The Office of the Data Protection Commissioner (ODPC) has asked the Central Bank of Kenya (CBK) to revoke the licenses of two digital lenders for persistent breaches of data protection laws.
In a statement, the ODPC said despite previous administrative actions against these lenders, borrowers are still complaining of intrusive and aggressive practices, hence the call for stricter enforcement.
Breaches and Data Protection Laws
According to the ODPC, digital lenders are still violating data protection regulations, particularly on the use of borrowers’ personal information, including unauthorized access to phonebooks. This has continued even after the CBK introduced new regulations to curb such breaches.
The CBK’s Digital Credit Providers Regulations of 2022 prohibit digital lenders from accessing customers’ personal contacts or sharing sensitive information online, yet some lenders are still practicing what was meant to be curtailed.
What the Regulations Say:
- Debt Collection Practices: Digital lenders are not allowed to access a borrower’s phonebook or contact list to pressure family and friends into repaying loans.
- Online Shaming: The regulations also outlaw posting personal or sensitive borrower information online or on other public forums to shame defaulters.
More Complaints from Borrowers
Immaculate Kassait, the Data Commissioner, said the breaches are persistent. “We have seen a reduction in complaints, but we still have rogue digital lenders,” she said, referring to the repeat offenders.
The CBK can suspend or revoke the licenses of lenders who breach these regulations. The ODPC has written to the CBK to take action against the repeat offenders.
Digital Lenders’ Rogue Practices
A spot check in June 2025 found some digital credit providers (DCPs) had gone back to old debt collection methods. One is Chapeo Capital Limited, a CBK-licensed lender operating apps like ZKPesa and Chapeo Cash. The company was found to have sent harassing messages to individuals on borrowers’ contact lists, asking them to pressure their contacts to repay.For example, one of the messages read: “Your contact **** has an outstanding loan of Sh1,720 for 7 days despite several reminders. This is business money and payment is expected ASAP. Please urge them to pay NOW.”
Other digital lenders under the spotlight are Whitepath, Rocketpesa, Platinum Credit, Azura Credit and Mulla Pride, all of which have been accused of debt-shaming. Some of these companies have already received regulatory warnings and fines.
Support for Tougher Enforcement
The Digital Financial Services Association of Kenya (DFSAK), which represents digital lenders, is backing ODPC’s stance. The association’s chairman, Kevin Mutiso, said some licensed lenders had become complacent, thinking the CBK and data protection rules would be soft.
“There is a perception that regulation can be managed. Enforcement will be a signal that this can no longer be the case,” Mutiso said, adding that swift enforcement will restore the image of digital lending.
Current Digital Lending Landscape
As of June 2025, the CBK had licensed 27 digital lenders, but over 574 digital lenders are still awaiting approval. The CBK started regulating the digital lending sector following public outcry over exorbitant loan costs and aggressive debt collection tactics.
Digital lending has become a popular option for many Kenyans seeking quick, unsecured loans for emergencies. However, issues related to high-interest rates, harassment, and data privacy violations have raised concerns about the sector’s regulation and ethical practices.