Contributed By Bowmans (Coulson Harney)
The 2020 Findexable Global Fintech Rankings report placed Kenya number 63 in the global top 100 rankings of the world’s leading fintech hub countries in Africa. In terms of African cities, Nairobi was ranked the second largest fintech city hub in Africa. These rankings can be attributed to the presence of an estimated 20% of African fintechs in Nairobi, an emerging ecosystem of local investors, an enabling human resource environment, increased mobile phone penetration and growing interest from global technology firms.
The key driver of the fintech revolution in Kenya has been the collaboration between technology providers, traditional financial institutions, fintech start-ups and regulators, sustained market demand and an open-minded appetite for these types of solutions, and an enabling regulatory framework. Increasingly, partnerships are being formed and integration is occurring between Mobile Network Operators (MNOs) offering mobile money services and traditional financial institutions such as commercial banks. The most popular services being offered as a result of these partnerships are payment solutions, money transfer and access to credit. In this way, commercial banks are able to reach the MNOs’ extensive customer bases while the MNOs benefit by increasing the number of services they offer.
There has also been significant growth in digital credit products that use credit-scoring algorithms and provide credit through mobile payment systems. The existence of mobile payment technologies has been a key growth factor for digital credit as these provide a channel for digital credit providers to transfer funds to borrowers and for borrowers to repay the borrowed amounts. The credit transactions are conducted over both the digital credit mobile applications or USSD platforms and mobile payment systems.
The COVID-19 pandemic has created opportunities for the development of fintech products and services, and has fuelled increased use of fintech solutions. For instance, on 16 March 2020, the Central Bank of Kenya (CBK) announced emergency measures to facilitate greater use of mobile money transactions instead of cash. Furthermore, the COVID-19 pandemic has stimulated e-commerce business, which has also led to an increase in the use of electronic payment methods.
As the mainstream use of fintech gains traction in Kenya, commercial enterprises and government entities are exploring the adoption of fintech to promote their efficiency and improve service delivery.
Three predominant fintech business models emerged in Kenya in 2020, namely digital banking, payment gateways and insurtech.
Most banks in Kenya have adopted digital platforms to provide their products and services. Customers are able to access their bank accounts, view their account information and statements, transfer funds, carry out foreign exchange transactions and pay utility bills, among others. Certain banks have partnered with MNOs to provide mobile banking services, thereby allowing customers to access their accounts through their phones and to deposit and withdraw funds from their accounts through mobile money wallets.
Payment gateways are MNO platforms that facilitate payment for goods and services by customers to merchants or between merchants. The platforms provide integrated payment systems between merchants, banks and other MNOs. The most popular payment gateway in Kenya is MPESA which is owned by Safaricom. Banks also have partnerships with credit card providers, such as Mastercard and Visa, who have also facilitated electronic payments.
Insurance companies have also increasingly adopted online platforms through which customers can view their policy details and premium statements, report and track claims, make service requests and view service providers, among others. Other intermediaries in the insurance business are adopting digital platforms to link insurance companies, customers, agents and other intermediaries.
There is no separate regime for the regulation of fintech in Kenya, so fintech products and services fall under the existing financial services regulatory framework. Currently, most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered. That said, legislation is being amended to expand the jurisdiction of the CBK to include fintech actors, such as digital credit and financial services providers.
The main regulators of the financial services industry are the CBK, the Capital Markets Authority (CMA) and the Insurance Regulatory Authority. Other regulators that play a role in regulating specific segments of the market or activities relating to it are the Retirement Benefits Authority, the Sacco Societies Regulatory Authority and the Competition Authority of Kenya. Their respective mandates are governed by the following legislation.
Several regulators have also issued guidelines, circulars and directives on the application and interpretation of the statutes.
There are no specific provisions on the permissible compensation that industry participants may charge their customers. However, certain general provisions apply to specific players, for instance:
Most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered. For the most part, new players would partner with legacy players to ensure compliance. However, there are other players who apply for their own licences, especially in the payment services sector. There have, however, been efforts by the regulators and parliament to update the regulations to cover technological developments, eg, as with the Central Bank of Kenya Amendment Bill.
The CMA established a regulatory sandbox to accelerate its understanding of emerging technologies and to facilitate the deepening and broadening of Kenya’s capital markets. The sandbox is a platform that will allow testing of innovative products, solutions and services that have the potential to enhance Kenya’s capital markets.
In March 2019, the CMA released the Regulatory Sandbox Policy Guidance Note, which provides a framework for the operation of the sandbox.
The sandbox is available to entities that are either incorporated in Kenya or licensed by a securities market regulator in an equivalent jurisdiction, with the intention to offer an innovative product, solution or service in Kenya.
Once the CMA has approved an application to participate in the sandbox, together with the applicant’s testing plan, the applicant can proceed with testing the product or service in Kenya. The CMA may, during the testing period, require modifications to be made to the testing plan. During the testing period, the applicants are required to submit interim reports on the progress of the tests and comply with other requirements from the regulator, including safeguard mechanisms.
Once the testing period is complete, the CMA may either license and grant the participant permission to operate in Kenya, or deny and reject the participant’s licence request.
Currently, the CMA has accepted seven applications for participation in the sandbox, including:
On 12 October 2020, the CMA granted a "No Objection" letter to Pezesha Africa Limited to operate its debt-based crowd-funding platform in the Kenyan capital markets, after a successful one-year testing period.
Where more than one regulator has jurisdiction over an industry participant, each regulator only regulates the participant to the extent that they fall within their jurisdiction. For example, listed banks are regulated by the CBK and the CMA, each of which limits their regulation to the scope of their respective legislative mandates. See the specific mandates of the regulators in 2.3 Compensation Models.
It is, however, expected that such regulators would adopt a collaborative approach. For instance, the CMA has indicated that discussions are underway towards establishing a multi-sector regulatory sandbox to address developments such as cryptocurrency and evolving payment technologies, which are related to, but are not the sole province of, capital markets.
Although regulated functions can be outsourced, outsourcing is subject to various restrictions in most sectors. For instance, the Central Bank of Kenya’s Prudential Guidelines (Guideline on Outsourcing CBK/PG/16) prohibit banks from outsourcing core functions such as corporate planning and management and control. Furthermore, the guidelines provide that any outsourcing of any material activity such as IT, market research and internal auditing should be approved by the CBK. These guidelines were issued in 2013 and have yet to be updated to reflect the current sector developments.
The guidelines provide for mandatory contractual requirements such as:
The National Payment System Regulations, 2014 provide that a payment service provider (PSP) may outsource operational functions. However, it cannot outsource material operational functions. A material function is one that, if a defect or performance failure were to occur, would materially impair the PSP’s continuing compliance with the requirements of its licence, financial performance and soundness or continuity.
A PSP is required to notify the Central Bank of Kenya of proposed outsourcing 30 days prior to the outsourcing arrangement taking effect.
The Capital Markets (Corporate Governance) (Market Intermediaries) Regulations, 2011 provide that, where market intermediaries contract third parties to undertake any functions on their behalf, they must ensure that:
These Regulations further clarify that outsourcing does not diminish the regulated entities’ liability with respect to their obligations.
From a regulatory perspective, it is much easier for market entrants to collaborate with existing licensed institutions and provide their products or services as outsourced functions, for instance, as this minimises the regulatory oversight and burden on them.
Currently there are no specific regulations on the responsibility of fintech providers over their platforms. This responsibility and liability are mainly established contractually. Where such providers are subject to indirect regulatory oversight, eg, as third-party vendors, the responsibility may be implied through the requirement to comply with regulatory standards.
The main regulatory enforcement actions across the verticals are:
Regulators may also institute court proceedings against regulated entities and/or their employees for committing offences under the statutes. On conviction, the courts may impose fines or prison terms for the relevant officers. The term of imprisonment or the amount of the fines varies under different regimes and depends on the nature of the offence committed.
The Data Protection Act
The Data Protection Act, 2019 regulates the processing of personal data of data subjects who are resident in Kenya, by data controllers and data processors. The Act regulates the processing of personal data, provides for the rights of data subjects and prescribes the obligations of data controllers and data processors. Kenya recently appointed its first Data Commissioner, who is currently setting up the Office of the Data Commissioner, as mandated by the Data Protection Act.
On 15 January 2021, the cabinet secretary in charge of ICT established a Taskforce for the Development of the Data Protection (General) Regulations. This task force is expected to propose regulations that will provide clarity to certain provisions of the Act.
Under the Data Protection Act, the Data Commissioner may cancel the registration of a data controller or data processor that, without any lawful reason, fails to comply with the Act. It further provides that a data subject is entitled to compensation from a data controller or processor where the subject suffers damage by reason of contravention of the Act.
The Data Commissioner also has the power to serve an enforcement notice on a data controller or processor to take certain steps within a specified period to be in compliance with the law, and may issue penalty notices requiring the payment of certain amounts specified in the notice if the enforcement notice is not honoured.
A person who commits an offence under the Data Protection Act for which no specific penalty is provided, or who otherwise contravenes the provisions of the Act, is liable on conviction to a fine not exceeding KES3 million or to an imprisonment term not exceeding 10 years, or both.
The Computer Misuse and Cybercrimes Act
The Computer Misuse and Cybercrimes Act is also pertinent. Among other aims, it seeks to protect the confidentiality, integrity and availability of computer systems, programs and data, and to facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes. This Act requires service providers to assist in investigating offences, such as by collecting and providing data. A service provider is defined as a public or private entity whose services provide users with the means to communicate by use of a computer system, as well as any other entity that processes or stores computer data on behalf of that entity or its users.
The penalties for offences under the Computer Misuse and Cybercrimes Act range from fines of approximately KES100,000 to KES20 million and/or imprisonment terms of between three and 20 years. The Act provides for enhanced penalties where these offences are committed with respect to protected computer systems. These include systems for the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems, and instruments.
Readers should note that the Computer Misuse and Cybercrimes Act was ruled unconstitutional on 29 October 2020, following a ruling by the High Court which nullified 23 Acts of Parliament (the Laws) enacted by the national assembly without reference to and input from the senate as required under the Constitution of Kenya. The High Court has suspended the nullification of the Laws until 29 July 2021 to allow the national assembly to comply with the constitution and regularise the Laws.
The National Computer and Cybercrimes Co-ordination Committee
The National Computer and Cybercrimes Co-ordination Committee administers the Act. Failure to comply with a request for assistance or a related court order is an offence, with penalties of a fine of up to approximately KES5 million or imprisonment for up to three years. Service providers are not liable for the disclosure of any data or other information that they divulge pursuant to a requirement under the Act.
Other than regulators, there are a number of organisations that review the activities of industry participants. Among them are the Kenya Bankers Association, FSD Africa, East Africa Venture Capital Association (EAVCA), and capital market intermediaries such as Cytonn. For instance, in 2018, FSD Africa and EAVCA published the report "Fintrek: Exploring New Frontiers in Fintech Investments in East Africa" on the funding options available for the fintech sector.
However, as reports on the sector are limited, it is difficult to ascertain the industry practice in detail.
Industry participants do offer unregulated as well as regulated products and services. However, these are mainly offered through alternative entities, as most regulated entities, such as banks and capital market intermediaries, are subject to restrictions prohibiting them from engaging in any activity for which they are not licensed.
Among the unregulated services that regulated entities may provide in Kenya, an example is the provision of investment advice to private and sophisticated investors, which is not subject to regulation by the CMA. However, providing investment advice to the public is regulated, and a licensed investment adviser may provide investment advice to both private and public investors.
There are no specific regulations in Kenya relating to robo-advisers. Robo-advisory is regulated by the CMA as general investment advisory. The business models for robo-advisers in Kenya are dependent on the type of licensing obtained from the authority and not the asset classes. For instance, fund managers and investment advisers are licensed as intermediaries that may provide advisory services with respect to any asset classes.
The CMA has admitted a participant to the sandbox to test robo-advisory services in Kenya, with a view to adopting suitable regulations for robo-advisory services.
There do not appear to be any robo-advisers in Kenya (save for the participant admitted to the sandbox referenced in 3.1 Requirement for Different Business Models) or any legacy players that employ solutions from robo-advisers.
No further information is available.
There are no significant differences in the business or regulation of loans to individuals, small businesses and others. The regulation of lending businesses is not based on the type of borrower but on the nature of the lending.
Kenyan law regulates financial businesses that have an element of "deposit-taking business" and requires such businesses to be licensed by the Central Bank of Kenya. Deposit-taking business entails (a) accepting money on deposit, and (b) lending the money at the risk of the person lending the money or financing the activities of one business from such funds. Lending that is part of deposit-taking businesses is regulated. However, lending in itself does not require licensing and is not subject to regulation.
The commonly used underwriting process is the analysis of consumer data using set machine-learning algorithms that make automated decisions on a customer’s credit worthiness and risk.
As this involves data processing, it is regulated under the Data Protection Act. Data subjects have a right not to be subject to automated decision-making unless the processing complies with the applicable legislation.
Lenders who are engaged in deposit-taking businesses such as banks, Sacco societies and microfinance institutions secure funds from:
Lenders who do not engage with deposit-taking institutions primarily source funds from capital raised as either equity or debt from other investors.
Raising funds through equity and debt is only regulated to the extent that the securities are issued to the public under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002.
Raising funds through securitisation is regulated under the Capital Markets (Asset Backed Securities) Regulations, 2007. However, securitisation is not common in Kenya.
There is no specific regulation for syndication of loans in Kenya. The syndication process follows the current industry practice, as follows:
Payment processors may use existing payment rails or create new payment rails. However, a payment processor is required to obtain authorisation as a PSP in order to provide payment services (irrespective of whether the payment service is through an existing or new payment rail).
The National Payment System Act defines a PSP to include a person, company or organisation:
The National Payment System Act regulates the provision of payment services to persons resident in Kenya. Any person outside Kenya who provides payment services in Kenya is a PSP and is subject to the provisions of the Act. PSPs that provide payment services in Kenya on a cross-border basis are required to obtain authorisation from the CBK and comply with the provisions of the National Payment System Act.
The following fund administrators are regulated in Kenya:
Note that a collective investment scheme refers to an investment company, unit trust, mutual fund or other scheme, whether or not established or organised in Kenya, which collects and pools funds from the public or a section of the public for investment.
The Retirement Benefits (Administrators) Regulations, 2007 provide that an administrator must enter into a written agreement with the relevant scheme. Such agreement sets out the specific arrangements for the required administration services and must be entered into prior to the commencement of the provision of administrative services. The agreement should be a service level agreement that clearly sets out all the relevant agreed requirements and acceptable standards for delivery, and stipulates the basis on which the administrator is to be remunerated.
There are no mandatory provisions for contracts with administrators under the Collective Investment Schemes Regulations. However, when engaging a fund administrator, it is prudent to include the statutory functions of the fund administrators as part of their scope of work. Some of the administrative roles of a fund manager under the Collective Investment Schemes Regulations include:
Where a fund manager outsources fund administration functions, they need to ensure that the outsourcing contract complies with the above statutory requirements.
Trading platforms in Kenya can either be:
The regulations provide for the licensing, corporate governance and conduct of business of entities, and the supervision of the markets.
There is currently only one licensed securities exchange in Kenya, the Nairobi Securities Exchange. As at January 2021, there were five licensed online foreign exchange brokers.
Asset classes are generally subject to a similar regulatory regime. However, there are regulations that contain specific provisions for specific asset classes, taking into consideration the differences inherent in the nature of the assets. The following asset classes have different special regulations:
The different regulations prescribe the instruments of ownership and the mode of trading of the assets. Furthermore, they also prescribe the conduct of market intermediaries while dealing in and managing the assets. For instance, the Collective Investment Schemes Regulations provide for the management of collective investment schemes and the conduct of the fund managers, trustees and custodians. The Derivatives Exchange rules provide for the conduct of derivatives brokers and the conduct of trading at the Derivatives Exchange.
Cryptocurrency exchanges are not presently regulated in Kenya. However, Kenya’s securities regulatory regime under the Capital Markets Act, and the subsidiary legislation thereunder, are broadly drafted. For instance, the Act defines a "security" to include "any other instrument" prescribed by the CMA to be a security for the purpose of the Act. This arguably allows the CMA to extend the regulatory purview of the Act by prescribing, for example, virtual currency as a security. Consequently, despite not presently being regulated, if the CMA were to prescribe that virtual currencies are securities under the Capital Markets Act, virtual currency markets would be regulated.
The CBK has issued a warning to the public to the effect that virtual currencies are not legal tender and there is no protection available to persons dealing or trading in them. The CBK does not recognise virtual currency as legal tender and therefore does not regulate it.
Listing requirements for shares and fixed income instruments are provided under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002. These regulations provide for listing requirements in the following market segments:
Securities exchanges are also required to provide their own listing standards that may complement (but not contravene) the standards in the regulations. Consequently, the Nairobi Securities Exchange also prescribes listing standards that are largely similar to the standards in the regulations.
Order handling rules prescribed by the CMA apply. The general order handling rules to be followed by market intermediaries are found in the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 ("Conduct of Business Regulations"). The regulations specify that market intermediaries must:
The Nairobi Securities Exchange has also prescribed order handling rules with respect to the trading of shares, fixed income securities and derivatives. The order handling rules provide for qualification requirements for orders, validity periods for orders, allowable spreads and limits on bids and offers, and the execution and settlement of trades.
Peer-to-peer trading platforms are not yet active, dominant or rising in Kenya. It is therefore difficult to assess the impact such platforms might have on traditional and fintech players, and the regulatory challenges posed.
The Conduct of Business Regulations provide that a market intermediary shall deal for the client on the best terms, timeously and fairly. There are instances where market intermediaries fail to comply with these requirements by:
Any market intermediary that fails to comply with the statutory provisions may be sanctioned by the CMA in any of the ways set out in 2.9 Significant Enforcement Actions.
There are no express rules against payment for order flow. However, the practice may be prohibited to the extent that it contravenes other trading rules, eg, dealing in the best interest of the client, avoiding conflict of interests and fair dealing.
The Conduct of Business Regulations provide the following principles of market integrity governing trading by market intermediaries:
In Kenya, high frequency and algorithmic trading are not regulated.
However, it is advisable for a person who has created and wants to use such technologies to apply to the CMA to be placed in a regulatory sandbox, for purposes of allowing small-scale, live testing of innovations by private firms in a controlled environment.
Generally, no person is entitled to undertake market making unless they have been authorised to operate as such under the Nairobi Securities Exchange Rules and they hold a licence from the CMA, such as a stockbroker’s or dealing licence. Therefore, to the extent that a person engaging in high frequency or algorithmic trading creates demand and supply for securities by way of entry into the automated trading system of bids and offers for the purposes of enhancing liquidity, they will be required to be registered as a market maker with the Nairobi Securities Exchange. This applies whether or not they are acting in a principal capacity and hold a licence from the CMA.
Given that there are no regulations on high frequency or algorithmic trading, there are no distinctions between funds and dealers that engage in these activities.
However, the Capital Markets Act makes a distinction between a dealer and a fund manager. Accordingly, a dealer mainly engages in the business of buying, selling, dealing, trading, underwriting or retailing of securities, except exchange-traded derivatives contracts, whether or not the dealer carries on any other business, whereas a fund manager is defined as a manager of a collective investment scheme, registered venture capital company or an investment adviser who manages a portfolio of securities.
Programmers who develop and create trading algorithms and other electronic tools are not regulated in Kenya.
Financial research platforms are not subject to registration in Kenya. However, to the extent that a financial research platform qualifies as an investment adviser, then it must be licensed by the CMA. An investment adviser is defined as a person who carries on the business of advising others concerning securities, or as part of a regular business, issues or provides analyses or reports concerning securities, or manages a portfolio of securities on behalf of a client.
The spreading of rumours and other unverified information with respect to securities is regulated by the Capital Markets Act. To this end, it is an offence for a person to make any statement which at the time and in light of the circumstances in which it is made, is false or misleading, and which that person knows or ought to have reasonably known is false or misleading in relation to securities. It is also an offence where a person makes a false or misleading statement by omitting a material fact. It is also an offence for a person to create a false or misleading impression of active trading in securities, or the price of dealings in securities traded on the securities market of a securities exchange.
Additionally, the Computer Misuse and Cybercrimes Act makes it an offence for a person to intentionally publish false, misleading or fictitious data or misinformation with the intent that the data shall be considered or acted upon as authentic, with or without financial gain.
In order to avoid pump-and-dump schemes, spreading of false information or other types of unacceptable behaviour, the Capital Markets Act makes it an offence for:
Persons posting on a financial research platform must ensure that the information posted does not breach the law or amount to an offence. Platform owners with editorial capabilities should also ensure that the content posted on their platforms does not amount to an offence as they may be vicariously liable.
The insurance industry participants' underwriting process includes KYC checks and conducting due diligence on insurable interest for the purposes of risk acceptance. The Insurance Regulatory Authority has issued guidelines and regulations on the basic KYC information to be obtained and the minimum rates that can be charged in the market.
The underwriting process differs among different types of insurance. Under the Insurance Act, the funds for life insurance business and non-life insurance business must be completely separate, and a business cannot use funds from life insurance business to settle any claim by a non-life customer. It is the practice that insurance businesses incorporate two companies, one to undertake life insurance and another to undertake non-life insurance. The underwriting processes to be adopted for the two types of insurance may therefore differ by practice.
Regtech providers remain unregulated in Kenya. The uptake of regtech in the Kenyan market is very low, with most financial services firms opting to meet their compliance requirements and returns manually.
As the uptake of regtech in the Kenyan market is very low, there are no established practices on the contractual relationships between regtech providers and financial services firms. Regulations on this have yet to be developed, as the industry is still in its very early days and industry custom is yet to be established. As the regulatory framework of Kenya’s financial services firms is based on self-assessment and reporting, firms still bear all the risks associated with this reporting and as such, may not be able to transfer any liability to regtech providers.
Traditional financial institutions in Kenya have been exploring the possible integration of blockchain (distributed ledger technologies or DLT) to assist them in facilitating payments and creating credit-scoring models. The CBK has indicated that it has received a number of applications from financial institutions seeking approval and licensing of products and services linked to blockchain technology.
No legislative or regulatory proposals have as yet been published with respect to blockchain in Kenya. However, industry players such as the CBK and the Communications Authority are said to be working on regulations relating to blockchain, cryptocurrencies and forex online trading.
Although Kenya does not presently have a regulatory regime for blockchain or blockchain assets, the CBK has indicated that there is a need to create a robust regulatory framework for cryptocurrencies, since they can have an impact on financial stability and may carry inherent risks.
Although Kenya does not have a regulatory regime for blockchain, the CMA has previously issued a cautionary notice (in January 2019) warning investors against participating in Initial Coin Offerings (ICOs). The CMA view is that ICOs form part of regulated activities as they amount to raising capital from the public, but they have not yet been approved in Kenya.
Kenya does not currently have a regulatory regime for blockchain, including blockchain asset trading platforms.
No specific regulatory requirements on investments by funds in blockchain assets apply in Kenya. However, regulated funds in Kenya will need to adhere to any prudential requirements and investment restrictions under the existing regulatory regimes. Noting the warning from the CBK and the CMA to their licensees against dealings in cryptocurrencies and crypto-assets, most funds are likely to shy away from investing in these assets.
Kenya does not presently have a regulatory regime for blockchain assets, including cryptocurrencies or any other form of virtual currencies. However, the CBK and the CMA have warned persons under their regulations against dealings in cryptocurrencies and crypto-assets.
At this point in time, Kenya does not have a regulatory regime for "DeFi" (decentralised finance).
Kenya is yet to publish any specific regulations or standards for open banking infrastructure and practice. The sharing of consumer data and related personally identifiable financial data by any service provider and participating bank will be subject to the provisions of the Data Protection Act. The Act is the primary legislation on data protection and privacy that regulates the processing of personal data, provides for the rights of data subjects, and prescribes the obligations of data controllers and data processors.
Notwithstanding the lack of open banking-specific regulation, the collection and processing (including data sharing) of personal data by banks and technology providers is subject to the provisions of the Data Protection Act. To comply, banks and technology providers are developing data processing policies that meet the requirements under the Act and that govern their operations. There has also been an increased trend towards appointing data protection officers to monitor and ensure organisational compliance with the requirements under the Act.