🏢 FinGuard — Complai Africa

CDPA Compliance for MFIs, SACCOs & Credit Providers

Financial history and credit data are classified as sensitive data under the CDPA. MFIs face dual obligations — POTRAZ data protection compliance and RBZ KYC requirements.

FinGuard Document Bundle

All of the following documents are included in the bundle:

  • MFI/SACCO Data Protection Policy: POTRAZ and RBZ aligned
  • Client Consent & KYC Disclosure Form: loan applications
  • Staff Confidentiality Agreement: all staff
  • DPIA Template: financial data processing
  • Credit Bureau Data Sharing Agreement: CreditRegistry and TransUnion
  • Debt Collector Data Processing Agreement: agent agreements
  • Breach Response Protocol + DP3: 72-hour rule
Your Legal Obligations

What the CDPA Requires from Your Organisation

These are mandatory legal requirements under Zimbabwe law, currently being enforced by POTRAZ.

CDPA S.12(1): Financial History is Sensitive Data
Financial history and credit history require explicit written consent before processing, sharing with bureaus, or using for risk assessment.

CDPA S.17: Credit Bureau Data Sharing
Sharing client data with bureaus requires a signed Data Processing Agreement, explicit client consent naming which bureaus will receive their data, and a right to opt out.

S.I. 155 / RBZ KYC: Dual Compliance Framework
MFIs operate under both POTRAZ data protection and RBZ KYC obligations. FinGuard is designed to satisfy both frameworks simultaneously.

CDPG 5/2024: Cloud-Based Loan Management Systems
Cloud-hosted loan management or core banking software storing data outside Zimbabwe requires POTRAZ authorisation. Your DPO manages this process.
What Your Plan Includes

Comply Foundations, FinProtect Controls, and DPO-Ready Oversight

FinGuard combines your Comply tier with FinProtect overlays for regulated lending, KYC, and payment data. DPO Shield is the recurring layer for named DPO support and ongoing review.

Each item below is listed with the tier or overlay that provides it:

  • MFI/SACCO Data Protection Policy: POTRAZ and RBZ aligned (Comply)
  • Mobile Money Consent & KYC Disclosure: loan applications (FinProtect)
  • AML / Data Handling Checklist: screening, KYC, and escalation controls (FinProtect)
  • DPIA Template: financial data processing (Comply)
  • Payment Data Addendum: card, mobile money, and repayment flows (FinProtect)
  • Financial Data Retention Schedule: loan, KYC, and repayment retention rules (FinProtect)
  • Breach Response Protocol + DP3: 72-hour rule (Corporate+)
  • Financial Data Asset Register: POTRAZ DP1 ready (Included)
  • Compliance Gap Assessment: 27-point checklist (Business+)
  • DSAR Response Kit: member and client requests (Business+)
Comply Tier Foundations

ROPA and Impact Assessments from Your Comply Tier

These frameworks come from your Comply package. FinProtect adds financial-services overlays, while DPO Shield supports recurring governance and sign-off.


Record of Processing Activities (ROPA)

Required under CDPA Section 13. This sits inside Comply Business and above, and becomes the foundation of your POTRAZ-facing operating record.

Your FinGuard ROPA covers:

  • Client names, National IDs, dates of birth
  • Client contact and residential details
  • Employment and income verification data
  • Loan application and credit history records
  • Guarantor personal data
  • Biometric data (fingerprints, photos)
  • Bank account and transaction data
  • Credit bureau submission records
  • Staff employment and payroll records
  • CCTV footage (branches)
Included in: Comply Business and above

Data Protection Impact Assessment (DPIA)

Required under CDPA Section 18 before any high-risk processing activity. Comply provides the base framework, while FinProtect adds lending and payments-specific prompts.

A DPIA is required before:

  • Implementing biometric member authentication
  • Introducing a new core banking or loan management system
  • Integrating with a new credit bureau
  • Launching a mobile lending product
  • Sharing data with a new debt collection agency
  • Storing client financial records in any offshore cloud service
Included in: all Comply tiers, with scope varying by package
Common Questions

Frequently Asked Questions

We share data with a debt collection agency. Do we need a contract?
Yes — a Data Processing Agreement is mandatory under CDPA Section 17 before any third party accesses client data. This includes collection agencies, law firms handling debt recovery, and credit bureaus. Your toolkit includes agreement templates so your organisation can put the right contracts in place.
A client wants to see what we shared with the credit bureau. Must we respond?
Yes. Under CDPA Section 21, clients have the right to access all personal data you hold, including third-party disclosures. You must respond within 30 days. Your higher-tier FinGuard package includes a complete DSAR response kit.
We collect fingerprints for member authentication. What are our obligations?
Biometric data is sensitive under CDPA S.12(1). You need: explicit written consent per member, a DPIA assessing biometric risks, and secure storage. Your FinGuard DPIA template covers this specifically.
What is our POTRAZ tier if we have 2,000 active loan clients?
You are likely Tier 2 (1,001–10,000 data subjects) at $300. Your total count must include guarantors, former clients whose data you still hold, staff, and website users. Your DPO confirms the exact tier.

Need help interpreting the finance-sector requirements? Ask AskDPO AI for free, instant guidance.

Choose Your FinGuard Path

Start with Comply Business, then select the FinProtect add-on in the next checkout step. Add DPO Shield Business afterward if you need recurring oversight and support matching with a suitable POTRAZ-certified DPO.