The Bank of Mozambique (BoM) has presented a draft notice establishing new rules for the processing and storage of data by credit institutions and financial companies. The proposal aims to strengthen security, integrity and transparency in the management of computer systems used in the financial sector.
According to the document, institutions must keep their main systems implemented in data processing centres (DPCs) located on national territory, except in exceptional cases authorised by the BoM. The rule aims to ensure that critical data is subject to Mozambican jurisdiction, reducing the risks associated with unauthorised access or legal conflicts in other countries.
Institutions will also be obliged to establish replication facilities designed to guarantee business continuity and data recovery in the event of failures or disasters. These facilities may be located abroad, provided they are previously authorised and meet security requirements compatible with the primary centres.
The notice also regulates the use of cloud computing services. Services for main systems can only be contracted within national territory and with BoM authorisation, while peripheral systems will have greater flexibility, depending on prior communication or authorisation, as the case may be.
In addition, the central bank defines mandatory clauses for contracts with data service providers, including confidentiality guarantees, strict security measures and audit rights to ensure regulatory compliance.
Failure to comply with the provisions will be considered an offence punishable under current legislation.
The proposal is subject to public consultation before entering into force, and must be implemented 120 days after its official publication.
Text: Felisberto Ruco