After much-needed hue and cry over predatory and arm-twisting conduct characterising Kenya’s digital lending businesses, The Central Bank of Kenya Amendment Act 2021 (hereinafter the “Act”) was assented to on December 7, 2021, and became effective on December 23, 2021.
The legislation is a much needed and a laudable guardrail that seeks to bring digital credit providers into the fold of regulatory oversight.
The Act defines “digital credit” as a credit facility or arrangement where money is lent or borrowed through a digital channel whilst” digital lenders” are now referred to as “digital credit providers” to mean a person licenced by the Central Bank of Kenya (hereinafter the “Bank”) to provide credit facilities or loan services through a digital channel (i.e., the internet, mobile devices, computer devices, applications and any other digital systems as maybe prescribed by The Bank).
Proceeding is a substantive discussion of core parts of the Act:
The Act now requires that all persons/businesses offering or intending to offer digital credit in Kenya must be licensed by the Bank with digital credit businesses that were in existence prior to the coming into force of the Act required to apply for licenses within six months of publication of the Regulations to be made under the Act.
The said Regulations should be made within three months from the date when the Act came into force.
In order to be licensed, a digital lender shall be required to file an application for a license accompanied by: a copy of the certificate of incorporation under the Companies Act; a certificate issued pursuant to section 19 of the Data Protection Act; and a statement as to compliance with the provisions of Part VII of the Consumer Protection Act.
Further, an applicant shall provide the terms and conditions applicable to the digital credit and which must be accepted by the borrower before activation of a mobile loan account.
The significance of Section 19 of the Data Protection Act stems from Section 18 of the same Act whose effect is that it requires mandatory registration of data controllers and data processors who process data of certain thresholds where, in the absence of such registration, are estopped from acting as data controllers and data processors.
Consequent to this, Section 19 details particulars to be furnished to the Data Commissioner by data controllers and data processors referenced in Section 18 and in compliance of which a certificate of registration shall be issued.
The particulars referenced in Section 19 of the Data Protection Act include: a description of the personal data to be processed by the data controller or data processor; a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and a description of the purpose for which the personal data is to be processed.
The import in requirement of a certificate issued pursuant to Section 19 of the Data Protection Act is that it reorders the current imprudent conduct of digital credit providers of disregarding customers’ privacy.
A research study conducted by CIPIT, for instance, revealed that digital credit providers’ applications have access to customers’ phone microphones in order to record audio, calendars which includes the permission to add or modify calendar events and email guests without the borrower’s knowledge and continuous access to location data thereupon tracking borrowers’ movements.
Noting the vitality of data digital credit providers process, it is prudent to hinge license to operate on adherence to data protection principles and this is a welcome development in the law.
Even so, the buck does not stop at fulfilment of registration requirements when seeking a green light to operate their business but actual processing activities for such actors must reflect the T’s and I’s they claim to cross and dot.
II) Power of the Central Bank
In regulating digital lenders, the Act empowers the Central Bank of Kenya to among others; license digital credit providers; approve digital channels through which digital credit business may be conducted; determine parameters for pricing of digital credit; supervise digital credit providers and to suspend or revoke a license.
This scope of the Central Bank’s authority is broad and should be exercised judiciously as the Bank rakes in might to steer further innovation and nip in the bud recalcitrant behaviour.
Additionally, the Act’s requirement for the Bank to consult with other regulators including, but not limited to, the Office of the Data Protection Commissioner and the Communications Authority promises adept governance alive to the multisectoral nature of the Fintech ecosystem.
Sieving the market from all and sundry, the Act requires that the Bank shall cause to be published in the Gazette and the Bank’s website – (a) before the thirtieth day of March in each year, the names and addresses of all licenced digital lenders under this section; (b) within thirty days of suspension or revocation of a license, the name and address of the digital lenders whose licenses have been have been suspended or revoked. This provision promotes transparency and boosts customer confidence to seek digital credit.
To be supplanted by regulations, the Amendment Act is worth commendation.
Other aspects that the Bank should pay attention to and prescribe regulations over include; sound security systems/standards to be maintained by digital credit businesses, streamlined metrics of borrower’s creditworthiness, open data banking/sharing among credit providers and protection of customers from decisions entirely grounded on automated processing.