Digital lenders probed over breach of personal data

Immaculate Kassait

Data Commissioner Immaculate Kassait.

Photo credit: Pool

What you need to know:

  • Office of Data Protection Commissioner reported that it received more than 700 complaints.
  • Lack of data protection certificate has prevented many lenders from being licensed by the CBK.

Digital lenders have had to eat a humble pie and go slow on unethical practices such as debt shaming during debt recovery, after the Office of Data Protection Commissioner (ODPC) investigated 38 of them for breach of personal data.

The 38 were audited following growing complaints by Kenyans regarding breach of their personal data, as the ODPC reported that it received more than 700 complaints regarding unethical practices by digital lenders.

With the complaints the highest for any sector, the office said had to also partner with a global university to train the lenders to improve their operations, before they were issued with data protection certificates.

“We did preliminary inspections of 38 firms as a result of challenges we witnessed on complaints around digital lenders. When you see a consistent complaint in a certain sector, you have to ask yourself ‘what is the issue?’,” Data Commissioner, Immaculate Kassait said.

Debt shaming

The Data Commissioner said the audit process was part of compliance requirements by the digital lenders, who have to have data protection certificates to be licensed.

The lack of data protection certificate, among other factors has prevented many lenders from being licensed by the Central Bank of Kenya (CBK), close to two years since it started licensing them to clean up the sector.

“It’s a requirement that before you are licensed by the CBK, you are supposed to have a data protection certificate. The law was changed as part of cleaning up to make sure that we have hygiene in the area of digital lenders,” Ms Kassait said.

Ms Kassait said the audits revealed that many digital lenders had not factored protection of their users’ personal data in their products designs, which resulted in massive breach of people’s personal information.

The CBK started cleaning up the industry in March last year following huge complaints of unethical practices, mainly debt shaming.

Unlicensed lenders

By March, the last time CBK issued an update on licensing of the digital lenders, only 32 had been licensed, out of the 401 digital lenders who applied for license in March 2022.

“The focus of the engagements has been inter alia on business models, consumer protection and fitness and propriety of proposed shareholders, directors, and management. This is to ensure adherence to the relevant laws and importantly that the interests of customers are safeguarded,” the CBK said in March.

The regulator indicated that unlicensed lenders were required to submit requisite documentation.

Ms Kassait said since onset of the interventions, the office has witnessed a reduction in complaints being filed against digital lenders.

“They were the biggest complaints in our database, which speaks to action on their part,” Ms Kassait said.