Kenya’s Credit Sector Faces Fresh Oversight Under CBK Draft Rule
Central Bank of Kenya has released the Draft Non-Deposit-Taking Credit Providers (NDTCPs) Regulations, 2025, inviting public feedback before 5 September. The move marks the latest step in reshaping oversight of Kenya’s fast-changing credit market and comes just three years after the first digital lending regulations were introduced.
The draft widens the regulatory net. Where the 2022 Digital Credit Providers rules applied only to lenders offering credit digitally, the new framework targets all non-deposit-taking lenders—whether they operate online, offline, or through a mix of channels. The shift follows changes made in the Business Laws (Amendment) Act, 2024, which gave the Central Bank authority to supervise the broader category of NDTCPs.
The proposed rules set out tougher governance requirements. Shareholders, directors, chief executives, and other senior officers must be vetted and approved by the Central Bank before taking up their roles. Licences must be displayed at all business premises, and every provider must maintain at least one registered office in Kenya. CBK must be notified 30 days before any branch is opened or closed.
The draft also draws clear lines on what these lenders can do. They may issue credit directly or digitally, but they cannot take deposits, run payment services, trade in foreign currency, or accept cash as security. This is meant to keep their activities within a defined scope and prevent them from drifting into other regulated financial services without proper licensing.
Borrower protection is a recurring theme. The amount recoverable on a defaulted loan is limited to the principal, interest capped at the principal, and reasonable recovery costs. Harassment, public shaming, or contacting unrelated third parties to pressure repayment is banned. Loan agreements must clearly set out all costs and repayment terms, and complaints must be acknowledged and resolved within specified timelines.
Data handling is addressed in detail. Lenders must comply with the Data Protection Act, obtain consent before sharing customer data with agents or credit bureaus, and refrain from reporting defaults of less than KSh 1,000. Outsourcing is permitted, but CBK must be informed in advance, and the lender remains responsible for its agents’ conduct.
For the regulator, these measures are about building trust and stability in a sector that has grown quickly and, at times, recklessly. CBK says effective oversight is essential to protect borrowers and the financial system. The draft also requires lenders to have risk management frameworks, cybersecurity measures, and disaster recovery plans, and to report significant IT changes.
Industry reaction is mixed. Some fintech operators worry that the compliance costs will be too high for smaller players, potentially driving them out of the market and concentrating power among larger firms. Others welcome the clarity, arguing that weeding out bad actors will help restore confidence in a market damaged by predatory practices.
Consumer advocates see the draft as a chance to reset the lender-borrower relationship. They point to the ban on harassment and stronger disclosure requirements as overdue safeguards. But they also caution that regulations on paper mean little without consistent enforcement—and that CBK will need the capacity to monitor a large and diverse group of providers.
The consultation period is short, and the decisions made in the coming weeks will shape the sector for years. Whether these rules lead to a fairer, more transparent credit market or one that is smaller and less competitive will depend on how the final regulations balance protection, accessibility, and innovation.
| Area | 2022 Digital Credit Providers Regulations | 2025 Draft NDTCP Regulations |
|---|---|---|
| Scope | Applied only to lenders offering credit digitally | Applies to all non-deposit-taking credit providers, digital or otherwise |
| Legal Basis | CBK Act amendments (2021) | Expanded powers via Business Laws (Amendment) Act, 2024 |
| Governance | Vetting of significant shareholders and senior officers | Expanded fit-and-proper checks; mandatory CBK approval before appointment |
| Physical Presence | Not explicitly required | At least one registered office in Kenya; CBK notified 30 days before branch changes. |
| Permitted Activities | Digital lending only | Any credit provision (digital or physical); explicit bans on deposit-taking, payment services, forex, and cash security |
| Consumer Protection | Interest rate disclosure; fair debt collection | Interest capped at principal; ban on harassment & public shaming; complaints resolved within set timelines |
| Data Protection | Align with Data Protection Act | Adds consent requirements for data sharing; no CRB listing for debts < KSh 1,000 |
| Outsourcing | Allowed with oversight | CBK notification required; lender remains fully liable |
| Risk & IT Governance | General provisions | Formal risk management, cybersecurity, disaster recovery, CBK notification for major It changes |
2021
CBK Act Amended
. Parliament amends the Central Bank of Kenya Act.
. Gives CBK power to license and regulate Digital Credit Providers (DCPs).
. Driven by complaints over predatory lending and data abuse.
2022
DCP Regulations Enacted
. First licensing framework for digital lenders.
. Applied to purely digital credit providers.
. Required licensing, disclosure, and fair collection practices.
2023
Market Adjustments
. Enforcement begins; unlicensed players exit or adapt
. Complaints continue, especially over debt collection
2024
Business Laws (Amendment) Act
. Expands CBK’s oversight to all non-deposit-taking credit providers.
. Removes the “digital” limitation.
August 2025
Draft NDTCP Regulations Released
. CBK publishes draft rules and opens public feedback until 5 September 2025.
. Proposes stricter governance, broader scope, enhanced consumer protection, and stronger data rules.
Late 2025
Expected Finalisation
. Final regulations to replace 2022 DCP rules entirely
