Accountants, UK, the Financial Services Institute of Australasia, the Chartered Institute of Securities and Investments, UK, the London Institute of Banking and Finance, UK, the Chartered Management Institute, UK, the Association of Certified Fraud Specialists, USA, the Ghana Institute of Management, and the Institute of Internal Auditors, Ghana.
He holds a diploma from the Institute of Chartered Accountants, Ghana, and is an alumnus of the University of Portsmouth in the UK, where he was awarded a Master’s in Forensic Accounting. He is currently pursuing a Ph.D. in Business Administration from Anaheim University in California, U.S.A.
How did your career and education lead you to your current position at Republic Bank, Ghana?
In 2005, I was admitted to the Christian Service University College (affiliated with the University of Ghana) and began to pursue a bachelor’s degree. I graduated with a 2nd Class Upper and went on to obtain a Master’s of Science in Forensic Accounting with the University of Portsmouth in the UK, which I completed in 2016. I am currently pursuing my Doctorate in Business Administration at Anaheim University, in California, U.S.A.
I started working with Nwabiagya Rural Bank in 2004 as an Accounting Clerk and rose to the rank of Sub-assistant Accountant. As a person who always wants to take challenging responsibilities, in 2007, I took an offer from the Ghana Audit Service (GAS) – the only supreme public auditing institution in Ghana. The GAS was established by an Act of parliament to audit all the public accounts of Ghana. I worked for 2 years and again took a challenging responsibility to set up an Internal Audit Department at Advans Ghana. I then worked in the Compliance Department of Midland Savings and Loans Company Limited as Manager, Compliance. I am currently working with Republic Bank Ghana Limited as Senior Supervisor, Compliance Monitoring, and AML.
What types of laws and regulations does Ghana have with respect to data privacy?
The data privacy environment in Ghana is regulated by the Data Protection Act 2012 (Act 843). This act was passed by parliament and was given presidential assent on May 10, 2012. The act established the Data Protection Commission (DPC), a body with a core mandate to protect the privacy and personal data of individuals by regulating the processing of personal information. The DPC provides a process to obtain, hold, use, and disclose personal information.
What about laws and regulations related to data protection, cybersecurity, and reporting of breaches?
- Data Protection Act 2012 (Act 843)
- Bank of Ghana Cyber Security Directive 2018
You mentioned that compliance with ISO 27001 satisfies cybersecurity regulatory requirements. Have most institutions in Ghana achieved this compliance?
Yes, the majority of banking institutions are compliant with ISO 27001.
How much of your responsibilities deal with data and cyber governance?
I monitor the reporting of cybersecurity and data incidents/threats/breaches to the Bank of Ghana and the Data Protection Commission, Ghana.
What other people in your organization deal with these issues?
The Information Security Manager and CISO are in charge of the operational issues of information security in the bank.
Are you subject to the GDPR?
Do most institutions in Ghana require business executives and board members to be educated on cybersecurity?
What are the traditional targets of cybercrime in Ghana?
Traditional, electronic and mobile banking services, as well as E-commerce, and government.
What types of cyber threats and crimes are being perpetrated in Ghana?
The list is long:
- ATM frauds
- Social engineering (phishing)
- DoS attacks
- Cyber fraud
- Insider threats
- Data breaches
- Fake news
- Electronic Payment (mobile money) threats
- Social media threats
- Mobile device security threats
- Identity theft
- Network attacks
- Email hacking
- Cyber espionage
- Sim box fraud
What are the biggest obstacles to successful cyber compliance in Ghana?
- IT infrastructure
- Capacity building/awareness creation/training
- Inadequate leadership
- Bad corporate governance