For years, Kenya focused on getting citizens into the financial system, but now, Kenyans are posing a hard question: who is protecting them once they are in?

From cash to mobile wallets, from bank queues to instant loans from mobile apps, the country built one of the most advanced digital finance ecosystems in the world. Platforms like M-Pesa became not just tools, but infrastructure powering everything from household payments to business transactions.

But the law does not always move at the same speed. That is the problem the Financial Consumer Protection Framework (2026 Draft) aims to address.

At its heart, the framework is less about introducing new rights and more about harmonising and enforcing them across a system that has grown fragmented, complex, and increasingly digital.

Why Regulators Are Stepping in Now

For years, consumer protection in Kenya’s financial sector has been split across multiple regulators, banks under the Central Bank, mobile money under the Communications Authority (CA), competition issues under the Competition Authority of Kenya (CAK), and so on. Each had rules, but the system as a whole lacked consistency.

The framework acknowledges this directly: existing protections are sector-specific and fragmented, leaving gaps that digital finance increasingly exposes. This matters because today’s financial products don’t sit neatly in one box. A single M-Pesa transaction can involve payments, credit, data processing, and third-party integrations, each under a different regulatory lens. The result? Consumers fall through the cracks.

The framework’s response is to create a single, harmonised standard that applies across all financial service providers: banks, telcos, fintechs, SACCOs, regardless of the channel they use. But what is the significance of the framework?

The Legal Shift: From Rules to Outcomes

What makes this framework technically significant is its regulation. Instead of focusing only on specific rules, it introduces what regulators call “fair consumer outcomes”. In simple terms, providers are no longer judged just by what they do, but by consumers’ experience.

Legally, this is anchored in six core principles: fair treatment, transparency, suitability, asset protection, complaint resolution, and data protection. But the real shift is deeper.

Financial service providers are now required to embed these principles into their governance, culture, and business models. Boards and senior management are explicitly made responsible for ensuring compliance. This is significant, as it turns consumer protection from a compliance issue into a strategic one.

What This Means in Practice

Much of the framework reads as a response to real, everyday consumer pain points, especially in digital finance. Take transparency, for example. The law now requires that financial information be provided in plain language, not legal or technical jargon, and that key details such as fees, risks, and obligations are clearly visible.

This is reinforced through the introduction of Key Facts Statements (KFS), standardised summaries that must be given to consumers before they sign up for a product. Think of it as a one-page breakdown of what you’re actually agreeing to.

On pricing, providers are prohibited from charging any fee that has not been clearly disclosed upfront. Hidden charges, which have long been a source of frustration in mobile and digital lending, are explicitly targeted.

And on contracts, the framework goes further to outlaw unfair terms that could harm consumers without being necessary to protect the provider’s legitimate interests.

Digital Finance Under a Microscope

The framework becomes particularly relevant to M-Pesa and similar platforms in its treatment of digital systems. For the first time, there is a clear expectation that digital platforms, USSD interfaces, and algorithms must be designed to protect consumers. With this in mind:

• Digital platforms must be easy to use and understand.
• Consumers must be given enough time to review terms before committing.
• No pre-ticked boxes or forced consent mechanisms are allowed.
• Any algorithm or automated decision-making tool must be tested for fairness and risk.

In effect, the law is no longer just regulating products; it is regulating user experience. That is a major shift for mobile money ecosystems, where design choices often shape financial behaviour.

Data, Consent, and the M-Pesa Question

Given the recent Senate discussions on unlawful data sharing, data protection is also critical. The framework introduces a strict definition of “informed consent.” Consent must be clear, specific, freely given, and easy to withdraw. It cannot be bundled into other agreements or hidden in fine print.

For platforms like M-Pesa, which sit at the centre of vast amounts of transactional data, this raises important questions about data collection, use, and sharing, particularly with third-party lenders and service providers. It also reinforces alignment with Kenya’s broader data protection regime, signalling tighter scrutiny of digital financial ecosystems.

Stronger Protections for Everyday Risks

The framework also tackles issues that have become increasingly visible in Kenya’s market. On fraud and scams, providers are required to actively monitor risks, alert consumers, and provide support when things go wrong.

In cases of mistaken transactions, a common issue for mobile money providers is assisting in reversing payments and bearing the burden of proving when a transaction was correctly executed.

The rules are even more explicit on debt collection. Harassment, public shaming, and accessing a borrower’s contact list to pressure repayment are all prohibited. This directly targets some of the most controversial practices in digital lending.

A More Coordinated Regulatory State

Perhaps the most structural change is how regulators will operate. The framework establishes a shared market conduct supervision model in which regulators coordinate, share information, and align enforcement actions.

It is designed to be:

• Risk-based (focusing on areas of highest consumer harm).
• Data-driven (using real market insights).
• Consumer-centric (evaluating actual user outcomes).

For businesses, this means fewer regulatory silos but also less room to exploit them.

The Direction of Travel

What this framework ultimately signals is a shift in how Kenya views its financial system.

The first phase was about access – getting Kenyans into the system. The next phase is about protection, ensuring the system works for them. As the Senate continues to interrogate mobile money, digital lending, and data use, this framework provides the legal and policy foundation for that conversation. However, it is important to note that this is still a draft. That means the standards are not yet final, and industry players, from banks to telcos to fintechs, still have a window to engage, shape, and prepare for what is likely to become a more coordinated and stricter regulatory environment.

In many ways, this is the transition moment. Kenya is moving from a system that enabled rapid digital growth to one that must now sustain it safely, transparently, and with built-in accountability.