The Central Bank of Kenya (Amendment) Act, 2021 empowered the Central Bank of Kenya (the “CBK”) to regulate digital credit providers. Our analysis of the Amendment Act is here. The CBK has now published the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 (the Regulations) setting out the licensing procedure and compliance requirements for digital credit providers.
Who is a Digital Credit Provider?
Digital Credit Providers (DCPs) are entities involved in the business of providing credit facilities through a digital system such as the internet, mobile devices, computer devices, and applications.
Which Digital Credit Providers are exempt?
- institutions licensed under the Banking Act (Cap 488), the Microfinance Act (No. 19 of 2006), and the Sacco Societies Act (No. 14 of 2008);
- entities whose digital credit businesses are regulated under any other written law. These may include hire purchase firms, building societies and life assurance companies that offer access to loans against life policies digitally or retirement benefit schemes that opt to automate their provision of mortgages;
- the Kenya Post Office Savings Bank; and
- credit agreements incidental to the sale of goods and provisions of services, e.g. where a provider of goods or services allows payment in instalments.
Key Highlights of the Regulations – Consumer and Data Protection
The Regulations focus on consumer and data protection, both anchored in the Constitution.
Key highlights include the following:
The in duplum rule – In line with the Banking Act, Kenyan courts have limited the application of this rule to institutions under the Banking Act. The Regulations now extend its application to DCPs limiting recoveries to (i) the principal owing when the loan becomes nonperforming; (ii) interest not exceeding the principal owing when the loan becomes nonperforming; and (iii) reasonable expenses incurred in recovering amounts owing. Institutions such as life assurance companies still remain not statutorily bound by the in duplum rule. If the in duplum rule is to be adopted as a matter of public policy, then amendments will have to be made to their parent statutes.
Conduct of DCPs – DCPs are prohibited, in their recovery efforts, from using threat, violence or other means to harm borrowers, their reputation or property; or accessing borrowers’ contacts lists and using obscene or profane language for purposes of shaming them; or using improper or unconscionable debt collection tactics, methods or conduct.
Corporate Governance – While the Regulations do not set out minimum corporate governance requirements for DCPs, DCPs are required to practice sound corporate governance principles.
Privacy – DCPs are to put in place appropriate policies, procedures and systems to ensure confidentiality of customer information and transactions.
Transparency and Informed Consent – DCPs must inform their customers of the terms and conditions of the loan before granting the loan. Any changes must be notified to the customer at least 30 days before their effective date. Customers are also entitled to receipts of transactions and upon request, a comprehensive statement of transactions carried out by them. Advertisements must not include false, misleading or deceptive representation.
Grievance Resolution – DCPs are also required to establish and inform their customers of the complaints redress mechanisms. Customer complaints should be resolved within thirty days and a record of all complaints and the outcome of their resolution kept.
Business Continuity Plans – DCPs must also have systems and processes to minimize disruptions and ensure business continuity.
- Who is eligible for registration?
To be eligible for registration, a DCP must be a registered company. It may either be a local or foreign company, provided it is registered under the Companies Act, 2015.
- How to Register as a Digital Credit Provider
Registration is through an application to the CBK using a prescribed form, paying the prescribed fee and submitting the below information:
- Applicant Information – certified copy of the entity’s certificate of incorporation, its constitutive documents and those of any significant shareholder. Significant shareholders are persons (other than the Government or a public entity) holding directly or indirectly 10% or more of the share capital. Other requirements include notice of registered address and source of funds;
- Operational Information – a description of the information and communication technology system, including delivery channels, to be used together with an independent assurance on the systems;
- People – names and addresses of its shareholders, directors and key personnel;
- Product Information – a description of, and terms and conditions of credit products and services it intends to provide, the pricing model and parameters;
- Policies and Procedures – policies on anti-money laundering and combating terrorism financing, data protection and consumer redress mechanisms, a credit policy and, code of ethics and market conduct;
- Compliance with other laws – certificate of registration as a data controller or data processor and a statement of compliance with the provisions of the Consumer Protection Act, 2012 on credit and loan agreements, certificate of good conduct, tax compliance certificate and credit reference bureau report for each of its directors, key personnel and significant shareholders.
The CBK will consider the application and make a determination within 60 days from its submission. Once granted the license remains valid unless suspended, revoked or the period prescribed (12 months) expires. The license is renewable annually and DCPs should apply for renewal at least 3 months before expiry of the license.
- Notice and Reporting Obligations
Licensed DCPs are required to:
- notify CBK of any intended changes in significant shareholding, board or management structure at least 30 days before the effective date;
- notify CBK at least 30 days before entering into any financing agreement or arrangement with a third party;
- submit a return to CBK by the 31st day of December every year, certifying its compliance with the Amendment Act and Regulations;
- submit periodic reports and returns and avail its premises, systems, books and records for inspection as may be requested by CBK; and
- give CBK at least 30 days written notice before opening, relocating or closing a branch or place of business.
- Consent requirements
Licensed DCPs may not do the following, without CBK’s prior written consent:
- appointing a director, chief executive officer or a senior officer, or a significant shareholder;
- entering into arrangements for transfer of assets and liabilities;
- voluntary liquidation;
- introducing new digital credit products or varying the features of existing products; and
- changing their pricing model or parameters.
DCPs are prohibited from:
- taking deposits including cash collateral as security for loans advanced. This ensures they do not participate in deposit taking which is regulated under the Banking Act; and
- advancing credit to a customer before assessing the customer’s ability to repay the credit facility. This is to prevent money laundering activities being carried out under the guise of lending.
- Penalties and Administrative Sanctions
If the exemptions above do not apply to you, it is an offence to carry on digital credit business without a license from CBK, and is punishable by imprisonment for a term not exceeding 3 years or a fine not exceeding KES 5 Million or both.
Non-compliance may lead to a first instance penalty of up to KES 500,000 and additional penalties up to KES 10,000 each day during which the violation or non-compliance continues.
CBK may also suspend or disqualify the non-compliant shareholder, director or officer in addition to prescribing additional remedial measures as it sees fit or suspending or revoking the licence held by the DCP.
- What next?
The Regulations were published two months from the publication of the Amendment Act. The speed of publication speaks to the registration of DCPs as a priority agenda and DCPs should therefore ensure compliance. Existing DCPs have up to September 2022 to comply. New DCPs must obtain a license from CBK before starting digital credit business.
Where a DCP, seeks to rely on the exemptions particularly on the basis that digital lending is regulated under any other written law or an ancillary business, getting legal advice to guide the decision-making and ensuring proper documentation of the decision-making process is critical.
For existing and new DCPs, priority should be given to registration with the Data Protection Commissioner, as it is a pre-requirement for registration with the CBK. This registration is now set to start on July 14, 2022 as we wait for the office of the Data Commissioner to launch the online registration portal. For more information on registration requirements under the Data Protection Act, see our update here.
The Regulations require self-certification with the provisions of the Consumer Protection Act. Where necessary DCPs should seek an independent legal review of their terms and conditions, policies and existing frameworks. Going forward an independent review can be done periodically.
The Amendment Act and Regulations seek to address the increasing complaints by consumers over the methods employed by DCPs in debt collection and their apparent disregard for consumer protection and data protection principles. The new legal framework will enhance transparency in this subsector ensuring customers are informed of the terms of any loan agreement entered into and, limit amounts recoverable upon default on loan repayment.
The Amendment Act and Regulations do not specify the types of reports and returns that DCPs should submit to CBK and the frequency of the submission. We expect CBK to issue circulars or guidelines setting out the form of the reports and returns for uniformity and ease of compliance.
Click to Download
This briefing is a highlight of legislative and policy changes and is intended to be of general use only. It is not intended to create an advocate-client relationship between the sender and the receiver. It does not constitute legal advice or a legal opinion. You should not act or rely on any information contained in this legal update without first seeking the advice of an advocate.