← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Compliance Brief

Vol. 03 — Issue 30
Nairobi Edition
Regulation, technology & the business of Kenya
CBK · National Treasury · ODPC

The Wild West of mobile lending just closed

Kenya's digital credit sector has moved from a lightly monitored fintech frontier to a tightly licensed, jointly supervised market. Here's what changed, what it costs to comply, and what it means if you lend, borrow, or invest in the space.

Analysis 9 min read Fintech & Banking
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published March 2026
Download PDF

By mid-2026, the CBK, the National Treasury and the ODPC have jointly dismantled the era of unregulated mobile loan apps. Mandatory licensing, tiered capital thresholds, strict affordability tests, and a hard line on data scraping have reshaped a sector that was, until recently, a regulatory grey zone.

259Licensed digital credit providers
7.5MLoans disbursed by licensed DCPs
KES 133.5BTotal value disbursed
~30%Vetting approval rate

§1 Licensing: from 800 applicants to 259 survivors

The CBK accelerated its vetting pace specifically to push out predatory operators. The funnel has been unforgiving.

800+ applications received since the licensing exercise began
Multi-stage CBK vetting — operating during review without clearance means shutdown
259 fully licensed Digital Credit Providers active today
Capital / loan book sizeRegulatory status required
Below KES 20 millionRegistered status — reduced annual fees
KES 20 million and aboveFull CBK licence — rigorous ongoing oversight

§2 Identity checks got a lot harder to fake

Text-based sign-up is no longer sufficient. AML and identity-theft concerns pushed verification into biometric territory.

§3 The end of debt-shaming

The practice that defined mobile lending's worst years — scraping a borrower's contacts and harassing their network — is now explicitly illegal, with the ODPC and CBK enforcing jointly.

What changed for borrowers

Modern operating systems now flag contact-list access requests, and a user can report an offending app directly through the ODPC portal — the complaint pathway that used to not exist at all.

§4 Every fee has to be on the label

Kenya still has no absolute interest rate cap — but nothing you didn't disclose upfront is legally collectible anymore.

Standard Key Facts Statement
Monthly interest rate5% – 22% (market range)
Annual Percentage RateExplicitly stated
Rollover / extension feesFixed upfront
Late payment penaltyCapped by law
Any fee not listed here cannot be legally collected

If a lender levies an undeclared fee, the contract becomes legally void and the operator faces statutory penalties — the CBK can also revoke a licence outright where the practical APR is deemed unconscionable.

§5 Before and after, in one table

Pre-reform era
→ Contact list scraping
→ Aggressive "debt-shaming" calls
→ CRB listing over KES 50 debts
→ 100%+ hidden annualised fees
2026 regulated market
→ Zero phone-data permissions
→ Timed, limited SMS reminders only
→ KES 1,000 minimum CRB threshold
→ Mandatory Key Facts Statements

§6 The regulatory perimeter is widening

This isn't just about cash-loan apps anymore.

§7 What non-compliance costs

ViolationConsequence
Operating without a licenceKES 5,000,000
Unsolicited debt-shamingKES 5,000,000
Illegal data scraping / miningKES 5,000,000
Failure to submit KRA returnsLicence revocation

Enforcement extends beyond licensed operators. Unlicensed "ghost apps" distributed via direct APK downloads have drawn a joint response from the Communications Authority and local ISPs, who now block the IP addresses and download domains of rogue lending operations.

§8 How a borrower actually files a complaint

The dispute pathway is now a defined, four-step process rather than a dead end.

01

Document the evidence

Screenshots, call logs, credit reports showing sub-KES 1,000 CRB listings.

02

File with the lender

Written complaint via the app's mandated dispute channel — 14 days for a response.

03

Escalate to ODPC / CBK

Case Management Portal complaint, plus a parallel email to CBK Bank Supervision.

04

Statutory review

Regulator audits backend logs; can trigger fines or an operations freeze.

§9 Banks and fintechs, one rulebook

Bank-backed mobile lending (M-Shwari, KCB M-Pesa) used to sit under the Banking Act while standalone apps operated in a vacuum. That gap is closed.

Level playing field

A commercial bank can no longer auto-enrol an existing account holder into a digital overdraft, or raise a mobile loan limit, without the same explicit, documented consent a standalone fintech now needs. Uniform consumer protection, equal KES 1,000 CRB thresholds, and standardised Key Facts disclosures apply across both.

§10 What it means for the market

Compliance costs — enterprise-grade encryption, IPRS and CRB integration fees, dedicated compliance officers — have pushed undercapitalised startups toward acquisition rather than survival. Well-funded groups and Tier-2 banks are absorbing smaller licensed lenders for their tech and user bases. At the same time, the predictability of a clear licensing regime has drawn back institutional capital and development finance institutions that had previously stayed away over reputational risk. Regionally, the framework is increasingly viewed as a template the East African Community may harmonise around.

Bottom line

The compliance bar is real, and it has already forced consolidation. But for lenders that clear it, licensing itself has become a competitive signal — proof of stability that both borrowers and investors are now actively selecting for.

How this touches your data protection exposure

Licensed digital lenders don't just face CBK supervision — most also process sensitive personal and financial data at scale, which brings the Data Protection Act's consent, purpose-limitation, and third-party sharing rules squarely into play alongside the new licensing regime.

Muchangi Patrick & Co. Advocates advises fintechs and digital lenders on data protection compliance, licensing, and how the two regimes interact in practice. If you're navigating the new licensing rules, we can help you cover the data protection side at the same time.

Talk to us

Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.

Book a Consultation → Chat on WhatsApp