India vs Kenya: Two Ways to Regulate AI in Finance

Share

Two of the most dynamic emerging markets looked at the same problem AI giving financial advice and reached for almost opposite tools. The contrast tells you something about what regulating AI actually means.


Every regulator in the world is staring at the same question right now: what do you do when software starts giving people financial advice?

It is a genuinely hard question, and not for the reasons people assume. The technology is the easy part. The hard part is conceptual. An AI tool that helps someone with their investments doesn't fit cleanly into any of the categories financial regulation was built around. It isn't quite a person. It isn't quite a product. It advises, but it can't be held responsible. It scales infinitely, but it can be wrong in ways no human adviser ever could. Regulators built their entire rulebooks around licensed human professionals who carry duties and bear consequences and now they have to decide where a piece of software fits in that picture.

Two emerging markets I follow closely Kenya and India, have both answered this question recently, and what makes them worth putting side by side is that they answered it differently. Not in the details, but in the fundamental approach. Faced with the same problem, they reached for opposite tools. Understanding why is a small masterclass in what "regulating AI" actually means once you get past the slogans.

Kenya: build a new box

Kenya's approach, codified in the Capital Markets (Licensing Requirements) (General) Regulations, 2025, was to create a new category.

The old framework, dating to 2002, was built for a market of clearly defined brokers and exchange-floor trading, with very little technology in between. It had no concept of an app that advises you. So Kenya's Capital Markets Authority did something direct: it expanded the definition of "investment adviser" to expressly capture digital platforms providing automated, algorithm-driven investment advice with little to no human supervision. In plain terms, it named the robo-adviser, drew a box around it, and said: if you are this thing, you now need a licence, with capital requirements, a principal bank account in Kenya, security standards, and a data protection policy attached. Existing licensees have until 11 December 2026 to comply.

This is the categorical approach. The regulator identifies a new type of actor in the market and builds a dedicated regulatory home for it. The defining feature of Kenya's definition is the phrase "little to no human supervision" that is the trigger. The regulation is explicitly aimed at the autonomous tool, the one making consequential recommendations with nobody in the loop. Pull a human meaningfully back into the process, and you may fall outside the box entirely, into the safer territory of education and human-reviewed assistance.

The logic here is clean and has real virtues. It creates a clear identity for the thing being regulated. A new entrant knows whether they are or aren't a robo-adviser, and what's required if they are. It also concentrates the regulator's attention precisely where the novel risk lives: fully automated advice to ordinary retail investors. The cost is rigidity. Categories are brittle. Define the box too tightly and clever products design their way around the edges; define it too loosely and you sweep in tools nobody meant to capture. And a category drawn in 2025 has to keep pace with a technology that changes every few months.

India: make the licensee swallow it

India, governing a far larger and more mature capital market through the Securities and Exchange Board of India, went the other way. Rather than build a new box for the AI, it kept the AI inside the existing box and made the human licensee fully responsible for it.

India's foundation was already different. Under the SEBI (Investment Advisers) Regulations, 2013, anyone giving investment advice for compensation must register as an investment adviser, full stop. When robo-advisers appeared, SEBI's position, clarified across consultation papers and memoranda, was essentially: an automated tool giving advice is still advice, and whoever operates it is still an adviser, subject to all the same registration and conduct requirements. There was no need for a new actor the AI was simply a tool used by an existing regulated one.

What India did add, and this is the crucial move, was to nail down accountability with unusual force. Through a 2025 amendment introducing what's been described as a sole-liability rule for AI tools, SEBI made any regulated entity solely liable for the AI/ML tools it uses whether built in-house or bought from a vendor. Liability covers the integrity of the AI's outputs, data security, and compliance with all applicable law. The message to the industry, as several Indian lawyers summarized it, was blunt: using AI does not reduce your responsibility it increases it. You cannot blame the algorithm. You cannot point at "machine predictions." If your AI gives bad advice, you, the licensed human entity, own that failure completely.

Alongside this, SEBI's June 2025 consultation paper on responsible AI/ML use sketched a broader governance regime disclosure to clients when AI materially affects them, testing in segregated environments before deployment, five-year retention of model inputs and outputs, board-approved AI governance frameworks, independent audits, and explainability requirements.

This is the principles-and-accountability approach. The regulator doesn't try to define the AI as a new kind of actor. It says: we already regulate the human or firm giving advice; AI is just a new instrument in their hands; and we will hold them to account for it without compromise. The virtue is flexibility it doesn't matter what the technology is or how it evolves, because the obligation attaches to the licensed entity, not to a frozen definition of the tool. The cost is that it offers less clarity to genuinely new entrants who don't already sit inside the licensed perimeter, and it leans heavily on enforcement: the whole edifice rests on the regulator actually holding firms to that liability when something goes wrong.

Why the difference, and what it reveals

It would be easy to read this as one regulator being smarter than the other. It isn't that. The difference flows from the markets they're regulating and the problems each is actually trying to solve.

India is regulating a deep, mature market with millions of retail investors, a large established advisory industry, and a fast-growing wealth-tech sector. Its problem is scale and accountability: lots of licensed players are racing to bolt AI onto existing advisory businesses, and the risk SEBI most needs to manage is that they use the technology to dilute responsibility to let "the algorithm did it" become an excuse. Hence the hammer of sole liability. The licensed perimeter already exists and is densely populated; the job is to make sure AI doesn't become a hole in it.

Kenya is regulating a younger, thinner capital market where the more pressing dynamic is access and entry. A wave of app-based platforms is bringing first-time investors into the market through their phones, often without sitting inside any traditional licensed structure at all. The CMA's problem is less "stop licensees from hiding behind AI" and more "bring these new app-based actors into the regulatory perimeter in the first place." Hence the new category you need a box to put the newcomers in before you can supervise them.

So the two approaches aren't really rivals. They're answers to different questions. India is closing a gap inside a crowded perimeter. Kenya is extending a perimeter to reach actors who were outside it. One built a new room; the other made everyone already in the house fully liable for their new appliances.

The thread that connects them

For all the contrast, look at what both regulators independently insisted on, and you find the same instinct underneath. Both, in their own grammar, refused to let AI become an accountability vacuum.

Kenya did it by targeting the "little to no human supervision" tool drawing its regulatory attention precisely to the case where no human is answerable. India did it by making the human licensee absorb total liability for whatever the AI does. Different mechanisms, identical underlying conviction: somewhere in the loop, an accountable human or institution must remain. Neither regulator was willing to let "the model decided" be a complete answer when someone's money is on the line.

That convergence is the real signal, and it matters far beyond these two countries. The global conversation about AI regulation often gets lost in abstractions alignment, existential risk, the long-run trajectory of the technology. Meanwhile, two emerging-market regulators quietly did something concrete and shippable. They each found a workable way to keep a responsible human attached to a financial AI system, using the legal tools they already had. Kenya reached for definition; India reached for liability. Both were really reaching for the same thing.

If you build AI financial tools, the practical lesson is the same in Nairobi and Mumbai, even though the rulebooks look nothing alike: design your system so that a named, accountable human stands behind its consequential outputs. In Kenya that keeps you on the right side of a category. In India it keeps you on the right side of a liability rule. Everywhere, it happens to be how you build something trustworthy.

The regulators have told you what they want, in two different languages that turn out to mean the same thing. The frontier of AI in finance isn't going to be defined by whoever builds the most autonomous system. It's going to be defined by whoever builds the most accountable one.


Frontier Finance AI covers the collision of artificial intelligence and capital markets across Africa and Asia. This piece is analysis, not legal advice; anyone building in either market should consult local counsel on their specific product.

Read more