3 Banks Fined Sh650,000 for Illegally Sharing Borrower Data
Read Time:2 Minute, 21 Second
Three Kenyan banks, Co-operative Bank, Family Bank, and KWFT, have been fined a combined Sh650,000 for illegally sharing a borrower’s personal data, including loan details and contact information, without consent.
The case arose after KWFT attempted to sell a customer’s loan to Co-operative Bank and Family Bank, which then contacted the borrower directly, violating Kenya’s Data Protection Act of 2019.
Unauthorized Sharing of Borrower Data
The issue began when KWFT, a microfinance institution regulated by the Central Bank of Kenya, tried to sell a customer’s loan to Co-operative Bank and Family Bank without obtaining the borrower’s explicit consent.
During this process, the borrower’s personal information, including loan details and contact information, was shared with the two banks, which subsequently contacted her to discuss the loan transfer.
This action breached Kenya’s Data Protection Act, which requires that personal data be processed only with the data subject’s consent or under specific legal grounds and mandates that individuals be informed about how their data will be used.
- Can Customers Trust Banks After Equity Loses Fraud Case
- How Banks in Kenya Are Losing Millions to Insider Fraud Schemes
- How Kenyans Are Having Their IDs Used in Tax Scams
The ODPC’s investigation revealed that KWFT charged in failing to adequately disclose to the borrower how her personal information would be handled during the loan sale. Co-operative Bank and Family Bank charged in processing the borrower’s data unlawfully by contacting her without confirming consent.
Notably, Co-operative Bank admitted to relying on “market intelligence” to justify its actions, a practice deemed non-compliant with the Data Protection Act. ODPC imposed fines on all three institutions for these violations.
Co-operative Bank’s Additional Fine for Unsolicited Messaging
In a separate ruling, Co-operative Bank was fined an additional KSh 50,000 for sending unsolicited marketing messages to a customer regarding a dormant account. The customer had not opted in to receive such communications, and this action also violated Kenya’s Data Protection Act, which restricts processing personal data for direct marketing without consent.
Legal Framework
Kenya’s Data Protection Act of 2019 is designed to safeguard personal data and ensure privacy and security in processing, including within the banking sector.
The Act requires banks and other institutions to handle customers’ personal data, such as names, contact details, and financial information lawfully, transparently, and with consent. It prohibits unauthorized sharing of personal data and regulates unsolicited communications.
Banks must implement measures such as data protection impact assessments and secure systems to prevent breaches. Non-compliance can result in fines or other sanctions, as enforced by the Office of the Data Protection Commissioner (ODPC).
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.
Happy
0 %
Sad
0 %
Excited
0 %
Sleepy
0 %
Angry
0 %
Surprise
0 %
0
0
Average Rating