← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Compliance Brief

Vol. 03 — Issue 32
Nairobi Edition
Regulation, technology & the business of Kenya
FCA Mills Review · July 2026

What the UK's AI review means for Kenya's AI Bill

The FCA just showed what precise AI regulation looks like — naming a harm, tracing it to its systemic root, and setting a timeline. Kenya's AI Bill has the right instincts, but not yet the same precision.

Analysis 8 min read AI & Financial Regulation
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published July 2026
Download PDF

On 6 July 2026, Reuters and Global Banking & Finance Review both reported the same story out of London: the UK's Financial Conduct Authority had published a landmark review — commissioned from Executive Director Sheldon Mills — into whether general-purpose AI tools such as ChatGPT, Claude and Gemini should fall within the regulatory perimeter governing financial advice. It is a useful mirror for Kenya's own Artificial Intelligence Bill, 2026, now before the Senate — not to copy, but to measure against.

§1 What the FCA review actually found

Three findings, each narrower and sharper than most national AI legislation attempts.

Why it matters

Mills recommended the FCA decide, within three to six months, whether to “secure and adapt” the regulatory perimeter — a template of precision Kenya's own AI Bill has not yet matched.

§2 Where Kenya's Bill already answers this

Kenya's AI Bill, 2026 anticipated parts of this before Geneva or London formalised the language.

Four-tier risk classification

A structural attempt at exactly the kind of baseline-setting the FCA is asking for.

Mandatory human rights impact assessments

For high-risk systems, including those touching finance.

Section 35, Data Protection Act

Already bans decisions made solely on automated processing — Kenya's closest equivalent to the guidance/advice boundary.

Deepfake criminalisation

A partial answer to the erosion-of-trust concern the FCA and Bank of England have both raised.

§3 Five gaps measured against the FCA's standard

Expand each for the practical shortfall.

01 No sector-specific answer for finance

Kenya's Bill treats finance as one line item among seven high-risk sectors, with no equivalent inquiry into algorithmic lending or chatbot-driven financial guidance — despite a High Court petition already flagging automated credit decisions as a constitutional risk.

Business impactFinancial-services deployers get the same generic obligations as an agritech app, when their risk profile is materially different.
02 Classification criteria deferred to future regulations

Businesses cannot yet determine, from the Bill's text, whether their systems will be classified high-risk.

Business impactCompliance planning stalls behind regulations that don't yet exist.
03 Silence on provider concentration

The FCA names concentration in a handful of AI providers as a systemic risk. Kenya's Bill has no equivalent provision, despite Kenyan AI adoption being overwhelmingly adoption of foreign-built models.

Business impactNo mechanism exists to assess Kenya's own exposure if a dominant foreign provider fails or withdraws service.
04 Enforcement capacity unproven

The AI Commissioner's powers look, on paper, like a fully resourced regulator's — but Kenya's institutional capacity is starting from close to zero, unlike the FCA's decades of supervisory infrastructure.

Business impactRisk of inconsistent enforcement and overlapping mandates with the ODPC and Communications Authority.
05 No consumer-protection or labour mandate

The FCA's review is fundamentally consumer-trust driven. Kenya's Advisory Committee structure excludes organised labour (COTU) entirely, and has no explicit consumer-protection lens.

Business impactHalf the accountability relationship AI creates — the workers and consumers on the receiving end — goes unaddressed.

§4 How the two frameworks compare

QuestionFCA / UK approachKenya AI Bill, 2026
Sector-specific scrutiny of financeDedicated review of AI in financial adviceFinance is one line item among seven high-risk sectors
Provider concentration riskNamed explicitly as a systemic riskNot addressed
Classification criteriaBeing defined through a scoped 3–6 month reviewDeferred to future regulations, undefined
Consumer protection mandateExplicit, central to the review's purposeImplicit at best; no dedicated consumer lens

§5 What to do now

§6 The bottom line

Kenya's AI Bill, 2026 is a genuine achievement — it ends a regulatory vacuum and responds to a live constitutional finding. But ambition and precision are not the same thing. The FCA review is worth Kenya's attention not for its conclusions, but for its discipline: naming a precise harm, tracing it to its systemic cause, and committing to a defined timeline for closing the gap.

Where this goes next

The FCA's own review process runs three to six months. Kenya's AI Bill still needs to clear the National Assembly — a comparable window in which these gaps can still be closed.

How this touches your data protection exposure

An AI governance framework doesn't sit apart from data protection law — most AI systems in Kenya run on personal data, which means your obligations under the Data Protection Act, 2019 are already live even before the AI Bill passes.

Muchangi Patrick & Co. Advocates advises boards, AI deployers, and startups on data protection compliance, AI governance readiness, and cross-border data flows. If you're building or deploying AI systems in Kenya, we can help you map your exposure before the regulator does it for you.

Talk to us

Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.

Book a Consultation → Chat on WhatsApp