.
Kenya's Digital Payments Regulatory Checklist for Businesses
Quick disclaimer
Regulation changes. Use this as a practical checklist and consult the Central Bank of Kenya (CBK) and Communications Authority (CA) or legal counsel for binding advice.
Practical checklist
- Know your regulators
- Central Bank of Kenya (CBK) — oversight on financial services.
- Communications Authority (where relevant for telecom-led services).
- Data Protection Office — for personal data handling.
- KYC & AML
- If your business holds customer funds or offers credit, determine if you meet thresholds for KYC/AML obligations.
- For payments processing merchants integrating with M-Pesa (as a payment acceptance channel), ensure your customer data handling aligns with DPA requirements.
- Data protection
- Store only the minimum personal data required.
- Encrypt secrets (API keys, passkeys) at rest and in transit.
- Publish a clear privacy policy and obtain consent where required.
- Transaction records
- Keep transaction logs for the legally required retention period (confirm with CBK).
- Make reconciliation records available for audits.
- Consumer protection
- Provide clear refund/cancellation terms for airtime purchases.
- Have an accessible help/support channel for failed or disputed transactions.
Final note
Regulatory compliance is an ongoing process: build for observability, law-aware record-keeping, and have escalation paths for customer disputes.