In recent years, the financial services landscape has undergone a remarkable transformation, driven by the convergence of technology and finance. Fintech companies, at the forefront of this evolution, have harnessed digital innovation to revolutionise access to financial resources, particularly in regions with limited traditional banking infrastructure.

Digital credit providers (DCPs) leverage technology and data analytics to assess borrowers’ creditworthiness and provide quick and convenient access to short-term loans or credit facilities. Notable examples of DCPs include Inventure Mobile Limited (trading as Tala), M-Kopa Loan Kenya Limited, and Ngao Credit Limited. As of April 2023, the Central Bank of Kenya (the CBK) had licensed thirty-two (32) DCPs to operate in Kenya. While the growth of fintech companies has brought about significant benefits, it has also raised concerns regarding consumer protection and data privacy. For instance, many borrowers who access loans through online platforms often lack a comprehensive understanding of how these companies operate, or even their official identities.

To address these concerns and align the industry’s operations with the Constitution of Kenya 2010, the CBK – exercising its powers under section 57 of the CBK Act – formulated the Digital Credit Providers Regulations 2022 (the Regulations). These Regulations are designed to govern the licensing, operations, and compliance requirements of DCPs in the country. Notably, the Regulations do not apply to banks, financial institutions, microfinance institutions, Sacco societies, or any entity whose digital credit business is regulated under any other written law, or any other entity regulated by the CBK.

Compliance Requirements

The Regulations introduce a framework to ensure that DCPs operate responsibly, protect consumers, and maintain the integrity of the financial system, an overview of which is as follows:

a)Licensing

Rule 4(1) of the Regulations prohibits a person from carrying on a digital credit business in the country without licensing from the CBK. Contravention of this provision constitutes an offence that attracts a penalty, upon conviction, of imprisonment for a term not exceeding three (3) years or a fine not exceeding KES 5,000,000. An application for a licence is submitted in a prescribed form (CBK DCP 1), which contains information such as the name and address of the applicant and the source of funds for the proposed business. Rule 4 (3) further requires the application to be accompanied by documents such as the applicant’s data protection policies and procedures and the applicant’s Anti-Money laundering and combating the financing of terrorism policies and procedures (which shows their commitment towards combating anti-money laundering and terrorism financing).

If satisfied that the applicant meets the requirements of the Regulations, a licence is issued within sixty (60) days of submission of a complete application, and it remains valid unless suspended or revoked by the CBK. The CBK is also obliged to publish the name of every licensed DCP in the Kenya Gazette and on its website within thirty (30) days of issuing the licence. The CBK is further required to publish the names and addresses of all licensed DCPs in the Kenya Gazette and on its website before the 31st day of March of every year.

Once licensed, DCPs are required to pay annual fees and submit a return to the CBK, certifying their compliance with the Regulations by the 31st day of December of every year. However, it is worth noting that the CBK retains the authority to suspend or revoke a licence, as per Rule 9 (1) of the Regulations. This can occur if the licencee fails to pay annual fees or a monetary penalty imposed by the CBK, provides false information during the licence application process, or ceases to carry on the business of a DCP. Before such revocation or cancellation, the CBK is required to notify the DCP and allow it to be heard.

1. b) Credit Information Sharing and Data Protection

The Regulations allow DCPs to disclose both positive and negative credit information regarding their customers to licensed credit reference bureaus (CRBs). This disclosure is only permitted when such information is reasonably required for the performance of the functions of either the DCP or the licensed CRBs. However, the Regulations impose restrictions on submitting negative credit information in relation to a customer where the outstanding amount does not exceed KES 1,000. Before submitting negative information, DCPs are mandated to notify the concerned customer at least thirty (30) days in advance.

After submitting credit information to a CRB, DCPs are required to notify the customer within thirty (30) days from the date the information was submitted. This ensures that customers are informed about any changes to their credit history. Moreover, the information submitted must be timely, complete and accurate.

Most importantly, information derived from CRBs is to be used by DCPs in making decisions on customer transactions or for purposes authorised under the Regulations. DCPs are therefore required to implement measures to ensure the security of the information submitted or provided to CRBs. Accordingly, sharing of information with third parties is only permitted under the Regulations or relevant laws. This is because the security of shared information is crucial for confidentiality and integrity.

c)Conduct of Digital Credit Business

To further protect consumers, DCPs are prohibited from introducing a new digital credit product to the market or varying the features of an existing product without prior approval from the CBK. Additionally, DCPs are obliged to notify the customers at least thirty (30) days in advance before effecting such variations. The Regulations stipulate a maximum limit on the amount DCPs can recover from a non-performing loan, which prevents them from continuously accruing interest beyond the principal amount. To this end, the in duplum rule is applicable to DCPs, as affirmed in the case of Mugure & 2 others v Higher Education Loans Board (Petition E002 of 2021) [2022] KEHC 11951 (KLR).

Moreover, Rule 20 of the Regulations prohibits DCPs from engaging in any of the listed actions against a borrower or any other person during debt collection. Some of the prohibited actions include the use of threats, violence, or other means to harm the borrower, their reputation, or property if they fail to settle their loans; use of obscene or profane language sent to the borrower or the borrower’s references or contacts for purposes of shaming them or accessing the customer’s phone book or contacts list and other phone records for purposes of sending them messages in the event of untimely payment or non-payment.

d)Consumer Protection

DCPs are required to issue transaction receipts or acknowledgements of customer transactions, whether conducted electronically or through other acceptable means. To address customer concerns, a complaints redress mechanism should be established with dedicated communication channels. Complaints should be promptly resolved within thirty (30) days and records of such complaints and resolutions maintained.

DCPs are also obliged to implement secure and reliable information systems that uphold information confidentiality, integrity, and availability to minimise disruptions. Further, DCPs must provide detailed terms and conditions of loan agreements to customers prior to granting the loan. Some of the information contained in the terms includes the loan amount, the interest rate to be charged and whether on a reducing balance, the date on which the amount of credit and all interest are due and payable and how the same may be calculated and the annual percentage rate of interest.

Challenges

While the Regulations aim to foster a safer and more transparent financial ecosystem, they also present formidable hurdles that fintech companies must navigate. Some of these challenges include the following:

a)Delayed Approval Process

Since the implementation of the Regulations, numerous DCPs have submitted their licensing applications to the CBK. However, prevailing reports indicate that many DCPs are still awaiting approval. These delays are attributed to the comprehensive documentation required for each application, coupled with increased industry scrutiny. Consequently, this situation has disrupted the operational continuity of the DCPs and has made potential investors hesitant to provide funding without the CBK’s certification.

b)Compliance Costs and Administrative Burden

To ensure compliance with the Regulations, DCPs are forced to allocate resources and invest in compliance measures. This includes the establishment of mechanisms for tracking and reporting various operational aspects, such as transaction receipts, customer complaints and credit information sharing. These compliance efforts impose financial burdens and administrative complexities, particularly for start-up DCPs.

c)Risk Assessment and Responsible Lending

The Regulations underscore the importance of responsible lending practices. DCPs are required to implement effective risk assessment models that accurately evaluate a customer’s creditworthiness. This requirement can be challenging, particularly when dealing with customers who lack traditional credit histories. Additionally, limitations on debt collection procedures and techniques have contributed to a rise in loan repayment defaults, forcing fintech companies to write off some debts as bad debts.

d)Product Innovation and Regulatory Approval

Introducing new digital credit products or modifying existing ones requires obtaining regulatory approval. This can slow down the pace of innovation for DCPs, potentially hindering their ability to respond quickly to market demands and adapt to changing customer needs.

Conclusion

As fintech companies endeavour to adapt to the evolving regulatory landscape, the intricate web of compliance obligations, data privacy concerns and consumer protection mandates demand a strategic recalibration of their operations. These challenges, while formidable, also present opportunities for fintech companies to cultivate a culture of responsible innovation and customer-centricity. By embracing the challenges as catalysts for progress, fintech companies have the chance to shape financial services, bolster customer trust and drive inclusive economic growth in a technologically empowered era. Collaborative efforts between industry stakeholders and regulatory authorities are therefore pivotal in the pursuit of a cohesive financial services ecosystem.