The 2020 Findexable Global Fintech Rankings report placed Kenya number 63 in the global top 100 rankings of the world’s leading fintech hub countries in Africa. In terms of African cities, Nairobi was ranked the second largest fintech city hub in Africa. These rankings can be attributed to the presence of an estimated 20% of African fintechs in Nairobi, an emerging ecosystem of local investors, an enabling human resource environment, increased mobile phone penetration and growing interest from global technology firms. 

The key driver of the fintech revolution in Kenya has been the collaboration between technology providers, traditional financial institutions, fintech start-ups and regulators, sustained market demand and an open-minded appetite for these types of solutions, and an enabling regulatory framework. Increasingly, partnerships are being formed and integration is occurring between Mobile Network Operators (MNOs) offering mobile money services and traditional financial institutions such as commercial banks. The most popular services being offered as a result of these partnerships are payment solutions, money transfer and access to credit. In this way, commercial banks are able to reach the MNOs’ extensive customer bases while the MNOs benefit by increasing the number of services they offer. 

There has also been significant growth in digital credit products that use credit-scoring algorithms and provide credit through mobile payment systems. The existence of mobile payment technologies has been a key growth factor for digital credit as these provide a channel for digital credit providers to transfer funds to borrowers and for borrowers to repay the borrowed amounts. The credit transactions are conducted over both the digital credit mobile applications or USSD platforms and mobile payment systems.

The COVID-19 pandemic has created opportunities for the development of fintech products and services, and has fuelled increased use of fintech solutions. For instance, on 16 March 2020, the Central Bank of Kenya (CBK) announced emergency measures to facilitate greater use of mobile money transactions instead of cash. Furthermore, the COVID-19 pandemic has stimulated e-commerce business, which has also led to an increase in the use of electronic payment methods.

As the mainstream use of fintech gains traction in Kenya, commercial enterprises and government entities are exploring the adoption of fintech to promote their efficiency and improve service delivery. 

Three predominant fintech business models emerged in Kenya in 2020, namely digital banking, payment gateways and insurtech.

Digital Banking

Most banks in Kenya have adopted digital platforms to provide their products and services. Customers are able to access their bank accounts, view their account information and statements, transfer funds, carry out foreign exchange transactions and pay utility bills, among others. Certain banks have partnered with MNOs to provide mobile banking services, thereby allowing customers to access their accounts through their phones and to deposit and withdraw funds from their accounts through mobile money wallets.

Payment Gateways

Payment gateways are MNO platforms that facilitate payment for goods and services by customers to merchants or between merchants. The platforms provide integrated payment systems between merchants, banks and other MNOs. The most popular payment gateway in Kenya is MPESA which is owned by Safaricom. Banks also have partnerships with credit card providers, such as Mastercard and Visa, who have also facilitated electronic payments.

Insurtech

Insurance companies have also increasingly adopted online platforms through which customers can view their policy details and premium statements, report and track claims, make service requests and view service providers, among others. Other intermediaries in the insurance business are adopting digital platforms to link insurance companies, customers, agents and other intermediaries. 

There is no separate regime for the regulation of fintech in Kenya, so fintech products and services fall under the existing financial services regulatory framework. Currently, most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered. That said, legislation is being amended to expand the jurisdiction of the CBK to include fintech actors, such as digital credit and financial services providers. 

The main regulators of the financial services industry are the CBK, the Capital Markets Authority (CMA) and the Insurance Regulatory Authority. Other regulators that play a role in regulating specific segments of the market or activities relating to it are the Retirement Benefits Authority, the Sacco Societies Regulatory Authority and the Competition Authority of Kenya. Their respective mandates are governed by the following legislation.

• Capital Markets Act, Chapter 485A (and the regulations thereunder), empowering the CMA to regulate the capital markets and all public issuers of securities. 
• Banking Act (Chapter 488), which regulates banks and banking business in Kenya.
• Central Bank of Kenya Act (Chapter 491), which establishes the CBK and provides for the supervision of banks and foreign exchange businesses. There is a proposed Central Bank Amendment Bill, 2020 which, if enacted in its current form, would expand the CBK’s regulatory jurisdiction over digital financial products and services, digital credit service providers, providers of financial products and the conduct of financial services. 
• The National Payment System Act No 39 of 2011 (and regulations), which provides for the authorisation and regulation of payment services and payment service providers (PSPs). 
• The Insurance Act Chapter 487 (and regulations) which establishes the Insurance Regulatory Authority (IRA) and provides for the regulation of insurance services, insurers and insurance intermediaries.
• The Retirement Benefits Act No 3 of 1997 (and regulations), which establishes the Retirement Benefits Authority (RBA) and provides for the regulation of retirement benefit schemes. 
• The Consumer Protection Act No 46 of 2012 (and regulations), which provides for the protection of consumers, and restrictions against unfair trade practices in consumer transactions.
• The Microfinance Act No 19 of 2006, which provides for the licensing and regulation of microfinance institutions. 
• The Savings and Credit Cooperative (Sacco) Societies Act No 14 of 2008, which establishes the Sacco Societies Regulatory Authority and provides for the registration and regulation of Sacco Societies. 
• The Competition Act (and regulations), which establishes the Competition Authority of Kenya (CAK), regulates competition and provides for consumer protection from unfair and misleading market practices. 
• The Kenya Information and Communications Act No 2 of 1998 (and regulations) which establishes the Communications Authority of Kenya and regulates the information and communications sector (including broadcasting, multimedia, telecommunications and postal services). 

Several regulators have also issued guidelines, circulars and directives on the application and interpretation of the statutes.

There are no specific provisions on the permissible compensation that industry participants may charge their customers. However, certain general provisions apply to specific players, for instance:

• lenders are prohibited from charging borrowers default interest or prepayment penalties; 
• lenders, insurers, and capital market intermediaries (brokers, investment advisers, fund managers and dealers) and payment service providers are required, prior to transactions, to disclose the full charges for their services, such as fees, interest rate, penalties, premiums, etc (a borrower is not liable to pay any costs that have not been disclosed); and 
• payment providers are required to notify the CBK of any material changes to their charges.

Most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered. For the most part, new players would partner with legacy players to ensure compliance. However, there are other players who apply for their own licences, especially in the payment services sector. There have, however, been efforts by the regulators and parliament to update the regulations to cover technological developments,eg, as with the Central Bank of Kenya Amendment Bill. 

The CMA established a regulatory sandbox to accelerate its understanding of emerging technologies and to facilitate the deepening and broadening of Kenya’s capital markets. The sandbox is a platform that will allow testing of innovative products, solutions and services that have the potential to enhance Kenya’s capital markets.

In March 2019, the CMA released the Regulatory Sandbox Policy Guidance Note, which provides a framework for the operation of the sandbox. 

The sandbox is available to entities that are either incorporated in Kenya or licensed by a securities market regulator in an equivalent jurisdiction; with the intention to offer an innovative product, solution or service in Kenya.

Once the CMA has approved an application to participate in the sandbox, together with the applicant’s testing plan, the applicant can proceed with testing the product or service in Kenya. The CMA may, during the testing period, require modifications to be made to the testing plan. During the testing period, the applicants are required to submit interim reports on the progress of the tests and comply with other requirements from the regulator, including safeguard mechanisms. 

Once the testing period is complete, the CMA may either license and grant the participant permission to operate in Kenya, or deny and reject the participant’s licence request. 

Currently, the CMA has accepted seven applications for participation in the sandbox, including:

• FourFront Management Limited, providing robo-advisory services;
• Pyypl Group Limited, which is a blockchain-based platform for issuance of debentures (unsecured bonds);
• Belrium Kenya Limited, which is blockchain-based and offers shareable Know Your Customer (e-KYC) solutions for capital markets intermediaries and investors;
• Central Depository and Settlement Corporation (CDSC), which offers a screen-based Securities Lending and Borrowing (SLB) platform;
• Innova Limited, a cloud-based data analytics platform designed for use by investors, fund managers, custodian banks, actuaries, pension administrators and regulators; and
• Pezesha Africa Limited, an internet-based crowd-funding platform through which investors can provide loan facilities structured as loan notes (debentures) for small and medium enterprises (SMEs).

On 12 October 2020, the CMA granted a "No Objection" letter to Pezesha Africa Limited to operate its debt-based crowd-funding platform in the Kenyan capital markets, after a successful one-year testing period. 

Where more than one regulator has jurisdiction over an industry participant, each regulator only regulates the participant to the extent that they fall within their jurisdiction. For example, listed banks are regulated by the CBK and the CMA, each of which limits their regulation to the scope of their respective legislative mandates. See the specific mandates of the regulators in 2.3 Compensation Models. 

It is, however, expected that such regulators would adopt a collaborative approach. For instance, the CMA has indicated that discussions are underway towards establishing a multi-sector regulatory sandbox to address developments such as cryptocurrency and evolving payment technologies, which are related to, but are not the sole province of, capital markets.

Although regulated functions can be outsourced, outsourcing is subject to various restrictions in most sectors. For instance, the Central Bank of Kenya’s Prudential Guidelines (Guideline on Outsourcing CBK/PG/16) prohibit banks from outsourcing core functions such as corporate planning and management and control. Furthermore, the guidelines provide that any outsourcing of any material activity such as IT, market research and internal auditing should be approved by the CBK. These guidelines were issued in 2013 and have yet to be updated to reflect the current sector developments.

The guidelines provide for mandatory contractual requirements such as:

• a clear description of the outsourced activities;
• the regulated entity’s supervision mandate of the outsourced activities; 
• CBK’s right to supervise and inspect the third party’s performance of the outsourced activities;
• contingency plans to ensure business continuity; and 
• details of the pricing and fee structure.

The National Payment System Regulations, 2014 provide that a payment service provider (PSP) may outsource operational functions. However, it cannot outsource material operational functions. A material function is one that, if a defect or performance failure were to occur, would materially impair the PSP’s continuing compliance with the requirements of its licence, financial performance and soundness or continuity. 

A PSP is required to notify the Central Bank of Kenya of proposed outsourcing 30 days prior to the outsourcing arrangement taking effect. 

The Capital Markets (Corporate Governance) (Market Intermediaries) Regulations, 2011 provide that, where market intermediaries contract third parties to undertake any functions on their behalf, they must ensure that:

• there is a contract describing the services; and 
• details of the third parties are provided, including details of the qualifications and experience of their employees. 

These Regulations further clarify that outsourcing does not diminish the regulated entities’ liability with respect to their obligations.

From a regulatory perspective, it is much easier for market entrants to collaborate with existing licensed institutions and provide their products or services as outsourced functions, for instance, as this minimises the regulatory oversight and burden on them. 

Currently there are no specific regulations on the responsibility of fintech providers over their platforms. This responsibility and liability are mainly established contractually. Where such providers are subject to indirect regulatory oversight, eg, as third-party vendors, the responsibility may be implied through the requirement to comply with regulatory standards.

The main regulatory enforcement actions across the verticals are: 

• monetary penalties subject to the regulator’s discretion;
• prohibition from continuing operations;
• suspension or revocation of licences; 
• termination of the employment of an officer; 
• prohibition from opening branches or limiting an entity’s activities; and 
• disqualification of directors from holding office in other licensed institutions. 

Regulators may also institute court proceedings against regulated entities and/or their employees for committing offences under the statutes. On conviction, the courts may impose fines or prison terms for the relevant officers. The term of imprisonment or the amount of the fines varies under different regimes and depends on the nature of the offence committed.

The Data Protection Act

The Data Protection Act, 2019 regulates the processing of personal data of data subjects who are resident in Kenya, by data controllers and data processors. The Act regulates the processing of personal data, provides for the rights of data subjects and prescribes the obligations of data controllers and data processors. Kenya recently appointed its first Data Commissioner, who is currently setting up the Office of the Data Commissioner, as mandated by the Data Protection Act. 

On 15 January 2021, the cabinet secretary in charge of ICT established a Taskforce for the Development of the Data Protection (General) Regulations. This task force is expected to propose regulations that will provide clarity to certain provisions of the Act.

Under the Data Protection Act, the Data Commissioner may cancel the registration of a data controller or data processor that, without any lawful reason, fails to comply with the Act. It further provides that a data subject is entitled to compensation from a data controller or processor where the subject suffers damage by reason of contravention of the Act. 

The Data Commissioner also has the power to serve an enforcement notice on a data controller or processor to take certain steps within a specified period to be in compliance with the law, and may issue penalty notices requiring the payment of certain amounts specified in the notice if the enforcement notice is not honoured.

A person who commits an offence under the Data Protection Act for which no specific penalty is provided, or who otherwise contravenes the provisions of the Act, is liable on conviction to a fine not exceeding KES3 million or to an imprisonment term not exceeding 10 years, or both.

The Computer Misuse and Cybercrimes Act

The Computer Misuse and Cybercrimes Act is also pertinent. Among other aims, it seeks to protect the confidentiality, integrity and availability of computer systems, programs and data, and to facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes. This Act requires service providers to assist in investigating offences, such as by collecting and providing data. A service provider is defined as a public or private entity whose services provide users with the means to communicate by use of a computer system, as well as any other entity that processes or stores computer data on behalf of that entity or its users.

The penalties for offences under the Computer Misuse and Cybercrimes Act range from fines of approximately KES100,000 to KES20 million and/or imprisonment terms of between three and 20 years. The Act provides for enhanced penalties where these offences are committed with respect to protected computer systems. These include systems for the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems, and instruments.

Readers should note that the Computer Misuse and Cybercrimes Act was ruled unconstitutional on 29 October 2020, following a ruling by the High Court which nullified 23 Acts of Parliament (the Laws) enacted by the national assembly without reference to and input from the senate as required under the Constitution of Kenya. The High Court has suspended the nullification of the Laws until 29 July 2021 to allow the national assembly to comply with the constitution and regularise the Laws. 

The National Computer and Cybercrimes Co-ordination Committee

The National Computer and Cybercrimes Co-ordination Committee administers the Act. Failure to comply with a request for assistance or a related court order is an offence, with penalties of a fine of up to approximately KES5 million or imprisonment for up to three years. Service providers are not liable for the disclosure of any data or other information that they divulge pursuant to a requirement under the Act.

Other than regulators, there are a number of organisations that review the activities of industry participants. Among them are the Kenya Bankers Association, FSD Africa, East Africa Venture Capital Association (EAVCA), and capital market intermediaries such as Cytonn. For instance in 2018, FSD Africa and EAVCA published the report "Fintrek: Exploring New Frontiers in Fintech Investments in East Africa" on the funding options available for the fintech sector. 

However, as reports on the sector are limited, it is difficult to ascertain the industry practice in detail. 

Industry participants do offer unregulated as well as regulated products and services. However, these are mainly offered through alternative entities, as most regulated entities, such as banks and capital market intermediaries, are subject to restrictions prohibiting them from engaging in any activity for which they are not licensed. 

Among the unregulated services that regulated entities may provide in Kenya, an example is the provision of investment advice to private and sophisticated investors, which is not subject to regulation by the CMA. However, providing investment advice to the public is regulated, and a licensed investment adviser may provide investment advice to both private and public investors.

There are no specific regulations in Kenya relating to robo-advisers. Robo-advisory is regulated by the CMA as general investment advisory. The business models for robo-advisers in Kenya are dependent on the type of licensing obtained from the authority and not the asset classes. For instance, fund managers and investment advisers are licensed as intermediaries that may provide advisory services with respect to any asset classes.  

The CMA has admitted a participant to the sandbox to test robo-advisory services in Kenya, with a view to adopting suitable regulations for robo–advisory services. 

There do not appear to be any robo-advisers in Kenya (save for the participant admitted to the sandbox referenced in 3.1 Requirement for Different Business Models) or any legacy players that employ solutions from robo-advisers. 

No further information is available. 

There are no significant differences in the business or regulation of loans to individuals, small businesses and others. The regulation of lending businesses is not based on the type of borrower but on the nature of the lending.  

Kenyan law regulates financial businesses that have an element of "deposit-taking business" and requires such businesses to be licensed by the Central Bank of Kenya. Deposit-taking business entails (a) accepting money on deposit, and (b) lending the money at the risk of the person lending the money or financing the activities of one business from such funds. Lending that is part of deposit-taking businesses is regulated. However, lending in itself does not require licensing and is not subject to regulation. 

The commonly used underwriting process is the analysis of consumer data using set machine-learning algorithms that make automated decisions on a customer’s credit worthiness and risk.  

As this involves data processing, it is regulated under the Data Protection Act. Data subjects have a right not to be subject to automated decision-making unless the processing complies with the applicable legislation.  

Lenders who are engaged in deposit-taking businesses such as banks, Sacco societies and microfinance institutions secure funds from: 

• the public, in the case of licensed banks, microfinance institutions and Sacco societies (only these entities can take deposits from the public and utilise the same for loans as this is deposit-taking business which is regulated under the Banking Act, the Microfinance Act and the Sacco Societies Act); 
• capital from shareholders and other investors, such as direct foreign investors; and  
• loans from other institutions, eg, other banks.  

Lenders who do not engage with deposit-taking institutions primarily source funds from capital raised as either equity or debt from other investors. 

Raising funds through equity and debt is only regulated to the extent that the securities are issued to the public under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002. 

Raising funds through securitisation is regulated under the Capital Markets (Asset Backed Securities) Regulations, 2007. However, securitisation is not common in Kenya.  

There is no specific regulation for syndication of loans in Kenya. The syndication process follows the current industry practice, as follows:  

• an arranger is appointed; 
• the borrower and the arranger agree on the syndication strategy; 
• the arranger prepares the information memorandum which is circulated to lenders that are interested in participating in the syndication; 
• the lenders who agree to participate in the syndicate agree on their commitments and negotiate the finance deal;  
• the finance documentation, including the loan agreement and the security documents, is prepared, negotiated and executed by the borrower, lenders and other parties that may be involved, such as guarantors, security trustees and hedge providers, among others; 
• the borrower satisfies the precedent conditions set out in the facility agreement; and 
• upon satisfaction of the precedent conditions, the lenders disburse the funds to the borrower, including the fees payable to the arranger, facility agent, security agent, etc.  

Payment processors may use existing payment rails or create new payment rails. However, a payment processor is required to obtain authorisation as a PSP in order to provide payment services (irrespective of whether the payment service is through an existing or new payment rail.) 

The National Payment System Act defines a PSP to include a person, company or organisation: 

• acting as provider in relation to sending, receiving, storing or processing of payments or the provision of other services in relation to payment services through any electronic system; 
• that owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or 
• that processes or stores data on behalf of such PSPs or users of such payment services. 

The National Payment System Act regulates the provision of payment services to persons resident in Kenya. Any person outside Kenya who provides payment services in Kenya is a PSP and is subject to the provisions of the Act. PSPs that provide payment services in Kenya on a cross-border basis are required to obtain authorisation from the CBK and comply with the provisions of the National Payment System Act.  

The following fund administrators are regulated in Kenya: 

• fund administrators for retirement benefit schemes that are regulated under the Retirement Benefits Act; and 
• fund managers for collective investment schemes that are regulated under the Capital Markets (Collective Investment Schemes) Regulations, 2001 (the Collective Investment Schemes Regulations), which require that fund managers be administrators of the collective schemes they manage; however, there is no restriction against the fund managers outsourcing the administrative functions of the fund. 

Note that a collective investment scheme refers to an investment company, unit trust, mutual fund or other scheme, whether or not established or organised in Kenya, which collects and pools funds from the public or a section of the public for investment. 

The Retirement Benefits (Administrators) Regulations, 2007 provide that an administrator must enter into a written agreement with the relevant scheme. Such agreement sets out the specific arrangements for the required administration services and must be entered into prior to the commencement of the provision of administrative services. The agreement should be a service level agreement that clearly sets out all the relevant agreed requirements and acceptable standards for delivery, and stipulates the basis on which the administrator is to be remunerated. 

There are no mandatory provisions for contracts with administrators under the Collective Investment Schemes Regulations. However, when engaging a fund administrator, it is prudent to include the statutory functions of the fund administrators as part of their scope of work. Some of the administrative roles of a fund manager under the Collective Investment Schemes Regulations include: 

• preparing and timeously dispatching all cheques, warrants, notices, accounts, summaries, etc; 
• making records and books of accounts available for inspection by directors, trustees and auditors; and  
• publishing the price of the shares daily in local newspapers.  

Where a fund manager outsources fund administration functions, they need to ensure that the outsourcing contract complies with the above statutory requirements. 

Trading platforms in Kenya can either be: 

• licensed securities exchanges for shares, bonds, commodities and derivatives which are regulated by the CMA under:
1. the Capital Markets (Licensing Requirements) (General) Regulations, 2002; 
2. the Capital Markets (Coffee Exchange) Regulations, 2020;  
3. the Capital Markets (Derivatives Markets) Regulations, 2015; or
• trading platforms which are accessible through licensed dealing or non-dealing online foreign exchange brokers for foreign exchange trading (this includes trading in contracts for differences based on a foreign underlying asset; these brokers are regulated by the CMA under the Capital Markets (Online Foreign Exchange Trading) Regulations, 2017). 

The regulations provide for the licensing, corporate governance and conduct of business of entities, and the supervision of the markets.  

There is currently only one licensed securities exchange in Kenya, the Nairobi Securities Exchange. As at January 2021, there were five licensed online foreign exchange brokers.   

Asset classes are generally subject to a similar regulatory regime. However, there are regulations that contain specific provisions for specific asset classes, taking into consideration the differences inherent in the nature of the assets. The following asset classes have different special regulations: 

• derivatives; 
• forex trading and contracts for difference; 
• asset-backed securities; 
• commodities; 
• units in collective investment schemes such as money market funds, unit trusts and real estate investment trusts; and 
• repurchase agreements. 

The different regulations prescribe the instruments of ownership and the mode of trading of the assets. Furthermore, they also prescribe the conduct of market intermediaries while dealing in and managing the assets. For instance, the Collective Investment Schemes Regulations provide for the management of collective investment schemes and the conduct of the fund managers, trustees and custodians. The Derivatives Exchange rules provide for the conduct of derivatives brokers and the conduct of trading at the Derivatives Exchange.  

Cryptocurrency exchanges are not presently regulated in Kenya. However, Kenya’s securities regulatory regime under the Capital Markets Act, and the subsidiary legislation thereunder, are broadly drafted. For instance, the Act defines a "security" to include "any other instrument" prescribed by the CMA to be a security for the purpose of the Act. This arguably allows the CMA to extend the regulatory purview of the Act by prescribing, for example, virtual currency as a security. Consequently, despite not presently being regulated, if the CMA were to prescribe that virtual currencies are securities under the Capital Markets Act, virtual currency markets would be regulated. 

The CBK has issued a warning to the public to the effect that virtual currencies are not legal tender and there is no protection available to persons dealing or trading in them. The CBK does not recognise virtual currency as legal tender and therefore does not regulate it. 

Listing requirements for shares and fixed income instruments are provided under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002. These regulations provide for listing requirements in the following market segments: 

• the Main Investment Market Segment; 
• the Alternative Investment Market Segment; 
• the Fixed Income Securities Market Segment; and 
• the Growth Enterprises Market Segment. 

Securities exchanges are also required to provide their own listing standards that may complement (but not contravene) the standards in the regulations. Consequently, the Nairobi Securities Exchange also prescribes listing standards that are largely similar to the standards in the regulations. 

Order handling rules prescribed by the CMA apply. The general order handling rules to be followed by market intermediaries are found in the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 ("Conduct of Business Regulations"). The regulations specify that market intermediaries must: 

• not execute an order unless the client has made sufficient arrangements for the necessary funds or securities; 
• execute client orders in the chronological sequence in which the orders were received and give priority to outstanding orders; 
• deal for a client on the best terms available for the client; 
• ensure that transactions it executes are allocated to the clients who gave the orders in a timely and equitable manner; and
• where a market intermediary has aggregated an order for a client’s transaction with an order for its own account transaction, or with an order for another client’s transaction, not give unfair preference to itself or to any of the clients, and give priority to satisfying orders for client transactions, if all orders cannot be satisfied. 

The Nairobi Securities Exchange has also prescribed order handling rules with respect to the trading of shares, fixed income securities and derivatives. The order handling rules provide for qualification requirements for orders, validity periods for orders, allowable spreads and limits on bids and offers, and the execution and settlement of trades. 

Peer-to-peer trading platforms are not yet active, dominant or rising in Kenya. It is therefore difficult to assess the impact such platforms might have on traditional and fintech players, and the regulatory challenges posed. 

The Conduct of Business Regulations provide that a market intermediary shall deal for the client on the best terms, timeously and fairly. There are instances where market intermediaries fail to comply with these requirements by: 

• failing to execute client instructions; 
• churning, ie, dealing in circumstances that could reasonably be considered as too frequent or too large, having regard to the trading activities, investment objectives, size and operations of such clients, mainly for the purpose of creating hefty commissions for the market intermediary; 
• front running; 
• insider dealing; and  
• executing unauthorised transactions. 

Any market intermediary that fails to comply with the statutory provisions may be sanctioned by the CMA in any of the ways set out in 2.9 Significant Enforcement Actions.  

There are no express rules against payment for order flow. However, the practice may be prohibited to the extent that it contravenes other trading rules, eg, dealing in the best interest of the client, avoiding conflict of interests and fair dealing.  

The Conduct of Business Regulations provide the following principles of market integrity governing trading by market intermediaries: 

• independence – when advising or acting on behalf of a client, an intermediary must ensure that it maintains its independence and impartiality;  
• fair dealing; 
• fair and clear communications – intermediaries are required to communicate clearly to the client and disclose relevant information, such as the risks of a transaction and the charge for services; 
• conflict of interest – a market intermediary is required to avoid any conflict of interest between itself and a client and where such a conflict exists, decline to act, or if it considers that the conflict can be managed, disclose it to the client and follow the policies developed to minimise damage to the client and to put the client’s interests ahead of its own; 
• confidentiality – an intermediary must keep all the information in its possession relating to a client confidential, whether obtained from the client or third parties; 
• not to front-run, churn or participate in insider dealing; and  
• not to use client funds without the client’s instructions. 

In Kenya, high frequency and algorithmic trading are not regulated.  

However, it is advisable for a person who has created and wants to use such technologies to apply to the CMA to be placed in a regulatory sandbox, for purposes of allowing small-scale, live testing of innovations by private firms in a controlled environment. 

Generally, no person is entitled to undertake market making unless they have been authorised to operate as such under the Nairobi Securities Exchange Rules and they hold a licence from the CMA, such as a stockbroker’s or dealing licence. Therefore, to the extent that a person engaging in high frequency or algorithmic trading creates demand and supply for securities by way of entry into the automated trading system of bids and offers for the purposes of enhancing liquidity, they will be required to be registered as a market maker with the Nairobi Securities Exchange. This applies whether or not they are acting in a principal capacity and hold a licence from the CMA.   

Given that there are no regulations on high frequency or algorithmic trading, there are no distinctions between funds and dealers that engage in these activities.  

However, the Capital Markets Act makes a distinction between a dealer and a fund manager. Accordingly, a dealer mainly engages in the business of buying, selling, dealing, trading, underwriting or retailing of securities, except exchange-traded derivatives contracts, whether or not the dealer carries on any other business. Whereas a fund manager is defined as a manager of a collective investment scheme, registered venture capital company or an investment adviser who manages a portfolio of securities.  

Programmers who develop and create trading algorithms and other electronic tools are not regulated in Kenya. 

Financial research platforms are not subject to registration in Kenya. However, to the extent that a financial research platform qualifies as an investment adviser, then it must be licensed by the CMA. An investment adviser is defined as a person who carries on the business of advising others concerning securities, or as part of a regular business, issues or provides analyses or reports concerning securities, or manages a portfolio of securities on behalf of a client. 

The spreading of rumours and other unverified information with respect to securities is regulated by the Capital Markets Act. To this end, it is an offence for a person to make any statement which at the time and in light of the circumstances in which it is made, is false or misleading, and which that person knows or ought to have reasonably known is false or misleading in relation to securities. It is also an offence where a person makes a false or misleading statement by omitting a material fact. It is also an offence for a person to create a false or misleading impression of active trading in securities, or the price of dealings in securities traded on the securities market of a securities exchange. 

Additionally, the Computer Misuse and Cybercrimes Act makes it an offence for a person to intentionally publish false, misleading or fictitious data or misinformation with the intent that the data shall be considered or acted upon as authentic, with or without financial gain. 

In order to avoid pump-and-dump schemes, spreading of false information or other types of unacceptable behaviour, the Capital Markets Act makes it an offence for:

• a person to do anything which is intended or is likely to create a false or misleading impression of active trading in securities or with respect to the market for, or the price for, dealings in securities traded on the securities market of a securities exchange; and 
• a person to induce or attempt to induce another person to subscribe for, sell or purchase securities by making or publishing statements, promises or forecasts that are false, misleading or deceptive; or by concealing material facts; or by recording or storing on any device information that is false or misleading.  

Persons posting on a financial research platform must ensure that the information posted does not breach the law or amount to an offence. Platform owners with editorial capabilities should also ensure that the content posted on their platforms does not amount to an offence as they may be vicariously liable.  

The insurance industry participants' underwriting process includes KYC checks and conducting due diligence on insurable interest for the purposes of risk acceptance. The Insurance Regulatory Authority has issued guidelines and regulations on the basic KYC information to be obtained and the minimum rates that can be charged in the market.  

The underwriting process differs among different types of insurance. Under the Insurance Act, the funds for life insurance business and non-life insurance business must be completely separate, and a business cannot use funds from life insurance business to settle any claim by a non-life customer. It is the practice that insurance businesses incorporate two companies, one to undertake life insurance and another to undertake non-life insurance. The underwriting processes to be adopted for the two types of insurance may therefore differ by practice.  

Regtech providers remain unregulated in Kenya. The uptake of regtech in the Kenyan market is very low, with most financial services firms opting to meet their compliance requirements and returns manually.   

As the uptake of regtech in the Kenyan market is very low, there are no established practices on the contractual relationships between regtech providers and financial services firms. Regulations on this have yet to be developed, as the industry is still in its very early days and industry custom is yet to be established. As the regulatory framework of Kenya’s financial services firms is based on self-assessment and reporting, firms still bear all the risks associated with this reporting and as such, may not be able to transfer any liability to regtech providers.  

Traditional financial institutions in Kenya have been exploring the possible integration of blockchain (distributed ledger technologies or DLT) to assist them in facilitating payments and creating credit-scoring models. The CBK has indicated that it has received a number of applications from financial institutions seeking approval and licensing of products and services linked to blockchain technology. 

No legislative or regulatory proposals have as yet been published with respect to blockchain in Kenya. However, industry players such as the CBK and the Communications Authority are said to be working on regulations relating to blockchain, cryptocurrencies and forex online trading.  

Although Kenya does not presently have a regulatory regime for blockchain or blockchain assets, the CBK has indicated that there is a need to create a robust regulatory framework for cryptocurrencies, since they can have an impact on financial stability and may carry inherent risks. 

Although Kenya does not have a regulatory regime for blockchain. the CMA has previously issued a cautionary notice (in January 2019) warning investors against participating in Initial Coin Offerings (ICOs). The CMA view is that ICOs form part of regulated activities as they amount to raising capital from the public, but they have not yet been approved in Kenya.  

Kenya does not currently have a regulatory regime for blockchain, including blockchain asset trading platforms. 

No specific regulatory requirements on investments by funds in blockchain assets apply in Kenya. However, regulated funds in Kenya will need to adhere to any prudential requirements and investment restrictions under the existing regulatory regimes. Noting the warning from the CBK and the CMA to their licensees against dealings in cryptocurrencies and crypto-assets, most funds are likely to shy away from investing in these assets.  

Kenya does not presently have a regulatory regime for blockchain assets, including cryptocurrencies or any other form of virtual currencies. However, the CBK and the CMA have warned persons under their regulations against dealings in cryptocurrencies and crypto-assets. 

At this point in time, Kenya does not have a regulatory regime for "DeFi" (decentralised finance).

Kenya is yet to publish any specific regulations or standards for open banking infrastructure and practice. The sharing of consumer data and related personally identifiable financial data by any service provider and participating bank will be subject to the provisions of the Data Protection Act. The Act is the primary legislation on data protection and privacy that regulates the processing of personal data, provides for the rights of data subjects, and prescribes the obligations of data controllers and data processors. 

Notwithstanding the lack of open banking-specific regulation, the collection and processing (including data sharing) of personal data by banks and technology providers is subject to the provisions of the Data Protection Act. To comply, banks and technology providers are developing data processing policies that meet the requirements under the Act and that govern their operations. There has also been an increased trend towards appointing data protection officers to monitor and ensure organisational compliance with the requirements under the Act.