Key Developments

Kenya’s fintech market has strengthened its position as a continental leader, driven by ongoing innovation, regulatory progress, and growing adoption of digital financial services. The following developments have shaped the country’s fintech landscape over the past 12 months.

Enactment of the Virtual Asset Service Providers Act

The Virtual Asset Service Providers Act (VASPA) came into force on 4 November 2025. The Act establishes a licensing and supervisory framework for virtual asset service providers (VASPs). Under the new regime, applicants must demonstrate financial soundness, strong governance and risk‑management structures, robust cybersecurity controls, and compliance with fit‑and‑proper requirements.

VASPA also sets out ongoing obligations for licensed VASPs, including safeguarding customer assets, maintaining ethical and market‑conduct standards, and complying with anti‑money laundering and counter‑terrorism financing laws.

Growth of digital lending

Digital lending continues to expand rapidly. In 2025, the Central Bank of Kenya (CBK) licensed approximately 110 digital credit providers, bringing the total number of licensed entities to 195. These lenders rely on data analytics and alternative credit‑scoring models to deliver faster, more accessible loans to individuals and small businesses.

Since the introduction of the licensing framework in March 2022, the CBK has received over 800 applications, signalling strong market demand and illustrating the rapid growth of digital credit activities.

Mobile money dominance

Mobile money remains the dominant pillar of Kenya’s financial ecosystem, showing sustained growth in both penetration and usage. According to the Communications Authority of Kenya (CA), mobile money subscriptions reached 47.7 million active accounts by June 2025, equivalent to approximately 91% population penetration – up significantly from about 77.3% the previous year.

This growth reflects continued consumer uptake and the critical role of mobile wallets in everyday financial activity. Mobile money now supports a wide range of transactions beyond peer‑to‑peer transfers, including bill payments, merchant payments and savings. This expansion has helped deepen financial inclusion across both urban and rural areas. Data from the CBK and sector reports indicate that mobile money transactions continue to record high volumes and values, even where macroeconomic conditions influence fluctuations in transaction values.

Looking Forward

Regulatory spotlight

Over the next 12 months, Kenya’s fintech sector is expected to shift from rapid product experimentation to a stronger focus on regulatory implementation, supervision and enforcement – particularly in higher‑risk verticals such as digital credit and virtual assets.

Although VASPA is now in force, the licensing regime will only become operational once the Cabinet Secretary for the National Treasury issues implementing regulations. These will follow consultations and advice from sector regulators including the CBK and the Capital Markets Authority (CMA). Recent regulatory communications indicate that the National Treasury is developing these regulations, with licensing set to begin once they are issued, though no firm timeline has been publicly confirmed.

Artificial Intelligence in Fintech Products and Services

AI adoption in Kenyan financial services is already underway and is expected to deepen over the next 12 months. Key applications include credit scoring and credit decision-making, fraud detection, customer engagement, and process automation.

The CBK has published a dedicated Survey on Artificial Intelligence in the Banking Sector, highlighting that institutions are integrating AI into core functions – particularly credit scoring and fraud detection – and emphasising the need for strong governance, responsible AI principles and human oversight.

In addition, Kenya has released a National AI Strategy (2025–2030), positioning AI adoption – including in financial services – within a framework of responsible deployment and alignment with existing laws such as data protection legislation.

The Kenyan fintech market is largely driven by business models centred on digital banking, digital lending, and payment services. Additional sectors such as investment services, insurtech, edtech, and agritech continue to expand as technology adoption increases across the country.

Digital Banking

Kenyan banks and microfinance institutions increasingly deliver their services through digital platforms. Customers can open accounts, access and monitor their banking information, and carry out a wide range of transactions – such as funds transfers and bill payments – using mobile phones or other digital devices.

Digital Credit Services

Non-deposit credit providers (NDCPs) offer a variety of digital credit solutions, including credit facilities, asset financing, buy-now-pay-later arrangements, credit guarantees, pay-as-you-go models, and peer-to-peer lending. These providers typically issue small, short‑term loans to individuals and businesses, with funds disbursed directly to borrowers’ mobile money accounts. Repayment processes are also streamlined, often facilitated through mobile apps or simple USSD codes.

Payment Services

Payment services encompass the systems and processes that enable financial transactions. They support interactions between businesses, between businesses and customers, and between individual consumers. Key players in this space include the following.

• Mobile network providers – licensed mobile operators have significantly broadened financial inclusion through mobile money platforms such as M-PESA.
• Payment service providers (PSPs) – specialised entities offering payment services such as transaction processing and technology‑driven payment solutions.
• Banks and money remittance operators – traditional banks and licensed remittance operators facilitate cross‑border transactions. Money remittance operators, in particular, enable fund transfers between individuals without requiring either party to hold a traditional bank account.

Investment Services

Investment service providers in Kenya are increasingly leveraging technology to widen access to investment opportunities. Key offerings include the following.

• Brokerage services – start-ups are collaborating with licensed collective investment schemes to simplify the process for retail investors to participate in various investment products.
• Forex trading – online foreign exchange trading continues to grow in popularity. The Capital Markets Authority (CMA) regulates both forex brokers offering online platforms and intermediaries who connect clients to the forex market in exchange for commissions or spread mark‑ups.
• Crowdfunding platforms – online crowdfunding platforms provide investors with access to debt‑ and equity‑based financing opportunities. These platforms are regulated by the CMA to ensure adequate investor protection when offered within Kenya.

Insurtech

Kenya’s historically low insurance penetration rate has fostered considerable innovation in insurtech. Both start-ups and established insurers are deploying technology to improve accessibility and efficiency. Innovations include digital platforms that facilitate policy access, claims submission, and policy management, as well as microinsurance products designed to serve underserved populations.

Edtech

Following the nationwide school closures in 2020 during the COVID‑19 pandemic, Kenya experienced significant growth in edtech adoption. Current solutions offer a range of services, including revision materials, textbook supply, and interactive learning delivered through mobile applications and USSD technology. These platforms are designed to cater to users with varying levels of digital literacy.

Agritech

Given that approximately 70% of Kenya’s rural population is engaged in agriculture, agritech solutions have seen steady uptake. These technologies provide critical tools and resources to farmers, including soil quality testing, expert agricultural advice, access to credit for small‑scale operations, and digital marketplaces for agricultural products and services.

There is no standalone regulatory regime for fintech in Kenya. Instead, fintech products and services fall under various existing financial laws. In addition to the VASPA, the main legislation governing the financial services sector – and the corresponding regulators – is outlined below.

Digital Banking and Digital Lending

The Central Bank of Kenya Act, Cap 491 establishes the Central Bank of Kenya (CBK), which regulates and supervises various deposit‑taking and non‑deposit‑taking financial institutions, including banks, microfinance institutions, non‑deposit‑taking credit providers and payment service providers (PSPs).

The Banking Act, Cap 488 provides for the licensing and regulation of banks conducting “banking business” in Kenya. This includes accepting deposits from the Kenyan public and using those deposits for lending or investment.

The Microfinance Act, Cap 493C provides for the licensing and regulation of deposit‑taking microfinance institutions operating in Kenya and offering services to small or micro enterprises or low‑income households.

The Central Bank of Kenya Prudential Guidelines guide banks on operational conduct, including licensing procedures, capital adequacy requirements and enforcement of banking laws and regulations.

Digital Lending

The Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 (DCP Regulations) provide for the licensing and regulation of non‑deposit‑taking digital credit providers (NDCPs).

Payment Services

The National Payments Systems Act, Cap 491A provides for the authorisation and regulation of payment service providers in Kenya, including e‑money issuers, electronic retail providers and cash merchants.

The Central Bank of Kenya (Money Remittance Regulations), 2013 provide for the licensing and regulation of money remittance operators.

Investment

The Capital Markets Act, Cap 485A establishes the Capital Markets Authority (CMA) and regulates the offering of securities in Kenya, whether public or private.

The Retirement Benefits Act, Cap 197 establishes the Retirement Benefits Authority and governs the registration and regulation of retirement benefits schemes.

Insurance

The Insurance Act, Cap 487 establishes the Insurance Regulatory Authority and provides for the regulation of insurance providers and insurance products, including digital insurance products.

Consumer Protection

The Competition Act, Cap 504 ensures a fair and competitive marketplace. It protects consumers from harmful business practices such as misleading advertising or unfair pricing and establishes the Competition Authority of Kenya (CAK) to enforce fair competition standards.

The Consumer Protection Act, Cap 501 offers targeted safeguards for individuals using credit. It requires lenders to disclose loan terms clearly and prohibits penalties for early repayment.

The Data Protection Act, Cap 411C provides the legal framework for protecting personal data, including financial data processed by fintech providers. It requires institutions to collect and safeguard customer data responsibly and implement technical and organisational security measures.

Industry Compensation Practices

Industry players apply different compensation models for their services.

• PSPs and market intermediaries generally charge a transaction fee for each action a customer performs on their platform, such as using a debit card or initiating an online payment.
• NDCPs primarily focus on offering credit and typically charge a credit facility fee, which is often deducted from the loan amount at disbursement.
• Banks employ a hybrid model. They may charge transaction fees for transactional services while also providing credit facilities that attract fees or interest.

Additionally, the various sectoral laws impose specific requirements on how industry participants may charge customers and what disclosures must be provided.

Digital Banking

Banks providing credit facilities are prohibited from imposing default charges or prepayment penalties. For non‑performing loans, interest on the overdue amount ceases to accrue once the accumulated interest equals the principal amount.

Banks must disclose to customers all charges, fees, and penalties associated with a product or service before the customer selects it. They must also notify consumers of any changes to fees or charges within a reasonable time – typically 30 days – before implementing such changes.

Digital Credit

NDCPs must disclose to customers all payments required in connection with a loan, including interest, fees, expenses, and any other costs. They may not increase charges or credit limits without providing at least 30 days' prior notice.

NDCPs must also submit their pricing models to the CBK for approval. Once approved, they cannot alter their pricing models or parameters without the CBK’s prior written consent. They are further subject to similar restrictions as banks regarding default charges, prepayment penalties, and interest on non‑performing loans.

Payment Services

PSPs are required to disclose all service charges and must publish and display this information prominently at all points of service.

They must also notify both customers and the CBK of any material changes in rates, terms, or charges at least seven days before the changes take effect.

Investment Services

CMA‑licensed service providers (market intermediaries) must inform customers of all applicable fees for their services. They may not deduct fees or charges from a client's funds, nor may they liquidate a client’s securities to recover fees, unless permitted under the client agreement or as prescribed by the CMA.

Market intermediaries include:

• stockbrokers;
• derivatives brokers;
• REIT managers;
• trustees;
• dealers;
• investment advisers;
• fund managers;
• investment banks;
• central depositories;
• authorised securities dealers;
• authorised depositories;
• online forex brokers;
• commodity dealers; and
• commodity brokers.

If the services or products offered by fintechs fall under existing Kenyan regulations, there is no distinction in how fintechs and traditional financial institutions are regulated. In such cases, both fintechs and legacy players must obtain the appropriate licence from the relevant regulator before offering the service or product.

CMA

The Capital Markets Authority (CMA) has established the CMA Regulatory Sandbox, a framework designed to enable live testing of innovative financial products, solutions and services, while placing strong emphasis on investor protection.

The Sandbox operates under the Regulatory Sandbox Policy Guidance Note, issued in early 2019, which sets out clear eligibility criteria, application procedures, safeguards and testing requirements for firms seeking participation.

After the testing period, the CMA may take one of the following actions.

• Grant a full licence or approval to operate in Kenya.
• Issue a Letter of No Objection allowing the applicant to operate under specific conditions.
• Develop new regulations, guidelines or notices if insights from testing indicate a need for broader legal reforms or a new regulatory framework to support innovative business models.
• Deny permission to operate where the innovation fails to meet prevailing legal and regulatory standards.

Approach to regulation

Once a fintech is onboarded into the CMA Sandbox, it must comply with certain minimum regulatory requirements applicable to all capital markets participants. These include obligations related to preventing money laundering, counter‑terrorism financing and other illicit activities.

If a fintech is already licensed by the CMA, the licence continues to apply to all non‑sandbox‑approved activities undertaken by the firm.

The CMA may revoke or suspend a participant’s approval to operate within the Sandbox if the fintech:

• fails to maintain required safeguards;
• submits false information; or
• does not address defects or vulnerabilities in its products that result in service disruptions or fraud incidents.

CA

The Communications Authority (CA) has also established a regulatory sandbox aimed at fostering innovation in Kenya’s ICT sector. The CA Sandbox provides a controlled environment for testing new products and services across areas such as broadcasting, cybersecurity, multimedia, telecommunications and e‑commerce.

Its operation mirrors that of the CMA Sandbox, and after testing the CA may:

• grant a licence or approval to operate under existing regulations;
• authorise operation under specific conditions, where full licensing is not yet appropriate;
• develop new regulations, guidelines or notices informed by insights obtained during sandbox testing, particularly where regulatory gaps are identified; and
• deny permission to operate if the innovation does not satisfy current legal and regulatory requirements.

It is common for more than one regulator to have jurisdiction over a fintech operating in Kenya. The scope of each regulator’s authority is determined by the relevant enabling legislation. For example, a mobile network provider would be regulated by:

• the Communications Authority of Kenya (CA), which oversees the provider’s core telecommunications services;
• the Central Bank of Kenya (CBK), which supervises the provider’s mobile payment services, money remittance activities, and/or digital credit services;
• the Competition Authority of Kenya, which reviews mergers and acquisitions and monitors potential abuses of market dominance to ensure fair competition; and
• the Kenya Revenue Authority, which manages the tax obligations arising from the provider’s business activities.

Typically, regulators with overlapping mandates enter into memoranda of understanding to co-ordinate their respective roles or consult one another before taking regulatory action.

Regulators in Kenya have historically issued “letters of no objection”, which formally state that an organisation’s proposed activities do not violate existing laws or regulatory frameworks. A well‑known example is the Central Bank of Kenya’s (CBK) issuance of such a letter in February 2007, which enabled the launch and operation of M‑PESA – Kenya’s pioneering mobile money transfer platform – at a time when the sector lacked clear regulation.

This practice also extends to the regulation of virtual assets. The Virtual Asset Service Providers Act introduces specific circumstances in which letters of no objection are required. Under this law, such letters are necessary in the following situations.

Initial Virtual Asset Offerings

When an entity intends to issue or promote an initial virtual asset offering within or originating from Kenya, it must apply for a license from either the CBK or the Capital Markets Authority (CMA). The relevant authority would then issue a letter of no objection indicating that it does not oppose the proposed issuance.

Licensing of Virtual Asset Service Providers in Other Regulated Sectors

When the CBK or CMA considers granting a virtual asset service provider licence to an applicant already operating within another regulated sector, a letter of no objection from the respective regulator overseeing that sector is required as a prerequisite.

Digital Banking

Under the Central Bank Prudential Guideline on Outsourcing (CBK/PG/16), any person undertaking “banking business” is:

• prohibited from outsourcing certain core management functions, including corporate planning, organisation, management and control, and all decision‑making functions;
• permitted to outsource certain “material activities”, but only with prior approval from the CBK – these activities include information system management and maintenance, application processing (eg, loan origination), claims administration, cash movement, and internal audit; and
• permitted to outsource specific activities that only require notifying the CBK rather than obtaining advance approval – these activities include:
1. courier services;
2. credit background checks;
3. background investigations; and
4. employment of contract or temporary staff.

All permitted outsourcing arrangements must be governed by a clearly written contract. The contract should emphasise clearly defined services, performance standards, and mechanisms for monitoring the service provider. It must also address data security, termination rights, subcontractor approval, audit rights, dispute‑resolution mechanisms, and specify pricing and fees.

Payment Service Providers

A PSP may outsource operational functions related to payment services. However, such outsourcing must comply with specific guidelines, including:

• maintaining robust internal quality‑control measures;
• ensuring the CBK retains oversight of all involved parties;
• ensuring senior management remains ultimately responsible for the outsourced functions; and
• strictly complying with customer contract terms and licensing requirements.

A PSP intending to outsource any of its functions must notify the CBK at least 30 days before implementing the outsourcing agreement.

Market Intermediaries

Market intermediaries may engage third parties to perform any of their functions, but they must maintain detailed records of each engagement. These records must include:

• contracts clearly outlining the services the third party will provide;
• verification of the third party’s legal standing, including documentation confirming financial soundness; and
• details of the skills and experience of the third party’s employees who will be performing work on behalf of the intermediary.

Even when tasks are delegated to a third party, the market intermediary remains ultimately responsible for ensuring the correct and proper completion of the outsourced tasks.

Fintechs would be liable for failures to notify the Financial Reporting Centre of any transactions that are suspected to be related to money laundering or the proceeds of crime. See 2.14 Impact of AML and Sanctions Rules.

Kenyan financial laws, as set out in 2.2 Regulatory Regime, adopt similar approaches to regulatory enforcement. Accordingly, the main regulatory enforcement actions that may be imposed by regulators include:

• imposing discretionary fines;
• revoking or suspending licences;
• imprisonment of a company’s officials;
• ordering compensation or restitution to persons affected by a regulatory breach;
• issuing enforcement notices specifying the remedial actions required to rectify a breach; and
• disqualification of directors from holding office in financial institutions.

The imprisonment of company officials and the imposition of fines may be carried out through court proceedings in accordance with the applicable statutes.

Data Protection

The Data Protection Act regulates the processing of personal data, outlining the rights of data subjects and the obligations of data controllers and data processors.

Any fintech that processes personal data belonging to individuals in Kenya, or any personal data that is resident in Kenya, must comply with the Act. Key obligations include:

• registering with the Office of the Data Protection Commissioner (ODPC) as a data controller or data processor;
• obtaining consent from a data subject before processing their personal data;
• ensuring that personal data is processed only to the extent necessary; and
• reporting and documenting any personal data breaches.

Failure to comply with the Data Protection Act may result in administrative penalties of up to KES5 million (approximately USD35,000) or 1% of the preceding year’s annual turnover, whichever is lower. Additionally, a fintech may face criminal sanctions, including imprisonment for up to ten years or fines of up to KES3 million (approximately USD20,000).

Consumer Protection

The Consumer Protection Act safeguards consumers and prohibits unfair trade practices in consumer transactions.

Under the Act, businesses are strictly prohibited from providing false, misleading or deceptive representations about their products or services. This includes:

• claiming a product has characteristics it does not actually possess;
• implying higher quality than what is accurate;
• suggesting availability for reasons not disclosed; or
• contradicting information previously provided in advertising.

Businesses must also clearly explain a customer’s rights, remedies and obligations, and must not use exaggeration, vague language or hidden information to mislead customers.

The Act further prohibits unconscionable representations. A representation is considered unconscionable where a business knows – or should reasonably know – that a consumer is unable to protect their own interests due to factors such as disability, lack of understanding or illiteracy. Unconscionable conduct also includes agreements that are excessively one‑sided or where a consumer was pressured into entering the transaction.

If a fintech makes a false, misleading, deceptive or unconscionable representation, the customer may rescind the agreement and seek additional remedies under the law, including damages.

Cybersecurity

The Computer Misuse and Cybercrimes Act (CMCA), Cap 79C of the Laws of Kenya, provides a framework for the timely and effective detection, prevention, response, investigation and prosecution of computer and cybercrimes.

Under the CMCA, any entity that provides users with the ability to communicate through a computer system (ie, a service provider) must:

• comply with any court order requiring the submission of subscriber information to a police officer or authorised person;
• comply with requests from a police officer or authorised person to preserve data at risk of modification, loss or destruction; and
• respond promptly to requests for assistance from a police officer or authorised person.

Fintech companies fall within the definition of a service provider and are therefore required to meet these obligations.

Additionally, any person who, without authorisation, gains access to, interferes with or intercepts data relating to a protected computer system commits an offence. Upon conviction, the penalty may include a fine of up to KES25 million, imprisonment for up to 20 years, or both. A protected computer system includes systems used directly in connection with communication infrastructure, banking and financial services, and payment and settlement systems and instruments.

The activities of fintechs are largely subject to review by various private industry organisations, such as the Kenya Bankers Association, the Fintech Association of Kenya, the Digital Financial Services Association of Kenya and the Association of Fintechs in Kenya. These organisations aim to act as forums for education, information sharing and networking between fintechs, policymakers and the general public.

Industry participants do offer unregulated products and services, but such activities are undertaken through affiliate entities rather than by the regulated entity itself, due to restrictions placed on the regulated entities by the applicable laws. For instance, a bank can only undertake “banking business” and is not permitted to undertake any other type of business.

The Proceeds of Crime and Anti-Money Laundering Act, Cap 59A of the Laws of Kenya (POCAMLA) sets out the rules and obligations that various types of “reporting institutions” must comply with. A fintech entity becomes subject to POCAMLA if it falls within the Act’s definition of a “reporting institution”.

Under POCAMLA, a “reporting institution” is defined as a financial institution or a designated non‑financial business or profession. A financial institution is a person or entity that conducts business in any of the following activities or operations:

• accepting deposits and other repayable funds from the public;
• lending, including consumer credit, mortgage credit, factoring (with or without recourse), and financing of commercial transactions;
• issuing and managing means of payment (such as credit and debit cards, cheques, travellers’ cheques, money orders, bankers’ drafts, and electronic money);
• participation in securities issues and the provision of financial services related to such issues;
• investing, administering, or managing funds or money on behalf of other persons;
• underwriting and placement of life insurance and other investment‑related insurance; and
• money and currency changing.

Any fintech engaging in these activities would fall within the definition of a “reporting institution” and would therefore be subject to POCAMLA. Reporting institutions must comply with obligations that include:

• monitoring all complex, unusual, suspicious, large, or otherwise noteworthy transactions on an ongoing basis; and
• reporting suspicious or unusual transactions or activity to the Financial Reporting Centre whenever there is reason to suspect that such transactions may constitute or relate to money laundering or the proceeds of crime.

In addition, under the DCP Regulations, NDCPs are required to provide the Central Bank of Kenya (CBK) with evidence of the sources of funds invested or intended to be invested in their business. This requirement is intended to ensure that such funds do not originate from criminal activity.

Furthermore, market intermediaries are required to obtain the following information from their clients before placing any investment order on their behalf:

• details regarding the origin of funds used or intended to be used for the investment, including confirmation from the remitting entity (where funds originate from outside Kenya) regarding the client’s business and the source of the funds; and
• a written statement from the client verifying the accuracy of the information provided and confirming that the funds are not the proceeds of money laundering or other illegal activities.

Anti‑money laundering and sanctions regulations in Kenya are generally aligned with the standards set by the Financial Action Task Force (FATF). Key Kenyan AML legislation – such as the Proceeds of Crime and Anti‑Money Laundering Act (POCAMLA) and the Prevention of Terrorism Act, CAP 59B – closely follows FATF Recommendations.

In addition, various financial sector laws have been amended to explicitly assign regulatory authorities – including the Central Bank of Kenya, the Capital Markets Authority, and the Insurance Regulatory Authority (IRA) – with responsibility for regulating, supervising, and ensuring compliance with anti‑money laundering, combating the financing of terrorism, and countering proliferation financing measures for all reporting institutions within their respective jurisdictions.

In Kenya, there is no single, uniform approach to reverse solicitation, and the applicable rules vary across different sectors. For example, in the capital markets sector, securities issued outside Kenya cannot be offered to Kenyan citizens within Kenya – even in reverse solicitation scenarios – without prior approval from the Capital Markets Authority. A comparable position applies in the insurance sector, where offshore insurance providers must obtain authorisation before offering their products or services locally.

In the banking sector, there have historically been no explicit restrictions on reverse solicitation. However, recent amendments to the Central Bank Act have introduced circumstances in which an offshore provider of banking products or services may now be required to seek regulatory approval from the Central Bank of Kenya before offering such products or services in Kenya.

The Virtual Asset Service Providers Act does not expressly address or impose restrictions on reverse solicitation in relation to virtual assets.

As there are currently no specific regulations governing robo‑advisers in Kenya, there are likewise no prescribed business models that must be adopted for robo‑advisory services.

However, the Capital Markets Authority has taken steps toward regulating robo‑advisers involved in the provision of investment services. Through the CMA Regulatory Sandbox, the Authority has issued letters of no‑objection to two entities – FourFront Management Limited and Waanzilishi Capital Limited – allowing them to offer automated, algorithm‑driven financial planning services with limited or no human intervention.

It is important to note that these letters of no‑objection were granted on the basis that both entities already hold the appropriate licences. FourFront Management Limited operates as a division of Standard Investment Bank, a licensed investment bank in Kenya, while Waanzilishi Capital Limited is registered as a fund manager. Under the Capital Markets Act, both investment banks and fund managers are empowered and authorised to provide investment advice to customers in Kenya.

Currently, one of the licensed robo-advisers is a legacy player (Standard Investment Bank) and it needed to seek approval for the implementation of the solution through the CMA Sandbox given the lack of existing regulation on robo-advisers.

There are currently no specific regulations that prescribe how robo‑advisers must execute customer trades. However, because robo‑advisory services are provided by licensed market intermediaries, these intermediaries are required to comply with the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011. Under these regulations, a market intermediary must:

• deal for a client on the best terms available to that client;
• refrain from executing an order unless the client has made sufficient arrangements for the necessary funds or securities; and
• ensure that all transactions executed are allocated to the clients who placed the orders in a timely and equitable manner.

There are no major differences in how loans are regulated for individuals, small businesses, or other borrowers. Instead, variations in Kenyan lending regulations arise primarily from the source of the funds being used for lending.

The key factor in determining regulatory requirements is whether the loans are issued using customer deposits. Under the Banking Act, both “banking business” and “finance business” are regulated activities. Each involves:

• accepting money on deposit from the public, which must be repayable on demand; and
• using the deposited funds by lending, investing, or otherwise deploying them at the risk of the entity that lends or invests the funds.

A similar regulatory framework applies under the Microfinance Act, which provides a comparable definition for “microfinance business”.

There are no specific regulations that prescribe the underwriting process for industry participants. However, the DCP Regulations impose an obligation on an NDCP not to advance any credit to a customer until it has taken reasonable steps to assess the customer’s ability to repay the credit facility.

NDCPs will typically use consumer data and apply automated algorithms to make automated decisions regarding a customer’s creditworthiness and risk. When undertaking such an assessment, the DCP Regulations require the NDCP to collect and assess only the customer data necessary for the appraisal. This requirement aligns with the data processing principles set out under the Data Protection Act.

Deposit‑Taking Lenders

Entities that undertake deposit‑taking business (eg, banks) raise funds from several sources.

Customer deposits

As outlined in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, entities carrying out “banking business” or “microfinance business” obtain deposits from customers. These deposits are then used to issue loans to those customers.

Equity capital

Shareholders of a deposit‑taking business typically provide capital in the form of:

• permanent shareholders’ equity, including issued and fully paid‑up ordinary shares and perpetual non‑cumulative preference shares;
• disclosed reserves, such as ordinary share capital and perpetual non‑cumulative share premium; and
• retained earnings.

Debt capital

Deposit‑taking businesses may also raise capital through debt obtained from lenders or investors (eg, through instruments such as convertible notes).

Non‑Deposit‑Taking Lenders

Lenders that do not obtain deposits from customers but still provide loans (eg, NDCPs) raise funds through equity capital or debt capital, similar to deposit‑taking lenders.

Regulation of Sources of Funds

Raising debt or shareholder capital becomes subject to regulation if the fundraising activity is considered a public offer of securities. In such cases, the entity must comply with:

• the Capital Markets Act; and
• the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002.

A public offer of securities occurs when a company invites a broad segment of the public to invest in its financial instruments. This arises if:

• the invitation extends beyond a small, predefined group of investors; or
• the offer structure allows securities to be transferred to individuals who were not the original intended recipients.

Syndication of loans is not common in Kenya, and there are no specific regulations governing the practice. However, when loan syndication does occur, the process generally follows the steps outlined below.

Origination

A borrower identifies a significant funding requirement and selects a lead arranger – typically an experienced investment bank or commercial bank – to co-ordinate the syndication process.

Details and Negotiation

The lead arranger works with the borrower to prepare a detailed information package describing the borrower’s business and financial position. This information forms the basis for negotiating the main loan terms, including the loan amount, interest rate, and repayment structure.

Finding Partners

The lead arranger then approaches other banks or investors, inviting them to participate in the lending group (the syndicate). These prospective lenders review the information package and assess the borrower’s risk profile before deciding whether to join.

Commitments and Contracts

Lenders who choose to participate determine the portion of the loan they are willing to fund. The loan terms are refined, and a comprehensive loan agreement is drafted, legally binding all parties involved.

Funding and Beyond

Once the agreement is signed, the lead arranger disburses the funds to the borrower. Often, a designated bank is appointed to administer the loan on behalf of the syndicate and to ensure that the borrower complies with the agreed terms.

Payment processors can either use existing payment rails or create and implement new ones.

To operate in Kenya, a payment processor must first be authorised as a PSP by the Central Bank of Kenya under the National Payment Systems (NPS) Act. Under the NPS Act, a PSP is an entity that:

• sends, receives, stores, or processes payments, or provides other services through any electronic system;
• owns, possesses, operates, manages, or controls a public switched network for the provision of payment services; or
• processes or stores data on behalf of PSPs or users of payment services.

Once authorised, a PSP may use existing payment rails to facilitate payments between customers in Kenya, subject to any conditions imposed by the CBK as part of the authorisation.

Cross‑border payments and remittances are regulated under the Money Remittance Regulations, which require any person wishing to conduct “money remittance business” to obtain a licence from the Central Bank of Kenya.

The Money Remittance Regulations define “money remittance business” as a service that enables the transmission of money, or any representation of monetary value, without creating payment accounts in the name of the payer or payee, where:

• funds are received from a payer solely for the purpose of transferring a corresponding amount to a payee, or to another payment service operator acting on behalf of the payee; or
• funds are received on behalf of the payee and made available to them.

Currently, the CBK requires Payment Service Providers to obtain a money remittance licence in order to facilitate cross‑border transactions. This requirement stems from the fact that the National Payment System (NPS) Act does not explicitly address the involvement of PSPs in such services. To prevent ambiguity and ensure seamless operations, there is a need for clearer regulatory provisions that directly address this legislative gap.

Additionally, banks and deposit‑taking microfinance institutions are exempt from the Money Remittance Regulations and may carry out cross‑border payments and remittances without obtaining a money remittance licence.

Different types of marketplaces and trading platforms are permitted in Kenya for the trading of securities. These marketplaces and platforms are regulated by the Capital Markets Authority and include the following.

• Securities exchange – a formal marketplace where various securities are bought, sold, or exchanged. Tradeable securities on an exchange include shares, debt securities, government securities, warrants, options, futures, units in a collective investment scheme (CIS), depository receipts, and asset‑backed securities.
• Derivatives exchange – a CMA‑licensed securities exchange specifically designed for the listing and trading of exchange‑traded derivative contracts. These are standardised financial instruments whose value is derived from underlying assets, indices, or interest rates.
• Commodities market – a regulated marketplace – licensed by the CMA or an equivalent authority – that facilitates the buying, selling, or trading of commodity contracts. Trading can take place physically or electronically. Tradeable commodities include agricultural, livestock, fishery, forestry, mining, or energy goods, as well as related manufactured or processed products, financial instruments, indices, and rights or interests linked to such commodities.
• Over‑the‑counter (OTC) securities exchange – a decentralised market in which securities not listed on a formal exchange are traded directly between participants, usually through a broker‑dealer network. OTC markets are typically less regulated than traditional exchanges.
• Online foreign exchange platforms – internet‑based systems operated by online foreign exchange brokers that enable the trading of foreign currencies, including contracts for difference (CFDs) based on foreign underlying assets.

The different assets tradable on the platforms and marketplaces listed in 6.1 Permissible Trading Platforms are regulated under the Capital Markets Act and the regulations issued pursuant to it.

The regulations issued under the Capital Markets Act in relation to derivatives, asset‑based securities, commodities, and CFDs set out the requirements for how these assets should be traded on their respective exchanges and platforms, as well as the obligations of market intermediaries when dealing with such assets.

The VASPA establishes a regulatory framework for cryptocurrency exchanges in Kenya, with a primary focus on centralised exchanges. Supervisory responsibility is broadly divided between the CMA, which oversees trading‑related activities, and the CBK, which regulates payment‑like services and stablecoin‑related activities. The overarching objective of the regime is to integrate exchanges into the formal financial system, enable lawful banking relationships, ensure compliance with anti‑money‑laundering requirements, and strengthen standards of cybersecurity, consumer protection, and market integrity.

VASPA defines a “virtual asset trading platform” as a digital platform that, for a fee or other economic benefit, enables third‑party trading of virtual assets for fiat currency or other virtual assets, and that either (i) holds or controls client virtual assets in order to facilitate such trades, or (ii) intermediates matched trades by purchasing virtual assets from sellers and selling them to buyers. This definition is intentionally structured to capture the core operational features of centralised exchanges.

The legislative and policy materials underpinning VASPA focus on the licensing and supervision of identifiable “exchanges” and “virtual asset service providers”, thereby creating clear regulatory hooks for centralised intermediaries. However, VASPA provides limited clarity on the regulatory challenges posed by offshore operators and non‑custodial, decentralised exchange (DEX) models. In practice, platforms that interface with Kenyan users on a business basis – particularly where they provide custody of assets, operate order books, offer fiat on‑ or off‑ramps, or actively market into Kenya – are likely to fall within the scope of VASP licensing expectations. By contrast, purely protocol‑level DEX activity raises more complex questions regarding regulatory reach and supervision, which are likely to be addressed gradually through guidance, enforcement practice, and the regulation of adjacent service providers.

The listing of shares (stocks) and fixed‑income securities (such as bonds) on a securities exchange in Kenya is governed by several key regulations and guidelines.

The Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002

This is the primary legal framework issued by the Capital Markets Authority. It sets out the fundamental requirements and procedures that issuers must follow when offering and listing their securities on a securities exchange in Kenya.

Nairobi Securities Exchange (NSE) Listing Rules

These rules apply specifically to the listing of securities on the NSE. While aligned with the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, they provide more detailed, segment‑specific requirements and procedures. The NSE Listing Rules cover the following market segments.

• Main Investment Market Segment (MIMS) – designed for large, well‑established companies with a strong, proven operational and financial track record.
• Alternative Investment Market Segment (AIMS) – offers more flexible listing conditions to accommodate small and medium‑sized enterprises (SMEs).
• Fixed Income Securities Market Segment (FISMS) – facilitates the listing and trading of fixed‑income securities, primarily corporate bonds and government bonds.
• Growth Enterprises Market Segment (GEMS) – caters to high‑growth companies and start‑ups, enabling them to access the capital markets even without a long profitability history.

The handling of orders is governed by the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011, which set out specific obligations for market intermediaries when acting on behalf of clients. These obligations include the following.

• Executing client orders in the chronological order in which they are received, and ensuring that outstanding orders are given priority.
• Allocating all executed transactions to the clients who placed the orders in a timely and equitable manner.
• Refraining from executing any order unless the client has made sufficient arrangements for the necessary funds or securities.
• Where a market intermediary aggregates a client’s order with its own account transaction or with another client’s order, ensuring that the subsequent allocation does not give unfair preference to itself or to any particular client. If all orders cannot be fully satisfied, priority must be given to fulfilling client orders.
• Avoiding any own-account transactions in relevant securities, or in related investments, when the intermediary has a pending client order or intends to issue price‑sensitive recommendations, research, or analysis to clients. This restriction applies until the client order is executed or until the intended clients have had, or are reasonably likely to have had, sufficient opportunity to act on the information.

Peer‑to‑peer (P2P) cryptocurrency trading platforms have become increasingly popular in Kenya. However, because they are currently unregulated, Kenyan users lack legal protection if these platforms fail or cease operations. The VASPA seeks to address this gap by introducing regulatory oversight for P2P trading platforms, requiring them to obtain a licence as virtual asset service providers in order to operate legally.

There are no explicit rules that either permit or prohibit payment for order flow. However, such practices may be restricted if they undermine the integrity of a securities exchange or violate legal requirements under the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011, or the rules established by a securities exchange (such as the NSE).

When conducting a regulated activity, a market intermediary must apply the principles of best practice. These include maintaining a high standard of integrity and fair dealing, acting with due skill, care and diligence, and upholding high standards of market conduct.

A market intermediary is also required to adhere to the following principles:

• ensuring that any agreement, written communication, notification or information provided to clients is presented clearly and fairly;
• determining whether any of its clients are insiders and keeping records that support effective monitoring of insider dealing;
• holding clients’ funds in trust on their behalf and keeping client bank accounts segregated from any accounts containing the intermediary’s own funds; and
• avoiding any conflict of interest between itself and its clients.

High‑frequency and algorithmic trading are not regulated in Kenya. However, one of the robo‑advisers that exited the CMA Sandbox, FourFront Management, is offering algorithmic trading services as part of its robo‑advisory solutions. These services fall under the scope of the letter of no‑objection issued by the CMA.

As there is no regulatory regime for high-frequency and algorithmic trading, there are no market players acting in a principal capacity who would need to register as market makers.

As there is no regulatory regime on high-frequency or algorithmic trading, there is no distinction between funds and dealers that engage in these activities.

As there is no regulatory regime on high-frequency or algorithmic trading, there are no regulations with respect to programmers who develop and create trading algorithms and other electronic trading tools.

The Insurance Act does not establish any specific regulations that apply exclusively to insurtech entities, nor does it impose particular underwriting requirements on them.

In practice, the underwriting process for participants in the insurance industry is guided by the guidelines and circulars issued by the Insurance Regulatory Authority (IRA). The IRA has published a range of guidelines requiring industry participants to develop clear criteria for risk assessment, as well as to continuously monitor and update their processes where necessary. These include, among others, the IRA guidelines on insurance products, risk management, and market conduct.

The Insurance Act provides for the regulation of both general insurance business and long‑term insurance business, treating these two categories differently.

Long‑term insurance business includes any of the following classes:

• life assurance;
• annuities;
• pensions (personal pension or deposit administration);
• group life;
• group credit;
• permanent health;
• investment (unit‑linked and linked investments or non‑linked investments); and
• any incidental business.

General insurance, by contrast, refers to any class or classes of insurance business that are not long‑term insurance business.

Insurers that offer both long‑term and general insurance must maintain separate capital reserves for each type of business. Additionally, the assets held in support of long‑term insurance policies are strictly protected. These assets exist solely for the benefit of long‑term policyholders and cannot be used to meet liabilities arising from the general insurance side of the business.

Regtech providers are currently unregulated in Kenya. However, the evolving regulatory landscape presents a significant opportunity for the introduction of regtech solutions. These solutions may include automated compliance systems capable of monitoring transactions in real time, detecting anomalies, ensuring adherence to local regulations, and generating the necessary reports required by regulatory bodies.

There are no established practices on regtech in Kenya.

Kenyan financial institutions have explored various use cases for blockchain within their operations and have sought regulatory approval for blockchain‑linked products. However, there remains limited publicly available information to determine the extent of actual blockchain adoption.

Kenya has made significant strides in regulating blockchain technology and virtual assets. Blockchain can be defined as a digital ledger or database of transactions relating to virtual assets that are recorded chronologically and are capable of being audited.

The VASPA designates both the CBK and the CMA as key regulatory authorities for virtual assets. The CBK will oversee crypto service providers that offer payment‑ and currency‑related solutions, while the CMA will regulate entities involved in trading, exchange, and initial public offerings of virtual assets. This collaborative approach marks a shift from the previous stance of caution toward a more structured and proactive engagement with the crypto industry.

Blockchain assets (hereinafter “virtual assets”) are considered a form of regulated financial instrument in Kenya. The VASPA provides the regulatory framework for virtual assets, defining them as “any digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, and does not include digital representations of fiat currencies, e‑money, securities, or other financial assets.”

However, the following types of assets are excluded from regulation under the VASPA.

• Digital representations of value or rights that operate within a closed ecosystem of the issuer, including those that are:
1. non-transferable outside the closed ecosystem;
2. non-exchangeable for real‑world goods, services, discounts, or purchases outside the closed ecosystem;
3. non-tradeable on a secondary market outside the closed ecosystem;
4. non-saleable on a secondary market outside the closed-loop system;
5. non-usable for payment or investment purposes; and
6. non-exchangeable for fiat currency.
• Digital representations of fiat currencies, securities, and other financial instruments to the extent that they are regulated by other laws in Kenya.
• Digital representations of fiat currencies issued by the CBK or any other jurisdiction.
• Non‑fungible tokens (NFTs) that are not used for payment, investment, or any other financial purposes.
• NFTs which, by their nature and function rather than the designation given by the issuer, are not used for payment or investment purposes and are not a digital representation of any financial asset.
• Any other digital representations of value or rights that the relevant regulatory authority expressly excludes.

The CMA considers initial coin offerings to constitute an offer of “securities”, and therefore believes they should fall under its regulatory authority. Under the VASPA, initial coin offerings are classified as a regulated activity, meaning they may only be conducted by a licensed virtual asset service provider and must receive approval from the relevant authority.

The VASPA provides the regulatory framework for virtual asset trading platforms. These platforms are centralised services that:

• facilitate the trading and exchange of virtual assets for fiat currency or other virtual assets;
• hold custody or exercise control over virtual assets on behalf of clients to enable such exchanges; and
• purchase virtual assets from a seller when transactions or matched bids and offers occur, in order to then sell those assets to a buyer.

For further information on the regulation of virtual asset trading platforms, refer to 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

VASPA introduced a regulatory framework for virtual asset activities. Although the law does not explicitly mention staking, its broad definition of regulated “virtual asset services” would likely include staking services. Under VASPA, activities such as providing custodial wallet services, facilitating virtual asset transactions, offering investment advisory services, or validating transactions require registration or regulatory approval.

Given this scope, staking service providers in Kenya would likely be required to register and obtain the appropriate regulatory approval under VASPA. In addition, these providers would need to comply with the anti‑money laundering and combating the financing of terrorism (AML/CFT) obligations set out in the VASPA.

Cryptocurrency lending generally involves providing loans secured by cryptocurrency collateral, facilitating the transfer of cryptocurrencies between lenders and borrowers, and handling loan repayments or distributions. Although the VASPA does not explicitly define cryptocurrency lending, its broad definition of “virtual asset services” potentially encompasses several aspects of these activities.

• Custodial Wallet Services – platforms that hold cryptocurrency as collateral may fall within this category. Such platforms would therefore be required to obtain licensing and be subject to regulation by either the CBK or the CMA.
• Transfer Services of Virtual Assets – platforms that facilitate the movement of cryptocurrency between lenders and borrowers are likely to be regulated under this category. These platforms would similarly be subject to licensing requirements from the CBK or CMA.
• Payment Gateway Services – lending platforms that manage loan disbursements or repayments involving cryptocurrency may be regulated by the CBK as payment gateway service providers. This would entail obligations such as customer due diligence, transaction monitoring, risk management, and compliance with AML requirements.

Given the breadth of these definitions, crypto lending platforms operating in Kenya will likely require registration and regulatory oversight under the VASPA. However, additional regulatory guidance would be needed to clarify the precise applicability of existing financial services and lending regulations to cryptocurrency lending activities.

Certain cryptocurrency derivatives activities are regulated under the VASPA. The legislation provides a broad definition of “virtual asset services”, which may encompass several types of activities related to cryptocurrency derivatives.

• Platforms for Trading and Exchange – cryptocurrency derivative trading platforms that facilitate transactions – including clearing and settlement functions – would likely fall within the regulatory scope of the VASPA.
• Custodial Wallet Services – entities that hold cryptocurrency assets on behalf of clients participating in derivative transactions (such as for collateral management) would also be required to obtain licensing under the VASPA.

There is currently no regulation on DeFi in Kenya.

There are currently no regulations governing how funds can invest in virtual assets. For fund managers licensed under the Capital Markets Act and the Retirement Benefits Act to invest in virtual assets, the investment guidelines outlined within these regulatory frameworks would need to be amended to permit investment in blockchain‑based assets.

Virtual currencies are not currently expressly defined under Kenyan law. However, the Finance Act introduces a digital asset tax that applies to income derived from the transfer or exchange of a “digital asset”.

The Finance Act, 2025 defines a “digital asset” to include “anything of value that is not tangible, including cryptocurrencies, token code, or numbers held in digital form and generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration that can be transferred, stored or exchanged electronically”. This definition encompasses virtual currencies, meaning that any gains from the exchange of virtual currencies are subject to tax in Kenya.

Under the VASPA, virtual currencies fall within the broader definition of virtual assets. Accordingly, there is no distinction between the treatment of virtual currencies and other types of virtual assets.

There is currently no regulatory framework in place for NFTs or NFT platforms. However, the VASPA provides for the regulation of NFTs issued by VASPs in Kenya and identifies specific categories of NFTs that are excluded from regulation. These exclusions apply to:

• NFTs that are not used for payment, investment, or any other financial purposes; and
• NFTs that, by their nature and function – rather than the designation given by their issuer – are not used for payment or investment purposes and do not constitute a digital representation of any financial asset.

Stablecoins are expressly regulated under the VASPA, which both defines “stablecoin” and designates “stablecoin issuance” as a regulated virtual‑asset activity. Any person issuing or otherwise carrying on in‑scope virtual‑asset services in or from Kenya must be licensed as a VASP. Responsibility for the oversight of stablecoin issuance sits with the CBK, while trading‑ and markets‑facing activities elsewhere in the value chain are overseen by the CMA under the Act’s allocation of responsibilities.

At present, the VASPA sets out the licensing perimeter and the core conduct and prudential obligations applicable to all VASPs – including stablecoin issuers. These obligations include fit‑and‑proper governance requirements, maintaining a physical presence in Kenya, prudent business conduct, audited financial statements, robust cybersecurity controls, and comprehensive AML/CFT/CPF compliance. Client asset protection duties are already in force: a licensee must segregate client virtual assets from its own property, maintain sufficient quantities of each virtual asset to meet its obligations to customers, and ensure that client assets are not subject to claims by the licensee’s creditors. The VASPA also provides for capital, solvency, liquidity, and insurance requirements to be prescribed for different categories of virtual‑asset business.

The detailed, stablecoin‑specific regulatory framework – covering matters such as reserve composition and custody, asset‑liability management, disclosures and attestation, and any redemption‑at‑par mechanisms – will be established through forthcoming regulations.

Kenya currently does not have specific open banking regulations. As a result, the sharing of personal financial data with third parties is governed by the Data Protection Act. However, in its National Payments Strategy 2022–2025, the Central Bank of Kenya has indicated its commitment to developing appropriate API standards and encouraging secure data‑sharing practices.

The adoption of secure APIs by digital financial service providers would streamline connectivity between third‑party entities – primarily fintechs offering specialised solutions – and traditional financial institutions. Such integration would enhance both the efficiency and security of Kenya’s financial sector.

While there are no regulations that specifically address open banking, banks and technology providers are still required to comply with the Data Protection Act; see 2.11 Implications of Additional, Non‑Financial Services Regulations.

The key elements of fraud are:

• a false representation of an existing fact;
• made with the intention that another party should rely on it; and
• resulting in that party suffering damage.

In legal proceedings, an allegation of fraud requires a heightened standard of proof. This standard is stricter than the usual “balance of probabilities” applied in civil cases, demanding more compelling evidence. Although it does not reach the level of the criminal standard of “beyond a reasonable doubt”, it nevertheless requires a significantly more persuasive demonstration of fraudulent conduct.

Regulators prioritise investigating and taking action against individuals or businesses that conduct regulated financial activities without the required licences, as well as those that charge excessive interest on their financial products. Such fraudulent or improper practices can cause significant harm to customers, including financial losses and increased vulnerability.

Examples of enforcement activities include the following.

• Issuing cease‑and‑desist orders – regulators typically require unlicensed entities to immediately stop their operations.
• Imposing fines – regulators may levy financial penalties on individuals or businesses that carry out regulated activities without the appropriate licensing.
• Criminal prosecutions – regulators can collaborate with law enforcement agencies to pursue criminal charges against persons engaged in unlicensed regulated activity.
• Public warnings – regulators often release statements or alerts to inform consumers about unlicensed entities or fraudulent schemes they have identified.

In Kenya, a fintech service provider may be held responsible for customer losses in various circumstances, primarily if the loss or damage arises from fraudulent actions, regulatory violations, breach of contract, or inadequate security measures by the provider.

Specifically, a provider can be liable:

• if it engages in fraud, gross negligence, or intentional misconduct, leading directly to financial harm or loss to customers;
• if it breaches contractual obligations, particularly when customer agreements or consumer protection laws have been violated; or
• for failure to comply with regulatory obligations, including licensing requirements, data protection standards, and cybersecurity obligations.

In such cases, customers may seek remedies, including compensation for financial losses, refunds, or other legal sanctions. Regulators such as the CBK, Competition Authority of Kenya, and Office of the Data Protection Commissioner can impose fines, regulatory sanctions, or require customer compensation.

Customers affected by fraudulent or negligent activities by fintech providers also have the option to file complaints with regulators or seek legal redress through Kenyan courts.