NCBA, backed by Kenya’s richest families, fined by regulator

Key Points

• NCBA Bank fined Ksh250,000 ($1,933) for breaching Kenya’s data privacy laws by failing to erase incorrect customer information shared with a third party.
• Data Commissioner ruled NCBA violated privacy rights, despite the bank claiming it acted after being alerted about the erroneous email.
• Kenya’s regulators intensify scrutiny of banks over data compliance, warning of rising legal and reputational risks for mishandling consumer information.

NCBA Bank, the flagship banking subsidiary of NCBA Group, partly owned by some of Kenya’s wealthiest families, has been fined by Kenya’s Office of the Data Protection Commissioner (ODPC) for violating provisions of the Data Protection Act. The fine, prompted by a customer complaint, comes as regulators tighten oversight of financial institutions, reinforcing the push for compliance with Kenya’s data privacy laws amid rising digital risks.

NCBA penalized for mishandling personal data

The Ksh250,000 ($1,933) penalty follows a complaint from a customer, Brian Githaiga, whose sensitive account information was repeatedly sent to an unauthorized third party — despite numerous requests to the bank to delete an incorrect email address from its system.

The ODPC’s investigation found that NCBA failed to act on Githaiga’s erasure requests, even after the unintended recipient also raised the alarm. In its defense, the lender argued that the email address in question was part of the original account registration, and that it had acted promptly to update its records once notified. Regulators, however, ruled that NCBA mishandled the deletion process and breached the customer’s right to data privacy.

“The respondent is hereby found liable for violating the complainant’s right to erasure… and is ordered to pay the complainant Ksh250,000($1,933),” Data Commissioner Immaculate Kassait ruled. The fine underscores intensifying regulatory scrutiny of customer data practices across Kenya’s financial sector. While the penalty is modest, it highlights the growing reputational risks banks face for mishandling personal data — as authorities move to enforce Kenya’s 2019 privacy laws more aggressively.

Regulatory spotlight shines on Kenyan banks

NCBA Group, a Nairobi-based holding company with subsidiaries in Tanzania, Rwanda, Uganda, and Côte d’Ivoire, was formed in 2019 from the merger of NIC Bank and Commercial Bank of Africa. Partly owned by Kenya’s influential Kenyatta, Merali, and Ndegwa families, NCBA is steadily deepening its local presence while scaling across the region.

But even as it grows, NCBA isn’t immune to the challenges facing Kenya’s banking sector. Its recent fine over data privacy breaches has put it in the spotlight, part of a broader wave of enforcement that’s sweeping through the country. Last year, Family Bank, SBM Bank, and telecom provider Zuku were also penalized for mishandling customer information.

Authorities are making it clear: failure to honor requests to delete or correct personal data isn’t just bad service — it’s against the law. With Kenya tightening its data protection rules, financial institutions and digital firms are under increasing pressure to clean up their practices or risk steep fines and reputational damage.