The Central Bank of Kenya (CBK) has invited public views on its newly drafted Non-Deposit Taking Credit Providers Regulations 2025, which aim to tighten the regulation of credit providers outside the traditional banking sector.
CBK first attempted to regulate the digital lending business in 2021 with the CBK Amendment Act 2021, which established a licence and regulatory framework for digital credit providers (DCPs), who were previously unregulated.
In a significant step forward, CBK released the Digital Credit Providers Regulations in 2022, resulting in the licensing of 126 DCPs; nonetheless, reservations about the framework’s efficacy persisted.
Industry actors continued to exploit legal and enforcement weaknesses in the system, prompting the Non-Deposit Taking Credit Providers Regulations, 2025, which aim to close these gaps by providing borrowers with improved protection against exorbitant interest rates, debt collectors and personal data exploitation. The regulations broaden the regulatory net on privacy and data protection.
Privacy and data protection
The regulations appear to be moving the sector towards data protection by design and default, which means that a Non-Deposit Taking Credit Provider must include data protection considerations in all aspects of their processing activities.
Privacy-by-design and privacy-by-default are two fundamental principles in data protection legal frameworks that are codified in the Data Protection Act 2019.
For starters, the regulations state that, in order to be granted a licence and/or registration, a non-deposit taking credit provider must hold a valid data protection registration certificate from the Office of the Data Protection Commissioner (ODPC).
Registration is only one facet of complying with data protection regulations, but it is a foundational one: organisations in Kenya cannot function as data controllers or processors unless they have registered with the ODPC.
In addition to the aforesaid registration, a non-deposit taking credit provider must create, publish, submit and routinely update its data protection policy.
A data protection policy describes how an organisation handles, secures, and utilises personal information.
It addresses the nature of personal data collected and held, how a data subject can access and exercise their rights, complaint handling mechanisms, the lawful purpose for processing personal data, requirements for data transfer outside Kenya, the retention period and so on.
The regulations reflect data protection’s Integrity and Confidentiality principle.
The principle states that personal data should be processed in a way that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful access to the processing equipment, as well as accidental loss, destruction, or damage, through the use of appropriate technical or organisational measures.
Therefore, non-deposit taking credit providers will be obliged to maintain systems to preserve the confidentiality of customer information and transactions, as well as to prohibit the unrestricted sharing of customer data unless the customer has agreed or as required by law.
This duty of confidentiality extends to an entity’s officials even after they leave their positions.
In addition, the proposed regulations allow for credit information exchange with licensed Credit Reference Bureaus, which is a classic example of data sharing with third parties outside the business.
However, this is not absolute; such submissions must be timely, complete and accurate; errors must be corrected as soon as possible, and customers must be notified before submitting negative data.
In doing so, the non-deposit taking credit provider must comply with the purpose limitation principle and all the provisions of the Data Protection Act.
Additionally, the proposed regulations embed the principle of data minimisation, meaning that a non-deposit taking credit provider should collect only the minimum amount of personal data needed for credit appraisal, approval, disbursement and collection, loan agreements, repayment schedules and the total cost of credit.
All that being said, central to these regulations is the acknowledgement of individuals’ rights over their data; the protection of customer data from fraud, abuse and theft; and the promotion of openness in marketing and the avoidance of deceptive data collection.
This empowerment is critical in an era where data exploitation may have serious ramifications for consumers.
Finally, the proposed regulations provide a strong foundation for protecting individual privacy while simultaneously enhancing consumer trust in corporate transactions.
As non-deposit taking credit providers navigate this legislative landscape, addressing privacy by design and privacy by default will be critical for establishing customer trust and, ultimately, cultivating a culture of respect for personal information.
The writer is Partner, Sisule & Associates LLP