Regulation of Digital Lending in Kenya

Digital lending has expanded rapidly, but complaints about harassment, privacy violations and abusive recovery practices prompted regulation. This article explains Kenya’s framework under the CBK (Digital Credit Providers) Regulations, 2022, including licensing, governance and reporting duties. It also highlights the key borrower protections on consent, data minimisation, disclosure and fair debt collection.

Author : Grace Maina

Regulation of Digital Lending in Kenya

Grace Maina

Article Overview

This insight explains why Kenya moved to regulate app-based digital credit, noting the rapid expansion of digital lending alongside complaints of harassment, threats, and privacy violations during debt recovery.

It outlines the regional benchmark for responsible digital credit, then focuses on Kenya’s core legal response, the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022, which introduced licensing and CBK oversight for previously unregulated digital lenders.

The article highlights who the Regulations apply to and who is excluded, then sets out key compliance duties around licensing, governance, consumer protection, confidentiality and data minimisation, fair debt collection, CRB reporting safeguards, and rules on changing credit terms.

Key takeaways

Why regulation was needed: the article cites allegations against some platforms for threatening borrowers and violating privacy and dignity in recovery efforts, creating the need for order and oversight.
Regional benchmark: the AFI Policy Framework for Responsible Digital Credit (Feb 2020) highlights principles like transparency, disclosure, data privacy, cybersecurity, consumer education, competition, and redress systems.
Kenya’s legal basis: CBK operationalised regulation through Legal Notice No. 46 (18 March 2022) issuing the CBK (Digital Credit Providers) Regulations, 2022 under the CBK Act.
Scope and exclusions: the Regulations cover credit/loan services offered through digital channels, but exclude banks, microfinance institutions, SACCOs, Postbank, credit-by-sale-of-goods arrangements, and other entities regulated under other laws or approved by CBK.
Mandatory licensing: DCPs must apply for a CBK licence (issued within 60 days of a complete application), pay annual fees (by 31 December), and are listed by CBK; the article notes a directory of licensed DCPs (22 as at 20 January 2023).
Revocation and public interest: licences may be suspended or revoked for non-compliance, false information, winding up, AML/CFT violations, or conduct detrimental to public interest.
Governance and operations: DCPs must maintain policies on consumer redress, data protection, AML/CFT, governance, ethics, and market conduct, and must notify CBK ahead of certain financing arrangements or restructurings.
Consumer protection rules: confidentiality is central; borrowers must be notified before negative CRB listing; recoveries are capped using a duplum-style approach once a loan becomes non-performing.
Debt collection conduct: DCPs are barred from threats, violence, obscene language, accessing phone books/contacts, posting sensitive data online, harassment, and other improper tactics.
Term changes and consent: customers must receive 30 days’ notice for changes, and increases to charges or credit terms require notice plus acceptance by the consumer; the article proposes fair options where a customer declines revised terms.
Implementation watch-outs: the article flags the compliance burden, including CBK reporting oversight without predictable timelines, and the need for harmonisation across regulators to support fair competition and collaboration.

About the author

Grace Maina is an Associate at Rachier & Amollo LLP. In this insight, she analyses Kenya’s digital credit licensing regime and the borrower protection safeguards that CBK oversight is designed to enforce in the digital lending market