According to the Economic Survey Report of 2022, the value of output from the Information and Communication Technology (ICT) Sector rose by 6.9% from USD 4.03 billion in 2020 to USD 4.31 billion in 2021. Mobile money subscribers increased by 8.5% to 35.2 million in 2021 and the value of mobile commerce transactions increased by 63.2% to USD 116.4 billion in the same period. Essentially, the total mobile money transfers grew by 31.7% to USD 52.5 billion, a growth which is attributed to the COVID-19 pandemic. Within this period the Kenyan Government encouraged use of mobile money platforms with an aim to curb the spread of the virus through handling of cash.
Financial technology (‘Fintech’) refers to the integration of technology by firms in delivering financial services to customers. Fintech is a rapidly growing industry in the East Africa region steered by a unique blend of mobile adoption, technology innovations and investor interests. Some of the major Fintech activities carried out in Kenya include mobile payments, digital lending, asset and wealth management, insurance, and money remittance operations. The Central Bank of Kenya (CBK) is the primary regulator, responsible for ensuring that all financial institutions operate within the set standards. However, the dynamic nature of the Fintech industry and its overlap across different sectors, leads to a multiplicity in the regulatory framework. There are however sector-specific regulations as will be highlighted herein.
Mobile money, one of the prevalent forms of financial services in Kenya is regulated by the Kenya Information and Communications Act (KICA), 1998 which is responsible for the mobile network operators and the National Payment Systems Act, 2011 which regulates the payment systems and payment service providers. A Mobile Payment Service Provider means a telecommunications service provider licensed under KICA and authorized by Central Bank of Kenya to offer payment services. The scope of payment services is prescribed by the National Payment System Act to include:
- sending, receiving, storing or processing of payments or provision of other services in relation to payment services through an electronic system;
- ownership, possession, operation, management, or control of a public switched network for the provision of payment services; and
- processing and storage of data on behalf of such payment service providers or users of such payment services.
The Central Bank of Kenya (CBK) Act defines digital credit business as “the business of providing credit facilities or loan services through a digital channel.”
Regulation 4(2) of the CBK (Digital Credit Providers) Regulations, published in 2022 provides that a person who wishes to carry out digital credit business in Kenya shall apply to the Bank for a license. In assessing an application, the regulations provide that the CBK shall consider issues such as the sources and evidence of funds to be invested by or in the digital credit provider.
Money Remittance Operations
The Money Remittance Regulations, 2013 define money remittance business as a “service for the transmission of money or any representation of monetary value without any payment accounts being created in the name of the payer or payee, where funds are received from a payer for the sole purpose of transferring a corresponding amount to a payee or to another payment service operator acting on behalf of the payee, or funds are received on behalf of, and made available to the payee.”
Regulation 4 stipulates that for any person to provide money remittance services, the person;
- must be incorporated as a limited liability company under the Companies Act;
- must obtain approval from the Bank for the proposed business name before incorporation and has the words ‘money remittance’ or ‘money transfer’ as a brand name; and
- should be licensed to provide money remittance services under the regulations.
Asset and Wealth Management
One of the statutory mandates of the Capital Markets Authority (CMA) is to develop a framework to facilitate the use of electronic commerce for the development of capital markets in Kenya. The Capital Markets Act No.3 of 2000 defines electronic commerce to include “… the offer, distribution or delivery in electronic form of securities or services ordinarily provided by licensed persons; and the execution of securities transactions without the need for parties to the transaction to be physically present at the same location.”
In execution of this objective, the CMA established Kenya’s Regulatory Sandbox framework in 2019. This allows firms to test innovative products, solutions, or services that have the potential to broaden the capital markets, for a period of up to twelve months in a real-world environment, while still under the Authority’s regulatory oversight. The Policy Guidance Note provides for the eligibility, application, and acceptance criteria. The Authority can either authorize an applicant to operate in Kenya subject to existing regulations, develop new regulations based on the observations made in the test, or deny the firm the right to operate.
Insurance technology (Insurtech) is the use of technology in insurance transactions and processes to enhance efficiency in the traditional processes and models. In Kenya, there are no specific regulations for Insurtech services. Essentially, the regulations governing these services are based on the insurance product or service being provided. The Insurance Act CAP 487 is the primary legislation governing the insurance business in Kenya, with the Insurance Regulatory Authority mandated to regulate, supervise, and develop the industry.
In addition to the sector-specific regulations, Fintech firms are also required to ensure compliance within other areas of law of general application. Some of these include:
- Data Protection and Privacy
Every person’s right to privacy which includes the right not to have information related to their family or private affairs unnecessarily required or revealed, or to have the privacy of their communications infringed is protected under Article 31 of the Constitution of Kenya 2010. The Data Protection Act (DPA) 2019, enacted to give effect to this provision, regulates the processing of personal data, provides for the rights of data subjects, and obligations of data controllers and processors.
Personal data is especially relevant to Fintech firms due to the need for customer KYC information as well as handling of their transactional information. The Act defines personal data as “any information relating to an identified or identifiable natural person.” Further, Section 25 provides for the basic principles and obligations of personal data protection which involve lawful collection and processing of personal data.
- Consumer Protection
The Consumer Protection Act, 2012 is the principal legislation for the protection of the consumer and prevention of unfair trade practices. This notwithstanding, it is important to note that most sector-specific regulations have incorporated consumer protection provisions capturing the sectors.
For example, the CBK (Digital Credit Providers) Regulations, 2022 addresses consumer protection under Part VII. Digital Credit Providers are required to issue transaction receipts to customers, establish customer redress mechanisms, put in place systems for the purposes of ensuring business continuity, observe limitations set in relation to access and collection of customer information, provide terms and conditions as prescribed by the regulations, avoid false advertisements, and ensure they get a written approval from the CBK prior to variation of credit terms.
The NPSR 2014 provides for disclosure requirements, advertisements, customer care services, filing and resolution of complaints, customer service agreements, and confidentiality. Part VI of the Money Remittance Regulations provides for the consumer protection regulations on disclosure and consumer redress.
- Anti-Money Laundering Compliance
With reference to Section 2 of the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) 2009 a financial institution is “any person or entity which conducts as a business, one or more of the activities stated therein including issuing and managing means of payment such as credit and debit cards, cheques, money orders and bankers’ drafts, travelers’ cheques, and electronic money.”
The Act recognizes financial institutions as reporting institutions and thus obligated to register with the Financial Reporting Centre (FRC) and establish systems and procedures to combat money laundering. The Reporting Institutions’ obligations as set out under PART IV of the Act include:
- Monitoring and reporting to the FRC;
- Verification of customer identity;
- Establishing and maintain customer records; and
- Establishing and maintaining internal reporting procedures.
The Fintech ecosystem in Kenya is vibrant and dynamic, cutting across different sectors and hence a regulatory overlap is inevitable. In some instances, therefore, Fintech firms may be required to obtain multiple licenses with respect to the different products offered. For a mobile money product for example, a firm would require authorization from both the Central Bank of Kenya and the Communications Authority of Kenya and further ensure compliance with the data protection, consumer protection and anti-money laundering laws.