Fintech 2026

KENYA Law and Practice Contributed by: Sammy Ndolo, Njeri Wagacha, Brian Muchiri and Valere Nyaboke, Cliffe Dekker Hofmeyr

should emphasise clearly defined services, performance standards, and mechanisms for monitoring the service provider. It must also address data security, termination rights, subcontractor approval, audit rights, dispute-resolution mechanisms, and specify pricing and fees.

Payment Service Providers

A PSP may outsource operational functions related to payment services. However, such outsourcing must comply with specific guidelines, including:

• maintaining robust internal quality-control measures;
• ensuring the CBK retains oversight of all involved parties;
• ensuring senior management remains ultimately responsible for the outsourced functions; and
• strictly complying with customer contract terms and licensing requirements.

A PSP intending to outsource any of its functions must notify the CBK at least 30 days before implementing the outsourcing agreement.

Market Intermediaries

Market intermediaries may engage third parties to perform any of their functions, but they must maintain detailed records of each engagement. These records must include:

• contracts clearly outlining the services the third party will provide;
• verification of the third party’s legal standing, including documentation confirming financial soundness; and
• details of the skills and experience of the third party’s employees who will be performing work on behalf of the intermediary.

Even when tasks are delegated to a third party, the market intermediary remains ultimately responsible for ensuring the correct and proper completion of the outsourced tasks.

2.9 Gatekeeper Liability

Fintechs would be liable for failures to notify the Financial Reporting Centre of any transactions that are suspected to be related to money laundering or the proceeds of crime. See 2.14 Impact of AML and Sanctions Rules.

2.10 Significant Enforcement Actions

Kenyan financial laws, as set out in 2.2 Regulatory Regime, adopt similar approaches to regulatory enforcement. Accordingly, the main regulatory enforcement actions that may be imposed by regulators include:

• imposing discretionary fines;
• revoking or suspending licences;
• imprisonment of a company’s officials;
• ordering compensation or restitution to persons affected by a regulatory breach;
• issuing enforcement notices specifying the remedial actions required to rectify a breach; and
• disqualification of directors from holding office in financial institutions.

The imprisonment of company officials and the imposition of fines may be carried out through court proceedings in accordance with the applicable statutes.

2.11 Implications of Additional, Non-Financial Services Regulations

Data Protection

The Data Protection Act regulates the processing of personal data, outlining the rights of data subjects and the obligations of data controllers and data processors.

Any fintech that processes personal data belonging to individuals in Kenya, or any personal data that is resident in Kenya, must comply with the Act. Key obligations include:

• registering with the Office of the Data Protection Commissioner (ODPC) as a data controller or data processor;
• obtaining consent from a data subject before processing their personal data;
• ensuring that personal data is processed only to the extent necessary; and
• reporting and documenting any personal data breaches.
