Digital lenders in Kenya, operating under the umbrella of the Digital Financial Services Association of Kenya (DFSAK), have raised significant concerns regarding the regulatory landscape. They accuse the Central Bank of Kenya (CBK) of overstepping its mandate, particularly in relation to the data aspect of their businesses. This challenge is exacerbated by a multiplicity of regulatory bodies—specifically the CBK, the Competition Authority of Kenya (CAK), and the Office of the Data Protection Commissioner (ODPC)—all asserting mandates, sometimes on the same issues. This forces digital lenders to allocate considerable resources to comply with various, sometimes conflicting, recommendations, leading to operational challenges.

Kevin Mutiso, Chairperson of DFSAK, highlighted the worry among players about regulatory overreach by the CBK. During a stakeholder meeting graced by Data Commissioner Immaculate Kassait, Mutiso stated, “We worry about regulatory overreach by CBK. They seem to also want to regulate the data aspect of our business.” He also pointed out a re-emergence of rogue players in the sector, which he hopes the CBK (Non-deposit taking credit providers) Regulations, 2025, will address. However, a pressing need remains for a clear framework to guide how and to whom complaints should be channeled for proper redress, as consumers are often not well-versed on which regulator handles what type of complaint.

Kennedy Osore, head of public affairs at Tala, echoed these sentiments, explaining the consumer's difficulty: “The challenge the consumer has is who they go to if they have a complaint. The process is not clear.” He added that the intersection of data protection complaints, which might typically go to CAK, also falls under CBK's purview as the primary regulator, creating a “multiplicity” that causes significant operational challenges for lenders.

The Office of the Data Protection Commissioner (ODPC) plays a crucial role in this ecosystem. Data Commissioner Immaculate Kassait revealed that her office has received 5,284 complaints since 2021. These complaints primarily revolve around unlawful access to contacts and personal data on customers’ phones, the processing of third-party personal data, a lack of transparency regarding data collection and storage, and the absence of consent before data collection. The ODPC has issued 39 determinations, 22 enforcement notices, facilitated 27 compensations, and issued eight penalty notices in response to these issues.

Kassait affirmed that the ODPC works closely with other regulators, including the CBK. She confirmed that, in cases where perpetual digital lenders were not seriously addressing raised issues, her office resorted to writing to the CBK to request the deregistration of these lenders. This measure proved effective in ensuring compliance, with lenders realizing the gravity of the situation only after facing potential deregistration.

However, Kassait also brought to light an anomaly: some consumers attempt to exploit the Data Protection Act to avoid repaying their loans. These individuals might even fabricate messages purporting to be from lenders harassing them for payment. Kassait emphasized that the ODPC dismisses such cases, stating, “You cannot use the law to try and beat the purpose of contracts.”