Kenya's position as an African fintech powerhouse is undeniable. According to Disrupt Africa's African Tech Startups Funding Report 2023, roughly 15% of Africa's fintechs call Kenya home, attracting approximately USD174 million in funding over the last 24 months. This robust investment underscores the market's growth and potential, largely concentrated in fintechs operating within the payments and remittances, digital lending and business administration sectors.

Key Developments in the Past 12 Months

Key developments shaping the Kenyan fintech landscape over the last 12 months include the following.

The rise of digital banks/neobanks

Fully digital banks have emerged, offering account opening, savings products and lending options wholly through a software or digital application. In early 2023, the Central Bank of Kenya (CBK) issued a regulatory approval for Fingo Africa to roll out its services in Kenya, in partnership with Ecobank International.

Growth of digital lending

The growth of digital lending in Kenya is commendable, with the CBK licensing over 51 digital credit providers. These lenders address traditional banking gaps by using data analytics and alternative credit scoring models to provide faster, more accessible loans to individuals and small businesses. However, the CBK's slow licensing process, evidenced by over 200 pending applications, creates an uncertain operating environment for unlicensed digital credit providers.

Taxation of digital assets

The Finance Act of 2023 introduced a 3% tax on income earned from the transfer or exchange of digital assets, including cryptocurrencies and non-fungible tokens (NFTs). The owners of a platform or any person who facilitates the exchange or transfer of a digital asset is now responsible for withholding the digital asset tax and filing returns.

Looking Forward: the Regulatory Spotlight

The next 12 months are likely to see an increased effort to regulate various components of the fintech market.

The Capital Markets (Amendment) Bill 2023 (CMA Bill) demonstrates the government's intention to regulate digital assets. It proposes that individuals who plan to introduce a new cryptocurrency product must obtain a licence from the Capital Markets Authority (CMA). To obtain this licence, the following criteria must be met:

• the cryptocurrency product must have been subjected to a product development period of not less than two years; and
• the product must have been subject to a product test on a customer base of not less than 10,000 customers.

The predominant business models in the Kenyan fintech market relate to digital banking, digital lending and payment services.

Digital Banking

Kenyan banks and microfinance institutions typically use digital platforms to provide services and products to their customers. As such, customers can open bank accounts, access and view their account information and undertake transactions (such as funds transfers and bill payments) through mobile phones or other digital devices.

Digital Lending

Digital credit providers (DCP) are entities that provide credit facilities or loan services to borrowers through a digital channel. DCPs typically provide small, short-term loans to individuals and businesses, disbursed directly to borrowers' mobile money accounts. Repayment is equally seamless, with options to use mobile apps or simple USSD codes.

However, it useful to note that the CBK and the Kenyan courts have a broad interpretation of what constitutes a DCP. In the 2022 case of Association of Micro-Finance Institutions Kenya (AMFIK) v The Central Bank of Kenya & 3 others, the High Court of Kenya held that a DCP includes any entity that uses digital platforms as even one part of their lending process.

Payment Services

Payment services encompass the systems and processes that facilitate financial transactions. These services cover interactions between businesses, businesses and their customers, and even individual consumers. Several key players shape the payment service landscape.

• Licensed mobile network providers have significantly expanded financial access through their mobile money platforms (eg, M-PESA).
• Payment service providers (PSPs) are specialised entities that provide payment services such as transaction processing and technology solutions.
• Traditional banks and licensed money remittance operators facilitate cross-border payment services beyond Kenya's borders. Money remittance operators are entities that facilitate the transfer of funds between individuals without the requirement of traditional bank accounts for either the sender or the recipient.

Investment Services

Investment service providers in Kenya are increasingly utilising technology to expand access to investment opportunities for Kenyan customers. Notable services include the following.

• Brokerage – various start-ups are partnering with licensed collective investment schemes to connect retail investors with these schemes, simplifying the investment process.
• Forex trading – online forex trading is gaining popularity in Kenya. The CMA regulates forex brokers offering online foreign exchange trading platforms as well as entities that act as a link between the foreign exchange market and a client in return for a commission or mark-up in spreads.
• Crowd-funding platforms – online platforms for crowdfunding allow investors to participate in a range of debt or equity-based financing opportunities. The CMA regulates these platforms to ensure investor protection when offered to investors in Kenya.

Insurtech

Kenya's historically low insurance penetration rate has spurred innovation in the insurtech sector. Start-ups and established insurers are leveraging technology to improve accessibility. This includes digital platforms for coverage access, claims submission and policy management, as well as the development of microinsurance products tailored to underserved populations.

Edtech

Following the closure of schools in 2020 as a result of the COVID-19 pandemic, there has been an increased adoption of edtech in Kenya. Edtech provides a variety of services, such as the provision of revision papers, the supply of textbooks and interactive learning using technologies such as USSD and mobile applications. Edtech is tailored to accommodate persons with various levels of technological literacy.

Agritech

With 70% of the rural population in Kenya working in the agricultural industry, agritech has seen a steady uptake. Agritech solutions offer farmers vital resources, including soil quality testing, expert advice, access to credit for small-scale operations, and a marketplace for products and services.

There is no separate regime for the regulation of fintech in Kenya, with fintech products and services falling under the ambit of various financial laws that already exist in Kenya. The main pieces of legislation that govern the financial services sector and the corresponding regulators are as follows.

Digital Banking and Digital Lending

• The Central Bank of Kenya Act, Cap 491 of the Laws of Kenya establishes the CBK, which regulates and supervises various financial institutions, such as banks, microfinance institutions, DCPs and PSPs.
• The Banking Act, Cap 488 of the Laws of Kenya provides for the licensing and regulation of banks that undertake “banking business” in Kenya (ie, accepting deposits from the Kenyan public and using the deposits for lending or investment).
• The Microfinance Act, No 19 of 2006 provides for the licensing and regulation of deposit-taking microfinance institutions operating in Kenya and providing services to small or micro enterprises or low-income households.
• The Central Bank of Kenya Prudential Guidelines set out guidelines for banks on the conduct of their operations, including licensing procedures, capital adequacy requirements and the enforcement of banking laws and regulations.

Digital Lending

• The Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 (DCP Regulations) provide for the licensing and regulation of DCPs.

Payment Services

• The National Payments Systems Act, No 39 of 2011 (NPS Act) provides for the authorisation and regulation of PSPs in Kenya, such as e-money issuers, electronic retail providers and cash merchants.
• The Central Bank of Kenya Money Remittance Regulations 2013 provide for the licensing and regulation of money remittance providers.

Investment

• The Capital Markets Act, Cap 485A of the Laws of Kenyan establishes the CMA and provides for the regulation of offers of securities in Kenya (whether publicly or privately).
• The Retirement Benefits Act, No 3 of 1997 establishes the Retirement Benefits Authority and the registration and regulation of retirement benefits schemes.

Insurance

• The Insurance Act, Cap 487 of the Laws of Kenya establishes the Insurance Regulatory Authority (IRA) and provides for the regulation of insurance providers and insurance products, including digital insurance products.

Consumer Protection

• The Competition Act, No 12 of 2010 focuses on ensuring a fair and competitive marketplace. It aims to protect consumers from businesses that engage in harmful practices like misleading advertising or unfair pricing, and creates the Competition Authority of Kenya, which is the agency responsible for upholding these fair competition standards.
• The Consumer Protection Act, No 40 of 2012 offers specific safeguards for individuals who use credit. It requires lenders to be transparent with borrowers, providing clear information about loan terms. It also prevents lenders from penalising borrowers who choose to repay their loans ahead of schedule.

Industry players apply different compensation for their services, as follows.

• PSPs and market intermediaries typically impose a transaction fee for each action a customer takes on their platform, such as using a debit card or making an online payment.
• Unlike the above, DCPs focus on providing credit and charge a credit facility fee, which is usually deducted from the loan amount at the time of disbursement.
• Banks are unique in that they often employ both fee structures. They may charge transaction fees for transaction services, while also offering credit facilities with associated fees or interest rates.

In addition, the various sector laws impose certain conditions on how industry participants can charge customers and what disclosures need to be made to customers.

Digital Banking

A bank that provides any credit facilities to a borrower is restricted from imposing default charges or prepayment penalties. In addition, for non-performing loans, any interest on the overdue amount stops running the moment the accrued interest equals the principal amount of the loan.

Banks are required to disclose to customers all charges, fees and penalties that would be incurred through the use of a product or the rendering of a service prior to a customer choosing a product or service.

Banks are also required to ensure that a consumer is notified within a reasonable time (typically, 30 days) as the circumstances of the case may require and before implementing any changes to fees or charges imposed on products or services.

Digital Lending

DCPs are required to disclose to customers all payments that they would be required to make to the DCP in consideration of receiving a loan from the DCP, including all interest, fees, expenses and costs associated with the provision of the loan. In addition, DCPs are restricted from increasing charges or credit limits without giving at least 20 days' prior notice to the customers.

DCPs are also required to submit their pricing models to the CBK for approval and, once approved, are restricted from altering their pricing models or parameters without the prior written approval of the CBK. They are subject to similar restrictions to banks on default charges, prepayment and interest on non-performing loans.

Payment Services

PSPs are required to disclose the charges for all services, and must publish such information and display it prominently at all points of service. They are also required to notify customers and the CBK of any material changes in the rates, terms and charges at which they offer their services, and must do so at least seven days before the changes take effect.

Investment Services

Service providers licensed by the CMA (market intermediaries) are required to disclose their fees for the provisions of services to their customers. They are also restricted from taking any fees or charges from any client’s funds or liquidating a client’s securities for the purpose of recovering its fees or charges, unless doing so is in accordance with the client agreement or in the manner prescribed by the CMA.

Market intermediaries include:

• stockbrokers;
• derivatives brokers;
• REIT managers;
• trustees;
• dealers;
• investment advisers;
• fund managers;
• investment banks;
• central depositories;
• authorised securities dealers;
• authorised depositories;
• online forex brokers;
• commodity dealers; and
• commodity brokers.

If the services or products offered by fintechs fall under existing Kenyan regulations, there is no distinction between how fintechs and legacy players are regulated. In this case, both fintechs and legacy players would be required to obtain a licence from the applicable regulator before providing the service or product.

CMA

The CMA has established the Capital Markets Authority Regulatory Sandbox (CMA Sandbox), a framework designed to facilitate live testing of innovative financial products, solutions and services, while prioritising investor protection. The CMA Sandbox operates under the Regulatory Sandbox Policy Guidance Note, issued in early 2019 (CMA Sandbox Note). The CMA Sandbox Note outlines clear eligibility criteria, application procedures, safeguards and testing requirements for firms seeking to participate in the Sandbox.

After the testing period, the CMA can take one of the following actions:

• grant a full licence or approval to operate in Kenya;
• issue a letter of no-objection to the applicant to operate in Kenya under specific conditions;
• create new regulations, guidelines or notices if insights gained during the testing period reveal a need for broader legal reform or a new regulatory framework to accommodate innovative business models; or
• deny the applicant permission to operate in Kenya if the innovation does not comply with prevailing legal and regulatory standards.

Approach to Regulation

Once a fintech is onboarded onto the CMA Sandbox, it must adhere to certain minimum regulatory requirements, applicable to all capital market participants, such as the prevention of money laundering, counter-terrorism financing and other illicit activities.

If the fintech is already licensed by the CMA, the licence would continue to apply to all non-sandbox approved activities of the fintech.

If a fintech fails to maintain any required safeguards, submits false information to the CMA or fails to address defects or vulnerabilities in its products that give rise to service disruptions or fraud incidents, the CMA may revoke or suspend an approval to participate in the CMA Sandbox.

Communications Authority of Kenya (CA)

The CA has established a regulatory sandbox to foster innovation within Kenya's ICT sector. This sandbox provides a controlled environment for companies to test new products and services in fields such as broadcasting, cybersecurity, multimedia, telecommunications and e-commerce.

Similar in operation to the CMA Sandbox, the CA Sandbox offers the following potential outcomes:

• granting the participant a licence or approval to operate in Kenya under existing regulations;
• granting the participant authorisation to operate in Kenya, subject to specific conditions;
• the development of new regulations, guidelines or notices informed by Sandbox testing insights, addressing regulatory gaps; or
• denial of permission to operate in Kenya if current legal and regulatory requirements are not met.

It is common for more than one regulator to have jurisdiction over a fintech in Kenya. The jurisdiction of each regulator will be governed by the applicable enabling legislation. For example, a mobile network provider would be subject to regulation by:

• the CA, which regulates the provider's core telecommunications services;
• the CBK, which oversees the provider's mobile payment services, money remittance and/or digital credit services;
• the Competition Authority of Kenya, which monitors mergers, acquisitions and potential abuses of market dominance to ensure fair competition; and
• the Kenya Revenue Authority, which addresses tax obligations stemming from the provider's business activities.

Typically, regulators with overlapping mandates would enter memoranda of understanding to govern their regulatory action or consult with each other before undertaking regulatory action.

Digital Banking

Under the Central Bank Prudential Guideline on Outsourcing (CBK/PG/16), any person undertaking “banking business” is:

• prohibited from outsourcing certain core management functions, such as corporate planning, organisation, management, and control and decision-making functions;
• permitted to outsource some “material activities” but they must receive the approval of the CBK before outsourcing these services – these include information system management and maintenance, application processing (eg, loan origination), claims administration, cash movement and internal audit; and
• permitted to outsource the following activities and need only notify the CBK rather than seek its prior approval:
1. courier services;
2. credit background checks;
3. background investigations; and
4. employment of contract or temporary staff.

All permitted outsourcing arrangements must be governed by a clearly written contract that contains provisions emphasising the importance of clearly defined services, performance standards and the ability to monitor the service provider. It should also cover data security, termination clauses, subcontractor approval, audit rights and dispute resolution mechanisms, and specify pricing and fees.

Payment Service Providers

A PSP is permitted to outsource operational functions related to payment services. However, this outsourcing must adhere to specific guidelines, including ensuring robust internal quality control, enabling CBK oversight of all parties involved, retaining ultimate responsibility by senior management, and strictly complying with all customer contracts and licensing requirements.

If a PSP intends to outsource any of its functions, it is required to notify the CBK at least 30 days before any outsourcing agreement is implemented.

Market Intermediaries

Market intermediaries are not restricted from engaging third parties to undertake any of their functions, but they are required to maintain detailed records of the engagement. These records include:

• a contract, with a clear outline of what services the third party will provide;
• information verifying the third party's legal standing, including documents to ensure they are financially sound; and
• details on the skills and experience of the third party's employees who will be working on behalf of the market intermediary.

Even if a market intermediary delegates a task to a third party, the intermediary remains ultimately responsible for ensuring the task is completed correctly.

Fintechs would be liable for failures to notify the Financial Reporting Centre of any transactions that are suspected to be related to money laundering or are the proceeds of crime. Please see 2.13 Impact of AML and Sanctions Rules for more information.

Kenyan financial laws (as set out in 2.2 Regulatory Regime) have adopted similar approaches to enforcement. As such, the main regulatory enforcement actions that can be imposed by regulators are:

• imposing discretionary fines;
• revoking or suspending licences;
• imprisonment of a company's officials;
• ordering compensation or restitution for persons affected by a regulatory breach;
• issuing enforcement notices specifying remedial actions for rectifying a breach; and
• disqualifying directors from holding office in financial institutions.

The imprisonment of company officials and fines can be imposed pursuant to court proceedings in accordance with the corresponding statutes.

Data Protection

The Data Protection Act, No 24 of 2019 provides for the regulation of the processing of personal data, the rights of data subjects and the obligations of data controllers and data processors. Any fintech that is resident in Kenya and processes any personal data or that processes personal data relating to natural people in Kenya would be required to comply with the Data Protection Act. The obligations that fintechs are required to adhere to include:

• registration with the Office of the Data Protection Commissioner (ODPC) as either a data controller or data processor;
• obtaining the consent of a data subject prior to processing any personal data;
• processing the personal data only to the extent necessary; and
• reporting and documenting personal data breaches.

If a fintech breaches the provisions of the Data Protection Act, it may be subject to administrative penalties from the ODPC of up to KES5 million (approximately USD35,000) or 1% of annual turnover for the preceding year, whichever is lower, or it may be subject to criminal sanctions of up to ten years in jail or a fine of up to KES3 million (approximately USD20,000).

Consumer Protection

The Consumer Protection Act provides for the protection of consumers and the prevention of unfair trade practices in consumer transactions.

Under the Consumer Protection Act, businesses are strictly prohibited from making false, misleading or deceptive representations to describe their products or services. This includes things like claiming a product has features it does not, that it is of higher quality than it is, or that it is available for a hidden reason. Companies cannot go back on promises made in previous advertising and must be truthful about any special offers or price advantages. In addition, they must clearly explain the customer's rights, remedies and obligations within a transaction. Using exaggeration, vague language or hidden information to deceive a customer is also illegal.

Moreover, the Consumer Protection Act forbids businesses from taking advantage of vulnerable consumers and making unconscionable representations. It is considered unconscionable for a business to make claims knowing (or where it should know) that the consumer is unable to fully protect themselves due to factors like a disability, lack of understanding or illiteracy. The law also prevents deals that are heavily one-sided in favour of the business or contain extremely unfair terms for the consumer, or where the consumer was pressured into making a decision.

If a fintech makes a false, misleading or deceptive representation or an unconscionable representation, any agreement entered into between the fintech and the customer can be rescinded by the customer, who would be entitled to apply for other remedies available under law, including damages.

Cybersecurity

The Computer Misuse and Cybercrimes Act, Cap 79C of the Laws of Kenya (CMCA) seeks to enable the timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes in Kenya.

Under the CMCA, any person that provides users of its services the means to communicate by use of a computer system (ie, a service provider) is required to:

• comply with any order issued by a court to submit subscriber information to a police officer or authorised person;
• comply with any requests from a police officer or authorised person to preserve any data that is at risk of modification, loss or destruction; and
• respond expeditiously to requests for assistance from a police officer or authorised person.

A fintech would fall within the definition of a service provider and therefore would be required to comply with the above requirements.

In addition, any person who obtains unauthorised access, causes unauthorised interference or, without authorisation, intercepts data in relation to a protected computer system commits an offence and is liable on conviction to a fine not exceeding KES25 million or imprisonment for a term not exceeding 20 years, or both. A protected computer system is defined in the CMCA to include a computer system used directly in connection with – or necessary for the provision of services directly related to – communications infrastructure, banking and financial services, and payment and settlement systems and instruments.

The activities of fintechs are largely subject to review by various private industry organisations, such as the Kenya Bankers Association, the Fintech Association of Kenya, the Digital Financial Services Association of Kenya and the Association of Fintechs in Kenya. These organisations aim to act as forums for education, information sharing and networking between fintech, policymakers and the general public.

Industry participants do offer unregulated products and services, but such activities are undertaken through affiliate entities, rather than by the regulated entity itself, due to restrictions placed on the regulated entities by the applicable laws. For instance, a bank can only undertake “banking business” and is not permitted to undertake any other type of business.

The Proceeds of Crime and Anti-Money Laundering Act, Cap 59A of the Laws of Kenya (POCAMLA) sets out rules and obligations that various types of “reporting institutions” are required to abide by. In this regard, a fintech would be subject to POCAMLA if it falls within the definition of a “reporting institution”, which POCAMLA defines as a financial institution or a designated non-finance business and profession. A financial institution is defined as a person or entity that conducts business in one of the following activities or operations:

• accepting deposits and other repayable funds from the public;
• lending, including consumer credit, mortgage credit, factoring, with or without recourse, and financing of commercial transactions;
• issuing and managing means of payment (such as credit and debit cards, cheques, travellers’ cheques, money orders and bankers’ drafts, and electronic money);
• participation in securities issues and the provision of financial services related to such issues;
• investing, administering or managing funds or money on behalf of other persons;
• underwriting and placement of life insurance and other investment-related insurance; and
• money and currency changing.

Any fintech that engages in these activities would fall within the definition of a “reporting institution” and would be subject to POCAMLA. The activities such fintechs would have to comply with include:

• monitoring all complex, unusual, suspicious, large or such other transactions on an ongoing basis; and
• reporting suspicious or unusual transactions or activity to the Financial Reporting Centre upon suspecting that it could constitute or be related to money laundering or the proceeds of crime.

In addition, the DCP Regulations require DCPs to provide evidence of the sources of funds invested or to be invested in their business to the CBK. This ensures that these funds are not the proceeds of criminal activity.

Furthermore, market intermediaries are required to obtain the following information from their clients, prior to making any investment order on their client's behalf:

• details regarding the origin of funds used or to be used for the investment, including confirmation from the remitting entity (if funds originate outside Kenya) regarding the client's business and funds origin; and
• a written statement from the client verifying the accuracy of the provided information and confirming that the funds are not the proceeds of money laundering or other illegal activities.

There are specific regulations in Kenya related to robo-advisers; as such, there are no prescriptions on business models to be adopted in relation to robo-advisers.

However, the CMA has taken steps in relation to the regulation of robo-advisers for the provision of investment services. In this regard, the CMA has, through the CMA Sandbox, issued letters of no-objection to two entities (FourFront Management Limited and Waanzilishi Capital Limited), allowing them to provide automated, algorithm-driven financial planning services with limited to no human intervention.

It should be noted that the letters of no-objection are issued on the back of licences issued to the two entities – ie, FourFront Management Limited is a division of Standard Investment Bank, a licensed investment bank in Kenya, and Waanzilishi Capital Limited is registered as a fund manager. Both investment banks and fund managers have the power and authority under the Capital Markets Act to provide investment advice to customers in Kenya.

Currently, one of the licensed robo-advisers is a legacy player (Standard Investment Bank) and it needed to seek approval for the implementation of the solution through the CMA Sandbox, given the lack of existing regulation on robo-advisers.

There are currently no regulations prescribing how robo-advisers can best execute customer trades. However, as robo-advisory services are currently being provided by licensed market intermediaries, such market intermediaries would need to comply with the requirement of the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 to:

• deal for a client on the best terms available for the client;
• not execute an order unless the client has made sufficient arrangements for the necessary funds or securities; and
• ensure that transactions it executes are allocated to those clients who gave the orders in a timely and equitable manner.

There are no significant differences in the business or regulation of loans to individuals, small businesses and others. Differences in Kenyan lending regulations are based on the source of funds and the channel of contracting/disbursement of funds.

Sources of Funds

The key element for the regulation of loans is whether the loans are made from customer deposits. Under the Banking Act, “banking business” and “finance business” are regulated activities. Both “banking business” and “finance business” involve:

• accepting money on deposit from members of the public, repayable on demand; and
• using the money held on deposit by lending, investing or other means, at the risk of the person lending or investing the funds.

A similar definition is set out for “microfinance business” under the Microfinance Act.

Channel of Contracting/Disbursement of Funds

Another differentiator for regulation is whether loan proceeds are deployed using digital means. As set out in 2.1 Predominant Business Models, non-deposit-taking entities that provide credit facilities or loan services through a digital channel would be considered a DCP and therefore be subject to regulation by the CBK.

There are no specific regulations that prescribe the underwriting process for industry participants. However, the DCP Regulations impose an obligation on a DCP not to advance any credit to a customer before it has taken reasonable steps to assess the customer's ability to repay the credit facility.

DCPs will typically use consumer data and apply automated algorithms to make automated decisions on a customer's creditworthiness and risk. In undertaking such an assessment, the DCP Regulations require the DCP to collect and assess only such customer data as is required for the appraisal. This is in line with the requirements on the processing of personal data as set out under the Data Protection Act.

Deposit-taking Lenders

Entities that undertake deposit-taking business (eg, banks) raise funds from the following.

Customer deposits

As set out in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, entities undertaking “banking business” or “microfinance business” will obtain deposits from customers, which will be used to issue loans to customers.

Equity capital

The shareholders of a deposit-taking business will typically provide capital in the form of:

• permanent shareholders’ equity (issued and fully paid-up ordinary shares and perpetual non-cumulative preference shares);
• disclosed reserves, such as ordinary share capital and perpetual non-cumulative share premium; and
• retained earnings.

Debt capital

Deposit-taking businesses can also raise capital through debt from lenders or investors (eg, convertible notes)

Non-deposit-taking Lenders

Lenders that do not obtain deposits from customers but provide loans (eg, DCPs) source funds from capital raised as either equity capital or debt capital in a similar manner to deposit-taking lenders.

Regulation of Sources of Funds

Raising debt or shareholder capital would be subject to regulation if such capital raising is considered to be a “public offer of securities”. In such instances, the entity would be required to comply with the Capital Markets Act and the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002.

A public offer of securities occurs when a company extends an invitation to a broad segment of the public to invest in its financial instruments and would occur if:

• the invitation extends beyond a small, predefined group of investors; or
• the structure of the offer allows for securities to be transferred to individuals who were not the initial targets.

Syndication of loans is not common Kenya and there are no prescribed regulations governing such activity. However, the syndication process is typically as follows.

• Origination – a borrower identifies a significant funding need and chooses a lead arranger, typically an experienced investment bank or commercial bank, to organise the syndication.
• Details and negotiation – the lead arranger assists the borrower in creating a detailed information package about its business and financial health, which is used to negotiate core loan terms like the amount, interest rates and repayment plans.
• Finding partners – the lead arranger strategically approaches other banks or investors, inviting them to join the lending group (the syndicate). These potential partners carefully review the company's information and evaluate the risk.
• Commitments and contracts – interested lenders decide how much of the loan they are willing to fund. The terms are fine-tuned, and a comprehensive loan agreement is drawn up, legally binding all parties.
• Funding and beyond – upon signing the agreement, the lead arranger releases the funds to the company. Often, a specific bank is appointed to manage the loan on behalf of everyone in the syndicate and ensure the borrower adheres to the agreed-upon terms.

Payment processors can use existing payment rails or can create or implement new payment rails.

To operate in Kenya, a payment processor would first need to be authorised as a PSP by the CBK under the NPS Act. Under the NPS Act, a PSP is an entity that:

• sends, receives, stores or processes payments or provides other services through any electronic system;
• owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or
• processes or stores data on behalf of PSPs or users of payment services.

Upon authorisation, a PSP would be able to make use of existing payment rails to facilitate payments between customers in Kenya, subject to any conditions imposed by the CBK in its authorisation.

Cross-border payments and remittances are regulated by the Money Remittance Regulations, under which any person that wishes to undertake “money remittance business” is required to obtain a licence from the CBK. “Money remittance business” is defined in the Money Remittance Regulations as a service for the transmission of money or any representation of monetary value without any payment accounts being created in the name of the payer or the payee, where:

• funds are received from a payer for the sole purpose of transferring a corresponding amount to a payee or to another payment service operator acting on behalf of the payee; or
• funds are received on behalf of and made available to the payee.

The CBK currently requires PSPs to obtain a money remittance licence for cross-border transactions, because the NPS Act does not explicitly address PSP involvement in such services. To avoid confusion and ensure smooth operations, clearer regulations are needed to address this gap in the legislation.

Banks and deposit-taking microfinance institutions are exempted from the Money Remittance Regulations and can undertake cross-border payments and remittances without the need to obtain a money remittance licence.

Fund administrators are regulated under the Capital Markets Act and the Retirement Benefits Act.

Under the Capital Markets Act, a fund manager is a manager of a collective investment scheme, a registered venture capital company or an investment adviser who manages a portfolio of securities in excess of an amount prescribed by the CMA from time to time.

A collective investment scheme (CIS) is any investment structure, such as an investment company, unit trust or mutual fund, that meets the following criteria, regardless of whether or not it is established within Kenya:

• it gathers and pools money from the public or a specific group of investors;
• the primary goal is to invest the pooled funds collectively; and
• the scheme is managed by the promoter or on the promoter's behalf.

A CIS can also be an umbrella scheme, where the investment is divided into multiple sub-schemes or classes. These sub-schemes share a common promoter who manages them.

Under the Retirement Benefits Act, a fund manager is a manager of a retirement benefits scheme, which is a scheme or arrangement (other than a contract for life assurance) under which persons are entitled to benefits in the form of payments payable primarily upon retirement, or upon death, termination of service or the occurrence of such other event as may be specified in a written law or other instrument. The scheme is established under an irrevocable trust, registered under the Retirement Benefits Act.

An administrator of a pension fund is responsible for the day-to-day administration of the retirement benefits scheme, while the fund manager of a retirement benefits scheme is responsible for investment of the scheme funds, in accordance with the investment policy statement of the retirement benefits scheme.

The administrator and the fund manager will enter into separate contracts with the retirement benefits scheme through its trustees and, as such, it is not typical for administrators to impose contractual terms on fund managers in the provision of their duties, and there are no regulations governing interactions between administrators and fund managers.

Different types of marketplaces and trading platforms are permissible in Kenya with respect to the trading of securities. These marketplaces and trading platforms are regulated by the CMA and include the following.

• Securities exchange – a formal marketplace where various securities are bought, sold or exchanged. Tradeable securities on an exchange encompass shares, debt securities, government securities, warrants, options, futures, units in a CIS, depository receipts and asset-backed securities.
• Derivatives exchange – a CMA-licensed securities exchange specifically designed for the listing of exchange-traded derivative contracts. These standardised financial instruments derive their value from underlying assets, indices or interest rates.
• Commodities market – a regulated marketplace, licensed by the CMA or equivalent authority, facilitating the buying, selling or trading of commodity contracts. This market can operate in a physical or electronic format. Tradeable commodities include agricultural, livestock, fishery, forestry, mining or energy goods and related manufactured/processed products, financial instruments, indices, rights or interests tied to such commodities.
• Over-the-counter (OTC) securities exchange – a decentralised market where securities not listed on a formal exchange are traded directly between participants (usually through a broker-dealer network). OTC markets are typically less regulated than traditional exchanges.
• Online foreign exchange platforms – internet-based systems managed by online foreign exchange brokers that enable the trading of foreign currencies, including contracts for difference (CFDs) based on foreign underlying assets.

The different assets tradeable on the platforms and marketplaces listed in 7.1 Permissible Trading Platforms are regulated by the Capital Markets Act and the regulations issued thereunder.

The regulations issued under the Capital Markets Act in relation to derivatives, asset-based securities, commodities and CFDs each set out how the assets should be traded in the respective exchanges and platforms and the obligations of market intermediaries in dealing with the assets.

Cryptocurrency exchanges are currently not regulated in Kenya. However, both the CBK and CMA have taken stances on the regulation of cryptocurrencies.

In the past, the CBK has issued cautionary statements in relation to dealing in cryptocurrencies, warning Kenyans that cryptocurrencies are not legal tender in Kenya and therefore there is no protection if the cryptocurrency exchange fails or goes out of business.

On the other hand, the CMA views cryptocurrencies as “securities” subject to regulation under the Capital Markets Act; this stance was legally confirmed by the High Court in the case of Wiseman Talent Ventures v Capital Markets Authority [2019] eKLR.

There have been progressive steps towards the regulation of cryptocurrency in Kenya.

• As noted in 1.1 Evolution of the Fintech Market, the Finance Act of 2023 introduced a 3% tax on income earned from the transfer or exchange of digital assets, including cryptocurrencies. The Finance Act also requires the owners of a crypto-exchange to register in Kenya (for purposes of taxation), withhold digital asset tax and file returns with the Kenya Revenue Authority.
• In March 2024, the Blockchain Association of Kenya tabled a draft Virtual Asset Service Providers Bill to the National Assembly that intends to regulate cryptocurrency exchanges and the companies that issue new crypto-based tokens, seeking to protect consumers. It also includes measures to prevent market manipulation and illegal activities like money laundering and financing terrorism.

The listing of shares (stocks) and fixed income securities (like bonds) on a securities exchange in Kenya is subject to the following regulations and guidelines.

• The Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002 – this primary legislation from the CMA establishes the overarching framework for how issuers can list and trade their securities on a securities exchange.
• The Nairobi Securities Exchange (NSE) Listing Rules – these rules are specifically tailored to the listing of securities on the NSE, but are in line with the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations. The Listing Rules outline the detailed requirements and procedures that companies must follow in order to list on the following different segments of the NSE:
1. the Main Investment Market Segment (MIMS), designed for larger, well-established companies with a proven track record;
2. the Alternative Investment Market Segment (AIMS), which offers more flexible listing criteria to accommodate smaller and medium-sized enterprises;
3. the Fixed Income Securities Market Segment (FISMS), which facilitates the listing and trading of fixed income securities, primarily corporate and government bonds; and
4. the Growth Enterprises Market Segment (GEMS), which caters to high-growth companies and start-ups, giving them access to capital markets even without extensive profitability history.

The handling of orders is prescribed by the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011, which impose certain requirements on a market intermediary when handling orders on behalf of a client. Such requirements include:

• executing client orders in the chronological sequence in which the orders were received and giving priority to outstanding orders;
• ensuring that all transactions it executes are allocated to the clients who gave the orders in a timely and equitable manner;
• not executing an order unless the client has made sufficient arrangements for the necessary funds or securities;
• if a market intermediary has aggregated an order for a client’s transaction with an order for its own account transaction, or with an order for another client’s transaction, in the subsequent allocation, not giving unfair preference to itself or to any of the clients and giving priority to satisfying orders for client transactions, if all orders cannot be satisfied; and
• where a market intermediary has a client order to execute, or where it intends to publish a price-sensitive recommendation or research or analysis to clients, not knowingly effecting an own account transaction in the securities concerned or in any related investment until the order has been executed or until the clients for whom the publication was principally intended have had, or are likely to have had, a reasonable opportunity to react to it.

Peer-to-peer (P2P) cryptocurrency trading platforms have gained significant popularity in Kenya. These platforms are currently unregulated and leave Kenyan users without legal protection if the platforms experience failures or cease operations. However, the proposed Virtual Asset Service Providers Bill aims to address this issue. If passed, the bill would regulate P2P trading platforms, requiring them to obtain a licence as a virtual asset service provider to operate legally.

With respect to the execution of trades on the platforms and marketplaces listed in 7.1 Permissible Trading Platforms, the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 require a market intermediary to deal for a client on the best terms available for the client – ie, to take all reasonable steps to obtain the best possible result for the client.

There are no express rules permitting or prohibiting payment for order flow. However, such activities may be prohibited if they are detrimental to the integrity of a securities exchange or runs afoul of legal requirements under the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 or rules prescribed by a securities exchange (such as the NSE).       

A market intermediary is required to apply the principles of best practice when conducting a regulated activity. These include observing a high standard of integrity and fair dealing, acting with due skill, care and diligence, and observing high standards of market conduct.

In addition, a market intermediary is required to adhere to the following principles:

• ensuring that any agreement, written communication, notification or information that it gives or sends to clients to whom it provides a service is presented fairly and clearly;
• ascertaining if any of its clients are insiders and maintaining records that assist it to monitor insider dealing;
• holding its clients’ funds in trust for and on behalf of the clients and segregating its clients' bank accounts from any account holding funds belonging to the market intermediary; and
• avoiding any conflict of interest between itself and a client.

High-frequency and algorithmic trading are not regulated in Kenya. However, one of the robo-advisers exited from the CMA Sandbox (ie, FourFront Management) is providing algorithmic trading services as part of the robo-adviser services approved under the letter of no-objection issued by the CMA.

As there is no regulatory regime for high-frequency and algorithmic trading, there are no market players acting in a principal capacity who would need to register as market makers.

As there is no regulatory regime on high-frequency or algorithmic trading, there is no distinction between funds and dealers that engage in these activities.

As there is no regulatory regime on high-frequency or algorithmic trading, there are no regulations with respect to programmers who develop and create trading algorithms and other electronic trading tools.

There is currently no regulation governing DeFi in Kenya. However, the passage into law of the Virtual Asset Service Provider Bill would provide for the regulation of virtual assets in Kenya and lay a basis for DeFi regulation.

Financial research platforms are not regulated in Kenya. However, if a finance research platform carries on the business of advising others concerning securities or for remuneration as part of a regular business or issues or promulgates analyses or reports concerning securities, such financial research platform would be undertaking the activities of an investment adviser and would need to obtain a licence from the CMA.

The Capital Markets Act establishes strict rules to prevent the spread of inaccurate information that could manipulate markets or harm investors.

Prohibited Actions

• Inducing investment through deception – it is an offence to make or publish false, misleading or deceptive statements, promises or forecasts to persuade someone to buy, sell or subscribe to securities.
• Material omissions – it is illegal to make false statements or leave out crucial information in connection with a securities transaction that would render those statements misleading.
• Market manipulation – any statement or omission intended to artificially influence the price of securities is prohibited. This includes statements that are false or misleading, or that omit key facts.

Consequences

Penalties

• First offence:
1. individuals: a fine of up to KES5 million (approximately USD350,000) or two years' imprisonment, plus repaying double the gains or losses; and
2. companies: a fine of up to KES10 million (approximately USD700,000), plus repaying double the gains or losses.
• Subsequent offences:
1. individuals: a fine of up to KES10 million (approximately USD700,000) or five years' imprisonment, plus repaying triple the gains or losses; and
2. companies: a fine of up to KES30 million (approximately USD2.1 million), plus repaying triple the gains or losses.

Liability for damages

Offenders are not only subject to criminal penalties but can also be sued by investors who suffered financial losses due to the false or misleading information.

The offences set out in 9.2 Regulation of Unverified Information would apply to anyone who makes a false or misleading statement, the effect of which is the perpetuation of a pump and dump scheme.

Financial research platforms may be vicariously liable if misleading information is posted on the platform and users of the platform suffer loss due to the false or misleading statement.

The Insurance Act does not set out any regulations that apply to insurtech; there are no specific underwriting requirements for these entities.

Generally, the underwriting process for insurance industry participants is guided by guidelines and circulates issued by the IRA. The IRA has published various guidelines that require industry participants to develop criteria for risk assessment, and to monitor and amend their processes as necessary, such as the IRA guidelines on insurance products, risk management and market conduct.

The Insurance Act provides for the regulation of general insurance business and long-term insurance business, and these two types of insurance business are treated differently. Long-term insurance business is insurance business in any of the following classes:

• life assurance;
• annuities;
• pensions (personal pension or deposit administration);
• group life;
• group credit;
• permanent health;
• investment (unit link and linked investments or non-linked investments); or
• any incidental business.

General insurance, on the other hand, is any insurance business for any class or classes not being long-term insurance business.

Insurers that offer both long-term and general insurance must maintain distinct capital reserves for each type of business. In addition, the assets held for long-term insurance policies are strictly protected. They are exclusively for the benefit of long-term policyholders and cannot be accessed to cover liabilities from the general insurance side of the business.

Regtech providers are unregulated in Kenya. However, the evolving regulatory landscape in Kenya creates an opportunity for the introduction of regtech solutions such as automated compliance systems that monitor transactions in real-time, detect anomalies, ensure adherence to local regulations, and generate the necessary reports for regulatory bodies.

There are no established practices on regtech in Kenya.

Kenyan financial institutions have explored use cases for blockchain in operations and sought regulatory approval for blockchain-linked products. However, there is a lack of information available to ascertain the uptake of blockchain technology.

There are no regulations or rule proposals made by regulators in relation to blockchain technology in Kenya. Kenyan regulatory bodies have demonstrated a nuanced understanding of blockchain technology, recognising its potential benefits while remaining cautious of the risks associated with cryptocurrencies. For example, the CBK has taken a measured stance towards cryptocurrencies, issuing warnings about their inherent volatility and potential use in illicit activities.

However, the regulators are significantly more open to the underlying blockchain technology. The CBK has released a research paper exploring central bank digital currencies, demonstrating an interest in harnessing blockchain's power for a regulated digital currency.

Blockchain assets are not considered a form of regulated financial instrument in Kenya. However, the draft Virtual Asset Service Provider Bill seeks to provide the regulation of blockchain assets such as asset-referenced tokens, crypto-assets, NFTs, real-world-asset tokens, security tokens and utility tokens.

Currently, there are no regulations pertaining to issuers of blockchain assets. However, the CMA views initial coin offerings as an offer of “securities”, which should be subject to its regulation. Under the draft Virtual Asset Service Provider Bill, initial coin offerings would be a regulated activity that can only be undertaken by a licensed virtual asset service provider.

There are currently no regulations relating to blockchain asset trading platforms or the secondary market trading of blockchain assets. However, the draft Virtual Asset Service Provider Bill provides for the regulation of virtual asset marketplaces, which are centralised platforms that facilitate:

• the trading and exchange of virtual assets for fiat currency or other virtual assets;
• the issuing, listing, buying and selling of virtual assets; and
• the trading of virtual assets, including peer-to-peer trading.

Currently, there are no regulations on how funds can invest in blockchain assets. In order for fund managers licensed under the Capital Markets Act and the Retirement Benefits Act to be able to invest in blockchain assets, the investment guidelines set out in the respective regulatory frameworks would need to be amended to allow for investment in blockchain assets.

Virtual currencies are not currently expressly defined in Kenyan law. The Finance Act provides for the imposition of a digital asset tax on income derived from the transfer of exchange of a “digital asset”.

The term “digital asset” is defined in the Finance Act to include “anything of value that is not tangible and cryptocurrencies, token code, number held in digital form and generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration that can be transferred, stored or exchanged electronically”. This definition would capture virtual currencies and, as such, any gain from the exchange of virtual currencies would be subject to tax in Kenya.

There is currently no regulation on DeFi in Kenya; please see 8.3 Regulatory Distinction Between Funds and Dealers.

There is no regulatory framework for NFTs or NFT platforms. The Finance Act provides for the imposition of a digital asset tax on income derived from the transfer of exchange of a “digital asset”. The term “digital asset” is defined in the Finance Act to include “a non-fungible token or any other token of similar nature, by whatever name called”.

Kenya currently lacks specific open banking regulations. As such, the sharing of personal financial data with third parties falls under the purview of the Data Protection Act. However, the CBK has expressed a commitment to developing appropriate API standards and promoting secure data-sharing practices, within its National Payments Strategy 2022–2025. The adoption of secure APIs by digital financial providers would streamline connectivity between third parties, primarily fintechs specialising in tailored solutions, and traditional financial institutions. This integration would lead to enhanced efficiency and security within the financial sector.

While there are no regulations that specifically deal with open banking, banks and technology providers would need to be compliant with the Data Protection Act; please see 2.10 Implications of Additional, Non-financial Services Regulations.

The key elements of fraud are:

• a false representation of a false fact;
• with the intention that another party should act on it; and
• that said party suffers damage.

In legal proceedings, an accusation of fraud carries a heightened standard of proof, exceeding the “balance of probabilities” threshold common in civil cases, demanding more substantial evidence. While this standard falls short of the “beyond a reasonable doubt” requirement of criminal cases, it necessitates a significantly more persuasive demonstration of fraudulent conduct.

Regulators prioritise investigating and taking action against individuals or businesses that conduct regulated financial activities without the necessary licences and those that overcharge interest on their financial products. These fraudulent practices harm customers by potentially leading to lost funds and financial vulnerability.

Examples of enforcement activities include:

• issuing cease-and-desist orders – regulators typically order unlicensed entities to immediately halt their operations;
• imposing fines – regulators have the power to impose financial penalties on persons undertaking regulated activity without appropriate licensing;
• criminal prosecutions – regulators may work with law enforcement to pursue criminal charges against persons undertaking regulated activity without appropriate licensing; and
• public warnings – regulators often issue public statements and warnings to inform consumers about unlicensed entities or fraudulent schemes they have identified.