Following the enactment of the Central Bank of Kenya (Amendment) Act, 2021 (the Act) on 23 December 2021, the mandate of the Central Bank of Kenya (the CBK) now extends to licensing and oversight of Digital Credit Providers in Kenya (DCPs) (see our earlier alert on the enactment here).

25 March 22

The CBK also published the draft Digital Credit Providers Regulations, 2021 (the Draft Regulations) on 23 December 2021, which set out in more detail, provisions relating to a range of matters required to bring the Act into full effect including licensing and compliance requirements applicable to DCPs, against which the CBK would regulate their activities. The CBK invited members of the public to provide commentary on the Draft Regulations, a process that was concluded on 21 January 2022 leading to the publication of the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 by Legal Notice No. 46 of March 18, 2022, which are now in effect.

Licensing and Initial Compliance Requirements
An individual who wishes to carry out a digital credit business in Kenya is required to apply to the CBK for a licence in the form prescribed under the Regulations. The Regulations require that an applicant for a licence to conduct the business of a DCP must be a company incorporated under the Companies Act.

In addition to information relating to the DCP and its significant shareholders, an application for a licence should be accompanied by various supporting documents including:

  1. a description of the information and communication technology systems to be used in its operations;
  2. a description of the delivery channels or platforms to be deployed by the DCP together with an agreement with a telecommunication or other service provider for provision of the channel or platform;
  3. the terms and conditions of credit products and services which the DCP intends to provide;
  4. a description and evidence of sources of funds to be invested in the DCP; and
  5. its pricing model and parameters.

Like banks and other financial institutions in Kenya, every director, significant shareholder, chief executive officer and senior officer of DCPs will now also be subject to vetting and approval by the CBK and may only hold such positions once the CBK has certified such person as fit and proper in accordance with the criteria set out in the Regulations. The CBK may, where it considers it necessary, carry out an assessment of the professional and moral suitability of every such person.

The vetting of directors, significant shareholders, chief executive officers and senior officers of banks and financial institutions by the CBK is more rigorous when compared to the vetting of similar officials of DCPs. The information required by the CBK on significant shareholders of DCPs mainly relates to the source of their funds and not their past activities and financial condition, which is the central bank’s area of focus for significant shareholders of financial institutions.

As part of the licensing procedures, the applicant will be required to test their ‘data submission’ capability using Application Programming Interfaces (APIs) with guidance from the CBK. If satisfied that the applicant meets the requirements of the Regulations and that the data submission testing has been conducted successfully, a license is issued to the applicant within 60 days of submission of a complete application. The CBK will thereafter, within 30 days of grant of the licence, publish the name of the licensed DCP in the Kenya Gazette and on its website. A licence once granted remains valid unless suspended or revoked.

Following publication of the Regulations, all DCPs must apply for and obtain a licence by September 17, 2022.

Continuing Compliance Requirements
Once licensed, a DCP is required to pay an annual fee of KES 20,000 (approx. USD 175) and submit a return to the CBK certifying its compliance with the Act and Regulations on or before the 31st of December every year. The CBK will publish the names and addresses of all licensed digital credit providers in the Kenya Gazette and on its website.

Like financial institutions in Kenya, DCPs will be required to:

  • Inform the CBK of any intended changes in its significant shareholding, board or management structure, or the appointment of a new director, chief executive officer or a senior officer at least 30 days before the effective date of the change;
  • issue a written notification to the CBK at least 30 days before opening, relocating or closing a branch or place of business; and
  • avail their books and records and grant access to the CBK and its officers, agents or employees to their premises and systems for inspection as and when required.

Suspension and Revocation of Licences
The Regulations give the CBK wide powers to revoke or suspend the licences of DCPs including upon a failure to pay the prescribed annual fees or any monetary penalty imposed by the CBK and the violation of any anti-money laundering laws or combating the financing of terrorism laws. The CBK may also suspend or revoke a licence issued to a DCP where the entity otherwise conducts its business in a manner detrimental to the interests of its customers or members of the public. We wait to see the circumstances under which the CBK will invoke this provision and hope that this power will be exercised justifiably.

Actions requiring approval of CBK
DCPs will be required to obtain written approval of the CBK prior to:

  1. introducing new digital credit products as well as any variations to any existing products;
  2. undertaking amalgamations and transfer of assets and liabilities except in relation to disposal of assets in the ordinary course of business;
  3. transferring or assigning the licence issued to it pursuant to the Regulations. This was completely prohibited in the Draft Regulations so it would appear that feedback from the sector has been taken on board; and
  4. undertaking a voluntarily liquidation where it is able to meet all its liabilities as and when they fall due.

DCPs will also be required to notify the CBK at least 30 days before entering into any arrangements with third parties seeking to invest in or finance them. The CBK may call for any additional information and documentation that it considers necessary for considering the notified transaction. As currently drafted, the Regulations require that all investments into or financing of DCPs be notified regardless of the quantum of investment or financing. From our review of the Regulations and the nature of information required in the fit and proper forms provided under the Schedules to the Regulations, it would appear that the aim of this requirement is to keep the CBK appraised of capital invested in the sector to enable it to investigate any funds that it suspects may be proceeds of crime. This is different from the approach taken by the central bank in relation to financial institutions in Kenya, where it seeks to regulate shareholding according to the prescribed shareholding thresholds.

Whilst this regulation only provides for a notification requirement in relation to transactions involving investment into or financing of DCPs, it is not clear whether its involvement in an investment or financing transaction will be subjected to any further requirements where the CBK is not satisfied with the additional information provided to it in relation to a notified transaction. We hope that this will not have an adverse impact on the timelines for completion of transactions of this nature.

Consumer Protection
DCPs are required to include the minimum information set out in the Regulations in their terms and conditions for lending. This includes i) the loan charges and the circumstances under which they may be imposed; ii) interest rates to be charged and whether on a reducing balance or not; and iii) the date on which the amount of credit and all interest, charges, fees or any other liabilities are due and payable and how they may be calculated. The Regulations also place a legal obligation on DCPs to: i)  furnish a customer with such terms and conditions and give a 30 day notice to customers prior to varying its terms and conditions; ii) notify their customers of any variations to existing products at least 30 days before the variations take effect; iii) provide a receipt or acknowledgement and/or a statement of transactions carried out by or with a customer upon request; and iv) notify customers in writing of their intention to submit any negative credit information relating to those customers to a licensed credit reference bureau either 30 days before submitting the negative information or within a shorter period as may be contracted between the DCP and the customer, subject to a minimum of seven days.

Like financial institutions, the Regulations also place a limit on the amount recoverable by DCPs from non-performing loans to the maximum amount being the sum of:

  1. the principal owing when the loan becomes non-performing;
  2. interest in accordance with the contract between the customer and the DCP, not exceeding the principal owing when the loan becomes non-performing, and
  3. reasonable expenses incurred in the recovery of any amounts owed by the customer. Limits will not be applicable to any interest accrued after a court order has come into effect.

Additionally, certain conduct by DCPs, their officers, employees or agents such as making unauthorized or unsolicited calls or messages to a customer’s phone contacts and other contacts, has been specifically prohibited under the Regulations. The prohibited conduct includes actions whose consequence is to harass, oppress, or abuse a customer or any person in connection with the collection of a debt.

Data Protection
DCPs are required to put in place appropriate policies, procedures and systems to promote data subject consent to collection and sharing of their data and confidentiality of customer information and transactions in line with the provisions of the Data Protection Act, 2019. The Regulations require DCPs to only collect and access customer information that is necessary or reasonably required for a customer’s credit appraisal, approval, disbursement and collection. DCPs will therefore be required to revise their privacy and data policies to ensure that they are compliant with the provisions of the Data Protection Act, 2019 and the Regulations.

Enforcement by the CBK
Where a DCP has acted contrary to the Act, the Regulations or any directives given by the CBK, the central bank will issue a Notice to Show Cause to the digital creditor and invite the DCP to make representations, which the CBK will take into consideration when making its determination on the administrative sanctions (if any) to impose on the DCP. The administrative sanctions provided for in the Regulations include: i) monetary penalty subject to a maximum of KES 500,000 (approx. USD 4,400) and additional penalties of up to KES 10,000 (approx. USD 90) in each case for each day during which the violation or non­compliance continues; ii) disqualification of a significant shareholder, director or officer of the DCP from holding any position or office in any licensed financial institution in Kenya; and iii) suspension or revocation of the licence. The CBK also has the discretion to impose any other sanction that it considers appropriate. The determination of administrative sanctions will be carried out on a case­ by-case basis and different sanctions may be imposed for different violations or against different DCPs or any other person, provided that the CBK is able to justify the difference in treatment.

DCPs or other aggrieved persons may request a review of any administrative sanction issued against it within 14 days of notification of CBK’s decision, on the grounds set out in the Regulations. However, such a request must be made before the effective date of the administrative sanction.

Tax Considerations for DCPs
Since DCPs were not previously regulated, they were outside the boundaries of the excise duty regime on financial services, which applies to licensed financial service providers. The import of the Regulations is that DCPs are now licensed financial institutions and the tax considerations for this new status needs to be considered. Specifically, certain fees charged by licensed financial institutions are subject to excise duty under the Excise Duty Act, 2015 (the Excise Duty Act). The Excise Duty Act defines ‘financial institutions’ as ‘’persons licensed under—the Banking Act; the Insurance Act; the Central Bank of Kenya Act; or the Micro Finance Act, 2006”. Further, the Excise Duty Act provides that excise duty is applicable on ‘other fees’ charged by financial institutions. The term ‘other fees’ is defined to include ‘any fees, charges or commissions charged by financial institutions relating to their licensed activities but does not include interest on loan or return on loan or any share of profit.’

Based on the foregoing, DCPs may now be considered licensed financial institutions for purposes of the Excise duty Act, and it will be necessary for an assessment to be carried out to determine whether specific charges imposed by a DCP to its customers will be subject to excise duty. Given the revenue pressures being experienced by the Kenya Revenue Authority (KRA), we expect swift action by the revenue authority to interpret the provisions as applying to DCPs and to thereafter enforce excise duty compliance by DCPs. A proactive approach by DCPs to determine the excise duty compliance requirements on their respective businesses is therefore encouraged.

With the coming into force of the Act and the Regulations, we hope to see a more streamlined sector that addresses previous consumer protection and data privacy concerns relating to the businesses carried out by DCPs

Should you have any questions on this legal alert, please do not hesitate to contact or Shellomith Irungu, Kenneth Njuguna and Dominic Rebelo

Authors