A fresh surge in privacy breaches by digital lenders has triggered fines from the data protection watchdog and turned focus on the Central Bank of Kenya (CBK), which recently introduced new laws to tame rogue players.
In the latest development, mobile lenders Whitepath, Platinum Credit, and Rocketpesa have been ordered to pay a combined Sh2.25 million in fines for privacy breaches—joining a growing list of sanctioned digital lenders and putting them at risk of drawing the CBK’s attention to enforce the regulations it introduced in 2022 to tame exploitative loans rates, abuse of personal data and unorthodox debt recovery strategies.
For example, Regulation 20 of the Central Bank of Kenya (Digital Credit Providers) Regulations 2022, prohibits the use of threat, violence, harm, use of obscene or profane language with customers or a customer’s contacts for purposes of shaming them, accessing the customer’s phone book or contact list, making calls and messages to the customer’s contacts by the digital credit providers, its officers, or agents while in the course of debt collection.
Regulation 35(1) of the Digital Credit Providers) Regulations, 2022, gives CBK powers to invoke administrative sanctions against wayward firms, including monetary fines and revocation of operation permits.
The sanctions may include a monetary penalty on a digital credit provider, its directors, officers, or employees responsible for non-compliance in such amounts not exceeding Sh500,000 for each violation or non-compliance, additional penalties not exceeding Sh10,000 in each case for each day or part thereof during which the violation or non-compliance continues.
In new determinations last week, the ODPC faulted the three lenders for violating the Data Protection Act in what is becoming increasingly commonplace in the sector despite new regulations meant to rein in such violations.
Whitepath, which operates three different loaning apps—InstarCash, Zuri Cash, and Skypesa—is the top culprit in the newly published rulings and has been ordered to pay three different people Sh1.15 million.
The lender, which has found itself on the receiving end of the ODPC’s whip before, has mainly been accused of harassing third parties listed as guarantors for loans disbursed to its clients.
It has been ordered to pay Dennis Caleb Owuor Sh250,000, and Sh450,000 each to Fridah Kemunto Obuba and Marline Ngina Mutunga, and an enforcement order has been issued against it in all rulings.
“In so doing, this office takes into account the negligent and intentional conduct of the respondent (Whitepath) in unlawfully processing the complainant’s personal data,” said Data Commissioner Immaculate Kassait in the rulings.
In all three cases, Whitepath had collected the personal data of the complainers who were listed by borrowers as guarantors but failed to notify them of the collection nor ask for their consent to that collection, violating their right to be informed.
This was also the case with Ceres Tech Limited, trading as Rocketpesa, which contacted Anthony Mwenda via WhatsApp demanding that he repays a loan he had purportedly taken, even though he denied ever tapping the credit from the company.
The regulator’s investigations revealed that someone had used Mr Mweda’s identification number to take a loan, but the lender did not inform him of the collection nor the intended use of the data collected.
“From the foregoing, this office finds that the respondent (RocketPesa) violated the complainant’s right to be informed and his right to object to the processing of his personal data,” said Ms Kassait.
Rocketpesa was ordered to pay Mr Mwenda Sh700,000 as compensation “for the unlawful processing of his personal data, and for violation of his right to be informed of the use to which his personal data is to be put.
Ms Kassait also recommended prosecution of the company’s director for giving false information to the regulator. According to data at the Business Registration Services, the company has one director and sole shareholder—Kennedy Muthonge Mwongela.
Platinum Credit Limited, which is licensed as a non-deposit-taking microfinance bank and not a digital lender was fined for contacting Samwel Kamau Waweru to market a loan product without obtaining his consent.
The lender has been ordered to pay Mr Waweru Sh400,000 and its directors have been recommended for prosecution also for giving false information to the ODPC in an attempt to cover up the breach. A handful of other digital lenders have also recently been caught in data privacy breaches, some even multiple times and fined by the data regulator, but the CBK has remained mum on the violations.
Loaning firms that have recently been fined for privacy violations include Azura Credit which operates TruePesa app, Mulla Pride, which owns KeCredit and Faircash, and Credit Watch Investments, which operates Cloadloan app.
