MNL ADVOCATES LLP (MN LEGAL)

  • Kenya’s VASP Act 2025: What It Means for Foreign Investors and Operators

    Kenya’s VASP Act 2025: What It Means for Foreign Investors and Operators

    Kenya’s VASP Act 2025: What It Means for Foreign Investors and Operators

    Kenya’s enactment of the Virtual Asset Service Providers Act 2025 is the most significant development in the country’s digital finance regulatory landscape to date. Passed by Parliament in October 2025, the Act establishes the first comprehensive legal framework governing crypto exchanges, digital wallet providers, custodians, and related virtual asset service platforms in Kenya. It marks a decisive shift away from the informal and legally ambiguous crypto environment that preceded it, toward a structured, supervised, and internationally aligned regulatory regime.

    For foreign companies and individuals, who have been among Kenya’s most active blockchain and digital asset sector participants, the implications are both substantial and immediate. This insight sets out what the Act introduces, how it affects foreign operators and investors, and what practical steps responsible organisations should take now, ahead of the implementing guidelines that will give the regime its operational detail.

    Kenya VASP Act 2025 impact on foreign investors and operators abstract blockchain compliance graphic
    Kenya’s VASP Act 2025 transforms the country from a loosely regulated crypto market into a structured, compliance-oriented digital asset environment.

    Important context: The VASP Act 2025 establishes the legislative framework. Implementing guidelines from the National Treasury are awaited. Until those guidelines are issued, certain procedural details including licensing timelines, fee structures, and specific AML/KYC thresholds remain subject to those forthcoming rules. This article reflects the framework as currently enacted.

    1) A formal licensing regime: what it requires and who it covers

    The most structurally significant change introduced by the VASP Act is the requirement that all virtual asset service providers obtain a licence before operating in Kenya. The Act covers a broad range of activities: crypto exchanges, digital wallet operators, custodians, digital asset brokers, token issuers, and platforms facilitating cross-border payments using digital assets. Licensing is supervised jointly by the Central Bank of Kenya and the Capital Markets Authority, reflecting the dual financial and capital markets dimensions of virtual asset activity.

    Infographic showing who needs a VASP licence in Kenya including crypto exchanges, wallet providers, custodians, brokers, token issuers and cross-border payment platforms
    Six categories of virtual asset activity require licensing under the VASP Act 2025, supervised jointly by CBK and CMA.

    For foreign operators, this creates a structural decision point. Informally onboarding Kenyan users from offshore is no longer a viable or legally defensible model. Foreign VASPs must either obtain a local licence, which involves meeting fit and proper requirements and satisfying the CBK and CMA’s supervisory expectations, or operate through a licensed Kenyan VASP partner under a model that allocates responsibilities clearly between the parties.

    This approach mirrors the direction taken by regulators in the EU, Singapore, and the UAE, all of whom have moved to require territorial authorisation or regulated partner arrangements for virtual asset activities affecting their residents. Kenya’s decision to align with that direction raises its standing among internationally operating digital finance businesses and signals that the country intends to be a credible regulatory jurisdiction rather than a permissive offshore gateway.

    2) AML/KYC and consumer protection standards

    The VASP Act introduces mandatory anti-money laundering and know-your-customer obligations for all licensed providers. This includes customer identity verification, ongoing transaction monitoring, and suspicious activity reporting. Consumer protection safeguards are also embedded in the framework, addressing fraud prevention, data misuse, and the standards of disclosure owed to users of digital asset platforms.

    For foreign investors using Kenyan platforms, the practical consequence is that the anonymous or lightly verified access that characterised earlier market participation is no longer available. Identity verification will be required and enforced. For foreign firms operating in Kenya, AML compliance is an additive obligation that sits alongside their home-country AML framework, increasing the operational complexity and cost of serving the Kenyan market.

    The longer-term benefit, however, is a more trusted and fraud-resistant market. The period before the VASP Act saw a significant number of unregulated offshore platforms operating in Kenya, some of which exposed users to exit scams, insolvency events, and fraud with no regulatory recourse. The new framework is specifically designed to close that gap.

    3) Cross-border investment and remittances

    Kenya is consistently ranked among the highest-adoption crypto markets globally, and a significant portion of that activity is remittance-driven. The VASP Act acknowledges the importance of digital assets in cross-border financial flows and provides a legal structure within which those flows can operate with certainty.

    Diaspora communities and foreign workers in Kenya benefit from a predictable, legally recognised framework for using digital asset platforms to send and receive funds. Transactions through licensed VASPs will be documented and compliant, which carries secondary benefits: those records can support immigration, tax, and financial reporting obligations in other jurisdictions. Foreign fintech businesses with a cross-border remittance focus gain access to a regulated Kenyan operating environment that was previously unavailable to them in a structured form.

    Kenya’s established position in mobile money, built significantly through M-Pesa’s growth, and its large crypto adoption base make it a strategically important market for any firm seeking East African expansion with digital asset capabilities. The VASP Act gives that expansion a compliant and structured pathway.

    4) A more orderly market: what the removal of unregulated operators means

    One of the most commercially significant effects of the VASP Act is the exclusion of unlicensed foreign platforms from the Kenyan market. Before the Act, offshore entities with no local presence, no supervisory accountability, and no compliance infrastructure could and did operate in Kenya. The consequences for Kenyan users were well-documented: fraud exposure, custody risks, and losses from platform failures with no legal recourse.

    Infographic showing opportunities and obligations for foreign operators under Kenya VASP Act 2025
    The VASP Act creates both a compliance obligation and a commercial opportunity for foreign operators who choose to engage properly.

    The Act changes this materially. Unregistered foreign platforms are barred from serving Kenyan clients. Foreign investors engaging with the Kenyan digital asset market are directed toward licensed, regulated, and accountable entities. The reduction in regulatory ambiguity also helps foreign individuals whose trading or investment activity from within Kenya previously created uncertainty for tax reporting and cross-border financial disclosure purposes.

    5) Compliance obligations vs reduced legal risk

    The VASP Act increases the compliance obligations of foreign companies seeking to participate in the Kenyan market. This includes audit requirements, transaction reporting, record retention, cybersecurity standards, and the resourcing of compliance functions capable of meeting ongoing supervisory expectations. These costs are real and should be factored into any market entry plan.

    Against that, the Act removes the legal uncertainty that previously made institutional engagement with the Kenyan crypto market difficult. Banks, telecom operators, and regulated financial institutions that were reluctant to partner with crypto firms, due to the absence of a legal framework and the reputational and regulatory risk of association with unregulated entities, have a clearer basis for engagement once licensing becomes operational. For larger foreign players, this unlocks commercial relationships that were structurally blocked before the Act.

    6) Tax transparency and reporting implications

    Although the VASP Act is not a tax statute, its licensing and record-keeping architecture supports the broader direction of Kenya’s digital economy tax policy. Kenya has been developing its approach to taxation of digital market participants, and the documentation trail created by licensed VASP operations provides infrastructure on which tax obligations can be more accurately assessed and enforced.

    For foreign crypto investors, this means a greater likelihood of clearer and enforceable tax obligations on Kenya-related digital asset activity. Foreign VASPs operating locally will need reporting systems capable of supporting both domestic tax filings and, where applicable, cross-border information exchange obligations. For foreign individuals transacting through Kenyan exchanges, structured records create a more straightforward basis for international tax compliance, which is increasingly expected by regulators in major economies.

    7) Summary: the dual impact on foreign participants

    The VASP Act transforms Kenya from a loosely regulated and legally uncertain crypto market into a structured digital asset environment with compliance standards comparable to leading international jurisdictions. For foreign participants, the impact falls into two categories that operate simultaneously.

    On the opportunity side, the Act provides legal certainty for compliant foreign firms, a legitimate gateway for East African market expansion, the possibility of institutional partnerships with banks and regulated financial entities previously unavailable, and a safer operating environment for foreign individuals using digital asset platforms for trading, investment, or remittances.

    On the obligation side, the Act requires local licensing or a licensed partner arrangement, ongoing AML/KYC compliance, consumer protection adherence, transaction reporting and record-keeping, and cybersecurity standards. These obligations are not trivial, but they are the standard expected of any serious digital finance business operating in a regulated market.

    Infographic showing five-step VASP compliance readiness guide for foreign firms entering Kenya
    Foreign firms should begin compliance readiness planning now, ahead of the implementing guidelines.

    Strategic point: The firms that will be best positioned when implementing guidelines are released are those that begin compliance readiness planning now: classifying their activities, assessing their licensing pathway, and building the internal frameworks that any licence application will require.

    How MN Legal helps

    MN Legal supports virtual asset businesses, fintech operators, and foreign investors navigating Kenya’s evolving digital asset regulatory landscape. As implementing guidelines from the National Treasury are issued, our regulatory and fintech team will be ready to support clients with precision and depth.

    Our support covers

    Preparing and submitting VASP licence applications, including documentation and regulatory engagement with CBK and CMA. Designing compliant AML/KYC and risk management frameworks tailored to Kenya’s revised standards. Structuring market entry strategies for foreign firms, including subsidiaries, partnership models, and local agent arrangements. Developing internal policies, governance systems, and reporting mechanisms to ensure ongoing compliance. Advising on tax, data protection, and consumer protection considerations that arise under the new regime.

    Schedule a consultation  |  Fintech and Regulatory practice

    FAQ

    What is the Kenya VASP Act 2025?

    The Virtual Asset Service Providers Act 2025 is Kenya’s first comprehensive legal framework governing virtual asset service providers including crypto exchanges, wallet providers, custodians, and related platforms. It was passed by Parliament in October 2025 and introduces licensing, AML/KYC obligations, and consumer protection standards under joint CBK and CMA supervision.

    Do foreign crypto businesses need a licence to operate in Kenya?

    Yes. Under the VASP Act, foreign VASPs can no longer informally serve Kenyan users from offshore. They must either obtain a local licence or operate through a licensed Kenyan VASP partner. The specific licensing procedures will be detailed in the implementing guidelines from the National Treasury.

    When will the implementing guidelines be released?

    The implementing guidelines are expected from the National Treasury but had not been released at the time of writing. The practical details of licensing procedures, fee structures, and specific compliance thresholds will be contained in those rules. Monitoring their release and preparing in advance is the recommended approach.

    What does the VASP Act mean for foreign individuals using Kenyan platforms?

    Foreign individuals will face identity verification requirements under AML/KYC standards. In exchange, they gain a more regulated and fraud-resistant environment. Documented transactions through licensed platforms may also support tax and financial reporting obligations in their home jurisdictions.

    How should a foreign firm start preparing for VASP Act compliance?

    The recommended starting point is to classify your activities under the Act, assess whether a local licence or a licensed partner model is appropriate, begin building AML/KYC and risk management frameworks, and align data protection and cybersecurity standards with what a licence application will require. Legal structuring advice at this stage reduces rework when implementing guidelines are issued.

    Disclaimer: This article is general information and does not constitute legal or regulatory advice. The VASP Act 2025 implementing guidelines had not been released at the time of publication. Requirements may change as guidelines are issued. Consult a qualified Kenyan regulatory lawyer for advice specific to your business model and activities.

  • Legal Compliance for Hiring in Kenya: A Guide for Foreign Companies and SMEs.

    Legal Compliance for Hiring in Kenya: A Guide for Foreign Companies and SMEs.

    Employing People in Kenya: A Legal Compliance Guide for Foreign Companies and Growing SMEs

    The first hire in a new market is where many foreign employers discover that employment law has practical consequences. Kenya’s employment framework is procedurally demanding, statutory in its obligations, and increasingly data-aware. Getting it right from the start is measurably cheaper than correcting it under pressure.

    Employing people in Kenya legal compliance guide for foreign companies and SMEs featured header
    Employment compliance in Kenya starts before the first contract is signed.

    This guide covers the compliance areas that matter most for foreign employers: classification, contracts, statutory setup, work permits, employee data, and termination procedure. It includes sector notes for technology, professional services, and manufacturing, and is accompanied by a downloadable employer compliance checklist.

    Practical framing: Many employment disputes and compliance exposures that reach lawyers are preventable. They typically result from one of three failures: the wrong classification, an absent or deficient contract, or a termination handled without following the required procedure.

    1) Employee or contractor: get this right first

    Classification is the decision that precedes every other employment compliance question. It determines which statutory deductions apply, what rights the individual holds, and whether unfair dismissal protections are available. Critically, a written agreement that describes someone as a contractor does not, on its own, determine their legal status.

    Kenyan courts and the Employment and Labour Relations Court look at the substance of the relationship, not the label. A person who works exclusively for one business, uses the business’s tools, is integrated into its operations, and has tax deducted at source is likely to be treated as an employee regardless of what the agreement says.

    Employee versus contractor classification test in Kenya showing six practical indicators

    A written agreement alone does not determine employment status in Kenya.

    The practical risk of misclassification is threefold: unpaid statutory contributions and associated penalties, tax exposure, and unfair dismissal claims if the engagement is terminated without following the employment procedure. Many foreign employers inherit this risk from early-stage arrangements that were not revisited as the engagement matured.

    Practical action: If you have contractors who work exclusively for your business, have been engaged for more than a few months, and are integrated into your workflows, review their classification before scaling or restructuring.

    2) The employment contract: what must be in writing

    Kenya’s Employment Act requires that certain information be provided to an employee in writing. Foreign employers often use home-country templates which typically miss Kenya-specific requirements and can create enforceability gaps or ambiguity on termination, post-employment obligations, and dispute resolution.

    A compliant Kenya employment contract should address the nature of the employment and probation period, remuneration and the basis of payment, working hours and leave entitlements, notice periods and termination conditions, governing law and the forum for disputes, and any post-employment restrictions. Where the employer intends to rely on confidentiality obligations or non-solicitation provisions, these must be proportionate and clearly drafted to have a reasonable prospect of enforcement in a Kenyan court.

    Non-compete clauses deserve particular attention. Kenyan courts apply a reasonableness standard and have in a number of decisions declined to enforce broad or disproportionate restraints. The clause must be limited in scope, geography, and duration to have a realistic chance of standing.

    3) Statutory registrations and payroll setup

    Before the first payroll run, three statutory frameworks require attention: PAYE administered through KRA, NSSF contributions, and SHIF contributions which replaced the former NHIF structure. These obligations arise at the point of hiring and late or missing remittances attract penalties.

    Kenya statutory employer obligations showing PAYE, NSSF and SHIF requirements at a glance

    Statutory registrations should be in place before the first payroll cycle.

    Beyond the mechanics of remittance, payroll compliance also requires accurate and timely payslips, recordkeeping for audit purposes, and the ability to produce records on demand from regulators or in litigation. Foreign employers should confirm that their payroll systems can generate Kenya-compliant outputs from day one.

    Key references: Kenya Revenue Authority, NSSF, and SHIF.

    4) Work permits and immigration for foreign staff

    Foreign nationals working in Kenya require an appropriate work authorisation before commencing employment. The permit category depends on the nature of the role, the level of the individual, and in some cases the sector. Permit applications involve documentation of the employer, the role, and the individual, and timelines should be factored into hiring plans.

    Kenya’s immigration framework also engages citizen-to-foreigner ratio considerations in certain sectors. Foreign employers should confirm the applicable requirements for their industry before making overseas hires and should treat permit renewals as a calendar-managed compliance item, not an ad hoc task.

    Reference: Department of Immigration Services.

    Practical tip: Start work permit applications as early as possible. Processing times can affect onboarding plans, and a foreign employee working without the correct authorisation creates legal risk for the employer.

    5) HR data and employee privacy

    Employment generates significant personal data: identity documents, payroll records, performance history, health information, device and system access logs, and in some cases location data or biometric attendance records. Kenya’s data protection framework applies to this data, and employers should not assume that existing home-country privacy notices and policies are sufficient.

    A defensible employment data posture includes a clear HR privacy notice that tells employees what data is collected, why, how long it is retained, and who it is shared with. It also requires appropriate vendor terms for payroll providers, HR platforms, and cloud-based systems. Where biometric data is used for attendance or access control, a higher standard of care is required, including risk assessment and documented justification.

    The ODPC has published guidance and issued determinations that are relevant to employer data practices. The safest approach is to treat HR data compliance as part of market entry, not a post-launch consideration. Reference: Office of the Data Protection Commissioner.

    6) Discipline and termination: the procedural standard

    This is the area where foreign employers most frequently face exposure, because the Kenyan employment framework is procedurally demanding in a way that differs from many other jurisdictions. An employer may have a substantively valid reason for dismissal and still face an unfair dismissal finding if the required procedure was not followed.

    Termination in Kenya procedural requirements flow showing five steps from valid reason to right of appeal

    Procedural failure can result in an unfair dismissal finding even where the substantive reason for dismissal is valid.

    The procedure requires that the employee receives written notice of the allegation, is given a genuine opportunity to respond and be heard, receives a written decision, and is offered an internal right of appeal. Documentation at each stage is essential: if the procedure is not evidenced, it is difficult to defend.

    Redundancy is separately regulated and requires a different process that includes notice to the relevant authority, notification to the union where applicable, and payment of redundancy entitlements. Foreign employers planning workforce restructuring should not apply home-country redundancy procedures in a Kenyan context.

    7) What to have in place before you scale

    Employment exposure grows as headcount grows. Small teams often operate on informal arrangements that become difficult to manage as the business scales. The transition point, where employment records, policies, and procedures need to be formalised, is typically earlier than most founders expect.

    Practically, employers should have written contracts for all staff, an HR data policy and privacy notice, a basic disciplinary and grievance procedure, payroll records that are complete and audit-ready, and documented onboarding that includes statutory disclosures. For employers using commission-based, flexible, or non-standard arrangements, the terms should be clear, documented, and consistent with statutory minimums.

    8) Sector notes

    Technology and SaaS businesses

    Tech businesses often rely heavily on contractor arrangements for product development and sales. Classification risk is particularly acute where contractors are embedded, exclusive, and long-term. IP assignment clauses in employment and contractor agreements are critical: the default position on who owns work created by an employee or contractor may not align with what the business intends. HR data exposure is also higher where platforms, devices, and access systems generate significant volumes of employee metadata.

    Professional services businesses

    Professional services firms face particular risk around restrictive covenants, client relationship ownership, and the enforceability of non-solicitation provisions when senior staff depart. Employment contracts in this sector should address client and staff solicitation, confidential information obligations, and gardening leave in a way that is proportionate and likely to be upheld.

    Manufacturing and industrial businesses

    Manufacturing employers should pay particular attention to working hours compliance, overtime calculations, health and safety obligations, and the statutory rules around collective bargaining where staff numbers are significant. Redundancy processes in this sector require careful management given union engagement obligations and the reputational and operational risks of a poorly handled workforce restructuring.

    9) Download the Kenya Employer Legal Compliance Checklist (2026)

    Kenya Employer Legal Compliance Checklist 2026 gated PDF cover

    Kenya Employer Legal Compliance Checklist (2026)

    A 12-area PDF checklist covering every employment compliance obligation for employers in Kenya, from pre-hire classification through to termination and post-employment obligations. Used by HR leads, COOs, and compliance teams at foreign companies expanding into Kenya.

    Covers: classification, contracts, statutory deductions, work permits, HR data, discipline, termination, and more.

    Download the Checklist (Free PDF)

    You will receive the checklist by email. No spam.

    FAQ

    Do foreign companies need written employment contracts in Kenya?

    Yes. Kenya’s Employment Act requires written contracts for most employment relationships. Using a home-country template without localisation can create enforceability gaps and compliance exposure.

    What happens if we misclassify an employee as a contractor?

    Misclassification creates exposure across three areas: unpaid statutory contributions and penalties, tax liability, and the risk of unfair dismissal claims on termination. Classification is determined by the substance of the relationship, not the label in the agreement.

    Can we terminate an employee in Kenya without a formal process?

    No. Kenyan employment law requires a procedurally fair process including notice of the allegation, a hearing, a written decision, and an opportunity to appeal. Skipping steps can result in an unfair dismissal finding even where the reason for termination is substantively sound.

    Are non-compete clauses enforceable in Kenya?

    They can be, but only if they are proportionate in scope, geography, and duration. Broad or poorly drafted non-compete clauses are regularly declined enforcement by Kenyan courts.

    What data protection obligations apply to HR data in Kenya?

    Employee data is subject to Kenya’s data protection framework. Employers should maintain HR privacy notices, appropriate vendor terms, and documented data handling policies. Biometric processing for attendance requires heightened care. Reference: ODPC.

    Need an employment contract review or HR compliance audit for Kenya?

    MN Legal supports foreign companies and growing SMEs with employment contract localisation, statutory compliance setup, work permit guidance, HR data governance, and termination procedure advice.

    Contact MN Legal  |  Employment and Labour practice

    Disclaimer: This article provides general information and does not constitute legal or employment advice. Requirements can change and may depend on your sector, workforce structure, and operating model. Consult a qualified Kenyan employment lawyer for advice on your specific facts.

  • Entering the Kenyan Market: A Practical Legal Roadmap for SMEs

    Entering the Kenyan Market: A Practical Legal Roadmap for SMEs

    Kenya is a strong gateway into East Africa, with a mature services economy and a growing technology and consumer base. For foreign SMEs, the opportunity is real, but the first ninety days often determine whether expansion is smooth or whether the business spends months correcting avoidable compliance gaps.

    This guide is a practical legal roadmap focused on two foundations: incorporation and compliance. It is written for foreign SMEs who want a clear sequence of steps, realistic expectations, and a defensible operating posture.

    Entering the Kenyan market legal roadmap for SMEs with Nairobi skyline and checklist motif
    Plan entry as a sequence: structure, incorporation, registrations, and compliance controls.

    Practical framing: Treat incorporation as the start of operations, not the end of setup. Tax registration, employment readiness, data protection, and sector licensing are where market entry succeeds or stalls.

    Contents

    1. The first 90 days: a realistic timeline
    2. Choose the right entry structure
    3. Incorporation and BRS filings
    4. Tax and statutory registrations
    5. Employment and payroll readiness
    6. Data protection compliance
    7. Sector licensing and permits
    8. Common mistakes and how to avoid them
    9. FAQ

    1) The First 90 Days: A Realistic Timeline for Foreign SMEs

    Market entry is rarely linear. The fastest approach is to run tasks in parallel, while keeping the legal sequence correct. The timeline below is a practical planning tool. It is not a promise of regulator processing time, which can vary.

    Use a 90-day plan to coordinate incorporation, tax, hiring, privacy, and sector approvals.

    Need a Tailored Entry Plan?

    If you share your sector, revenue model, and hiring plan, we can map the relevant registrations, licensing triggers, and the most efficient sequence.

    Contact MN Legal

    2) Choose the Right Entry Structure and Avoid Expensive Rework

    Your entry structure affects liability, tax posture, banking onboarding, licensing, and your ability to hire and contract locally. Many foreign SMEs default to a local company without checking whether a subsidiary, branch, or distributor model best fits their operating plan.

    A structure choice should match your contracting needs, tax plan, and licensing pathway.

    Subsidiary

    A Kenyan private company limited by shares is often the preferred structure for foreign SMEs seeking local operational flexibility, easier contracting, and a clearer separation of liability from the parent.

    Branch

    A branch can work where the foreign parent wants to operate directly and keep governance centralised. It may, however, present different tax and risk implications and can be perceived as less local for certain procurement and banking workflows.

    Distributor or Agent Model

    This can be a lower overhead route to test the market, but it shifts risk into contracts. If you enter through an intermediary, your agreements must address IP protection, pricing control, compliance obligations, and termination.

    3) Incorporation and BRS Filings: What the Process Looks Like

    Most company registration is processed through the Business Registration Service using the government eCitizen platform. In practice, delays usually come from incomplete documentation, unclear ownership chains, or inconsistencies in director and shareholder details.

    Filing portals and references: eCitizen and Business Registration Service.

    Foreign SMEs should plan beneficial ownership disclosures early, especially where a shareholder is a foreign company and the ownership chain is multi-layered. Cleaning this up after filing can create unnecessary friction with banks and counterparties during onboarding.

    4) Tax and Statutory Registrations: Align Early With How You Will Trade

    Tax posture should be addressed at the beginning, not after revenue starts. It affects pricing, invoicing, contract drafting, and cash flow. Registration and ongoing compliance requirements depend on your model, including whether you hire staff, import goods, or provide taxable services.

    Authority reference: Kenya Revenue Authority.

    Practical tip: Align your contracting and invoicing templates to your tax plan early. A common expansion mistake is signing customer contracts before the tax and invoicing model is settled.

    5) Employment and Payroll Readiness: Plan Before the First Hire

    Hiring is often the first operational move after incorporation. That is also where compliance risk begins to compound. SMEs should treat employment documentation, payroll systems, and statutory registrations as part of market entry, not an HR afterthought.

    Key agency references: NSSF and SHIF.

    6) Data Protection Compliance: A Common Blind Spot for Foreign SMEs

    If you collect personal data in Kenya including customer data, employee data, prospect lists, or analytics identifiers data protection compliance should be treated as a baseline operational requirement. This is especially true if you use a CRM, third-party marketing platforms, payroll providers, cloud hosting, or cross-border processing.

    Regulator reference: Office of the Data Protection Commissioner.

    A defensible posture typically requires clear privacy notices, appropriate vendor terms, and evidence that rights requests and opt-outs are handled reliably. Where processing is high-risk, an impact assessment is a practical safeguard, even where it is not explicitly demanded in every scenario.

    7) Sector Licensing and Permits: Confirm Triggers Before You Sign Leases or Launch

    Many foreign SMEs underestimate the number of licences and approvals that can apply depending on sector and county. Licensing triggers can affect timelines, banking onboarding, and procurement. The best approach is to map licensing requirements before signing a lease, importing equipment, or launching customer acquisition.

    Where relevant to your sector, you may also need approvals from sector regulators. For energy-related business models, see: EPRA.

    8) Common Mistakes Foreign SMEs Make and How to Avoid Them

    Mistake One: Incorporating Before Confirming Licensing and Tax Implications

    This leads to restructuring, amended contracts, and launch delays. Avoid it by mapping the revenue model, staffing plan, and regulated activities before filing.

    Mistake Two: Using Generic Templates for Kenya Contracts

    Templates often miss Kenya-specific issues such as tax clauses, limitation of liability, dispute resolution, and enforceability details. Localisation is cheaper than litigation or renegotiation.

    Mistake Three: Delaying Privacy Compliance Until After Launch

    Once you onboard staff or customers, you are processing personal data. Early privacy-by-design is almost always less costly than remediation after complaints.

    FAQ

    Can we incorporate in Kenya without a physical visit?

    Many steps can be coordinated remotely, depending on documentation and onboarding requirements. Banking and sector licensing can require additional local coordination.

    Which structure is best for a foreign SME?

    It depends on liability appetite, tax strategy, licensing requirements, and how you intend to hire and contract locally. A subsidiary is common, but not always optimal.

    Which agencies are usually involved early?

    Common touchpoints include BRS via eCitizen, KRA, statutory payroll agencies such as NSSF and SHIF, and ODPC for data protection compliance where relevant.

    Next Step: Get an Entry Plan You Can Execute

    If you are a foreign SME expanding into Kenya, a short scoping call can clarify your structure, registrations, licensing triggers, and the most efficient setup sequence for your first 90 days.

    Make an enquiry

    Disclaimer: This article provides general information and does not constitute legal or tax advice. Requirements can change and may depend on your sector, ownership, and operating model.

  • How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    The most commercially successful legal-tech products in capital markets are often the least dramatic: tools that help licensed
    intermediaries keep clean records, onboard investors efficiently, deliver disclosures with audit trails, and demonstrate compliance
    during due diligence.

    Yet licensing questions arise precisely because these products sit close to the regulatory frontier. A platform may be built as
    “workflow software” and still be treated as a regulated service if, in substance, it gives investment recommendations, arranges
    transactions, holds client money, or functions as part of the public offering machinery.

    Abstract capital markets licensing and legal-tech compliance graphic (no logos)
    Licensing risk is rarely about labels. Regulators look at function, control, and investor impact.

    Executive summary: Capital markets regulators tend to apply a functional approach. If your platform performs, controls,
    or materially influences regulated activity, licensing or a licensed partner model may be required, regardless of how the product is marketed.

    The licensing perimeter: the standard regulators apply

    Across most capital markets regimes, licensing is not triggered by a company’s branding (“we are a technology company”) but by what
    the company does. This is sometimes described as a substance-over-form or functional approach.

    In practical terms, the perimeter tends to tighten around four activities:
    (i) giving investment advice or making personalised recommendations,
    (ii) arranging, placing, routing, or executing transactions,
    (iii) handling client money, securities, or custody-like flows, and
    (iv) facilitating public offering communications in a way that creates mis-selling or disclosure risk.

    Legal-tech tools can sit safely outside the perimeter when they operate as internal compliance infrastructure for a licensed intermediary
    and remain subject to clear boundaries: the tool supports, records, and evidences; the licensed entity decides, approves, and executes.

    Where legal-tech products typically trigger perimeter concerns

    Licensing risk most often appears not in a single feature, but in the way features combine into a workflow. Products designed for
    investor onboarding, digital disclosures, and transactional workflow can become “front office” infrastructure very quickly.

    Where licensing risk appears in legal-tech products (onboarding, disclosures, transaction flow, custody)

    Onboarding, disclosures, order flow, and custody-adjacent design are the most common perimeter pressure points.

    Investor onboarding and eligibility

    KYC and onboarding tooling is generally defensible when it remains a controlled workflow with clear oversight. Risk escalates when
    the platform begins to make final determinations (who may invest, what products are suitable) without the licensed intermediary’s
    meaningful review, or where the “profiling” output becomes a de facto recommendation.

    Digital disclosures and investor communications

    Digital disclosure tools are often low-risk, and highly valuable, when they solve the evidence problem: document versioning,
    distribution logs, acknowledgements, and audit trails. Concerns arise where communications drift into promotion of an offer to the
    public without adequate controls, or where disclosures are delivered without traceable evidence of what the investor received and when.

    Order and transaction workflows

    Interfaces that display information are one thing; workflows that route orders, “match” investors to opportunities, or control
    execution logic may look like arranging or execution activity depending on the jurisdiction and the facts.

    Custody, payments, and settlement-adjacent flows

    Products that touch client funds directly or through accounts the platform controls require particular care. Even where a third-party
    payment provider is involved, the question regulators ask is who controls the flow and who bears responsibility for safekeeping.

    A practical perimeter test for founders and buyers

    The most efficient way to avoid late-stage licensing surprises is to run an early perimeter test and write down the conclusion.
    Think of it as a short internal legal memo that you can update at every major release.

    Regulatory perimeter test flowchart for legal-tech serving capital markets
    A simple test helps teams classify risk before product scope drifts.

    The test is deliberately plain. It asks: what service is the product enabling; who is the client; who touches money; who influences
    decisions; who executes; and who controls the communications. If the honest answers point toward advice, arranging/execution, custody-like
    flows, or public offer facilitation, then the product should be structured around a licensed entity either by obtaining the relevant
    permissions or by partnering with a licensed intermediary and allocating responsibilities clearly.

    Designing for compliance: standards that travel across jurisdictions

    Legal-tech teams operating internationally need principles that work across regimes even where definitions differ. The following
    standards tend to be robust:

    Build vs partner vs avoid matrix for licensing-sensitive product features
    A product decision matrix keeps commercial teams, engineers, and compliance aligned.

    First, keep regulated functions with the licensed entity where required. Second, build systems that generate evidence: approvals,
    versioning, acknowledgements, exception handling, and user action logs. Third, ensure that governance is not merely documented,
    but operational meaning there are named owners, review points, and the ability to demonstrate what happened in a specific investor journey.

    The strategic benefit is commercial as much as legal. Strong evidence and clearly bounded operating models reduce friction in procurement,
    accelerate partner onboarding, and make regulatory discussions more orderly.

    A realistic scenario: when “crowdfunding software” becomes a regulated service

    Consider a platform built initially to support issuers with document workflows: issuer onboarding, disclosure templates, and investor
    acknowledgements. The tool performs well and demand grows. Then the roadmap adds convenience features: investor “matching,” automated
    eligibility approval, and in-platform collection of funds “to simplify settlement.”

    Each feature looks incremental. Collectively, the platform may now resemble the machinery of a public offer and transaction facilitation.
    At that point, the perimeter question becomes unavoidable: is the platform merely enabling a licensed intermediary, or is it effectively
    arranging participation, influencing investment decisions, and controlling flows that look custody-adjacent?

    The fix is usually not a full rebuild. It is a structural decision: allocate regulated steps to a licensed partner (or obtain the
    necessary permissions), revise workflows to ensure meaningful oversight, and strengthen disclosures and records so the investor journey
    is defensible.

    Governance and documentation: what sophisticated partners will ask for

    Intermediaries, institutional partners, and sophisticated clients increasingly require evidence of regulatory thinking. A premium posture
    is to maintain a living file that includes: a perimeter memo, a feature risk register, an operating model diagram, vendor allocations,
    and a compliance evidence map (what logs exist, who reviews them, and how exceptions are handled).

    This is where legal-tech has an advantage. Unlike traditional paper processes, well-designed systems can produce reliable logs and
    demonstrate accountability. The goal is not to generate paperwork; it is to make compliance auditable.

    How MN Legal helps

    Perimeter advice, partner models, and defensible product workflows

    MN Legal advises legal-tech founders and capital markets intermediaries on regulatory perimeter mapping, licensing and partnering
    structures, disclosure and onboarding workflow design, and the contractual allocation of responsibilities between platforms and
    licensed entities. Where appropriate, we also support incident readiness and records strategy so your compliance posture is
    evidenced not assumed.

    Make an enquiry

    External reference points that inform global standards include
    IOSCO (securities regulation principles),
    FATF (AML/KYC expectations),
    and market regulators such as
    ESMA and the
    FCA.

    FAQ

    Does every investment or crowdfunding tool require licensing?

    No. Many tools remain outside the perimeter when they are genuinely internal compliance or recordkeeping infrastructure for a licensed
    intermediary. Risk depends on function and control particularly advice, arranging/execution, custody-like flows, and public communications.

    What features most often create licensing pressure?

    Personalised recommendations, investor matching/placement functions, order routing or execution logic, custody-adjacent payment flows,
    and public offer communications without robust controls.

    How should international legal-tech teams manage multi-jurisdiction uncertainty?

    Start with consistent standards: a perimeter memo, a feature risk register, a partner model where regulated steps are performed by
    licensed entities, and strong evidence (audit trails, disclosure versioning, acknowledgements, exception workflows).

    Disclaimer: This article is general information and not legal advice. Licensing requirements vary by jurisdiction and facts. For advice on your specific model, contact MN Legal.

  • AI Vendor Contracts: Key Clauses to Demand in 2026

    AI Vendor Contracts: Key Clauses to Demand in 2026

    A practical guide to negotiating AI vendor terms: data use, training limits, security, audit rights, and liability, without slowing procurement.

    AI adoption is now routine. What is not routine is how most organisations buy AI. Many businesses still procure AI tools like ordinary software: click accept, sign an order form, and move on. In 2026, that approach creates avoidable risk. AI changes the procurement risk surface: data may be reused in unexpected ways, outputs may affect customers and employees, and models can change after signature.

    Practical rule: AI risk starts before the first prompt, inside your contract.

    AI vendor contract negotiation: why contracts are where privacy, security, IP, and liability become enforceable
    Contracts are where privacy, security, IP, and liability become enforceable.

    Contents

    1. What changed in 2026 and why AI contracts matter more
    2. The AI procurement risk map
    3. The 12 clauses to demand
    4. Case example: AI support tool adoption
    5. Common mistakes companies make
    6. 30-minute contract review checklist
    7. 30-day implementation plan
    8. FAQ

    1. What Changed in 2026 and Why AI Vendor Contracts Matter More

    Three shifts make AI contracts materially different from standard SaaS procurement:

    • AI is embedded into core operations. Support, marketing, finance, HR, fraud, and analytics workflows increasingly depend on AI features.
    • Models update continuously. What you buy today can change next month, affecting accuracy, cost, and risk.
    • Evidence expectations have increased. Partners and enterprise customers now ask for vendor terms, security posture, and governance controls as part of due diligence.

    Helpful global references include the NIST AI Risk Management Framework and the NIST Privacy Framework.

    2. The AI Procurement Risk Map: What You Are Really Buying

    Before negotiating clauses, align internally on what the tool actually does. Most procurement surprises happen because teams do not map data and decision pathways before signing.

    AI procurement risk map: inputs, processing, outputs, storage, transfers, third parties, and decision pathways
    Map inputs, processing, outputs, storage, transfers, third parties, and who relies on AI decisions before you sign.

    Questions Your Team Should Answer Before Signing

    • Inputs: What data goes in: customer tickets, IDs, HR data, financial data, call recordings?
    • Outputs: What comes out: recommendations, replies, scores, summaries?
    • Training: Does the vendor train on your content by default?
    • Location: Where is data stored and processed? Are there cross-border processing concerns?
    • Third parties: Which sub-processors or model providers are involved?
    • Change control: Can the vendor materially change the model or terms without notice?

    3. The 12 AI Vendor Contract Clauses to Demand in 2026

    12 essential AI vendor contract clauses for 2026: data use, training, security, sub-processors, audit rights, liability
    A practical clause set that aligns AI procurement with privacy, security, and business risk.

    1) Data Use Restrictions

    Limit processing strictly to service delivery. Avoid broad “business purposes” language that could expose your data to reuse you did not intend.

    2) Training and Improvement: Opt-In, Not Default

    Require an explicit opt-in before your data, prompts, or outputs are used to train or improve models. Without this, your confidential information could become part of a vendor’s training dataset.

    3) Retention, Deletion, and Exit Obligations

    Define retention periods, deletion timelines, and how deletion is confirmed after termination. Ensure you have audit rights to verify compliance.

    4) Confidentiality Covering Prompts, Outputs, and Derived Data

    Prompts can contain trade secrets and personal data. Outputs can create sensitive derivatives. Your contract must cover both explicitly.

    5) Security Controls That Are Specific, Not Vague

    Anchor security to concrete commitments: encryption standards, access controls, logging, and vulnerability management. Demand specifics, not general assurances.

    6) Sub-Processor Controls and Change Notifications

    Get an up-to-date sub-processor list, notice periods for changes, and a right to object where risk is high. Ensure flow-down obligations are in place.

    7) Incident and Breach Notification Timelines

    Define notice timelines and cooperation obligations so you can meet your own regulatory and client requirements after an incident.

    8) Audit Rights and Reporting

    Where full audits are not feasible, require structured alternatives: SOC2 or ISO reports, penetration test summaries, and security questionnaires. You need real visibility, not just promises.

    9) Change Control for Material Model Updates

    Require notice of material changes, transparency on impact, and exit or rollback rights where risk or performance materially changes. The model you signed up for may not be the one you are using next month.

    10) IP and Output Rights

    Clarify your rights to use outputs commercially, address restrictions, and ensure your inputs remain your property. Do not assume ownership without a clear contractual basis.

    11) Warranties and Disclaimers

    For critical use cases, avoid accepting “as-is” terms without meaningful commitments on security, performance, or compliance. Negotiate warranties that match your actual risk profile.

    12) Liability Allocation That Matches Risk

    Liability caps and exclusions should reflect the sensitivity of data processed and the impact of the use case. Consider tailored indemnities where appropriate.

    For broader governance guidance, see the EDPB and UK ICO.

    4. Case Example: SME Adopts an AI Support Tool

    A growing services company implements an AI support assistant integrated into its helpdesk. Staff begin pasting screenshots into the tool to speed up ticket resolution. Those screenshots include customer IDs, account details, and internal notes.

    A customer subsequently complains after receiving a response that reveals information that should not have been shared. No security breach occurred. The business now faces a confidentiality issue, a data protection question about what data was processed and under what terms, and commercial risk as clients begin asking for vendor due diligence evidence.

    The first document everyone opens is the vendor agreement. What it says about data use, retention, training, security, incident notice, and cooperation determines how fast and how effectively the business can respond.

    5. Common Mistakes Companies Make in AI Procurement

    • Shadow procurement. Teams buy AI tools without legal or security review, so risk accumulates unnoticed.
    • No AI use register. The business cannot state what AI tools are in use or what data they process.
    • Assuming terms are non-negotiable. Many vendors negotiate, especially for business plans. Always ask.
    • Ignoring cross-border processing. The tool stack is often global by default, creating transfer obligations that go unaddressed.
    • Relying on staff care alone. Without clear policy, training, and technical restrictions, sensitive data will be entered into external tools.

    6. 30-Minute AI Vendor Contract Review Checklist

    30-minute AI vendor contract review checklist: data use, security, change control, sub-processors, and liability
    Use this checklist to triage AI vendor terms before signature.

    MN Legal supports organisations reviewing and negotiating AI vendor contracts and DPAs, mapping cross-border and vendor risk, drafting AI usage policies and governance frameworks, and advising on incident readiness where AI touches personal or confidential data.

    Make an enquiry  |  Explore Practice Areas

    7. What Businesses Should Do Next: 30-Day Plan

    Week 1: Inventory and Ownership

    • Create an AI use register: tool, owner, purpose, data types, vendor, and risk rating.
    • Flag high-risk uses such as customer decisions, HR screening, and sensitive data processing.

    Week 2: Procurement Controls

    • Set a minimum contract standard covering DPA, security, change control, and incident notice.
    • Define when legal and security sign-off is mandatory before a tool is adopted.

    Week 3: Contract Cleanup

    • Negotiate high-risk vendor terms or implement a contractual addendum.
    • Document cross-border processing and sub-processors for critical tools.

    Week 4: Training and Operational Rules

    • Train teams on what data cannot be entered into external AI tools.
    • Implement a practical escalation process for AI incidents such as harmful outputs or data exposure.

    Frequently Asked Questions

    Are AI vendor terms negotiable?

    Often yes, especially for business and enterprise tiers. Where standard terms apply, use addenda to address data use, security, incident notice, audit rights, and change control.

    Do we need a DPA when buying AI tools?

    If the vendor processes personal data on your behalf, you typically need data processing terms covering purpose, security, sub-processors, international transfers, and deletion obligations.

    What if the vendor changes the AI model after we sign?

    Include a change control clause requiring notice of material changes, transparency on impact, and rights to pause, roll back, or terminate if risk or performance materially changes.

    What is the biggest contractual risk in AI procurement?

    Unrestricted data use including training on your content, unclear retention and deletion obligations, weak incident notification requirements, and liability caps that do not match the sensitivity of data or the use case.

    How can MN Legal help with AI vendor contracts?

    MN Legal helps businesses implement practical procurement controls and defensible vendor terms for AI tools, aligned with privacy, security, and commercial realities. If you are procuring AI tools this quarter, a scoped contract and risk review can prevent expensive rework later.

    Disclaimer: This article is for general information only and does not constitute legal advice. Requirements vary by jurisdiction and specific facts. For advice on your organisation’s situation, contact MN Legal.

  • The Privacy Evidence Pack: What to Build, Measure, and Show in 2026

    The Privacy Evidence Pack: What to Build, Measure, and Show in 2026

    Updated guidance for organisations on building a defensible data protection record: what to document, what to measure, and what to show regulators, partners, and customers.

    In 2026, data protection compliance is no longer judged by what your privacy policy says. It is judged by what you can prove on demand: decisions, controls, logs, contracts, and records. Organisations that cannot produce a credible privacy evidence pack quickly will struggle under regulator questions, enterprise procurement scrutiny, or post-incident review.

    Bottom line: Build a privacy evidence pack that lets you answer due diligence and audit questions fast, without scrambling across email threads and spreadsheets.

    Contents

    1. What a privacy evidence pack is and why it matters in 2026
    2. The 10 privacy artifacts every organisation should have
    3. Cross-border data transfers: document it in 5 steps
    4. AI and privacy: 7 controls for teams using AI tools
    5. How to run privacy as a system: cadence and KPIs
    6. FAQ

    1. What a Privacy Evidence Pack Is and Why It Matters in 2026

    A privacy evidence pack is the set of materials that demonstrate how your organisation manages personal data in practice, not just in policy. It is what makes data protection auditable and defensible internally (board oversight), externally (partners and enterprise customers), and regulator-facing (when questions arise).

    This matters globally because privacy regimes differ in their details but converge on a shared expectation: accountability, transparency, and demonstrable controls. Whether you are subject to Kenya’s Data Protection Act, the GDPR, or equivalent frameworks, the evidence standard is broadly the same.

    2. The 10 Privacy Artifacts Every Organisation Should Have (2026)

    If you want a documentation standard that travels well across jurisdictions, focus on artifacts that satisfy multiple regulatory frameworks simultaneously. These ten items form a practical baseline for any organisation handling personal data.

    Privacy evidence pack checklist 2026: 10 essential data protection artifacts for organisations
    Use this as your internal index: each missing item is a documented gap to close before an audit or due diligence request.

    What “Good” Looks Like Across All 10 Artifacts

    • Owned: each artifact has a named owner and a defined review cadence.
    • Current: updated whenever vendors, products, or data flows change.
    • Provable: you can show records and decisions, not just policy statements.

    3. Cross-Border Data Transfers: Document It in 5 Steps

    Most organisations transfer personal data across borders without recognising it as a transfer. Cloud hosting, CRMs, helpdesks, analytics platforms, marketing tools, and AI vendors can all create cross-border data flows that require documentation and appropriate safeguards.

    Cross-border data transfer documentation framework: five-step approach for privacy compliance
    A practical five-step method to map and document cross-border data flows without overcomplicating the process.

    Practical Tip

    Start with your top ten vendors ranked by data sensitivity and volume. Do not attempt to perfect the entire map at once. Get a defensible baseline documented first, then iterate as you onboard new tools or expand into new markets.

    4. AI and Privacy: 7 Controls for Teams Using AI Tools

    In 2026, many organisations face a data protection risk that did not exist at the same scale a few years ago: everyday data leakage into AI tools through prompts, file uploads, meeting notes, transcripts, and customer tickets. AI adoption also increases vendor complexity and creates new cross-border transfer obligations.

    AI and data protection: seven privacy controls for organisations using AI tools in 2026
    These AI privacy controls are designed to be genuinely adoptable by operational teams and designed to be used, not written and ignored.

    Minimum Documentation for AI Use

    • AI use register: tool name, purpose, owner, data input types, and risk classification.
    • Data entry restrictions: a clear record of what categories of data cannot be entered into external AI tools.
    • Vendor controls: data retention terms, training-use clauses, incident notification obligations, and sub-processor lists.

    5. How to Run Privacy as a System: Cadence and KPIs

    Monthly Review

    • Vendor changes and newly adopted tools, especially AI tools.
    • New processing activities arising from product or service changes.
    • Open data subject rights requests and incident log review.

    Quarterly Review

    • High-risk processing review: DPIAs and PIAs for new or changed activities.
    • Cross-border transfer review for top vendors.
    • Board and leadership privacy report covering risks, incidents, and remediation status.

    KPIs That Are Practical to Track

    • Average time to complete data subject rights requests.
    • Percentage of critical vendors with signed DPAs and documented transfer safeguards.
    • Time-to-triage for incidents and time-to-close for remediation actions.
    • Percentage of teams trained and completion rate of AI-use controls.

    Need This Implemented in Your Organisation?

    MN Legal supports privacy evidence-pack readiness, vendor and cross-border transfer contracting, AI governance controls, and breach readiness so your organisation can demonstrate compliance efficiently when it matters most.

    Make an enquiry  |  Explore Practice Areas

    Key References

    Frequently Asked Questions

    What is a privacy evidence pack?

    A privacy evidence pack is the set of documents, logs, and records that prove how your organisation manages personal data in practice, going beyond policy statements alone. It typically includes your processing register, DPIAs, vendor DPAs, incident log, data subject rights log, retention schedule, and staff training records.

    Does our organisation need a DPIA?

    A DPIA is most valuable when processing is likely to create high risk for individuals. For example, large-scale processing of sensitive data, profiling, automated decision-making, or the use of new technologies. It is also strong evidence that you assessed risks and implemented appropriate controls before processing began.

    How should we handle cross-border data transfers in 2026?

    Map your transfers by system, vendor, and destination country. Identify the legal mechanism and safeguards applicable to each transfer, document your risk assessment, ensure appropriate contractual clauses are in place, and maintain an evidence trail of approvals and periodic reviews.

    What should we do about staff using AI tools with personal data?

    Maintain an AI use register, establish clear restrictions on what data categories may be entered into external tools, implement vendor procurement and contractual controls, require human review for high-impact AI outputs, and keep an audit trail for high-risk use cases.

    What do regulators and procurement teams ask for during due diligence?

    Common requests include your processing register, privacy notices, completed DPIAs, vendor DPAs and transfer documentation, a security measures summary, your incident response plan and incident log, and records of data subject rights requests and staff training completion.

    How can MN Legal help with data protection compliance?

    MN Legal supports privacy programme design and evidence-pack readiness, vendor and cross-border transfer contracting, AI governance controls, and incident readiness so organisations can demonstrate compliance efficiently when facing regulators, partners, or post-incident scrutiny.

    Disclaimer: This article is for general information only and does not constitute legal advice. Requirements vary by jurisdiction and specific facts. For advice on your organisation’s situation, contact MN Legal.

    Download: Privacy Evidence Pack Checklist (2026)

    A one-page index of the 10 artifacts and logs your organisation should be able to produce on demand. Built for international organisations operating across multiple jurisdictions.

    Download PDF Checklist
  • How Kenyan courts scrutinise listed-company transactions

    How Kenyan courts scrutinise listed-company transactions

    Listed-company transactions in Kenya increasingly require an evidence-backed compliance and governance record.

    Kenyan Courts and the Oversight of Transactions Involving Listed Companies

    Updated guidance for boards, sponsors, and advisers on judicial restraint, minority shareholder risk, and defensible process in Kenyan capital markets transactions.

    The judicial oversight of transactions involving publicly listed companies in Kenya is undergoing a quiet but significant shift. For much of Kenya’s corporate law history, courts adopted a posture of restraint intervening only where clear illegality, fraud, or contractual breach was demonstrated. Recent litigation signals a gradual recalibration: Kenyan courts are increasingly willing to scrutinise listed-company transactions where regulatory compliance, minority shareholder protection, and public interest are implicated.

    Key point: Courts may avoid disrupting markets at the interim stage, but listed-company transactions are not immune from judicial scrutiny where credible regulatory or constitutional issues are raised.

    Contents

    1. Context: the courts’ historical restraint
    2. The Diageo–EABL petition as a lens
    3. Interlocutory posture: restraint vs scrutiny
    4. What Kenyan courts are increasingly willing to scrutinise
    5. Minority shareholders and “quasi-public” listed companies
    6. Practical guidance for boards and deal teams
    7. Key references
    8. FAQ

    1. Context: The Courts’ Historical Restraint in Commercial Matters

    Kenyan jurisprudence has long recognised the need for judicial caution in commercial matters. Courts have consistently warned against undue interference with market activity particularly where such interference may disrupt commercial certainty or investor confidence. This principle remains intact.

    The practical logic is straightforward: interim orders can effectively determine a transaction before parties are fully heard, and can create market instability especially where listed securities and dispersed investors are involved.

    2. The Diageo–EABL Petition as a Lens on Capital Markets Oversight

    The petition challenging Diageo Plc’s proposed disposal of its majority shareholding in East African Breweries Limited (EABL) provides a useful lens through which to examine the courts’ emerging role in capital markets oversight in Kenya.

    The impugned transaction concerns the proposed disposal by Diageo Plc of its controlling interest in EABL — a company listed on the Nairobi Securities Exchange (NSE). A petition was lodged seeking, among other reliefs, orders restraining the transaction on grounds of alleged non-compliance with statutory and regulatory requirements governing changes in corporate control of listed companies.

    3. Interlocutory Posture: Judicial Restraint Does Not Equal Abdication

    At the interlocutory stage, the High Court declined to grant prohibitory relief and instead postponed the hearing for further directions. While no determination was made on the merits, the Court’s approach is instructive in understanding contemporary judicial attitudes toward complex commercial transactions involving listed entities.

    By declining to issue immediate restraining orders, the Court reaffirmed the importance of preserving transactional stability pending a full hearing.

    However, restraint does not equate to abdication. The Court’s willingness to entertain the petition and defer the matter for further consideration underscores a clear recognition: transactions involving listed companies are not immune from judicial scrutiny particularly where allegations of regulatory non-compliance or constitutional violations are raised.

    4. What Kenyan Courts Are Increasingly Willing to Scrutinise

    A notable feature of recent litigation is the increasing justiciability of corporate transactions traditionally regarded as private commercial affairs. Kenyan courts have demonstrated readiness to interrogate:

    • Compliance with capital markets and corporate governance regulations
    • Procedural propriety in the obtaining of regulatory approvals
    • Protection of minority shareholder interests
    • Constitutional principles including transparency, accountability, and fair administrative action
    Six triggers that attract judicial scrutiny in Kenyan listed-company transactions
    Common triggers that can attract judicial scrutiny in listed-company transactions in Kenya.

    5. Minority Shareholders and the Quasi-Public Nature of Listed Companies

    The Court’s approach suggests that regulatory compliance is no longer viewed as an exclusively administrative concern it is one capable of judicial evaluation where public interest considerations arise.

    The growing prominence of minority shareholders in litigation involving listed companies marks a significant development in Kenyan corporate law. Courts appear increasingly receptive to arguments that transactions affecting control of listed entities engage broader public and investor interests beyond the contracting parties.

    This trend aligns with constitutional values and the evolving understanding of corporate governance in capital markets, where listed companies occupy a quasi-public position by virtue of their dispersed ownership and market participation.

    6. Practical Guidance for Boards and Deal Teams

    The takeaway for deal teams is not that courts will routinely stop transactions. It is that deal documentation and process should be built to withstand scrutiny if challenged.

    A) Build an Approvals Map Early

    • Document the approvals pathway board, shareholder, and regulator steps where applicable.
    • Maintain a clean record of submissions and key decision points.
    • Align internal authorisations with transaction timelines and disclosure obligations.

    B) Treat Governance Evidence as Deal-Critical

    • Keep board papers and minutes that show rationale, risk consideration, and oversight.
    • Document how conflicts are identified and managed.
    • Maintain a single deal file with supporting evidence — not scattered email threads.

    C) Plan for Minority Shareholder Scrutiny

    • Stress-test fairness and disclosure arguments before announcements are made.
    • Ensure communications are consistent across channels and documents.
    • Anticipate interim applications and prepare a defensible narrative of compliance and process.
    Deal-team checklist for listed-company transactions in Kenya — approvals, governance, disclosure, litigation readiness
    A deal-team checklist to strengthen defensibility and reduce process risk in listed-company transactions.

    Need Deal Counsel on a Listed-Company Transaction in Kenya?

    MN Legal advises on transaction structuring, approvals pathways, governance documentation, and litigation risk management for transactions involving regulated or listed entities in Kenya and across East Africa.

    Make an enquiry  |  Explore Practice Areas

    Key References

    Related MN Legal pages: Practice Areas and Contact.

    Frequently Asked Questions

    Can Kenyan courts stop a transaction involving a listed company?

    Yes, courts can grant interim or final relief in appropriate cases. They generally exercise caution to avoid destabilising markets, but may intervene where credible illegality, regulatory non-compliance, or procedural unfairness is alleged.

    Does regulatory approval prevent court scrutiny of a listed-company transaction?

    Regulatory approval is significant, but it does not automatically insulate a transaction from challenge — especially where constitutional principles or procedural fairness issues are raised.

    Why are minority shareholders increasingly relevant in listed-company disputes in Kenya?

    Listed companies have dispersed ownership and broad public participation. Kenyan courts may treat certain control-related transactions as implicating wider investor and market integrity concerns beyond the contracting parties.

    What documentation reduces litigation risk in listed-company transactions?

    A defensible approvals map, clear board papers and minutes, consistent disclosures, and a complete record of compliance steps and key decisions are often critical to withstanding challenge.

    What is the biggest interim-stage risk for deal teams in Kenya?

    Interim applications that delay closing or disrupt markets. Strong process evidence and consistency in disclosure reduce vulnerability to urgent injunctive relief at the interlocutory stage.

    When should legal counsel be engaged on a listed-company transaction in Kenya?

    Early during structuring and approvals planning. Early involvement improves process quality, reduces rework, and strengthens the defensibility of the transaction record.

    Disclaimer: This case comment is provided for academic and professional discussion only and does not constitute legal advice.