John Syekei, Eddah Kiai and Rose Njeru from Bowmans analyse the security and data handling issues that impact fintech activity in Kenya
There has been a dramatic shift in the provision of financial services, and particularly in the consumer credit market, in Kenya in the past decade. An increase in the credit appetite in the market has seen financial service providers turn to technology to meet demand. Fintech companies such as online lenders, microfinance providers, mobile money service providers and even traditional banks have turned to technology as the primary base for service delivery.
In order to access the services, consumers have to register on the various platforms. This is as part of the know-your-customer (KYC) obligations, which entities engaging in lending are required to meet. The Proceeds of Crime and Anti-Money Laundering Act, 2009 (the AML Act) and the Proceeds of Crime and Anti-Money Laundering Regulations, 2013 (the AML Regulations) apply in this regard to fintech companies. This is because the AML Act relies on its own definition of a financial institution, notwithstanding the manner in which the entity is registered or set up (formally or informally).
The AML Act defines a financial institution to include any person or entity that conducts the business of lending; this includes consumer credit, mortgage credit, factoring, with or without recourse, and the financing of commercial transactions; financial leasing; or financial guarantees. Provided that an entity engages in consumer credit, it is considered to be a financial institution under the AML Act. These institutions are required to verify their customers' identity.
The AML Act provides a penalty for both financial institutions and their consumers in the event that either of them does not comply with the KYC requirements. A blanket penalty applies to any person, financial institution or supervisory body that contravenes the provisions of the AML laws. Such persons, financial institutions and supervisory bodies are liable, on conviction, to a fine not exceeding KES5 million (approximately $50,000) or to imprisonment for a term not exceeding three years, or both.
Consequently, fintech companies have to obtain an official record reasonably capable of establishing the true identity and the full names of the applicant from any applicant seeking to enter into a business relationship with the company or to carry out a transaction or series of transactions through the company's product. The legal requirement is to "verify the identity of the customer". Practically, this means relying on an official record reasonably capable of establishing the true identity and the full names of the customer. This could be a birth certificate, a national identity card, a driver's licence or a passport in case of an individual. The person's name must be collected as a minimum, and this will be accompanied with any of the other distinguishing data available from the official record relied on (customer's phone number, date of birth, identification number or passport number).
The AML Act and Regulations do not specify how the KYC information should be verified. However, the Directorate of Immigration and Registrations maintains the Integrated Population Register (IPR) System, access to which is granted on application to the Directorate. The IPR System contains data on citizens' full legal names, identification numbers, photographs, date of birth and fingerprints.
Neither the AML Act nor the AML Regulations expressly allow or prohibit the reliance on a partner's KYC verification processes. Should a fintech entity choose not to undertake its own KYC verification process, the company can formally contract with a critical, licensed third-party partner who has a legal obligation to verify the identity of their customers as part of their normal business operations.
Given the personal nature of the information provided by consumers as part of the KYC process, data protection is imperative to fintech entities, consumers and regulators. Traditionally, Kenyan consumers were more concerned with access to the facilities, and did not pay particular attention to the terms and conditions attached to such services. The recent criticisms of data privacy infringement by social networks on the world stage have enlightened many Kenyans about their rights in this regard.
Unfortunately, Kenya does not have specific legislation on privacy and data protection. Legislators are cognisant of the fact that substantive legislation needs to be in place, and have responded with two concurrent pieces of draft legislation, one published by the Senate, and another by the National Assembly's Committee on Information, Communication and Technology. The provisions of the bills vary greatly; however, they seem to be aligned on the need to put in place measures to obtain informed customer consent before data is collected and processed. The bills diverge on other critical issues, with the Senate Bill purporting to exclude the government from any data protection obligations, and the National Assembly proposing the registration of all data controllers. The fate of both bills is undetermined at the present date; however, the enactment of either will be a great leap forward in data protection in Kenya.
Currently, the main protections offered to consumers are enshrined in the Constitution of Kenya, 2010. The Constitution provides for the right to privacy under Article 31, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed. Fintech companies should ensure that the use and storage of data in their possession conforms to this right of privacy lest constitutional petitions be brought against them. As there is no singular substantive legislation on privacy, the guiding principle as set out by the courts has been based on consent of the data subject. A fintech entity should therefore obtain the consent of the data owner before collecting, processing, using and transferring data.
Tied to the right to privacy is the right to access information held by another person and required for the exercise or protection of any right under the Constitution. In essence, consumers have a right to enquire and be informed of all information held by third parties, including fintech companies. Consumers also have the right to correction or deletion of untrue or misleading information affecting them, thereby ensuring the accuracy of information held by entities on their customers. The Access to Information Act (the AIA) requires data collecting entities to appoint an 'information access officer' and make public the officer's name and contact details.
A greater burden lies on banks that have adopted fintech. The banker-customer relationship is characterised primarily by a duty of confidentiality owed to the customer. Banks are obliged not to unnecessarily and unlawfully reveal a customer's financial and personal information without the customer's consent. The unlawful disclosure of financial and personal information opens banks up to actions for damages and injunctions.
The Prudential Guidelines on Consumer Protection require institutions governed by the Banking Act to protect consumer data and privacy. This involves protection of financial and personal information through appropriate control and protection measures, which define the purpose for which the data may be collected, processed, held, used or disclosed. The protection mechanisms have to acknowledge the right of consumers to be informed about data-sharing, to access data and to obtain the prompt correction and/or deletion of inaccurate or unlawfully collected or processed data.
The board of an institution is responsible for the governance of the institution's information technology. In particular, the Guidelines on Corporate Governance require management to demonstrate to the board that the institution has adequate business resilience arrangements in place for disaster recovery and business continuity. Under the Guidelines on Business Continuity Management, it is the responsibility of the board and management to ensure that the office, data centre or server room used for recovery is not in the same building as, or close to, the institution's normal business operations. These obligations ensure that consumer data is adequately protected and can be recovered in the event of a disaster.
Given the lack of specific local regulations on data protection, local fintech companies with an international market are guided by the laws of the countries in which they have customers. For instance, fintech companies have to comply with the General Data Protection Regulation (GDPR) when offering financial goods or services to EU data subjects. The lack of proper local regulation, especially in light of the GDPR's requirement for an adequate level of protection when data is transferred, may be overcome by the companies having inbuilt protection/safeguards within the organisation.
As for foreign and local companies wishing to transfer and use locally sourced data across the border, there is currently no restriction on this. Such companies can organise and use such data in whichever way is most efficient to them, so long as they are compliant with the laws of the countries where the data is being used and/or where the foreign company is based, as applicable. However, companies should observe the principle that personal data can only be transferred to third parties if the transfer is in line with the purpose for which it was collected, and the transfer was anticipated in the notification provided to the data subject at collection.
Due to the requirements under the different sectoral laws such as the AML Act, it is important for a company to conduct a careful analysis of which regulations apply to it and the requirements under each. Thereafter, it becomes easy for the company to identify the assets or resources that are required to comply with the regulations, and to protect and develop them. Fintech companies should recognise the vital role that their computer systems play in ensuring privacy and data protection, and proper processes should be in place to maintain those systems.
Above all, internal and external safeguards such as firewalls, encryption technologies and back-up servers should be in place to ensure the data is secured and can be retrieved in the event of a force-majeure event. In Kenya, encryption technologies are expressly but inadequately dealt with under the Kenya Information Communications Act, where encryption is defined as a method of transforming signals in a systematic way so that the signal would be unintelligible without a suitable receiving apparatus.
Borrowing from the GDPR, the ability to recover and restore the availability and access to personal data in a timely manner is key. Fintech entities should come up with processes for regularly testing, assessing and evaluating the effectiveness of organisational and technical recovery measures in order to foster the secure and expeditious recovery of leaked personal information. In a breach/data leak, liability normally vests in the data processor.
Though some service agreements may stipulate that a fintech entity will not be liable for data lost or misplaced owing to a customer's negligent acts or omissions, this may not be adequate protection for fintech companies. Such a provision would cater for breach of contractual obligations to protect the data, but the entity could also be sued for breach of the constitutional rights discussed above.
Constitutional claims for breach of privacy are fairly new in Kenya. It is therefore difficult to state with accuracy what damages could be awarded to claimants. For instance, in COM v Standard Group Limited and Another eKLR, the petitioner was awarded KES1.5 million in damages for breach of privacy. The petitioner's claim against the respondent was based on an article published by the respondent which disclosed that the petitioner was HIV positive. The petitioner argued that although he had agreed to give the interview, he had done so on the condition that his image and/or name would not be disclosed by the media house.
From this case, it appears that the court would award damages based on the effect that the breach/data leak would have on a petitioner, including but not limited to, stigma, ostracism and the ability to access further credit.
AML in Kenya
The AML Act criminalises the failure to report suspicion regarding proceeds of crime, misrepresentation, malicious reporting and misuse of information, as well as the failure to comply with a court order, amongst other offences. The obligations placed on financial institutions under the act override any obligation as to secrecy or restrictions on disclosure of information imposed by any other law (section 17). There is however protection built into the act, where the information and the person giving the information relating to any offence under the act must be kept confidential.
The AML Act establishes a Financial Reporting Centre (FRC), and every financial institution is required to register with the FRC. The FRC has extensive functions and powers, including receiving and analysing reports of unusual or suspicious transactions filed by financial institutions, assisting in the identification of the proceeds of crime, and combating money laundering and the financing of terrorism.
Once the FRC receives a report, it sends the information to the appropriate law enforcement authorities, intelligence agency or any other supervisory body for further handling if the Director of FRC has reasonable grounds to suspect that a transaction or activity involves the proceeds of crime, money laundering or financing of terrorism.
Financial institutions are required, apart from registering with the FRC and filing reports of suspicious transactions, to develop and implement policies, controls and procedures approved by the Anti-Money Laundering Advisory Board that will enable them to effectively manage and mitigate identified AML risks. Continuous monitoring of all complex, unusual, suspicious or large transactions, whether completed or not, is expected of reporting institutions.
Enhanced customer due diligence is mandated on business relationships and transactions with any persons or financial institutions originating from higher risk countries, as identified by the Financial Action Task Force or the cabinet secretary. In such instances, the reporting institution is also expected to implement countermeasures, such as limiting or terminating business relationships or transactions with persons from those countries, prohibiting reliance on third parties for KYC and submitting reports listing customers and legal arrangements originating from such countries to the FRC, among others.
Compliance with the AML Act's requirements is also evidenced by maintaining records of all transactions and establishing and maintaining internal reporting procedures. The procedures should incorporate persons to whom suspicious transactions are reported and sufficient access for such a person to information necessary to determine whether the matter should be reported. An internal AML policy easily accessible to employees and on which the employees are trained is usually sufficient to show compliance. The FRC further requires reporting institutions to file an annual compliance report indicating whether the entity has complied with all the provisions of the AML Act and AML Regulations.
The AML Board has not published any report on the effectiveness of the measures to combat money laundering espoused in the AML Act, or data on the number of entities that have complied with the registration requirements. Regulated institutions, such as banks, have been issued with guidelines by their regulators, including the Guideline on Anti-Money Laundering and Combating the Financing of Terrorism (the Guidelines).
There is a noted similarity between provisions on the definition of politically exposed persons (PEPs), the focus on a risk-based approach to AML and transparency between the EU's fourth Anti-money Laundering Directive 2017 and the Guidelines. The Guidelines are however based on the AML Act and the conventions to which the state is signatory.
In conclusion, the law on privacy and data handling in Kenya in relation to fintech is not well developed. Companies have to ensure they comply with the general provisions in the Constitution and sectoral laws. International companies should always consider the laws of the relevant country where they have operations to complement Kenya's general law. AML law, by contrast, is at the other end of the spectrum: strict compliance with AML law is advised to avoid the sanctions that infringement attracts and to maintain a good corporate image.
About the author
John Syekei is a partner in Bowmans' Nairobi office and heads the intellectual property & technology, media and telecommunications practice group. John is regionally and globally renowned for his excellence in the IP space and has received several top citations and recognitions from international directories such as Chambers Global, World Trademark Review, IP Stars and WIPR Leaders. He advises clients on IP issues arising within the financial services (including fintech), manufacturing, IT, telecommunications and pharmaceutical sectors. He also runs a very busy filing practice (trademarks, designs and patents) across Kenya, Uganda, Tanzania, Rwanda, Burundi, Ethiopia and Sudan. John is an advocate of the High Court of Kenya as well as a Patent Agent, Commissioner of Oaths and a Notary Public. He holds an LLB from Moi University.
About the author
Eddah Kiai is a senior associate in Bowmans' Nairobi office and a member of the intellectual property and IT department. Eddah specialises in fintech law, intellectual property law, information and technology and telecommunications law. Her experience extends to consumer protection, e-commerce, advertising, trademarks, patent drafting, data privacy and project management. She is admitted as an advocate of the High Court of Kenya and a member of the Law Society of Kenya. Eddah graduated with a bachelor of laws (LLB) degree from the Catholic University of East Africa and an LLM degree from the University of Cape Town, and is a registered patent agent.