Fintech: Using compliance as a competitive advantage in 2017

East Africa’s FinTech scene is ‘boomin’. Major disruptive developments are identifiable: crowd funding is becoming an important part of corporate finance, mobile payment is growing fast, virtual currencies such as bitcoin are gaining popularity and algorithms are providing a new way of assessing credit-worthiness.

The main challenge in launching and expanding FinTech businesses is navigating the complex regulatory landscape, to understand, develop and implement a compliance and regulatory framework and to obtain the required regulatory permissions to get started.

To add on to my previous post I thought it would be useful to highlight the key compliance issues that FinTech firms should be focused on in 2017, whether they plan to revolutionize the delivery of a financial service, or simply provide a better mouse trap to existing industry players. FinTech investors also can use this post to ask questions of the companies they have or will invest in as a way to gauge whether management’s creativity extends to the concerns of key regulators.

Operating FinTech that is separate from regulation

Ideally before rolling out, a Fintech firm will have to undertake a detailed analysis of its business model against applicable financial regulation to fully understand what can be achieved without becoming a regulated entity, or, conversely, to help them seek appropriate licenses or approvals.

Anti-money Laundering

The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) of 2009 introduced various obligations and restrictions on “financial institutions” as measures for combating money laundering. The extent to which the POCAMLA affects the operations of a Platform depends on whether the Platform falls within the definition of “financial institutions” or a “designated non-financial business”. POCAMLA defines financial institutions to include:

  • any person who transfers funds or value through formal and informal channels;
  • issues and manages means of payment including credit cards and electronic money; and
  • engages in money and currency changing.


Cyber security issues continue to present compliance challenges for everyone, with reports of high-profile cyber events now a regular occurrence. FinTech firms are no exception to this trend. In fact, the intersection between cybersecurity and FinTech business models means that FinTech firms will likely find themselves increasingly in the cybersecurity “crosshairs” in 2017.

Consumer protection 

Laws and regulations governing the provision of financial services and products to consumers/retail investors are part of the FinTech competitive landscape. Depending on the nature of the particular product or service, firms may need to understand consumer protection is a constitutional right and that a customer includes a natural person or a company which the firm may contract with or would offer its services to.

Opportunity & outlook

The momentum of the tech boom should build a good platform for potential capacities of FinTech firms in the East African region. Networking, know-how and resources sharing between start-ups, investors and established players on the market are essential for the success of startups.

Firms should also recognize that as they become more successful, regulators such as the CBK will increasingly turn their attention to FinTech. The areas highlighted above may provide the lens through which regulators will seek to further regulate FinTech. Even firms that only provide their technologies to others will feel the pressure from vendor management requirements.

The tip

Speed and reliable partnerships are key to success. To deal with the legal issues, a reliable partner makes a difference. Regulation is a hurdle but a solvable one.


The legals on phone tapping and personal data

Last Friday media reports suggested that the Communications Authority of Kenya(“the CA”) intended to roll out an application called the Device Management System (DMS) capable of tapping into a mobile phone carrier’s network enabling the CA to access personal information from people using that carrier’s network. The CA clarified that it intends to curb the proliferation of counterfeit devices by identifying and isolating those devices and denying them access to services and not collecting a subscriber’s personal information. Despite this, questions as to data protection for the rest of the users of the network have arisen.

Current position

It is well known that phone tapping, surveillance and interception of communications violates the right to privacy (see Kennedy vs Ireland (1987) I.R 587 and Coalition for Reforms and Democracy (CORD) v Attorney General Petition No.630 of 2014.)

There are two bases to challenge this phone tapping.  Firstly, the Constitution provides that every person has the right to privacy – which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

The Constitution grants every person the right to institute court proceedings when his/her fundamental right or freedom, such as the right to privacy as described above, has been denied, violated, infringed or is threatened.

The Kenya Information and Communications Act (Act no. 2 of 1998 (as amended)) (“KICA”), provides that the Cabinet Secretary in charge of  Information and Communication has the power to make regulations in relation to a telecommunication service and specifically, to make regulations on the privacy of telecommunication.

Pursuant thereto, the KICA Consumer Protection Regulations require that a Customer has a right to personal privacy and protection against unauthorized use of personal information and specifically restricts a telecommunication licensee from allowing any person to monitor or disclose the content flowing through their system.

Further,  the KICA (Registration of Subscribers of Telecommunication Services) Regulations bars the sharing of subscriber data by mobile providers without the express authority of the affected subscriber.


The current legal position in Kenya is that any person, including a public entity, collecting personal information has to abide by the Constitutional provisions of the Right to Privacy and the KICA regulations on consumer/customer protection.

Consequently, it appears that there would be good grounds to challenge the tapping of the carrier networks by the CA. For now the High Court has granted orders stopping the implementation of the CA directive ordering that it be heard on March 6 2017.


Verizon to get Yahoo at a 350M discount following cyber attacks

Yahoo will now sell its core business to Verizon at 4.48 billion USD (350 million less the original amount of 4.8) following Yahoo’s disclosure on massive cyber-attacks back in September 2016. While not a deal-breaker as posted earlier, a significant cut to the original price has left Yahoo licking its wounds and sending a message to Kenyan companies that cyber security is a big deal.

It is reported that Verizon will get Yahoo’s Internet business, which includes Yahoo Mail, Flickr, Tumblr and Web properties such as Yahoo Finance and Yahoo Sports, hoping to rival Facebook and Google in digital advertising.

Read more of the story here

Kenya’s drone regulations approved

In January I wrote on the impact of technology in Africa in which I delved deeply into Kenya’s global outlook as a technology hub. One of the issues I touched on was the impact of drone-tech in inaccessible areas looking at the success of Zipline in Rwanda. Recent developments from the Kenya Civil Aviation Authority (the KCAA) are that the Remotely Piloted Aircraft Systems Regulations (the drone regulations) have been approved enabling drone-tech firms to operate the technology. What started out in the military to increase surveillance and hit enemy targets has crossed over to wildlife conservation, film production, delivery of goods in neighborhoods, relief services, oil and gas exploration as well as recreation.

The KCAA approved the drone regulations on Monday 6th February after the authority met with the Executive Arm. An official Kenya Gazette together with an Aeronautical Information Circular will be published as soon as notice from the meeting is received. The regulations classify drones as recreational, private and commercial.

Weight, height and time

With the exception of the military, drones are not permitted in areas designated by the KCAA as restricted. Those that weigh between 0-5 kilograms are categorized for recreation or sports only. Those weighing between 5-25 kilograms will be for private activities. Those weighing more than 25 kilograms will be used for commercial purposes.

The regulations provide that a drone used for recreational or private purposes should not fly at more than 400 feet above the ground. Drone operators (who will require KCAA approval) are also barred from flying them at night.

Flying cross-borders

The regulations also require an operator starting a flight in Kenya and landing it any other territory to seek KCAA approval beforehand. The same applies to those who start flying in other countries and want to land in Kenya.

Your password may be required if you’re visiting the US

password image.pngIf you come from Iraq, Iran, Syria, Yemen, Somalia, Sudan and Libya, your social media passwords may soon be required to enter the USA according to Security Secretary John Kelly. According to news reports this was one of several issues considered as additional screening measures to vet refugees and visa applicants from those countries during talks around Trump’s embattled executive order on immigration.  While this was not an official policy decision, to suggest it on the record indicates the Government’s intention.

Using social media as part of the verification process is not new. The Obama administration had proposed a Social media identification policy however requiring passwords ended up not being a part of it.

Should this pass, there will be challenges. Noting how easy it is to create fake social media accounts, one may wonder why this was on the agenda.

I shall not touch on the obvious privacy issues arising with one volunteering their password.

Let’s wait and see how this pans out.

The impact of technology in Africa

As a major transformative force around the world, technology is increasingly disrupting existing monopolies and in some segments, completely changing the game. From  artificial intelligence technologies (AI), financial services technology (fin-tech), Medical care technology (med-tech), education (edu-tech), innovations in law (legal tech), mining and exploration (mine-tech) among others, supported by high-speed internet penetration and mobile phones offers Africa a huge opportunity to enhance development.

Africa’s penetration of smartphones is expected to reach 50% by 2020, from only 18 percent in 2015.[1] Mobile payments are sweeping across the region with East Africa being the global leader in mobile payments. E-commerce is growing fast as is e-learning.

Technology has also been used to bring government officials to task and therefore there is an increase in integrity and accountability of government officers. This should offer investors comfort to come in. Given this relative stability, some of the regions commercially oriented start-ups such as Africa Internet Group and Interswitch are either being acquired or going public. Investors will be keen on which others show similar potential.

Ubiquity in internet access 

Placing internet access in a ubiquitous position requires consistent innovation. Companies have began testing alternative technologies to make this possible such as Google’s balloons [2] and Facebook’s solar powered drones[3]). Currently there are two impediments to a fully connected continent:

  1. Cost – costs are many times higher in Africa, an Internet Society report mentions that a person needs 15.7% of average GDP per capita in Kenya to get broadband – compared to less than 2% in Europe[4].
  2. Geography – the geography of Africa is extremely challenging with large open spaces or dense jungle – often sparsely populated.

Full internet connectivity is likely only going to come through a mix of technologies and cost improvements.


In 2013 Kenya completed a pilot on the deployment of internet use in rural areas. Dubbed Project Mawingu[5] (Swahili for “cloud”), Microsoft together with Strathclyde University, local telecoms firms and the Communications Authority began tests to provide affordable, high-speed wireless broadband to rural areas using alternative untapped technologies in TV “whitespaces” (TVWS).

White Space refers to the unused broadcasting frequencies in the wireless spectrum. Television networks leave gaps between channels for buffering purposes, and this space in the wireless spectrum is similar to what is used for 4G and so it can be used to deliver widespread broadband internet. It is believed that Kenya could lead the way with a model of wireless broadband access that in Europe and the USA has been tied up in red tape.  This pilot does not require mains electricity and is being run totally on solar power.

The internet  impacting  traditional/rural societies on education and social norms

There are, two schools of thought in African societies in relation to the impact of the internet:

  • Those who embrace the internet as a tool to protect, maintain and promote cultural diversity; and
  • Those who believe that the internet serves only to endorse capitalist ideals and sanction products of the modern industrial society[6]

There is no denying that a democratization of information will lead to impacts on traditional and rural societies.  Western social mores, celebrities and news are going to be now available to everyone.

That said, there is no guarantee that traditional and rural societies will be overwhelmed.  The internet will allow people’s art, language, culture, histories and traditions to be shared, learned, promoted and distributed[7].

The expansion of mobile money payment systems such as M-Pesa. 

Expansion to new markets in developing countries is continuing as is bringing more people into the mobile money market. As at March 2016, M-Pesa had entered into Tanzania, DRC, Mozambique, Uganda, Rwanda and Zambia.

In India, the National Rural Livelihoods Mission uses M-Pesa to enable financial inclusion for women’s groups. The Mission is using the service to disburse pre-natal health benefits.

A mobile money solution is proven in Kenya to bring people into the money economy and in unbanked countries, is a good way of bringing people out of barter into the money economy. However, M-Pesa’s current iteration will  not have success in more developed countries.  Mpesa failed in South Africa[9] partly due to the fact that most South Africans already have good banking access.

The impact of drone technology in inaccessible areas.

The potential in this space is huge. In Rwanda, San Francisco based start-up Zipline got the go ahead to pilot drone tech in doing daily deliveries of critical medical supplies (primarily blood and vaccines) to 21 locations across the country.  Drones allow items to be delivered in areas where roads are unreliable or impassable.

As elsewhere in the world, African regulators are struggling to determine the appropriate regulatory response. In Nigeria [10] the person flying the drone must have a pilot license and pay significant fees to get a security clearance.  Kenya has similar rules currently before the National Security Advisory Committee.  Until then, the use of drones is banned. Drones will remain a future technology until the regulatory issues are resolved.

The educated urban elite and global competitiveness

The educated urban tech-savvy African now has all his work and school in his phone and backed up in his email-managed cloud account. With good internet access, he/she can join meetings virtually, submit school assignments and work reports, run a successful business while still keeping tabs on family and friends.

The educated urban elite in Africa is becoming more like the urban elite of other countries and joining the global middle class.  Africans have been ready adopters of platforms like Facebook and twitter.

Africans are learning to code and adapting programs to their particular needs.  There is a thriving technology scene in Africa’s bigger cities – Lagos, Nairobi, Cairo – where Africans are developing African solutions to their problems.

That said, it is unlikely that African technology will emerge as a major player on the world scene.  The big money in technology resides in Los Angeles/San Francisco, London and New York.  Africa’s best and brightest technologists will likely end up in those cities working for Google, Facebook or Microsoft.

Social media as an organizational tool for political systems

The Arab Spring showed the power of social media on corrupt and violent governments.  High internet penetration and social media allowed protesters to mobilize and organize these revolutions.

Social media gives a voice to the people that might not otherwise have existed in many regimes.  It is clear that the Chinese Communist party has realized that not only does social media bring down governments but that it also gives governments a real time insight into what people are interested in[11].

In China, the government is both listening and also looking to capitalize on the data created by social media and internet interactions as a tool of social control[12].  China’s track record of censorship and suppression is now extending online with no open Internet and no Net Neutrality in their vocabulary.

In Africa there is a big hurdle to social media having a positive or negative social impact – only urban elites are generally on social media so it is unlikely to lead to a mass movement in sub-saharan African countries (Kenya and South Africa excepted where internet usage much more prevalent). Consequently, social media is unlikely to have any impact on political systems in the near term – but who knows about the future.

There will still be brain drain

The internet has removed the tyranny of distance and allows a good professional sitting in Africa to work anywhere in the world.  Sites such as upwork, freelancer and others allow people to sell their services to a worldwide market.

That said, the big deals and high profile jobs are still based in London, New York, Paris and Berlin.  It is, to a certain extent, a rite of passage for an African professional to seek professional fulfillment overseas.  The internet is unlikely to change this to any great extent.

Tech prospects on raw material extraction and advanced manufacturing in Africa?

  • Mining

African mining is currently extremely labour intensive and dangerous for the miners.  Technology will undoubtedly change both of these things.  Mining in many other jurisdictions is much more automated – especially once the grades of ore become poorer.

Much of the mine-tech used in Africa is developed abroad. As a result, most companies remain at the early stage of the adoption curve-placing a majority of their innovation focus on technological optimization of old techniques in a bid to reduce costs or discover deposits more efficiently. Given the rapid pace of technological advancement, companies have to keep an eye on cross sectional innovations that may impact mining in the future. These include:

Artificial Intelligence: The move towards autonomous vehicles and automated technologies such as Australia’s AutoHaul has already revolutionized mine operations. As the “intelligence” of these machines grows, they will be able to perform increasingly complex tasks, including hazardous processing activities—reducing labor costs and enhancing productivity as a result.

Wearables: there is huge potential for innovations in the occupational safety market which mining is one of them. For example Night runner a US product initially developed for night athletes is being reconfigured to cater for miners of the night shift.

  • Advanced manufacturing

The prospects for significant amounts of advanced manufacturing in Africa are bleak.  The lack of infrastructure (bad roads, ports, limited rail options), political instability in some states, lack of reliable water and electricity, lack of access to local markets and generally low productivity among the workforce means that companies seeking to set up advanced manufacturing generally look elsewhere.

That said, progress is being made in relation to each of these impediments and it may be that Africa can look forward to a future of rapid industrialization.

Investment interests and drivers

Africa shows that there is potentially a feasible market in catering to the developing lower classes.  You don’t need to have a product that appeals to the AB demographic in a western country to be successful or make a meaningful impact in Africa.  There is a huge demand for products and services that cater to the less developed parts of the continent.

For example the informal economy represents about 80% of the total job market. A large number of informal businesses lack access to services such as ERP systems, small business banking (even with Mpesa, a large number of Africans are still unbanked), affordable third-party logistics or internet access. These present a huge opportunity for VC-backed start-ups to attempt scalable applications.


Kenyan based startup Lynk focuses connecting households with informal workers. Borrowing from the LinkedIn model, the application has been dubbed the LinkedIn for the ‘linked out’ allowing customers to book services from over 60 categories, ranging from plumbers to nannies. The platform works via mobile app, the web and SMS, and automatically identifies qualified workers based on sub skills and other signals such as location, price range, language and experience.

There are several pre-requisites for Africa to draw investment and interest:

  • Political stability – African countries have risen from past hostilities, creating the political stability necessary to attract investment thus far. For the momentum to continue there has to be a continuation of this stability and a strong legal protection of assets.
  • Appropriate regulatory standards towards Data Protection and Cyber Security – Africa’s tech sector is not bullet proof to cyber threats that face the industry in other parts of the world. Anti-virus adoption and creation of awareness around cyber security is key to building the trust of investors. In addition, Africa needs an increase in tech lawyers to better advise potential investors.
  • Increase Africa’s internet bandwidth and develop a stronger and more reliable tech infrastructure.
  • Tech-preneurs need to be equipped with business skills – there is a reason why only around 2% of start-ups attract investors, compared to more than a third in Silicon Valley. Africans may be tech savvy but not so much in the business skills to successfully grow their companies.
[1] Estimated by MGI using forecasts from The mobile economy: Sub-Saharan Africa 2015, GSMA, 2015; UN Population Division
[5] See  accessed on 3/1/2017

Threat Advisory: Key Vulnerability Found In Cisco’s WebEx Chrome Extension – Herjavec Group

A critical vulnerability has recently been uncovered in the Chrome extension of Cisco WebEx, a web conferencing software widely used by enterprise businesses, leaving 20 million users susceptible to attack. Windows Chrome users are in danger of getting hacked if unknowingly visiting a malicious website. The malicious websites host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” …

Source: Threat Advisory: Key Vulnerability Found In Cisco’s WebEx Chrome Extension – Herjavec Group

Bitcoin 101


What is Bitcoin?

It’s a digital currency.

Yeah, I get that, but who is behind Bitcoin?


What do you mean by nobody? Somebody must be controlling it!

Nobody is controlling it, it is an algorithm.

What? You mean like I-Robot? So you say the world is going to be taken over by machines?

Well, not the world, but maybe some businesses.

Right… (Rolling her eyes) But who controls the algorithm? Some mad scientist?

It’s an open source project.

An open what?

Open source, as in it’s free code. You can download it from the internet and do with it whatever you want.

So you don’t have to pay for the “program”?

Well, it’s free as in freedom, not free as in beer.

What does beer have to do with it?

The code is not only free in the sense that you can use the program free of charge, it is also free in the sense that you can take the code, modify it, and release a program of your own with it.

Wait a second! If I can do that then I can make my own bitcoins. What value does a bitcoin have then?

No, you cannot mint your own bitcoins. What you can do is invent your own currency. And then you have to somehow make it gain acceptance…

Oh! But this surely is the end of Bitcoin. If you can make as many currencies as you want, none of them would have any value.

Currencies have value because of social convention. Bitcoin has value because people are willing to assign value to it.

I don’t think you are right. Euros or dollars have value, everybody knows that.

Well if bitcoins do not have value I will gladly accept your bitcoins (smiling).

Bitcoins are not backed by anything so they cannot have value.

Neither shillings, dollars nor Bitcoin are backed by anything. You can say that all of them are the result of consensual hallucination. They have value because people give value to them. There is not much difference between them in this regard.

I don’t think so. You can buy things with euros or dollars, but what can you buy with bitcoins?

You can buy almost anything with bitcoins. There are companies that will gladly accept your bitcoins in return for regular currency that you can use to buy anything. Converting bitcoins to sovereign currencies is just a technical interface and many companies provide this service. Besides, you can do things with bitcoins that you cannot do with sovereign currencies.

Like what?

For example, you could launch a crowd-funding campaign, just creating a special type of Bitcoin transaction.

That sounds cool.

There are many more applications that were impossible until now, such as a car which reads its ownership from the cloud. If you want to buy the car, you just pay the owner with bitcoins and the car knows automatically you are its new owner because it can look it up in Bitcoin’s database. And there might be more applications to come that nobody has thought of yet, as was the case (and still is) with the internet.

I guess I did not think of it that way.

As they say, a currency is just the first application. The technology allows transferring value securely and in a decentralized way and this can lead to many new cool applications.

I am intrigued; I’d like to learn more.

Another drink?

*credits to Pedro Franco

The Internet of Things: approaches to liability

Think of a world where physical objects are seamlessly integrated into an information network; cars, homes, books, watches, spectacles, kitchens and so on. And where the physical objects can become active participants in business processes that is, they become ‘smart’, coupled with services being available to interact with these ‘smart objects’ over the Internet, analyze their state and any information associated with them, taking into account security and privacy issues. That is the Internet of Things (IoT) and it is here.

Mckinsey estimates that IoT impact on the global economy might be as high as $ 6.2 trillion by 2025 and there lies the issue. Given the current surge in cyber-attacks, businesses and consumers will be keen to understand liability and risk allocation in IoT.

The curse in the blessing

We are now able to control the various connected devices on the network using an app on our phones and tablets. However, like anything digital, these networks run the risk of being hacked. The question is who is liable when something goes wrong?

As the IoT can connect devices from different manufacturers, it is possible for a user to own a smart TV from maker X, a smart coffee machine from maker B, and a smart air vent from maker A, which are all controlled by a smartphone from maker Z that runs on software created by a third-party. Looking at the complexity of these connected devices makes it much harder to establish who is liable, under current laws and regulations, when something goes wrong.

Even on a simple level, if a smart cooker leaks when a smart toaster is turned on, causing it to explode and burn down a house, the owner has a plethora of companies who are liable for the loss. These range from the retailer, to the manufacturers, through to the developers of the phone app or cooker-toaster software. Will one party be solely accountable? Or will the parties involved in creating and processing the integrated data components of the cooker and toaster be liable to some extent?

This interoperable risk is heightened as many of these devices are likely to be mass produced and therefore, not secure enough to protect personal data.

Product liability

The situation with product liability may not be that complex today. When a stand-alone consumer device is malfunctions within a specified period of time, the user is entitled to certain remedies that are implied into every sale.

Product liability law in Kenya is governed by the Consumer Protection Act (the CPA) which introduced statutory liability for defective products. Liability under the CPA exists alongside liability in negligence, and in some cases a common law claim may succeed where a claim would not be available under the CPA. The CPA applies to both products used by consumers and products used in a place of work. The CPA imposes strict liability on manufacturers of defective products for harm caused by those products. This means that people who are injured by defective products can sue for compensation without having to prove that the manufacturer was negligent. It is merely necessary to prove that the product was defective, and that any injury or damage was most likely caused by the product.

Product liability will continue to play a role in the IoT. For example, if a smartwatch develops a mechanical fault shortly after purchase the user is able to return it to the seller.

Degree of liability

Worryingly to manufacturers of IoT devices, network providers and software developers, a user may bring a claim against one or all of them following a device malfunction or security breach. It is not clear if the aggrieved user will be required to prove that they have suffered damage as a result of an IoT player’s actions or if the courts will adopt a ‘strict liability’ approach.

Alternatively, courts can consider apportioning liability between everyone in the IoT product and network circle, regardless of their culpability. But even this poses problems. For example in a security hack of a network router, a court would have to decide if liability lies with the router manufacturer, the internet service provider or the actual hacker. The latter option may prove problematic as many hackers are anonymous.

Criminal or civil remedies

Currently, the law is not clear whether an aggrieved user is entitled to a criminal remedy, a civil remedy, or both. All likelihood points to the severity of the liability. For example, a mere malfunction of a smart fitness monitor leaving the user unable to measure their heart rate at the gym, is not likely to give rise to a civil or criminal conviction.

Futuristically on the other hand, a smart city malfunction could create both criminal and civil liability. For example, if smart traffic lights installed by a county council malfunction, and an automated car driving under them is incompatible with the traffic lights, meaning that the car fails to stop and drives into an oncoming vehicle, the result could be serious injury to road users. A situation like this could raise claims of criminal liability. However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car. In this type of situation, looking outside the traditional liability frontiers may be required.

IoT is still a work in progress

Regardless of how they are used, there is always the potential for a device to malfunction or for a network to be hacked. The IoT will create new risks and this in turn will require a focus on liability.

Indeed IoT is still in its early stages. The legal fraternity needs to consider either new forms of liability, or new ways to manage and apply existing laws to different entities in the IoT supply chain. With the security and privacy risks a growing public interest issue, the IoT is still a work in progress.

Getting regulatory approvals for Fin-tech: It’s not a one stop shop yet.

Fin-tech in Kenya was pioneered by Safaricom’s M-pesa application at a time when there was no regulation, pushing the unbanked and informal sector (which represents 80% of the total job market) to buy mobile phones and move from brick-and-mortar banking into the digital economy. Since then, Fin-tech has expanded to person-to-business (P2B – utility payments, shopping etc.), business-to-business (B2B), and credit and savings services, purchasing and transferring of airtime and so on.

Regulatory Framework

The current regulatory framework poses challenges that could potentially be a barrier to innovation and investors. Fin-tech obscures the current independent sectors of regulation; telecommunications and banking presenting an overlap between different ministries and Government agencies. It involves confirming with these agencies whether licensing or authorization is needed to operate, in addition to understanding which licenses would apply.

Generally, a tech company looking to launch Fin-tech in Kenya should be aware of the following licenses and applications.

1. An application to be authorized and designated as a payment service provider from the Central Bank of Kenya (CBK) for the money transfer services it would offer its proposed users. CBK has to be satisfied that the tech company has a minimum core capital of Kenya Shillings five million (KES.5,000,000/=) to be licensed as an electronic payment service provider. The CBK may label/designate the platform as a payment system if it believes that its payment system poses systemic risk, is necessary to protect the interest of the public, or if designation is in the interest of the integrity of the payment system. Though Kenya Electronic Payments and Settlement System (KEPSS) is the only payment system that is known as having been designated, the decision to designate remains with CBK.

2. Application to the Communications Authority of Kenya (CA) for a Content Service Provider (CSP) license, an Application Service Provider (ASP) license and /or a Network Facilities Provider (NFP) license;

  • Where the platform features sending SMS’s using a network carrier in Kenya, it will be considered to be providing a communication service under Kenya Information and Communication Act and thus a Content Service Provider CSP license would be needed.
  • Where the platform provides notifications and alerts in connection with the Fin-tech products that it offers, the platform will need to be licensed as an application services provider (ASP) by the CA.
  • Where the tech company will in addition to the above set up and operate communications infrastructure (based on satellite, mobile or fixed), it shall be required to procure a Network Facilities Provider (NFP) license.
  • If the application will only be web based then CA approval may not be needed however this needs to be confirmed by them.

3. If the platform offers cross border sending or receiving of money (money remittance), the tech company has to be licensed as a money remittance operator. For this license, the company has to demonstrate that it has a core capital of at least Kenya Shillings twenty million (KES. 20,000,000).

4. Other legal requirements that would be considered are money laundering, bribery, consumer protection, data protection and cybercrime.