As Uganda's digital economy pivots from infancy to systemic maturity, the Bank of Uganda ('BOU') has recently released to its licensees, draft Corporate Governance Guidelines for Non-Bank Payment Service Providers ('NBPSPs'), Payment System Operators (PSOs) and Issuers of Payment Instruments ('IPIs') ('Guidelines'), representing a watershed moment in regulatory oversight. For years, the agility of NBPSPs and PSOs has outpaced the rigid structures of traditional banking; however these new Guidelines signal that the move fast and break things era is now being replaced by a standard of institutional permanence.
By codifying Board compositions, risk management frameworks and fiduciary duties specifically for PSPs, the Central Bank is not merely adding red-tape — it is laying the governance infrastructure necessary to attract large scale cross-border investment. When viewed through a comparative lens, it becomes clear that the Pearl of Africa is seeking a middle path between innovation and systemic stability.
- Every PSP, PSO, and IPI is expected to maintain a formal Board of directors, with the appointment procedures clearly outlined in the organization's Board Charter.
- Shareholders are responsible for selecting Board members, and each appointment must be approved by the BOU.
- Electronic money issuers must have between five (5) and seven (7) directors; other licensees must maintain three (3) to five (5) directors.
- Institutions are encouraged to ensure gender balance on their Boards to enhance inclusive leadership.
- The Board Chairperson must be an Independent Non-Executive Director — one who is free from significant relationships or dealings that could compromise objective decision-making, including not having benefited from preferential business terms in the two years prior.
- Boards must implement staggered terms to maintain experience, renewal, and continuity over time.
- Individuals are prohibited from simultaneously serving as director or trustee in more than one institution regulated by the BOU.
- A director cannot transition into the role of Independent Director within the same institution unless a minimum two-year cooling-off period has elapsed.
- Where a director's resignation leads to the Board falling below the mandatory minimum size, the Board is obliged to inform the Bank of Uganda.
- No more than one-third of the Board or senior management may be drawn from a single extended family, and only one family member may occupy key leadership roles such as CEO, Managing Director, Executive Director, or Board Chairperson.
- The Board is expected to convene at least once every quarter.
- The Board is required to develop a charter to be approved by BOU to guide the Board's operations.
- The Board must operate through at least three committees: audit, risk and compliance, and the strategy, innovations and technology committee — each led by a Non-Executive Director.
- The Audit, Risk and Compliance Committee must be chaired by an Independent Non-Executive Director.
- The Board is responsible for appointing the CEO/MD/CM, Executive Directors, and Senior Executives, with all appointments requiring approval from the BOU.
- Each PSP, PSO and IPI is required to establish a risk and compliance function dedicated to advising management and the Board on appropriate risk-management practices, monitoring regulatory compliance, and promoting risk awareness internally.
- The Board must endorse an ERM Framework that outlines the organization's risk appetite, tolerance levels, risk culture, governance structures, and detailed procedures for identifying, measuring, monitoring, and reporting risk exposures. The framework must also assign responsibility among stakeholders.
- The risk and compliance function is required to report to the Board quarterly and to the CEO on a day-to-day basis.
- The Board is required to establish an internal audit function and, on the advice of the audit committee, appoint an internal auditor with appropriate qualifications and experience.
- The Head of Finance is required to be a member of the Institute of Certified Public Accountants of Uganda (ICPAU).
PSPs, PSOs and IPIs must follow the BOU's existing guidance on financial reporting, external auditor appointments, annual systems audit and vulnerability assessment requirements.
PSPs, PSOs and IPIs are required to have a functional website and, in the interest of the public, disclose the profiles of their Board members and senior management team.
PSPs, PSOs and IPIs are encouraged to integrate Environmental, Social and Governance (ESG) practices into their governance frameworks, including initiatives that support financial inclusion, digital literacy, sustainability, and related disclosures.
In cases of non-compliance with the Guidelines, the BOU may apply corrective actions under the principal Act, including suspension or revocation of licences.
Regulatory Comparison
Kenya is often viewed as the gold standard for fintech regulation in Africa, largely because the Central Bank of Kenya ('CBK') allowed the market to innovate first before tightening the governance screws.
Many PSPs in Kenya are subsidiaries of larger entities or telecoms. The CBK enforces ring-fencing guidelines that require PSP Boards to have autonomous decision-making power separate from the parent company — a tighter approach to local autonomy than Uganda's Guidelines currently provide.
One could argue Uganda's Guidelines should adopt a similar technical governance standard to maintain a robustly governed ecosystem with granular liability.
In 2025, the Central Bank of Ghana ('CBG') issued corporate governance Guidelines for PSPs establishing key rules on Board structure, executive responsibility, internal controls and risk oversight. Ghana is often cited as a peer for Uganda given its rapid mobile money penetration and payments law heritage.
Similar to Uganda, Ghana's Guidelines are prescriptive for larger players. Dedicated electronic money issuers and enhanced PSPs must have at least one-third of the Board as independent non-executive directors, with independence defined strictly — prohibiting any director with more than a 5% equity stake or significant business ties.
The CBG also requires at least 30% Ghanaian Board membership within audit and risk committees — a significant consideration for multinationals like MTN, Airtel and Wave operating across East Africa.
Conclusion
The regulatory trajectories of Uganda, Kenya and Ghana reveal a shared truth: the fintech honeymoon is over, and the era of institutional maturity has arrived. On the horizon for Uganda, we can expect three distinct shifts.
Resilience Governance
The Central Bank moves from checklist compliance to operational resilience as the primary measure of institutional health.
Regional Harmonisation
As the EAC cross-border payment system gains steam, these governance standards will become the minimum entry requirement for Ugandan firms scaling into the wider East African monetary union.
Governance as an Asset Class
In a tightening global capital market, players with a BOU-compliant, transparent and independent Board will be the only ones capable of attracting the next wave of international investment.
Ultimately, the Guidelines do not just tether NBPSPs and PSOs to a Regulator — they provide the legal gravity necessary for Uganda's digital economy to finally reach escape velocity.
