1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
The Ministry of Information, Communications and Technology sets policy in this regard. In general, the applicable legislative and regulatory provisions will depend on the specific area/sector of operation. They include the following:
- The Central Bank of Kenya Act (Cap 491) established the Central Bank of Kenya (CBK), which is charged with regulating the financial sector as a whole. Its objects include the establishment, regulation and supervision of efficient and effective payment, clearing and settlement systems.
- The National Payment System Act (39/2011) provides for the regulation and supervision of payment systems and payment service providers. It gives the CBK oversight powers over payment service providers and the power to issue guidelines in this regard. The National Payment System Regulations 2014 set out the application and approval process and the ongoing compliance requirements for such entities.
- The Kenya Information and Communications Act (enacted in 1998 and amended in 2013) provides a regulatory framework for the information, communications, media and broadcasting sector. The Communications Authority of Kenya (CAK) provides oversight in this sector. This legislation applies if the operations of the fintech business require it to establish its own telecommunications infrastructure or result in content generation. In this regard, the CAK must issue an approval, licence or letter of no objection.
- The Banking Act (Cap 488) and its regulations regulate banking business. It provides, among other things, that no one may transact any banking business or financial business, or the business of a mortgage finance company, unless it has obtained the consent of the CBK.
- The Capital Markets Act (Cap 485A) established the Capital Markets Authority (CMA), which is charged with regulating the capital markets and companies listed on the Nairobi Securities Exchange. The CMA has approved the Regulatory Sandbox Policy Guidance Note, which paves the way for the acceptance of applications for the admission of fintech firms to its Regulatory Sandbox. Fintech firms and innovators that successfully apply for admission to the Regulatory Sandbox will have a 12-month period to deploy and conduct live tests of their innovative products, solutions and services.
- The Insurance Act (Cap 487) regulates insurance, insurers and insurance products. Fintech firms seeking to offer insurance-related products and services must seek an approval, licence or letter of no objection from the Insurance Regulatory Authority established under the act.
- The Competition Act (12/2010) aims to promote and safeguard competition in the national economy by regulating mergers and acquisitions, prohibiting restrictive trade practices and concentration of economic power (monopolies), and protecting consumers from unfair and misleading market practices. The Competition Authority implements the act.
1.2 Do any special regimes apply to specific areas of the fintech space?
In Kenya, the National Payment System Act, the National Payment System Regulations 2014 and the Regulatory Sandbox Policy Guidance Note are the only sector-specific regimes governing fintech. Fintech firms must identify and comply with the regulations governing the specific area of business in which they operate, as further outlined in question 1.1.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
As set out in question 1.1 above, they are:
- the CBK;
- the CMA;
- the CAK;
- the Insurance Regulatory Authority; and
- the Competition Authority.
Broadly, the regulatory bodies can issue sanctions including suspension and revocation of licences/permits, financial penalties, restitution or compensation orders for aggrieved persons and tracing of the assets of anyone found to have engaged in fraudulent dealings.
1.4 What is the regulators' general approach to fintech?
Whereas the previous approach was reactionary, regulators now cooperate with fintech players to come up with new policies. There is visible stakeholder engagement with fintech players and associations. Concepts such as the Regulatory Sandbox are a good indication that the regulators are making every effort to catch up with fintech.
1.5 Are there any trade associations for the fintech sector?
Yes, trade associations include the Digital Lenders Association of Kenya, the Blockchain Association of Kenya and the Payment Association of Kenya. Other fintech efforts are being spearheaded by AI Kenya, the Kenya Private Sector Alliance, the Kenya ICT Action Network and Technology Service Providers of Kenya.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
- Payments and billing;
- Money transfer remittances; and
2.2 What products and services are offered?
- Digital lending;
- Global remittances;
- Peer-to-peer (P2P) payments; and
- P2P lending.
2.3 How are fintech players generally structured?
They are generally set up as private limited liability companies limited by shares under the Companies Act, 2015.
2.4 How are they generally financed?
Fintech start-ups are mostly financed through equity and convertible debt. The Companies Act 2015 allows for classes of shares (ordinary and preference), and thus investors can be issued with preference shares. Companies in the growth and expansion stage may be financed through debt, equity or a combination of both.
2.5 How are they positioned within the broader financial services landscape?
They have a growing market share, as they are meeting consumer expectations and offering an improved consumer experience, and serve both the banked and unbanked population.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Although there is a developed market for outsourced back office functions, generally fintech start-ups do not outsource their back office functions. The Employment and Labour Relations Court has held that outsourcing is legal as long as set parameters are met. Non-compliance will result in the award of damages by the court. Where there is an outsourcing service agreement, the remedies depend on the nature of breach and may include damages, injunctions and rescission.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
No specific regulations exist as yet, although parts of the Kenya Information and Communications Act apply regarding consumer protection. The main legal issues experienced by e-commerce platforms are privacy, payment fraud, identity theft, taxation and access to a complaints system.
(b) Mobile (m-commerce)
The National Payment System Act regulates mobile money transactions, while the Money Remittance Regulations govern international transactions executed through players such as Western Union and Alipay. Cybersecurity and privacy remain the biggest challenges.
(c) Big data (mining)
No specific regulations exist as yet. However, due to the extraterritorial reach of the EU General Data Protection Regulation, the industry must adhere to principles of data protection. The main legal issues faced are privacy related, with many corporates choosing not to implement an explicit consent requirement, but instead opting to bundle this with other terms and conditions.
(d) Cloud computing
No specific regulations exist as yet, although certain provisions, especially in the financial services sector, do relate to cloud computing. For banks, the Central Bank of Kenya (CBK) Guidelines on Outsourcing include comprehensive provisions on outsourcing information system management, which cover data centres and cloud computing. For payment service providers (PSPs), the Cyber Security Guidelines for Banks and PSPs include provisions on outsourcing of cloud services. There are also concerns regarding the hosting of sensitive data in the cloud and restrictions on the cross-border transfer of personal identifiable data.
(e) Artificial intelligence
No specific regulations exist as yet. AI Kenya is an association that is lobbying for favourable laws; but thus far, most corporates have adopted analytics, roboadvisers and machine learning, but not artificial intelligence.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
No specific regulations exist as yet, but an official government taskforce – the Distributed Ledgers Technology and Artificial Intelligence Task Force – has prepared a report on this which will inform policy formulation and implementation. The government has not embraced cryptocurrencies, as evidenced by the warning issued by the CBK urging the public not to trade in cryptocurrencies, as they are not legal tender in Kenya. Blockchain technology has been embraced and is used to address some issues regarding a lack of transparency (eg, it has been used in the Lands Registry to achieve greater transparency).
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
No specific regulations exist as yet. However, banks and payment service providers require approval from the Central Bank of Kenya (CBK) in order to engage in these activities. Cybersecurity and privacy remain the key legal issues for players in this sector.
(b) Online lending and other forms of alternative finance
Digital lending is booming in Kenya. No specific regulations exist as yet, but if passed into law, the Financial Market Conduct Bill may regulate this. The CBK has on several occasions had to step in due to the rogue nature of lenders. The biggest concerns from a regulatory point of view are high interest rates and privacy violations.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb))
Apart from the National Payment System Act and to some extent the Banking Act, no other regulations govern payment services. There is thus a gap in regulation, as players such as integrators and mobile virtual network operators are not covered by the National Payment System Act. Thus, the greatest legal concern in this sector is the lack of appropriate regulation that covers the entire ecosystem. The Payment Association of Kenya was formed to address this and to push for legislation akin to the EU second Payment Service Directive, which addresses emerging trends such as open banking.
(d) Forex
The Forex Bureau Guidelines 2011, the Central Bank of Kenya (Foreign Exchange Bureau) (Penalties) Regulations 2009 and the Money Remittance Regulations 2013 all apply. The most significant challenges in this sector are terrorist financing and money laundering.
(e) Trading
Forex trading is licensed under the Capital Markets (Online Foreign Exchange Trading) Regulations, 2017. The key legal issues are terrorist financing and money laundering.
(f) Investment and asset management
The Capital Markets Act (Cap 485A), the Capital Markets (Licensing Requirements) (General) Regulations 2002 and the Capital Markets (Collective Investment Schemes) Regulations 2001 all apply. The main issues are investor protection and systemic failure.
(g) Risk management
Risk management is covered under the Central Bank of Kenya Guidelines on Risk Management. A similar set of guidelines specifically covers savings and credit cooperative societies. The legal issues include data breaches and cybersecurity.
(h) Roboadvice
The uptake of roboadvisers is still low compared to that of chatbots. No specific regulations as yet exist.
(i) Insurtech
No specific regulations as yet exist. The greatest legal challenge is the requirement to obtain approval from the Insurance Regulatory Authority, which is yet to give regulatory direction in this regard. The 2018-2022 Strategic Plan of the Insurance Regulatory Authority aims, among other things, to promote innovation, the Regulatory Sandbox and insuretech.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
The Constitution of Kenya 2010 guarantees every person's right to privacy, which includes the right not to have his or her private information, or that of his or her family, revealed unnecessarily or the privacy of his or her communications infringed.
The Kenya Information and Communications Act also protects the right to privacy of a person.
The EU General Data Protection Regulation (GDPR) applies in Kenya in instances where its extraterritorial reach comes into play – for example:
- where the data of EU citizens is processed;
- where an organisation is a third country party as defined under the GDPR; or
- where it has been adopted as best practice.
A Data Protection Bill is pending in Parliament which seeks to set out the framework for the protection of personal information and data. The provisions in this bill largely mirror the principles of data protection under the GDPR.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
The applicable cybersecurity regime includes the following instruments:
- The Computer Misuse and Cybercrimes Act (5/2018) governs offences relating to computer systems. It aims to enable the timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes, and to facilitate international cooperation in dealing with such matters. It establishes the National Computer and Cybercrimes Coordination Committee, whose mandate includes advising the government on security-related issues relating to blockchain technology, critical infrastructure and mobile money. Currently, certain sections of the act relating to offences have been suspended by the court as a result of litigation which is still ongoing.
- The Kenya Information and Communications Act sets out various offences, such as improper use of systems, modification of messages and interception and disclosure of messages.
- The Guideline on Cybersecurity for Payment Service Providers of July 2019 issued by the Central Bank of Kenya sets the minimum standards that payment service providers (PSPs) are required to adopt in order to develop and implement effective cybersecurity governance and risk management frameworks. It further outlines the minimum requirements that PSPs are required to build upon in developing and implementing strategies, policies, procedures and related activities for mitigating cyber risk.
- The Guidance Note on Cybersecurity for the Banking Sector of August 2017 applies to all institutions licensed under the Banking Act. It outlines the minimum requirements that such institutions shall build upon in developing and implementing strategies, policies, procedures and related activities aimed at mitigating cyber risk. It also sets the minimum standards that institutions should adopt to develop effective cybersecurity governance and risk management frameworks.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
- The Proceeds of Crime and Anti-money Laundering Act (9/2009) seeks to prevent money laundering, tax evasion, terrorist financing, theft and fraud, among other crimes. It introduces measures to combat these offences and provides for the identification, tracing, freezing, seizure and confiscation of the proceeds of crime. The act establishes the Financial Reporting Centre, whose main objective is to assist in the identification of the proceeds of crime and the combating of money laundering and terrorist financing. For fintech businesses, non-compliance is an offence punishable by imprisonment, fines, both imprisonment and fines, and confiscation and realisation orders. The Proceeds of Crime and Anti-money Laundering Regulations 2013 supplement the act.
- The Guidelines on the Prevention of Money Laundering and Terrorism financing in the Capital Markets, issued through Gazette Notice 1421, emphasise due diligence, record keeping, the need to establish policies and procedures to address specific risks associated with the use of new technology and business relations or transactions conducted at a distance, and reporting to the Financial Reporting Centre.
- The Bribery Act (47/2016) applies to the public, public officers and private entities. The act makes it an offence to give or receive a bribe. Sanctions include imprisonment, fines, imprisonment and fines, and confiscation orders.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
So far, the notices received by the Competition Authority have related to mergers and exclusions guided by, among other factors, the turnover threshold. Future concerns will include an analysis of the dynamics of the fintech market, in which competitive advantage is not expressed in market share. No specific pro-competitive advantages are available to fintechs. Currently, three major banks and a mobile money operator are the largest lenders, despite the fact that Kenya has many digital lenders that are not banks.
8.1 How is innovation in the fintech space protected in your jurisdiction?
The Constitution of Kenya 2010 is one of the very few constitutions in the world to protect IP rights, providing that the state shall support, promote and protect IP rights. Further, Kenya is a member of the World Intellectual Property Organization and has acceded to various international treaties, including the Paris Convention for the Protection of Industrial Property, the African Regional Intellectual Property Organization Agreement and the Madrid Agreement Concerning the International Registration of Marks. IP rights are protected by the following laws:
- The Industrial Property Act protects patents, industrial designs and utility models. The ownership of a patent, industrial design or utility model lies with the individual inventor or the enterprise on whose behalf the industrial property was developed.
- The Trademarks Act protects trademarks. The ownership of a trademark lies with the entity or person offering the service or goods.
- The Copyright Act protects copyright. The ownership of copyright lies with the person that fixes the work or the person on whose behalf a work is fixed.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
The Regulatory Sandbox of the CMA and the White Box of the Ministry of Information, Communications and Technology serve as incentives to innovators, allowing them to develop their products without fear of violating the law.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
The Constitution of Kenya 2010 underpins employment law in Kenya and provides the Employment and Labour Relations Court with the basis for interpreting employer-employee rights and fair labour practices.
The Employment Act 2007 (11/2007) is the primary law on employment in Kenya, containing substantive and procedural law on:
- the employment relationship;
- the respective rights and duties of employer and employee;
- termination and dismissal of employees; and
- the disputes and settlement procedure.
The Labour Relations Act 2007 (14/2007) provides for the registration, regulation and management of trade unions, organisations and federations.
The Labour Institutions Act 2007 (12/2007) establishes various labour institutions, such as the National Labour Board, the Committee of Inquiry and the Wages Council.
The Occupational Safety and Health Act 2007 (15/2007) provides for the safety and welfare of employees and all persons lawfully present at workplaces.
Fintech companies must adhere to these laws, as breach of their provisions constitutes an offence punishable by fines or imprisonment. Where the termination of an employee through dismissal or redundancy is found not to comply with the law, the Employment and Labour Relations Court can award damages, among other things.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
The Kenya Citizenship and Immigration Act 2011 provides for the issuance of work visas and work permits to foreigners who wish to work in Kenya. In procuring work permits for its non-Kenyan employees, a fintech company must demonstrate that a Kenyan understudy is being trained to take on the job. Fintechs setting up through the Kenya Investment Authority may be assisted in processing work permits.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The introduction of the Regulatory Sandbox is a welcome development in the fintech landscape. It is expected that a growing number of fintech companies will apply for admission to the Regulatory Sandbox. A press release issued by the Capital Markets Authority (CMA) announced that as of 31 July 2019, three fintech companies had been admitted to the Regulatory Sandbox. One of these is testing its cloud-based data analytics platform, designed for use by investors, fund managers, custodian banks, actuaries, pension administrators and regulators; another is testing an internet-based crowdfunding platform through which investors can provide loan facilities structured as loan notes (debentures) for small and medium-sized enterprises. Upon exiting the sandbox, participants will be considered for:
- the grant of an existing applicable licence or approval to operate in Kenya, subject to compliance with relevant legal and regulatory requirements;
- the grant of permission to operate in Kenya, subject to compliance with the specified terms of a letter of no objection in respect of a business falling outside existing regulatory provisions; or
- a denial of permission to operate in Kenya, in light of regulatory concerns identified during the testing phase.
The sandbox is also expected to enhance the CMA's understanding of emerging technologies, support the adoption of an evidence-based approach to regulation, and deepen and broaden Kenya's capital markets. It is highly likely that the CMA may draft new regulations, guidelines or notices pursuant to Sections 12 and 12A of the Capital Markets Act.
Another notable development is the significant increase in self-regulatory associations. Regulation always plays catch-up with innovation. In Kenya, innovators have realised that ceasing to innovate is not an option, so self-regulation seems like the most viable option. This is a way to ensure that when laws are finally enacted, they do not prove overly harsh, and to present a united front in lobbying for favourable laws. Examples include the Payment Association of Kenya and the Digital Lenders Association of Kenya.
Prevailing trends in the fintech landscape include regtech, insuretech and wealth management. Technology-led decisions in the betting and gaming industry are also expected.
While initially it appeared that fintech companies would replace banks, we are now seeing collaboration between banks and fintech companies. Banks are also setting up their own fintech outfits and incorporating them into their processes. For example, a local bank launched a WhatsApp banking solution to offer customised mobile banking services to customers, including virtual account opening, funds transfer, loans, bill payments and goods purchases.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
- If there is no regulation:
  - protect the innovation under the applicable IP laws; and
  - engage the regulator in the sector.
- Make use of the Regulatory Sandbox.
- Join forces with other industry players in lobbying for favourable policies and laws.
- Participate in calls for stakeholder input to provide feedback on bills that are relevant to your industry.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.