18 August 2025

The Office of the Data Protection Commissioner (ODPC) found that KWFT attempted to sell a customer’s loan to Co-op and Family Bank, passing on her loan details and contact information without her consent.

The ODPC’s ruling highlighted a breach of Kenya’s Data Protection Act of 2019, noting that both Co-operative Bank and KWFT contacted the borrower directly — an action deemed illegal under the law. Africa Digest News reported that Co-op Bank justified its contact based on “market intelligence,” while KWFT failed to disclose how the customer’s information would be utilised. The regulator concluded that both explanations did not meet the legal standards required for processing personal data.

Moses Maweu, founder of Chemkuza, a Kenyan AI-driven formulation laboratory, publicly criticised the banks for their failure to protect client privacy. He stated on LinkedIn that “trust in banking is hard to earn but easy to lose,” emphasising that data protection is a vital survival skill. Maweu warned that aggressive debt collection and misuse of personal information can lead to fines and damage to reputation.

In a separate incident, Co-operative Bank was fined an additional $385 (Sh50,000) for sending unsolicited marketing messages about a dormant account, despite the customer not opting in to receive such communications — another violation of the Data Protection Act.

Kenya’s Data Protection Act mandates explicit consent for processing personal data and prohibits unsolicited marketing messages without prior opt-in approval. The ODPC has been ramping up enforcement efforts recently, indicating that breaches will attract substantial penalties.

Maweu concluded that for Kenya’s banking sector, the message is clear: data privacy violations are no longer minor infractions. They come with tangible fines, potential public exposure, and long-term damage to customer trust.