How Kenyan Law Protects You When Taking a Mobile Loan

EDITOR'S NOTE: This article is a part of our Money254 Partner Series and is produced in partnership with Zenka Digital Kenya. For more on Money254’s editorial policy, read here.  

In March 2022, the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022, issued under the CBK (Amendment) Act, 2021, were published, requiring digital lenders to have applied for licences as of September 2022.

This formally brought digital lenders under the supervision and regulation of the CBK, similar to other financial institutions such as commercial banks and microfinance banks.

DCPs that were already in operation when the new regulations came in place were allowed to continue operating, so long as they had submitted a licence application by September 17, 2022. 

The licensing process includes an assessment of the DCP's data protection and lending practices. Collectively, the regulations are designed to protect consumers of digital loans by ensuring a fair and non-discriminatory marketplace for access to credit.

By March 2023, the CBK had licensed 32 DCPs and is in the process of reviewing over 300 more applications. As this continues, digital lenders that already have licences are beginning to align their Know Your Customer (KYC) processes with their commercial banking counterparts. 

To mark the first anniversary of CBK’s Intervention in the digital lending market, this article will explore some of the changes in the digital lending space. 

Fraud Protection 

Identity theft and impersonation in digital lending, such as using stolen phones to secure loans, have been a grave concern for many Kenyans for several years now. 

Regulation 31 of The Central Bank Of Kenya (Digital Credit Providers) Regulations, 2022, states, "A digital credit provider shall take reasonable measures to satisfy itself as to the identity of its customers while performing transactions with them."

In compliance with this regulation that is aimed at combating money laundering, licensed digital lenders are now adopting customer identification measures similar to those employed by banks.

Zenka, for instance, has implemented an optional facial biometric verification system, where customers provide a selfie during the loan application process to prevent impersonation and ensure compliance with Regulation 31.

This reflects the broader evolution of KYC practices across regulated financial institutions to enhance customer protection and mitigate fraud and impersonation. This is especially due to the threats associated with the digital transformation of financial services. 

Like Zenka, commercial banks offering loans digitally and other digital banking services like digital savings accounts have been translating the existing physical KYC process - that requires a customer to present their original ID, KRA PIN copy and a passport-size photo - into a digital option of uploading a copy of ID, PIN and a selfie image in the place of a printed passport size photograph.

Transparency and Accountability of DCPs 

Under the new CBK regulations, DCPs are required to be completely transparent to their customers about their products. To start, they must provide customers with the terms and conditions of the loan agreement before granting the loan. This includes disclosing interest rates, fees, and repayment terms upfront. 

This transparency requirement allows borrowers to understand the true cost of the loan and determine if it aligns with their financial needs. It also enables borrowers to better compare different lenders, fostering healthy competition and encouraging DCPs to offer competitive terms.

To ensure accountability, the CBK also requires DCPs to submit annual returns to the Bank certifying their compliance with Regulations. This helps the CBK to monitor the digital credit market and take action against DCPs that violate the Regulations.

Protection for Borrowers 

Since the Regulations came into effect, various measures and safeguards to protect borrowers against unscrupulous lenders have been introduced. DCPs have to undergo a rigorous vetting process to align with their regulated counterparts such as banks. 

CBK plays a pivotal role in this process, reviewing the eligibility of DCPs and scrutinising their lending processes, fees, and the technology they employ in disbursing loans. 

This means that the 32 licensed lenders have been vetted and have met all the requirements set by the CBK, which worked in coordination with the Office of the Data Protection Commissioner among other regulators. 

Some of the consumer protections include:

1. Changing Loan Terms: DCPs are now barred from altering loan terms without obtaining approval from the CBK and informing the borrower. This ensures transparency and fairness in lending practices.
2. Transaction receipts: DCPs are required to generate and issue a receipt of transactions carried out by or with a customer and provide a comprehensive statement when a customer requests. This is meant to help borrowers keep a record of all their repayments. 
3. Customer complaints resolution: The regulations require DCPs to offer a complaints redress mechanism, including a channel for communicating customer complaints, and ensure proper communication of this mechanism to its customers. All complaints have to be addressed within 30 days and a record of the outcome maintained. 
4. Ethical Credit Collection: Licenced lenders such as Zenka are required to follow the right debt collection procedures that don’t involve shaming, harassing, oppressing, or infringing on any person's privacy. 

Reduced Risk of Over-Indebtedness 

Over-indebtedness can occur when individuals accumulate multiple loans they cannot afford to repay, leading to a severe financial crisis. When borrowers are extended credit beyond their means, they may struggle to meet their repayment obligations, potentially leading to financial distress, missed payments, and a cycle of debt.

Before the CBK intervention, some borrowers resorted to loan stacking - a practice that involves borrowing from multiple loans from various digital lenders within a short period. They typically do this to avoid default - to borrow from one to pay another - or to top up from many lenders the amount needed, but this often leads to a high debt burden.

To reduce the risk of over-indebtedness and curb loan stacking, CBK introduced Regulation 18, which states, “A digital credit provider shall not advance credit to a customer before it has taken reasonable steps to assess the customer’s ability to repay the credit facility.”

Additionally, the Regulations also put a limit on the interest recoverable from a defaulter. The maximum amount a digital lender can recover from a borrower includes the outstanding loan principal when it becomes non-performing, interest as per the contract, but not exceeding the non-performing principal, and any recovery expenses incurred by the lender.

For example, if you borrow Ksh2,000 and default, the maximum the lender can try to collect is the original amount you borrowed (Ksh2,000) plus any outstanding interest as stated in your agreement, but the interest can't be more than the original Ksh2,000 you borrowed. So, the maximum you can repay would be Ksh4,000 plus any recovery fees the lender incurred. 

This protects borrowers from excessive interest charges, especially when they are already financially vulnerable. Before these limits, borrowers could be required to pay the principal plus any interest and late fees that accumulated over the period they were in default and recovery fees.

Improved Data Protection

Since the Regulations were enacted, licensed digital lenders are now required to implement robust data security measures to ensure that borrowers' personal and financial information is kept confidential and protected from unauthorised access or misuse.

As per Regulation 13, licensed DCPs are required to put appropriate policies, procedures, and systems to ensure the confidentiality of their customer information and transactions. Additionally, the law bars them from sharing customer information with anyone, except with the customer’s consent.

However, the law allows digital lenders to disclose any positive or negative information about you to a Credit Reference Bureau (CRB) when such information is reasonably required for the functions of the digital lenders or CRBs.  

If you borrow more than Ksh1,000 and default, licensed lenders are required to notify you before forwarding your details to a CRB. Borrowers can use the pre-listing notice period to repay their balance and protect their credit ratings.

Crackdown on Copycats or Fake Lenders

The CBK Regulations have introduced essential measures that empower consumers to make informed choices while penalising illegitimate lenders. Here are some of the measures:

• The requirement to tell customers CBK regulates them: Licensed digital lenders are required to tell their customers and potential customers that CBK regulates them to enable them to accurately assess the credit decision they are making.  
• Google's Proactive Measures: Google has implemented stringent measures to ensure that only licensed lenders operate on its Play Store. Digital lenders are required to provide a copy of their licence from the CBK as part of their declaration. However, Google has allowed some of the digital lenders who were in operation when the CBK regulations kicked in to continue operating - after providing proof their application for a licence is being processed by the CBK. 
• Central Bank of Kenya Transparency: To help borrowers independently verify lenders' authenticity, the CBK maintains a publicly accessible database that lists the addresses and trading names of licensed DCPs on its website.

WRAPPING UP

As of March 2022, the CBK had received 401 licence applications, but only 32 have been licenced so far. 

According to the regulator, other applications are at different stages in the process, largely awaiting the submission of requisite documentation.

As more DCPs get licensed, it is vital to be familiar with the Regulations and understand your rights as a borrower.