CBK's New ID and Selfie Verification Rules: What Kenya's Digital Lenders Must Do Now

Kenya's digital lending market has exploded. The Central Bank of Kenya (CBK) has licensed 227 Digital Credit Providers (DCPs) as of April 2026, up from just 85 before 2025. All 227 CBK licensed digital lenders must now comply with stricter identity verification standards.

But rapid growth has brought serious fraud. Safaricom investigated 47 SIM swap fraud cases in 2025 alone, a 327% increase from 2024. Across Africa, the Smile ID 2026 Digital Identity Fraud Report found that 87% of failed biometric verifications in Southern Africa were caused by AI-driven spoofing, with deepfake attempts surging 15x year over year.

The CBK's response is clear: if you lend digitally in Kenya, you must verify who you are lending to. The Central Bank of Kenya (Amendment) Act 2021 and the Digital Credit Providers Regulations 2022 established the licensing framework. Now, enforcement is tightening with mandatory ID and selfie verification for every borrower, and Draft Non-Deposit Taking Credit Providers Regulations 2025 propose expanding oversight even further.

This is not optional. It is a regulatory baseline that all CBK digital lenders must meet today.

What Exactly Do the New Rules Require?

The CBK's KYC framework for digital lenders rests on four pillars. Each must be completed before a loan is disbursed.

National ID Document Verification

Every borrower must submit a valid Kenyan national ID card. The lender must verify the document through OCR extraction, database cross-referencing against government records (such as the national ID database), and validation of document authenticity, including layout, expiry, and forgery indicators.

This is not a formality. The Youverify 2026 compliance guide documents cases where fraudsters in Nigeria purchased rural National Identification Numbers and generated AI-fabricated document slips to open accounts. Kenya faces similar risks with its national ID system, and document verification is the first line of defence.

Live Selfie with Liveness Detection

A real-time selfie capture with active liveness detection is now mandatory. The selfie must confirm three things: the person is physically present (not a photo, video, or mask), the person matches the ID photo submitted, and the capture is happening live on the device (not injected via emulators or virtual cameras).

This requirement directly addresses the fraud landscape. The Smile ID report found that 42% of biometric fraud in Africa involves spoofing, while injection attacks through emulators and virtual cameras exceeded 100,000 per month across the continent.

Tala Kenya, one of the largest DCPs, implemented this in April 2026. Their Senior Compliance Manager Tabby Mugechi confirmed that borrowers must now complete ID upload and live selfie verification through the app before accessing any loan. Existing users who have not updated their verification face service restrictions.

AML and Sanctions Screening

The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) 2009, as amended, requires DCPs to screen borrowers against sanctions lists (OFAC, UN, EU, and local Kenyan lists), conduct Politically Exposed Persons (PEP) checks, and flag adverse media. This must happen at onboarding and on an ongoing basis.

Ongoing Monitoring and CRB Reporting

DCPs must report borrower data to licensed Credit Reference Bureaus (CRBs) and maintain records for a minimum of five years. Ongoing transaction monitoring for suspicious activity is required under CBK's AML guidelines.

Compliance Requirements at a Glance

What Are the Penalties for Non-Compliance?

The CBK has structured penalties to make non-compliance far more expensive than investing in proper verification systems.

The daily penalty provision under the DCP regulations Kenya lenders must follow is particularly significant. A KYC gap that persists for 30 days could accumulate KES 800,000 in fines (KES 500,000 + 30 days at KES 10,000) before any operational sanctions are applied.

And these are not theoretical. CBK has actively rejected and delayed license applications for DCPs that fail to demonstrate adequate KYC systems. The Bowmans Law analysis notes that unlicensed operators were ordered to cease operations entirely after the September 2022 deadline.

How Does Kenya's Data Protection Act Affect Biometric KYC?

The Data Protection Act Kenya (2019), enforced by the Office of the Data Protection Commissioner (ODPC), classifies biometric data, including facial recognition captures and selfie-based liveness checks, as sensitive personal data under Section 44. This creates a parallel compliance obligation for every DCP collecting selfies.

What this means in practice:

• Data Protection Impact Assessment (DPIA) is mandatory before deploying biometric KYC at scale. The ODPC Guidance Note for Digital Credit Providers explicitly requires this.
• Lawful basis must be documented. For lending KYC, "performance of contract" (Section 30(1)(b)) or "legal obligation" (Section 30(1)(c)) under CBK regulations are the strongest bases. Relying on consent alone is risky due to power imbalances in lending.
• Purpose limitation is strict. Biometric data collected for KYC cannot be repurposed for marketing, profiling, or any other use without a separate lawful basis.
• Breach notification must happen within 72 hours to the ODPC if there is risk of harm to data subjects.
• Data minimization applies. Collect only what is necessary. Tiered KYC (basic ID for low-risk, full biometrics for standard/high-risk) aligns with this principle.

The ODPC's 2025 Guidance Note on Biometric Data reinforces privacy-by-design and prohibits surveillance-like uses of biometric systems. DCPs must treat biometric KYC as a regulated activity with its own compliance trail, separate from but parallel to CBK requirements.

What Fraud Threats Make ID and Selfie Verification Essential?

The regulatory mandate did not emerge in a vacuum. Kenya's digital lending ecosystem faces three escalating fraud vectors that make robust identity verification a business necessity, not just a compliance checkbox.

SIM Swap Fraud Is Draining Mobile Lending Platforms

SIM swap fraud remains the most financially damaging attack on Kenya's mobile-first lending ecosystem. Criminals convince or bribe telco agents to port a victim's phone number to a new SIM, intercepting OTPs and draining M-Pesa wallets, bank accounts, and loan disbursements.

The scale is alarming. Safaricom investigated 47 SIM swap cases in 2025, up 327% from 11 cases in 2024. Total losses linked to SIM swaps and stolen identities exceeded Sh500 million. The FinAccess 2024 survey found that 9.8% of mobile money users in Kenya had lost money to fraud.

Safaricom has responded with an API that flags recent SIM swaps to partner banks and lenders, reducing attempted fraud by over 75%. But the API only helps if lenders integrate it. For DCPs still relying on SMS-based OTPs without biometric verification, borrowers remain exposed.

Deepfake and Synthetic Identity Attacks Are Surging Across Africa

The Smile ID 2026 report, based on analysis of over 200 million biometric checks across 35 African countries, found that deepfake attempts surged 15x, from fewer than 200 per month to over 3,000 per month. In West Africa, 65% of digital fraud attempts involved biometric spoofing.

The attack methods are sophisticated. Fraudsters use injection attacks through emulators and virtual cameras, bypassing basic selfie checks entirely. The report noted over 100,000 injection attacks per month, up from 15% of rejected verifications in 2023 to 90% in 2025.

In South Africa, synthetic identity fraud, where real government IDs are combined with AI-generated selfies, spiked 481% according to the TransUnion 2025 Africa Fraud Report. Kenya faces the same risk as fraudsters combine stolen national ID numbers with deepfake-generated selfie images.

Passive selfie capture is no longer sufficient. Only active liveness detection that validates physical presence and blocks injection attacks can address this threat landscape.

Identity Theft Fuels Loan Fraud at Scale

Beyond SIM swaps and deepfakes, basic identity theft remains pervasive. Safaricom fired 113 employees in FY2024 for fraud, including SIM swap facilitation and identity theft. Organised syndicates in regions like Mulot (Bomet County) maintain "hit lists" of victims' IDs and phone numbers, using them to open accounts and take out loans.

For digital lenders, the cost is not just the loan loss. It is the regulatory risk, the CRB reporting liability for a loan taken by a fraudster under a real person's identity, and the reputational damage when borrowers discover loans they never applied for.

Robust document verification combined with biometric face matching is the only way to break this chain. The national ID confirms the document is real. The liveness check confirms the person holding the phone is the person on the ID.

What Does a Compliant Digital Lending KYC Flow Look Like?

A CBK-compliant KYC flow for digital lenders Kenya-wide follows a tiered approach, matching verification intensity to risk level while meeting baseline requirements for every borrower.

The critical flow for Tier 2 (most common):

1. Borrower opens app and initiates a loan request.
2. National ID capture: Borrower photographs their Kenyan national ID. OCR extracts name, ID number, date of birth. System cross-references against the national ID database and validates document authenticity.
3. Live selfie capture: App prompts a real-time selfie with active liveness detection. System confirms physical presence (blocks photos, videos, masks, deepfakes, injection attacks). Face matching algorithm compares selfie to ID photo.
4. AML screening: System runs borrower data against sanctions lists (OFAC, UN, EU, local), PEP databases, and adverse media in real time.
5. CRB check and risk scoring: Credit history pulled from licensed CRBs. Combined with verification data for risk assessment.
6. Loan decision: If all checks pass, loan is approved and disbursed to M-Pesa or bank account.

The entire flow should complete in seconds, not minutes. Fenergo's 2025 survey of 600 senior decision-makers found 70% of firms lost clients in the past year due to inefficient onboarding, up from 67% in 2024 and 48% in 2023.

How Signzy Helps Digital Lenders Meet CBK's Verification Rules in Kenya

Meeting CBK's ID and selfie verification requirements does not have to mean building verification infrastructure from scratch. Signzy's One-Touch KYC (OTKYC) platform bundles the entire compliance flow into a single, no-code API that digital lenders can deploy in days.

ID Verification: Signzy supports 14,000+ document types across 150+ countries, including Kenyan national IDs, passports, and driving licences. OCR extraction, database cross-referencing, and forgery detection run automatically per document.

Liveness Check: Signzy's liveness detection uses layered AI to block photos, videos, masks, 3D spoofs, face swaps, and synthetic deepfakes. Both active and passive liveness modes are supported, with results returned in under five seconds.

Face Match: Biometric face matching compares the live capture against the ID photo, with smart prompts (e.g., remove glasses or mask) to maximise first-attempt pass rates.

AML Screening: Real-time sanctions, PEP, and adverse media checks are built into the same flow, so compliance teams do not need a separate tool.

Speed and UX: The full verification flow, from document capture to liveness check to AML screening, completes in seconds. A drag-and-drop UI builder lets lenders customise branded flows without developer resources.

For Kenyan digital lenders navigating CBK's tightening requirements, the choice is between assembling multiple point solutions or deploying a single platform that covers document verification, biometric liveness, face matching, and AML in one integration.

Talk to Signzy's team about building a compliant KYC flow→