Kenya is one of Africa’s leading FinTech markets, and the regulatory framework supporting it has matured considerably from a single payments statute into a layered structure spanning the Central Bank of Kenya Act, the National Payment System Act, 2011 (NPSA), the Banking Act, and the Kenya Information and Communications Act for electronic transactions. A FinTech business operating across more than one of these categories, payments, lending, and data processing, for instance, needs to track compliance under each framework separately rather than assume a single CBK licence covers the whole stack.
Licensing Under the NPSA
The NPSA gives the CBK oversight over payment systems and payment service providers. Mobile money operators, payment processors, card issuers, and remittance providers must obtain a CBK licence, with different tiers applying depending on the nature and scale of services offered. The licensing process involves assessment of the business model, the applicant’s financial position, AML/KYC controls, and technical infrastructure, and the CBK’s scrutiny of technical infrastructure in particular has increased as payment volumes have grown, with applicants now expected to demonstrate resilience and incident response capability rather than only transaction processing capacity. A payment service provider operating across multiple payment channels, mobile money, card processing, and bank transfers, for instance, should expect the CBK to assess each channel’s infrastructure separately rather than treat a single technical audit as covering the entire product suite.
Digital Lending Regulation
The Central Bank of Kenya (Amendment) Act, 2021 brought non-deposit-taking digital credit providers under CBK regulation for the first time, inserting what is now Section 33R of the principal Act, which gives the CBK power to register, license, and regulate non-deposit-taking credit providers not already regulated under another statute, approve the channels through which digital credit business may be conducted, determine pricing parameters, and prescribe a binding code of conduct. This framework was further amended by the Central Bank of Kenya (Amendment) Act, 2024, reflecting how actively this area continues to be revised; a digital lender working from the 2021 amendment alone, without checking the 2024 update, may be missing a requirement added since. A person cannot lawfully carry on non-deposit-taking credit business without a licence under this framework. Licensed digital lenders must disclose all costs, obtain informed consent, and comply with data protection requirements for any personal data used in credit scoring, and the CBK’s responsible lending standards in this space have specifically targeted aggressive debt collection practices and undisclosed fee structures that characterised the digital lending sector before regulation was introduced. A lending app’s terms of service and in-app disclosures are exactly the kind of material the CBK will review for compliance with these standards, so disclosure language needs to be drafted with the regulatory standard in mind from the outset rather than adapted after a complaint is received.
The CBK FinTech Regulatory Sandbox
The CBK operates a regulatory sandbox that allows innovators to test new financial products and services under CBK oversight without immediately satisfying full regulatory compliance, subject to defined parameters around customer numbers, transaction limits, and testing duration agreed with the CBK in advance. Sandbox participation is generally understood as a pathway to mainstream licensing once a business model has been proven within the sandbox’s constraints, though it is not itself a licence and does not exempt a participant from the underlying legal requirements that will apply once it exits the sandbox and begins operating commercially at scale. A FinTech business should treat sandbox entry as a structured pilot with a defined regulatory off-ramp, not as an extended period of unregulated operation, and should plan the transition to full licensing well before the sandbox testing window expires rather than treating that deadline as a problem to solve once it arrives.
AML/KYC Requirements
Payment service providers are reporting institutions under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) and must implement a full anti-money laundering compliance programme, including customer due diligence at onboarding, ongoing transaction monitoring, suspicious transaction reporting to the Financial Reporting Centre, and record keeping for the periods prescribed under the Act. This obligation applies regardless of which specific CBK licence or registration a FinTech business holds; a payment processor and a digital lender are both reporting institutions under POCAMLA even though they are licensed under different provisions of the CBK framework, and a compliance programme built only around the licensing-specific obligations while overlooking the separate POCAMLA reporting obligations is incomplete. A FinTech business that has confirmed its CBK licence is in good standing should not assume that satisfies its POCAMLA obligations as a separate reporting institution; the two compliance tracks are assessed independently and a gap in one does not require a corresponding gap in the other to constitute a contravention.
Data Protection in Credit Scoring and Payments
FinTech products that process personal data for credit scoring, fraud detection, or transaction monitoring sit at the intersection of CBK regulation and the Data Protection Act, 2019, and satisfying one does not automatically satisfy the other. A credit scoring algorithm that uses alternative data sources, mobile money transaction history or social media activity, for example, needs a lawful basis for processing that personal data under the Data Protection Act independently of whatever consent or disclosure the CBK’s responsible lending standards require for the credit decision itself. A FinTech business building or licensing a scoring model from a third-party provider should confirm the data sources feeding that model are themselves lawfully obtained, since liability for unlawful processing can attach to the business using the score even where the underlying data collection was carried out by a different party.
Cross-Border FinTech and Regional Expansion
A Kenyan FinTech business expanding into other East African Community markets should treat each jurisdiction’s payment and lending licensing regime as a separate compliance exercise rather than assume a CBK licence carries any cross-border recognition, since payment system regulation in Kenya operates on a national licensing basis without an automatic passporting arrangement comparable to some other regional blocs. Equally, a foreign FinTech business entering the Kenyan market needs to satisfy the same CBK licensing, NPSA, and POCAMLA requirements as a domestic provider, and foreign ownership of a CBK-regulated entity may itself trigger separate notification or approval requirements depending on the specific licence category and the proportion of foreign shareholding involved. A regional expansion plan should build in the licensing timeline for each target jurisdiction from the outset, since payment licensing processes in the region commonly run from several months to over a year depending on the regulator and the complexity of the business model being assessed.
Clay & Associates Advocates advises FinTech businesses on CBK and NPSA licensing applications, digital lending compliance under the Section 33R framework, regulatory sandbox applications, AML/KYC programme design under POCAMLA, and data protection compliance for credit scoring and payments products. If you are launching a payments product, a digital lending platform, or applying to the CBK sandbox, we can help you map the current requirements across each applicable framework before launch.
Launching a FinTech product or applying for a CBK licence? Contact Clay & Associates Advocates. Book a Consultation
Related reading: Data Protection for Media and Technology Companies | Insurance Law and Regulation in Kenya
