Regulatory Frameworks for Payment & Electrification Innovation in Kenya

Kenya's regulatory environment for digital financial innovation is widely (and correctly) regarded as one of the most enabling in Africa. The environment for electrification-related finance has become similarly substantive in the past two years. The Lab reads four specific instruments as the load-bearing elements of the policy terrain. They are taken in turn here.

The foundational instrument. The NPS Act establishes the Central Bank of Kenya's authority over payment systems and payment-service providers, defines licensing categories, and — crucially for the Lab's programme — provides the legal basis under which the mobile-money operators (Safaricom's M-Pesa, Airtel Money) and their aggregator counterparts operate.

The relevant operational fact for the research programme is that the NPS Act and the CBK Payment Systems Regulations that implement it provide a reasonably well-defined pathway for novel payment-service providers to engage the regulator. The CBK Fintech Office has, since its establishment, operated an active regulatory-sandbox pathway that permits pilot deployments of new payment architectures under time-limited, conditions-bounded authorisation. The Lab's finance programme treats sandbox engagement as a first-class component of any pilot that would operate commercially at scale.

What the NPS Act does not currently address — and where the Lab's policy reading identifies a specific research gap — is the treatment of non-bank cross-network payment facilitation by actors who are not themselves mobile-money operators. An interoperability-layer operator would, in the current framework, be treated either as a payment-service provider in its own right (a relatively heavy regulatory burden) or as an aggregator (a lighter burden but with specific restrictions on direct user relationships). Neither treatment maps cleanly onto what an interoperability-layer operator actually does. The Lab's engagement with the CBK Fintech Office includes flagging this specific gap.

The Digital Credit Regulations (DCR), operational since 2022, brought previously unregulated digital-lending providers under direct CBK supervision. The regulations address a real problem — the predatory-lending practices that proliferated in the unregulated digital-credit space — and impose substantive requirements on licensed digital credit providers (DCPs), including interest-rate disclosure, complaint-handling procedures, and consumer-protection standards.

For the Lab's architectures analysis, the DCR matters because it sets the regulatory floor on which PAYGO and ride-to-own asset-finance products operate. PAYGO financiers in Kenya operate as licensed DCPs; ride-to-own financiers typically as microfinance institutions or non-deposit-taking credit providers. Each licensing category imposes different compliance requirements and permits different product structures.

A live research question, pursued through the Lab's finance programme, is whether interoperability-layer authorisation grants fall within DCR's remit or outside it. Scoped, revocable, fine-grained authorisation for recurring asset-finance instalments is not, in any straightforward reading, "digital credit provision" — but it is also not obviously outside the DCR's perimeter. Clarifying the boundary is one of the policy-engagement outputs the finance programme expects to produce.

Kenya's DPA, closely patterned on the EU's GDPR, is the legislative framework governing personal-data processing by operators in the financial-inclusion space. Its key operational constraints for the Lab's research programme and for any deployed pilot include lawful-basis requirements for data processing, data-minimisation obligations, cross-border-transfer restrictions, and the rights of data subjects (access, rectification, erasure, portability) that any operator must honour.

For research fieldwork, the DPA together with GDPR (which applies to the Lab's EU-based data handling) is operationalised through the HREC-approved research protocol that specifies consent procedures, anonymisation and pseudonymisation of collected data, cross-border transfer safeguards, and data-subject-rights honouring. The protocol was reviewed and revised during 2025–26 to strengthen its treatment of consent for non-interview data types and to align cross-border data handling with both the Kenyan and EU regimes. A consolidated ICF (Informed Consent Form) was produced as part of the revision process.

For deployment, the DPA and GDPR together produce a specific constraint on interoperability-layer design: the layer must not, through its operation, create a data-processing relationship that either regime would treat as unlawful or inadequately justified. The layer's design posture — in which the user controls disclosure of her own obligation identifiers, and in which payment counterparties see only the specific authorised scope — is a direct response to this constraint. Compliance is not an afterthought; it shapes the design.

The newest instrument in the Lab's policy terrain. Published in February 2026 by the Ministry of Roads and Transport, the National Electric Mobility Policy (NEMP) is Kenya's first comprehensive policy framework for electric-vehicle transition. It names targets for EV uptake, sets out infrastructure-development priorities, specifies tax-incentive regimes, and — most relevantly for the Lab's electrification programme — addresses the financing architecture of the transition.

Three NEMP provisions are particularly consequential for the Lab's reading.

First, the policy explicitly names interoperability of charging and swap infrastructure as a policy priority. It does not, at the current level of specification, prescribe standards; it names the outcome and leaves the mechanism to subsequent regulation. The Lab's research on battery-swap interoperability (see the electrification programme and the interoperability deep-dive) is directly responsive to this provision.

Second, the policy recognises the specific financing-architecture innovations that have grown up in the Kenyan market — PAYGO, ride-to-own, BaaS — and signals regulatory acceptance of their operation in the EV context. This is a light-touch provision but a consequential one; it reduces the regulatory uncertainty that might otherwise have complicated the operators' balance-sheet planning.

Third, the policy commits (at the level of intention, with implementation details deferred) to regulatory support for diaspora engagement in the EV transition. The provision is under-specified in the policy as published; the Lab's diaspora brief develops what a substantive implementation of this provision would look like.

Read individually, each instrument is substantively well-developed. Read together, the four instruments produce a specific envelope of policy-constrained possibility that has distinctive features worth naming.

The sandbox is real but narrow. The CBK Fintech Office sandbox provides a real pathway for pilot deployment of novel payment architectures, but its scope is explicitly limited and the typical sandbox authorisation runs for six to twelve months with specific conditions on user numbers, transaction volumes, and data handling. Research-grade pilots (the Lab's target scale — 100–200 users, 10,000+ transactions) fit within the sandbox envelope comfortably; commercial scale-up requires graduating out of sandbox into full licensing.

The data regime is a constraint, not an obstacle. The DPA/GDPR overlap creates real compliance overhead but does not, in the Lab's reading, foreclose any of the research or deployment activities the finance and water programmes pursue. The specific design-posture choices that honour data-subject rights (scoped authorisation, user-controlled disclosure, minimal data retention) are in any case the same design choices that produce a durable interoperability outcome.

The NEMP opens a window. The February 2026 publication of the NEMP creates a short-to-medium-term window in which research inputs to the subsequent implementing regulations are welcomed. The Lab's policy-engagement plan treats this window as a high-priority opportunity and is preparing structured policy briefs for the relevant regulatory actors.

Cross-instrument gaps exist. The single most consequential gap, from the Lab's vantage point, is the unclear regulatory treatment of interoperability-layer operators under the NPS Act and DCR. Clarifying that treatment — through either regulator-issued guidance or amendments to the implementing regulations — is on the policy engagement agenda for 2026–27.