The Office of the Data Protection Commissioner (ODPC) wants the CBK to revoke the licences of two digital lenders over persistent breaches of data protection laws.
The ODPC says borrowers have continued to raise complaints against the two unnamed digital lenders despite past administrative action against them.
The CBK is allowed to suspend or revoke the license of a digital lender for contraventions of the Central Bank Act and complementary regulations, which rein in consumer data abuses, including access to borrowers’ phonebooks.
“We have seen a reduction in the number of complaints, but we still have rogue digital lenders. For these repeat lenders, we have written to CBK to strike out their certificates,” Data Commissioner Immaculate Kassait told this publication.
All digital lenders are required to register with the ODPC as data controllers and processors and carry an obligation to process personal data under the law.
The collection of information relating to family or private affairs, for instance, requires a valid explanation from the processors.
Data subjects also have a right to be informed of the use to which their personal data is to be put, access their data, or object to the processing of all or part of the data according to the Data Protection Act of 2019.
CBK’s Digital Credit Providers Regulations of 2022 list more specific violations by digital lenders, especially during credit collection, including access to contact lists or posting personal information online.
“A digital credit provider, its officers, employees or agents shall not, in the course of debt collection, engage in any of the following conduct against a customer or any other person…access the customer’s phone book or contact list and other phone records for purposes of sending them messages in the event of untimely payment or non-payment,” reads part of the regulations.
The regulations also block digital lenders from posting personal or sensitive information online or on any other forum or medium for shaming defaulters.
A spot check by this publication in June revealed that some digital lenders reverted to their old aggressive and intrusive debt collection tactics barely three years after the onset of regulations to curb the practice.
The check confirmed a fresh charge in cases where debt collectors working for digital credit providers (DCPs) were harassing Kenyans on contact lists with the hope of recovering bad loans.
Chapeo Capital Limited, a CBK-licensed digital credit provider that operates apps including ZKPesa and Chapeo Cash, was one of the errant firms that had bombarded individuals with calls and text messages urging them to pressure their contacts to repay their loans.
“Your contact **** has an unpaid loan of Sh1,720 due for seven days, despite several reminders. This is business money, and prompt payment is expected. Please urge them to pay NOW,” read a text message sent to one of this publication’s staff.
Other digital lenders included in recent complaints include Whitepath, Rocketpesa, Platinum Credit, Azura Credit, Mulla Pride, and Credit Watch Investments- all the players have been accused of debt shaming practices, some of which have led to regulatory warnings and fines.
Players in digital lending have welcomed the tough enforcement action by the ODPC, highlighting the need for decisive action to weed out the rogue practices that became a definitive feature of digital lending before the onset of regulation.
Kevin Mutiso, chairman of the Digital Financial Services Association of Kenya (DFSAK), said that some licensed lenders have become complacent in following CBK and data protection rules in the expectation that enforcement would be lenient.
“There is a perception that regulation can be managed. Enforcement will be a signal that this can no longer be the case,” he said on Thursday.
“We should expect to see some swift enforcement because we have seen rogue lending returning to the market, ruining the reputation of digital lending once again.”
The CBK has so far licensed 27 digital lenders as of June 5, 2025, but at least 574 digital lenders are awaiting clearance.
The banking sector watchdog started regulating this space after public outcry about the pricing of digital loans and the extent to which players will go to recover their money from defaulters.
Digital credit providers (DCPs) have gained popularity due to their ease of application for borrowers seeking quick cash for emergencies and survival without requiring collateral.
CBK is set to make changes to the digital lending regulations to encompass all non-deposit-taking credit providers following amendments passed in December under the Business Laws (Amendment) Act, 202.
