MNL ADVOCATES LLP (MN LEGAL)

Banking & Finance

Banking & Finance

  • Finance Bill 2026: KRA’s New Data Powers and What Founders Must Know | MNL Advocates LLP

    Finance Bill 2026: KRA’s New Data Powers and What Founders Must Know | MNL Advocates LLP

    When the Taxman Becomes the Data Collector: KRA’s New Powers Under Finance Bill 2026 and What Founders Must Know

    Quick Summary: The Finance Bill 2026, published on 5 May 2026 and tabled before the National Assembly, proposes a new Section 18A into the Tax Procedures Act. The provision empowers the Kenya Revenue Authority Commissioner to issue tax assessments using secondary data including eTIMS records, withholding tax declarations, and whistleblower reports. This creates a direct collision with the Data Protection Act 2019 and raises constitutional questions under Articles 24, 27, 31, and 47 of the Constitution of Kenya. Founders and business operators need to act now.

    Every year, Kenya’s Finance Bill arrives with new proposals. Every year, businesses brace. Most founders read the headline changes, note the new rates, and move on. Finance Bill 2026, published on 5 May 2026 and formally tabled before the National Assembly, deserves considerably more attention than that.

    Buried within its proposed amendments to the Tax Procedures Act is a provision that fundamentally changes the relationship between the Kenya Revenue Authority, your business data, and the law enacted specifically to protect it.

    The provision is proposed Section 18A. It would empower the KRA Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly, using secondary data. The data sources the Bill authorises are broad: withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and any information obtained under other written laws. KRA would have up to five years to issue assessments arising from such determinations.

    This is not a routine tax measure. It is a structural realignment of how the state can access, interpret, and act on your personal and business information, without necessarily asking you first.

    The Finance Bill 2026 matters to every founder running transactions through eTIMS, every fintech operator filing withholding tax records, every digital asset platform with user data sitting in third-party systems, and every business operator whose tax position could be assessed by a regulator who has access to data you have never personally disclosed to KRA.

    Understanding what the Bill proposes, where it conflicts with existing law, and what you should do right now is not optional. It is operational necessity.

    What Section 18A of the Finance Bill 2026 Actually Proposes

    The plain-language version of Section 18A is this: the KRA Commissioner gains the power to form a view that you have engaged in a tax avoidance scheme, and to assess your tax liability on that basis, using data that was collected by other parties for other purposes.

    The secondary data sources the Bill lists are not hypothetical. They are systems already in operation. eTIMS records reflect every transaction your business has processed through the electronic tax invoice management system. Withholding tax declarations carry financial information filed by your counterparties. Employer tax filings show your payroll obligations. Whistleblower reports can come from anyone. Third-party information can originate from financial institutions, other government agencies, or individuals with no direct relationship to your business. KRA audit findings from entirely separate investigations are included.

    The five-year assessment window means that KRA can revisit your tax position for up to five years after identifying a suspected avoidance scheme, using data aggregated across that entire period.

    Two parallel provisions compound the picture. The Bill introduces mandatory annual information returns for virtual asset service providers, requiring them to file detailed user and transaction data with KRA. It also proposes expanded royalty definitions that capture digital payment platforms, card schemes, and switching systems, widening the net of entities under heightened reporting obligations.

    The government frames all of this as modernising Kenya’s tax administration, aligning with global digital enforcement trends, and closing longstanding revenue leakages. That framing is not entirely without foundation. But the mechanism chosen to achieve those objectives raises serious legal questions that no founder operating in Kenya should ignore.

    Data SourceOriginal PurposeProposed New Use Under Section 18A
    eTIMS transaction recordsInvoice compliance and VAT trackingEvidence of tax avoidance schemes
    Withholding tax declarationsThird-party tax deduction reportingSecondary data for income assessments
    Employer tax filingsPAYE and payroll complianceCross-referencing business income positions
    Whistleblower reportsVoluntary information from informantsEvidentiary basis for avoidance determination
    Third-party informationVarious, including financial institutionsSupporting data for assessments
    KRA audit findingsConclusions from separate audit processesCross-use in new avoidance determinations

    Not sure how these provisions affect your specific business? Speak with MNL’s compliance team.

    Finance Bill 2026 Kenya tax documents being reviewed and annotated at a legal desk
    Section 18A of the Finance Bill 2026 proposes to allow KRA to issue tax assessments using secondary data collected by third parties for entirely different purposes.

    Where Finance Bill 2026 Collides with Kenya’s Data Protection Framework

    Kenya’s Data Protection Act 2019 is not aspirational. It is operational, enforceable, and backed by the Office of the Data Protection Commissioner, which has demonstrated a willingness to act. The Act gives effect to Articles 31(c) and 31(d) of the Constitution. It applies to every entity that collects and processes personal data, including financial data, and it applies to government bodies as much as it applies to private ones.

    The proposed KRA framework under Section 18A cuts against four of the DPA’s core principles.

    Purpose Limitation

    Data collected for one purpose cannot be repurposed for another without a fresh lawful basis. When a supplier’s withholding tax data, visible on iTax for payroll compliance purposes, is used to compute an entirely separate tax liability under a suspected avoidance scheme, the purpose for which that data was originally collected has been exceeded. The DPA does not permit this without explicit authority and proportionality.

    Transparency

    Data subjects have the right to know who is accessing their information and why. When whistleblower reports, whose sources a taxpayer may never be permitted to know, form the evidentiary basis of a tax assessment, the transparency requirement has been circumvented. The taxpayer has no visibility into the origin, accuracy, or context of the information driving the assessment against them.

    Automated Processing and Profiling

    The DPA provides that individuals have the right not to be subjected to decisions made solely through automated processing, including profiling. When eTIMS transaction records are fed into KRA’s digital systems to profile business behaviour and generate assessments, this prohibition is directly engaged. KRA has not published the technical architecture of how these assessments will be generated. The absence of that disclosure is itself a transparency problem.

    Data Accuracy

    As EY Associate Director Rachel Njuguna noted in published commentary on the Bill, the risk is concrete: data held by third parties may not accurately reflect a taxpayer’s actual tax position. The proposed framework offers no mechanism for a taxpayer to verify or challenge the accuracy of the source data before an assessment is issued. The burden of disproving an assessment derived from potentially inaccurate data falls on the taxpayer after the fact.

    KRA Proposed PowerConflicting DPA 2019 Protection
    Use eTIMS data to determine tax avoidancePurpose limitation: data must be used only for the purpose collected
    Use whistleblower reports without source disclosureTransparency: data subjects must know who accesses their data and why
    Profile business behaviour through transaction dataRight not to be subject to automated processing with legal effects
    Issue assessments before taxpayer can review source dataRight to challenge inaccurate personal data before legal consequences arise
    Proposed KRA exemption from DPA accuracy obligationsDPA requires all data controllers to maintain accurate, current data

    The Constitutional Dimension

    Kenya’s Constitution is explicit. Article 31 guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed. Any law that limits this right must satisfy Article 24, which requires that the limitation be reasonable and justifiable in an open and democratic society, and that it be proportionate to the objective being pursued.

    Civil society organisations, including Amnesty International Kenya and ARTICLE 19 Eastern Africa, have assessed the proposed expansion of KRA’s data powers directly. Their conclusion is unequivocal: the provision does not meet the Article 24 threshold. The limitation goes beyond what is necessary to achieve the stated objective of closing tax revenue leakages. Less intrusive enforcement mechanisms already exist and are in active use.

    The due process concern is compounded by the proposed exemption of KRA from certain DPA accountability obligations. If the Bill is enacted as drafted, KRA would face reduced obligations to ensure that the data it uses is accurate, to maintain clear data retention policies, and to give taxpayers meaningful visibility into how their information is being used. For a framework that will determine tax liabilities, with direct legal and financial consequences for individuals and businesses, that is a significant gap.

    Article 47, the right to fair administrative action, reinforces the concern. Where an administrative decision is likely to adversely affect a person, that person is entitled to written reasons and an opportunity to be heard. An assessment issued on the basis of third-party secondary data, without prior disclosure of that data to the taxpayer, raises serious questions about compliance with Article 47 obligations.

    This Pattern Is Not New

    Finance Bill 2026 is not the first time this boundary has been tested, and understanding the pattern matters for how you position your business going forward.

    Finance Bill 2025 contained a provision seeking to repeal Section 59A(1B) of the Tax Procedures Act, a statutory safeguard that then prohibited KRA from compelling taxpayers to disclose personal data or trade secrets obtained during business operations. That proposal drew fierce opposition from the Law Society of Kenya, KPMG East Africa, and Ernst and Young. KRA’s Commissioner General subsequently committed, before the Departmental Committee on Finance and Economic Planning, to work with the Office of the Data Protection Commissioner on a Data Minimisation Strategy under the 9th Corporate Plan.

    Finance Bill 2026 returns to the same contested territory. The mechanism is different but the practical effect is the same: expanding KRA’s reach to data that the existing legal framework was not designed to accommodate without additional safeguards.

    The policy direction is now clear across successive Finance Bills. Kenya is moving toward a data-driven tax enforcement model. Whether Parliament enacts or moderates these specific provisions, the trajectory will not reverse. Businesses need to be positioned for a compliance environment where the state has broader access to financial data than it has had at any previous point, where assessments can be generated from aggregated secondary sources, and where the burden of proving inaccuracy may rest with the taxpayer.

    Preparation now costs far less than litigation later. That is not a theoretical observation. It is the consistent finding of every business that has waited for enforcement pressure before addressing its compliance posture.

    Five Things Founders and Business Operators Should Do Right Now

    This is about operational readiness, not legal panic. The Bill has not passed. You have time to act intelligently. Here is where to start.

    1. Audit Your Digital Data Footprint

    Every transaction processed through eTIMS, every withholding tax record filed against your PIN, and every employer filing associated with your payroll is already visible within KRA’s digital systems. Under the proposed framework, this data can be aggregated, cross-referenced, and used to assess your tax position without a prior audit flag. Accuracy in your digital records is no longer merely good practice. It is your first line of defence. Reconcile your eTIMS records against your own books now, before any assessment process begins.

    2. Know Your Rights as a Data Subject

    Even before these amendments are enacted, the Data Protection Act 2019 gives you rights that apply today. You can request to know what personal data KRA holds on you. You can challenge inaccuracies in that data. You have the right to be informed about automated processing that produces legal effects. These rights exist under current law, and exercising them proactively creates a documented record that is valuable if an assessment dispute arises. Understand your Data Protection Act 2019 obligations and the corresponding rights they give you.

    3. Engage the Public Participation Process

    Finance Bill 2026 is at the public participation stage before the National Assembly. This is a formal legal opportunity to submit memoranda, appear before the committee, or support industry associations presenting evidence-based objections. Bowmans and other firms have already made public submissions on specific provisions. The window is open. Founders with direct knowledge of how data-driven tax assessments would affect their operating models have information the committee needs and does not yet have from affected parties at scale.

    4. Assess Your Obligations If You Operate in Fintech or Digital Assets

    Virtual asset service providers and digital payment platforms face the most immediate and specific new obligations under the Bill. If your business falls within those categories, the question of what data you will be required to file, when, and under what governance framework requires legal advice now, before enactment. The fintech reporting compliance Kenya landscape is changing materially with this Bill, and the obligations are not minor.

    5. Document Your Internal Data Governance

    If your data is going to be used in an assessment against you, the best protection is records that speak for themselves. Clear internal policies on data retention, transaction documentation, and reconciliation processes that can withstand external scrutiny are not just compliance infrastructure. They are your evidentiary foundation in any dispute. Building strong corporate data governance in Kenya now converts a future risk into a managed position.

    Not sure how Finance Bill 2026 affects your specific business model? Our Team can walk you through the risk exposure and what documentation you need in place before this Bill passes. Book a compliance review with MNL.

    The Window to Act Is Open

    Finance Bill 2026 does not exist in a regulatory vacuum. Kenya has a Data Protection Act. It has a functioning Office of the Data Protection Commissioner. It has a Constitution with an enforceable bill of rights. None of these are suspended by a Finance Bill.

    The legal question Parliament must answer before enacting Section 18A is not whether tax enforcement matters. It plainly does. The question is whether this particular mechanism, with its current absence of taxpayer safeguards, data accuracy obligations, and transparency requirements, is the proportionate and lawful means of achieving that objective.

    For businesses, the practical question is narrower but no less urgent: are you operationally prepared for a tax environment where secondary data can drive assessments, where the burden of proving inaccuracy may fall on you, and where the data generating those assessments may be held by parties you have never directly dealt with?

    The Bill is before the National Assembly. The public participation window is open. Your records are either accurate and documented or they are not. Your data rights are either understood and exercised or they are not. The cost of getting ahead of this is low. The cost of responding to an assessment after the fact is not.

    Ready to understand exactly how Finance Bill 2026 affects your business?
    MNL Advocates LLP advises clients across fintech, technology, and commercial law on regulatory compliance, data protection, and tax matters in Kenya and across East Africa.
    Initiate a Confidential Consultation with MNL.

    Frequently Asked Questions: Finance Bill 2026 and KRA Data Powers

    What does Section 18A of the Finance Bill 2026 allow KRA to do?

    Section 18A proposes to empower the Kenya Revenue Authority Commissioner to determine whether a person has entered into or carried out a tax avoidance scheme and to issue tax assessments accordingly using secondary data. The authorised sources include withholding tax declarations, employer tax filings, eTIMS transaction records, whistleblower reports, third-party information, KRA audit findings, and information obtained under other written laws. KRA would have up to five years to issue assessments arising from such

  • Mauritius – An Emerging Hub for Fintech & Payment Solutions in Africa

    Mauritius – An Emerging Hub for Fintech & Payment Solutions in Africa

    Mauritius – An Emerging Hub for Fintech & Payment Solutions in Africa

    In the past decade, Mauritius has emerged as a strategic location for a variety of financial services in Africa. Under the guidance of the Mauritius Financial Services Commission (FSC), a robust framework now exists for the regulation of derivatives activities, payment & banking services, as well as digital asset / virtual currency projects. 

    Payment Services for Africa & The Globe

    Starting off with payment services, Mauritius offers two distinct licenses: Payment Intermediary Services (PIS) and Payment Service Provider (PSP). There are major differences between these licenses which are worth delving into greater detail. 

    The major distinction between the PIS and PSP license is that the former is overseen by the Mauritius FSC while the Bank of Mauritius issues all PSP licenses. From our professional experience, the PIS license is more attractive due to lower capital requirements (2,000,000 MUR), a speedier license approval period as well as lower substance requirements. Furthermore, the PIS license is a better fit for cross-border payment services with the PSP license being issued primarily for local business in Mauritius itself. Finally, the Payment Intermediary Services license focuses primarily on card issuance services. Experience has shown that higher demand exists for card and mobile payment services throughout Africa, making the PIS license a better fit for the majority of new payment projects.  

    Derivatives & Virtual Currency

    Moving on to exchange traded products, Mauritius has two distinct regulatory paths for brokers and digital asset providers / crypto exchanges. On the brokerage side, the FSC has a unique license class for brokerage services, known as an Investment Dealer. This license allows one to offer brokerage services in derivatives, stocks, and futures which can be used to target a global audience. An additional benefit of the Investment Dealer license is the underwriting permission. By upgrading the Investment Dealer license to this permission set, licensed brokerage firms in Mauritius will have the ability to initiate stock listings on the Mauritius public stock exchange. 

    In addition to derivatives regulation, Mauritius also for the establishment of fully regulated digital asset firms. VAITOS 2021, which is the regulatory framework for crypto licensing in Mauritius, sets the standard for Virtual Asset Service Provider (VASP) regulation. Licensed activities include: exchange permissions, wallet services, custodian of tokens, and exchange services. 

    Investment Banking Activities

    Finally, the Mauritius FSC also provides a clear pathway for the establishment of an Investment Banking license. A key advantage is flexibility as a variety of financial activities are permitted under this license. Examples of permitted activities include: merger & acquisition advisory, asset management, securities dealing, the underwriting of securities, as well as corporate finance. It is important to highlight that receiving deposits and other types of banking activities do require separate authorisation from the Bank of Mauritius, making a clear distinction between investment and commercial banking activities. 

    In addition to this level of flexibility, Mauritius offers two major incentives to firms looking to establish a presence on the island. First, Mauritius currently has 46 Double Tax Agreements with a variety of countries around the world, examples include China, South Africa, UK and France. Additionally, any new investment bank will enjoy a 5 year tax holiday from the standard 15% corporate tax rate. 

    Discover the Benefits of Mauritius Regulation Today!

    As interest in mobile payment services and digital assets continues to grow throughout Africa and the world, Mauritius will remain the ideal jurisdiction for the quick and efficient regulation of these emerging financial services. We hope this brief overview was useful in providing a basic introduction to Mauritius.

    For many businesses, it strikes the right balance between innovation and compliance.

    At MNL Advocates LLP, we work closely with fintech companies, financial institutions, and investors to navigate complex regulatory landscapes across Africa and offshore jurisdictions such as Mauritius.

    Our support includes:

    • Advising on the most suitable licensing structures (PIS, PSP, VASP, Investment Dealer, Investment Banking)
    • Managing end-to-end license applications and regulatory engagement
    • Structuring cross-border operations and corporate entities
    • Drafting compliance frameworks and internal policies
    • Providing ongoing legal and regulatory support
    • Acquisition of a fully licensed Investment Dealer or VASP firm.

    Whether you are launching a fintech startup or expanding an existing operation, our team is well-positioned to guide you through every stage of the process.

    Have questions or exploring Mauritius as your next hub? Get in touch with MNL ADVOCATES LLP to start the conversation.

  • Guide to Licensing Payments in Kenya: A Strategic Approach

    Guide to Licensing Payments in Kenya: A Strategic Approach

    PSP and e-money pathways, VASP developments, and compliance as a commercial asset for fintechs operating in Kenya.

    Kenya’s payments market is often described in the language of speed: faster checkout, instant transfers, real-time settlement, embedded finance. That narrative is accurate but incomplete. Payments innovation at scale is not only a product story. It is a regulatory perimeter story, and increasingly a governance and resilience story.

    When a business operates in payments in Kenya, whether through a gateway, a digital wallet, merchant acquiring, or a platform layered onto mobile money rails, the question that matters is not simply whether the product works. It is whether the product is operating inside a licensing framework that regulators, counterparties, and sophisticated customers can recognise as safe.

    Key insight: Licensing is not merely an approval step. It is an operating standard testing capital, governance, AML/CFT readiness, cybersecurity, reporting capability, and data governance.

    Contents

    1. The core shift: licensing as operational readiness
    2. Who regulates payment services in Kenya
    3. The payments licensing perimeter
    4. PSP licensing pathways: why “PSP” is not one licence
    5. Virtual assets: what the VASP Act signals
    6. When payments drifts into banking-style regulation
    7. Compliance as a commercial asset
    8. Timelines and capital: planning realistically
    9. FAQ

    1. The Core Shift: Licensing as Operational Readiness

    Early-stage teams sometimes treat licensing as a binary hurdle: licensed or not licensed. In practice, regulators treat licensing as a continuous assurance framework. It requires firms to demonstrate, before launch and throughout operations, that they can manage financial risk, conduct and consumer risk, financial crime risk, technology and operational risk, and data governance.

    This changes how founders should plan. If licensing is treated as a late-stage filing exercise, it often collides with reality: incomplete governance, unclear control ownership, weak documentation, and vendor arrangements that do not match the regulatory story the firm wants to tell.

    2. Who Regulates Payment Services in Kenya

    For most payment service providers and payment systems, the Central Bank of Kenya (CBK) is the anchor regulator under the National Payment System framework. CBK’s focus is pragmatic: safeguarding the integrity and stability of the payment ecosystem and protecting users.

    Depending on the business model, other authorities may also be relevant:

    • Capital Markets Authority (CMA) where virtual assets or investment-adjacent features appear.
    • Communications Authority where telecom rails or authorisations are integral to the model.
    • Financial Reporting Centre (FRC) for AML/CFT reporting obligations.
    • Office of the Data Protection Commissioner (ODPC) for data protection compliance.
    • Kenya Revenue Authority (KRA) for tax compliance.

    3. The Payments Licensing Perimeter: Substance Over Labels

    The fastest way to understand licensing is to describe the product functionally rather than in marketing terms. Regulators are generally less interested in whether a product is called a “platform” or a “technology provider,” and more interested in what it controls:

    • Transaction initiation and processing.
    • Issuance of stored value.
    • Operation of a payment instrument or payment system.
    • Control over settlement flows.
    • The integrity of communications to users.

    In practical terms, licensing outcomes often turn on where the business sits in the value chain: whether it is processing payments, operating payment rails, issuing e-money, or touching customer funds even briefly.

    4. PSP Licensing Pathways: Why “PSP” Is Not One Licence

    “PSP licence” is commonly used as shorthand, but in practice there are distinct categories that reflect different risk profiles, particularly the distinction between facilitating payments and issuing stored value.

    Electronic Retail Payments and Transfer Services (Without E-Money)

    This category generally captures providers facilitating electronic retail payment transactions such as gateways, acquiring and processing, and bill payments, without issuing stored value.

    Small E-Money Issuer (SEMI)

    SEMI structures recognise that some wallet products are low-value or limited in scope. While thresholds may differ, the underlying supervisory expectations remain meaningful: governance, AML/CFT controls, cybersecurity posture, and reporting capability must be credible.

    E-Money Issuer

    Where a platform issues, stores, and redeems e-money, particularly where it is usable with third parties, the regulatory intensity typically rises. At this level, safeguarding structures, reconciliations, consumer risk, and operational resilience become central.

    Payment Instruments and Payment Systems

    Where a business owns or operates payment instruments or systems, including switching or settlement-adjacent infrastructure, the authorisation posture can shift again, particularly where scale raises systemic considerations.

    5. Virtual Assets: What the VASP Act Signals for Kenya Fintechs

    Kenya’s Virtual Asset Service Providers Act, 2025 signals a formal shift toward licensing and supervision of digital asset activity. While implementing regulations and guidelines are awaited, the strategic implication for product teams is immediate: classify activities honestly (custody, exchange, issuance, advisory) and build for licensing readiness in governance, AML/CFT maturity, cybersecurity controls, and defensible disclosures.

    6. When Payments Drifts Into Banking-Style Regulation

    A common strategic risk is designing a payments product that quietly begins to resemble deposit-taking or bank-like services. Where a model involves deposit-like accounts, savings behaviour, or lending structures, the licensing framework can shift into a materially stricter regime under the Banking Act.

    Product design should therefore be treated as regulatory design, particularly where the roadmap includes credit, savings, or account-like features.

    7. Compliance as a Commercial Asset for Kenya Fintechs

    For growth-stage fintechs, licensing and compliance are often viewed as cost centres. In reality, they are frequently deal accelerators. Sophisticated counterparties increasingly ask for evidence: who owns AML/CFT controls, what cybersecurity standards are implemented, how personal data is handled, what incident response looks like, and whether vendor relationships allocate responsibilities clearly.

    Firms that can answer these questions with coherent documentation, including governance papers, policies, logs, and enforceable contracts, move faster in negotiations and inspire confidence in partners and investors.

    8. Timelines and Capital: Planning Realistically

    Licensing is a project, not a form. A realistic plan allows time for pre-application engagement, application review, regulator queries, and final issuance steps. Depending on the model and readiness, timelines can extend over several months and, in some cases, closer to a year.

    Minimum capital requirements vary by category. Examples commonly referenced for certain PSP categories include:

    • Small E-Money Issuer (SEMI): KES 1,000,000
    • Electronic retail payments services: KES 5,000,000
    • E-Money Issuer: KES 20,000,000
    • Designated payment instrument issuer: KES 50,000,000

    Capital, however, is rarely the only determinant of speed. Governance and operational controls are often what determine momentum through the licensing process.

    MN Legal supports clients across the lifecycle of payment and digital finance businesses, from early model structuring to licensing submissions and ongoing compliance posture. This includes mapping transaction flows to the right authorisation pathway, preparing governance and compliance documentation, aligning AML/CFT and operational resilience expectations, advising on data protection governance, and structuring partner and vendor contracts so the operating model matches the regulatory position.

    Make an enquiry  |  Explore Practice Areas

    Frequently Asked Questions

    What licence does a payment service provider need in Kenya?

    It depends on the model. The CBK regulates most PSP activity under the National Payment System framework. The right category depends on whether the business is processing payments, issuing e-money, operating payment instruments, or touching settlement flows. There is no single “PSP licence.”

    How long does payment licensing take in Kenya?

    Realistically, several months from pre-application engagement to issuance, and in some cases closer to a year. Governance and operational controls readiness often determines pace more than capital alone.

    What does the VASP Act mean for digital asset businesses in Kenya?

    The Virtual Asset Service Providers Act, 2025 introduces a formal licensing and supervision framework for digital asset activity. Businesses should classify their activities honestly and begin building for licensing readiness now, ahead of implementing regulations.

    Can a payments product drift into banking regulation?

    Yes. Where a model begins to resemble deposit-taking, savings, or lending, the applicable framework can shift toward the Banking Act, which carries significantly stricter requirements. Product design should be treated as regulatory design from the outset.

    Why does licensing matter commercially, not just regulatorily?

    Sophisticated partners, investors, and enterprise customers increasingly ask for evidence of governance, AML/CFT controls, cybersecurity posture, and data protection compliance. Firms with coherent documentation move faster in commercial negotiations and due diligence processes.

    How can MN Legal help with Kenya payments licensing?

    MN Legal advises on model structuring, licensing pathway selection, governance and compliance documentation, AML/CFT readiness, data protection governance, and vendor and partner contracting for payment and digital finance businesses operating in Kenya.

    Disclaimer: This article is for general information only and does not constitute legal advice. Licensing requirements vary by jurisdiction and specific facts. For advice on your specific model, contact MN Legal.

  • How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    How Capital Markets Licensing Affects Legal Tech Providing Investment, Crowdfunding or Securities Solutions

    The most commercially successful legal-tech products in capital markets are often the least dramatic: tools that help licensed
    intermediaries keep clean records, onboard investors efficiently, deliver disclosures with audit trails, and demonstrate compliance
    during due diligence.

    Yet licensing questions arise precisely because these products sit close to the regulatory frontier. A platform may be built as
    “workflow software” and still be treated as a regulated service if, in substance, it gives investment recommendations, arranges
    transactions, holds client money, or functions as part of the public offering machinery.

    Abstract capital markets licensing and legal-tech compliance graphic (no logos)
    Licensing risk is rarely about labels. Regulators look at function, control, and investor impact.

    Executive summary: Capital markets regulators tend to apply a functional approach. If your platform performs, controls,
    or materially influences regulated activity, licensing or a licensed partner model may be required, regardless of how the product is marketed.

    The licensing perimeter: the standard regulators apply

    Across most capital markets regimes, licensing is not triggered by a company’s branding (“we are a technology company”) but by what
    the company does. This is sometimes described as a substance-over-form or functional approach.

    In practical terms, the perimeter tends to tighten around four activities:
    (i) giving investment advice or making personalised recommendations,
    (ii) arranging, placing, routing, or executing transactions,
    (iii) handling client money, securities, or custody-like flows, and
    (iv) facilitating public offering communications in a way that creates mis-selling or disclosure risk.

    Legal-tech tools can sit safely outside the perimeter when they operate as internal compliance infrastructure for a licensed intermediary
    and remain subject to clear boundaries: the tool supports, records, and evidences; the licensed entity decides, approves, and executes.

    Where legal-tech products typically trigger perimeter concerns

    Licensing risk most often appears not in a single feature, but in the way features combine into a workflow. Products designed for
    investor onboarding, digital disclosures, and transactional workflow can become “front office” infrastructure very quickly.

    Where licensing risk appears in legal-tech products (onboarding, disclosures, transaction flow, custody)

    Onboarding, disclosures, order flow, and custody-adjacent design are the most common perimeter pressure points.

    Investor onboarding and eligibility

    KYC and onboarding tooling is generally defensible when it remains a controlled workflow with clear oversight. Risk escalates when
    the platform begins to make final determinations (who may invest, what products are suitable) without the licensed intermediary’s
    meaningful review, or where the “profiling” output becomes a de facto recommendation.

    Digital disclosures and investor communications

    Digital disclosure tools are often low-risk, and highly valuable, when they solve the evidence problem: document versioning,
    distribution logs, acknowledgements, and audit trails. Concerns arise where communications drift into promotion of an offer to the
    public without adequate controls, or where disclosures are delivered without traceable evidence of what the investor received and when.

    Order and transaction workflows

    Interfaces that display information are one thing; workflows that route orders, “match” investors to opportunities, or control
    execution logic may look like arranging or execution activity depending on the jurisdiction and the facts.

    Custody, payments, and settlement-adjacent flows

    Products that touch client funds directly or through accounts the platform controls require particular care. Even where a third-party
    payment provider is involved, the question regulators ask is who controls the flow and who bears responsibility for safekeeping.

    A practical perimeter test for founders and buyers

    The most efficient way to avoid late-stage licensing surprises is to run an early perimeter test and write down the conclusion.
    Think of it as a short internal legal memo that you can update at every major release.

    Regulatory perimeter test flowchart for legal-tech serving capital markets
    A simple test helps teams classify risk before product scope drifts.

    The test is deliberately plain. It asks: what service is the product enabling; who is the client; who touches money; who influences
    decisions; who executes; and who controls the communications. If the honest answers point toward advice, arranging/execution, custody-like
    flows, or public offer facilitation, then the product should be structured around a licensed entity either by obtaining the relevant
    permissions or by partnering with a licensed intermediary and allocating responsibilities clearly.

    Designing for compliance: standards that travel across jurisdictions

    Legal-tech teams operating internationally need principles that work across regimes even where definitions differ. The following
    standards tend to be robust:

    Build vs partner vs avoid matrix for licensing-sensitive product features
    A product decision matrix keeps commercial teams, engineers, and compliance aligned.

    First, keep regulated functions with the licensed entity where required. Second, build systems that generate evidence: approvals,
    versioning, acknowledgements, exception handling, and user action logs. Third, ensure that governance is not merely documented,
    but operational meaning there are named owners, review points, and the ability to demonstrate what happened in a specific investor journey.

    The strategic benefit is commercial as much as legal. Strong evidence and clearly bounded operating models reduce friction in procurement,
    accelerate partner onboarding, and make regulatory discussions more orderly.

    A realistic scenario: when “crowdfunding software” becomes a regulated service

    Consider a platform built initially to support issuers with document workflows: issuer onboarding, disclosure templates, and investor
    acknowledgements. The tool performs well and demand grows. Then the roadmap adds convenience features: investor “matching,” automated
    eligibility approval, and in-platform collection of funds “to simplify settlement.”

    Each feature looks incremental. Collectively, the platform may now resemble the machinery of a public offer and transaction facilitation.
    At that point, the perimeter question becomes unavoidable: is the platform merely enabling a licensed intermediary, or is it effectively
    arranging participation, influencing investment decisions, and controlling flows that look custody-adjacent?

    The fix is usually not a full rebuild. It is a structural decision: allocate regulated steps to a licensed partner (or obtain the
    necessary permissions), revise workflows to ensure meaningful oversight, and strengthen disclosures and records so the investor journey
    is defensible.

    Governance and documentation: what sophisticated partners will ask for

    Intermediaries, institutional partners, and sophisticated clients increasingly require evidence of regulatory thinking. A premium posture
    is to maintain a living file that includes: a perimeter memo, a feature risk register, an operating model diagram, vendor allocations,
    and a compliance evidence map (what logs exist, who reviews them, and how exceptions are handled).

    This is where legal-tech has an advantage. Unlike traditional paper processes, well-designed systems can produce reliable logs and
    demonstrate accountability. The goal is not to generate paperwork; it is to make compliance auditable.

    How MN Legal helps

    Perimeter advice, partner models, and defensible product workflows

    MN Legal advises legal-tech founders and capital markets intermediaries on regulatory perimeter mapping, licensing and partnering
    structures, disclosure and onboarding workflow design, and the contractual allocation of responsibilities between platforms and
    licensed entities. Where appropriate, we also support incident readiness and records strategy so your compliance posture is
    evidenced not assumed.

    Make an enquiry

    External reference points that inform global standards include
    IOSCO (securities regulation principles),
    FATF (AML/KYC expectations),
    and market regulators such as
    ESMA and the
    FCA.

    FAQ

    Does every investment or crowdfunding tool require licensing?

    No. Many tools remain outside the perimeter when they are genuinely internal compliance or recordkeeping infrastructure for a licensed
    intermediary. Risk depends on function and control particularly advice, arranging/execution, custody-like flows, and public communications.

    What features most often create licensing pressure?

    Personalised recommendations, investor matching/placement functions, order routing or execution logic, custody-adjacent payment flows,
    and public offer communications without robust controls.

    How should international legal-tech teams manage multi-jurisdiction uncertainty?

    Start with consistent standards: a perimeter memo, a feature risk register, a partner model where regulated steps are performed by
    licensed entities, and strong evidence (audit trails, disclosure versioning, acknowledgements, exception workflows).

    Disclaimer: This article is general information and not legal advice. Licensing requirements vary by jurisdiction and facts. For advice on your specific model, contact MN Legal.