Kenya's fintech market has solidified its position as a leader in Africa, driven by innovation, regulatory advancements and increased adoption of digital financial services. Over the past 12 months, the sector has experienced significant developments, shaping its trajectory and setting the stage for future growth.

Key Developments

The following key developments have shaped the Kenyan fintech landscape over the last 12 months.

Mobile money dominance

Mobile money continues to dominate Kenya’s financial ecosystem, with transactions surging to a record KES7.2 trillion (approximately USD55.81 billion) in the first ten months of 2024, according to the 2024 FinAccess Household Survey undertaken by Central Bank of Kenya (CBK).

Registered mobile accounts rose to 81 million, driven by the convenience of mobile banking apps and USSD-based transactions, which account for 45.7% and 38.2% of digital payments, respectively. This rapid growth has been fuelled by regulatory changes, including higher transaction limits, and the lasting impact of the COVID-19 pandemic, which accelerated the shift to digital payments.

In contrast, card payments have declined to a six-year low of KES465.4 billion (approximately USD3.61 billion), down from KES533.4 billion (USD4.14 billion) in 2023, reflecting the preference for mobile money and cash transactions. Point-of-sale card usage remains minimal at just 1.5%, further underscoring the shift away from traditional banking infrastructure.

Growth of digital lending

Digital lending has continued to expand, with the CBK licensing 27 additional digital credit providers, bringing the total number of licensed providers to 85. These lenders leverage data analytics and alternative credit scoring models to provide faster, more accessible loans to individuals and small businesses.

However, the CBK's slow licensing process, with over 200 pending applications, has created uncertainty for unlicensed operators. This regulatory bottleneck highlights the need for a more streamlined approval process to foster innovation while ensuring consumer protection.

Adoption of the Global Messaging Standard

The CBK migrated from the Kenya Electronic Payment and Settlement System (KEPSS) to the Global Messaging Standard (ISO 20022) in 2024. This transition facilitates faster settlement times, improved liquidity management and enhanced fraud detection for financial institutions. The move aligns with Kenya's vision of becoming a global financial hub and underscores the importance of modernising payment infrastructure to meet evolving economic needs.

Looking Forward: The Regulatory Spotlight

The next 12 months will likely see intensified efforts to regulate key areas of the fintech market, with a particular focus on cryptocurrencies and digital assets.

In January 2025, Kenya's National Treasury released draft framework documents for public consultation, aimed at overseeing and developing the virtual assets sector. The National Policy on Virtual Assets and Virtual Asset Service Providers (VASPs) outlines a strategic approach to regulating the ecosystem, while the Virtual Assets Service Providers Bill, 2025 (VASPs Bill) proposes a licensing and supervisory framework for VASPs operating in Kenya.

The VASPs Bill seeks to mitigate risks associated with virtual assets, such as money laundering, terrorism financing and proliferation financing. It establishes licensing criteria for VASPs, requiring financial stability, robust cybersecurity measures and fit-and-proper assessments. The VASPs Bill also sets out general obligations for VASPs, including customer asset protection, ethical business practices and compliance with anti-money laundering (AML) and counter-terrorism financing regulations. It also introduces regulations for initial virtual asset offerings and enforcement mechanisms to ensure compliance.

The predominant business models in the Kenyan fintech market relate to digital banking, digital lending and payment services.

Digital Banking

Kenyan banks and microfinance institutions typically use digital platforms to provide their services and products to their customers. As such, customers can open bank accounts, access and view their account information, and undertake transactions (such as funds transfers and bill payments) through mobile phones or other digital devices.

Digital Credit Services

Non-deposit credit providers (NDCPs) are entities that provide credit facilities, asset financing, buy-now-pay-later arrangements, credit guarantees, pay-as-you-go arrangements or peer-to-peer lending services to borrowers through digital channels. NDCPs typically provide small, short-term loans to individuals and businesses, disbursed directly to borrowers' mobile money accounts. Repayment is equally seamless, with options to use mobile apps or simple USSD codes.

Payment Services

Payment services encompass the systems and processes that facilitate financial transactions. These services cover interactions between businesses, businesses and their customers, and even individual consumers. Several key players shape the payment service landscape, including the following.

• Mobile network providers: licensed mobile network providers have significantly expanded financial access through their mobile money platforms (eg, M-PESA).
• Payment service providers (PSPs): these are specialised entities that provide payment services such as transaction processing and technology solutions.
• Banks and money remittance operators: traditional banks and licensed money remittance operators facilitate cross-border payment services beyond Kenya's borders. Money remittance operators are entities that facilitate the transfer of funds between individuals without the requirement of traditional bank accounts for either the sender or the recipient.

Investment Services

Investment service providers in Kenya are increasingly utilising technology to expand access to investment opportunities for Kenyan customers. Notable services include the following.

• Brokerage: various start-ups are partnering with licensed collective investment schemes to connect retail investors with these schemes, simplifying the investment process.
• Forex trading: online forex trading is gaining popularity in Kenya, and the Capital Markets Authority (CMA) regulates forex brokers offering online foreign exchange trading platforms as well as entities that act as a link between the foreign exchange market and a client in return for a commission or mark-up in spreads.
• Crowd-funding platforms: online platforms for crowdfunding allow investors to participate in a range of debt or equity-based financing opportunities. The CMA regulates these platforms to ensure investor protection when offered to investors in Kenya.

Insurtech

Kenya's historically low insurance penetration rate has spurred innovation in the insurtech sector. Start-ups and established insurers are leveraging technology to improve accessibility. This includes digital platforms for coverage access, claims submission and policy management, as well as the development of microinsurance products tailored to underserved populations.

Edtech

Following the closure of schools in 2020 as a result of the COVID-19 pandemic, Kenya has seen increased adoption of edtech. Edtech in Kenya provides a variety of services such as the provision of revision papers, the supply of textbooks, and interactive learning using technologies such as USSD and mobile applications. Edtech is tailored to accommodate persons with various levels of technological literacy.

Agritech

With 70% of the rural population in Kenya working in the agricultural industry, agritech has seen a steady uptake. Agritech solutions offer farmers vital resources such as soil quality testing, expert advice, access to credit for small-scale operations, and a marketplace for products and services.

There is no separate regime for the regulation of fintech in Kenya, with fintech products and services falling under the ambit of various financial laws that already exist in Kenya. The main pieces of legislation that govern the financial services sector and the corresponding regulators include the following.

Digital Banking and Digital Lending

The Central Bank of Kenya Act, Cap 491 of the Laws of Kenya establishes the CBK, which regulates and supervises various deposit-taking and non-deposit-taking financial institutions, such as banks, microfinance institutions, NDCPs and PSPs.

The Banking Act, Cap 488 of the Laws of Kenya, provides for the licensing and regulation of banks that undertake “banking business” in Kenya (ie, accepting deposits from the Kenyan public and using said deposits for lending or investment).

The Microfinance Act, No 19 of 2006, provides for the licensing and regulation of deposit-taking microfinance institutions operating in Kenya and providing services to small or micro enterprises or low-income households.

The Central Bank of Kenya Prudential Guidelines guide banks on the conduct of their operations, including licensing procedures, capital adequacy requirements and the enforcement of banking laws and regulations.

Digital Lending

The Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 (DCP Regulations) provide for the licensing and regulation of NDCPs.

Payment Services

The National Payments Systems Act, No 39 of 2011 (NPS Act), provides for the authorisation and regulation of PSPs in Kenya, such as e-money issuers, electronic retail providers and cash merchants.

The Central Bank of Kenya (Money Remittance Regulations) 2013 provide for the licensing and regulation of money remittance operators.

Investment

The Capital Markets Act, Cap 485A of the Laws of Kenyan, establishes the CMA and provides for the regulation of offers of securities in Kenya (whether publicly or privately).

The Retirement Benefits Act, No 3 of 1997, establishes the Retirement Benefits Authority and the registration and regulation of retirement benefits schemes.

Insurance

The Insurance Act, Cap 487 of the Laws of Kenya, establishes the Insurance Regulatory Authority and provides for the regulation of insurance providers and insurance products, including digital insurance products.

Consumer Protection

The Competition Act, No 12 of 2010, focuses on ensuring a fair and competitive marketplace. It aims to protect consumers from businesses that engage in harmful practices like misleading advertising or unfair pricing, and creates the Competition Authority of Kenya (CAK), which is the agency responsible for upholding these fair competition standards.

The Consumer Protection Act, No 40 of 2012, offers specific safeguards for individuals who use credit. It requires lenders to be transparent with borrowers, providing clear information about loan terms. It also prevents lenders from penalising borrowers who choose to repay their loans ahead of schedule.

The Data Protection Act, No 24 of 2019, provides for the legal framework for the protection of personal data of individuals who use any fintech service, including financial data. It requires financial institutions to collect and safeguard customer data and implement technical and organisational measures to protect personal data.

Industry players apply different compensation for their services, as follows:

• PSPs and market intermediaries typically impose a transaction fee for each action a customer takes on their platform, such as using a debit card or making an online payment;
• NDCPs focus on providing credit and charge a credit facility fee, which is usually deducted from the loan amount at the time of disbursement; and
• banks are unique in that they often employ both fee structures – they may charge transaction fees for transaction services, while also offering credit facilities with associated fees or interest rates.

In addition, the various sector laws impose certain conditions on how industry participants can charge customers and what disclosures need to be made to the customers.

Digital Banking

A bank that provides any credit facilities to a borrower is restricted from imposing default charges or prepayment penalties. In addition, for non-performing loans, any interest on the overdue amount stops running the moment the accrued interest equals the principal amount of the loan.

Banks are required to disclose to customers all charges, fees and penalties that would arise from the use of a product or the rendering of a service prior to a customer choosing a product or service. They are also required to ensure that a consumer is notified within a reasonable time (typically, 30 days), as the circumstances of the case may require, and before implementing any changes to fees or charges imposed on products or services.

Digital Credit

NDCPs are required to disclose to customers all payments that they would be required to make to the NDCP in consideration of receiving a loan from the NDCP, including all interest, fees, expenses and costs associated with the provision of the loan. In addition, NDCPs are restricted from increasing charges or credit limits without providing at least 20 days prior notice to customers.

NDCPs are also required to submit their pricing models to the CBK for approval; once approved, the NDCPs are restricted from altering their pricing models or parameters without the prior written approval of the CBK. They are also subject to similar restrictions to banks on default charges, prepayment and interest on non-performing loans.

Payment Services

PSPs are required to disclose the charges for all services, and to publish such information and display it prominently at all points of service.

They are also required to notify customers and the CBK of any material changes in the rates, terms and charges at which they offer their services, and must do so at least seven days before the changes take effect.

Investment Services

Service providers licensed by the CMA (market intermediaries) are required to make customers aware of their fees for the provision of services. They are also restricted from taking any fees or charges from any client’s funds or from liquidating a client’s securities for the purpose of recovering its fees or charges, unless doing so is in accordance with the client agreement or in the manner prescribed by the CMA.

Market intermediaries include the following entities:

• stockbrokers;
• derivatives brokers;
• REIT managers;
• trustees;
• dealers;
• investment advisers;
• fund managers;
• investment banks;
• central depositories;
• authorised securities dealers;
• authorised depositories;
• online forex brokers;
• commodity dealers; and
• commodity brokers.

If the services or products offered by fintechs fall under existing Kenyan regulations, there is no distinction between how fintechs and legacy players are regulated. In this case, both fintechs and legacy players would be required to obtain a licence from the applicable regulator before providing the service or product.

CMA

The CMA has established the Capital Markets Authority Regulatory Sandbox (CMA Sandbox), a framework designed to facilitate live testing of innovative financial products, solutions and services while prioritising investor protection.

The CMA Sandbox operates under the Regulatory Sandbox Policy Guidance Note, issued in early 2019, which outlines clear eligibility criteria, application procedures, safeguards and testing requirements for firms seeking to participate in the Sandbox.

After the testing period, the CMA can take one of the following actions:

• grant a full licence or approval to operate in Kenya;
• issue a Letter of No Objection to the applicant to operate in Kenya under specific conditions;
• create new regulations, guidelines or notices if insights gained during the testing period reveal a need for broader legal reform or a new regulatory framework to accommodate innovative business models; or
• deny the applicant permission to operate in Kenya – this will occur if the innovation does not comply with prevailing legal and regulatory standards.

Approach to regulation

Once a fintech is onboarded onto the CMA Sandbox, it is required to adhere to certain minimum regulatory requirements applicable to all capital market participants, such as the prevention of money laundering, counter-terrorism financing and other illicit activities.

If the fintech is already licensed by the CMA, the licence would continue to apply to all non-sandbox approved activities of the fintech.

If a fintech fails to maintain any required safeguards, submits false information to the CMA, or fails to address defects or vulnerabilities in its products that give rise to service disruptions or fraud incidents, the CMA may revoke or suspend its approval to participate in the CMA Sandbox.

Communications Authority of Kenya (CA)

The CA has established a regulatory sandbox to foster innovation within Kenya's ICT sector. This sandbox provides a controlled environment for companies to test new products and services in fields such as broadcasting, cybersecurity, multimedia, telecommunications and e-commerce.

Similar in operation to the CMA Sandbox, the CA Sandbox offers the following potential outcomes:

• granting the participant a licence or approval to operate in Kenya under existing regulations;
• granting the participant authorisation to operate in Kenya, subject to specific conditions;
• development of new regulations, guidelines or notices informed by sandbox testing insights, addressing regulatory gaps; or
• denial of permission to operate in Kenya if current legal and regulatory requirements are not met.

It is common for more than one regulator to have jurisdiction over a fintech in Kenya. The jurisdiction of each regulator will be governed by the applicable enabling legislation. For example, a mobile network provider would be subject to regulation by:

• the CA, which regulates the provider's core telecommunications services;
• the CBK, which oversees the provider's mobile payment services, money remittance and/or digital credit services;
• the Competition Authority of Kenya, which monitors mergers, acquisitions and potential abuses of market dominance to ensure fair competition; and
• the Kenya Revenue Authority, which addresses tax obligations stemming from the provider's business activities.

Typically, regulators with overlapping mandates would enter memoranda of understanding to govern their regulatory action or consult with each other before undertaking regulatory action.

Regulators in Kenya have been known to issue "letters of no objection", which typically state that an organisation's proposal or activities do not contravene existing regulations or laws. A prominent example of this practice was the Central Bank of Kenya's issuance of a letter of no objection in February 2007, enabling the operation of M-PESA, Kenya's pioneering mobile money transfer platform, in what was then an unregulated sector.

An area where regulators may be called to issue letters of no objection is with regards to virtual assets. The VASPs Bill proposes to introduce specific scenarios in which letters of no objection would be utilised. Under this law, letters of no objection would be required:

• When an entity intends to issue or promote an initial virtual asset offering within or originating from Kenya, it must first apply for a licence from either the Central Bank of Kenya (CBK) or the Capital Markets Authority (CMA). The relevant authority would then issue a letter of no objection confirming it does not oppose such issuance.
• When the CBK or CMA considers granting a virtual asset service provider licence to an applicant already operating within another regulated sector, a letter of no objection from the respective regulator would be a prerequisite.

Digital Banking

Under the Central Bank Prudential Guideline on Outsourcing (CBK/PG/16), any person undertaking “banking business” is:

• prohibited from outsourcing certain core management functions, such as corporate planning, organisation, management and control and decision-making functions;
• permitted to outsource some “material activities” but they must receive the approval of the CBK before outsourcing these services, which include information system management and maintenance, application processing (eg, loan origination), claims administration, cash movement and internal audit; and
• permitted to outsource the following activities and need only notify the CBK rather than seek its prior approval:
1. courier services;
2. credit background checks;
3. background investigations; and
4. the employment of contract or temporary staff.

All permitted outsourcing arrangements must be governed by a clearly written contract that contains provisions emphasising the importance of clearly defined services, performance standards and the ability to monitor the service provider. It should also cover data security, termination clauses, subcontractor approval, audit rights and dispute resolution mechanisms, and specify pricing and fees.

Payment Service Providers

A PSP is permitted to outsource operational functions related to payment services. However, this outsourcing must adhere to specific guidelines, including ensuring robust internal quality control, enabling CBK oversight of all involved parties, retaining ultimate responsibility by senior management, and strictly complying with all customer contracts and licensing requirements.

If a PSP intends to outsource any of its functions, it is required to notify the CBK at least 30 days before any outsourcing agreement is implemented.

Market Intermediaries

Market intermediaries are not restricted from engaging third parties to undertake any of their functions, but they are required to maintain detailed records of the engagement. These records include:

• contracts, with a clear outline of what services the third party will provide;
• verification of the third party's legal standing, including documents to ensure they are financially sound; and
• details on the skills and experience of the third party's employees who will be working on behalf of the market intermediary.

Even if a market intermediary delegates a task to a third party, the intermediary remains ultimately responsible for ensuring the task is completed correctly.

Fintechs would be liable for failures to notify the Financial Reporting Centre of any transactions that are suspected to be related to money laundering or the proceeds of crime; please see 2.14 Impact of AML and Sanctions Rules.

Kenyan financial laws (as set out in 2.2 Regulatory Regime) have adopted similar approaches to enforcement. As such, the main regulatory enforcement actions that can be imposed by regulators are:

• discretionary fines;
• revoking or suspending licences;
• imprisonment of a company's officials;
• ordering compensation or restitution to persons affected by a regulatory breach;
• issuing enforcement notices specifying remedial actions for rectifying a breach; and
• disqualification of directors from holding office in financial institutions.

The imprisonment of company officials and fines can be imposed pursuant to court proceedings in accordance with the corresponding statutes.

Data Protection

The Data Protection Act provides for the regulation of the processing of personal data, the rights of data subjects and the obligations of data controllers and data processors.

Any fintech that processes any personal data that is resident in Kenya or that processes personal data relating to natural people in Kenya would be required to comply with the Data Protection Act and the following obligations, amongst others:

• registration with the Office of the Data Protection Commissioner (ODPC) as either a data controller or data processor;
• obtaining the consent of a data subject prior to processing any personal data;
• only processing the personal data to the extent necessary; and
• reporting and documenting personal data breaches.

If a fintech breaches the provisions of the Data Protection Act, it may be subject to administrative penalties from the ODPC of up to KES5 million (approximately USD35,000) or 1% of annual turnover for the preceding year, whichever is lower, or it may be subject to criminal sanctions of up to ten years in jail or a fine of up to KES3 million (approximately USD20,000).

Consumer Protection

The Consumer Protection Act provides for the protection of consumers and the prevention of unfair trade practices in consumer transactions.

Under the Consumer Protection Act, businesses are strictly prohibited from making false, misleading or deceptive representations to describe their products or services. This includes things like claiming a product has features it does not, that it is of higher quality than it is, or that it is available for a hidden reason. Companies cannot go back on promises made in previous advertising and must be truthful about any special offers or price advantages. In addition, they must clearly explain the customer's rights, remedies and obligations within a transaction. Using exaggeration, vague language or hidden information to deceive a customer is also illegal.

Moreover, the Consumer Protection Act forbids businesses from taking advantage of vulnerable consumers and making unconscionable representations. It is considered unconscionable for a business to make claims knowing (or where they should know) that the consumer is unable to fully protect themselves due to factors like a disability, lack of understanding or illiteracy. The law also prevents deals that are heavily one-sided in favour of the business or contain extremely unfair terms for the consumer, or where the consumer was pressured into making a decision.

If a fintech makes a false, misleading or deceptive representation or an unconscionable representation, any agreement entered into between the fintech and the customer can be rescinded by the customer, who would be entitled to apply for other remedies available under the law, including damages.

Cybersecurity

The Computer Misuse and Cybercrimes Act, Cap 79C of the Laws of Kenya (CMCA), seeks to enable the timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes in Kenya.

Under the CMCA, any entity that gives users of its services the means to communicate by use of a computer system (ie, a service provider) is required to:

• comply with any order issued by a court to submit subscriber information to a police officer or authorised person;
• comply with any requests from a police officer of authorised person to preserve any data that is at risk of modification, loss or destruction; and
• respond expeditiously to requests for assistance from a police officer or authorised person.

A fintech would fall within the definition of a service provider and would therefore be required to comply with the above requirements.

In addition, any person who obtains unauthorised access, causes unauthorised interference or, without authorisation, intercepts data in relation to a protected computer system commits an offence and is liable on conviction to a fine not exceeding KES25 million or imprisonment for a term not exceeding 20 years, or both. A protected computer system is defined in the CMCA to include a computer system used directly in connection with – or necessary for the provision of services directly related to – communications infrastructure, banking and financial services, and payment and settlement systems and instruments.

The activities of fintechs are largely subject to review by various private industry organisations, such as the Kenya Bankers Association, the Fintech Association of Kenya, the Digital Financial Services Association of Kenya and the Association of Fintechs in Kenya. These organisations aim to act as forums for education, information sharing and networking between fintech, policymakers and the general public.

Industry participants do offer unregulated products and services, but such activities are undertaken through affiliate entities rather than by the regulated entity itself, due to restrictions placed on the regulated entities by the applicable laws. For instance, a bank can only undertake “banking business” and is not permitted to undertake any other type of business.

The Proceeds of Crime and Anti-Money Laundering Act, Cap 59A of the Laws of Kenya (POCAMLA), sets out rules and obligations that various types of “reporting institutions” are required to abide by. In this regard, a fintech would be subject to POCAMLA if it falls within the definition of a “reporting institution”.

Under POCAMLA, a “reporting institution” is a financial institution or a designated non-finance business and profession. A financial institution is defined as a person or entity that conducts business in one of the following activities or operations:

• accepting deposits and other repayable funds from the public;
• lending, including consumer credit, mortgage credit, factoring, with or without recourse, and financing of commercial transactions;
• issuing and managing means of payment (such as credit and debit cards, cheques, travellers’ cheques, money orders and bankers’ drafts, and electronic money);
• participation in securities issues and the provision of financial services related to such issues;
• investing, administering or managing funds or money on behalf of other persons;
• underwriting and placement of life insurance and other investment-related insurance; and
• money and currency changing.

Any fintech that engages in these activities would fall within the definition of a “reporting institution” and would be subject to POCAMLA. The activities with such fintechs would have to comply include:

• monitoring all complex, unusual, suspicious, large or such other transactions, on an ongoing basis; and
• reporting suspicious or unusual transactions or activity to the Financial Reporting Centre upon suspecting that they could constitute or be related to money laundering or the proceeds of crime.

In addition, under the DCP Regulations, NDCPs are required to provide evidence to the CBK of the sources of funds invested or to be invested in their business. This ensures that these funds are not the proceeds of criminal activity.

Furthermore, market intermediaries are required to obtain the following information from their clients, prior to making any investment order on their client's behalf:

• details regarding the origin of funds used or to be used for the investment, including confirmation from the remitting entity (if funds originate outside Kenya) regarding the client's business and funds origin; and
• a written statement from the client verifying the accuracy of the provided information and confirming that the funds are not the proceeds of money laundering or other illegal activities.

Anti-money laundering (AML) and sanctions rules in Kenya generally follow the standards set by the Financial Action Task Force (FATF). Key Kenyan AML legislation, such as POCAMLA and the Prevention of Terrorism Act, CAP 59B, align closely with FATF Recommendations.

In addition, various financial sector laws have been amended to explicitly assign regulatory authorities – including the CBK, CMA, and IRA – with responsibility for regulating, supervising, and ensuring compliance with anti-money laundering, combating the financing of terrorism, and countering proliferation financing measures for all reporting institutions under their respective jurisdictions.

In Kenya, there is no uniform approach regarding reverse solicitation, and the position varies by sector. For instance, in the capital markets sector, any securities issued outside Kenya cannot be offered to Kenyan citizens within Kenya – even under reverse solicitation scenarios – without prior approval from the CMA. A similar position is applicable within the insurance sector, where offshore insurance providers must obtain authorisation to offer their products or services locally.

In the banking sector, historically, there have generally been no explicit restrictions on reverse solicitation. However, recent amendments to the Central Bank Act have introduced circumstances under which an offshore provider of banking products or services might now require regulatory approval from the CBK to offer such products or services in Kenya.

Regarding virtual assets, the current draft of the VASPs Bill does not explicitly restrict reverse solicitation. Nonetheless, it is anticipated that, as the Bill evolves, the approach adopted may align more closely with existing regulations in other financial sectors.

As there are specific robo-adviser regulations in Kenya, there are no prescriptions on business models to be adopted in relation to robo-advisers.

However, the CMA has taken steps in relation to the regulation of robo-advisers for the provision of investment services. In this regard, the CMA has, through the CMA Sandbox, issued letters of no-objection to two entities (FourFront Management Limited and Waanzilishi Capital Limited), allowing them to provide automated, algorithm-driven financial planning services with limited to no human intervention.

It should be noted that the letters of no-objection are issued on the back of licences issued to the two entities – FourFront Management Limited is a division of Standard Investment Bank, a licensed investment bank in Kenya, and Waanzilishi Capital Limited is registered as a fund manager. Both investment banks and fund managers have the power and authority under the Capital Markets Act to provide investment advice to customers in Kenya.

Currently, one of the licensed robo-advisers is a legacy player (Standard Investment Bank) and it needed to seek approval for the implementation of the solution through the CMA Sandbox given the lack of existing regulation on robo-advisers.

There are currently no regulations prescribing how robo-advisers can best execute customer trades. However, as robo-advisory services are currently provided by licensed market intermediaries, the market intermediaries would need to comply with the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011, which require a market intermediary to:

• deal for a client on the best terms available for the client;
• not execute an order unless the client has made sufficient arrangements for the necessary funds or securities; and
• ensure that transactions it executes are allocated to the clients who gave the orders in a timely and equitable manner.

There are no significant differences in the business or regulation of loans to individuals, small businesses and others. Differences in Kenyan lending regulations exist based on the source of funds.

The key element for the regulation of loans is whether the loans are made from customer deposits. Under the Banking Act, “banking business” and “finance business” are regulated activities, which both involve:

• accepting money on deposit from members of the public, which is repayable on demand; and
• using the money held on deposit by lending, investing or other means, at the risk of the person lending or investing the funds.

A similar definition is set out for “microfinance business” under the Microfinance Act.

There are no specific regulations that prescribe the underwriting process for industry participants.

However, the DCP Regulations impose an obligation on an NDCP not to advance any credit to a customer before it has taken reasonable steps to assess the customer's ability to repay the credit facility.

NDCPs will typically use consumer data and apply automated algorithms to make automated decisions on a customer's creditworthiness and risk. In undertaking such an assessment, the DCP Regulations require the NDCP to only collect and assess such customer data as is required for the appraisal. This is in line with the requirements on the processing of personal data set out under the Data Protection Act.

Deposit-Taking Lenders

Entities that undertake deposit-taking business (eg, banks) raise funds from the following sources.

Customer deposits

As set out in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, entities undertaking “banking business” or “microfinance business” will obtain deposits from customers, which will then be used to issue loans to customers.

Equity capital

The shareholders of a deposit-taking business will typically provide capital in the form of:

• permanent shareholders’ equity (issued and fully paid-up ordinary shares and perpetual non-cumulative preference shares);
• disclosed reserves (such as ordinary share capital and perpetual non-cumulative share premium); and
• retained earnings.

Debt capital

Deposit-taking business can also raise capital through debt from lenders or investors (eg, convertible notes).

Non-Deposit-Taking Lenders

Lenders that do not obtain deposits from customers but provide loans (eg, NDCPs) source funds from capital raised as either equity capital or debt capital, in a similar manner to deposit-taking lenders.

Regulation of Sources of Funds

Raising debt or shareholder capital would be subject to regulation if such capital raise is considered to be a “public offer of securities”. In such instances, the entity would be required to comply with the Capital Markets Act and the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002.

A public offer of securities occurs when a company extends an invitation to a broad segment of the public to invest in its financial instruments, and would occur if:

• the invitation extends beyond a small, predefined group of investors; or
• the structure of the offer allows for securities to be transferred to individuals who were not the initial targets.

Syndication of loans is not common in Kenya and there are no prescribed regulations governing such activity. However, the syndication process is typically as follows.

• Origination – a borrower identifies a significant funding need. They choose a lead arranger, typically an experienced investment bank or commercial bank, to organise the syndication.
• Details and negotiation – the lead arranger assists the borrower in creating a detailed information package about its business and financial health. This is used to negotiate core loan terms like the amount, interest rates and repayment plans.
• Finding partners – the lead arranger strategically approaches other banks or investors, inviting them to join the lending group (the syndicate). These potential partners carefully review the company's information and evaluate the risk.
• Commitments and contracts – interested lenders decide how much of the loan they are willing to fund. The terms are fine-tuned and a comprehensive loan agreement is drawn up, legally binding all parties.
• Funding and beyond – upon signing the agreement, the lead arranger releases the funds to the company. Often, a specific bank is appointed to manage the loan on behalf of everyone in the syndicate and ensure the borrower adheres to the agreed-upon terms.

Payment processors can use existing payment rails or can create or implement new payment rails.

To operate in Kenya, a payment processor would first need to be authorised as a PSP by the CBK under the NPS Act. Under the NPS Act, a PSP is an entity that:

• sends, receives, stores or processes payments or provides other services through any electronic system;
• owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or
• processes or stores data on behalf of PSPs or users of payment services.

Upon authorisation, a PSP would be able to make use of existing payment rails to facilitate payments between customers in Kenya, subject to any conditions imposed by the CBK in its authorisation.

Cross-border payments and remittances are regulated the Money Remittance Regulations, under which any person who wishes to undertake “money remittance business” is required to obtain a licence from the CBK.

“Money remittance business” is defined in the Money Remittance Regulations as a service for the transmission of money or any representation of monetary value without any payment accounts being created in the name of the payer or the payee, where:

• funds are received from a payer for the sole purpose of transferring a corresponding amount to a payee or to another payment service operator acting on behalf of the payee; or
• funds are received on behalf of and made available to the payee.

The CBK currently requires PSPs to obtain a money remittance licence for cross-border transactions. This is because the NPS Act does not explicitly address PSP involvement in such services. To avoid confusion and ensure smooth operations, clearer regulations are needed to address this gap in the legislation.

In addition, banks and deposit-taking microfinance institutions are exempted from the Money Remittance Regulations and can undertake cross-border payments and remittances without the need to obtain a money remittance licence.

Different types of marketplaces and trading platforms are permitted in Kenya with respect to the trading of securities. These marketplaces and trading platforms are regulated by the CMA and include the following.

• Securities exchange: a formal marketplace where various securities are bought, sold or exchanged. Tradeable securities on an exchange encompass shares, debt securities, government securities, warrants, options, futures, units in a CIS, depository receipts and asset-backed securities.
• Derivatives exchange: a CMA-licensed securities exchange specifically designed for the listing of exchange-traded derivative contracts. These standardised financial instruments derive their value from underlying assets, indices or interest rates.
• Commodities market: a regulated marketplace, licensed by the CMA or equivalent authority, facilitating the buying, selling or trading of commodity contracts. This market can operate in a physical or electronic format. Tradeable commodities include agricultural, livestock, fishery, forestry, mining or energy goods and related manufactured/processed products, financial instruments, indices, rights or interests tied to such commodities.
• Over-the-counter (OTC) securities exchange: a decentralised market where securities not listed on a formal exchange are traded directly between participants (usually through a broker-dealer network). OTC markets are typically less regulated than traditional exchanges.
• Online foreign exchange platforms: internet-based systems managed by online foreign exchange brokers that enable the trading of foreign currencies, including contracts for difference (CFDs) based on foreign underlying assets.

The different assets tradeable on the platforms and marketplaces listed in 6.1 Permissible Trading Platforms are regulated by the Capital Markets Act and the regulations issued thereunder.

The regulations issued under the Capital Markets Act in relation to derivatives, asset-based securities, commodities and CFDs each set out how the assets should be traded in the respective exchanges and platforms, and the obligations of market intermediaries in dealing with the assets.

Cryptocurrency exchanges are currently not regulated in Kenya, but both the CBK and the CMA have taken stances on the regulation of cryptocurrencies.

In the past, the CBK has issued cautionary statements in relation to dealing in cryptocurrencies, warning Kenyans that the cryptocurrencies are not legal tender in Kenya and therefore there is no protection if the cryptocurrency exchange fails or goes out of business.

On the other hand, the CMA views cryptocurrencies as “securities” subject to regulation under the Capital Markets Act; this stance was legally confirmed by the High Court in the case of Wiseman Talent Ventures v Capital Markets Authority [2019] eKLR.

There have been progressive steps towards the regulation of cryptocurrency in Kenya.

• The Finance Act of 2023 introduced a 3% tax on income earned from the transfer or exchange of digital assets (including cryptocurrencies). The Finance Act also requires the owners of a crypto exchange to register in Kenya (for purposes of taxation), withholding the digital asset tax and filing returns with the Kenya Revenue Authority.
• In January 2025, the draft VASPs Bill and National Policy on VAs and VASPs were circulated for public comment. If enacted, the VASPs Bill will lay the groundwork for the regulation of cryptocurrencies and VASPs operating in Kenya, mitigating risks to Kenya's financial system and reputation, while promoting transparency and accountability in the growing virtual asset industry.

The listing of shares (stocks) and fixed income securities (like bonds) on a securities exchange in Kenya is subject to the following regulations and guidelines.

• The Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002: this primary legislation from the CMA establishes the overarching framework for how issuers can list and trade their securities on a securities exchange.
• Nairobi Securities Exchange (NSE) Listing Rules: these rules are specifically tailored to the listing of securities on the NSE, but they are in line with the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations. The Listing Rules outline the detailed requirements and procedures companies must follow to list on the following NSE different segments:
1. the Main Investment Market Segment (MIMS), designed for larger, well-established companies with a proven track record;
2. the Alternative Investment Market Segment (AIMS) offers more flexible listing criteria to accommodate smaller and medium-sized enterprises (SMEs);
3. the Fixed Income Securities Market Segment (FISMS) facilitates the listing and trading of fixed income securities, primarily corporate and government bonds; and
4. the Growth Enterprises Market Segment (GEMS) caters to high-growth companies and start-ups, giving them access to capital markets even without extensive profitability history.

The handling of orders is prescribed by the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011, which impose certain requirements on a market intermediary when handling orders on behalf of a client, including:

• executing client orders in the chronological sequence in which the orders were received, and giving priority to outstanding orders;
• ensuring that all transactions that it executes are allocated to the clients who gave the orders in a timely and equitable manner;
• not executing an order unless the client has made sufficient arrangements for the necessary funds or securities;
• if a market intermediary has aggregated an order for a client’s transaction with an order for its own account transaction, or with an order for another client’s transaction, in the subsequent allocation, not giving unfair preference to itself or to any of the clients, and giving priority to satisfying orders for client transactions, if all orders cannot be satisfied; and
• where a market intermediary has a client order to execute, or where it intends to give clients a price-sensitive recommendation or research or analysis, not knowingly effecting an own account transaction in the securities concerned or in any related investment until the order has been executed or until the clients for whom the publication was principally intended have had, or are likely to have had, a reasonable opportunity to react to it.

Peer-to-peer (P2P) cryptocurrency trading platforms have gained significant popularity in Kenya. Currently unregulated, these platforms leave Kenyan users without legal protection should the platforms experience failures or cease operations. However, the proposed VASP Bill aims to address this issue. If passed, the bill would regulate P2P trading platforms, requiring them to obtain a licence as virtual asset service providers in order to operate legally.

There are no express rules permitting or prohibiting payment for order flow. However, such activities may be prohibited if they are detrimental to the integrity of a securities exchange or run afoul of legal requirements under the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 or rules prescribed by a securities exchange (such as the NSE).

When conducting a regulated activity, a market intermediaryis required to apply the principles of best practice. These include observing a high standard of integrity and fair dealing, acting with due skill, care and diligence, and observing high standards of market conduct.

A market intermediary is also required to adhere to the following principles:

• ensuring that any agreement, written communication, notification or information that it gives or sends to clients to whom it provides a service is presented fairly and clearly;
• ascertaining if any of its clients are insiders and maintaining records that assist it to monitor insider dealing;
• holding its clients’ funds in trust for and on behalf of the clients and segregating its client bank accounts from any account holding funds belonging to the market intermediary; and
• avoiding any conflict of interest between itself and a client.

High-frequency and algorithmic trading are not regulated in Kenya. However, one of the robo-advisers exited from the CMA Sandbox (FourFront Management) is providing algorithmic trading services as part of the robo-advisers services approved under the letter of no-objection issued by the CMA.

As there is no regulatory regime for high-frequency and algorithmic trading, there are no market players acting in a principal capacity who would need to register as market makers.

As there is no regulatory regime on high-frequency or algorithmic trading, there is no distinction between funds and dealers that engage in these activities.

As there is no regulatory regime on high-frequency or algorithmic trading, there are no regulations with respect to programmers who develop and create trading algorithms and other electronic trading tools.

The Insurance Act does not set any regulations that apply to insurtech; there are no specific underwriting requirements for these entities.

Generally, the underwriting process for insurance industry participants is guided by guidelines and circulates issued by the IRA. The IRA has published various guidelines that require industry participants to develop criteria for risk assessment and to monitor and amend their processes as necessary, such as the IRA guidelines on insurance products, risk management and market conduct.

The Insurance Act provides for the regulation of general insurance business and long-term insurance business, and these two types of insurance business are treated differently. Long-term insurance business is insurance business in any of the following classes:

• life assurance;
• annuities;
• pensions (personal pension or deposit administration);
• group life;
• group credit;
• permanent health;
• investment (unit link and linked investments or non-linked investments); and
• any incidental business.

General insurance, on the other hand, is any insurance business for any class or classes not being long-term insurance business.

Insurers that offer both long-term and general insurance must maintain distinct capital reserves for each type of business. In addition, the assets held for long-term insurance policies are strictly protected. They are exclusively for the benefit of long-term policyholders and cannot be accessed to cover liabilities from the general insurance side of the business.

Regtech providers are unregulated in Kenya. However, the evolving regulatory landscape in Kenya creates an opportunity for the introduction of regtech solutions such as automated compliance systems that monitor transactions in real-time, detect anomalies, ensure adherence to local regulations, and generate necessary reports for regulatory bodies.

There are no established practices on regtech in Kenya.

Kenyan financial institutions have explored use cases for blockchain in the operations and sought regulatory approval for blockchain-linked products. However, there is a lack of information available to ascertain the uptake of blockchain technology.

Kenya has made significant strides in regulating blockchain technology and virtual assets. The VASPs Bill defines blockchain as “a digital ledger or database of transactions relating to virtual assets which are recorded chronologically, and which are capable of being audited”. This definition underscores the government's recognition of blockchain's role in ensuring transparency and security in digital transactions.

The VASPs Bill designates both the CBK and the CMA as key regulatory authorities for virtual assets. The CBK will oversee crypto service providers offering payment and currency-related solutions, while the CMA will regulate entities involved in trading, exchange and initial public offerings of virtual assets. This collaborative approach signifies a shift from previous caution towards a more structured engagement with the crypto industry.

Blockchain assets (hereinafter virtual assets) are not considered a form of regulated financial instrument in Kenya. However, the draft VASPs Bill seeks to provide the regulation of virtual assets, which are defined as “any digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes and does not include digital representation of fiat currencies, e-money, securities and other financial assets”. However, the following types of assets are excluded from regulation under the VASPs Bill:

• digital representations of value or rights that operate within a closed ecosystem of the issuer, including those that are:
1. non-transferable outside a closed ecosystem;
2. non-exchangeable with real-world goods, services, discounts or purchases outside a closed ecosystem;
3. non-tradeable onwards on the secondary market outside of the closed ecosystem;
4. non-saleable on a secondary market outside of the closed-loop system;
5. non-usable for payment or investment purposes; and
6. non-exchangeable for fiat-currency;
• digital representations of fiat currencies, securities and other financial instruments to the extent that they are regulated by other laws in Kenya;
• digital representations of fiat currencies issued by the CBK or any other jurisdiction;
• non-fungible tokens (NFTs) that are not used for payment, investment or any other financial purposes;
• NFTs that, by their nature and function rather than the designation given by its issuer, are not used for payment or investment purposes, and are not a digital representation of any financial asset; and
• any other digital representations of value or rights sought to be expressly excluded by the relevant regulatory authority.

Currently, there are no regulations pertaining to issuers of virtual assets. However, the CMA views initial coin offerings as an offer of “securities”, which should be subject to its regulation. Under the VASPs Bill, initial coin offerings would be a regulated activity that can only be undertaken by a licensed virtual asset service provider and approved by the relevant authority.

There are currently no regulations relating to virtual asset trading platforms or the secondary market trading of virtual assets. However, the VASPs Bill provides for the regulation of virtual asset trading platforms, which are centralised platforms that:

• facilitate the trading and exchange of virtual assets for fiat currency or other virtual assets;
• hold custody or control virtual assets on behalf of clients to facilitate an exchange; and
• purchase virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer.

Currently, Kenya does not have specific laws or regulations explicitly governing cryptocurrency staking services.

However, the VASPs Bill aims to introduce a regulatory framework for virtual asset activities. Although this proposed law does not explicitly mention staking, its broad definition of regulated "virtual asset services" would likely cover staking services. Under the VASPs Bill, activities involving custodial wallet services, facilitating virtual asset transactions, providing investment advisory, or validating transactions would require registration or regulatory approval.

Given this, staking service providers in Kenya would likely need to register and obtain the necessary regulatory approval under the proposed framework. Additionally, staking service providers would need to comply with anti-money laundering and combating financing of terrorism (AML/CFT) obligations outlined in the VASPs Bill.

Currently, Kenya does not have specific regulations governing cryptocurrency lending services. However, the VASPs Bill aims to introduce a regulatory framework that could apply to such services.

Cryptocurrency lending generally involves providing loans secured by cryptocurrency collateral, facilitating the transfer of cryptocurrencies between lenders and borrowers, and handling loan repayments or distributions. Although the VASP Bill does not explicitly define cryptocurrency lending, its broad definition of "virtual asset services" potentially covers:

• Custodial Wallet Services: Platforms holding cryptocurrency as collateral may fall within this category and would require licensing and regulation by the CBK or the CMA.
• Transfer Services of Virtual Assets: Platforms facilitating cryptocurrency transfers between lenders and borrowers would likely be regulated under this category, subject to licensing by CBK or CMA.
• Payment Gateway Services: Lending platforms managing loan disbursements or repayments involving cryptocurrencies may be regulated by CBK, with obligations such as customer due diligence, transaction monitoring, risk management, and compliance with AML requirements.

Given these broad definitions, crypto lending platforms operating in Kenya may soon require registration and regulatory oversight if the VASPs Bill is enacted. Additional regulatory guidance would likely be needed to clarify the specific applicability of existing financial services and lending regulations to cryptocurrency lending activities.

Currently, Kenya does not have specific laws or regulations explicitly governing cryptocurrency derivatives. Traditional financial derivatives are regulated by the CMA, with the CBK overseeing related aspects affecting financial stability and payments.

However, under the VASPs Bill, certain cryptocurrency derivatives activities may become regulated. The Bill broadly defines "virtual asset services," potentially covering:

• Platforms for Trading and Exchange: Cryptocurrency derivative trading platforms facilitating transactions, including clearing and settlement, would likely be regulated.
• Custodial Wallet Services: Entities holding cryptocurrency assets on behalf of clients involved in derivative transactions (eg, collateral management) would require licensing.

There is currently no regulation on DeFi in Kenya.

There are currently no regulations on how funds can invest in virtual assets. For fund managers licensed under the Capital Markets Act and the Retirement Benefits Act to be able to invest in virtual assets, the investment guidelines set out in the respective regulatory frameworks would need to be amended to allow for investment in blockchain assets.

Virtual currencies are not currently expressly defined in Kenyan law. The Finance Act provides for the imposition of digital asset tax on income derived from the transfer or exchange of a “digital asset”.

The term “digital asset” is defined in the Finance Act to include “anything of value that is not tangible and cryptocurrencies, token code, number held in digital form and generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration that can be transferred, stored or exchanged electronically”. This definition would capture virtual currencies and, as such, any gain from the exchange of virtual currencies would be subject to tax in Kenya.

Under the VASPs Bill, virtual currencies fall within the definition of virtual assets. As such, if the VASPs Bill is implemented in its current form, there would be no distinction between the treatment of virtual currencies and the treatment of other virtual assets.

There is currently no regulatory framework for NFTs or NFT platforms. However, the VASPs Bill provides for the regulation of NFTs issued by VASPs in Kenya and excludes certain types of NFTs from regulation, including:

• NFTs that are not used for payment, investment or any other financial purposes; and
• NFTs that, by their nature and function rather than the designation given by their issuer, are not used for payment or investment purposes, and are not a digital representation of any financial asset.

Kenya currently lacks specific open banking regulations. As such, the sharing of personal financial data with third parties falls under the purview of the Data Protection Act. However, within its National Payments Strategy 2022-2025, the CBK has expressed a commitment to developing appropriate API standards and promoting secure data-sharing practices. The adoption of secure APIs by digital financial providers would streamline connectivity between third parties, primarily fintechs specialising in tailored solutions, and traditional financial institutions. This integration would lead to enhanced efficiency and security within the financial sector.

While there are no regulations that specifically deal with open banking, banks and technology providers would need to be compliant with the Data Protection Act; please see 2.11 Implications of Additional, Non-Financial Services Regulations.

The key elements of fraud are:

• a false representation of a false fact;
• with the intention that another party should act on it; and
• that party suffers damage.

In legal proceedings, an accusation of fraud carries a heightened standard of proof. This standard exceeds the “balance of probabilities” threshold common in civil cases, demanding more substantial evidence. While this standard falls short of the “beyond a reasonable doubt” requirement of criminal cases, it necessitates a significantly more persuasive demonstration of fraudulent conduct.

Regulators prioritise investigating and taking action against individuals or businesses that conduct regulated financial activities without the necessary licences and those that overcharge interest on their financial products. These fraudulent practices harm customers by potentially leading to lost funds and financial vulnerability.

Examples of enforcement activities include:

• issuing cease-and-desist orders – regulators typically order unlicensed entities to immediately halt their operations;
• imposing fines – regulators have the power to impose financial penalties on persons undertaking regulated activity without appropriate licensing;
• criminal prosecutions – regulators may work with law enforcement to pursue criminal charges against persons undertaking regulated activity without appropriate licensing; and
• public warnings – regulators often issue public statements and warnings to inform consumers about unlicensed entities or fraudulent schemes they have identified.

In Kenya, a FinTech service provider may be held responsible for customer losses in various circumstances, primarily if the loss or damage arises from fraudulent actions, regulatory violations, breach of contract, or inadequate security measures by the provider.

Specifically, a provider can be liable:

• If it engages in fraud, gross negligence, or intentional misconduct, leading directly to financial harm or loss to customers.
• If it breaches contractual obligations, particularly when customer agreements or consumer protection laws have been violated.
• For failure to comply with regulatory obligations, including licensing requirements, data protection standards, and cybersecurity obligations.

In such cases, customers may seek remedies, including compensation for financial losses, refunds, or other legal sanctions. Regulators such as the CBK, Competition Authority of Kenya , and Office of the Data Protection Commissioner can impose fines, regulatory sanctions, or require customer compensation.

Customers affected by fraudulent or negligent activities by FinTech providers also have the option to file complaints with regulators or seek legal redress through Kenyan courts.