How Kenya’s Critical Tech Systems Are Secretly Controlled by Private Hands—A System-by-System Breakdown

In our investigation into Kenya’s critical digital infrastructure, Kenya Insights has uncovered a disturbing pattern of opaque private control over systems that manage billions in public funds and sensitive citizen data. Our analysis reveals a systematic bypassing of competitive bidding processes, conflicts of interest reaching the highest levels of government, and alarming gaps in oversight that create fertile ground for corruption.

SHIF: A KSh 104.8 Billion Contract Awarded in a Single Day

The Social Health Insurance Fund (SHIF) system, awarded through a letter issued on September 19, 2024, and remarkably signed off by the Social Health Authority within 24 hours, completely bypassed competitive bidding despite its staggering KSh 104.8 billion value over ten years.

The consortium controlling SHIF raises serious red flags:

• Apeiro Ltd (59.55%): Wholly owned by SIH Africa Ltd, a vehicle of Abu Dhabi’s International Holding Company. Its directors include Judy Mwende Gatabaki, wife of Presidential economic adviser Dr. David Ndii, alongside two Adani-linked nominees, Aswanth Bindhu and Nishant Mishra.
• Safaricom PLC (22.56%): Already 35% government-owned, with its board chaired by State House insider Adil Khawaja.
• Konvergenz Network Solutions (17.89%): Original shareholders Asha Abdi Sheikh and Mohamed Abdi Yunis were diluted via two opaque nominee holding companies in 2023. A parliamentary probe into beneficial ownership has been launched but is unlikely to yield results.

Critical vulnerabilities in the arrangement include the consortium hosting the national health claims database on a private cloud, with the Ministry of Health receiving only an API feed rather than raw records. Industry experts note this creates a potential channel for selling sensitive healthcare data for AI training without detection. Furthermore, the contract permits the vendors to charge “escalation fees” tied to annual contribution growth—effectively imposing a tax on every Kenyan payslip.

Civil society activists including Okiya Omtatah have demanded the deal’s cancellation, citing the direct family link to Dr. Ndii and Safaricom’s chairperson’s position on the presidential advisory council.

eCitizen: Revenue Without Transparency

Kenya’s digital services portal operates through a patchwork of vendors without a unified master contract:

• Webmasters Kenya Ltd: Founded by James Ayugi, handling customer support and code base.
• Pesaflow Ltd: Running the payment gateway and billing the government KSh 100-200 million monthly. The company’s beneficial owners remain hidden behind P.O. Box nominees, though corporate filings reveal overlapping staff with Webmasters.
• Olive Tree Media Ltd: Providing bulk SMS and security notifications.

Originally built in 2014 with IFC financing, subsequent maintenance and extensions have occurred through direct variations with these private firms, circumventing competitive processes. Parliament has launched a formal investigation, though historical precedent suggests limited results.

Most concerning is that the Treasury owns neither the source code nor the payment switch. All transaction funds—representing billions in government revenue—first enter Pesaflow’s Standard Chartered account before daily transfers to the Central Bank of Kenya, completely outside the Integrated Financial Management Information System (IFMIS). The government cannot trigger independent security audits without vendor consent.

Hustler Fund: Banking on Conflicts

The digital lending platform launched as a flagship initiative operates without having undergone an open tender. Instead, the Ministry of Finance issued a “framework agreement” on October 31, 2022, to partners including Safaricom, KCB Group, NCBA, Airtel, and Family Bank.

Under the current revenue model, telecommunications companies retain service fees and float interest, while banks earn the credit spread. The Auditor-General has identified KSh 368 million overcharged to borrowers and KSh 8.7 billion in doubtful loans.

The State secretariat lacks an internal management information system, relying instead on CSV file dumps from Safaricom to record transactions. Private operators can issue new loans before previous ones are repaid.

Significant conflicts of interest exist: NCBA’s largest shareholder is the Kenyatta family, while Safaricom’s earnings increase with each disbursement, potentially incentivizing risky lending practices. None of the private partners fall under the Public Finance Management Act’s oversight.

Electronic Travel Authorization: Swiss Control of Kenyan Borders

Implemented under a pilot contract running from August 1, 2024, to February 29, 2025, the ETA system is operated by Swiss-based Travizory Border Security SA. The company retains 23% of every US$30 application fee—approximately KSh 1.5 billion from the KSh 6.5 billion collected—with gross revenues deposited in UBS-Zurich before weekly remittance to Kenya.

The arrangement began when the Interior Cabinet Secretary signed a sole-source “Proof-of-Concept” that quietly transformed into the operational system. A performance audit tabled in April 2025 revealed no Treasury or Central Bank approval for the collection account.

The system creates multiple risks: revenue leakage through foreign exchange spreads; personal data subject to Swiss rather than Kenyan privacy laws during the pilot period; and an opaque exit clause allowing Travizory to claim intellectual property indemnity fees if Kenya builds its own system.

IFMIS: The 70 Billion Shilling Money Pit

Kenya’s Integrated Financial Management Information System has consumed over KSh 70 billion since 2010, with Treasury planning another KSh 7.6 billion upgrade between 2025-2027 for additional Oracle licenses.

License renewals and support are single-sourced to Oracle partners each cycle, locking the government into perpetual fees without competitive benchmarking. Both the U.S. Trade Representative and Kenya’s Auditor-General have cited IFMIS as vulnerable to manipulation—noting its role in the NYS (2018) and Afya House (2016) financial scandals.

A fundamental conflict exists as Treasury both controls the purse and owns the system, eliminating independent oversight. Senior officials routinely approve their own license purchases.

NEMIS: Education System Under Scrutiny

Built in 2017 under an $88.4 million Global Partnership for Education grant, the National Education Management Information System faces ongoing controversy. Programmer George Kamau of Netresource Ltd claims his earlier prototype was used without compensation and has initiated legal action for intellectual property rights.

On April 17, 2025, the Public Accounts Committee ordered a special audit after capitation funds went missing and duplicate learner IDs were discovered in the system.

The Ministry of Education holds only administrative keys, not the source code repository, creating vendor lock-in that prevents government IT teams from patching security vulnerabilities. The system lacks checksum verification on uploaded enrollment files, allowing “ghost learners” to be created—facilitating an ongoing capitation funds heist.

Systemic Vulnerabilities and the Path to Reform

Across these critical systems, four concerning patterns emerge:

1. Procurement manipulation: Single-source or emergency procurements have become standard practice. In each case, private vendors either wrote their own scope or were added through opaque “variation” letters after minimal pilot periods.
2. Data and financial control surrendered: The government has relinquished custody of raw data and money flows. Whether SHIF claims, eCitizen payments, Hustler Fund loan records, or ETA fees, primary ledgers reside on servers the State does not own.
3. Political insider influence: Family vehicles and nominee chains pervade these arrangements. The Apeiro-Ndii connection represents the clearest example, but similar patterns appear in Konvergenz’s ownership restructuring and Pesaflow’s hidden beneficiaries.
4. Weak audit provisions: Most contracts provide vendors 30-90 days’ notice before inspections—ample time to sanitize records.

Transparency advocates recommend three immediate actions: utilizing the Beneficial Ownership e-Register to identify the true owners of these companies; demanding framework agreements for the Hustler Fund and eCitizen under Freedom of Information requests; and implementing real-time API mirroring from vendor databases to the Controller of Budget.

With over KSh 300 billion annually flowing through systems Parliament cannot adequately audit—many controlled by opaque private entities with direct links to government insiders—Kenya’s digital backbone remains vulnerable to exploitation. Until competitive tenders are reinstated, source code placed in independent escrow, and payment systems rerouted through proper government channels, the infrastructure meant to modernize Kenya’s governance instead risks becoming its greatest corruption vulnerability.

This investigative report was developed through analysis of public records, contract documents, and confidential sources within relevant government departments.