The 14 days given to John Bigingi to repay a loan of Sh8,200 had barely lapsed when he started receiving text messages threatening to call the contacts on his phone and expose him as a defaulter.
“Silence means you don’t want to pay your loan which is already due,” said an SMS message sent by digital lender iPesa to Mr Bigingi and shown to the Thomson Reuters Foundation.
“Take it serious. Your 50 contacts and emergency contacts will start receiving 20 calls and 15 messages (at) exactly 6pm. Pay now to avoid embarrassment!!!” read the message, which was written in capital letters.
The 42-year-old Kenyan taxi driver was horrified.
“I didn’t understand how they got my contacts but soon after they called my closest relatives, including my brother and my wife, who didn’t know about the loan,” he said.
Ipesa did not respond to requests for comment.
Experiences like Bigingi’s are increasingly common as more cash-strapped Kenyans borrow from scores of unregulated mobile-based loan apps, though a group representing the sector said such practices were limited to a few “rogue” lenders.
Offering quick, collateral-free credit to the largely unbanked, digital lenders have provided millions of Kenyans with access to finance to pay for everything from medical bills and school fees to capital for their businesses.
Economists have hailed them for boosting financial inclusion in a nation where only about 40 per cent of people have a bank account, but many are also accused by customers and digital rights groups of using unethical practices to profit from the poor.
Some borrowers say the loan apps are infringing on their data privacy by bombarding the contacts saved on their phones with calls and message when they default.
Digital rights groups also accuse them of illegally sharing clients’ personal information with third parties and charging exorbitant interest rates that push poor families deeper into debt.
Seeking to crack down on predatory lenders, Kenya approved legislation regulating the sector in December.
Data Commissioner Immaculate Kassait, who has been investigating complaints about lenders, said the legislation would curtail the abuse of private data by loan apps and boost compliance with the country’s two-year-old data protection law.
“The (new law) makes it an additional requirement for digital lenders to comply with the Data Protection Act, should they wish to retain their licences,” said Ms Kassait, whose office is responsible for enforcing the 2019 law.
Dubbed “Silicon Savannah”, Kenya has emerged as a major player in the fintech space since telecoms operator Safaricom pioneered its M-Pesa mobile money service in 2007 for people without access to the formal banking network.
From a basic SIM card-based money transfer application, M-Pesa has evolved into a fully-fledged financial service, offering loans and savings in conjunction with local banks.
In a country of 47 million people, there are more than 34.5 million active subscribers to mobile money transfer services, Communications Authority of Kenya data shows.
With mobile penetration surging, a plethora of fintech start-ups have emerged, eager to tap into the high demand for loans from low-income Kenyans who struggle to access credit due to lack of employment, collateral or guarantors.
More than 120 digital lenders operate in Kenya – some backed by Silicon Valley and Chinese investors – and are found on various platforms, including Google Play store.
Using machine learning algorithms, the apps assess the creditworthiness of borrowers by scanning personal data on their phones including contacts, mobile money transactions, their social media footprint and web history.
Within minutes, loans – ranging from Sh500 to Sh50,000 – are deposited and accessible on borrowers’ phones.
Demand for such loans has surged: two million Kenyans used loan apps in 2019, up from 200,000 in 2016, Central Bank of Kenya (CBK) data shows.
But the sector has been largely unregulated, allowing some digital lenders to engage in heavy-handed tactics.
“They called my boss and informed him that I had taken a loan and he should remind me to pay up,” said 26-year-old accountant Susan Njeri from Meru, who took a two-week loan of Sh2,300 from an app called Opesa.
“I guess they got (his number) from my contacts.”
Opesa said did not respond to a request for a comment.
Digital rights researchers say some apps have been selling customers’ personal information to data analytic and marketing firms and sharing defaulters’ details with credit reference companies, harming their future credit rating.
CBK has also voiced concern over the apps’ excessive interest rates – sometimes up to 400 per cent per year – and the impact on rising household debt.
Around 77 per cent of mobile loan borrowers had to pay penalties and were charged to roll over their debts, a 2021 survey by the Competition Authority of Kenya found.
Digital rights groups said many Kenyans were unaware of their privacy rights and did not know the loan apps were illegally mining and commodifying their personal information.
“Your data is taken, it is used to profile you and attain data on your contacts and then sold on. In return, what you get is an expensive loan which you can’t pay back,” said Grace Mutung’u, digital rights expert at the Open Society Foundation.
“The terms and conditions are difficult to understand and need to be simplified. There has to be public sensitisation.”
Kevin Mutiso, chairman of the Digital Lenders Association of Kenya, which has 25 members, said sharp practices were limited to a handful of “rogue and unscrupulous lenders”.
“It is not the intention of this technology to harm society, but unfortunately in any society there are some who have noble intentions and some who have predatory intentions,” said Mutiso, apologising for the “horrible experiences” of some borrowers.
Under the legislation approved last month, the central bank will regulate digital lenders and take action against those using illegal tactics.
Loan apps will need to have their business models approved by the bank before they are issued a licence, and will also be covered by the data protection law – prohibiting the sharing of personal data without consent.
Those found in breach of the laws could have their licences revoked or face hefty fines and jail terms of up to three years.
But some privacy rights groups questioned the government’s ability to enforce the data protection law.
“We welcome any regulation that protects peoples’ privacy rights, but we really need better implementation of the data protection law,” said Bridget Andere, Africa Policy Associate at the digital rights group Access Now.
“The government has simply not given enough importance to the issue of privacy.”
Data Commissioner Kassait disagreed, saying her office had the government support – including the budget and independence – it needed to work effectively.
Since its establishment a year ago, the office has fulfilled its mandate to manage complaints, investigations and raise awareness, she said.
“At the time of my swearing-in, I was the only employee of the Office,” she said.
“It is said that Rome was not built in a day, neither could the Office of the Data Protection Commissioner.”