Corporate Governance 2026 Comparisons

Kenyan law provides diverse legal structures to accommodate various specific needs.

Companies

The most common form of corporate organisation is a company. The Companies Act, Chapter 486 of the Laws of Kenya (“Companies Act”) provides for the following types of companies:

Companies limited by shares

A company is limited by shares if the liability of its members is limited by the company’s articles to any amount unpaid on the shares held by the members. A company limited by shares can take one of two forms:

• a private limited company – companies whose articles restrict a member’s right to transfer shares, limit membership to 50, prohibit public invitations to subscribe for shares or debentures of the company and require all members to consent to add a new member; and
• public limited company – companies whose articles allow their members the right to transfer their shares in the company and do not prohibit initiations to the public to subscribe for shares or debentures of the company.

Companies limited by guarantee

A company is limited by a guarantee if its articles limit its members’ liability to the amount they undertake to contribute to the company’s assets in the event of its liquidation and its certificate of incorporation states that it is limited by guarantee.

Unlimited companies

A company is unlimited if there is no limit on the liability of its members and its certificate of incorporation states that the liability of its members is unlimited.

Partnerships

Kenya also recognises various partnership structures. These are set out below.

General partnerships

A partnership is a relationship between persons carrying on a business in common and seeking profit. This traditional model entails unlimited liability for all partners, who share full responsibility for the partnership’s operations. They can:

• sue and be sued in their own name;
• enter into contracts and own property for business purposes; and
• ensure continuity despite partner changes, subject to the partnership agreement.

Limited partnerships (LP)

In Kenya, an LP is a form of partnership that involves:

• at least one general partner with unlimited liability and responsibility for the management of the limited partnership’s business; and
• one or more limited partners whose liability is restricted to their initial contribution to the partnership.

Limited liability partnerships (LLPs)

LLPs combine features of general partnerships with limited liability benefits typically associated with companies. Upon registration, LLPs become a separate legal entity with perpetual succession. As such, an LLP:

• is a legal entity separate from its members;
• has unlimited capacity and can do anything that a legal person can do; and
• its members have limited liability, hence they do not need to meet the LLP’s liabilities.

Several key sources that establish corporate governance requirements for companies in Kenya have been outlined below.

• The Companies Act sets out the primary legal framework governing the formation, operation and dissolution of companies, including aspects of corporate governance.
• The Insolvency Act, Chapter 53 of the Laws of Kenya (“Insolvency Act”), provides regulations for dealing with financially distressed companies and influences how companies manage their finances.
• The Partnership Act, Chapter 29 of the Laws of Kenya (“Partnership Act”) sets out the framework for the formation, management and operation of general partnerships and limited partnerships.
• The Limited Liability Partnerships Act, Chapter 30 of the Laws of Kenya (“LLP Act”) specifically addresses the registration and management of LLPs.
• Common law: Principles established through past court decisions (precedent) in England regarding companies can still be relevant even if not directly codified in Kenyan law.
• Internal governance documents: A company’s articles of association or a partnership’s partnership deed and, in the case of companies listed on the Nairobi Securities Exchange (“NSE”), its board charter, establish internal rules governing its operations, including directors’ powers and shareholder meetings.
• The Code of Corporate Governance Practices for Issuers of Securities to the Public, 2015 (the “CMA Governance Code”) is a set of guidelines issued by the Capital Markets Authority (“CMA”) that applies to publicly traded companies in Kenya and sets out various requirements aimed at ensuring fair treatment of shareholders, transparency and responsible management.
• The Code of Governance for State Corporations (Mwongozo) is a set of guidelines that lays a foundation for the management, governance and oversight of state corporations in Kenya.

Publicly traded companies in Kenya must comply with the CMA Governance Code, with some of its key requirements outlined below.

Fair Treatment of Shareholders

The CMA Governance Code mandates companies to treat all shareholders fairly, including minority and foreign shareholders. This includes ensuring equal voting rights and access to information.

Disclosure

The CMA Governance Code follows an “Apply or Explain” principle in which listed companies are required to fully disclose any instances where they are not complying with the CMA Governance Code. While the CMA may consider satisfactory explanations for non-compliance, adherence to the mandatory disclosure provisions outlined in the Capital Markets (Public Offers, Listing and Disclosures) Regulations, 2023 (“POLD Regulations”) is essential.

The POLD Regulations introduced significant changes to listing requirements affecting corporate governance in Kenya. These changes were further clarified by CMA Circular No. 06/2024 dated 13 June 2024 (“CMA Circular”).

Board Composition and Structure

Independent directors – tenure limitation

Under the POLD Regulations, an independent director is defined as a board member who is not an executive director, does not have a material or pecuniary relationship with the company or related persons, is compensated through sitting fees or allowances and does not own shares in the company. Critically, after six years of continuous service, such a director shall no longer be considered an independent director. This represents a reduction from the previous nine-year maximum tenure under the previous 2002 Regulations.

The CMA Circular clarifies that this provision applies prospectively to new appointments only. Existing independent directors whose letters of appointment indicate a nine-year term under the previous Regulations may continue to serve as such. Upon expiry of the six-year term, an independent director may be retained but must be redesignated as a non-executive director.

Non-executive directors – independence from related entities

The POLD Regulations defines a non-executive director as a board member who is not an executive director and is not an executive director or employee of a related entity. This means non-executive directors cannot have formal day-to-day responsibility in a company closely connected or affiliated with the issuer where they serve. The rationale is to uphold independence and objectivity, ensuring non-executive directors offer impartial oversight without influence from personal or professional connections within a corporate group.

Board composition requirements

The POLD Regulations require that boards comprise a balance of executive and non-executive directors, with a majority of non-executive directors. Independent directors must constitute at least one-third of the total number of board members. The chairperson must be a non-executive member and cannot hold such a position in more than two publicly listed companies at any one time. Executive directors are limited to holding such positions in no more than two publicly listed companies.

Corporate Governance Code – Mandatory Compliance

A significant development is the settlement of the debate regarding mandatory versus voluntary compliance with the CMA Governance Code. The POLD Regulations now provide in mandatory language that every issuer “shall comply” with the Code. CMA Circular confirms that the Code remains in force and that its enforceability has been clarified by this mandatory drafting.

Where any conflict arises between the POLD Regulations and the CMA Governance Code, the POLD Regulations take precedence. The CMA has indicated it will review and harmonise the CMA Governance Code with the POLD Regulations to ensure consistency.

The principal bodies and functions involved in the governance and management of a company in Kenya are the board of directors, the company secretary, the shareholders and the contact person.

Board of Directors

The board of directors is ultimately responsible for overseeing the company’s affairs. As stipulated by the Companies Act, the directors are entrusted with the power to direct and regulate the company’s business, set strategic direction and ensure compliance.

While the board of directors retains ultimate authority, it can delegate specific functions to individual directors, committees, management teams and employees.

Company Secretary

The Companies Act mandates that public and private companies with a share capital of KES5,000,000 (approximately USD38,760) or more appoint a company secretary.

The company secretary has various responsibilities, including documenting board and shareholder meetings and maintaining registers of directors, shareholders and debenture holders. They also liaise with the Registrar of Companies and file the required documents, such as annual returns and financial statements.

Shareholders

Shareholders are the owners of shares in a company. Their ownership translates into specific rights and influence over the company’s direction. Shareholders exercise their power through voting rights, allowing them to elect board members and approve significant changes, including amendments to the company’s articles of association.

Contact Person

Private companies or companies limited by guarantee that do not meet the threshold for a company secretary and do not have a resident director in Kenya must appoint a contact person.

The contact person’s primary function is to maintain critical company records, including those related to directorships, shareholding, beneficial ownership and any other information required by law. Notably, the contact must be a natural person with a permanent Kenyan residence.

Directors

The board of directors is the primary decision-making body for the company. It is entrusted with overseeing day-to-day operations and setting the company’s strategic direction. The articles of association will typically provide that the company’s business is to be managed by the directors, who are empowered to exercise all the company’s powers.

Shareholders

Certain fundamental decisions are explicitly reserved for the shareholders and require a formal resolution passed at a duly constituted meeting. These decisions typically involve significant changes to the company’s core structure or capital, such as amendments to the articles of association and alterations to the share capital. The company’s articles of association may, however, allow for the delegation of certain reserved decisions to the board of directors.

The board of directors and the shareholders make the decisions through the following processes:

Directors

The board makes decisions through formal resolutions, typically reached during board meetings. The company’s articles of association outline the specific procedures, quorum requirements (the number of members needed to be present), meeting notice periods and voting requirements for passing resolutions. Generally, a simple majority vote suffices. Written resolutions can also be used to make decisions without a physical meeting.

Shareholders

Shareholders make decisions through shareholder resolutions. These resolutions can be passed either by a vote at a formal shareholders’ meeting or as a written resolution without a meeting. Some exceptions exist, such as the early removal of a director or auditor, which requires a meeting and cannot be done through a written resolution. The type of resolution needed ordinary (simple majority) or special (75% majority), depends on the specific decision and is dictated by both the Companies Act and the company’s articles of association.

Number of Directors

Private companies must have at least one natural director, although their governing documents may establish a higher or lower limit.

Public companies, on the other hand, require at least two directors, one of whom must be a natural person. As with private companies, public companies retain the flexibility to set higher minimum or maximum numbers of directors in their governing documents.

Leadership

In most cases, the board elects a chairperson from among its members to lead and manage board meetings, unless the company’s articles of association or a shareholders’ agreement specify otherwise.

The Companies Act provides for a single-tiered board of directors with no distinctions unless a company elects to differentiate certain managerial roles for certain board members. In some cases, the chairperson may be given a casting vote in the event of a deadlock in a decision of the directors. The board of directors as a whole is responsible for managing the company’s business.

The Companies Act does not prescribe the composition of the board of directors for private or unlisted public companies. These entities are free to appoint directors as deemed necessary to fulfil their specific requirements.

However, companies listed on the NSE must ensure their board composition complies with the recommendations set forth in the CMA Governance Code. These recommendations are as follows.

• Balance of directors – The board should be comprised of a balanced mix of executive directors responsible for the company’s day-to-day operations and non-executive directors who provide independent oversight and guidance. A majority of the directors should be non-executive and one-third of the board should be independent non-executive directors.
• Board size – The optimal board size should be determined by the company’s specific needs and operations. It should be large enough to accommodate a diversity of expertise and perspectives yet remain conducive to productive discussions during board meetings.
• Director limits – An individual director of a listed company (excluding corporate directors) cannot hold such a position in more than three publicly listed companies concurrently.

In addition, certain industries, such as banking and insurance, may have additional board composition requirements based on “fit-and-proper” assessments of directors conducted by the relevant regulatory bodies.

Appointment of Directors

The Companies Act allows for appointing directors upon a company’s incorporation. This process is set out in the articles of association for future appointments. As such, directors are typically appointed by a resolution of the shareholders, with a simple majority vote sufficing. However, the articles of association may prescribe specific instances where the directors may appoint a director (eg, filling a casual vacancy)

Restrictions on the Appointment of Directors

The Companies Act imposes certain restrictions on who can be appointed as a director. Firstly, any individual under the age of eighteen is automatically ineligible. Furthermore, the company’s articles of association will ordinarily preclude specific groups of people from acting as directors. Such groups may include undischarged bankrupts and individuals deemed to be of unsound mind. This aligns with the Insolvency Act, which further prohibits undischarged bankrupts from participating in the management or control of any business without the express consent of a bankruptcy trustee or the court.

Removal of Directors

Ordinary resolutions can remove a director. However, specific procedures must be followed. A special notice detailing the proposed removal must be served on the director in question. The director is then given the opportunity to submit written representations within twenty-one days of receiving the notice.

Following the receipt of any representations, the board must convene a meeting to consider the matter. The director facing removal is entitled to be heard during this meeting when the motion for removal is being considered. If the motion for removal is passed, the director retains the right to challenge the removal in court.

It is important to note that even after being removed from office, a director remains subject to certain continuing duties. These duties include:

• the obligation to avoid conflicts of interest regarding exploiting any property, information or opportunity that the individual became aware of while acting as a director; and
• the prohibition on accepting benefits from third parties concerning actions taken or omitted during their tenure as a director.

Independence of Directors

There are no rules and requirements on the independence of directors in private companies or unlisted public companies. Listed companies, on the other hand, must ensure that at least one-third of the board of directors are independent non-executive directors. Under the CMA Governance Code and the POLD Regulations, a director is considered to be independent if he or she:

• is not an executive director;
• does not have a material or pecuniary relationship with the company or related persons;
• is compensated through sitting fees or allowances;
• does not own shares or owns less than 5% of the shares in the listed company;
• serves in such a role for a maximum period of six years.

Conflict of Interest

The Companies Act provides that a director of a company must avoid a situation in which he has or can have, a direct or indirect interest that conflicts with or may conflict with the company’s interests. The duty to avoid conflict of interest is not breached where the matter in question has been approved by the other directors.

The duty to avoid conflict of interest and not to accept benefits from third parties to survive the cessation from office as a director dictates that if a director has personal interests in proposed or existing transactions with the company, they are required to give notice of such interest to the other directors and, in the case of a public company, to the members of the company within 72 hours. Failure to disclose a personal interest in accordance with the Companies Act is an offence and on conviction, the director concerned is liable to pay a fine not exceeding KES1,000,000.

The principal legal duties of directors in Kenya arise from common law and have been codified under the Companies Act, including the duties listed below.

Act Within Their Powers

Directors have specific authorities outlined in the company’s constitution. These powers must be used solely to benefit the company, not for personal gain or the interests of others and for the specific purpose for which they are conferred.

Promote the Company’s Success

Directors are obligated to make decisions they believe, in good faith, will best promote the company’s success for its shareholders. This includes considering long-term consequences, employee interests, community impact and fostering good relationships. When a company becomes insolvent, the director’s primary duty shifts to protecting creditors’ interests.

Exercise Independent Judgment

While seeking professional advice is encouraged, directors must ultimately make independent decisions. They cannot blindly follow the will of others or rely solely on external advice. However, some situations may require following pre-existing agreements or the company’s constitution.

Exercise Reasonable Care and Diligence

Directors are expected to exhibit the same level of care, skill and diligence as a reasonably competent person in their position. This includes applying their own knowledge and experience alongside any relevant expertise. Failure to do so could lead to negligence claims against them.

Avoid Conflicts of Interest

Directors must avoid situations in which their personal interests, directly or indirectly, conflict with the company’s interests. This includes exploiting company property, information or opportunities. This is a strict duty, regardless of whether the company could benefit from it. Breaches can result in serious consequences, including criminal action. However, situations unlikely to create a conflict are acceptable.

Not Accept Benefits from Third Parties

Directors are prohibited from accepting benefits (gifts, bribes, etc) from third parties arising from their position. This includes offers of hospitality intended to influence their decisions. Such actions violate the Companies Act and may also violate other anti-bribery laws. However, minor benefits unlikely to create a conflict are permissible. Additionally, benefits from the company itself are not restricted by this duty.

Disclose Any Interest in Transactions

Directors must declare any direct or indirect interest they have in company transactions or arrangements. This applies to both private and public companies, with varying disclosure timelines and procedures. Failure to disclose or provide inaccurate information can lead to penalties. However, directors are not responsible for situations in which:

• they are unaware of a conflict; or
• their interest is insignificant.

Under Kenyan law, directors primarily owe their duty to the company and not to individual shareholders or other stakeholders. This principle is codified in the Companies Act.

While the company’s success remains the directors’ primary objective, their duties can, in certain circumstances, encompass other stakeholders’ well-being. This may include employees, customers and suppliers. For instance, the duty to promote the company’s success can involve considering the impact on employees, the community and the environment, as well as fostering strong relationships with suppliers and customers.

In addition, if the company enters insolvency proceedings, the directors’ duties shift. The Insolvency Act takes precedence, requiring them to prioritise the interests of creditors and other stakeholders involved in the insolvency process.

Directors owe their primary duty to the company, not to the shareholders. Therefore, acting through its proper organs (usually the board or shareholders at a general meeting), the company is the primary party that can enforce a breach of directors’ duties.

However, shareholders have derivative claim rights under Kenyan law. This means that if the company fails to take action for a breach of directors’ duties that harms the company, a shareholder can bring a lawsuit against the directors on behalf of the company. The directors’ actions ultimately affect the value of the company’s shares, which in turn affects shareholders.

Breach of directors’ duties in Kenya can lead to several consequences for directors:

• personal liability – directors can be ordered to pay damages to the company for any losses resulting from their breach;
• accountability for profits – if directors breach their duty by profiting from a conflict of interest, they may be required to return those profits to the company;
• removal from office – shareholders can remove directors who have breached their duties by voting at a general meeting;
• disqualification – in serious cases, a court can disqualify a director from holding office in any company for a set period (which can significantly damage a director’s career prospects); and
• criminal prosecution – certain breaches of directors’ duties may be criminal offences punishable by fines or imprisonment.

Beyond breaches of corporate governance requirements, directors and officers in Kenya can face claims and enforcement actions for various reasons under Kenyan law, including:

• negligence – directors and officers must act with reasonable care and skill in managing the company; if their actions or lack thereof cause harm to the company, shareholders or creditors due to negligence, they can be held personally liable;
• breach of fiduciary duty – directors and officers owe a fiduciary duty to the company (including duties of loyalty and good faith) and they can be liable for the resulting losses if they act in their interests or those of a third party at the company’s expense;
• misfeasance and/or breach of trust – similar to a breach of fiduciary duty, this applies when directors or officers misuse company property or assets for personal gain or purposes outside the company’s interests; and
• statutory violations – specific laws such as the Companies Act, the Capital Markets Act or the Competition Act may impose liability on directors and officers for breaches of their provisions.

The Companies Act in Kenya restricts attempts to shield directors and officers from liability and voids any clause in the company’s articles, contracts or other documents that seeks to exempt directors from liability arising from negligence, default, breach of duty or breach of trust.

Companies can, however, obtain directors and officers insurance to cover liabilities incurred while acting in the company’s best interests. This insurance wouldn’t protect directors from intentional wrongdoing or gross negligence.

Directors’ service contracts that extend beyond two years require the approval of company members. This requirement does not apply to companies not registered under the Companies Act or wholly owned subsidiaries of other corporate entities. Where a director’s service contract is entered into in contravention of the provisions of the Companies Act, the contract is void to the extent of the contravention and the company is entitled to terminate the contract with reasonable notice.

Directors of a company (excluding companies subject to the small companies regime) are required to include details of the benefits they have received in that financial year in the notes to the company’s individual financial statement.

The directors of a listed company shall prepare a directors’ remuneration report for each of the company’s financial years. A quoted company is one whose equity share capital is included in the official list of a stock exchange or other regulated market in Kenya.

Individuals become members of a company by subscribing to shares by:

• incorporation; or
• the creation of new shares; or
• a transfer of shares from an existing shareholder.

Shareholders provide equity/financial backing to a company and are generally liable only for the amount of their unpaid shares.

The Companies Act provides that a company’s constitution binds the company and its members to the same extent as if the company and its members had covenanted with each other to observe the constitution, making the relationship contractual in nature.

The company’s constitution (articles of association) governs the relationship between the company and its members, including the rights attached to the respective members’ shares. In some cases, members may opt to enter into a private shareholders’ agreement to govern the relationship amongst themselves.

Generally, a company is a separate legal entity from its shareholders. This separate personality is not without limits and courts may allow piercing the corporate veil in cases of fraud and serious misconduct. The concept of piercing the corporate veil is recognised under Kenyan law and courts will do so if satisfied that there has been serious misconduct or fraud. In doing so, the individuals behind the company who have committed a wrong using the company will be held personally liable.

The Companies Act requires a company to maintain a register of its shareholders, which must include their names, addresses, shareholding details, dates of becoming and ceasing to be shareholders and any distinctions between classes of shares. The register must be kept at the company’s registered office and a copy must be submitted to the Registrar of Companies. Although the Companies Act does not expressly provide for public access to this information, certain shareholder details may be obtainable through a formal search at the Companies Registry, subject to the applicable fees, including the shareholders’ names, addresses and shareholding details.

Shareholders are not involved in the company’s day-to-day operations, as this is the board of directors’ function. Shareholders, however, have the power to appoint and remove directors from office. In addition, certain decisions, such as loans by a company to its directors, may only be made with the approval of shareholders.

Every company must hold an annual general meeting within a year. Failure to do so can result in a fine of up to KES100,000 (approximately USD775).

All private or public companies must provide members with at least 21 days’ notice for annual general meetings. For other types of meetings, a 14-day notice period is required. However, a company’s articles of association may specify longer notice periods.

Members may request that directors convene a general meeting. In such a case, the directors must schedule the meeting within 21 days.

The Companies Act permits hybrid or virtual meetings. Notices for such meetings must clearly outline how to join and participate. Additionally, companies must adhere to the provisions of their articles of association regarding the conduct of general meetings.

The Companies Act recognises the institution of derivative claims by shareholders on behalf of a company. For purposes of derivative claims, a “member” includes a person who is not a member but to whom shares in the company have been transferred or transmitted by operation of the law. This means that an applicant need not appear in the company’s register of members or hold a share certificate; it is sufficient to show that they are beneficially entitled to any shares.

The grounds that the court will consider to permit a derivative claim include negligence, default, breach of duty and breach of trust by a company director. Courts in Kenya have held that permission to commence a derivative claim will be denied where the suit is not in the interest of or of benefit to, the company and where the company has authorised the proposed act.

Shareholders in publicly traded companies in Kenya are subject to various disclosure obligations, as follows.

Notification of Holdings Above Certain Thresholds

Any person obtaining a “notifiable interest” (ie, 3% or more) in shares of a listed company or who ceases to be interested in such shares must notify the listed company of the acquisition or cessation of interest in the shares. The Licensing Regulations also require that listed companies report to the NSE on a monthly basis:

• all persons who have acquired or cease to have a notifiable interest in its shares;
• all directors holding 1% or more in the relevant share capital; and
• cumulative holding of the relevant share capital by directors.

Disclosure Obligations for Ultimate Beneficial Owners

Subject to certain exceptions, companies incorporated in Kenya are required to file a register of beneficial owners. A beneficial owner is a natural person who holds at least 10% of the shares or voting rights or has the power to change directorship or has a significant influence over the company.

Shareholding Disclosures

Listed companies must publish detailed information about their shareholding, including:

• a quarterly disclosure to the NSE of every person who holds or acquires 3% or more of the listed company’s ordinary shares;
• publication by a listed company in its annual report of (i) distribution of shareholders; and (ii) names of the ten largest shareholders and the number of shares in which they have an interest as shown in the issuer’s register of members;
• immediate disclosure by an issuer of any information likely to have a material effect on market activity; and
• disclosure in the annual report of any substantial sale of assets involving 25% or more of the total assets.

Notification to the Kenya Revenue Authority

Every business entity is required to report to the Commissioner-General of the Kenya Revenue Authority within thirty days of any change in the ownership structure resulting in a change of ten 10% or more of the issued share capital.

Directors of a company are required to prepare annual financial statements that give a true and fair view of the company’s financial position for the relevant year. A copy of the annual financial statement must be sent to every member of the company, every holder of the company’s debentures and every person entitled to receive notice of general meetings.

In addition, directors are required to prepare a director’s report for each financial year. For companies that do not qualify for exemption under the small companies’ regime, the report should also include a business review of the company’s operations.

Listed companies are required to publish their annual financial statements, as well as the directors’ report, on their website.

The directors are required to lodge certain documents, such as balance sheets, annual financial statements, directors’ report and auditor’s report, with the Registrar of Companies, but in practice, this is not done as the Companies Registry only provides for filing a company’s annual returns.

The CMA Governance Code requires institutions to explain in their annual reports how they have applied its recommendations.

In Kenya, companies are incorporated and registered through the Business Registration Service (BRS), a statutory agency responsible for managing the incorporation process and maintaining company records. It oversees the Companies Registry, which handles regulatory filings and stores official records for all registered companies. Most services offered by the BRS are now available online through the eCitizen portal.

As part of its regulatory mandate, BRS requires companies to lodge annual returns with the Registrar on the anniversary of their incorporation or, if their last return was made on a different date, on the anniversary of that date. Failure to lodge annual returns may result in the company and each officer in default being separately liable to a fine not exceeding KES200,000. The annual returns are open for public inspection.

Following a recent amendment of the Companies Act by the Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act, 2023, a company may be deemed not to be carrying on business if it has failed to file annual returns or financial statements for a period of five years or more or where a company has failed to lodge a copy of the register of beneficial owners after being directed to do so by the Registrar.

The Registrar of Companies has been given broad powers to ensure compliance with corporate obligations. These include the authority to strike off companies from the register if they appear to be inactive, such as those that have not submitted annual returns or financial statements for an extended period or have not provided their register of beneficial owners after being instructed to do so.

In line with these powers, BRS issued a compliance notice on 11 April 2025 to private companies that have not filed their register of beneficial owners. The notice warned that non-compliant companies may be presumed to be inactive or not operating, which could result in their removal from the official register of companies.

Kenya’s AML framework is aligned with international standards established by the Financial Action Task Force (“FATF”). As a member of the Eastern and Southern Africa Anti-Money Laundering Group, Kenya has incorporated these standards into domestic law through the Proceeds of Crime and Anti-Money Laundering Act, Cap. 59A (“POCAMLA”) and its subsidiary legislation. POCAMLA distinguishes between obligations that apply specifically to “reporting institutions” (as defined in the POCAMLA) and general criminal offences that apply to all persons, including companies that are not reporting institutions.

Obligations Applicable to Reporting Institutions

Definition of reporting institutions

Under POCAMLA, a “reporting institution” means a financial institution or a designated non-financial business or profession. These are the entities to which Part IV of POCAMLA applies. The categories include:

• financial institutions – entities conducting activities such as accepting deposits, lending, money transmission, foreign exchange, securities trading, portfolio management, insurance underwriting and money changing; and
• designated non financial businesses and professions (“DNFBPs”) – casinos (including internet casinos), real estate agencies, dealers in precious metals and stones, accountants, advocates, notaries and other independent legal professionals and trust and company service providers.

Companies operating within these categories are “reporting institutions” for the purposes of POCAMLA and are subject to the full suite of AML compliance obligations set out in Part IV of POCAMLA. A company that does not fall within either category is not a reporting institution and is not subject to Part IV obligations (though it remains subject to the general criminal offences discussed below).

Suspicious transaction reporting

POCAMLA imposes mandatory monitoring and reporting obligations on reporting institutions. Reporting institutions must monitor all complex, unusual, suspicious or large transactions on an ongoing basis. Upon suspicion that any transaction could constitute or be related to money laundering, terrorism financing, proliferation financing or the proceeds of crime, the reporting institution must file a suspicious transaction report (“STR”) with the Financial Reporting Centre (“FRC”) within two days after the suspicion arose. The obligation arises upon reasonable suspicion and does not require proof of criminal conduct.

In addition to STRs, reporting institutions must file reports on:

• large and unusual transactions;
• cash transactions exceeding USD 15,000 or its equivalent (per the Fourth Schedule to POCAMLA); and
• cross border transportation of monetary instruments.

Customer due diligence and beneficial ownership

Reporting institutions must:

• verify customer identity;
• identify and verify beneficial owners;
• maintain customer and transaction records for at least ten years; and
• disclose beneficial ownership information to relevant authorities.

These obligations were strengthened by the Anti Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act, 2023, which aligned Kenyan law with FATF Recommendations on transparency and beneficial ownership.

Internal controls and compliance

POCAMLA requires reporting institutions to establish and maintain internal controls and internal reporting procedures. This includes identifying persons to whom employees should report suspicious activities, ensuring those persons have access to relevant information and requiring direct reporting to the FRC where a sufficient basis exists. These functions fall within board oversight as they concern enterprise-wide risk management and statutory compliance.

Obligations Applicable to All Companies (Including Non-Reporting Institutions)

While the Part IV compliance obligations discussed above apply only to reporting institutions, POCAMLA also creates general criminal offences that apply to all persons, including companies that are not reporting institutions.

Money laundering offences

Under POCAMLA, any person (including a company) commits an offence if they enter into any agreement, arrangement or transaction with respect to property that is the proceeds of crime, knowing or having reason to believe that the property is proceeds of crime. Under POCAMLA, any person who acquires, uses or possesses property knowing or having reason to know that it forms part of the proceeds of crime commits an offence. These offences apply to all companies regardless of whether they are reporting institutions.

Tipping off and misrepresentation

POCAMLA makes it an offence for any person who knows or ought reasonably to have known that a report is being prepared or has been sent to the FRC to disclose information relating to that report. POCAMLA makes it an offence for any person to knowingly make a false statement or provide a false document to a reporting institution, supervisory body or the FRC. These offences apply to all persons and companies.

Cross-border transportation of monetary instruments

Under POCAMLA, any person (not only reporting institutions) intending to convey monetary instruments exceeding USD 10,000 or its equivalent into or out of Kenya must declare this to an authorised person. Wilful failure to report or material misrepresentation of the amount, is a criminal offence. This obligation applies to all persons and companies.

Board Oversight and Personal Liability

For reporting institutions, the board bears responsibility for ensuring compliance with Part IV of POCAMLA. This includes approving AML/CFT policies and risk frameworks, ensuring adequate resourcing of compliance functions and receiving periodic compliance reports. Directors owe statutory duties under the Companies Act to act in good faith, exercise reasonable care, skill and diligence and ensure the company’s compliance with applicable laws. A failure by the board to oversee AML compliance or respond to red flags may constitute a breach of statutory duty.

Personal Liability (All Companies)

POCAMLA provides that where an offence is committed by a body corporate with the consent or connivance of any director, manager, secretary or other officer, that person (as well as the body corporate) may be prosecuted. This applies to both reporting institutions and non-reporting companies that commit offences under the Act.

For reporting institutions, the FRC is empowered to impose civil penalties for non-compliance with the Act or any instruction, direction or guideline issued by the FRC. Penalties may be up to KES5,000,000 for individuals and KES25,000,000 for corporate bodies, with additional daily penalties of KES10,000 for continued non-compliance. The FRC may also issue warnings, compliance orders or request the suspension or revocation of licences.

Companies are generally required to appoint an independent auditor to review their annual financial statements. There are exemptions for small and dormant companies.

• Small company: A company qualifies as “small” if its turnover for the relevant year does not exceed KES50,000,000 (approximately USD387,570) and the value of its net assets at the end of the financial year does not exceed KES20,000,000 (approximately USD155,026).
• Dormant company: A dormant company is one that has not traded or has minimal activity during the year. However, this exemption does not apply to companies in specific industries, even if they are dormant. These industries include insurance companies, banking companies and e-money issuers.

Even if a company falls under the small or dormant company exemptions, its members (owners or shareholders) can still require an audit by providing the company with formal notice.

The company’s directors or members vote to appoint and remove an auditor. A simple majority vote is required for appointment, but a special resolution from the members is required for removal.

The Companies Act and the CMA Governance Code establish specific requirements for directors in relation to risk management and internal controls:

• directors’ report – directors must prepare a report for each financial year, which should include a business review detailing the company’s principal risks and uncertainties; and
• internal control systems – the boards of listed companies must:
1. establish and regularly review the adequacy and integrity of the company’s internal control systems;
2. ensure compliance with applicable laws and regulations; and
3. establish an effective risk management framework.

There are no requirements for private or public companies to report on ESG issues. However, companies listed on the NSE have reporting requirements, as follows.

• Companies Act: The directors’ report for listed companies must incorporate a business review section. This section delves into the company’s environmental practices, employee treatment and social and community involvement.
• NSE ESG Disclosures Guidance Manual (“ESG Manual”): Issued in late 2021, this manual provides listed companies with a framework for collecting, analysing and publicly disclosing ESG information. The objective is to achieve alignment with internationally recognised reporting standards.

In addition, certain industries, such as the banking sector, have established their own ESG-related guidelines. For instance, the Kenya Bankers Association’s Sustainable Finance Initiative (“SFI”) encourages its member banks to:

• implement robust environmental and social risk management systems; and
• publish comprehensive sustainability reports biannually (every two years).

Despite the global political debate and partial pushback against ESG in some jurisdictions, there has been no material retreat from ESG in Kenya. Instead, the trend has been toward greater formalisation and integration of ESG considerations, particularly for listed and regulated entities.

Environmental Component

The most significant change is in the environmental component, where climate-related risks are increasingly treated as financial and operational risks rather than purely reputational issues. This is especially evident in the financial sector, where regulators and industry bodies are encouraging structured climate risk management and more robust environmental disclosures.

Governance Component

The governance component is also strengthening, with clearer expectations around board-level oversight of ESG matters, including sustainability strategy, risk management and the integrity of ESG disclosures. ESG is increasingly viewed as part of core corporate governance rather than as a voluntary form of corporate social responsibility.

Social Component

By contrast, the social component has evolved more incrementally, with the primary change being enhanced transparency and reporting rather than new substantive legal obligations.

Kenya currently has no AI-specific board oversight requirements in force. However, the Artificial Intelligence Bill, 2026 (the “AI Bill”), introduced in Parliament, proposes to establish a comprehensive regulatory framework for AI governance. In the interim, AI-related matters are addressed indirectly through existing frameworks governing material risks, corporate governance, data protection, investor protection and anti-money laundering.

The key sources of current and proposed regulations are outlined below.

Companies Act

The Companies Act imposes statutory duties on directors to act in good faith, exercise reasonable care, skill and diligence and act in the best interests of the company. In addition, the Companies Act requires directors to exercise independent judgment.

Where AI systems present material risks to the company’s operations, finances or reputation, directors must ensure adequate oversight and risk management.

A failure to address foreseeable AI-related risks may constitute a breach of these duties, potentially exposing directors to personal liability under derivative actions or unfair prejudice provisions.

Capital Markets Act

The Companies Act empowers the CMA to regulate public companies and market intermediaries, including in relation to disclosure and governance.

Issuers must comply with continuous disclosure obligations and boards must ensure that material risks (including those arising from AI) are appropriately identified and disclosed.

POLD Regulations

The POLD Regulations require listed companies to disclose in their annual reports all material risks affecting the company and its prospects.

Where AI systems are integral to a company’s operations or pose significant risks, boards must ensure that these matters are addressed in financial statements and management commentary.

Failure to disclose material AI-related risks may result in enforcement action by the CMA and civil liability to investors for misrepresentation or omission.

Data Protection Act

The Data Protection Act requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data.

Where AI systems process personal data, boards must ensure compliance with data protection principles, including lawfulness, fairness, transparency, purpose limitation and data minimisation.

In addition, the Data Protection Act imposes specific obligations regarding automated decision-making, including the right of data subjects to obtain human intervention and to contest decisions.

AI Bill

The AI Bill proposes specific governance requirements for AI systems. In this regard, the AI Bill introduces a risk-based classification system, categorising AI systems as unacceptable risk (prohibited), high-risk, limited risk or minimal risk. High-risk systems include those used in healthcare, education, finance, employment and public administration.

In addition, the AI Bill imposes mandatory obligations on providers and deployers of high-risk AI systems, including:

• conducting risk assessments before deployment and implementing mitigation measures, including human oversight;
• conducting human rights impact assessments before deployment;
• ensuring transparency, traceability and explainability of the system’s decision-making processes;
• maintaining records of data inputs, training datasets, outputs and performance metrics for at least five years;
• complying with the Data Protection Act in relation to personal data processing; and
• incorporating measures for robustness, accuracy and cybersecurity.

The AI Bill also requires that AI systems be designed and deployed in a manner that enhances, rather than replaces, human capabilities, incorporates features that support human involvement and provides for human oversight in critical decisions.

Furthermore, the AI Bill mandates disclosure to users and affected persons regarding the nature, purpose and limitations of AI systems, the extent of automated decision-making and measures taken to mitigate bias.

Kenya does not currently have dedicated AI legislation in force. However, the existing regulatory framework addresses AI-related risks through several interconnected statutes. See response to 8.1 Board Oversight of AI.

Key AI Governance Developments in 2025-2026

The most significant development is the introduction of the AI Bill, which had its first reading in the Senate on 2 April 2026. If enacted, the AI Bill will establish Kenya’s first comprehensive AI regulatory framework. Key governance elements are as follows.

Risk classification

The AI Bill establishes a four-tier classification system (unacceptable risk, high-risk, limited risk, minimal risk). Systems classified as unacceptable risk (those posing severe threats to health, safety, fundamental rights or societal welfare) are prohibited.

High-risk system obligations

The AI Bill imposes mandatory obligations on providers and deployers of high-risk AI systems, including risk assessments, human rights impact assessments, transparency and explainability requirements, record-keeping for at least five years, data protection compliance and cybersecurity measures.

Regulatory oversight

The AI Bill establishes the Office of the Artificial Intelligence Commissioner as a body corporate with powers to oversee implementation and enforcement, conduct audits and post-market surveillance, issue enforcement notices and impose administrative fines and maintain a public register of high-risk AI systems.

Ethical guidelines

The AI Bill requires the AI Commissioner to develop and publish ethical guidelines that address bias prevention, privacy protection, human oversight and accountability, environmental sustainability and the prohibition of non-consensual use of personal images or likenesses in AI-generated content.

• Regulatory sandboxes: the AI Bill authorises the AI Commissioner to establish regulatory sandboxes for testing AI systems in controlled environments, with prescribed conditions including safeguards for ethics, data protection and risk monitoring.

Allocation of Responsibility for AI Governance

Under current law, responsibility for AI governance is distributed across organisational levels, with ultimate accountability resting on the board of directors. The board sets AI strategy, oversees key risks and ensures proper governance of AI systems in line with its fiduciary duties under the Companies Act to act in good faith, exercise reasonable care and skill and promote the company’s success.

The audit and risk committee would typically oversee AI-related risks as part of the broader enterprise risk management framework, including cybersecurity, data governance, internal controls and legal compliance. Under the POLD Regulations, listed companies must establish audit committees with responsibility for reviewing internal controls and risk management systems. In more advanced organisations, a dedicated technology or AI committee may be established to provide specialised oversight of AI deployment, algorithmic fairness and ethical considerations, although this remains best practice rather than a legal requirement.

Management would be responsible for the day-to-day implementation of AI systems, including deployment, monitoring and compliance with internal policies and applicable law, with support from IT, legal, data protection and compliance teams. For reporting institutions under POCAMLA, management must ensure that AI systems used in AML compliance meet the standards required by the Act.

If the AI Bill is enacted, management will be responsible for conducting risk assessments and human and rights impact assessments and for maintaining records. Ultimately, however, the board retains final accountability for AI-related outcomes and associated risks, including regulatory, financial and reputational impacts.

Disclosure Failures

Boards and officers may incur liability for failure to disclose material AI-related risks. Under the Capital Markets Act, issuers are required to provide accurate and complete information to investors.

The POLD Regulations require disclosure of all material risks in prospectuses and annual reports. Where AI systems are integral to a company’s operations or present significant risks (eg, reliance on algorithmic trading, AI-driven credit decisions or automated customer interactions), failure to disclose such reliance or associated risks may constitute a material omission.

The CMA may impose administrative sanctions and affected investors may pursue civil claims for misrepresentation or omission under common law or the relevant provisions of the Capital Markets Act.

Data Protection and Privacy Breaches

AI systems that process personal data expose organisations to significant liability under the Data Protection Act.

Data Protection sets out data protection principles, including lawfulness, fairness, transparency, purpose limitation and data minimisation. Data controllers and processors are required to implement appropriate technical and organisational measures to protect personal data.

In addition, the Data Protection Act specifically addresses automated decision-making, providing data subjects with the right not to be subject to decisions based solely on automated processing that significantly affect them and the right to obtain human intervention.

Breaches may arise from unlawful processing, inadequate consent, lack of transparency regarding AI decision-making or data security failures. Enforcement is primarily undertaken by the ODPC, which may impose administrative penalties. If the AI Bill is enacted, it will require providers and deployers of high-risk AI systems to comply with the Data Protection Act, thus reinforcing these obligations.

Unfair Practices and Consumer Harm

AI-driven decisions or outputs that are misleading, discriminatory or unfair may expose companies to liability under the Consumer Protection Act. This includes situations where AI systems produce biased outcomes (eg, discriminatory credit scoring or insurance pricing) or fail to provide adequate transparency to consumers. The Consumer Protection Act prohibits unfair trade practices and provides for compensation for loss or damage.

If the AI Bill is enacted, it will require adherence to ethical guidelines that address the prevention of bias, discrimination and exclusion, with particular regard to vulnerable groups. The AI Bill creates an offence for contravening ethical guidelines where such contravention results in bias, discrimination or harm to individuals, punishable by a fine of up to KES1,000,000 or imprisonment for up to six months.

Cybersecurity and System Failures

AI systems are vulnerable to cybersecurity risks, including hacking, adversarial manipulation and data breaches. Under the Computer Misuse and Cybercrimes Act, critical information infrastructure operators are required to implement appropriate security measures.

The Data Protection Act requires data controllers to implement technical and organisational measures appropriate to the risk. If the AI Bill is enacted, it will require providers and deployers of high-risk AI systems to incorporate measures for robustness, accuracy and cybersecurity. Failure to implement adequate security measures may result in regulatory enforcement, civil liability to affected parties and reputational harm.

Breach of Directors’ Duties

Directors may be personally liable under the Companies Act where they fail to exercise reasonable care, skill and diligence in overseeing AI-related risks.

The Companies Act imposes a duty to act in good faith and in the best interests of the company, requires the exercise of independent judgment and requires directors to exercise the care, skill and diligence that would be exercised by a reasonably diligent person with the general knowledge, skill and experience reasonably expected of a director.

Failure to implement appropriate AI governance frameworks, monitor AI system performance or respond to known risks may constitute a breach of these duties. Enforcement may occur through shareholder derivative actions or court proceedings for unfair prejudice.

Under the AI Bill (if enacted), where an offence is committed by a body corporate, every director or officer who had knowledge of the commission of the offence and did not exercise due diligence to ensure compliance shall be guilty of the offence.

Intellectual Property Infringement

AI systems may infringe intellectual property rights, for example, by using copyrighted material in training datasets or by generating infringing outputs. Liability may arise under the Copyright Act and the Industrial Property Act. Enforcement is typically undertaken by rights holders through civil litigation, with remedies including damages, injunctions and an account of profits.

The AI Bill does not directly address IP liability but requires consent where AI systems generate or manipulate images, voice or likeness and creates an offence for generating AI content using a person’s image, voice or likeness without explicit consent where such content causes harm, misinformation, defamation or infringement of privacy.

AML Non-Compliance (Reporting Institutions)

For reporting institutions under POCAMLA, AI systems used in AML compliance (eg, transaction monitoring, customer due diligence, risk scoring) must meet the standards required by the Act. POCAMLA requires monitoring and reporting of suspicious transactions.

If AI systems fail to detect or correctly flag suspicious activity, the institution may face liability for failure to comply with AML obligations. POCAMLA provides that where an offence is committed by a body corporate with the consent or connivance of any director, manager, secretary or other officer, that person may be prosecuted alongside the body corporate.

AI Bill Offences (if enacted)

The AI Bill creates several offences that may expose boards and officers to liability:

• deploying a system classified as unacceptable risk – up to KES5,000,000 or two years imprisonment;
• deploying a high-risk system without conducting required risk assessments or implementing mitigation measures – up to KES5,000,000 or two years imprisonment;
• failing to comply with disclosure or transparency obligations – up to KES1,000,000 or six months imprisonment;
• obstructing the AI Commissioner or providing false information – up to KES1,000,000 or six months imprisonment;
• generating AI content using a person’s image, voice or likeness without consent, causing harm, misinformation, defamation or privacy infringement – up to KES5,000,000 or two years imprisonment.

The AI Bill imposes personal liability on directors and officers: where an offence is committed by a body corporate, every director or officer who had knowledge of the commission of the offence and did not exercise due diligence to ensure compliance shall be guilty of the offence.

Reputational Risk

Reputational risk is a pervasive consequence of AI-related failures, often arising from data breaches, biased outputs, unethical use of AI or regulatory investigations. While not a standalone legal claim, reputational damage can lead to significant financial loss, shareholder actions and increased regulatory scrutiny.

Boards may be exposed where reputational harm results from inadequate oversight or failure to manage foreseeable AI risks. Under the Companies Act, directors owe duties to promote the company’s success, including safeguarding its reputation.

Failure to establish robust AI governance frameworks may therefore constitute a breach of duty where foreseeable reputational harm materialises.

Capital Markets Disclosure

Kenya does not currently have AI-specific disclosure requirements. However, under the Capital Markets Act and the POLD Regulations, listed companies must disclose all material risks affecting the company and its prospects in annual reports and prospectuses. Where AI systems are integral to a company’s operations or present significant risks, such matters must be addressed in financial statements and management commentary.

In addition, material events must be disclosed promptly. AI-related incidents that may trigger disclosure obligations include:

• data breaches involving personal data or confidential information;
• AI system failures materially affecting operations or financial performance;
• cyberattacks or security incidents; and
• regulatory investigations or enforcement actions.

Data Protection Disclosure

Under the Data Protection Act, data controllers must provide certain information to data subjects at the point of data collection (or as soon as reasonably practicable thereafter). Where AI systems process personal data, this includes disclosure of the existence of automated decision-making and the logic involved, to the extent that such disclosure does not adversely affect trade secrets or intellectual property.

AI Bill Disclosure Requirements (If Enacted)

If the AI Bill is enacted, it will impose specific transparency and disclosure obligations. Providers and deployers of AI systems will be required to disclose to users and affected persons:

• the nature, purpose and limitations of the AI system;
• the extent to which decisions or outputs are generated by automated processes, including any human intervention; and
• measures taken to identify, mitigate and monitor biases and to ensure fairness.

The failure to properly disclose may result in an enforcement action by the ODPC, administrative penalties, compensation claims by data subjects and reputational damage to companies.

Providers of high-risk AI systems will also be required to submit annual compliance reports to the AI Commissioner, with non-confidential information made publicly available.