Fintech 2022 Comparisons

Several investments have been made in the Fintech space in Kenya in the last quarter of 2021, including start-up Kwara, which was able to raise USD4 million in a seed round of investment, and Asilimia, which secured USD2 million in pre-seed funding (USD1 million equity and USD1 million debt).

The 2021 Findexable Global Fintech Rankings report placed Kenya number 31 in the global top 100 rankings of the world’s leading fintech hub countries and number 3 in the Middle East and Africa. In terms of African cities, Nairobi was ranked the second largest fintech city hub in Africa. These rankings can be attributed to the presence of an estimated 20% of African fintechs in Nairobi, an emerging ecosystem of local investors, an enabling human resource environment, increased mobile phone penetration and growing interest from global technology firms. 

The key driver of the fintech revolution in Kenya has been the collaboration between technology providers, traditional financial institutions, fintech start-ups and regulators, together with sustained market demand, an open-minded appetite for these types of solutions, and an enabling regulatory framework. Increasingly, partnerships are being formed and integration is occurring between Mobile Network Operators (MNOs) offering mobile money services and traditional financial institutions such as commercial banks. The most popular services being offered as a result of these partnerships are payment solutions, money transfer and access to credit. In this way, commercial banks are able to reach the MNOs’ extensive customer bases while the MNOs benefit by increasing the number of services they offer. 

There has also been significant growth in digital credit products that use credit-scoring algorithms and provide credit through mobile payment systems. The existence of mobile payment technologies has been a key growth factor for digital credit as these provide a channel for digital credit providers to transfer funds to borrowers and for borrowers to repay the borrowed amounts. The credit transactions are conducted over both the digital credit mobile applications or USSD platforms and mobile payment systems. The growth of the digital credit products has informed the introduction of the regulation of digital credit business, which became effective in December 2021.

The COVID-19 pandemic created opportunities for the development of fintech products and services, and fuelled increased use of fintech solutions. Additionally, the pandemic stimulated e-commerce business, which led to an increase in the use of electronic payment methods.

There has also been an increase in dealings in cryptocurrencies and crypto-assets in Kenya. According to the 2021 Chainalysis Global Crypto Adoption Index, Kenya was ranked fifth overall and first on P2P exchange trade volume worldwide. In February 2022, the Central Bank of Kenya (CBK) noting the public’s growing interest in cryptocurrencies, issued its Discussion Paper on Central Bank Digital Currency (the "CBDC Paper") in Kenya, which considers the issuance by the CBK of central bank digital currency (CBDC). The CBK has requested written submissions and representations on the CBDC Paper by 20 May 2022.

Notwithstanding the above, dealings in cryptocurrencies and crypto assets is presently not regulated in Kenya. However, the CBK and the Capital Markets Authority (CMA) have issued cautionary statements to the public with respect to dealing in cryptocurrencies and crypto assets. The CBK further issued directives to financial institutions not to engage in virtual currencies and not to provide services to persons dealing in virtual currencies. There has also been significant interest in the provision of payment solutions demonstrated by the licensing of two additional payment service providers and the increase in the entities interested in entering the payments market in Kenya. On 23 February 2022, the CBK also launched the National Payments Strategy, which is aimed at realising the vision of a secure, fast, efficient and collaborative payments system that supports financial inclusion and innovations that benefit Kenyans.

There have also been several investments in the Fintech sector in 2021, such as investments in:

• Kwara by Breega SoftBank to help with the building of a neobank app to enable clients to sign up to their preferred credit unions to access various financial services;
• Asimila, which provides payment services that are devoid of transfer charges; and
• Paylend, which provides access to finance and digitising MSMEs.

As the mainstream use of fintech gains traction in Kenya, commercial enterprises and government entities continue to explore the adoption of fintech to promote their efficiency and improve service delivery. 

The predominant fintech business models that emerged in Kenya in 2021 were digital banking, digital lending, asset management, payment gateways and insurtech. We have also seen a rise in agritech and healthcare tech business such as M-TIBA, which is currently the leading health financing technology platform for consumers, insurers, healthcare providers and governments.

Digital Banking

Most banks in Kenya have adopted digital platforms to provide their products and services. Customers are able to access their bank accounts, view their account information and statements, transfer funds, carry out foreign exchange transactions and pay utility bills, among others. Certain banks have partnered with MNOs to provide mobile banking services, thereby allowing customers to access their accounts through their phones and to deposit and withdraw funds from their accounts through mobile money wallets.

Digital Lending

Digital lending is one of the most prominent fintech business platforms in Kenya with lenders providing small loans to individuals and businesses. Digital lenders such as Branch, Tala and Zenka provide loans through mobile applications or USSDs. The disbursement and repayment of loans is mainly conducted through mobile payment platforms. 

Payment Gateways

Payment gateways are MNO platforms that facilitate payment for goods and services by customers to merchants or between merchants. The platforms provide integrated payment systems between merchants, banks and other MNOs. The most popular payment gateway in Kenya is MPESA, which is owned by Safaricom. Banks also have partnerships with credit card providers, such as Mastercard and Visa, who have also facilitated electronic payments.

Asset Management

Asset management companies have also adopted technology in the provisions of their services through mobile apps and USSDs. Consumers are able to sign up to asset management companies, make payments and withdraw funds from asset managements through mobile apps that are linked to mobile payment methods or digital banking channels.

Insurtech

Insurance companies have also increasingly adopted online platforms through which customers can view their policy details and premium statements, report and track claims, make service requests and view service providers, among others. Other intermediaries in the insurance business are adopting digital platforms to link insurance companies, customers, agents and other intermediaries. 

Agritech

There has been a proliferation of agritech entities that provide an online marketplace for farm products and connect farmers with suppliers and service providers. These platforms enable farmers to sell their produce, track their farm expenses and input purchases, obtain information on soil profiles and recommendations for best farm output.

Healthcare

Fintech in healthcare brings new and improved digital financial service models into the healthcare space through leveraging blockchain, artificial intelligence and machine learning to eliminate inefficiencies endemic to most healthcare plans. They aim to streamline the flow of information and money between patients and providers to save time for everyone involved. Other healthcare payment-oriented fintech solutions include health savings accounts and low interest healthcare loans.

There is no separate regime for the regulation of fintech in Kenya, so fintech products and services fall under the existing financial services regulatory framework. Currently, most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered.

That said, there are efforts to regulate certain fintech businesses. For instance, in December 2021, the Central Bank Amendment Act, 2021 (the "CBK Amendment Act"), amended the Central Bank Act (Chapter 491 of the Laws of Kenya) (the "CBK Act"), to provide for the regulation of digital credit providers. The CBK issued draft Digital Credit Providers Regulations in December 2021, which will operationalise the CBK Amendment Act and are expected to come into effect in March 2022.

The main regulators of the financial services industry are the CBK, the Capital Markets Authority (CMA) and the Insurance Regulatory Authority (IRA). Other regulators that play a role in regulating specific segments of the market or activities relating to it are the Retirement Benefits Authority, the Sacco Societies Regulatory Authority, the Competition Authority of Kenya, Financial Reporting Centre (FRC), the Office of the Data Protection Commissioner (ODPC) and the National Computer and Cybercrimes Co-ordination Committee (NC4). Their respective mandates are governed by the following legislation.

• Capital Markets Act, Chapter 485A (and the Regulations thereunder), empowering the CMA to regulate the capital markets and all public issuers of securities. 
• Banking Act (Chapter 488), which regulates banks and banking business in Kenya.
• CBK Act (Chapter 491), which establishes the CBK and provides for the supervision of banks and foreign exchange businesses. The CBK Act was amended by the CBK Amendment Act to provide for regulation of digital credit providers by the CBK.
• The National Payment System Act No 39 of 2011 (and the Regulations thereunder), which provides for the authorisation and regulation of payment services and payment service providers (PSPs) by the CBK. 
• The Insurance Act Chapter 487 (and the Regulations thereunder), which establishes the IRA and provides for the regulation of insurance services, insurers and insurance intermediaries.
• The Retirement Benefits Act No 3 of 1997 (and the Regulations thereunder), which establishes the Retirement Benefits Authority (RBA) and provides for the regulation of retirement benefit schemes. 
• The Consumer Protection Act No 46 of 2012 (and the Regulations thereunder), which provides for the protection of consumers and restrictions against unfair trade practices in consumer transactions.
• The Microfinance Act No 19 of 2006, which provides for the licensing and regulation of microfinance institutions. 
• The Savings and Credit Co-operative (Sacco) Societies Act No 14 of 2008, which establishes the Sacco Societies Regulatory Authority and provides for the registration and regulation of Sacco societies. 
• The Competition Act (and the Regulations thereunder), which establishes the Competition Authority of Kenya (CAK), regulates competition and provides for consumer protection from unfair and misleading market practices. 
• The Data Protection Act No 24 of 2019 (and the Regulations thereunder), which establishes the ODPC and provides for the regulation of the processing or personal data, the rights of data subject and the obligations of data controllers and data processors.
• Computer Misuse and Cybercrimes Act No 5 of 2018, which establishes the NC4 and provides for offences relating to computer systems. The purpose of this Act is to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes.
• Proceeds of Crime and Anti-Money Laundering Act No 9 of 2009, which establishes the FRC and provides for the offence of money laundering and measures for combating this offence.
• The Kenya Information and Communications Act No 2 of 1998 (and the Regulations thereunder), which establishes the Communications Authority of Kenya and regulates the information and communications sector (including broadcasting, multimedia, telecommunications and postal services). 

Several regulators have also issued guidelines, circulars and directives on the application and interpretation of the statutes.

There are no specific provisions on the permissible compensation that industry participants may charge their customers. However, certain general provisions apply to specific players, for instance:

• lenders are prohibited from charging borrowers default interest or prepayment penalties; 
• lenders, insurers, and capital market intermediaries (brokers, investment advisers, fund managers and dealers) and payment service providers are required, prior to transactions, to disclose the full charges for their services, such as fees, interest rate, penalties, premiums, etc (a borrower is not liable to pay any costs that have not been disclosed); and 
• payment providers are required to notify the CBK of any material changes to their charges.

The Draft DCP Regulations provide that digital credit providers should submit their pricing model and parameters to the CBK for approval and not amend the pricing model and parameters without the CBK’s approval. The Draft DCP Regulations limit interest recoverable from non-performing loans to the principal, and interest not exceeding the principal owing as at the time a loan becomes non-performing and the expenses incurred in the recovery of the loan.

Most fintech players are unregulated and where they offer services or products that are regulated, they have an obligation to comply with the regulations applicable to the services or products offered. For the most part, new players would partner with legacy players to ensure compliance, while other players apply for their own licences, especially in the payment services sector. As indicated in 2.2 Regulatory Regime, there have, however, been efforts by the regulators and parliament to update the regulations to cover technological developments, eg, as with the CBK Amendment Act. 

The CMA established a regulatory sandbox to accelerate its understanding of emerging technologies and to facilitate the deepening and broadening of Kenya’s capital markets. The sandbox is a platform that will allow testing of innovative products, solutions and services that have the potential to enhance Kenya’s capital markets.

In March 2019, the CMA released the Regulatory Sandbox Policy Guidance Note, which provides a framework for the operation of the sandbox. 

The sandbox is available to entities that are either incorporated in Kenya or licensed by a securities market regulator in an equivalent jurisdiction; with the intention to offer an innovative product, solution or service in Kenya.

Once the CMA has approved an application to participate in the sandbox, together with the applicant’s testing plan, the applicant can proceed with testing the product or service in Kenya. The CMA may, during the testing period, require modifications to be made to the testing plan. During the testing period, the applicants are required to submit interim reports on the progress of the tests and comply with other requirements from the regulator, including safeguard mechanisms. 

Once the testing period is complete, the CMA may either license and grant the participant permission to operate in Kenya, or deny and reject the participant’s licence request.

According to the CMA Regulatory Sandbox Milestones Report, April 2021 (the "CMA Sandbox Report"), the CMA had received applications for participation in the sandbox, including:

• participants with various innovative products and services covering robo-advisory services;
• tokenisation, eKYC, use of blockchain;
• data analytics; and
• crowdfunding, among others. 

On 12 October 2020, the CMA granted a "No Objection" letter to Pezesha Africa Limited to operate its debt-based crowd-funding platform in the Kenyan capital markets, after a successful one-year testing period. 

According to the CMA Sandbox Report, the sandbox has elicited increased interest from the fintech community in Kenya. It has also enabled many SMEs to access funding through the first crowd funding platform approved by the CMA following successful testing in the sandbox. The sandbox has also helped inform the development of a facilitative regulatory framework for fintechs.

The CMA Sandbox Report also highlights some of the challenges faced in the operation of the sandbox. These include the novelty and complexity of the regulatory sandbox concept and applications, insufficient information on the risk universe in the various areas and the need for continuous capacity building to enhance regulatory competence to review different types of applications. Other challenges are the cross-border nature of certain solutions, such as crowdfunding platforms, which create jurisdictional challenges in terms of different property, insolvency and tax laws as well as enforcement and the dilemma of encouraging self-regulation through fintech associations vis-a-vis direct state regulation.

It is understood that the CMA will continue in its mandate to develop adaptable and more responsive regulatory frameworks to support fintech and innovation in the capital markets.

Where more than one regulator has jurisdiction over an industry participant, each regulator only regulates the participant to the extent that they fall within their jurisdiction. For example, listed banks are regulated by the CBK and the CMA, each of which limits their regulation to the scope of their respective legislative mandates. See the specific mandates of the regulators in 2.2 Regulatory Regime.

It is, however, expected that such regulators would adopt a collaborative approach. For instance, the CMA has indicated that discussions are underway towards establishing a multi-sector regulatory sandbox to address developments such as cryptocurrency and evolving payment technologies, which are related to, but are not the sole province of, capital markets.

Although regulated functions can be outsourced, outsourcing is subject to various restrictions in most sectors. For instance, the Central Bank of Kenya’s Prudential Guidelines (Guideline on Outsourcing CBK/PG/16) prohibit banks from outsourcing core functions such as corporate planning and management and control. Furthermore, the guidelines provide that any outsourcing of any material activity such as IT, market research and internal auditing should be approved by the CBK. These guidelines were issued in 2013 and have yet to be updated to reflect the current sector developments.

The guidelines provide for mandatory contractual requirements such as:

• a clear description of the outsourced activities;
• the regulated entity’s supervision mandate of the outsourced activities; 
• CBK’s right to supervise and inspect the third party’s performance of the outsourced activities;
• contingency plans to ensure business continuity; and 
• details of the pricing and fee structure.

The National Payment System Regulations, 2014 provide that a payment service provider (PSP) may outsource operational functions. However, it cannot outsource material operational functions. A material function is one that, if a defect or performance failure were to occur, would materially impair the PSP’s continuing compliance with the requirements of its licence, financial performance and soundness or continuity. 

A PSP is required to notify the Central Bank of Kenya of proposed outsourcing 30 days prior to the outsourcing arrangement taking effect. 

The Capital Markets (Corporate Governance) (Market Intermediaries) Regulations, 2011 provide that, where market intermediaries contract third parties to undertake any functions on their behalf, they must ensure that:

• there is a contract describing the services; and 
• details of the third parties are provided, including details of the qualifications and experience of their employees. 

These Regulations further clarify that outsourcing does not diminish the regulated entities’ liability with respect to their obligations.

From a regulatory perspective, it is much easier for market entrants to collaborate with existing licensed institutions and provide their products or services as outsourced functions, for instance, as this minimises the regulatory oversight and burden on them. 

Currently there are no specific regulations on the responsibility of fintech providers over their platforms. This responsibility and liability are mainly established contractually. Where such providers are subject to indirect regulatory oversight, eg, as third-party vendors, the responsibility may be implied through the requirement to comply with regulatory standards.

The main regulatory enforcement actions across the verticals are: 

• monetary penalties subject to the regulator’s discretion;
• prohibition from continuing operations;
• suspension or revocation of licences; 
• termination of the employment of an officer; 
• prohibition from opening branches or limiting an entity’s activities; and 
• disqualification of directors from holding office in other licensed institutions. 

Regulators may also institute court proceedings against regulated entities and/or their employees for committing offences under the statutes. On conviction, the courts may impose fines or prison terms for the relevant officers. The term of imprisonment or the amount of the fines varies under different regimes and depends on the nature of the offence committed.

The Data Protection Act

The Data Protection Act, 2019 regulates the processing of personal data of data subjects who are resident in Kenya, by data controllers and data processors. The Act regulates the processing of personal data, provides for the rights of data subjects and prescribes the obligations of data controllers and data processors. Kenya recently appointed its first Data Commissioner, who is currently setting up the Office of the Data Commissioner, as mandated by the Data Protection Act. 

On 14 January 2022, three sets of Data Protection Regulations were published in the Kenya Gazette and take effect from 11 February 2022 subject to annulment or approval by the National Assembly Committee on Delegated Legislation. These Regulations are the:

• the Data Protection (General) Regulations, 2021;
• the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and
• the Data Protection (Complaints Handling and Enforcement) Regulations.

Under the Data Protection Act, the Data Commissioner may cancel the registration of a data controller or data processor that, without any lawful reason, fails to comply with the Act. It further provides that a data subject is entitled to compensation from a data controller or processor where the subject suffers damage by reason of contravention of the Act. 

The Data Commissioner also has the power to serve an enforcement notice on a data controller or processor to take certain steps within a specified period to be in compliance with the law, and may issue penalty notices requiring the payment of certain amounts specified in the notice if the enforcement notice is not honoured.

A person who commits an offence under the Data Protection Act for which no specific penalty is provided, or who otherwise contravenes the provisions of the Act, is liable on conviction to a fine not exceeding KES3 million (approximately USD30,000) or to an imprisonment term not exceeding 10 years, or both.

The Computer Misuse and Cybercrimes Act

The Computer Misuse and Cybercrimes Act (the "CMC Act") is also pertinent. Among other aims, it seeks to protect the confidentiality, integrity and availability of computer systems, programs and data, and to facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes. This Act requires service providers to assist in investigating offences, such as by collecting and providing data. A service provider is defined as a public or private entity whose services provide users with the means to communicate by use of a computer system, as well as any other entity that processes or stores computer data on behalf of that entity or its users.

The penalties for offences under the CMC Act range from fines of approximately KES100,000 (approximately USD1,000) to KES20 million (approximately USD200,000) and/or imprisonment terms of between three and 20 years. The Act provides for enhanced penalties where these offences are committed with respect to protected computer systems. These include systems for the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems, and instruments.

Readers should note that the CMC Act was ruled unconstitutional on 29 October 2020. This followed a ruling by the High Court which nullified 24 Acts of parliament ("the Laws") enacted by the national assembly without reference to and input from the senate as required under the Constitution of Kenya. The High Court has suspended the nullification of the Laws until 29 July 2021 to allow the national assembly to comply with the constitution and regularise the Laws. The Court of Appeal subsequently reinstated 21 Laws, the CMC Act being among those re-instated. However, an appeal has now been taken before the Supreme Court of Kenya to determine the status of all these Laws.

The National Computer and Cybercrimes Co-ordination Committee

The National Computer and Cybercrimes Co-ordination Committee administers the CMC Act and was recently launched (late 2021) to carry out its mandate under the CMC Act. Failure to comply with a request for assistance or a related court order is an offence, with penalties of a fine of up to approximately KES5 million (approximately USD50,000) or imprisonment for up to three years. Service providers are not liable for the disclosure of any data or other information that they divulge pursuant to a requirement under the Act.

Other than regulators, there are a number of organisations that review the activities of industry participants. Among them are the Kenya Bankers Association, FSD Africa, East Africa Venture Capital Association (EAVCA), and capital market intermediaries such as Cytonn. For instance, in 2018, FSD Africa and EAVCA published the report "Fintrek: Exploring New Frontiers in Fintech Investments in East Africa" on the funding options available for the fintech sector. 

However, as reports on the sector are limited, it is difficult to ascertain the industry practice in detail. 

Industry participants do offer unregulated as well as regulated products and services. However, these are mainly offered through alternative entities, as most regulated entities, such as banks and capital market intermediaries, are subject to restrictions prohibiting them from engaging in any activity for which they are not licensed. 

Among the unregulated services that regulated entities may provide in Kenya, an example is the provision of investment advice to private and sophisticated investors, which is not subject to regulation by the CMA. However, providing investment advice to the public is regulated, and a licensed investment adviser may provide investment advice to both private and public investors.

Anti-money laundering rules impact fintech companies to the extent that they are deemed to be reporting institutions as per the provisions of the Proceeds of Crime and Anti-Money Laundering Act, No 9 of 2009 (the "AML Act"). A reporting institution under the AML Act includes a financial institution and a designated non-financial business and profession. A financial institution is defined to mean any person or entity which conducts as a business, one or more of the following activities or operations:

• accepting deposits and other repayable funds from the public;
• lending, including consumer credit, mortgage credit, factoring with or without recourse and financing of commercial transactions;
• transferring of funds or value by any means, including both formal and informal channels;
• issuing and managing means of payment (such as credit and debit cards, cheques, traveller’s cheques, money orders and bankers’ drafts and electronic money);
• participation in securities issues and the provision of financial services related to such issues;
• otherwise investing, administering or managing funds or money on behalf of other persons;
• underwriting and placement of life insurance and other investment related insurance; and
• money and currency changing.

Given this broad definition, fintech companies that engage in the above activities are required to comply with the provisions of the AML Act whether they are regulated or not. Further, the AML Act applies to any company that is doing business in Kenya regardless of whether  such company is resident.

There are no specific regulations in Kenya relating to robo-advisers. Robo-advisory is regulated by the CMA as general investment advisory. The business models for robo-advisers in Kenya are dependent on the type of licensing obtained from the authority and not the asset classes. For instance, fund managers and investment advisers are licensed as intermediaries that may provide advisory services with respect to any asset classes.  

The CMA has admitted a participant to the sandbox to test robo-advisory services in Kenya, with a view to adopting suitable regulations for robo–advisory services. 

There do not appear to be any robo-advisers in Kenya (save for the participants admitted to the sandbox such as FourFront Management Limited and Waanzilishi Capital Limited) or any legacy players that employ solutions from robo-advisers. 

The CMA has prescribed regulations requiring market intermediaries to deal for a client on the best terms available for the client. Intermediaries must execute orders in a timely and equitable manner and in the chronological sequence in which the orders were received, giving priority to outstanding orders. To the extent that robo-advisers are market intermediaries under the capital markets framework in Kenya, they will be required to comply with the above provisions.

Kenyan law regulates (i) financial businesses that have an element of "deposit-taking business" and requires such businesses to be licensed by the CBK, and (ii) digital credit business. Deposit-taking business entails (i) accepting money on deposit, and (ii) lending the money at the risk of the person lending the money or financing the activities of one business from such funds. Digital credit business is the business of providing credit facilities or loan services through a digital channel. A digital channel refers to the internet, mobile devices, computer devices, applications or any other digital system as may be prescribed by the CBK.

Lending that is part of deposit-taking businesses or digital credit business is regulated. However, lending in itself does not require licensing and is not subject to regulation. Save for the above, there are no other significant differences in the business or regulation of loans to individuals, small businesses and others. The regulation of lending businesses is not based on the type of borrower but on the nature of the lending.  

The commonly used underwriting process is the analysis of consumer data using set machine-learning algorithms that make automated decisions on a customer’s credit worthiness and risk.  

As this involves data processing, it is regulated under the Data Protection Act and the regulations made thereunder. Data subjects have a right not to be subject to automated decision-making unless the processing complies with the applicable legislation.  

Lenders who are engaged in deposit-taking businesses such as banks, Sacco societies and microfinance institutions secure funds from: 

• the public, in the case of licensed banks, microfinance institutions and Sacco societies (only these entities can take deposits from the public and utilise the same for loans as this is deposit-taking business which is regulated under the Banking Act, the Microfinance Act and the Sacco Societies Act); 
• capital from shareholders and other investors, such as direct foreign investors; and  
• loans from other institutions, eg, other banks.  

Lenders who do not engage with deposit-taking institutions primarily source funds from capital raised as either equity or debt from other investors. 

Raising funds through equity and debt is only regulated to the extent that the securities are issued to the public under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002. 

Raising funds through securitisation is regulated under the Capital Markets (Asset Backed Securities) Regulations, 2007. However, securitisation is not common in Kenya.  

There is no specific regulation for syndication of loans in Kenya. The syndication process follows the current industry practice, as follows:  

• an arranger is appointed; 
• the borrower and the arranger agree on the syndication strategy; 
• the arranger prepares the information memorandum which is circulated to lenders that are interested in participating in the syndication; 
• the lenders who agree to participate in the syndicate agree on their commitments and negotiate the finance deal;  
• the finance documentation, including the loan agreement and the security documents, is prepared, negotiated and executed by the borrower, lenders and other parties that may be involved, such as guarantors, security trustees and hedge providers, among others; 
• the borrower satisfies the precedent conditions set out in the facility agreement; and 
• upon satisfaction of the precedent conditions, the lenders disburse the funds to the borrower, including the fees payable to the arranger, facility agent, security agent, etc.  

Payment processors may use existing payment rails or create new payment rails. However, a payment processor is required to obtain authorisation as a PSP in order to provide payment services (irrespective of whether the payment service is through an existing or new payment rail). 

The National Payment System Act defines a PSP to include a person, company or organisation: 

• acting as provider in relation to sending, receiving, storing or processing of payments or the provision of other services in relation to payment services through any electronic system; 
• that owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or 
• that processes or stores data on behalf of such PSPs or users of such payment services. 

The National Payment System Act regulates the provision of payment services to persons resident in Kenya. Any person outside Kenya who provides payment services in Kenya is a PSP and is subject to the provisions of the Act. PSPs that provide payment services in Kenya on a cross-border basis are required to obtain authorisation from the CBK and comply with the provisions of the National Payment System Act.  

The following fund administrators are regulated in Kenya: 

• fund administrators for retirement benefit schemes that are regulated under the Retirement Benefits Act; and 
• fund managers for collective investment schemes that are regulated under the Capital Markets (Collective Investment Schemes) Regulations, 2001 (the "Collective Investment Schemes Regulations"), which require that fund managers be administrators of the collective schemes they manage; however, there is no restriction against the fund managers outsourcing the administrative functions of the fund. 

Note that a collective investment scheme refers to an investment company, unit trust, mutual fund or other scheme, whether or not established or organised in Kenya, which collects and pools funds from the public or a section of the public for investment. 

The Retirement Benefits (Administrators) Regulations, 2007 provide that an administrator must enter into a written agreement with the relevant scheme. Such agreement sets out the specific arrangements for the required administration services and must be entered into prior to the commencement of the provision of administrative services. The agreement should be a service level agreement that clearly sets out all the relevant agreed requirements and acceptable standards for delivery, and stipulates the basis on which the administrator is to be remunerated. 

There are no mandatory provisions for contracts with administrators under the Collective Investment Schemes Regulations. However, when engaging a fund administrator, it is prudent to include the statutory functions of the fund administrators as part of their scope of work. Some of the administrative roles of a fund manager under the Collective Investment Schemes Regulations include: 

• preparing and timeously dispatching all cheques, warrants, notices, accounts, summaries, etc; 
• making records and books of accounts available for inspection by directors, trustees and auditors; and  
• publishing the price of the shares daily in local newspapers.  

Where a fund manager outsources fund administration functions, they need to ensure that the outsourcing contract complies with the above statutory requirements. 

Trading platforms in Kenya can either be: 

• licensed securities exchanges for shares, bonds, commodities and derivatives which are regulated by the CMA under:
1. the Capital Markets (Licensing Requirements) (General) Regulations, 2002; 
2. the Capital Markets (Coffee Exchange) Regulations, 2020;  
3. the Capital Markets (Derivatives Markets) Regulations, 2015; or  
• trading platforms which are accessible through licensed dealing or non-dealing online foreign exchange brokers for foreign exchange trading (this includes trading in contracts for differences based on a foreign underlying asset; these brokers are regulated by the CMA under the Capital Markets (Online Foreign Exchange Trading) Regulations, 2017). 

The regulations provide for the licensing, corporate governance and conduct of business of entities, and the supervision of the markets.  

There is currently only one licensed securities exchange in Kenya, the Nairobi Securities Exchange. As at December 2021, there were six licensed online foreign exchange brokers.   

Asset classes are generally subject to a similar regulatory regime. However, there are regulations that contain specific provisions for specific asset classes, taking into consideration the differences inherent in the nature of the assets. The following asset classes have different special regulations: 

• derivatives; 
• forex trading and contracts for difference; 
• asset-backed securities; 
• commodities; 
• units in collective investment schemes such as money market funds, unit trusts and real estate investment trusts; and 
• repurchase agreements. 

The different regulations prescribe the instruments of ownership and the mode of trading of the assets. Furthermore, they also prescribe the conduct of market intermediaries while dealing in and managing the assets. For instance, the Collective Investment Schemes Regulations provide for the management of collective investment schemes and the conduct of the fund managers, trustees and custodians. The Derivatives Exchange rules provide for the conduct of derivatives brokers and the conduct of trading at the Derivatives Exchange.  

Cryptocurrency exchanges are not presently regulated in Kenya. However, Kenya’s securities regulatory regime under the Capital Markets Act, and the subsidiary legislation thereunder, are broadly drafted. For instance, the Act defines a "security" to include "any other instrument" prescribed by the CMA to be a security for the purpose of the Act. This arguably allows the CMA to extend the regulatory purview of the Act by prescribing, for example, virtual currency as a security. Consequently, despite not presently being regulated, if the CMA were to prescribe that virtual currencies are securities under the Capital Markets Act, virtual currency markets would be regulated. 

The CBK has issued a warning to the public to the effect that virtual currencies are not legal tender and there is no protection available to persons dealing or trading in them. The CBK does not recognise virtual currency as legal tender and therefore does not regulate it. 

Listing requirements for shares and fixed income instruments are provided under the Capital Markets (Securities) (Public Offers, Listing and Disclosures) Regulations, 2002. These Regulations provide for listing requirements in the following market segments: 

• the Main Investment Market Segment; 
• the Alternative Investment Market Segment; 
• the Fixed Income Securities Market Segment; and 
• the Growth Enterprises Market Segment. 

Securities exchanges are also required to provide their own listing standards that may complement (but not contravene) the standards in the regulations. Consequently, the Nairobi Securities Exchange also prescribes listing standards that are largely similar to the standards in the regulations. 

Order handling rules prescribed by the CMA apply. The general order handling rules to be followed by market intermediaries are found in the Capital Markets (Conduct of Business) (Market Intermediaries) Regulations, 2011 (the "Conduct of Business Regulations"). The Regulations specify that market intermediaries must: 

• not execute an order unless the client has made sufficient arrangements for the necessary funds or securities; 
• execute client orders in the chronological sequence in which the orders were received and give priority to outstanding orders; 
• deal for a client on the best terms available for the client; 
• ensure that transactions it executes are allocated to the clients who gave the orders in a timely and equitable manner; and
• where a market intermediary has aggregated an order for a client’s transaction with an order for its own account transaction, or with an order for another client’s transaction, not give unfair preference to itself or to any of the clients, and give priority to satisfying orders for client transactions, if all orders cannot be satisfied. 

The Nairobi Securities Exchange has also prescribed order handling rules with respect to the trading of shares, fixed income securities and derivatives. The order handling rules provide for qualification requirements for orders, validity periods for orders, allowable spreads and limits on bids and offers, and the execution and settlement of trades. 

Peer-to-peer trading platforms are rising in Kenya especially in relation to the trade in cryptocurrencies. As indicated at 1.1 Evolution of the Fintech Market, Kenya was ranked first peer-to-peer cryptocurrency trading volume by the Chainalysis Global Crypto adoption Index 2021. As these platforms are largely unregulated and their business models unknown/unclear, it is difficult to assess the impact such platforms might have on traditional and fintech players, and the regulatory challenges posed. 

The Conduct of Business Regulations provide that a market intermediary shall deal for the client on the best terms, timeously and fairly. There are instances where market intermediaries fail to comply with these requirements by: 

• failing to execute client instructions; 
• churning, ie, dealing in circumstances that could reasonably be considered as too frequent or too large, having regard to the trading activities, investment objectives, size and operations of such clients, mainly for the purpose of creating hefty commissions for the market intermediary; 
• front running; 
• insider dealing; and  
• executing unauthorised transactions. 

Any market intermediary that fails to comply with the statutory provisions may be sanctioned by the CMA in any of the ways set out in 2.9 Significant Enforcement Actions.  

There are no express rules against payment for order flow. However, the practice may be prohibited to the extent that it contravenes other trading rules, eg, dealing in the best interest of the client, avoiding conflict of interests and fair dealing.  

The Conduct of Business Regulations provide the following principles of market integrity governing trading by market intermediaries: 

• independence – when advising or acting on behalf of a client, an intermediary must ensure that it maintains its independence and impartiality;  
• fair dealing; 
• fair and clear communications – intermediaries are required to communicate clearly to the client and disclose relevant information, such as the risks of a transaction and the charge for services; 
• conflict of interest – a market intermediary is required to avoid any conflict of interest between itself and a client and where such a conflict exists, decline to act, or if it considers that the conflict can be managed, disclose it to the client and follow the policies developed to minimise damage to the client and to put the client’s interests ahead of its own; 
• confidentiality – an intermediary must keep all the information in its possession relating to a client confidential, whether obtained from the client or third parties; 
• not to front-run, churn or participate in insider dealing; and  
• not to use client funds without the client’s instructions. 

In Kenya, high frequency and algorithmic trading are not regulated.  

However, it is advisable for a person who has created and wants to use such technologies to apply to the CMA to be placed in a regulatory sandbox, for purposes of allowing small-scale, live testing of innovations by private firms in a controlled environment. 

Generally, no person is entitled to undertake market making unless they have been authorised to operate as such under the Nairobi Securities Exchange Rules and they hold a licence from the CMA, such as a stockbroker’s or dealing licence. Therefore, to the extent that a person engaging in high frequency or algorithmic trading creates demand and supply for securities by way of entry into the automated trading system of bids and offers for the purposes of enhancing liquidity, they will be required to be registered as a market maker with the Nairobi Securities Exchange. This applies whether or not they are acting in a principal capacity and hold a licence from the CMA.   

Given that there are no regulations on high frequency or algorithmic trading, there are no distinctions between funds and dealers that engage in these activities.  

However, the Capital Markets Act makes a distinction between a dealer and a fund manager. Accordingly, a dealer mainly engages in the business of buying, selling, dealing, trading, underwriting or retailing of securities, except exchange-traded derivatives contracts, whether or not the dealer carries on any other business. Whereas a fund manager is defined as a manager of a collective investment scheme, registered venture capital company or an investment adviser who manages a portfolio of securities.  

Programmers who develop and create trading algorithms and other electronic tools are not regulated in Kenya. 

Financial research platforms are not subject to registration in Kenya. However, to the extent that a financial research platform qualifies as an investment adviser, then it must be licensed by the CMA. An investment adviser is defined as a person who carries on the business of advising others concerning securities, or as part of a regular business, issues or provides analyses or reports concerning securities, or manages a portfolio of securities on behalf of a client. 

The spreading of rumours and other unverified information with respect to securities is regulated by the Capital Markets Act. To this end, it is an offence for a person to make any statement which at the time and in light of the circumstances in which it is made, is false or misleading, and which that person knows or ought to have reasonably known is false or misleading in relation to securities. It is also an offence where a person makes a false or misleading statement by omitting a material fact. It is also an offence for a person to create a false or misleading impression of active trading in securities, or the price of dealings in securities traded on the securities market of a securities exchange. 

Additionally, the CMC makes it an offence for a person to intentionally publish false, misleading or fictitious data or misinformation with the intent that the data shall be considered or acted upon as authentic, with or without financial gain. 

In order to avoid pump-and-dump schemes, spreading of false information or other types of unacceptable behaviour, the Capital Markets Act makes it an offence for:

• a person to do anything which is intended or is likely to create a false or misleading impression of active trading in securities or with respect to the market for, or the price for, dealings in securities traded on the securities market of a securities exchange; and 
• a person to induce or attempt to induce another person to subscribe for, sell or purchase securities by making or publishing statements, promises or forecasts that are false, misleading or deceptive; or by concealing material facts; or by recording or storing on any device information that is false or misleading.  

Persons posting on a financial research platform must ensure that the information posted does not breach the law or amount to an offence. Platform owners with editorial capabilities should also ensure that the content posted on their platforms does not amount to an offence as they may be vicariously liable.  

The insurance industry participants' underwriting process includes KYC checks and conducting due diligence on insurable interest for the purposes of risk acceptance. The IRA has issued guidelines and regulations on the basic KYC information to be obtained and the minimum rates that can be charged in the market.  

The underwriting process differs among different types of insurance. Under the Insurance Act, the funds for life insurance business and non-life insurance business must be completely separate, and a business cannot use funds from life insurance business to settle any claim by a non-life customer. It is the practice that insurance businesses incorporate two companies, one to undertake life insurance and another to undertake non-life insurance. The underwriting processes to be adopted for the two types of insurance may therefore differ by practice.  

Regtech providers remain unregulated in Kenya. The uptake of regtech in the Kenyan market is very low, with most financial services firms opting to meet their compliance requirements and returns manually.   

As the uptake of regtech in the Kenyan market is very low, there are no established practices on the contractual relationships between regtech providers and financial services firms. Regulations on this have yet to be developed, as the industry is still in its very early days and industry custom is yet to be established. As the regulatory framework of Kenya’s financial services firms is based on self-assessment and reporting, firms still bear all the risks associated with this reporting and, as such, may not be able to transfer any liability to regtech providers.  

Traditional financial institutions in Kenya have been exploring the possible integration of blockchain (distributed ledger technologies or DLT) to assist them in facilitating payments and creating credit-scoring models. The CBK has indicated that it has received a number of applications from financial institutions seeking approval and licensing of products and services linked to blockchain technology. 

No legislative or regulatory proposals have as yet been published with respect to blockchain in Kenya. However, industry players such as the CBK and the Communications Authority are said to be working on regulations relating to blockchain, cryptocurrencies and forex online trading.  

Although Kenya does not presently have a regulatory regime for blockchain or blockchain assets, the CBK has indicated that there is a need to create a robust regulatory framework for cryptocurrencies since they can have an impact on financial stability and may carry inherent risks. 

Although Kenya does not have a regulatory regime for blockchain, the CMA has previously issued a cautionary notice (in January 2019) warning investors against participating in Initial Coin Offerings (ICOs). The CMA's view is that ICOs form part of regulated activities as they amount to raising capital from the public, but they have not yet been approved in Kenya.  

Kenya does not currently have a regulatory regime for blockchain, including blockchain asset trading platforms. 

No specific regulatory requirements on investments by funds in blockchain assets apply in Kenya. However, regulated funds in Kenya will need to adhere to any prudential requirements and investment restrictions under the existing regulatory regimes. Noting the warning from the CBK and the CMA to their licensees against dealings in cryptocurrencies and crypto-assets, most funds are likely to shy away from investing in these assets.  

Kenya does not presently have a regulatory regime for blockchain assets, including cryptocurrencies or any other form of virtual currencies. However, the CBK and the CMA have warned persons under their regulations against dealings in cryptocurrencies and crypto-assets. 

At this point in time, Kenya does not have a regulatory regime for "DeFi" (decentralised finance).

NFTs and NFT platforms are not currently part of the fintech regulatory paradigm in Kenya as there is no specific law governing the regulation of NFTs and NFT platforms. Further, it is not clear whether the existing legal framework for intellectual property would apply and serve to safeguard the rights of artists or holders of NFTs.

Kenya is yet to publish any specific regulations or standards for open banking infrastructure and practice. The sharing of consumer data and related personally identifiable financial data by any service provider and participating bank will be subject to the provisions of the Data Protection Act. The Data Protection Act is the primary legislation on data protection and privacy that regulates the processing of personal data, provides for the rights of data subjects, and prescribes the obligations of data controllers and data processors. 

Notwithstanding the lack of open banking-specific regulation, the collection and processing (including data sharing) of personal data by banks and technology providers is subject to the provisions of the Data Protection Act. To comply, banks and technology providers are developing data processing policies that meet the requirements under the Act and that govern their operations. There has also been an increased trend towards appointing data protection officers to monitor and ensure organisational compliance with the requirements under the Act.