Introduction

Digital lenders have until now been generally carrying on business unregulated.

The regulatory lacuna has historically meant that for as long as mobile phones have been widely used in Kenya, consumers have been exposed to harmful practices such as predatory lending, invasive debt collection tactics that often flouted the right to privacy, and exorbitant interest rates.

The Central Bank (Amendment) Act, 2021 (the Act) which came into force on 23 December 2021 now marks a major shift from the existing self-regulatory model, to one where the Central Bank of Kenya (CBK) has significant control over digital lending and borrowing. The regulation of digital lenders will afford more protection to borrowers when it comes to consumer protection and data privacy; however, only time will tell if the new legislation will enable rather than stifle innovation given the new compliance requirements.

CBK's Mandate

The Act amends the primary legislation-the Central Bank of Kenya Act-to vest in the CBK the power to licence "digital credit providers" to carry out "digital credit business". Digital credit business is defined as the business of providing credit facilities or loan services through a digital channel, being the internet, mobile devices, computer devices and any other digital devices that are prescribed by the CBK. "Digital credit" means a credit facility or arrangement where money is lent or borrowed through a digital channel. The specific reference to money is welcome given that previous draft laws to regulate this sector were unclear on this issue. However, even though the commentary on the passing of this law has focussed on providers of mobile money loans, the definition of digital credit business appears wide enough to cover other businesses such as suppliers of goods online who provide credit terms. It is not clear whether this was intended by the legislature but our review of the relevant Hansard reports suggest it was not.

The CBK also has the power to:

  1. approve digital channels through which digital credit business may be conducted;
  2. determine parameters for pricing of digital credit;
  3. supervise digital lenders;
  4. suspend or revoke licences; and
  5. direct any other changes it considers necessary.

In dispensing its mandate, the CBK is required to consult with other regulators such as the Office of the Data Protection Commissioner (ODPC) and the Communications Authority.

Licensing and Revoking a Licence

All digital lenders must be licensed by the CBK under the Act, unless permitted to conduct digital credit service provision under any other written law. The CBK is required to publish the names and addresses of all licenced digital lenders. The Act sets out the basic application requirements for obtaining a licence. However, it is notable that the CBK will require applicants to provide a certificate of registration as either a data controller or data processor under the Data Protection Act, 2019 (the DPA). Undoubtedly this is a move to bolster compliance by digital lenders with the DPA and highlights the importance that the legislature is giving to ensure that data privacy in Kenya is respected. The problem with this in the short term is that the registration formalities under the DPA are themselves subject to regulations which have not as yet been promulgated.

Further, applicants must provide a statement indicating their compliance with the provisions of the Consumer Protection Act, 2012, relating to the rights of consumers in credit arrangements. In addition, applicants must provide to CBK the terms and conditions which borrowers will need to accept before their mobile loan applications are activated.

Likewise, there are various grounds upon which a licence, once issued, may be suspended or revoked by the CBK, for example where the licensee fails to meet the CBK's conditions or where a licensee is in breach of the DPA or the Consumer Protection Act.

Draft Central Bank of Kenya (Digital Credit Providers) Regulations, 2021

While the Act sets out a number of the requirements to obtain a licence, it leaves much of the detail to subsequent regulations to be made by the CBK. On 23 December 2021, the CBK published the draft Central Bank of Kenya (Digital Credit Providers) Regulations, 2021 (the Draft Regulations) which set out, in more detail, provisions relating to a range of matters including licensing, credit information sharing, data protection, consumer protection, reporting requirements and offences and penalties. The Draft Regulations are yet to come into force - the CBK is, until 21 January 2022, collecting views from the public.

If clients have any specific recommendations they would like us to include in our submissions do please let us know.

Information Sharing

Under the Act, digital lenders will be permitted to disclose positive or negative information relating to their customers to licensed credit reference bureaus where this information is reasonably required for the discharge of the functions of either entity. The Draft Regulations propose to restrict digital lenders from sharing negative information relating to a customer in relation to amounts below KES. 1,000. However, this threshold may be amended prior to publication.

Penalties

The general penalty for offences which are to be provided in the Draft Regulations are capped by the Act at KES 500,000 (approximately USD 4,400) with an additional KES 10,000 (approximately USD 88) per day for continuing offences.

Timelines

The Act provides that the CBK has a period of 3 months from 23 December 2021 to issue the Draft Regulations. Thereafter, digital lenders will be required to apply for a licence within 6 months of the issuance of the Draft Regulations.

Contributors: Charlotte Patrick-Patel, Senior Associate and Abdulmalik Sugow, Trainee Lawyer

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.