The Digital Financial Services Association of Kenya (DFSAK) has termed central bank’s latest proposal targeting None-Deposit Taking Credit Providers as a regulatory overreach designed to stifle innovation in the sector.
According to DFSAK Chairman Kevin Mutiso, the proposals in the draft Non-Deposit Taking Credit Providers Regulations 2025 by the Central Bank of Kenya will hurt consumers who depend on digital lenders to access affordable credit.
“The industry is engaging with each other to craft a comprehensive response to the proposed regulation. We worry about regulatory over reach by the CBK. They seem to also want to regulate the data aspects of our business and we worry that now have to separate compliance issues of data,” said Mutiso.
Among requirements to be issued operational license by the bank include a copy of the data protection policy and procedures and certificate from the Office of the Data Protection Commissioner and a description of data protection measures to be put in place to ensure protection of personal data of the customer and the proposed non-deposit taking credit provider.
“Over regulation actually does not hurt businesses, it actually hurts the customer. The additional regulatory costs that comes with compliance, the curbing of innovative ideas, the lack of a clear consumer redress mechanism hurt the consumer in many ways,” added Mutiso.
According to the association, NDTCP are responsible for financing at least 300,000 smartphones monthly, at least 70pc of new bodabodas registrations, disbursing Ksh 500 million daily in credit and driving the adoption of e-bikes in Kenya.
Speaking during the roundtable with DFAK, Data Commissioner Immaculate Kassait said some digital lenders continue to abuse their data protection and privacy mandate. As such, she called on the industry to be proactive in strengthening its alternative dispute mechanisms to minimize risks.
Since 2021, the Office of Data Protection Commissioner says it has received 5,284 complaints in relation to the digital lenders.
“This reflects the growing digital lending sector and the need to align practices to data protection. Nature of complaints include unlawful access to contacts and personal details on the phone, processing of third party personal data, lack of consent, transparency before data is collected or shared,” said Kassait.
Since then, the office has made 39 determinations, issued 22 enforcement notices, compensated 27 and issued penalty notice to 8 entities.
