A Refresher on the Licensing and Ongoing Compliance Requirements for Non-Deposit Taking Lenders in Kenya

The festive season is a distant memory, the decorations are back in storage, and that “New Year, New Me” energy has officially faded. But for many Kenyans, and the credit providers who serve them, there’s one lingering holiday guest that refuses to leave: the Krisi Loans.

Yes, those convenient, flexible micro-loans that financed everything from home upgrades to holiday travel (and perhaps one too many goat-eating sessions) are now coming due. For non-deposit taking credit providers (NDTCPs) and non-deposit taking microfinance businesses (NDTMBs), this repayment wave necessitates a reminder of a significant regulatory shift introduced by the Business Laws (Amendment) Act 2024 (the Act).

What changed?

The Act amended the Central Bank of Kenya Act (Cap 491) (the CBK Act) (with respect to NDTCPs) and the Microfinance Act (Cap 493C) (the Microfinance Act) (with respect to NDTMBs). The amendments introduced stricter compliance requirements for NDTCPs and NDTMBs, including enhanced disclosure obligations, more robust consumer protection measures, and clearer guidelines on interest rate calculations and fee structures. For these businesses, the regulatory perimeter has tightened particularly around lending practices, borrower assessments, and recovery procedures.

Non-Deposit Taking Credit Providers

For NDTCPs, the amendments introduce key provisions including mandatory transparency requirements with respect to the terms and conditions of credit that must be accepted by the borrower. Additionally, a NDTCP’s license may be suspended or revoked if the NDTCP fails to conclusively address a customer’s complaint within the time and in the manner prescribed by the Central Bank of Kenya (CBK) or if the NDTCP imposes unreasonable or unjustifiable charges on the loan.

In addition to the amendments introduced by the Act, on 7 August 2025, the CBK circulated to the public the draft Central Bank of Kenya (Non-Deposit Taking Credit Providers) Regulations, 2025 (the NDTCP Regulations) for public comments. If approved in their current form, the NDTCP Regulations shall, on commencement, apply to any NDTCP who is not regulated under any other written law. As we have highlighted in previous commentaries, the scope of the NDTCP Regulations is drafted in very broad terms and, on a literal reading, could technically bring a wide range of non-deposit taking lenders within the CBK’s regulatory purview. It remains to be seen whether, and to what extent, this broad licensing requirement will be applied to non‑deposit‑taking wholesale credit providers, project financiers and alternative financing models such as chamas.

Crucially, under the NDTCP Regulations, NDTCPs are required to either apply for registration (where their initial capital is less than KES 20 million) or licensing (where their initial capital is more than KES 20 million) by the CBK within six (6) months of the commencement of the NDTCP Regulations. The comprehensive licensing and registration framework implements different capital and compliance thresholds applying to each category.

The NDTCP Regulations will introduce comprehensive compliance requirements including detailed fit-and-proper criteria for directors and significant shareholders, stringent consumer protection measures prohibiting aggressive collection practices or unauthorised contact with customer references, and robust anti-money laundering obligations. Additionally, specific limitations on interest recoverable from non-performing loans, and restrictions on variation of pricing parameters and credit terms shall also apply. Failure to comply attracts significant consequences as CBK is empowered to impose a broad range of enforcement and administrative sanctions. These include monetary penalties starting at a minimum of KES 2,000,000, prohibitions on carrying out certain permissible activities and in severe cases, the suspension or revocation of licenses or registration.

Non-Deposit Taking Microfinance Businesses

The Act introduces significant amendments to the Microfinance Act with respect to NDTMBs. NDTMBs’ are now required to apply to the CBK for a licence to conduct their business. Any NDTMB who fails to comply with this requirement commits an offence under the Microfinance Act. The Microfinance Act as amended by the Act gave existing NDTMB’s, a six (6) month grace period to apply for licensing. This transition period expired on 27 June 2025. The transition provision in the Act allows existing NDTMBs who applied for licencing within the six months grace period permission to continue conducting their business pending determination of their applications by the CBK.

The licensing framework is complemented by comprehensive transparency and consumer protection requirements. These obligations mandate NDTMBs to clearly inform their borrower customers of all financial costs associated with a micro-loan, including interest, fees, and other charges which may only be collected if expressly provided for in the loan agreement. NDTMBs must also safeguard the confidentiality of borrower information. The Microfinance Act expressly prohibits NDTMBs from employing aggressive recovery methods, such as harassment or threats directed at a borrower or any other person. Further, the Microfinance Act requires NDTMBs to always comply with the Data Protection Act and constitutional privacy rights.

Why it matters now

As Krisi Loans mature, lenders and borrowers must take into account the changes introduced by the Act to the CBK Act and the Microfinance Act. NDTCPs and NDTMBs who offer consumer loans such as logbook-backed facilities, salary advances, or consumption loans must comply with these enhanced compliance requirements when collecting and recovering these outstanding Krisi Loan portfolios. Non deposit taking credit providers must also anticipate and plan for compliance with the more rigorous standards for credit collection practices on the horizon such as those proposed in the NDTCP Regulations. Every non-deposit taking credit provider who already has or expects to have lending arrangements with borrowers resident in Kenya must understand the registration and licencing requirements proposed in the NDTCP Regulations and prepare for registration or licencing.

This is particularly relevant in light of the CBK’s active efforts to rein in rogue lenders and strengthen borrower protections. On 25 February 2026, the Cabinet Secretary for National Treasury and Economic Planning, John Mbadi, briefed the Senate on measures the Government is implementing to safeguard consumers in the rapidly expanding credit market. He identified the NDTCP Regulations as a central tool, underscoring the pressing need for credit providers to align their policies with these requirements. He also noted that the CBK is working with the Office of the Data Protection Commissioner (ODPC) to ensure consistent data privacy standards across digital lenders.

The ODPC has similarly demonstrated a commitment to active enforcement of privacy protections in this sector. This year, the ODPC delivered a landmark decision regarding the unlawful processing of personal data by Ceres Tech t/a Rocketpesa, a popular a digital lender. The ODPC imposed a KES 700,000 penalty on the digital lender over unlawful debt collection practices including excessive texts, calls and threats. The ODPC has previously sanctioned this digital lender and others including Rosky Credit, a NDTMB over promotional messages sent to customers without their consent.

The potential risk and liability exposure for non-compliance is therefore significant. If not already done, every credit provider must undertake a review of its current consumer protection policies, recovery procedures and pricing models now to ensure that it remains compliant as the regulatory framework tightens. Debtors, meanwhile, benefit from greater transparency, but also face the reality of their obligations in a more regulated environment.

The path forward

The message is clear: the holiday may be over, but regulatory compliance is evergreen. NDTCPs and NDTMBs must balance effective portfolio recovery with adherence to both current and forthcoming regulations. This includes ensuring all recovery practices respect the new consumer protection standards, maintaining proper documentation for regulatory reporting, and preparing for the transition to the anticipated comprehensive regulatory framework. For debtors, understanding these protections, and their continued obligations, is equally important. The regulatory changes don’t eliminate debt; they ensure recovery happens within a fair, transparent framework.

At Spencer West Kenya, we are guiding clients through these changes because understanding the fine print is always in season and preparing for tomorrow’s regulations today is simply good business.

For enquiries on financial services regulation and compliance strategy, please contact Joseph Githaiga, Peter Mwaura, Michael Okeyo and Kellen Maganjo. Please note that this e-alert is meant for general information only and should not be relied upon without seeking specific subject matter legal advice.