REGULATORY ALERT
CBK Releases Landmark Draft Regulations for Non-Deposit-Taking Credit Providers
Date: August 2025
Issued by: CM Advocates LLP
Introduction
The Central Bank of Kenya (CBK) has published the Draft Central Bank of Kenya (Non-Deposit-Taking Credit Providers) Regulations, 2025, ushering in a comprehensive and robust regulatory regime for all credit providers operating outside the traditional deposit-taking framework. Developed pursuant to Section 57 of the CBK Act (Cap. 491), the draft Regulations are part of ongoing reforms aimed at promoting financial integrity, consumer protection, and systemic stability within Kenya’s credit market.
Scope of Application
The Regulations are targeted at credit providers not otherwise regulated under any other written law, including:
- Digital lenders,
- Micro-lenders,
- Buy-now-pay-later platforms,
- Peer-to-peer platforms (outside capital markets regulation).
Exemptions include:
- Licensed banks and microfinance institutions,
- SACCOs,
- Kenya Post Office Savings Bank,
- Trade credit incidental to the sale of goods/services,
- Any other entity approved by CBK.
Regulatory Milestones & Timelines
Transition Period:
- Existing providers must apply for a licence or registration within six (6) months of the Regulations coming into effect.
- Entities may continue operations during the transition but must comply with applicable CBK directives.
KEY REGULATORY FEATURES
1. Licensing vs Registration

| Capital Threshold | Requirement |
| --- | --- |
| KES ≥ 20 million | Apply for CBK Licence |
| KES < 20 million | Apply for CBK Registration |

Applications must be accompanied by an extensive suite of documentation, including:
- Corporate governance structures,
- AML/CFT, data protection, and credit policies,
- Fit and proper declarations, tax and CRB clearances.
2. Governance & Integrity Standards
All significant shareholders (≥10%), directors, CEOs, and senior officers must undergo CBK’s fit and proper assessment covering:
- Professional qualifications,
- Moral suitability,
- Financial soundness,
- Background checks under AML/CFT, Data Protection, and Consumer Protection laws.
3. Strictly Prohibited Activities
The draft Regulations clearly define the boundaries of non-deposit credit businesses. Prohibited activities include:
- Taking deposits or cash collateral,
- Foreign exchange trading,
- Fund transfers or payment services,
- Collecting upfront registration or membership fees from borrowers.
4. Consumer Protection at the Core
CBK embeds global best practices on responsible lending and consumer welfare. Key requirements include:
- Transparent pricing and disclosure of the Total Cost of Credit (TCC),
- Caps on recoverable interest for non-performing loans (interest must not exceed the principal),
- Prohibition of harassment, blackmail, and unethical collection methods,
- Mandatory consumer complaints mechanisms and dispute resolution procedures.
5. Data, Credit Information & Digital Ethics
- Compliance with the Data Protection Act is mandatory.
- Positive and negative credit information must be reported to CRBs.
- Negative listing must be preceded by:
  - A 30-day written notice, or
  - A 7-day notice for short-tenure loans (e.g., <30 days),
- Post-listing notification to affected customers within 30 days.
6. Operational & Prudential Controls
- Introduction of new products, pricing changes, or delivery channels requires CBK pre-approval.
- Notification to CBK required for:
  - Use of mobile apps or paybill numbers,
  - Outsourcing agreements,
  - Opening or relocating business premises.
- Risk management frameworks must address credit, operational, compliance, liquidity, reputation, and IT risks.
7. Oversight, Monitoring & Enforcement
CBK is empowered to:
- Conduct on-site and off-site inspections,
- Request regular reports (e.g., complaints, loan performance, CRB reports),
- Impose administrative sanctions for non-compliance, including:
  - Monetary penalties up to KES 2 million or 3x financial gain,
  - Daily fines,
  - Suspension or revocation of licence/registration,
  - Restrictions on activities, agents, or delivery channels.
Mandatory Policies and Disclosures
Every NDTCP must develop and file with CBK:
- Credit Policy,
- Consumer Protection Policy,
- AML/CFT Policy,
- Data Protection Policy,
- Code of Conduct,
- Pricing Model showing all cost components,
- Complaints register and annual returns.
What You Should Do Now
All existing or intending NDTCPs should:
- Assess applicability of the Regulations to your business,
- Initiate licensing or registration preparations,
- Update internal policies and systems to align with CBK requirements,
- Engage legal, regulatory, and data protection experts to review compliance gaps and risk exposures.
Public Participation
CBK has invited stakeholder feedback on the draft Regulations. This is a vital opportunity for industry players, fintech associations, lenders, and investors to shape Kenya’s non-deposit credit ecosystem.
How CM Advocates LLP Can Support You
Our Financial Services Practice offers end-to-end legal and compliance support including:
- Business structuring and licensing strategies,
- Preparation and filing of CBK-compliant applications,
- Drafting policies (credit, AML, consumer protection, data),
- Training boards and staff on governance and regulatory obligations,
- Representing clients in regulatory engagements and reviews.
Contact Us
Head Office – Nairobi
I&M Bank House, 7th Floor, 2nd Ngong Avenue
📧 cmaina@cmadvocates.com or law@cmadvocates.com
Mombasa Office
Links Plaza, 4th Floor, Links Road, Nyali
📧 mombasaoffice@cmadvocates.com