



Network Working Group                                         T. Adebayo
Internet-Draft                                             F. Makanjuola
Intended status: Informational                               Veridom Ltd
Expires: 22 September 2026                                 21 March 2026


    OMP Domain Profile: Kenya Digital Credit Providers -- CBK NDTCP
            Regulations 2022 and AI Decision Accountability
                       draft-veridom-omp-ndtcp-00

Abstract

   This document defines the OMP domain profile for digital credit
   providers (DCPs) operating under the Central Bank of Kenya Digital
   Credit Providers Regulations 2022 (CBK NDTCP).  It specifies the
   Intent Class configuration, routing threshold ranges, Watchtower
   definitions, and Audit Trace extensions required to satisfy per-
   decision explainability and human oversight evidence requirements for
   AI-assisted credit decisions under the CBK framework.

   The Central Bank of Kenya AI Banking Sector Survey (July 2025) found
   that few institutions using AI for credit decisions have mechanisms
   for per-decision explainability.  The CBK AI Guidance Note, in
   preparation as of March 2026, will define what adequate AI governance
   evidence means for all 195 licensed DCPs.  This profile specifies the
   technical architecture that satisfies those requirements.

   This profile REQUIRES implementation of the core OMP protocol as
   defined in draft-veridom-omp.  All terms and base protocol
   specifications in that document apply to this profile.  This document
   specifies only the domain parameters.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 September 2026.



Adebayo & Makanjuola    Expires 22 September 2026               [Page 1]

Internet-Draft              OMP NDTCP Profile                 March 2026


Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Conventions and Terminology
   3.  Regulatory Reference Framework
   4.  Intent Class Configuration
   5.  Watchtower Configuration
     5.1.  WT-NDTCP-01: CRB Consent Verification
     5.2.  WT-NDTCP-02: Adverse Action Trigger
     5.3.  WT-NDTCP-03: High-Value Loan Guardrail
   6.  Audit Trace Extensions
   7.  Proof-Point Output Format
   8.  Security Considerations
   9.  IANA Considerations
   10.  References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Central Bank of Kenya licensed 195 digital credit providers under
   the NDTCP framework [CBK-NDTCP-2022] as of January 2026.  The CBK 
   AI Banking Sector Survey conducted in March 2025 and published July 3, 
   2025 found that 50% of regulated institutions have adopted AI tools, 
   of which 65% use AI for credit risk scoring.  The survey further found 
   that few institutions using AI have mechanisms for bias detection, 
   algorithm explainability, or customer redress.  Ninety-three percent 
   of survey respondents stated that CBK should develop and issue 
   AI Guidance.

   Matu Mugo, Director of Bank Supervision at CBK, confirmed publicly at
   the CBK AI Hackathon (November 20, 2025) that the Bank is formulating
   a Guidance Note on Artificial Intelligence covering governance, risk
   management frameworks, data integrity, and the necessity of human
   oversight in automated decision-making.

   For the purposes of this profile, per-decision explainability means a
   cryptographically sealed record of: (i) the input data at the moment
   of the credit decision, (ii) the classification and confidence scores
   applied, (iii) the policy compliance evaluation, (iv) the routing
   outcome (AUTONOMOUS, ASSISTED, or ESCALATED), and (v) the identity of
   any Named Accountable Officer who reviewed the decision.  The OMP
   Audit Trace defined in draft-veridom-omp satisfies all five
   requirements when configured per this profile.

   The Kenya Office of the Data Protection Commissioner (ODPC) issued
   its largest combined fines in history in December 2025 -- KES
   9,375,000 in a single decision -- against digital credit providers
   specifically for the absence of traceable consent and data processing
   audit trails.  This profile addresses those specific evidentiary
   requirements.

2.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] when, and only when, they appear in all capitals, as
   shown here.


3.  Regulatory Reference Framework

   The following regulatory instruments govern DCP operations in Kenya.
   This section maps each instrument's evidentiary requirements to
   specific OMP NDTCP profile technical responses.

   CBK NDTCP Regulation 18:  Requires reasonable assessment of borrower
      repayment ability.  The OMP AUTONOMOUS path with full Audit Trace
      provides a sealed record of the input data and classification
      rationale at the moment of the credit decision, satisfying the
      evidencing requirement for each loan.

   CBK AI Guidance Note (in preparation, expected Q2 2026):  Expected to
      require per-decision explainability of AI credit decisions.  The
      complete OMP Audit Trace -- including Intent Class, Confidence
      Score components, Watchtower evaluations, and routing rationale --
      constitutes the per-decision explainability record.  The Proof-
      Point artifact generates the regulator-ready export on demand.

   Kenya Data Protection Act 2019 [KENYA-DPA-2019] / ODPC 
      enforcement:  Requires traceable consent and data processing 
      audit trail.  Watchtower WT-01 (PII Exposure Shield) prevents 
      PII ingestion to the inference layer.  H_s anchors the data state 
      at query time.  The Proof-Point generates the consent and 
      processing audit trail on examination demand.

   CBK NDTCP Regulation 27:  Consumer complaint handling and response
      timelines.  Watchtower WT-04 (Regulatory Silence Detector)
      enforces SLA compliance.  The Audit Trace records every complaint
      interaction with timestamps.  Proof-Point provides SLA compliance
      evidence on demand.

4.  Intent Class Configuration

   The following Intent Classes MUST be defined for NDTCP deployments.
   Routing thresholds are specified as minimum values; implementations
   MAY set higher thresholds based on institutional risk assessment.

     +============================+=======+=========================+
     | Intent Class               | Theta | Rationale               |
     |                            | Min   |                         |
     +============================+=======+=========================+
     | CREDIT_SCORE_QUERY         | 0.88  | Routine credit score    |
     |                            |       | inquiry.  No lending    |
     |                            |       | decision.  High volume. |
     +----------------------------+-------+-------------------------+
     | LOAN_DECISION              | 0.92  | AI-assisted loan        |
     |                            |       | origination.  High      |
     |                            |       | consequence.  Named     |
     |                            |       | officer review required |
     |                            |       | above threshold.        |
     +----------------------------+-------+-------------------------+
     | REPAYMENT_CAPACITY_ASSESS  | 0.90  | Regulation 18           |
     |                            |       | compliance.  MUST log   |
     |                            |       | data sources used in    |
     |                            |       | assessment.             |
     +----------------------------+-------+-------------------------+
     | COMPLAINT_RESOLUTION       | 0.85  | Customer complaint      |
     |                            |       | routing.  Silence       |
     |                            |       | Detector active.        |
     |                            |       | 24-hour SLA.            |
     +----------------------------+-------+-------------------------+
     | ADVERSE_ACTION_NOTICE      | 0.95  | Credit denial or        |
     |                            |       | adverse terms.  Named   |
     |                            |       | officer MUST review     |
     |                            |       | before dispatch.        |
     +----------------------------+-------+-------------------------+
     | DATA_RECTIFICATION_REQUEST | 0.88  | ODPC-governed data      |
     |                            |       | correction.  Full audit |
     |                            |       | trail mandatory.        |
     +----------------------------+-------+-------------------------+
     | CRB_CONSENT_VERIFICATION   | 0.99  | Credit Reference Bureau |
     |                            |       | access.  Consent MUST   |
     |                            |       | be logged before query. |
     +----------------------------+-------+-------------------------+

                                 Table 1

5.  Watchtower Configuration

   The following Watchtowers MUST be active in NDTCP deployments.  WT-01
   and WT-04 from the core registry apply without modification.  The
   following NDTCP-specific Watchtowers are defined for this profile.

5.1.  WT-NDTCP-01: CRB Consent Verification

   Severity:  HARD_BLOCK

   Trigger:  CRB query attempted without a logged, timestamped borrower
      consent record predating the query timestamp.

   Action:  Blocks CRB query.  Routes interaction to ESCALATED.  Logs
      trigger evidence including attempted query timestamp and absence
      of consent record.

   Regulatory basis:  Kenya Data Protection Act 2019; CBK consumer
      protection guidelines requiring explicit consent for CRB access.

   ODPC enforcement precedent:  Mulla Pride Ltd / KeCredit / Faircash
      (December 2025): KES 2,975,000 fine specifically for absence of
      traceable consent records.  This Watchtower closes that specific
      evidence failure mode.

5.2.  WT-NDTCP-02: Adverse Action Trigger

   Severity:  FORCE_ASSISTED

   Trigger:  LOAN_DECISION intent where Confidence Score indicates
      probable denial outcome (implementation-defined threshold,
      RECOMMENDED: C below 0.40 for the approval outcome class).

   Action:  Forces ASSISTED path.  Named Accountable Officer MUST review
      and apply a Resolution Action before denial notice is dispatched.

   Regulatory basis:  CBK consumer protection; forthcoming AI Guidance
      Note requirement for human oversight of adverse AI credit
      decisions.

5.3.  WT-NDTCP-03: High-Value Loan Guardrail

   Severity:  FORCE_ASSISTED

   Trigger:  Loan application above KSh 1,000,000 (configurable; this is
      the RECOMMENDED default).

   Action:  Forces ASSISTED path.  Named officer MUST approve before
      AUTONOMOUS dispatch of any loan decision.

6.  Audit Trace Extensions

   The following fields extend the base Audit Trace schema for NDTCP
   deployments.  All fields are mandatory unless marked OPTIONAL.

   {
     "cbk_dcp_licence_number":    "string",
     "crb_consent_hash":          "sha256 | null",
     "crb_consent_timestamp":     "ISO 8601 UTC | null",
     "loan_application_id":       "string | null",
     "regulation_18_data_sources": ["string"],
     "adverse_action_flag":       "boolean",
     "ndtcp_schema_version":      "NDTCP-PROFILE-v1.0"
   }

   cbk_dcp_licence_number MUST be present in every trace for regulator
   identification.  crb_consent_hash MUST be present and non-null for
   any interaction where a CRB query was made.
   regulation_18_data_sources MUST be populated for
   REPAYMENT_CAPACITY_ASSESS intent class.
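
   The following Python validator is an added illustration, not part of
   the OMP specification or the authors' code.  It checks an extension
   object against the rules above; the intent_class and crb_query_made
   arguments, the lowercase-hex digest encoding, and the trailing-Z
   timestamp form are assumptions, since the base trace schema is
   defined in draft-veridom-omp.

```python
import re

# Field name -> accepted Python types, following the extension schema above.
NDTCP_FIELDS = {
    "cbk_dcp_licence_number": (str,),
    "crb_consent_hash": (str, type(None)),
    "crb_consent_timestamp": (str, type(None)),
    "loan_application_id": (str, type(None)),
    "regulation_18_data_sources": (list,),
    "adverse_action_flag": (bool,),
    "ndtcp_schema_version": (str,),
}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # assumed encoding: lowercase hex
ISO_UTC = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")  # assumed form

def validate_ndtcp_extension(ext, intent_class, crb_query_made):
    """Return the list of rule violations; an empty list means conformant."""
    errors = [f"{name}: missing or wrong type"
              for name, types in NDTCP_FIELDS.items()
              if name not in ext or not isinstance(ext[name], types)]
    if errors:
        return errors  # the checks below assume well-typed fields
    if not ext["cbk_dcp_licence_number"].strip():
        errors.append("cbk_dcp_licence_number: empty")
    if ext["ndtcp_schema_version"] != "NDTCP-PROFILE-v1.0":
        errors.append("ndtcp_schema_version: unexpected value")
    consent_hash = ext["crb_consent_hash"]
    if crb_query_made and consent_hash is None:
        errors.append("crb_consent_hash: null although a CRB query was made")
    if consent_hash is not None and not SHA256_HEX.fullmatch(consent_hash):
        errors.append("crb_consent_hash: not a SHA-256 hex digest")
    ts = ext["crb_consent_timestamp"]
    if ts is not None and not ISO_UTC.fullmatch(ts):
        errors.append("crb_consent_timestamp: not ISO 8601 UTC")
    sources = ext["regulation_18_data_sources"]
    if not all(isinstance(s, str) and s for s in sources):
        errors.append("regulation_18_data_sources: entries must be strings")
    if intent_class == "REPAYMENT_CAPACITY_ASSESS" and not sources:
        errors.append("regulation_18_data_sources: empty for Regulation 18 intent")
    return errors

# Constructed sample extension block (all values are placeholders).
SAMPLE = {
    "cbk_dcp_licence_number": "DCP-EXAMPLE-0001",
    "crb_consent_hash": "ab" * 32,
    "crb_consent_timestamp": "2026-03-21T09:00:00Z",
    "loan_application_id": "LA-0001",
    "regulation_18_data_sources": ["mobile_money_statement"],
    "adverse_action_flag": False,
    "ndtcp_schema_version": "NDTCP-PROFILE-v1.0",
}

if __name__ == "__main__":
    print(validate_ndtcp_extension(SAMPLE, "LOAN_DECISION", True))
```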

7.  Proof-Point Output Format

   When generated for a CBK examination, the Watchtower 6 Proof-Point
   MUST include the following sections in addition to the base format
   defined in draft-veridom-omp:

   *  Credit Decision Evidence: total loan decisions in period with
      AUTONOMOUS/ASSISTED/ESCALATED split, adverse action count, Named
      Officer review rate for adverse decisions.

   *  CRB Consent Compliance: percentage of CRB queries with logged
      consent.  Zero-tolerance metric -- any CRB query without consent
      logs is a WT-NDTCP-01 violation and MUST be separately itemised.

   *  ODPC Compliance Indicators: PII exposure events prevented (WT-01
      activations).  Data rectification requests and resolution status.

   *  Named Officer Accountability: list of Named Accountable Officers
      active in the period with resolution action distribution (RA-1
      through RA-4 counts).

   *  Chain Integrity Verification: confirmation that SHA-256 Merkle
      chain and RFC 3161 timestamps are intact across all traces in the
      period.  Independent verification instructions included.

8.  Security Considerations

   All security considerations in draft-veridom-omp apply.  The
   following considerations are specific to the NDTCP profile.

   CRB Consent Sequencing: An institution could attempt to log a
   fabricated consent record after the CRB query.  WT-NDTCP-01 MUST
   verify that the crb_consent_hash references a consent record whose
   timestamp predates the CRB query timestamp.  Any consent record
   timestamped after the CRB query timestamp MUST be flagged as a
   sequencing violation and the interaction MUST be routed to ESCALATED.

   Adverse Action Suppression: An institution could attempt to route
   adverse credit decisions through the AUTONOMOUS path by manipulating
   confidence score inputs.  WT-NDTCP-02 triggers on outcome
   probability, not on the routing confidence score, to prevent this
   manipulation.
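
   The two controls above, together with WT-NDTCP-03, are expressed in
   the following added Python example (not code from the authors or the
   OMP specification).  The consent log structure with its logged_at
   time, the field names crb_query_timestamp, approval_probability,
   routing_confidence and loan_amount_ksh, and the precedence of
   ESCALATED over ASSISTED are assumptions.

```python
import hashlib
from datetime import datetime

def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp such as 2026-03-21T09:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def evaluate_ndtcp_watchtowers(interaction, consent_log,
                               denial_threshold=0.40, high_value_ksh=1_000_000):
    """Return (forced_path, findings); forced_path is None if nothing fires."""
    findings = []
    query_ts = interaction.get("crb_query_timestamp")  # assumed base-trace field
    if query_ts is not None:
        # WT-NDTCP-01: the hash must resolve to a logged consent record that
        # matches it and was logged strictly before the CRB query.
        consent_hash = interaction.get("crb_consent_hash")
        entry = consent_log.get(consent_hash)
        if entry is None:
            findings.append(("WT-NDTCP-01", "no consent record for hash"))
        elif hashlib.sha256(entry["body"]).hexdigest() != consent_hash:
            findings.append(("WT-NDTCP-01", "consent record does not match hash"))
        elif parse_utc(entry["logged_at"]) >= parse_utc(query_ts):
            findings.append(("WT-NDTCP-01", "sequencing violation"))
    if interaction.get("intent_class") == "LOAN_DECISION":
        # WT-NDTCP-02 reads the approval-outcome probability, not the routing
        # confidence score; a missing value fails closed to human review.
        if interaction.get("approval_probability", 0.0) < denial_threshold:
            findings.append(("WT-NDTCP-02", "probable denial"))
    amount = interaction.get("loan_amount_ksh")
    if amount is not None and amount > high_value_ksh:
        findings.append(("WT-NDTCP-03", "high-value loan"))
    # Assumed precedence: a HARD_BLOCK (ESCALATED) outranks FORCE_ASSISTED.
    if any(wt == "WT-NDTCP-01" for wt, _ in findings):
        return "ESCALATED", findings
    return ("ASSISTED" if findings else None), findings

# Constructed sample data: one consent record logged at 09:00:00Z.
CONSENT_BODY = b'{"borrower":"B-001","scope":"CRB_QUERY"}'
CONSENT_HASH = hashlib.sha256(CONSENT_BODY).hexdigest()
CONSENT_LOG = {CONSENT_HASH: {"body": CONSENT_BODY,
                              "logged_at": "2026-03-21T09:00:00Z"}}

def sample(**overrides):
    """Build a constructed LOAN_DECISION interaction, then apply overrides."""
    base = {"intent_class": "LOAN_DECISION", "crb_consent_hash": CONSENT_HASH,
            "crb_query_timestamp": "2026-03-21T09:05:00Z",
            "routing_confidence": 0.97, "approval_probability": 0.80,
            "loan_amount_ksh": 50_000}
    base.update(overrides)
    return base

if __name__ == "__main__":
    for p in (0.80, 0.20):  # routing_confidence stays 0.97 in both runs
        print(evaluate_ndtcp_watchtowers(sample(approval_probability=p), CONSENT_LOG))
```

   The sequencing check compares against the time the consent log
   recorded the entry rather than the trace's self-declared
   crb_consent_timestamp, so a back-dated value written into the trace
   does not satisfy it.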

9.  IANA Considerations

   This document makes no requests of IANA.

10.  References

10.1.  Normative References

   draft-veridom-omp
              Adebayo, T., "Operating Model Protocol (OMP): A
              Deterministic Routing and Evidence Architecture for AI
              Decision Accountability in Regulated Industries", Work in
              Progress, Internet-Draft, draft-veridom-omp-00, 21 March
              2026,
              <https://datatracker.ietf.org/doc/html/draft-veridom-omp-00>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

10.2.  Informative References

   
              Central Bank of Kenya, "AI Banking Sector Survey", July
              2025.

   [CBK-NDTCP-2022]
              Central Bank of Kenya, "The Central Bank of Kenya (Digital
              Credit Providers) Regulations 2022", March 2022.

   [KENYA-DPA-2019]
              Republic of Kenya, "Data Protection Act 2019", 2019.

   ZENODO-OMP
              Adebayo, T., "OMP - Operating Model Protocol: A
              Deterministic Routing Invariant for Tamper-Evident AI
              Decision Accountability in Regulated Industries",
              Zenodo 10.5281/zenodo.19140948, 21 March 2026.

Authors' Addresses

   Tolulope Adebayo
   Veridom Ltd
   Email: tolulope@veridom.io


   Festus Makanjuola
   Veridom Ltd
   Email: festus@veridom.io
