I & M Bank House 3rd Floor, 2nd Ngong Avenue

Balancing Innovation and Protection: Digital Credit Providers Kenyan Regulatory Maze 


A Digital Credit Provider (DCP) is a financial institution that uses digital platforms like websites and mobile apps to provide loan products and services. Borrowers can apply for, receive and repay loans entirely online without needing to visit a physical branch. 

Some examples of DCPs include fintech lenders with mobile loan apps, mobile banking platforms with credit features, mobile network operators offering airtime advances and Buy Now Pay Later providers. 

Kenya’s DCPs are governed by the Central Bank of Kenya (Digital Credit Providers) Regulations 2022 “Regulations”, which were introduced under the amended Central Bank of Kenya Act of 2021. The DCP regulations in Kenya were passed to address concerns about the growing digital lending industry such as; 

  1. Consumer protection: The Regulations crack down on predatory lending, hidden fees, and aggressive collection tactics by some digital lenders. This aims to create a fairer lending environment for borrowers. 
  2. Transparency: Opaque loan terms left borrowers confused and potentially vulnerable. These terms often lacked clarity on crucial aspects like interest rates, fees, repayment schedules and late payment penalties. The regulations aim to clamp down on this by ensuring clear and easy to understand loan details. 
  3. Corporate Governance: Prior to the implementation Regulations, the digital lending space while experiencing a boom in convenience and accessibility between 2014 and 2019, lacked established practices and safeguards, raising concerns on governance. These concerns centered around issues like board governance, accountability and ethics. The Regulations address these concerns by prescribing corporate governance principles that establish a framework for responsible lending. 

Beyond the core Regulations, DCPs in Kenya must also play by the rules set out in wider laws. This includes adhering to the Data Protection Act, Consumer Protection Act and the Proceeds of Crime and Anti-Money Laundering.  

Registration of a DCP 

To operate as a DCP, a license from the CBK is mandatory under the Regulations. DCP licenses are valid for one year, subject to renewal by December 31st. The CBK publishes the names and addresses of licensed DCPs within 30 days of issuance in the Gazette and on their website. A recent press release from the CBK in March 2024 indicated that there are now 51 licensed DCPs operating in Kenya. 

To obtain a DCP License, entities must be registered as a Company and should initiate registration with the Office of the Data Protection Commissioner’s Office (ODPC). These registrations are mandatory compliance documents for the CBK application process. 

The key requirements for the formal application to CBK are as follows; 

  1. Application Forms: Complete CBK DCP 1 form detailing your company and proposed DCP business. 
  2. “Fit and Proper” Assessments: Directors, CEO, Senior Officers and significant Shareholders need to fill out “Fit and Proper” forms (CBK DCP 2 & 3) to assess their suitability. 
  3. Business Plan: A detailed plan outlining your digital credit business model, target market and risk management strategies. 
  4. Financial Information: Evidence demonstrating the legitimacy and source of funds for your investment. 
  5. Policies: Copies of your Data Protection Policy, Consumer Protection Policy, Dispute Resolution Policy and Terms & Conditions for lending services. 
  6. Technical Capacity: A copy of the service provider agreement, IT system description and independent assurance report on the systems. 
  7. Anti-Money Laundering (AML) Measures: Plan for identifying and verifying customer identities and preventing money laundering activities. 
  8. Compliance Documents: Copies of certificate of good conduct, tax compliance certificate and credit reference bureau report for each of the digital credit provider’s individual significant shareholders, directors, chief executive officer and senior officers. 

Reporting Obligations 

  1. Each year by December 31st, DCPs are required to submit a report to the CBK confirming their compliance with the relevant Act and the Regulations. 
  2. DCPs are required to notify the CBK not less than 30 days before any significant changes occur within their shareholding, board composition, management structure or the appointment of new directors, CEOs, or senior officers. 
  3. Also required to pay a yearly license fee by the end of December 31st. 
  4. Before getting any outside funding or investment, DCPs need to notify the CBK at least 30 days in advance. 
  5. If a DCP experiences a personal data breach, they must report it to the ODPC 72 hours of becoming aware of the incident.


While the 2022 DCP Regulations have brought much needed order to digital lending, a potential loophole remains. Section 2 of the Central Bank Act defines a “digital credit business” as one operating solely through digital channels. This raises concerns; could lenders using traditional methods to escape regulation?  

Additionally, the while the Regulations established a deadline of September 2022 for existing digital lenders to obtain licenses, a lack of clarity regarding consequences for non-registration creates a temporary grey area. This ambiguity may have act as a loophole for some unregulated lenders to continue operating beyond the deadline. 

Overall, the risks of operating an unlicensed DCP in Kenya are significant for instance criminal sanctions, reputational damage and difficulty accessing funding. It is highly recommended for DCPs to comply with the CBK Regulations and obtain the necessary licenses to operate legally and avoid potential sanctions. 

The industry is also witnessing some trends, such as the adoption of open banking (enhanced with cybersecurity measures) as an innovation strategy and the establishment of regulatory sandboxes, which can be instrumental in fostering a healthy and innovative DCP landscape within a well-regulated environment.