Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
The regulatory approach towards fintech products has always been reactive. Policy seems to be developed in reaction to emerging technology advancements; but generally, the policies have been cautiously receptive. Different regulatory bodies govern the fintech industry. This is due to the lack of a comprehensive singular body dealing exclusively with technology:
- The Central Bank of Kenya is the primary regulator governing financial services and formulates financial policies. The Central Bank policies are receptive to technology but very cautious.
- The Ministry of Information, Communications and Technology sets policy in the technology sector. The ministry is keen to explore opportunities in the fintech space. This can be seen through a collaboration with MasterCard to develop a digital payment platform for government services.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
The National Payment System Act brings all payment service providers, including mobile phone service providers, into one regulatory framework, and provides the Central Bank with direct oversight of these service providers and their products to ensure the safety and efficiency of their platforms.
Other than the above, there are no sector-specific regulations governing fintech. Fintech businesses will have to identify and comply with the regulations controlling the specific area of business that they operate in.
Which government authorities regulate the provision of fintech products and services?
The following authorities regulate fintech products and services:
- the Central Bank of Kenya;
- the Communications Authority of Kenya;
- the Capital Markets Authority; and
- the Competition Authority.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
The following financial services laws and regulations apply:
- The National Payment System Act makes provision for the regulation and supervision of payment systems and payment service providers and for connected purposes;
- The Kenya Information and Communications Act (enacted in 1998, amended in 2010 and 2013) provides the mandate of the Communications Authority of Kenya and a framework to regulate the information, communications, media and broadcasting subsector;
- The Banking Act and its regulations generally regulate the business of banking and related matters;
- The Central Bank of Kenya Act establishes the Central Bank of Kenya, charged with controlling and regulating banking and the financial sector as a whole;
- The Capital Markets Act establishes the Capital Markets Authority, charged with regulating the capital market and companies listed on the Nairobi Securities Exchange; and
- The Insurance Act regulates insurances, insurers and insurance products.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Licences are issued by various authorities depending on the type of technologies utilised. For instance, clearance from the Central Bank and Communications Authority of Kenya should be obtained before launching a mobile money product. Fintech business services are varied and would require clearance from relevant bodies in specific sectors before commencing operation.
Are any fintech products or services prohibited in your jurisdiction?
There are no specific fintech products prohibited in Kenya.
While the Central Bank has issued a warning on the use of crypto-currencies due to their perceived volatility and the lack of specific regulation, there is no law prohibiting their use. It is also useful to bear in mind that, depending on their nature, various elements of cryptocurrencies may be subject to existing payment systems regulations.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
Currently, data privacy is based on a constitutional right to privacy. Any fintech enterprise should be diligent in the use and storage of data to avoid possible claims under this right. All collection, use, processing and transfer of data must be done with the consent of the data subject.
The Access to Information Act obliges all entities to disclose information on request by a private third party if the information requested relates to the requester, or is necessary to allow the requester to enforce any fundamental right before a court of law or other forum.
There are currently no restrictions on the cross-border transfer of data, subject to the above constitutional right to privacy.
Where a fintech product and/or service is required to be licensed under the Kenya Information and Communications Act, it may be subject to certain regulations that provide the operational and financial requirements for licensing, records management, security guidelines to be followed in rendering certification services and confidentiality of subscriber-specific information.
What cybersecurity regulations or standards apply to fintech businesses?
The Kenya Information and Communications Act makes provision for offences such as modification or interference with the content of messages and interception and disclosure of messages.
In addition, a proposed Computer and Cybercrimes Bill seeks:
- to provide for offences relating to computer systems;
- to enable timely and effective collection of forensic material for use as evidence; and
- to facilitate international cooperation in dealing with cybercrime matters and connected purposes.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
The following anti-fraud, anti-money laundering and financial crime regulations apply to fintech:
- The Proceeds of Crime and Anti Money Laundering Act 2009, which came into effect in 2010, which targets:
- money laundering;
- tax evasion;
- theft, fraud;
- terrorist financing;
- drug trafficking;
- piracy; and
- bribery and corruption.
- The Anti-corruption and Economic Crimes Act provides for the prevention, investigation and punishment of corruption, economic crime and related offences.
- The National Payment System (Anti-money Laundering Guidelines for the Provision of Mobile Payment Services) Guidelines 2013 provide guidance to mobile payment services on the monitoring and reporting of suspected money laundering activities on their platforms.
- The Prevention of Terrorism Act requires entities to monitor their products and services for possible use in aiding and facilitating terrorist activities.
- The Bribery Act requires private entities to put in place procedures appropriate to their size and to the nature of the operation for the prevention of bribery and corruption.
What precautions should fintech businesses take to ensure compliance with these provisions?
Fintech businesses should register with the Financial Reporting Commission and actively exercise due diligence and conduct constant legal compliance audits to avoid violating the law.
What consumer protection laws and regulations apply to the provision of fintech products and services?
The Constitution of Kenya 2010 and its enabling statute, the Consumer Protection Act 2010, provide for general requirements for protecting the consumer. Under the Consumer Protection Act, strict guidelines are issued on the performance of credit agreements, as well as agreements executed over the Internet.
The Kenya Information and Communications (Dispute Resolution) Regulations 2010 and the Kenya Information and Communications (Consumer Protection) Regulations 2009 set out various consumer rights applicable to fintech products that require licensing under the Kenya Information and Communications Act. Such rights include:
- the right to receive clear and complete information about rates;
- the right to be charged only for the products and services subscribed to; and
- equal opportunity for access to the same type and quality of service as other consumers in the same area at substantially the same tariff.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
The Competition Act prohibits restrictive practices and unconscionable business conduct. It establishes the Competition Authority, which has good working relationships with specific sector regulators (eg, the Central Bank and the Communications Authority) for cooperation in investigating and prosecuting anti-competitive practices.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Generally speaking, there are no currency controls in Kenya, other than that the exchange must be effected through a registered bank or similarly regulated financial institution.
However, depending on the nature of the fintech product or service, money remittance regulations and anti-money laundering regulations may come into play.
Anti-money laundering laws
The Proceeds of Crime and Anti-money Laundering Act provides obligations to reporting institutions, which include financial institutions and designated non-financial businesses and professions.
Reporting institutions are required, among other things, to:
- monitor and report suspected money laundering activity;
- verify customer identities;
- establish and maintain customer records;
- establish and maintain internal reporting procedures; and
- register with the Financial Reporting Centre.
Money remittance laws
The Central Bank of Kenya has enacted the Money Remittance Regulations 2013. The regulations provide for the licensing and regulation of a money remittance operator to deal in inbound and outbound international money transfer transactions.
The regulations provide:
- the application process for licensing and renewal of licences;
- the prescribed form and fees, supporting documents, capital requirements and appointment of agents; and
- the conditions on the issuance of the licence.
The regulations require that the payment transaction be executed in the currency agreed by the parties. Where the currency conversion service is offered before the initiation of a payment, the money remittance operator must disclose all the charges required for such conversion.
A money remittance operator must maintain an account entitled ‘Customer's account’ in the name of the licensee at any commercial bank. The operator must then deposit into this account all funds that the customer has deposited for transmission to a foreign country.
A money remittance operator may offset and deposit funds in the customer’s account in order to effect transfer of funds. The operator must ensure that its officers are adequately trained in the operations of the business.
For foreign exchange payments, a money remittance operator is allowed to net off payments during settlement with counterparties. All foreign exchange inflows and outflows of money remittance operators must be received through commercial banks, documented and advised to the Central Bank in the prescribed format.
The regulations require money remittance operators to maintain a list of all transactions, a daily summary of all monies received and sent and a fixed assets register.
Money remittance operators must:
- make daily returns of money sent and received equivalent to or above $10,000. This includes customers who transact repeat transactions in a day amounting to $10,000;
- make weekly returns of money remittance transactions;
- perform quarterly balance sheet and profit and loss accounts; and
- produce audited balance sheet, and profit and loss accounts.
The regulations prohibit money remittance operators from:
- acting as authorised dealers in gold;
- engaging in lending money;
- engaging in deposit taking;
- maintaining current accounts on behalf of customers;
- establishing letters of credit;
- acting as custodians of funds on behalf of customers; or
- processing a transaction that appears to have been deliberately split into small amounts equivalent to $10,000 or below to avoid the requirement of reporting to the Financial Reporting Centre as provided under the Proceeds of Crime and Anti-money Laundering Act.
A money remittance operator is required to comply with the provisions of the Proceeds of Crime and Anti-money Laundering Act 9/2009.
With respect to consumer protection, a money remittance operator is required to disclose to its customers the fees, charges or commissions, if any, and any other conditions applicable to the money. The operator must disclose that it is neither a deposit-taking nor lending institution within the meaning of the Banking Act, the Microfinance Act or the Savings and Credit Cooperative Societies Act. It must further disclose that it is not subject to any deposit protection, and must provide any customer care procedures for complaints, together with the address, customer care contact number and contact details for the money remittance operator.
Money remittance operators are required to establish a customer care system within six months to address client complaints.
Click here to view the full article.