The Compliance Brief
Kenya's digital credit sector has moved from a lightly monitored fintech frontier to a tightly licensed, jointly supervised market. Here's what changed, what it costs to comply, and what it means if you lend, borrow, or invest in the space.
By mid-2026, the CBK, the National Treasury and the ODPC have jointly dismantled the era of unregulated mobile loan apps. Mandatory licensing, tiered capital thresholds, strict affordability tests, and a hard line on data scraping have reshaped a sector that was, until recently, a regulatory grey zone.
The CBK accelerated its vetting pace specifically to push out predatory operators. The funnel has been unforgiving.
| Capital / loan book size | Regulatory status required |
|---|---|
| Below KES 20 million | Registered status — reduced annual fees |
| KES 20 million and above | Full CBK licence — rigorous ongoing oversight |
Text-based sign-up is no longer sufficient. AML and identity-theft concerns pushed verification into biometric territory.
The practice that defined mobile lending's worst years — scraping a borrower's contacts and harassing their network — is now explicitly illegal, with the ODPC and CBK enforcing jointly.
Modern operating systems now flag contact-list access requests, and a user can report an offending app directly through the ODPC portal — the complaint pathway that used to not exist at all.
Kenya still has no absolute interest rate cap — but nothing you didn't disclose upfront is legally collectible anymore.
If a lender levies an undeclared fee, the contract becomes legally void and the operator faces statutory penalties — the CBK can also revoke a licence outright where the practical APR is deemed unconscionable.
This isn't just about cash-loan apps anymore.
| Violation | Consequence |
|---|---|
| Operating without a licence | KES 5,000,000 |
| Unsolicited debt-shaming | KES 5,000,000 |
| Illegal data scraping / mining | KES 5,000,000 |
| Failure to submit KRA returns | Licence revocation |
Enforcement extends beyond licensed operators. Unlicensed "ghost apps" distributed via direct APK downloads have drawn a joint response from the Communications Authority and local ISPs, who now block the IP addresses and download domains of rogue lending operations.
The dispute pathway is now a defined, four-step process rather than a dead end.
Screenshots, call logs, credit reports showing sub-KES 1,000 CRB listings.
Written complaint via the app's mandated dispute channel — 14 days for a response.
Case Management Portal complaint, plus a parallel email to CBK Bank Supervision.
Regulator audits backend logs; can trigger fines or an operations freeze.
Bank-backed mobile lending (M-Shwari, KCB M-Pesa) used to sit under the Banking Act while standalone apps operated in a vacuum. That gap is closed.
A commercial bank can no longer auto-enrol an existing account holder into a digital overdraft, or raise a mobile loan limit, without the same explicit, documented consent a standalone fintech now needs. Uniform consumer protection, equal KES 1,000 CRB thresholds, and standardised Key Facts disclosures apply across both.
Compliance costs — enterprise-grade encryption, IPRS and CRB integration fees, dedicated compliance officers — have pushed undercapitalised startups toward acquisition rather than survival. Well-funded groups and Tier-2 banks are absorbing smaller licensed lenders for their tech and user bases. At the same time, the predictability of a clear licensing regime has drawn back institutional capital and development finance institutions that had previously stayed away over reputational risk. Regionally, the framework is increasingly viewed as a template the East African Community may harmonise around.
The compliance bar is real, and it has already forced consolidation. But for lenders that clear it, licensing itself has become a competitive signal — proof of stability that both borrowers and investors are now actively selecting for.
Licensed digital lenders don't just face CBK supervision — most also process sensitive personal and financial data at scale, which brings the Data Protection Act's consent, purpose-limitation, and third-party sharing rules squarely into play alongside the new licensing regime.
Muchangi Patrick & Co. Advocates advises fintechs and digital lenders on data protection compliance, licensing, and how the two regimes interact in practice. If you're navigating the new licensing rules, we can help you cover the data protection side at the same time.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.