The Finnovation Fintech series events organized by Ethico Live had a session in Nairobi last week at the Radisson Blu in Nairobi. The event meant to steer conversations around financial innovation in the banking sector brought together key players in the industry including banking leaders, policy makers, investors and most importantly the innovators driving the change for financial inclusion. As part of the discussion one idea became prominent; the need for collaboration between the old and new; the banks and fintechs respectively. This need takes me back to the article by Sunny Bindra’s article here where he tackles the importance of staying analogue as much as it is important to go digital for the sake of progress. Collaboration was seen as a key factor to drive the agenda of financial inclusion as the banks are endowed with resources among other advantages while the fintechs operate within little to no regulation which encourages innovation among other advantages.

This article shall discuss issues discussed that touched on regulation. As the end customer of these businesses, the aspect of consumer protection was explored with regards to the emerging fintech apps available in the Kenyan market and claims that some of them charge abnormal interest rates for lending. Additionally, the apps were faulted for giving out loans without scrutinizing whether the same person had borrowed a loan on another app calling for a review of lending policies. Consequently, people borrow loans to repay loans borrowed on other apps; not surprising that these money lending apps were among the most downloaded apps in Kenya according to BAKE. In this light, it was agreed that some due diligence ought to be exercised by the apps before lending to ensure that credit is obtained for purposeful reasons. In what has been dubbed ‘fintech fueled lending craze’ that has seen almost 2.7 million users negatively listed by the Credit Reference Bureau, the government of Kenya intends to bring sanity into this area. Currently, a draft Bill (Financial Markets Conduct Bill, 2018) to regulate the lending has been proposed which among other things will seek to cap the lending rates of the different lending apps. In matters of regulating the lending apps it was agreed that it is important to not add other levels of regulators which would consequently increase the cost of compliance.

The question of whether regulation would be an enabler or a threat to financial innovation was addressed. The good example of M-pesa and how it is has grown largely unregulated as a financial services provider was given; the challenge here remains whether it should be regulated as financial services provider or under telecommunications. Despite the fear of the stifling effect of regulation, it was well agreed that it is mandatory to regulate the multi-faceted fintech space due to the various ways it is affected; systems security, cybercrime, adherence to sector standards such as PCI-DSS where a company stores, transmits and processes card information and IFRS reporting. One of the self-regulation practices that financial institutions that carry out digital banking may be involved in is the Know Your Customer procedures (eKYC), this was highlighted as a way of lenders to shield themselves from risk. In Kenya, KYC regulations are legislated only for money laundering under the Proceeds of Crimes and Anti Money Laundering Regulations.

The State of the Internet report 2017 by BAKE indicated the importance of sound regulation as regulation can affect public perceptions; progressive regulations have the potential of bringing about good perceptions hence there may be more adoption of the technology.


Having discussed the importance of policy and regulation in the fintech world, it will be mandatory to ensure that these should be formulated to enable investments. The Nigerian market was used as a good example of how policy can be used as a propeller of growth. One such regulation is the Venture Capital (Incentives) Act that gives companies engaging in venture projects incentives to operate in the country.

The issue of regulation lagging behind due to rapid technological advancements was raised. This was met by a suggestion of real time regulation in these times where lending is done in a faster way than before and as more products continue to infiltrate the market. In practical terms, the regulations should ensure that such innovations come with transparency in terms of how it works and reveal the interest rates that are charged on a monthly basis this will curtail enterprises that charge exorbitant rates to unknowing customers.

The aspect of cloud computing adoption by banks was explored. Several emerging cloud trends which legislation could have a bearing on were also highlighted such as data localization. Data localization laws are crucial because they would inform where customers’ data would be stored. Thus, informing certain business decisions such as whether to open data centres in the region. However, for now Kenya has no data protection laws and such decisions are the sole reserve for organisations.

Discussion around data analytics were held as this is as a key factor driving these fintech which use alternative credit scoring methods most of which are data driven as opposed to the brick and mortar banks which largely perform collateral based lending. Indeed, from a legal perspective, this raises data privacy issues, especially the contention around hideous terms and conditions which force users to give up data privacy to be able to use the apps.

Lastly, the issue of security of wallets (a software that facilitates the transaction of digital currencies by storing the private and public keys necessary to conduct a transaction) was addressed. It was stated that as more adoption of cryptocurrency continues it will be necessary to get a trusted wallet provider for safe transactions.




The successful report launch by the Centre for Intellectual Property and Information Technology on the use of Biometrics technology for elections was well attended with key players in the ICT sphere. The event began with opening remarks from the Dr. Isaac Rutenberg, Director of CIPIT followed by presentations on the findings on the investigations by Francis Monyango and Robert Muthuri both from CIPIT. This was followed by presentations by John Walubengo, Mr. Fernando, Sharon Bosire, IEBC representative and lastly, Senator Halake.

The report found that Kenyan voters remain exposed to personal data abuse so long as there lacks appropriate legislative and enforcement issues. The full report can be found here.

John Walubengo, an ICT expert shed more light on the General Data Protection Regulations (GDPR). The presentation focused on defining who a data collector is as per the GDPR while giving emphasis on the rights and obligations of the data collectors and data subjects. The concept of data minimization as a principle of data privacy emerged in explaining the rights of data subjects one of them being the right to have only relevant and not excessive data of the subjects collected. In terms of security of data, developers of products that use personal data were advised on the importance of not only securing data but demonstrating to users that their data is secure.

With regards to data controllers who in this case are the developers, certain obligations were highlighted. They include: breach notification, obtaining the necessary consents before using data, territoriality of data and lastly, the issue of penalties with regards to not fulfilling obligations was highlighted.

Sharon Bosire the Legal Officer at Communication Authority, brought to the attention of the attendees, the legal framework currently in existence in Kenya that addresses issues of data privacy; the Kenya Information Communication Act (KICA), 2009 and the KICA (Consumer Protection) Regulations, 2010. The CA representative was brought to task to explain why the authority did not have a portal for complaints on matters of infringement of data privacy during the election similar to the one of NCIC for reporting hate speech during the electioneering period.

Mr. Fernando Wangila, the ICT Director at National Transport and Safety Authority (NTSA) made a presentation on the efforts that the transport authority is making to ensure that the citizens’ data is secure given the introduction on the smart driving licenses that replaces the manual process of obtaining licenses. The presentation pointed to a belief that the illegalities that mar the vehicle registration and insuring of motor vehicles in Kenya will be cured through the use of online services and such efforts can only be bolstered by a secure data base that is free from manipulation. In this presentation, the aspect of integrity on the part of the authority’s officials was emphasized as a key ingredient to ensure that such databases remain accurate and trustworthy. One of the ways mentioned that would prevent illegal activities is the Transport Integrated Management System(TIMS) platform by NTSA where one can obtain digital log books, for online transfer of motor vehicles and for registration of vehicles.

The IEBC Representative gave an overview of how the IEBC systems work and the security measures that it has taken up. He sought to set the record straight with regards to security measures that IEBC has taken up to secure that citizens’ data is secure. The importance of accuracy of data that is inputted in systems was well emphasised, pointing out that inaccurate data would inadvertently affect the smooth operation of elections as was witnessed in the last elections.

Senator Halake, the Vice- Chair of the ICT Committee gave suggestions on how to tackle the data privacy issue form a legislative and enforcement point. In terms of legislation, she advised the academic sector such as CIPIT as well as other stakeholders such as KICTANET to come up with draft laws on Data Protection and Cybersecurity and submit them to the ICT committee for consideration. She emphasized that such contributions would be more practical as compared to expecting the legislature to come up with draft laws that are consistently requiring amendments due to challenges such as lack of well researched laws. In enforcement, she called for a reduction in the number of authorities being created to oversee implementation of various legislations. In this case, she applauded the recommendation in the report to allocate the role of Data Protection Authorities as is in other jurisdictions to the Office of the Ombudsman in Kenya. Lastly, she warned against adopting the provisions of the GDPR into our national legislation and called for coming up with legislation that serves our unique needs as GDPR serves the EU needs. In legislating, she pointed out the importance of striking a balance between encouraging innovation using data and protection of data of Kenyan citizens as she cautioned against too much legislation that would end up stifling innovation.