The credit model decided in a second. Two regulators will ask what it decided on.
A digital lender scores and decides a loan in the time it takes to tap a phone, on data the borrower barely knows the lender holds. Kenya now inspects that decision twice — the Central Bank for fair and transparent lending, the data regulator for whether the data behind it was lawfully obtained and used. The decision and its data both have to hold.
Digital lending is the fintech workflow African regulators have moved on most decisively, because it caused the most harm. Kenya's Central Bank, having been given the power in 2021, licensed Digital Credit Providers under dedicated regulations from 2022, and by mid-2025 more than 150 licensed lenders had advanced 5.5 million loans worth 76.8 billion shillings, mostly through USSD codes and apps. The model reads a thin file — airtime top-ups, mobile-money history, app behaviour, sometimes the borrower's own contacts — and decides a small, short loan instantly. The reach is genuine and the inclusion is real; so was the harm that brought the regulators in.
The regulation is unusually specific about both the decision and the data. The Central Bank licenses the lender, requires transparent pricing, and has moved to cap charges and reclassify digital lenders under tightened rules. In parallel, the Office of the Data Protection Commissioner requires every Digital Credit Provider to register, has fined lenders for abusing borrowers' personal data, and has asked the Central Bank to revoke the licences of repeat offenders. The harvesting of a borrower's phone contacts for debt collection — once the industry's signature practice — is now a criminal offence, and the courts have held that tapping 'allow' on a permissions screen is not informed consent. The lending decision and the data behind it are governed by two regulators at once, working in concert.
That dual inspection is what makes digital credit distinct from the bank lending covered elsewhere. A bank's credit decision is tested for prudential soundness and fair treatment; a digital lender's decision is tested for those and for whether the alternative data that powered it was obtained and used lawfully. A model that scores accurately on contact lists harvested without informed consent has made a decision that is sound as credit and unlawful as data processing — and the second failure now carries criminal exposure, not merely a fine. Accuracy is not a defence if the data underneath it should never have been used.
The over-indebtedness concern sits underneath all of it. Digital credit is fast, small, and easy to roll, and the same speed that includes the underserved borrower can trap them in a cycle the lender's model has every incentive to sustain. Regulators have applied the in duplum rule to cap accumulating charges and required notification before negative credit-bureau listing. A lending model optimised purely for repayment probability, with no account of whether the loan is suitable, is exactly the pattern the consumer-protection rules were written against — and a lender that cannot show its decisions weighed suitability is exposed as the rules tighten.
The operational gap is that the scoring model returns a decision without a basis either regulator could read. When the Central Bank asks why a borrower was lent to on terms they could not sustain, or the data regulator asks what data the score was built on and whether it was lawfully held, the lender is reconstructing the answer from a model that logged only an outcome. A credit decision that cannot show both its reasoning and the lawful provenance of its data is undefendable on the two fronts that now matter most.
The licence itself has become the precondition for everything that follows, including recovery. In 2025 Kenyan courts dismissed scores of loan-recovery suits brought by lenders that lacked a Central Bank licence, and applied the in duplum rule to cap the charges a digital loan could accumulate. A lender that decides and prices outside the regime cannot enforce the debt it creates, which turns compliance from a cost into the basis of the business: a non-compliant decision is not merely exposed to a fine, it is unenforceable, and the loan book built on it is worth less than it appears on the balance sheet.
A score built on contacts harvested without consent is sound as credit and criminal as data processing. Accuracy is not a defence.
Where each sits.
Akki governs which data sources feed the credit model and logs the lawful basis for each, so the lender can state exactly what the decision rested on and prove its provenance. The Data Protection Commissioner's demand to show what data was processed and on what basis becomes a query against the platform rather than a scramble through a model nobody can fully account for.
Solva structures the credit decision and produces the basis underneath it — the factors that drove the score, their grounding, and the confidence the evidence warranted — and refuses to decide on data it cannot establish was lawfully obtained. Where a decision would rest on harvested contacts or data outside the consented purpose, it surfaces that rather than scoring on it. The lender can show the Central Bank a reasoned, suitability-aware decision and show the data regulator that the data behind it was lawful.
Alternative-data lending is a strong home for SyniSense. The mobile-money history, airtime patterns, and behavioural data the score rests on are anonymised at the perimeter so the model reasons over the repayment pattern without holding the borrower's life in identifiable form off-platform — and the categories of data the regulations forbid, such as harvested contacts, are kept out of the model entirely rather than filtered downstream.
For the credit head, the decision is defensible to both regulators at once. It carries its reasoning for the Central Bank and the lawful provenance of its data for the Data Protection Commissioner, so the decision that was sound as credit is also demonstrably lawful as data processing — the two tests a digital lender now has to pass together.
For the data protection officer, the criminal exposure that the contact-harvesting prohibition created is closed off by construction. Forbidden data categories never enter the model, and what does is logged with its basis, so the firm is not relying on a downstream filter to keep it on the right side of a criminal line.
For the borrower, the protection is real on both fronts. The decision weighs suitability rather than only repayment probability, and the data behind it was lawfully obtained — which is precisely the combination the consumer-protection and data-protection rules were written to require.
For the regulator — the Central Bank, the data commissioner, and the competition authority that share oversight of this market — the lender presents decisions that are transparent, suitable, and lawfully grounded. That is the posture that separates the licensed lender the regulators want in the market from the rogue one they are working to remove.