Access to credit has never been easier. With mobile loan products such as M-shwari to digital credit providers such as Tala, Branch, and the like, making alluring invitations for loans free of collateral and the hassle of paperwork, the borrowing culture of Kenyans has grown immensely. This is a salvation factor from the barrier of the traditional banking system which often requires collateral and depends on its customers’ credit history and empirical asset muscle.

While this quick and easy loan access is a plus as far as credit access is concerned, the burgeoning of digital lending services came with unwelcome practices with respect to data privacy. Digital lenders became notorious for predatory debt collection practices such as debt shaming.

Defaulting borrowers would receive incessant and threatening calls and messages. Some lenders even go the extent of accessing borrowers’ contacts and sending unsolicited and threatening messages to their friends, family and, worse still, employers.

The CBK (Digital Credit Providers) Regulations, 2022 however came in to try and induce some sanity into digital lending practice. The regulations not only require the licensing of all digital lenders, but prohibits the sharing of customer information without the customer’s consent. This will curtail the practice by digital lenders where they would share the customer information with debt collecting agencies, who would apply offensive methods in debt collection, such as harassing the customers.

The regulations prohibit digital lenders from using threats, violence, obscene or profane language against customers or their references or contacts for purposes of shaming them in the course of debt collection. It further prohibits digital lenders from accessing a customer’s phone book or contacts list and sending them messages in the event of debt default.

The CBK regulations serve to bolster the Data Protection Act 2019, which introduced stringent standards for data protection in Kenya. The Act prohibits collecting and sharing personal data from data subjects without their consent. Hefty fines are imposed on persons or entities that do not comply with the data protection provisions. Digital Lenders have not been spared the implementation hook of the Act.

We recently witnessed the Data Commissioner impose a fine of Ksh 50M on two digital lending firms after customers complained that the lenders had accessed their mobile phone contacts and were sending unwarranted text messages to the customers’ contacts.

The move to bring digital lending under regulation is definitely a desirable one since in an age where personal data has become a fundamental transaction tool, data protection is of most paramount need.

You can also report data malpractices by a digital lender to the CBK via

Leave a Reply

Your email address will not be published. Required fields are marked *

× How can I help you?