The Compliance Brief
The FCA just showed what precise AI regulation looks like — naming a harm, tracing it to its systemic root, and setting a timeline. Kenya's AI Bill has the right instincts, but not yet the same precision.
On 6 July 2026, Reuters and Global Banking & Finance Review both reported the same story out of London: the UK's Financial Conduct Authority had published a landmark review — commissioned from Executive Director Sheldon Mills — into whether general-purpose AI tools such as ChatGPT, Claude and Gemini should fall within the regulatory perimeter governing financial advice. It is a useful mirror for Kenya's own Artificial Intelligence Bill, 2026, now before the Senate — not to copy, but to measure against.
Three findings, each narrower and sharper than most national AI legislation attempts.
Mills recommended the FCA decide, within three to six months, whether to “secure and adapt” the regulatory perimeter — a template of precision Kenya's own AI Bill has not yet matched.
Kenya's AI Bill, 2026 anticipated parts of this before Geneva or London formalised the language.
A structural attempt at exactly the kind of baseline-setting the FCA is asking for.
For high-risk systems, including those touching finance.
Already bans decisions made solely on automated processing — Kenya's closest equivalent to the guidance/advice boundary.
A partial answer to the erosion-of-trust concern the FCA and Bank of England have both raised.
Expand each for the practical shortfall.
Kenya's Bill treats finance as one line item among seven high-risk sectors, with no equivalent inquiry into algorithmic lending or chatbot-driven financial guidance — despite a High Court petition already flagging automated credit decisions as a constitutional risk.
Businesses cannot yet determine, from the Bill's text, whether their systems will be classified high-risk.
The FCA names concentration in a handful of AI providers as a systemic risk. Kenya's Bill has no equivalent provision, despite Kenyan AI adoption being overwhelmingly adoption of foreign-built models.
The AI Commissioner's powers look, on paper, like a fully resourced regulator's — but Kenya's institutional capacity is starting from close to zero, unlike the FCA's decades of supervisory infrastructure.
The FCA's review is fundamentally consumer-trust driven. Kenya's Advisory Committee structure excludes organised labour (COTU) entirely, and has no explicit consumer-protection lens.
| Question | FCA / UK approach | Kenya AI Bill, 2026 |
|---|---|---|
| Sector-specific scrutiny of finance | Dedicated review of AI in financial advice | Finance is one line item among seven high-risk sectors |
| Provider concentration risk | Named explicitly as a systemic risk | Not addressed |
| Classification criteria | Being defined through a scoped 3–6 month review | Deferred to future regulations, undefined |
| Consumer protection mandate | Explicit, central to the review's purpose | Implicit at best; no dedicated consumer lens |
Kenya's AI Bill, 2026 is a genuine achievement — it ends a regulatory vacuum and responds to a live constitutional finding. But ambition and precision are not the same thing. The FCA review is worth Kenya's attention not for its conclusions, but for its discipline: naming a precise harm, tracing it to its systemic cause, and committing to a defined timeline for closing the gap.
The FCA's own review process runs three to six months. Kenya's AI Bill still needs to clear the National Assembly — a comparable window in which these gaps can still be closed.
An AI governance framework doesn't sit apart from data protection law — most AI systems in Kenya run on personal data, which means your obligations under the Data Protection Act, 2019 are already live even before the AI Bill passes.
Muchangi Patrick & Co. Advocates advises boards, AI deployers, and startups on data protection compliance, AI governance readiness, and cross-border data flows. If you're building or deploying AI systems in Kenya, we can help you map your exposure before the regulator does it for you.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.