Security in fintech: It’s in the whiteboard details

African organisations face an average of 3,153 cyberattacks a week, around 60% higher than the global average[1]. The continent sits in the thick of the threats, with fraud and attacks costing companies thousands. The African financial sector has seen a 350% increase in fraud losses, and organisations such as South African Airways, Kenya Urban Roads Authority, Telecom Namibia and Bank of Uganda have been targeted.[2][3] The fintech environment in Africa may be booming, holding more than half of the world's 2.1 billion registered mobile money accounts and handling 74% of global mobile money transactions, but it is also at risk. Security, says Mandla Mbonambi, CEO of Africonology, has to be architected from the first whiteboard sketch, not patched in the week before go-live.


“Fintechs that treat security as a late quality assurance step tend to face higher breach risks, delayed launches and failed audits,” he says. “This is because vulnerabilities are only discovered when changes are expensive and hard to fix. Security-by-design models are a far better approach in the financial services industry because security best practices and protocols are embedded in digital transformation rather than as bolt-on added extras.”

Building a product without prioritising security from the outset creates both technical debt and risk. From day one, fintech teams need to assume that every design decision has a regulatory and security impact. Across data flows, API exposure, identity models and even UI flows, teams must prioritise key built-in elements. For example, early threat modelling of payment flows, API gateways, mobile apps and integrations to identify fraud, account takeover, and data-leak paths is essential before code is even written.

Then there are the secure coding standards, including encryption in transit and at rest, strong key management, IAM, multi-factor authentication, and the secure use of third-party and open-source components. Within this there are also the disciplines of compliance-as-code and policy-as-code in pipelines, with the sole purpose of ensuring that PCI DSS, SOC 2, ISO 27001, POPIA, GDPR, and DORA controls are checked automatically during builds, not as a panicked afterthought during audits.
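As an added illustration of compliance-as-code in a build pipeline (example code, not from the article or Africonology), the gate below evaluates a constructed deployment configuration against controls of the kind listed above (encryption in transit and at rest, key management, MFA) and returns a non-zero exit code so the build is blocked rather than audited later. The configuration layout, dotted paths and control ids are hypothetical.

```python
# Added example of a policy-as-code build gate (hypothetical config format and control ids).
import sys
from typing import Any, Callable

# Constructed deployment config for a hypothetical payments API.
SAMPLE_CONFIG: dict[str, Any] = {
    "service": "payments-api",
    "tls": {"enabled": True, "min_version": "1.1"},
    "database": {"encryption_at_rest": False, "kms_key_id": ""},
    "auth": {"mfa_required": True},
}

def lookup(cfg: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted path such as 'tls.min_version'; missing keys return default."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

# (control id, requirement, predicate). Defaults are chosen so that an
# omitted setting fails closed: absent controls count as violations.
RULES: list[tuple[str, str, Callable[[dict[str, Any]], bool]]] = [
    ("ENC-TRANSIT-1", "TLS must be enabled",
     lambda c: lookup(c, "tls.enabled", False) is True),
    ("ENC-TRANSIT-2", "TLS minimum version must be 1.2 or 1.3",
     lambda c: lookup(c, "tls.min_version", "") in ("1.2", "1.3")),
    ("ENC-REST-1", "database storage must be encrypted at rest",
     lambda c: lookup(c, "database.encryption_at_rest", False) is True),
    ("KEY-MGMT-1", "data keys must come from a managed KMS key",
     lambda c: bool(lookup(c, "database.kms_key_id", ""))),
    ("IAM-MFA-1", "multi-factor authentication must be required",
     lambda c: lookup(c, "auth.mfa_required", False) is True),
]

def evaluate(cfg: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (control id, requirement) for every rule the config fails."""
    return [(cid, req) for cid, req, ok in RULES if not ok(cfg)]

def gate(cfg: dict[str, Any]) -> int:
    """Pipeline exit code: 0 lets the build proceed, 1 blocks it."""
    failures = evaluate(cfg)
    for cid, req in failures:
        print(f"FAIL {cid}: {req}")
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(gate(SAMPLE_CONFIG))
```

Run as a pipeline step, the script fails the sample build on three controls (TLS 1.1, no encryption at rest, no managed key) and passes once the manifest is corrected.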

“DevSecOps isn’t a new concept, but it is now crucial,” says Mbonambi. “Rather than running security reviews after features are built and before they deploy, DevSecOps embeds security into every phase of the software lifecycle. Vulnerabilities are flagged in real time as developers write code, and dependencies are automatically scanned for known issues during integration. You’re moving security to the heart of development, which puts fintech solutions on a far stronger footing.”

The economics alone make the argument. Fixing a bug at the design stage costs around $80; fixing the same issue after deployment can cost upwards of $7,000[4]. For fintechs under pressure to extend runway and reach profitability, this steep cost increase is not an abstract concept: it can make all the difference for fintechs still finding their feet, especially as compliance grows increasingly challenging to navigate.

A fintech operating across multiple African markets could handle customer data from Nigeria, Kenya, South Africa, and the EU, for example, which would require it to navigate the NDPR, Kenya’s Data Protection Act, POPIA, and GDPR. South Africa’s Information Regulator amended POPIA regulations in April 2025 to introduce stricter breach notification timelines and expanded information officer responsibilities. And as of 2025, 46 of the 54 African countries have enacted data protection laws, meaning enforcement is no longer selective.

“Compliance is not a project with a completion date,” says Mbonambi. “It’s a continuous state, and the only way to maintain that state is to build it into how you operate from day one. This is where security-as-a-service becomes strategic. For fintechs lacking the headcount or internal expertise to maintain continuous security operations, external capabilities provide them with ongoing support.”

Security needs to move away from being a function owned by a specific team and become part of the entire process. It’s now a shared responsibility across developers, operations engineers, security analysts and leadership, because when DevSecOps is done well, it transforms the entire ecosystem. It allows security to move from a friction point to part of how teams think from the moment they create the first line of code.

“Africa has already proven it can lead the way in mobile money and digital payment innovation. Now the challenge is to set the gold standard for security within these solutions and the fintech environment,” concludes Mbonambi.

[1] https://www.itnewsafrica.com/2026/01/8-key-trends-that-will-define-africas-cyber-security-landscape-in-2026/

[2] https://insights.techcabal.com/why-african-fintechs-are-prioritising-profitability-and-cybersecurity/

[3] https://insights.techcabal.com/why-african-fintechs-are-prioritising-profitability-and-cybersecurity/

[4] https://public.dhe.ibm.com/software/rational/info/do-more/RAW14109USEN.pdf