The Bank of Mozambique has issued new rules requiring supervised credit institutions and financial companies to classify and report technology and cyber incidents under a common taxonomy and deadline regime, and has also introduced an annual cap on payments abroad made using bank cards issued in Mozambique. For incident reporting, institutions must classify incidents by nature and severity using the taxonomies set out in the annexes, covering external and internal events whether intentional or accidental. Critical, high and medium incidents must be reported using an incident reporting template that will be approved by Circular, while low-severity incidents must be documented and kept available for review. Reporting is incremental, with a preliminary report due within 24 hours of occurrence, an interim report due within 10 business days of submitting the preliminary report, and a final report due within 30 business days of submitting the interim report; if the incident is not resolved by the final deadline, institutions must submit the final report alongside an action plan setting out mitigation measures adopted or planned to resolve the incident and prevent recurrence. For card-based payments abroad, individuals and legal entities are capped at an annual aggregate limit of MZN 6,000,000 across the entire national banking system per cardholder, irrespective of the number of contracts, cards or payment channels used, including cash withdrawals, without prejudice to any daily card limits set by the issuing credit institution. Once the annual limit is reached, all credit institutions must block that cardholder’s bank cards for foreign transactions and must notify cardholders when they reach half of the annual limit, when they reach the limit, and when cards are blocked; breaches are treated as foreign exchange contraventions under the Foreign Exchange Law. The Bank of Mozambique may set different limits on request, with an additional limit not exceeding MZN 6,000,000, and the measure applies from publication for a 12-month period.
Bank of Mozambique 2025-12-09
Bank of Mozambique sets cyber incident reporting deadlines and caps foreign card payments at MZN 6 million a year
The Bank of Mozambique requires credit institutions and financial companies to classify and report technology and cyber incidents using a standardized taxonomy and deadlines. An annual cap of MZN 6,000,000 is imposed on foreign payments made with bank cards issued in Mozambique, with breaches treated as foreign exchange contraventions. The cap applies per cardholder across the national banking system, and institutions must notify cardholders as they approach and reach the limit.