OMP Domain Profile: Kenya Digital Credit Providers -- CBK NDTCP Regulations 2022 and AI Decision Accountability

Internet-Draft	OMP NDTCP Profile	March 2026
Adebayo & Makanjuola	Expires 22 September 2026	[Page]

Abstract

This document defines the OMP domain profile for digital credit providers (DCPs) operating under the Central Bank of Kenya Digital Credit Providers Regulations 2022 (CBK NDTCP). It specifies the Intent Class configuration, routing threshold ranges, Watchtower definitions, and Audit Trace extensions required to satisfy per-decision explainability and human oversight evidence requirements for AI-assisted credit decisions under the CBK framework.¶

The Central Bank of Kenya AI Banking Sector Survey (July 2025) found that few institutions using AI for credit decisions have mechanisms for per-decision explainability. The CBK AI Guidance Note, in preparation as of March 2026, will define what adequate AI governance evidence means for all 195 licensed DCPs. This profile specifies the technical architecture that satisfies those requirements.¶

This profile REQUIRES implementation of the core OMP protocol as defined in draft-veridom-omp. The full specification is also available at ZENODO-OMP. All terms and base protocol specifications in that document apply to this profile. This document specifies only the domain parameters.¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 22 September 2026.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶

1. Introduction

The Central Bank of Kenya licensed 195 digital credit providers under the NDTCP framework as of January 2026 [CBK-NDTCP-2022]. The CBK AI Banking Sector Survey [CBK-AI-SURVEY-2025] conducted in March 2025 and published July 3, 2025 found that 50% of regulated institutions have adopted AI tools, of which 65% use AI for credit risk scoring. The survey further found that few institutions using AI have mechanisms for bias detection, algorithm explainability, or customer redress. Ninety-three percent of survey respondents stated that CBK should develop and issue AI Guidance.¶

Matu Mugo, Director of Bank Supervision at CBK, confirmed publicly at the CBK AI Hackathon (November 20, 2025) that the Bank is formulating a Guidance Note on Artificial Intelligence covering governance, risk management frameworks, data integrity, and the necessity of human oversight in automated decision-making.¶

For the purposes of this profile, per-decision explainability means a cryptographically sealed record of: (i) the input data at the moment of the credit decision, (ii) the classification and confidence scores applied, (iii) the policy compliance evaluation, (iv) the routing outcome (AUTONOMOUS, ASSISTED, or ESCALATED), and (v) the identity of any Named Accountable Officer who reviewed the decision. The OMP Audit Trace defined in [I-D.veridom-omp] satisfies all five requirements when configured per this profile.¶

The Kenya Office of the Data Protection Commissioner (ODPC) issued its largest combined fines in history in December 2025 -- KES 9,375,000 in a single decision -- against digital credit providers specifically for the absence of traceable consent and data processing audit trails. This profile addresses those specific evidentiary requirements. Additional background on OMP is available in [ZENODO-OMP].¶

3. Regulatory Reference Framework

The following regulatory instruments govern DCP operations in Kenya. This section maps each instrument's evidentiary requirements to specific OMP NDTCP profile technical responses.¶

CBK NDTCP Regulation 18:: Requires reasonable assessment of borrower repayment ability. The OMP AUTONOMOUS path with full Audit Trace provides a sealed record of the input data and classification rationale at the moment of the credit decision, satisfying the evidencing requirement for each loan.¶
CBK AI Guidance Note (in preparation, expected Q2 2026):: Expected to require per-decision explainability of AI credit decisions. The complete OMP Audit Trace -- including Intent Class, Confidence Score components, Watchtower evaluations, and routing rationale -- constitutes the per-decision explainability record. The Proof-Point artifact generates the regulator-ready export on demand.¶
Kenya Data Protection Act 2019 [KENYA-DPA-2019] / ODPC enforcement:: Requires traceable consent and data processing audit trail. Watchtower WT-01 (PII Exposure Shield) prevents PII ingestion to the inference layer. H_s anchors the data state at query time. The Proof-Point generates the consent and processing audit trail on examination demand.¶
CBK NDTCP Regulation 27:: Consumer complaint handling and response timelines. Watchtower WT-04 (Regulatory Silence Detector) enforces SLA compliance. The Audit Trace records every complaint interaction with timestamps. Proof-Point provides SLA compliance evidence on demand.¶

4. Intent Class Configuration

The following Intent Classes MUST be defined for NDTCP deployments. Routing thresholds are specified as minimum values; implementations MAY set higher thresholds based on institutional risk assessment.¶

Table 1
Intent Class	Theta Min	Rationale
CREDIT_SCORE_QUERY	0.88	Routine credit score inquiry. No lending decision. High volume.
LOAN_DECISION	0.92	AI-assisted loan origination. High consequence. Named officer review required above threshold.
REPAYMENT_CAPACITY_ASSESS	0.90	Regulation 18 compliance. MUST log data sources used in assessment.
COMPLAINT_RESOLUTION	0.85	Customer complaint routing. Silence Detector active. 24-hour SLA.
ADVERSE_ACTION_NOTICE	0.95	Credit denial or adverse terms. Named officer MUST review before dispatch.
DATA_RECTIFICATION_REQUEST	0.88	ODPC-governed data correction. Full audit trail mandatory.
CRB_CONSENT_VERIFICATION	0.99	Credit Reference Bureau access. Consent MUST be logged before query.

5. Watchtower Configuration

The following Watchtowers MUST be active in NDTCP deployments. WT-01 and WT-04 from the core registry apply without modification. The following NDTCP-specific Watchtowers are defined for this profile.¶

Severity:: HARD_BLOCK¶
Trigger:: CRB query attempted without a logged, timestamped borrower consent record predating the query timestamp.¶
Action:: Blocks CRB query. Routes interaction to ESCALATED. Logs trigger evidence including attempted query timestamp and absence of consent record.¶
Regulatory basis:: Kenya Data Protection Act 2019; CBK consumer protection guidelines requiring explicit consent for CRB access.¶
ODPC enforcement precedent:: Mulla Pride Ltd / KeCredit / Faircash (December 2025): KES 2,975,000 fine specifically for absence of traceable consent records. This Watchtower closes that specific evidence failure mode.¶

5.2. WT-NDTCP-02: Adverse Action Trigger

Severity:: FORCE_ASSISTED¶
Trigger:: LOAN_DECISION intent where Confidence Score indicates probable denial outcome (implementation-defined threshold, RECOMMENDED: C below 0.40 for the approval outcome class).¶
Action:: Forces ASSISTED path. Named Accountable Officer MUST review and apply a Resolution Action before denial notice is dispatched.¶
Regulatory basis:: CBK consumer protection; forthcoming AI Guidance Note requirement for human oversight of adverse AI credit decisions.¶

5.3. WT-NDTCP-03: High-Value Loan Guardrail

Severity:: FORCE_ASSISTED¶
Trigger:: Loan application above KSh 1,000,000 (configurable; this is the RECOMMENDED default).¶
Action:: Forces ASSISTED path. Named officer MUST approve before AUTONOMOUS dispatch of any loan decision.¶

6. Audit Trace Extensions

The following fields extend the base Audit Trace schema for NDTCP deployments. All fields are mandatory unless marked OPTIONAL.¶

{
  "cbk_dcp_licence_number":    "string",
  "crb_consent_hash":          "sha256 | null",
  "crb_consent_timestamp":     "ISO 8601 UTC | null",
  "loan_application_id":       "string | null",
  "regulation_18_data_sources": ["string"],
  "adverse_action_flag":       "boolean",
  "ndtcp_schema_version":      "NDTCP-PROFILE-v1.0"
}

cbk_dcp_licence_number MUST be present in every trace for regulator identification. crb_consent_hash MUST be present and non-null for any interaction where a CRB query was made. regulation_18_data_sources MUST be populated for REPAYMENT_CAPACITY_ASSESS intent class.¶

7. Proof-Point Output Format

When generated for a CBK examination, the Watchtower 6 Proof-Point MUST include the following sections in addition to the base format defined in draft-veridom-omp:¶

Credit Decision Evidence: total loan decisions in period with AUTONOMOUS/ASSISTED/ESCALATED split, adverse action count, Named Officer review rate for adverse decisions.¶
CRB Consent Compliance: percentage of CRB queries with logged consent. Zero-tolerance metric -- any CRB query without consent logs is a WT-NDTCP-01 violation and MUST be separately itemised.¶
ODPC Compliance Indicators: PII exposure events prevented (WT-01 activations). Data rectification requests and resolution status.¶
Named Officer Accountability: list of Named Accountable Officers active in the period with resolution action distribution (RA-1 through RA-4 counts).¶
Chain Integrity Verification: confirmation that SHA-256 Merkle chain and RFC 3161 timestamps are intact across all traces in the period. Independent verification instructions included.¶

8. Security Considerations

All security considerations in draft-veridom-omp apply. The following considerations are specific to the NDTCP profile.¶

CRB Consent Sequencing: An institution could attempt to log a fabricated consent record after the CRB query. WT-NDTCP-01 MUST verify that the crb_consent_hash references a consent record whose timestamp predates the CRB query timestamp. Any consent record timestamped after the CRB query timestamp MUST be flagged as a sequencing violation and the interaction MUST be routed to ESCALATED.¶

Adverse Action Suppression: An institution could attempt to route adverse credit decisions through the AUTONOMOUS path by manipulating confidence score inputs. WT-NDTCP-02 triggers on outcome probability, not on the routing confidence score, to prevent this manipulation.¶

10. References

10.1. Normative References

[I-D.veridom-omp]: Adebayo, T., "Operating Model Protocol (OMP): A Deterministic Routing and Evidence Architecture for AI Decision Accountability in Regulated Industries", Work in Progress, Internet-Draft, draft-veridom-omp-00, 21 March 2026, <https://datatracker.ietf.org/doc/html/draft-veridom-omp-00>.
[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <https://www.rfc-editor.org/rfc/rfc2119>.

10.2. Informative References

[CBK-AI-SURVEY-2025]: Central Bank of Kenya, "AI Banking Sector Survey", July 2025.
[CBK-NDTCP-2022]: Central Bank of Kenya, "The Central Bank of Kenya (Digital Credit Providers) Regulations 2022", March 2022.
[KENYA-DPA-2019]: Republic of Kenya, "Data Protection Act 2019", 2019.
[ZENODO-OMP]: Adebayo, T., "OMP - Operating Model Protocol: A Deterministic Routing Invariant for Tamper-Evident AI Decision Accountability in Regulated Industries", Zenodo 10.5281/zenodo.19140948, 21 March 2026.