By Stella Situma
Kenya has become a digital powerhouse, and its banking and finance sector is a clear leader in this innovation. Financial institutions, particularly banks, are evolving rapidly, driven by technology and changing consumer expectations.
Yet, this transformation brings with it a complex legal landscape, especially when it comes to consumer protection, data privacy, and regulatory compliance.
Let’s address what consumer protection in digital finance really means.
The rapid rise of fintech solutions, from mobile money platforms like M-PESA to Digital Credit Providers (DCPs), has amplified the need for robust consumer protection laws.
The Central Bank of Kenya’s DCP regulations, introduced to curb abuses such as exploitative interest rates and unethical debt collection practices, are a response to these concerns. This regulatory shift underscores a broader change in expectations from both consumers and the government, who now demand that financial institutions and DCPs exercise transparency and show greater respect for consumer rights.
In a digital age, consumers are no longer passive users; they are aware of their rights and quick to act when those rights are breached. For banks and financial institutions, this means that consumer trust isn’t just desirable; it’s essential for business sustainability.
These financial institutions must adapt to these new expectations by embedding transparency, data privacy, and ethical practices into their operations.
Kenya’s Data Protection Act (DPA) of 2019 was a milestone, placing stringent requirements on how consumer data is collected, stored, and used. However, many financial institutions are still catching up on compliance. A critical area that remains under scrutiny is data consent, particularly for historical data collected before the DPA became operational. Financial institutions must now determine if such data can still be stored and processed without infringing on the DPA.
The Office of the Data Protection Commissioner (ODPC) guidance on consent specifies that consent forms must be distinct from terms and conditions, and all consent must be informed and explicit. Banks and financial institutions need to review their documentation, such as the privacy policies on their websites and bank documentation (especially older records), to ensure they are compliant with the DPA.
Therefore, it is advisable for these institutions to audit historical records, seek updated consent where needed, and implement data minimisation practices, retaining only the most essential data to limit legal exposure.
With an already complex digital banking landscape, the evolution will continue with new bills on the horizon.
Upcoming legislation, such as the draft Consumer Protection (Amendment) Bill 2024 and the draft Banking (Penalties) Regulations 2024, will have a profound impact on the financial sector.
The Consumer Protection Amendment Bill seeks to empower the Competition Authority of Kenya (CAK) to investigate digital activities, even without a complaint having been lodged, including cases where data collection practices appear exploitative, which will be deemed an abuse of superior bargaining position.
It also introduces fines for financial institutions that fail to ensure fair dealings in their digital interactions with consumers. Meanwhile, the Banking Penalties Regulations propose fines of up to KES 20 million for non-compliance on issues like disclosing a customer’s credit costs or handling consumer data improperly.
For legal compliance and business sustainability, it’s crucial for financial institutions to implement various measures, including the appointment of a Data Protection Officer (even though this is not a mandatory legal requirement) who will ensure that they are compliant and act as the liaison person with the ODPC.
It’s all good and well to have a detailed privacy policy in place with an educated staff, but what about benchmarking and regulator engagement? The evolving regulatory framework also requires proactive engagement with the ODPC and other regulatory bodies, such as the Central Bank of Kenya (CBK) and the CAK.
Benchmarking with other jurisdictions that have mature data protection laws—such as the UK’s Information Commissioner’s Office (ICO)—could provide a foundation for best practices. For instance, the ICO offers self-assessment tools for compliance, which Kenyan regulators could emulate to streamline local oversight and guidance for banks.
Additionally, financial institutions would benefit from regular sector-based discussions with the ODPC to clarify industry-specific challenges, such as consent requirements for historical data.
Engaging in ongoing consultations with these bodies could foster a collaborative environment where banks can share insights on digital transformation needs, while regulators develop nuanced guidelines tailored to the financial sector.
While this is key, this still ignores the most important detail in this digital landscape – transparency and clear communication.
One of the primary consumer grievances in digital finance relates to hidden fees and ambiguous terms. Financial institutions must ensure transparency in all communications, from SMS updates to website disclosures, particularly around transaction fees, loan conditions, and data usage policies.
The CAK and ODPC emphasise that misleading or unclear communication is a regulatory infraction that may lead to penalties and reputational damage.
Publishing a clear and accessible privacy notice on digital platforms is no longer optional—it is a regulatory requirement. Financial institutions should detail data collection practices, including how they obtain consent and the specific purposes for which data is used.
Privacy notices should also clarify if sensitive data, such as biometrics or health information, will be processed, given the DPA’s stringent requirements for sensitive data handling.
Ultimately, digital transformation presents exciting growth prospects for Kenya’s financial sector, but with these opportunities come significant responsibilities.
Financial institutions must integrate data privacy into their everyday practices, engage proactively with regulators, and commit to transparency.
By doing so, they can shield themselves from legal pitfalls and foster strong, lasting trust with their customers. By embracing these changes now, Kenya’s financial institutions have the chance to lead the way in responsible digital banking, setting a benchmark for others to follow.
The writer is a Partner in the Banking, Finance & Projects practice at Cliffe Dekker Hofmeyr (CDH) Kenya