Network Working Group                                         T. Adebayo
Internet-Draft                                             F. Makanjuola
Intended status: Informational                               Veridom Ltd
Expires: 22 September 2026                                 21 March 2026

    OMP Domain Profile: Kenya Digital Credit Providers -- CBK NDTCP
           Regulations 2022 and AI Decision Accountability
                      draft-veridom-omp-ndtcp-00

Abstract

   This document defines the OMP domain profile for digital credit
   providers (DCPs) operating under the Central Bank of Kenya Digital
   Credit Providers Regulations 2022 (CBK NDTCP). It specifies the
   Intent Class configuration, routing threshold ranges, Watchtower
   definitions, and Audit Trace extensions required to satisfy
   per-decision explainability and human oversight evidence
   requirements for AI-assisted credit decisions under the CBK
   framework.

   The Central Bank of Kenya AI Banking Sector Survey (July 2025) found
   that few institutions using AI for credit decisions have mechanisms
   for per-decision explainability. The CBK AI Guidance Note, in
   preparation as of March 2026, will define what adequate AI
   governance evidence means for all 195 licensed DCPs. This profile
   specifies the technical architecture that satisfies those
   requirements.

   This profile REQUIRES implementation of the core OMP protocol as
   defined in draft-veridom-omp. All terms and base protocol
   specifications in that document apply to this profile. This
   document specifies only the domain parameters.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 September 2026.

Adebayo & Makanjuola    Expires 22 September 2026               [Page 1]

Internet-Draft              OMP NDTCP Profile                 March 2026

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Table of Contents

   1.  Introduction
   2.  Regulatory Reference Framework
   3.  Intent Class Configuration
   4.  Watchtower Configuration
     4.1.  WT-NDTCP-01: CRB Consent Verification
     4.2.  WT-NDTCP-02: Adverse Action Trigger
     4.3.  WT-NDTCP-03: High-Value Loan Guardrail
   5.  Audit Trace Extensions
   6.  Proof-Point Output Format
   7.  Security Considerations
   8.  IANA Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Central Bank of Kenya licensed 195 digital credit providers
   under the NDTCP framework [CBK-NDTCP-2022] as of January 2026. The
   CBK AI Banking Sector Survey conducted in March 2025 and published
   July 3, 2025 found that 50% of regulated institutions have adopted
   AI tools, of which 65% use AI for credit risk scoring.

   The survey further found that few institutions using AI have
   mechanisms for bias detection, algorithm explainability, or customer
   redress. Ninety-three percent of survey respondents stated that CBK
   should develop and issue AI Guidance. Matu Mugo, Director of Bank
   Supervision at CBK, confirmed publicly at the CBK AI Hackathon
   (November 20, 2025) that the Bank is formulating a Guidance Note on
   Artificial Intelligence covering governance, risk management
   frameworks, data integrity, and the necessity of human oversight in
   automated decision-making.

   For the purposes of this profile, per-decision explainability means
   a cryptographically sealed record of: (i) the input data at the
   moment of the credit decision, (ii) the classification and
   confidence scores applied, (iii) the policy compliance evaluation,
   (iv) the routing outcome (AUTONOMOUS, ASSISTED, or ESCALATED), and
   (v) the identity of any Named Accountable Officer who reviewed the
   decision. The OMP Audit Trace defined in draft-veridom-omp
   satisfies all five requirements when configured per this profile.

   The Kenya Office of the Data Protection Commissioner (ODPC) issued
   its largest combined fines in history in December 2025 -- KES
   9,375,000 in a single decision -- against digital credit providers
   specifically for the absence of traceable consent and data
   processing audit trails. This profile addresses those specific
   evidentiary requirements.

2.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] when, and only when, they appear in all capitals,
   as shown here.

3.  Regulatory Reference Framework

   The following regulatory instruments govern DCP operations in Kenya.
   This section maps each instrument's evidentiary requirements to
   specific OMP NDTCP profile technical responses.

   CBK NDTCP Regulation 18:  Requires reasonable assessment of borrower
      repayment ability. The OMP AUTONOMOUS path with full Audit Trace
      provides a sealed record of the input data and classification
      rationale at the moment of the credit decision, satisfying the
      evidencing requirement for each loan.

   CBK AI Guidance Note (in preparation, expected Q2 2026):  Expected
      to require per-decision explainability of AI credit decisions.
      The complete OMP Audit Trace -- including Intent Class,
      Confidence Score components, Watchtower evaluations, and routing
      rationale -- constitutes the per-decision explainability record.
      The Proof-Point artifact generates the regulator-ready export on
      demand.

   Kenya Data Protection Act 2019 [KENYA-DPA-2019] / ODPC enforcement:
      Requires traceable consent and data processing audit trail.
      Watchtower WT-01 (PII Exposure Shield) prevents PII ingestion to
      the inference layer. H_s anchors the data state at query time.
      The Proof-Point generates the consent and processing audit trail
      on examination demand.

   CBK NDTCP Regulation 27:  Consumer complaint handling and response
      timelines. Watchtower WT-04 (Regulatory Silence Detector)
      enforces SLA compliance. The Audit Trace records every complaint
      interaction with timestamps. Proof-Point provides SLA compliance
      evidence on demand.

4.  Intent Class Configuration

   The following Intent Classes MUST be defined for NDTCP deployments.
   Routing thresholds are specified as minimum values; implementations
   MAY set higher thresholds based on institutional risk assessment.

   +============================+=======+=========================+
   | Intent Class               | Theta | Rationale               |
   |                            | Min   |                         |
   +============================+=======+=========================+
   | CREDIT_SCORE_QUERY         | 0.88  | Routine credit score    |
   |                            |       | inquiry. No lending     |
   |                            |       | decision. High volume.  |
   +----------------------------+-------+-------------------------+
   | LOAN_DECISION              | 0.92  | AI-assisted loan        |
   |                            |       | origination. High       |
   |                            |       | consequence. Named      |
   |                            |       | officer review required |
   |                            |       | above threshold.        |
   +----------------------------+-------+-------------------------+
   | REPAYMENT_CAPACITY_ASSESS  | 0.90  | Regulation 18           |
   |                            |       | compliance. MUST log    |
   |                            |       | data sources used in    |
   |                            |       | assessment.             |
   +----------------------------+-------+-------------------------+
   | COMPLAINT_RESOLUTION       | 0.85  | Customer complaint      |
   |                            |       | routing. Silence        |
   |                            |       | Detector active.        |
   |                            |       | 24-hour SLA.            |
   +----------------------------+-------+-------------------------+
   | ADVERSE_ACTION_NOTICE      | 0.95  | Credit denial or        |
   |                            |       | adverse terms. Named    |
   |                            |       | officer MUST review     |
   |                            |       | before dispatch.        |
   +----------------------------+-------+-------------------------+
   | DATA_RECTIFICATION_REQUEST | 0.88  | ODPC-governed data      |
   |                            |       | correction. Full audit  |
   |                            |       | trail mandatory.        |
   +----------------------------+-------+-------------------------+
   | CRB_CONSENT_VERIFICATION   | 0.99  | Credit Reference Bureau |
   |                            |       | access. Consent MUST    |
   |                            |       | be logged before query. |
   +----------------------------+-------+-------------------------+

                                Table 1

5.  Watchtower Configuration

   The following Watchtowers MUST be active in NDTCP deployments. WT-01
   and WT-04 from the core registry apply without modification. The
   following NDTCP-specific Watchtowers are defined for this profile.

5.1.  WT-NDTCP-01: CRB Consent Verification

   Severity:  HARD_BLOCK

   Trigger:  CRB query attempted without a logged, timestamped borrower
      consent record predating the query timestamp.

   Action:  Blocks CRB query. Routes interaction to ESCALATED. Logs
      trigger evidence including attempted query timestamp and absence
      of consent record.

   Regulatory basis:  Kenya Data Protection Act 2019; CBK consumer
      protection guidelines requiring explicit consent for CRB access.

   ODPC enforcement precedent:  Mulla Pride Ltd / KeCredit / Faircash
      (December 2025): KES 2,975,000 fine specifically for absence of
      traceable consent records. This Watchtower closes that specific
      evidence failure mode.

5.2.  WT-NDTCP-02: Adverse Action Trigger

   Severity:  FORCE_ASSISTED

   Trigger:  LOAN_DECISION intent where Confidence Score indicates
      probable denial outcome (implementation-defined threshold,
      RECOMMENDED: C below 0.40 for the approval outcome class).

   Action:  Forces ASSISTED path. Named Accountable Officer MUST
      review and apply a Resolution Action before denial notice is
      dispatched.

   Regulatory basis:  CBK consumer protection; forthcoming AI Guidance
      Note requirement for human oversight of adverse AI credit
      decisions.

5.3.  WT-NDTCP-03: High-Value Loan Guardrail

   Severity:  FORCE_ASSISTED

   Trigger:  Loan application above KSh 1,000,000 (configurable; this
      is the RECOMMENDED default).

   Action:  Forces ASSISTED path. Named officer MUST approve before
      AUTONOMOUS dispatch of any loan decision.

6.  Audit Trace Extensions

   The following fields extend the base Audit Trace schema for NDTCP
   deployments. All fields are mandatory unless marked OPTIONAL.

   {
     "cbk_dcp_licence_number": "string",
     "crb_consent_hash": "sha256 | null",
     "crb_consent_timestamp": "ISO 8601 UTC | null",
     "loan_application_id": "string | null",
     "regulation_18_data_sources": ["string"],
     "adverse_action_flag": "boolean",
     "ndtcp_schema_version": "NDTCP-PROFILE-v1.0"
   }

   cbk_dcp_licence_number MUST be present in every trace for regulator
   identification. crb_consent_hash MUST be present and non-null for
   any interaction where a CRB query was made.
   regulation_18_data_sources MUST be populated for
   REPAYMENT_CAPACITY_ASSESS intent class.

7.  Proof-Point Output Format

   When generated for a CBK examination, the Watchtower 6 Proof-Point
   MUST include the following sections in addition to the base format
   defined in draft-veridom-omp:

   *  Credit Decision Evidence: total loan decisions in period with
      AUTONOMOUS/ASSISTED/ESCALATED split, adverse action count, Named
      Officer review rate for adverse decisions.

   *  CRB Consent Compliance: percentage of CRB queries with logged
      consent. Zero-tolerance metric -- any CRB query without consent
      logs is a WT-NDTCP-01 violation and MUST be separately itemised.

   *  ODPC Compliance Indicators: PII exposure events prevented (WT-01
      activations). Data rectification requests and resolution status.

   *  Named Officer Accountability: list of Named Accountable Officers
      active in the period with resolution action distribution (RA-1
      through RA-4 counts).

   *  Chain Integrity Verification: confirmation that SHA-256 Merkle
      chain and RFC 3161 timestamps are intact across all traces in the
      period. Independent verification instructions included.

8.  Security Considerations

   All security considerations in draft-veridom-omp apply. The
   following considerations are specific to the NDTCP profile.

   CRB Consent Sequencing:  An institution could attempt to log a
      fabricated consent record after the CRB query. WT-NDTCP-01 MUST
      verify that the crb_consent_hash references a consent record
      whose timestamp predates the CRB query timestamp. Any consent
      record timestamped after the CRB query timestamp MUST be flagged
      as a sequencing violation and the interaction MUST be routed to
      ESCALATED.

   Adverse Action Suppression:  An institution could attempt to route
      adverse credit decisions through the AUTONOMOUS path by
      manipulating confidence score inputs. WT-NDTCP-02 triggers on
      outcome probability, not on the routing confidence score, to
      prevent this manipulation.

9.  IANA Considerations

   This document makes no requests of IANA.
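
   The following Python example is added here and is not part of the
   draft or of any OMP implementation. It applies the NDTCP Watchtower
   triggers and the Audit Trace field rules to one trace, resolving
   crb_consent_hash against the consent store's own timestamp rather
   than the trace's self-reported one, as the CRB Consent Sequencing
   consideration requires. Assumptions: the fields intent_class,
   crb_query_timestamp, approval_probability and loan_amount_kes, the
   consent_log mapping, and ESCALATED taking precedence over ASSISTED.

```python
import hashlib
from datetime import datetime, timezone

HIGH_VALUE_KES = 1_000_000  # WT-NDTCP-03 RECOMMENDED default (configurable)
DENIAL_C = 0.40             # WT-NDTCP-02 RECOMMENDED threshold, approval class

def parse_utc(ts):
    """Parse ISO 8601; reject naive timestamps so comparisons are unambiguous."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset: " + ts)
    return dt.astimezone(timezone.utc)

def evaluate(trace, consent_log):
    """Return (forced_route, findings). consent_log maps a consent record's
    SHA-256 hex digest to the timestamp held by the consent store (assumed)."""
    findings, route = [], None
    if not trace.get("cbk_dcp_licence_number"):
        findings.append("TRACE: cbk_dcp_licence_number missing")
    if (trace.get("intent_class") == "REPAYMENT_CAPACITY_ASSESS"
            and not trace.get("regulation_18_data_sources")):
        findings.append("TRACE: regulation_18_data_sources empty")
    # WT-NDTCP-02 / -03 (FORCE_ASSISTED). Input field names are hypothetical.
    p = trace.get("approval_probability")
    if trace.get("intent_class") == "LOAN_DECISION" and p is not None and p < DENIAL_C:
        findings.append("WT-NDTCP-02: probable denial")
        route = "ASSISTED"
    if (trace.get("loan_amount_kes") or 0) > HIGH_VALUE_KES:
        findings.append("WT-NDTCP-03: high-value loan")
        route = "ASSISTED"
    # WT-NDTCP-01 (HARD_BLOCK): evaluated last so ESCALATED wins (assumed).
    query_ts = trace.get("crb_query_timestamp")  # hypothetical field
    if query_ts is not None:
        stored = consent_log.get(trace.get("crb_consent_hash"))
        if stored is None:
            findings.append("WT-NDTCP-01: no consent record for hash")
            route = "ESCALATED"
        elif parse_utc(stored) >= parse_utc(query_ts):  # must strictly predate
            findings.append("WT-NDTCP-01: sequencing violation")
            route = "ESCALATED"
    return route, findings

# Constructed sample data, not taken from any real deployment.
CONSENT = b'{"borrower":"B-001","scope":"CRB","granted":true}'
H = hashlib.sha256(CONSENT).hexdigest()
BASE = {"cbk_dcp_licence_number": "DCP-EXAMPLE-0001", "intent_class": "LOAN_DECISION",
        "crb_consent_hash": H, "crb_query_timestamp": "2026-03-21T10:00:00Z",
        "approval_probability": 0.75, "loan_amount_kes": 50_000}

if __name__ == "__main__":
    print(evaluate(BASE, {H: "2026-03-21T09:59:30Z"}))  # consent precedes query
    print(evaluate(BASE, {H: "2026-03-21T10:00:05Z"}))  # consent logged after query
```
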

References

9.1.  Normative References

   [draft-veridom-omp]
              Adebayo, T., "Operating Model Protocol (OMP): A
              Deterministic Routing and Evidence Architecture for AI
              Decision Accountability in Regulated Industries", Work in
              Progress, Internet-Draft, draft-veridom-omp-00, 21 March
              2026.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

9.2.  Informative References

              Central Bank of Kenya, "AI Banking Sector Survey", July
              2025.

   [CBK-NDTCP-2022]
              Central Bank of Kenya, "The Central Bank of Kenya
              (Digital Credit Providers) Regulations 2022", March 2022.

   [KENYA-DPA-2019]
              Republic of Kenya, "Data Protection Act 2019", 2019.

   [ZENODO-OMP]
              Adebayo, T., "OMP - Operating Model Protocol: A
              Deterministic Routing Invariant for Tamper-Evident AI
              Decision Accountability in Regulated Industries", Zenodo
              10.5281/zenodo.19140948, 21 March 2026.

Authors' Addresses

   Tolulope Adebayo
   Veridom Ltd
   Email: tolulope@veridom.io

   Festus Makanjuola
   Veridom Ltd
   Email: festus@veridom.io