Every cross-border fintech expansion I've been involved in — whether advising from a law firm, structuring from a consulting engagement, or operating inside the company itself — has hit the same wall. Not product-market fit. Not capital. Regulatory fragmentation.
Fifty-four sovereign jurisdictions, each with its own licensing authority, capital requirements, data localisation rules, and AML/CFT expectations. The cost structure of that reality has killed more African fintech expansion plans than any competitive threat.
The emergence of regulatory passporting frameworks represents the most significant structural shift in African financial services regulation since the adoption of the AfCFTA. But a dangerous misconception has taken hold in boardrooms and investor decks: that passporting lets you operate across borders while sidestepping local compliance.
It doesn't. And the founders who build on that misconception will discover the gap between expectation and reality at the worst possible moment — during a regulatory audit, an enforcement action, or a fundraise where institutional LPs ask pointed questions about licence hygiene.
The mechanics: what passporting actually does
Passporting — or mutual recognition of licences — allows a fintech authorised and supervised in one jurisdiction (the "home" regulator) to notify and commence operations in another (the "host") without duplicating the full licensing process. The conceptual ancestor is the European Union's regime under MiFID II and PSD2, but the African implementation is being built through bilateral agreements and AfCFTA-aligned protocols rather than supranational directive.
On 25 February 2025, at the Inclusive FinTech Forum in Kigali, the Bank of Ghana and the National Bank of Rwanda signed Africa's first fintech licence-passporting MoU — a bilateral agreement allowing regulated fintechs licensed by either central bank to operate in both markets with minimal additional regulatory requirements. The MoU, developed in partnership with the Global Finance and Technology Network (GFTN) and the Pan-African Payment and Settlement System (PAPSS), also includes cross-border payment interoperability provisions and a Next-Gen Digital Public Infrastructure (Next-Gen DPI) framework.
Similar arrangements are in various stages of negotiation involving Nigeria's CAC and CBN frameworks, Kenya's CMA and Central Bank, and players across the East African Community and ECOWAS. These sit within the broader AfCFTA ambition — a single market for services across 54 nations and 1.4 billion people.
Structurally, every passporting regime rests on three pillars:
That third pillar is where most misunderstandings begin. It is also where most compliance failures originate.
The compliance reality: a fast-track visa, not diplomatic immunity
Passporting is not a licence to operate anywhere. In practice, it functions like a fast-track visa — it gets you through immigration faster, but you're still subject to the laws of the country you've entered. The analogy is precise because the consequences of violation are equally real.
Host-country obligations that survive passporting include:
- Data protection and localisation. Nigeria's NDPA, Kenya's Data Protection Act (2019), South Africa's POPIA, and Egypt's PDPL (Law 151/2020) each impose distinct obligations. Cross-border data transfers require specific legal bases under each framework. Localisation requirements — where they exist — are non-negotiable regardless of your home licence.
- AML/CFT and KYC. Even where FATF Recommendations create a harmonised floor, transaction monitoring thresholds, suspicious activity reporting protocols, and customer due diligence requirements carry jurisdiction-specific calibrations. A grey-listed jurisdiction's expectations — Nigeria was on the FATF grey list from 2023 to 2024, South Africa from 2023 to 2025 — will differ materially.
- Consumer protection and conduct. Disclosure requirements, fair lending rules, complaint handling timelines, and interest rate caps (where applicable) are locally determined. The AfCFTA Services Protocol expressly preserves host-state regulatory authority over consumer outcomes.
- Capital, liquidity, and operational resilience. While core licensing capital may be mutually recognised, host regulators frequently impose supplemental buffers, ring-fencing requirements, or local asset maintenance rules for systemic stability — consistent with the Basel Committee's home-host supervision principles.
- Tax, FX, and local entity requirements. Many markets still require a local subsidiary, branch registration, or banking partnership. Transfer pricing, withholding tax, and foreign exchange compliance — governed by each country's central bank and revenue authority — are entirely outside the passporting framework.
Know exactly what each jurisdiction requires — before you file.
Kwame is Veritas's regulatory Q&A agent. Ask any question about licensing requirements, capital adequacy thresholds, AML/CFT obligations, or data protection rules in any African jurisdiction and receive cited answers grounded in verified statute. Every response links to the specific instrument, section, and obligation — not summaries, not commentary.
The strategic frame: passporting as market-access infrastructure
For operators with genuine home-market compliance — not paper compliance, but tested, auditable, regulator-relationship-backed compliance — passporting dramatically compresses the cost and timeline of regional expansion. Instead of 12–18 months and six-figure legal and compliance spend per jurisdiction, you allocate those resources to product localisation, distribution partnerships, and customer acquisition.
The fintechs I've seen execute this well share four characteristics:
- Modular compliance architecture. Their technology stack is designed to toggle jurisdiction-specific rules at the configuration layer. AML thresholds, disclosure language, data residency routing, and reporting formats are parameterised — not hardcoded.
- Regulatory affairs as a strategic function. They maintain standing relationships with multiple central banks and supervisory authorities. Regulatory affairs sits alongside product and finance at the leadership table.
- Auditability by default. Their systems produce real-time regulatory reporting across jurisdictions. When an examiner asks for transaction monitoring logs from a specific corridor, the answer is measured in hours, not weeks.
- Local networks with genuine depth. They invest in on-the-ground advisory relationships — lawyers, former regulators, industry association leaders — who understand the unwritten rules, political dynamics, and supervisory preferences that no legal database captures.
Expansion is easier when the obligation register stays current.
Ayo is Veritas's compliance monitoring agent. As you enter new markets, Ayo keeps the licensing, AML/CFT, data protection, and reporting obligations for each jurisdiction in one live register and alerts your team when the rules shift.
The real prize is harmonisation — and it isn't here yet
Bilateral passporting agreements are proving grounds. The Ghana–Rwanda MoU demonstrates political will and creates implementation precedent. AfricaNenda's policy research identifies three additional building blocks needed for continental scale: a fintech licence passporting regime with standardised criteria, harmonised e-KYC and AML/CFT standards across central banks, and a Pan-African Payment Services Directive (PSDA) — modelled on Europe's PSD2/PSD3 — providing unified guidelines for cross-border payment services.
The AfCFTA Secretariat, alongside regional economic communities like ECOWAS, EAC, and SADC, has a central role in closing the gaps that persist between major hubs — Nigeria, Kenya, South Africa, Egypt, Ghana — and the emerging jurisdictions where regulatory capacity is still developing. Twenty-four countries have already made initial commitments in the five AfCFTA priority services sectors. The remaining State Parties are still finalising their schedules.
The operators who will capture disproportionate value from this evolution are those who view regulatory compliance not as overhead but as infrastructure — as a moat that deepens with every jurisdiction mastered, every obligation mapped, and every supervisory relationship maintained.
Passporting lowers the barrier to entry. Rigorous, proactive, multi-jurisdictional compliance builds the durability and institutional trust that separates companies that scale from companies that stall.
Africa's fintech opportunity is the largest greenfield financial services market in the world. The founders who master the nuance of passporting — who embrace its efficiencies without mistaking them for exemptions — will be positioned to build the companies that define the next decade of African financial infrastructure.
Get regulatory intelligence delivered
Join in-house counsel and compliance leaders across Africa receiving our weekly regulatory brief.
The views expressed are those of the author and do not constitute legal advice. Veritas Africa Ltd. is not a law firm.