Digital lenders struggling with data law - regulator

Kassait says penalising sends a strong message

In Summary

• CBK recently gave 10 more digital lenders a go ahead to resume operations in the country. 

The number of digital lenders currently operating in Kenya now stands at 32.

ODPC Data Commissioner Immaculate Kassait speaking during a media engagement breakfast in Nairobi
ODPC Data Commissioner Immaculate Kassait speaking during a media engagement breakfast in Nairobi
Image: ODPC

Digital lenders  in Kenya still face data protection compliance challenges, according to the Data Protection Commissioner.

Immaculate Kassait said audits have established that data protection is relatively new to most digital lenders. 

This comes at a time when the Central Bank of Kenya has cleared 10 more digital to resume operations. The number of licensed digital lenders currently stands at 32.

Since March 2022, the banking sector regulator has received 401 applications for vetting under the CBK Digital Providers Regulations 2022.

The need for legislation was sparked by a rise in the number of unregulated digital credit providers in Kenya.

This raised consumer protection concerns, such as lack of proper disclosure, aggressive debt collection practices and high interest rates. 

Other concerns include data protection concerns, such as misuse of personal consumer data, and financial integrity concerns, such as money laundering and financing of terrorism. 

According to CBK’s bank supervision annual report 2022, the regulator has engaged other regulators and agencies pertinent to the licensing process, including ODPC. 

Speaking at a press meeting, Kassait said some digital credit lenders failed to understand what data protection by default and by design meant. 

“When we even ask them about data safeguards that they have in place, most say that they have firewalls,” she said. 

She said the lenders must demonstrate how they collect, process and dispose of data, capacity building resources, data governance as well as a data policy for their organisations.

Kassait noted that penalising digital lenders has, however, begun to send a strong message.

In April, ODPC fined Whitepath Company Limited Sh 5 million for breaching the data protection law. 

Regus Kenya, which generally deals with co-working spaces in Nairobi, was also fined the same amount. 

“Those who are serious with their businesses are coming to request for more time to comply and be guided in terms of what to do,” Kassait said. 

Digital services are projected to add an extra $180bn (Sh23 trillion) to Africa's GDP by 2025, according to the United Nations Conference on Trade and Development (UNCTAD).

The 2022 Data Protection and Privacy Survey report shows Saccos, NGOs, research firms and SMEs lagged in compliance with data privacy laws.

They have also been slow in seeking registration as data processors or controllers with the Office of Data Protection Commissioner (ODPC).

Banks, insurers, telcos and healthcare firms lead in compliance with data privacy laws and registration.

WATCH: The latest videos from the Star