KENYA Law and Practice Contributed by: Sammy Ndolo, Njeri Wagacha, Brian Muchiri and Valere Nyaboke, Cliffe Dekker Hofmeyr
Failure to comply with the Data Protection Act may result in administrative penalties of up to KES5 million (approximately USD35,000) or 1% of the preceding year’s annual turnover, whichever is lower. Additionally, a fintech may face criminal sanctions, including imprisonment for up to ten years or fines of up to KES3 million (approximately USD20,000).

Consumer Protection

The Consumer Protection Act safeguards consumers and prohibits unfair trade practices in consumer transactions.

Under the Act, businesses are strictly prohibited from providing false, misleading or deceptive representations about their products or services. This includes:

• claiming a product has characteristics it does not actually possess;
• implying higher quality than what is accurate;
• suggesting availability for reasons not disclosed; or
• contradicting information previously provided in advertising.

Businesses must also clearly explain a customer’s rights, remedies and obligations, and must not use exaggeration, vague language or hidden information to mislead customers.

The Act further prohibits unconscionable representations. A representation is considered unconscionable where a business knows – or should reasonably know – that a consumer is unable to protect their own interests due to factors such as disability, lack of understanding or illiteracy. Unconscionable conduct also includes agreements that are excessively one‑sided or where a consumer was pressured into entering the transaction.

If a fintech makes a false, misleading, deceptive or unconscionable representation, the customer may rescind the agreement and seek additional remedies under the law, including damages.

Cybersecurity

The Computer Misuse and Cybercrimes Act (CMCA), Cap 79C of the Laws of Kenya, provides a framework for the timely and effective detection, prevention, response, investigation and prosecution of computer and cybercrimes.

Under the CMCA, any entity that provides users with the ability to communicate through a computer system (ie, a service provider) must:

• comply with any court order requiring the submission of subscriber information to a police officer or authorised person;
• comply with requests from a police officer or authorised person to preserve data at risk of modification, loss or destruction; and
• respond promptly to requests for assistance from a police officer or authorised person.

Fintech companies fall within the definition of a service provider and are therefore required to meet these obligations.

Additionally, any person who, without authorisation, gains access to, interferes with or intercepts data relating to a protected computer system commits an offence. Upon conviction, the penalty may include a fine of up to KES25 million, imprisonment for up to 20 years, or both. A protected computer system includes systems used directly in connection with communication infrastructure, banking and financial services, and payment and settlement systems and instruments.

2.12 Review of Industry Participants by Parties Other Than Regulators

The activities of fintechs are largely subject to review by various private industry organisations, such as the Kenya Bankers Association, the Fintech Association of Kenya, the Digital Financial Services Association of Kenya and the Association of Fintechs in Kenya.

These organisations aim to act as forums for education, information sharing and networking between fintechs, policymakers and the general public.

2.13 Conjunction of Unregulated and Regulated Products and Services

Industry participants do offer unregulated products and services, but such activities are undertaken through affiliate entities rather than by the regulated entity itself, due to restrictions placed on the regulated entities by the applicable laws. For instance, a