Defining terms and delimiting jurisdiction

Under legacy financial laws and regulations, it may not be clear how to categorize personal digital credit or where to place jurisdiction for its various dimensions. A typology of regulatory regimes for digital credit may include:

• Institution-based: A regime that sets separate rules for traditional FIs (e.g., banks, moneylenders, credit unions) and for others – in a few cases bespoke rules for digital lenders.
• Activity-based: A regime where all digital lending by any entity is brought under an umbrella law or regulation that defines digital credit.
• Risk-based: A regime with expansive coverage of credit, incorporating provisions on financial consumer protection, data control, and digital security that take the special risks of digital credit into account.

Institution- and activity-based regimes offer the advantages of bespoke regulations designed specifically for digital credit providers or products. But this approach is the exception rather than the rule across the range of countries we have reviewed. Where it has been tried, policymakers have confronted two immediate challenges: (a) defining the activity and/or institution, and (b) applying the definition and the rules in a way that avoids gaps and inconsistencies across the credit landscape.

Kenya and India adopted regulations with the aim of bringing digital credit providers, many of them outside the then-existing regulatory perimeter, under the control of the central bank. Whereas Kenya defines digital credit as borrowing through a digital channel¹, India defines it as follows:

A remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.²

Bringing digital credit expressly within the financial regulator’s authority can remove some gaps and ambiguities while enhancing consistency of treatment. Yet in India and especially Kenya, this change still left some digital lending unregulated due to the jurisdictional limits on the central bank contained in financial legislation. Kenya responded to this challenge by expanding the central bank’s competence to include the business of lending in general. A 2024 law requires all entities that offer credit services but do not accept deposits (with minor exceptions) to obtain a license from the Central Bank of Kenya and conform to CBK regulations.³

Other jurisdictions have also adopted broad-based, technology-neutral consumer credit laws and regulations – but without first defining digital credit activities or providers. Australia brought consumer credit under its financial regulator, the Australian Securities and Investment Commission (ASIC).⁴With robust authority to enforce responsible lending obligations and related standards, ASIC has successfully pursued a number of high-profile cases against digital lenders.⁵Through a combination of regulatory adjustments and enforcement actions, Australia, along with the EU, the U.S, and the UK, has made it clear that consumer credit rules apply to digital lenders as well as to digital platforms that otherwise broker or source credit online.

Another approach is to fit digital lenders into various institution-based frameworks. In Tanzania, the central bank in 2024 responded to the country’s own Kenya-style digital lending crisis by using its authority under microfinance legislation to ban unlicensed digital lenders, thus bringing them within its regulatory perimeter.⁶Others have applied fintech regulation to digital lenders. Mexico recently moved in this direction with the enactment of a fintech law and regulations.⁷Indonesia’s financial conduct authority (OJK) designed a regulatory sandbox to allow fintech companies to deploy operations on a pilot basis. All fintechs not otherwise regulated must register for the OJK sandbox and comply with its principles of responsible DFS innovation – and this includes many digital lenders.⁸

An alternative avenue is to bring personal digital credit under a general consumer protection regulator (or a competition commission with consumer rights as part of its remit). For example, Nigeria’s competition and consumer protection agency (FCCPC) established a task force to deal with a rash of unregulated digital lending that led to a small debtor crisis. The agency on behalf of the task force issued interim digital credit guidelines setting a deadline for unsanctioned lending apps to register as Digital Money Lenders and come into compliance – or face removal from Google Playstore.⁹The guidelines do not define digital credit, but it is clear that lending apps not otherwise regulated must comply. The role of Google Playstore as a kind of enforcer reappears in other contexts where authorities are contending with unregulated apps. Also important, the task force brought together financial, consumer, and ICT regulators to ensure cooperation and full coverage.

Recommendation: Digital personal credit poses mainly consumer protection risks and therefore should ideally come within the ambit of consumer credit rules, whether general, activity-based, or risk-based. Digital loans could be covered by bespoke rules but are more often regulated as high-cost short-term loans that fall within the categories of consumer credit, money lending, payday loans, or microcredit. The enforcement of these rules can be housed in any number of places. These include a specialized agency (e.g., the U.S. CFPB), a team within the central bank or unified financial regulator (e.g., ASIC), the financial conduct regulator in a twin peaks system (e.g., the UK FCA), or a general consumer protection agency (e.g., Nigeria FCCPC). Unless digital loan risk is carried by a bank, there is little reason to involve the prudential regulator – and most of the systems we have reviewed follow this principle. On the other hand, coordination with telco, ICT, and data control agencies – and regulatory consistency across agencies – is vital.