The Central Bank of Kenya (“CBK”) on 21st March 2022 announced the publication of the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 (“the Regulations”) in the Kenya Gazette by way of Legal Notice No. 46 of 18th March, 2022.
The gazettement follows CBK’s invitation for comments from the public on the draft Regulations up to 21st January, 2022. We have noted some changes made to the initial draft Regulations whose key provisions we had earlier on highlighted in our article on the Effects of the Central Bank of Kenya (Amendment) Act, 2021 on Digital Credit/Lenders Businesses.
In this alert, we seek to provide an update on the salient changes made to the initial draft Regulations and their import as well as give a breakdown on the licensing requirements under the Regulations.
- SALIENT CHANGES MADE TO THE DRAFT REGULATIONS
|Area of concern||Provisions under the Draft Regulations (if any)||Provision under Gazetted Regulations|
|Regulation 4 and 5 on Licensing||The requirement for licensing was clearly spelt out as well as the requisite documentation to procure a license.||In addition to the stipulated required documentation, the CBK has issued guidance on the procedure to be followed while applying for a licence to operate as a Digital Credit Provider (DCP) which we shall discuss in depth in the second part of the alert. Once DCP’s are licensed they are now required to pay their annual fee as well as submit a return to the CBK certifying its compliance with the Act and Regulations on or before the 31st of December every year. Considering the initial and continuous compliance requirements it would be imperative for DCP’s to ensure they have a very robust internal compliance mechanism to avoid running afoul of the Act and Regulations.|
|Regulation 6 on Transfer of License||DCP’s were precluded from transferring or assigning their license||Licenses may be transferred or assigned with the prior written approval of the CBK|
|Regulation 7 on Fit and Proper Obligations||There was no requirement to inform CBK of the changes in the structure of the DCP||DCP’s are required to inform the CBK of any intended changes in its significant shareholding, board or management structure, or the appointment of a new director, chief executive officer or a senior officer at least thirty (30) days before the effective date of the change of appointment.|
|Regulation 8 on Activities of a Digital Credit Provider||DCP’s were generally precluded from collecting deposits in any form||In addition to the prohibition against collecting deposits, the Regulations now specifically prohibit taking of cash collateral as security for loans while carrying out digital credit business.|
|Regulation 9 on suspension or revocation of a license||The grounds for revocation or suspension of a license were clearly enumerated||Failure to pay annual fees or any monetary penalty imposed by the CBK has been included as an additional ground for suspension or revocation of a license. This is to ensure prompt compliance by the DCP’s.|
|Regulation 10 on Amalgamations and transfer of assets and liabilities||Amalgamations and transfer of assets and liabilities require the prior written approval of the CBK||A proviso to this provision has been included, in that, asset disposal in the ordinary course of business does not require approval from the CBK Additionally, DCP’s are required to notify the CBK at least thirty (30) days before entering into any arrangements with a third party seeking to invest in or finance the DCP and the CBK may call for additional information and documentation as it considers necessary for considering the transaction. This is in line with the CBK’s aim to combat any money laundering schemes.|
|Regulation 14 on Exchange of credit information||DCP’s were required to notify customers in writing of their intention to submit the customers negative credit information to a licensed credit reference bureau either thirty days before submitting the negative information or within a shorter period as the contract between the DCP and the customer, however this period was not specified||The shorter pre-listing period has been set at a minimum of seven (7) days. The previous wording of this part gave room for interpretation and inclusion of unreasonable pre-listing periods in contracts. This amendment brings clarity and uniformity and provides a reasonable notice period to the consumer.|
|Regulation 17 on Product Approval||–||Flowing from our comment in our previous article, DCP’s will require written approval from the CBK for the introduction of new digital credit products as well as any variations to any existing products. Further to this, DCP’s are required to notify their customers of any variations to any existing products within at least thirty (30) days before the variations take effect.|
|Regulation 23 on Business Continuity||–||DCP’s are required to put in place systems and processes to minimize disruptions and ensure business continuity. DCP’s should carry out audits on the systemic risks they are exposed to so that they can proactively deploy mitigation strategies.|
|Regulation 26 on access and collection of customer information||–||DCP’s are required to only collect and access customer information that is necessary or reasonably required for a customer’s credit appraisal, approval, disbursement and collection. Additionally, customers should have the choice to opt out of marketing messages by the DCP. The Regulations lay emphasis on the data protection mechanisms employed by DCP’s, in particular, this part highlights the importance of data minimization and data subject consent to DCP’s as they provide their services. It would be prudent for DCP’s to ensure they integrate data protection mechanisms as they design their products and processing procedures.|
|Regulation 27 on Terms and Conditions||The draft Regulations enumerated the minimum required information in a DCP’s terms and conditions||The gazetted regulations now include the requirement to furnish a customer with the terms and conditions upon request as well as giving a thirty (30) day notice to customers prior to varying its terms and conditions.|
|Regulation 33 on Reporting requirements, on-site and off-site monitoring||DCP’s were only required to readily avail their books and records for inspection and other supervisory purposes by the CBK||In addition, to availing their books and records, DCP’s will be required to also avail their premises and systems as well for inspection by the CBK as and when required.|
|Part X- Enforcement||The Regulations only provided for the enforcement and administrative sanctions that the CBK can impose on any party that fails to comply with the Act, the Regulations or directives issued by the CBK||An elaborate framework for enforcement and imposition of administrative sanctions has been set out. The Regulations now stipulate the circumstances in which administrative action may be taken as well as the factors that the CBK would take into consideration in determining the administrative sanction to impose on a party, including issuing a notice to show cause. Where a party has acted contrary to the Act, Regulations or any directives given by the CBK, the CBK will issue a Notice to Show Cause to the party and they will be given an opportunity to make any representations which the CBK will consider and make its determination.|
|Part XI-Review||–||DCP’s or other aggrieved persons may, within 14 days of notification of CBK’s decision, request a review of the same. The Regulations set out the grounds for review that a party may seek to rely on. This provides an avenue for redress for DCP’s whose licenses have been revoked or suspended.|
- LICENSING REQUIREMENTS PURSUANT TO THE REGULATIONS
The licensing procedures aim to breathe life into Part II of the Regulations. In particular, regulation 4 of the Regulations prohibits any person from establishing or carrying out digital credit business in Kenya or otherwise hold themselves out as carrying out digital credit business in Kenya unless they are licensed.
The licensing procedure has been broken down into three steps. However, it is worth noting that Step 1 only applies to newly established DCP’s.
We will highlight below, in summary, the steps and the relevant documentation required by the CBK:
STEP 1: NAME APPROVAL
- Propose and reserve, in order of preference, at least three business names with the Registrar of Companies. Seeing as the Company’s Registry has digitized most if not all its services, the name reservation would presumably be done on the e-citizen platform.
- Submission of the proposed names to CBK for approval, in order of preference through the online portal below https://gdi.centralbank.go.ke/ui/nameapproval/
- Incorporation of a limited liability company with the Registrar of Companies using the approved name. It would be important to factor in the cost of incorporation and name reservation which is usually a cumulative figure paid at the point of incorporation.
STEP 2: LICENSE APPLICATION
|Create an online user profile and set a username and password through the CBK online portal.||Applicant’s name, e-mail address, physical address, telephone number, CR-12 number and name of the DCP|
|Complete an online license application form, then print and sign the form.||FORM CBK DCP 1|
|Download the fit and proper forms. Complete and execute the forms||FORM CBK DCP 2 (for Directors, Chief Executive Officer, Senior Officers) Form-CBK-DCP-2 (for and Significant Shareholders)|
|Scan and uploaded the duly completed application form and fit and proper forms on the online portal, together with the supporting documentation highlighted||Constitutive documents A certified copy of the certificate of incorporation of the applicant.A certified copy of the Memorandum and Articles of Association of the applicant.A certified copy of the Memorandum and Articles of Association of any corporate body that has a significant shareholding in the applicant.A certified copy of the constitutive documents of an unincorporated body that has a significant shareholding in the applicant Technology and systems Description of the information and communication technology system to be used in the applicant’s operations and an independent assurance on the systems.Description of delivery channels or platforms to be deployed by the applicant Policies Description of, and terms and conditions of credit products and services which the applicant intends to provide.The applicant’s Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) policies and procedures. The applicant’s data protection policies and procedures. The applicant’s consumer redress mechanisms, policies and proceduresCredit policyCode of ethics and market conductCorporate governance policy Consumer Protection The applicant’s pricing model and parameters Anti- Money Laundering measures Description and evidence of source of funds to be invested in the applicant Contracts Agreement with a telecommunication or other service provider for provision of channel or platform for the provision of digital credit Regulatory compliance documentation Certificate of good conduct, tax compliance certificate and credit reference bureau report for each of the digital credit provider’s individual significant shareholders, directors and senior officers.|
The original documents should be submitted to CBK for consideration together with a non-refundable application fee of Ksh.5,000
STEP 3: DATA SUBMISSION TESTING AND LICENCING
- Once CBK, is satisfied with the assessment, the applicant will be required to test their ‘data submission’ capability (Regulatory reporting) using Application Programming Interfaces (APIs) with guidance from CBK.
Presumably CBK are employing their Banking Supervision mandate to mitigate cyber security related risks such as data breaches that may ordinarily be identified with open banking. This data submission process may be utilized to interrogate whether the DCP has robust API’s that effectively promotes pseudonymity and anonymization of personal data. In its Strategy document and policy documents, the CBK has previously intimated its intention to facilitate the development of open but secure API standards. More so in a way that guarantees access, safety and integrity of data sharing systems. These standards may include API specifications for identification, verification and authentication of customer data whose protection is enshrined in law. This is in line with CBK’s legal mandate of safeguarding consumer protection and promoting data protection safeguards.
- Applicant will then pay the prescribed licence fee of Ksh.20,000.
- Upon fulfilment of all the licencing requirements and successful data submission testing, CBK will issue a licence to the DCP and publish the same in the Kenya Gazette.
Having analyzed the various provisions under the Regulations as well as the licensing procedure and requirements, we would advise DCPs to take the following steps:
- Conduct a thorough review of their constituent documents to ensure that they correspond with the requirements.
- Put in place stringent fit and proper tests for Directors, Chief Executive Officer, Senior Officers and shareholders.
- Practical steps such as legal and compliance as well as governance audits should be taken as a risk mitigation strategy in this regard.
- Establish a robust Risk & Compliance function which puts in place sound internal governance structures and an internal control framework that sets clear responsibilities for DCPs. This is necessitated by the fact that there are several initial and continuing compliance obligations.
- DCPs will also have to revise their Privacy Policies to clearly outline their data processing methods and safeguards in alignment with these regulations as well.
- DCPs are subject to the Data Protection Act, 2019 (“DPA”) and Regulations and the prevailing Consumer Protection laws in Kenya since they involve processing of personal data whilst carrying out services. The applications deployed by the DCPs may allow access to various types of data. The DPA sets out principles that persons processing data must adhere to. These include lawful and fair processing, purpose, adequacy and retention limitations. DCPs should conduct a Data Protection Impact Assessment to ensure that their processes are aligned with the principles enshrined in the DPA.
- Promptly ensure licensing by September 17, 2022, as stipulated by CBK in its guidance note.